Quantum authentication with key recycling
We show that a family of quantum authentication protocols introduced in
[Barnum et al., FOCS 2002] can be used to construct a secure quantum channel
and additionally recycle all of the secret key if the message is successfully
authenticated, and recycle part of the key if tampering is detected. We give a
full security proof that constructs the secure channel given only insecure
noisy channels and a shared secret key. We also prove that the number of
recycled key bits is optimal for this family of protocols, i.e., there exists
an adversarial strategy to obtain all non-recycled bits. Previous works
recycled less key and only gave partial security proofs, since they did not
consider all possible distinguishers (environments) that may be used to
distinguish the real setting from the ideal secure quantum channel and secret
key resource.
Comment: 38+17 pages, 13 figures. v2: constructed ideal secure channel and
secret key resource have been slightly redefined; also added a proof in the
appendix for quantum authentication without key recycling that has better
parameters and only requires weak purity testing code
Attacks on quantum key distribution protocols that employ non-ITS authentication
We demonstrate how adversaries with unbounded computing resources can break
Quantum Key Distribution (QKD) protocols which employ a particular message
authentication code suggested previously. This authentication code, featuring
low key consumption, is not Information-Theoretically Secure (ITS) since for
each message the eavesdropper has intercepted she is able to send a different
message from a set of messages that she can calculate by finding collisions of
a cryptographic hash function. However, when this authentication code was
introduced it was shown to prevent straightforward Man-In-The-Middle (MITM)
attacks against QKD protocols.
In this paper, we prove that the set of messages that collide with any given
message under this authentication code contains with high probability a message
that has small Hamming distance to any other given message. Based on this fact
we present extended MITM attacks against different versions of BB84 QKD
protocols using the addressed authentication code; for three protocols we
describe every single action taken by the adversary. For all protocols the
adversary can obtain complete knowledge of the key, and for most protocols her
success probability in doing so approaches unity.
Since the attacks work against all authentication methods that allow
colliding messages to be calculated, the underlying building blocks of the presented
attacks expose the potential pitfalls arising as a consequence of non-ITS
authentication in QKD post-processing. We propose countermeasures, increasing
the eavesdropper's demand for computational power, and also prove necessary and
sufficient conditions for upgrading the discussed authentication code to the
ITS level.
Comment: 34 page
Quantum encryption with certified deletion
Given a ciphertext, is it possible to prove the deletion of the underlying
plaintext? Since classical ciphertexts can be copied, clearly such a feat is
impossible using classical information alone. In stark contrast to this, we
show that quantum encodings enable certified deletion. More precisely, we show
that it is possible to encrypt classical data into a quantum ciphertext such
that the recipient of the ciphertext can produce a classical string which
proves to the originator that the recipient has relinquished any chance of
recovering the plaintext should the decryption key be revealed. Our scheme is
feasible with current quantum technology: the honest parties only require
quantum devices for single-qubit preparation and measurements; the scheme is
also robust against noise in these devices. Furthermore, we provide an analysis
that is suitable in the finite-key regime.
Comment: 28 pages, 1 figure. Some technical details modifie
On Weak Keys and Forgery Attacks Against Polynomial-Based MAC Schemes
Abstract. Universal hash functions are commonly used primitives for fast and secure message authentication in the form of Message Authentication Codes (MACs) or Authenticated Encryption with Associated Data (AEAD) schemes. These schemes are widely used and standardised, the most well known being McGrew and Viega’s Galois/Counter Mode (GCM). In this paper we identify some properties of hash functions based on polynomial evaluation that arise from the underlying algebraic structure. As a result we are able to describe a general forgery attack, of which Saarinen’s cycling attack from FSE 2012 is a special case. Our attack removes the requirement for long messages and applies regardless of the field in which the hash function is evaluated. Furthermore we provide a common description of all published attacks against GCM, by showing that the existing attacks are the result of these algebraic properties of the polynomial-based hash function. We also greatly expand the number of known weak GCM keys and show that almost every subset of the keyspace is a weak key class. Finally, we demonstrate that these algebraic properties and corresponding attacks are highly relevant to GCM/2+, a variant of GCM designed to increase the efficiency in software.
Reduction and Abstraction Techniques for BIP
Reduction and abstraction techniques have been proposed to address the state space explosion problem in verification. In this paper, we present reduction and abstraction techniques for component-based systems modeled in BIP (Behavior, Interaction and Priority). Given a BIP system consisting of several atomic components, we compute the product of two selected atomic components. The product operation often exposes opportunities for constant propagation in the product component that were hidden originally. Moreover, the product operation introduces states that are branching bisimilar. Our method detects and merges those states, resulting in a behavior that may overapproximate the original one. The presented method is fully implemented. Our results show a drastic improvement in verifying BIP systems.
Analyzing Multi-key Security Degradation
On the Query Complexity of Constructing PRFs from Non-adaptive PRFs
This paper studies constructions of pseudorandom functions (PRFs) from non-adaptive PRFs (naPRFs), i.e., PRFs which are secure only against distinguishers issuing all of their queries at once.
Berman and Haitner (Journal of Cryptology, ’15) gave a one-call construction which, however, is not hardness preserving: to obtain a secure PRF (against polynomial-time distinguishers), they need to rely on a naPRF secure against superpolynomial-time distinguishers; in contrast, all known hardness-preserving constructions require calls. This leaves open the question of whether a stronger superpolynomial-time assumption is necessary for one-call (or constant-call) approaches. Here, we show that a large class of one-call constructions (which in particular includes the one of Berman and Haitner) cannot be proved to be a secure PRF under a black-box reduction to the (polynomial-time) naPRF security of the underlying function.
Our result complements existing impossibility results (Myers, EUROCRYPT ’04; Pietrzak, CRYPTO ’05) ruling out natural specific approaches, such as parallel and sequential composition. Furthermore, we show that our techniques extend to rule out a natural class of constructions making a parallel but arbitrary number of calls, which in particular includes parallel composition and the two-call, cuckoo-hashing based construction of Berman et al. (Journal of Cryptology, ’19).
BBB Secure Nonce Based MAC Using Public Permutations
In the recent trend of the CAESAR competition and the NIST lightweight competition, the cryptographic community has witnessed the submission of several cryptographic schemes that are built on public random permutations. Recently, in CRYPTO 2019, Chen et al. initiated an interesting research direction in designing beyond-birthday-bound PRFs from public random permutations and proposed two instances of such PRFs. In this work, we extend this research direction by proposing a nonce-based MAC built from public random permutations. We show that our proposed MAC achieves bit security (with respect to the state size of the permutation) and that the bound is essentially tight. Moreover, the security of the MAC degrades gracefully with repetition of the nonce.
On the Computational Overhead of MPC with Dishonest Majority
We consider the situation where a large number of players want to securely compute a large function with security against an adaptive, malicious adversary which might corrupt of the parties for some given . In other words, only some arbitrarily small constant fraction of the parties are assumed to be honest. For any fixed , we consider the asymptotic complexity as and the size of grows. We are in particular interested in the computational overhead, defined as the total computational complexity of all parties divided by the size of .
We show that it is possible to achieve poly-logarithmic computational overhead for all .
Prior to our result it was only known how to get poly-logarithmic overhead for .
We therefore significantly extend the area where we can do secure multiparty computation with poly-logarithmic overhead. Since we allow that more than half the parties are corrupted, we can only get security with abort, i.e., the adversary might make the protocol abort before all parties learn their outputs.
We can, however, for all make a protocol for which there exists such that if at most parties are actually corrupted in a given execution, then the protocol will not abort. Our result is solely of theoretical interest.
Protecting against Multidimensional Linear and Truncated Differential Cryptanalysis by Decorrelation
Decorrelation theory provides a different point of view on the security of block cipher primitives. Results on some statistical attacks obtained in this context can support or provide new insight on the security of symmetric cryptographic primitives. In this paper, we study, for the first time, multidimensional linear attacks as well as truncated differential attacks in this context. We show that the cipher should be decorrelated at order two to be resistant against some multidimensional linear and truncated differential attacks. Previous results obtained with this theory for linear, differential, differential-linear and boomerang attacks are also revisited and improved in this paper.