
Formal Verification of
Quantum Cryptography
Dominique Unruh
University of Tartu
Outline
• Quantum crypto:
– What and why?
– Challenges.
• Verification of quantum crypto
– Motivation and challenges
– Current work
Dominique Unruh
Verification of Quantum Crypto
2
What is quantum cryptography?
Cryptography involving quantum mechanics, in two senses:
• Security against quantum computers (post-quantum cryptography)
• Using quantum mechanics in crypto protocols (quantum protocols)
Quantum computers
• Computer is in many states at once:
“Quantum parallelism”
• Can be exploited
– Under very specific conditions!
• We can:
– Compute discrete logarithms (Shor’s algorithm; breaks ElGamal etc.)
– Factor large integers (Shor’s algorithm; breaks RSA etc.)
– Reduce the time for brute-force search to its square root (Grover’s algorithm)
If quantum computers were available today…
• All commonly used public-key crypto (ElGamal, RSA, elliptic curve crypto): BROKEN
– Candidates for replacements: lattice-based crypto, McEliece etc.
– These exist, but are not as well-studied
• Common symmetric crypto (AES etc.): double the key length!
… we would be screwed.
The threat today
• Quantum computers do not exist
• Unclear when they will
• If we don’t start research now: major disaster when they come
– “Post-quantum cryptography” (classical crypto, quantum-secure)
• Research & awareness: now!
Quantum Protocols
• Use quantum communication to make
impossible tasks feasible
• Best known example:
Unconditionally secure key distribution
• Possible today! (No quantum computer
needed.)
(Not the main focus of this talk.)
Post-quantum cryptography
What must be done?
1. Identify assumptions that are not quantum-broken (e.g., lattice-based crypto, not RSA)
2. Build cryptosystems based on those
3. Prove security
Possible without “quantum literacy”?
The post-quantum fallacy
“If protocol 𝑋 is proven secure,
and based on assumption 𝑌,
and 𝑌 is quantum-secure,
then 𝑋 is quantum-secure.”
• Not true!
• Consequence: cryptographers focus on finding
protocols based on lattices and call it post-quantum crypto.
Why is the fallacy wrong?
• Typical crypto proof:
If adversary 𝐴 breaks protocol 𝑋,
then we construct from 𝐴 an adversary 𝐵
that breaks assumption 𝑌.
• If 𝐴 is quantum, the construction may not
work (e.g., when 𝐵 rewinds 𝐴, which needs a copy of 𝐴’s state)
• Protocol might be secure, but has no proof!
• Quantum proofs can be much harder!
Summary (so far)
• Post-quantum crypto:
– Security of classical protocols against quantum
attacks
• Finding quantum hard assumptions:
Not enough
• Need quantum proof techniques
⇒ “Normal” cryptographers cannot verify their
own schemes!
Quantum Crypto & Verification
Formal methods & security:
• For classical protocols: symbolic models, computational crypto
– Nothing to do (?)
• For quantum crypto: ???
– Post-quantum crypto: “classical” proofs → existing tools?
– Quantum protocols: “quantum” proofs → new languages and logics
Post-quantum crypto verification
(computational / classical proto / quantum adv)
• Tools exist for computational verification
• CertiCrypt (relational Hoare)
• EasyCrypt (relational Hoare, higher level)
• CryptoVerif (rewriting, automated)
• Could those be quantum-sound?
Quantum soundness of EasyCrypt
CHSH game:
• Challenges 𝑥 ∈ {0,1} and 𝑦 ∈ {0,1} are chosen uniformly at random; 𝑨𝒅𝒗𝟏 receives 𝑥, 𝑨𝒅𝒗𝟐 receives 𝑦
• 𝑨𝒅𝒗𝟏 answers 𝑎, 𝑨𝒅𝒗𝟐 answers 𝑏
• Adv wins if: 𝑎 ⊕ 𝑏 = 𝑥 ∧ 𝑦
• No communication (after start)
• EasyCrypt proof: Pr[𝑤𝑖𝑛] ≤ 0.75
• Quantum strategy (shared entangled state, still no communication): Pr[𝑤𝑖𝑛] ≈ 0.85
Why EasyCrypt fails…
• Case distinction (e.g., on adv’s state 𝐴):
    ∀𝑥. {𝐴 = 𝑥} 𝒄 {𝑄}
    ─────────────────
      {true} 𝒄 {𝑄}
  (Related to: coin fixing, rewinding)
• Composition of equality:
    {𝑃} 𝒄1 ~ 𝒄2 {𝑋1 = 𝑋2 ∧ 𝑌1 = 𝑌2}
    ──────────────────────────────
    {𝑃} 𝒄1 ~ 𝒄2 {(𝑋1, 𝑌1) = (𝑋2, 𝑌2)}
  (Ignores: entanglement)
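The CHSH game from the previous slide, together with the case distinction over the adversary’s state from this one, as an added example (not code from the talk): enumerating every deterministic classical strategy is exactly the case distinction a classical proof performs and yields the 3/4 bound (shared randomness cannot beat it, since a randomized strategy is a convex combination of deterministic ones), while one explicit quantum strategy on a shared Bell pair exceeds it. The measurement angles (0 and π/4 for Adv1, ±π/8 for Adv2) are the standard choice and are assumed here, not taken from the slides.

```python
"""CHSH game: classical bound 3/4 versus a quantum strategy (~0.854).

Added example, not code from the talk. Pure Python, no dependencies.
"""
import itertools
import math


def chsh_win(x: int, y: int, a: int, b: int) -> bool:
    """Winning condition of the CHSH game: a XOR b == x AND y."""
    return (a ^ b) == (x & y)


def classical_max_win_prob() -> float:
    """Maximum of Pr[win] (x, y uniform) over all deterministic strategies.

    f[x] is Adv1's answer on challenge x, g[y] is Adv2's answer on y.
    Looping over all 16 pairs (f, g) is the case distinction on the
    adversary's classical state; the result is the EasyCrypt bound 0.75.
    """
    best = 0.0
    for f in itertools.product((0, 1), repeat=2):
        for g in itertools.product((0, 1), repeat=2):
            wins = sum(chsh_win(x, y, f[x], g[y]) for x in (0, 1) for y in (0, 1))
            best = max(best, wins / 4)
    return best


def _basis_vector(theta: float, outcome: int):
    """Real qubit measurement basis rotated by theta: |psi_0>, |psi_1>."""
    c, s = math.cos(theta), math.sin(theta)
    return (c, s) if outcome == 0 else (-s, c)


# Shared Bell state |Phi+> = (|00> + |11>)/sqrt(2); amplitudes indexed by
# (Adv1's qubit value, Adv2's qubit value). Zero amplitudes are omitted.
BELL = {(0, 0): 1 / math.sqrt(2), (1, 1): 1 / math.sqrt(2)}

# Measurement angles per challenge (assumed standard choice, see lead-in).
ADV1_ANGLE = {0: 0.0, 1: math.pi / 4}
ADV2_ANGLE = {0: math.pi / 8, 1: -math.pi / 8}


def quantum_outcome_prob(x: int, y: int, a: int, b: int) -> float:
    """Pr[Adv1 answers a and Adv2 answers b | challenges x, y] = |<psi_a phi_b|Phi+>|^2."""
    psi = _basis_vector(ADV1_ANGLE[x], a)
    phi = _basis_vector(ADV2_ANGLE[y], b)
    amp = sum(amp_ij * psi[i] * phi[j] for (i, j), amp_ij in BELL.items())
    return amp * amp


def quantum_win_prob() -> float:
    """Pr[win] of the entangled strategy with x, y uniform (cos^2(pi/8) ~ 0.854)."""
    total = 0.0
    for x, y, a, b in itertools.product((0, 1), repeat=4):
        if chsh_win(x, y, a, b):
            total += quantum_outcome_prob(x, y, a, b)
    return total / 4


if __name__ == "__main__":
    print("classical bound:", classical_max_win_prob())
    print("quantum strategy:", quantum_win_prob())
```

The classical enumeration is sound only because each adversary’s answer is a function of its own challenge plus state that can be fixed in advance; the quantum strategy’s answers are correlated through the shared state in a way no such function reproduces, which is what a case distinction on 𝐴 = 𝑥 silently rules out.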
“QuEasyCrypt” (work in progress…)
• Quantum language for crypto games
– Follows EasyCrypt, no surprises
• Quantum Hoare Logic
• Quantum Relational Hoare Logic
– Same intuition as probabilistic RHL
– But semantics are quantum
⇒ rules must be refined
Quantum Hoare Logic
Semantics of programs:
• 𝒄: a program on classical and quantum variables
• 𝜌: density operator (a “probabilistic quantum state”)
• ⟦𝒄⟧(𝜌): the quantum state after execution
Assertions: sets of density operators (preferably closed vector spaces)
Hoare triples: {𝑃} 𝒄 {𝑄} means ∀𝜌 ∈ 𝑃. ⟦𝒄⟧(𝜌) ∈ 𝑄
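The semantics above, made concrete as an added example (not code from the talk): density operators are small complex matrices, programs are maps on them, and an assertion is a closed subspace given by its orthogonal projector, so 𝜌 ∈ 𝑄 means the support of 𝜌 lies inside 𝑄. The single-qubit programs (Hadamard, computational-basis measurement, sequencing) and the shortcut of checking a triple on the maximally mixed state of the precondition are this example’s own choices, not something the slides specify.

```python
"""Semantic check of quantum Hoare triples {P} c {Q} with subspace assertions.

Added example, not code from the talk. Matrices are lists of rows of
Python complex numbers; no external libraries.
"""
import math


def matmul(A, B):
    return [[sum(A[i][t] * B[t][j] for t in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]


def dagger(A):
    return [[A[j][i].conjugate() for j in range(len(A))] for i in range(len(A[0]))]


def scale(c, A):
    return [[c * a for a in row] for row in A]


def madd(A, B):
    return [[a + b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def trace(A):
    return sum(A[i][i] for i in range(len(A)))


def close(A, B, tol=1e-9):
    return all(abs(a - b) <= tol for ra, rb in zip(A, B) for a, b in zip(ra, rb))


def projector(vec):
    """|v><v| for a normalized vector v: the projector onto the line it spans."""
    return [[vi * vj.conjugate() for vj in vec] for vi in vec]


def satisfies(rho, proj):
    """rho lies in the subspace with projector proj iff proj rho proj == rho."""
    return close(matmul(matmul(proj, rho), proj), rho)


def unitary(U):
    """Program applying the unitary U: rho -> U rho U^dagger."""
    return lambda rho: matmul(matmul(U, rho), dagger(U))


def measure(projs):
    """Projective measurement whose outcome is discarded: rho -> sum_k P_k rho P_k."""
    def run(rho):
        out = scale(0, rho)
        for P in projs:
            out = madd(out, matmul(matmul(P, rho), P))
        return out
    return run


def seq(*progs):
    """Sequential composition c1; c2; ..."""
    def run(rho):
        for prog in progs:
            rho = prog(rho)
        return rho
    return run


def hoare_holds(pre, prog, post):
    """Decide {pre} prog {post} for subspace assertions given as projectors.

    Running prog on the maximally mixed state of `pre` suffices: every density
    operator supported in `pre` is bounded above by a multiple of that state,
    completely positive maps preserve that ordering, so support containment in
    `post` transfers to all of them (standard fact, used here without proof).
    """
    mixed = scale(1 / trace(pre).real, pre)
    return satisfies(prog(mixed), post)


S = 1 / math.sqrt(2)
H = [[complex(S), complex(S)], [complex(S), complex(-S)]]          # Hadamard
KET0, KET1, PLUS = [complex(1), 0j], [0j, complex(1)], [complex(S), complex(S)]
P0, P1, PPLUS = projector(KET0), projector(KET1), projector(PLUS)
IDENT = madd(P0, P1)                                                # the whole space

if __name__ == "__main__":
    print("{|0>} H {|+>}:", hoare_holds(P0, unitary(H), PPLUS))
    print("{|0>} H; measure {|+>}:", hoare_holds(P0, seq(unitary(H), measure([P0, P1])), PPLUS))
```

The second triple fails because the discarded measurement turns |+⟩ into the maximally mixed state, whose support is the whole space; only the trivial postcondition (the identity projector) still holds for it, which is the kind of information loss a quantum logic has to track explicitly.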
Classical Relational Hoare Logic
Assertions: relations on states
(e.g., 𝑥1 = 𝑥2 + 𝑦2)
RHL judgements:
{𝑃} 𝒄1 ~ 𝒄2 {𝑄} means: if initial states in 𝑃,
then final states in 𝑄
E.g.: {𝑥1 = 𝑥2} skip ~ 𝑥2 ≔ 𝑥2 + 𝑦2 {𝑥2 = 𝑥1 + 𝑦2}
(the right program adds 𝑦2 to 𝑥2, so afterwards 𝑥2 exceeds 𝑥1 by 𝑦2)
Classical Relational Hoare Logic
RHL judgements:
{𝑃} 𝒄1 ~ 𝒄2 {𝑄} means: if initial states in 𝑃,
then final states in 𝑄
Formally:
For any (𝑚1, 𝑚2) ∈ 𝑃:
there exists a distribution 𝜇 on pairs of memories (a coupling) such that:
• Pr[(𝑚1′, 𝑚2′) ∉ 𝑄 : (𝑚1′, 𝑚2′) ← 𝜇] = 0, and
• the marginals of 𝜇 are 𝜇1 = ⟦𝒄1⟧(𝑚1) and 𝜇2 = ⟦𝒄2⟧(𝑚2)
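The coupling definition above, checked mechanically for finite programs, as an added example (not code from the talk or from EasyCrypt): for each initial pair the two output distributions are computed exactly, and a coupling supported inside 𝑄 is sought by max-flow on a bipartite graph whose left side is the support of ⟦𝒄1⟧(𝑚1), whose right side is the support of ⟦𝒄2⟧(𝑚2), and whose middle edges are exactly the pairs in 𝑄 (a transportation problem). The memory layout as (x, y) tuples, the four toy programs, and the initial pairs are this example’s own assumptions.

```python
"""Deciding {P} c1 ~ c2 {Q} semantically for finite probabilistic programs.

Added example, not code from the talk. Exact rational arithmetic throughout.
"""
from collections import defaultdict, deque
from fractions import Fraction


def max_flow(cap, source, sink):
    """Edmonds-Karp max-flow. cap: node -> (node -> capacity).
    Returns (value, flow) where flow[u][v] is the antisymmetric net flow u -> v."""
    nodes = set(cap) | {v for u in cap for v in cap[u]}
    flow = {u: defaultdict(Fraction) for u in nodes}

    def residual(u, v):
        return cap.get(u, {}).get(v, Fraction(0)) - flow[u][v]

    value = Fraction(0)
    while True:
        parent = {source: None}                      # BFS for a shortest augmenting path
        queue = deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v in nodes:
                if v not in parent and residual(u, v) > 0:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return value, flow
        path, v = [], sink
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        delta = min(residual(u, v) for u, v in path)
        for u, v in path:
            flow[u][v] += delta
            flow[v][u] -= delta
        value += delta


def find_coupling(dist1, dist2, Q):
    """Coupling of dist1 and dist2 (memory -> Fraction, each summing to 1)
    whose support lies in Q, as a dict (m1, m2) -> mass; None if none exists."""
    cap = defaultdict(dict)
    for m1, p in dist1.items():
        cap["src"][("L", m1)] = p                    # left side must emit exactly dist1
        for m2 in dist2:
            if Q(m1, m2):                            # only pairs allowed by Q may carry mass
                cap[("L", m1)][("R", m2)] = Fraction(1)
    for m2, p in dist2.items():
        cap[("R", m2)]["sink"] = p                   # right side must absorb exactly dist2
    value, flow = max_flow(cap, "src", "sink")
    if value != 1:                                   # total mass 1 iff both marginals match
        return None
    return {(m1, m2): flow[("L", m1)][("R", m2)]
            for m1 in dist1 for m2 in dist2 if flow[("L", m1)][("R", m2)] > 0}


def judgment_holds(sem1, sem2, initial_pairs, Q):
    """{P} c1 ~ c2 {Q}, with P given as an explicit finite list of initial pairs."""
    return all(find_coupling(sem1(m1), sem2(m2), Q) is not None
               for m1, m2 in initial_pairs)


# Toy programs on memories (x, y); each returns the output distribution.
def sem_skip(m):                 # skip
    return {m: Fraction(1)}


def sem_add(m):                  # x := x + y
    x, y = m
    return {(x + y, y): Fraction(1)}


def sem_coin(m):                 # x <-$ {0,1}
    _, y = m
    return {(0, y): Fraction(1, 2), (1, y): Fraction(1, 2)}


def sem_zero(m):                 # x := 0
    _, y = m
    return {(0, y): Fraction(1)}


if __name__ == "__main__":
    same_coin = lambda m1, m2: m1[0] == m2[0]
    print(find_coupling(sem_coin((0, 0)), sem_coin((0, 0)), same_coin))
    print(find_coupling(sem_coin((0, 0)), sem_zero((0, 0)), same_coin))
```

Two uniform coin flips can be coupled to agree (or to disagree) with probability one, which is what lets a proof identify sampling steps across the two games; a coin flip and a constant cannot, and the flow value stays at 1/2, so the judgment is refused rather than silently accepted.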
Quantum Relational Hoare Logic?
If analogous to classical, we lose the frame rule:
    {𝑃} 𝒄 {𝑄}      𝑅’s variables distinct from those of 𝑃, 𝑄, 𝒄
    ─────────────────────────────────────────────────
    {𝑃 ∧ 𝑅} 𝒄 {𝑄 ∧ 𝑅}
Without frame rule:
No compositional analysis ⇒ useless
Quantum Relational Hoare Logic?
Assertions: sets of quantum states 𝜌 of a system with two parts (the memories of 𝒄1 and 𝒄2)
qRHL: {𝑃} 𝒄1 ~ 𝒄2 {𝑄} means:
Exists quantum process 𝐸 such that for all 𝜌 ∈ 𝑃, with 𝜌1, 𝜌2 the two marginals of 𝜌:
• 𝜌′ := 𝐸(𝜌) ∈ 𝑄
• the marginals of 𝜌′ are 𝜌1′ = ⟦𝒄1⟧(𝜌1) and 𝜌2′ = ⟦𝒄2⟧(𝜌2)
QuEasyCrypt – the future
• If you can use EasyCrypt, you can use
QuEasyCrypt
– Get post-quantum verification for free
(when classical proof is quantum-sound)
• Verification of quantum protocols:
– Should be possible
– Time will show
Summary
Formal methods & security:
• For classical protocols: symbolic models, computational crypto
– Nothing to do (?)
• For quantum crypto: ???
– Post-quantum crypto: “classical” proofs → existing tools?
– Quantum protocols: “quantum” proofs → new languages and logics
Questions?
(Or catch me for offline discussion…)
I thank you for your attention.
This research was supported by the European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa.