revocable timed release encryption revocable timedâ€گrelease encryption 7 quantum no cloning?...

Download Revocable Timed Release Encryption Revocable Timedâ€گRelease Encryption 7 Quantum No Cloning? ... Naأ¯ve

Post on 12-Mar-2020

0 views

Category:

Documents

0 download

Embed Size (px)

TRANSCRIPT

  • Dominique Unruh

    Revocable Timed‐Release Encryption

    Dominique Unruh University of Tartu

    Eurocrypt 2014

  • Dominique Unruh

    Motivation

    Revocable Timed‐Release Encryption 2

    Open Feb 14

    • Want to send a message • Opens at a particular date • No earlier opening!

  • Dominique Unruh

    Time Vaults

    Physical solution:

    Digital solution:

    Revocable Timed‐Release Encryption 3

    Enc(message)

    Just hard enough to be breakable

    in time t

  • Dominique Unruh

    Required properties

    • Can be decrypted in time t • Cannot be opened in time (much) smaller t

    Challenges: • Very precise hardness assumptions • Knowledge of adversary hardware • Non‐parallelisable • Quantum secure

    Revocable Timed‐Release Encryption 4

    For this talk: Assume that’s solved.

  • Dominique Unruh

    Another application

    Revocable Timed‐Release Encryption 5

    meets with mafia “a friend”

    still alive “a friend”

    Next day: Still unopened…

    2 days

    1 day

  • Dominique Unruh

    Using digital time vaults…

    Revocable Timed‐Release Encryption 6

    meets with mafia “a friend”

    still alive “a friend”

    Next day: ???

    (2 days)

    (1 day) Enc(msg)Enc(msg)

    Enc(msg)

  • Dominique Unruh

    Revocable time vaults

    • Physical time vaults have “revocability” – Before timeout, possible to “give back” – Recipient can keep time vault, but will be detected

    • Digital time vaults: – Recipient can always keep copy – And continue decrypting the copy

    Revocable Timed‐Release Encryption 7

    Quantum No Cloning?

  • Dominique Unruh

    Example applications

    Deposits: Put digital money in TRE. Hand it back  upon return.

    – Useful for fair MPC also?

    Data retention with verifiable deletion: Keep user  data for legally mandated time, provably delete  afterwards.

    Unknown recipient encryption: Send a message  to unknown recipient. Recipient knows no‐one else  got it.

    – More unexpected applications of revocable TRE?

    Revocable Timed‐Release Encryption 8

  • Dominique Unruh

    Quantum Time Vaults

    Revocable Timed‐Release Encryption 9

    Enc(B)

    • Message msg • Random basis B

    |msg B

    Classical time vault

    Quantum encoded msg

    Revocation:

    • Check if state unmodified

    |msg B

  • Dominique Unruh

    Naïve Proof

    Recipient does not know B before time t Can’t copy msg before time t (no cloning) Won’t have msg after revocation Secure

    Revocable Timed‐Release Encryption 10

    Enc(B) |msg B |msg B

    time t

    “Theorem”: Without knowing B, impossible to transform |msg B into |msg B,|msg B

  • Dominique Unruh

    Naïve Proof – criticism

    Perhaps “encrypted cloning” is possible?

    Revocable Timed‐Release Encryption 11

    Enc(B) |msg B |msg B

    Enc(|msg〉B)

    time T

    msg

  • Dominique Unruh

    Proof idea

    • Need to show: no “encrypted cloning”

    • “Independence of msg”: not T‐time testable • “|msg B” maximally entangled with environment:  T‐time testable!

    ⇒ Unentangled with Enc(|msg B)

    Revocable Timed‐Release Encryption 12

    Enc(B) |msg B

    |msg B Enc(|msg〉B)

    To show: independent of

    msg

  • Dominique Unruh

    The big picture

    Revocable Timed‐Release Encryption 13

    Revocable TRE (not “hiding”)

    Classical TRE

    everlasting

    Revocable TRE (hiding) everlasting

    bad reduction Revocable TRE

    (hiding)

    msg ⊕ H(key) TRE(key)

    not everlasting random oracle model

    H(H(H(H(…H(msg)…)))) T times

    provable with random oracle

  • Dominique Unruh

    Conclusions

    • Revocable time vaults – Gap between quantum and classical crypto

    • Useful building block in crypto protocols? – Unknown recipient encryption

    • Technique: Giving back data  other  applications?

    Revocable Timed‐Release Encryption 14

  • Dominique Unruh

    Open questions

    • Classical TRE schemes. – H(H(H(H(…H(msg)…)))): encryption takes long – Rivest‐Shamir‐Wagner: not quantum secure

    • Efficient reduction for revocable hiding TRE in standard model.

    Revocable Timed‐Release Encryption 15

  • Dominique Unruh

    I thank for your attention

    This research was supported  by European Social Fund’s 

    Doctoral Studies and  Internationalisation Programme DoRa

    Logo soup

Recommended

View more >