WO2024009052A1 - Secure storage of data - Google Patents


Publication number
WO2024009052A1
Authority
WO
WIPO (PCT)
Prior art keywords
mask
data
data item
encrypted
key
Prior art date
Application number
PCT/GB2023/051620
Other languages
French (fr)
Inventor
Herschel Aditya CHAWDHRY
Original Assignee
Oxford University Innovation Limited
Priority date
Filing date
Publication date
Application filed by Oxford University Innovation Limited
Publication of WO2024009052A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852 Quantum cryptography
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN


Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Electromagnetism (AREA)
  • Storage Device Security (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

A method of securely storing data comprising: obtaining a data item to be stored; receiving a user password; generating a mask from the user password using a deterministic algorithm, the mask matching the length of the data item; and storing the data item in a quantum memory using the mask to determine the basis for storage.

Description

SECURE STORAGE OF DATA
Field
[0001] The present invention relates to the storage of data in a secure manner, in particular to the storage of data in such a manner that an adversary is limited in the number of guesses of a password required for access that can be made.
Background
[0002] Many computer systems and data need to be secured against unauthorised access. Passwords are a very convenient form of authentication used to gain authorised access. Unlike physical authentication tokens (e.g. an ATM card or a door key), a password is ideally memorised and therefore cannot be physically stolen or lost. However, since most people are not capable of memorising long strings of random characters, many people choose short and/or common passwords. Therefore, there is a risk that an adversary might break into a password-protected system by simply guessing the right password. In many situations, the adversary has the advantage of being able to use a computer to try millions of passwords until they find the correct one: this is known as a brute-force attack. Brute-force attacks are a major vulnerability of password-protected systems, particularly in cases where the adversary has physical access to the system (e.g. a thief trying to access the data on a stolen laptop) or an off-line copy of encrypted data. To protect against brute-force attacks, users are typically required to choose complicated passwords, but this increases the risk of forgetting the password. Writing the password down is not desirable as it makes it vulnerable to either misplacement or theft.
Summary
[0003] It is an aim of the invention to improve security and/or user convenience, e.g. by allowing users to use simple passwords without becoming vulnerable to brute-force attacks, even if an adversary gains full physical access to a protected system.
[0004] According to the invention there is provided a method of securely storing data comprising: obtaining a data item to be stored; receiving a user password; generating a mask from the user password using a deterministic algorithm, the mask matching the length of the data item; and storing the data item in a quantum memory using the mask to determine the basis for storage.
[0005] According to the invention there is provided a method of retrieving securely stored data comprising: receiving a user password; generating a mask from the user password using a deterministic algorithm, the mask matching the length of a data item to be retrieved; and accessing the data item in a quantum memory using the mask to determine the basis for access to the quantum memory.
[0006] According to the invention there is provided a computer program comprising computer-readable code means for instructing a computer system to perform a method as described above.
[0007] According to the invention there is provided a security device comprising a processor, a quantum memory and a memory storing instructions to perform a method as described above.
Brief Description of the Drawings
[0008] The present invention is described below with reference to exemplary embodiments and the accompanying schematic drawings, in which:
[0009] Figure 1 depicts a computer system in which the present invention may be embodied;
[0010] Figure 2 depicts a security device according to an embodiment of the invention;
[0011] Figure 3 is a flow chart of an encryption method according to an embodiment of the invention; and
[0012] Figure 4 is a flow chart of a decryption method according to an embodiment of the invention.
[0013] In the drawings, like parts are indicated by like references.
Detailed Description of Embodiments
[0014] The strength of a password is quantified by its entropy, which is measured in bits. If a password consists of randomly-chosen case-insensitive letters, each letter carries log2(26) ≈ 4.7 bits of entropy. If rather than being random, the letters spell out a sentence, then the entropy is generally estimated to be approximately 1 bit per letter. The difficulty of a brute-force attack increases exponentially with the total entropy of a password. In high-security domains, it is standard practice to use encryption keys that are at least 256 bits long. This is equivalent to a sequence of 55 random letters, and is therefore too difficult to memorise (for most users). The authentication protocol presented here allows encryption/authentication keys of arbitrarily high entropy to be used, while only requiring the user to memorise a simple low-entropy password.
[0015] The quantum-mechanical aspects of the protocol are described in terms of “qubits”, which are the quantum-mechanical equivalent of the “0”s and “1”s of classical computing/communication. There are numerous different ways to implement qubits in practice, and the protocol is not affected by the choice of implementation. Just like its classical analogue, a qubit can take one of two values, 0 or 1. In contrast to the classical case, however, a “basis” must be chosen before reading from or writing to a qubit. If one first writes to a qubit using one basis and later reads the qubit using a different basis, the qubit will spontaneously adopt a random value (0 or 1) along the new basis, and the former value in the old basis will be irretrievably destroyed. This property, known as conjugate coding, is widely used in quantum communications and is used in the present invention.
[0016] This invention uses quantum mechanics to improve on password-based authentication systems. A secure (but long) password is randomly generated and stored inside qubits, in a basis that depends on a simple password chosen by the user. Any suitable random or pseudo-random number generating process may be used, the more truly random the better. The qubits are stored by the “host” (e.g. the server), not the user. To prove their identity, the only thing the user needs is knowledge of the password; there is no requirement for them to carry a physical authentication token (such as a smart card, key fob, or other cryptographic device). However an additional factor, such as a physical token or biometric sensor, can be used as well for additional security. The process and an exemplary system in which it can be implemented is described in more detail below.
[0017] Figure 1 depicts a system in which the present invention may be embodied. A user device 10 communicates with a security device 20 which controls access to a secured system 30 which, in turn, controls access to securely stored data 40.
[0018] As depicted in Figure 2, security device 20 includes a random number generator 21 for generating a long random number. An input interface 22 receives a user password or pin, e.g. from user terminal 10. Mask generator 23 processes the user password or pin into a bit sequence of equal length to the long random number generated by random number generator 21. Write module 26 uses a bit sequence generated by mask generator 23 to control storage of the random number generated by random number generator 21 into a quantum memory 28 which comprises qubits QB_1 to QB_N, equal in number to the length in bits of the random number. As discussed further below, multiple parallel qubit memories 28 may be provided. For readout, readout module 27 similarly uses the mask generated from the user’s password or pin to read out from quantum memory 28. Output processor 24 performs any desired processes on the data item retrieved from quantum memory 28 and output interface 25 communicates the processed output for the desired use.
[0019] Part A: “encryption” - depicted in Figure 3
S1. A secure N-bit key S = {S_1, ..., S_N} is randomly generated by a classical or quantum method (with e.g. N=256 bits). S is an example of a data item to be securely stored.
S2. S is used for the process that originally required a strong password (e.g. encrypting a hard drive, registering an account, etc.)
S3. The user’s password is received, e.g. from the user or an automatic password generator.
S4. The user’s password, which can be simple, is deterministically compressed to produce a high-entropy-per-bit sequence P = {P_1, ..., P_m}. Note that m is typically small if the user’s password is simple. P is repeated to obtain a bit string B = {P_1, ..., P_m, P_1, ..., P_m, ...} of the same length as S.
S5. S is stored in the qubits QB_1 to QB_N, with B determining the basis for each qubit. (Specifically, store S_i in qubit QB_i using the x-basis if B_i = 0 and the y-basis if B_i = 1 (or vice versa)). For this purpose, B may be considered an example of a mask for storing the password.
[0020] Part B: “decryption” - depicted in Figure 4
S6. The user’s password is received, e.g. from the user.
S7. Same as step S4.
S8. Obtain S by reading QB_1 to QB_N in the basis B_1 to B_N.
S9. Use S for the purpose that is complementary to step S2 (e.g. decrypting a hard drive, logging into an account, etc.)
[0021] The security of the system arises because an adversary who does not know the user’s password would not know which basis to use in step S8. Without knowing the correct basis, any measurement made on quantum memory 28 will alter the state of quantum memory 28, making it forever impossible thereafter to retrieve S. Technically, random measurements on quantum memory 28 provide the adversary with some information about S, but this can be mitigated by increasing N by a small factor e.g. about 2 to 4.
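An added example, not part of the patent text: a classical toy simulation of Part A and Part B that shows why a wrong password guess both fails and spoils the stored key for later attempts. The mask is derived with the hash variant mentioned in paragraph [0025], with SHAKE-256 as an assumed hash; the class and function names and the sample passwords are hypothetical.

```python
import hashlib
import random
import secrets

N_BITS = 256  # key length given as an example in step S1


def mask_from_password(password, n_bits=N_BITS):
    """Steps S4/S7 (hash variant): deterministic n-bit basis mask.

    SHAKE-256 is an assumed choice; the text only asks for an N-bit
    cryptographic hash of the user's password.
    """
    digest = hashlib.shake_256(password.encode("utf-8")).digest((n_bits + 7) // 8)
    bits = [(byte >> shift) & 1 for byte in digest for shift in range(7, -1, -1)]
    return bits[:n_bits]


class SimulatedQuantumMemory:
    """Classical toy model of qubits QB_1..QB_N under conjugate coding.

    Each cell holds [basis, value]. Measuring in the stored basis returns the
    value and (as assumed here) leaves the cell unchanged. Measuring in the
    other basis returns a random bit and leaves the cell collapsed onto that
    other basis, so the original value is gone.
    """

    def __init__(self, rng):
        self._rng = rng  # models measurement randomness only, never key material
        self._cells = []

    def write(self, data_bits, mask):
        """Step S5: store bit S_i in the basis selected by B_i."""
        if len(data_bits) != len(mask):
            raise ValueError("mask must match the length of the data item")
        self._cells = [[basis, value] for value, basis in zip(data_bits, mask)]

    def read(self, mask):
        """Step S8: measure every qubit in the basis selected by the mask."""
        if len(mask) != len(self._cells):
            raise ValueError("mask must match the number of stored qubits")
        out = []
        for cell, basis in zip(self._cells, mask):
            if cell[0] != basis:
                # Wrong basis: random outcome, previous value destroyed.
                cell[0] = basis
                cell[1] = self._rng.getrandbits(1)
            out.append(cell[1])
        return out


def generate_key(n_bits=N_BITS):
    """Step S1: random N-bit key S from the OS CSPRNG."""
    return [secrets.randbits(1) for _ in range(n_bits)]


def simulate(user_password, guesses, seed=0):
    """Store a fresh key under user_password, then replay the guesses in order.

    Returns, for each guess, how many of the N bits read back equal the key.
    """
    key = generate_key()
    memory = SimulatedQuantumMemory(random.Random(seed))
    memory.write(key, mask_from_password(user_password))
    matches = []
    for guess in guesses:
        bits = memory.read(mask_from_password(guess))
        matches.append(sum(a == b for a, b in zip(bits, key)))
    return matches


if __name__ == "__main__":
    # Constructed sample passwords.
    print("correct password first:", simulate("tulip", ["tulip"]))
    print("wrong guess, then correct:", simulate("tulip", ["rose", "tulip"]))
```

In the second run the wrong guess still matches roughly three quarters of the bits (half the bases agree by chance, and half of the remainder come out right at random), which is the partial leakage paragraph [0021] proposes to offset by increasing N.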
[0022] Various modifications and extensions of the above protocol are possible. For example, when storing S in the qubits QB_1 to QB_N, it is possible to use 3 mutually orthogonal bases rather than 2. (These 3 bases correspond to the x, y, z directions on the Bloch sphere.) To do this, P and B should be sequences of trits (i.e. numbers from the set {0,1,2}) rather than bits (numbers from the set {0,1}). This means an adversary who tries to randomly guess B will only obtain the correct basis for one third of the qubits, rather than one half.
[0023] Another variation is, if S has N bits, to use N*M qubits for some small M (e.g. M=5) to exponentially reduce the power of random guessing. An algorithm (which may or may not be deterministic) - e.g. secret sharing, finite-field-based encoding, or salting - is used to generate a longer number S’ to store, such that on retrieval S can be obtained from S’ by a deterministic algorithm such as hashing or decryption. This has the advantage that even if an adversary obtains some information about S’ they have virtually no useful information about S.
[0024] It could be beneficial to modify the method in order to accommodate noisy qubits, e.g. by using Reed-Solomon encoding to store S. (However, it may be advantageous to tolerate only a small amount of noise, since high tolerance to noise could benefit an adversary.)
[0025] Instead of steps S4 and S7, one can generate an alternative basis B’ (instead of B) by applying an N-bit cryptographic hash to the user’s password.
[0026] In the form described above, the protocol only allows a single password attempt. This maximises the difficulty of a brute-force attack. However, it may be beneficial to allow more than one attempt, in order to tolerate user mistakes. T attempts can be allowed by providing T parallel quantum memories 28, each storing a distinct, independently-generated value of S, which can be denoted S_n. Note that by allowing the user to make T attempts, we also allow an adversary to make T attempts, so it is desirable that T is a small number (e.g. 10) - enough to help an honest user but not enough to significantly help an adversary. The parallel quantum memories should not store the same value S using the same basis as this would allow the adversary to determine the value S by making multiple read attempts. Also, note that to have T parallel quantum memories, we of course require T times more qubits.
[0027] Given that each of the parallel memories 28 stores a different value S_n, each of the values S_n must give access to the protected system. Since S_n can be made almost arbitrarily long, this does not significantly reduce security. However if the protected system is encrypted data, it would be inconvenient to store multiple copies of the data, each encrypted with a different S_n. This can be avoided by storing the data encrypted by an intermediate key S’, again which can be almost arbitrarily long, and storing multiple copies of the intermediate key S’, each encrypted by a different one of S_n, as a plurality of encrypted key files. The use of an intermediate key in this way may be advantageous in other circumstances, e.g. to avoid having to re-encrypt the protected data after a successful access or to allow multiple users to access the data.
[0028] The protocol is not limited to the use of a specific form of qubit; any type of quantum system that provides multiple bases for storing can be used, irrespective of the underlying technology. It is desirable that the quantum information storage device used provides long-term storage, in order to allow Part B of the protocol to take place several hours/days/months after Part A. Current candidates for long-term quantum information storage (or “quantum memory”) include: an optically trapped ultracold gas of RbCs molecules; a 171Yb+ single-ion qubit memory; an ion-doped crystal. The exact length of time required will depend on the application. In some cases, e.g. to allow time-limited access to data or a facility or to authorise high value rapid transactions, a short storage time may be an advantage.
[0029] In some types of qubit, a successful read with the correct basis will leave the content of the qubit unchanged. In that case no additional measures are required to allow multiple use. In other cases, read out of the qubit effectively erases it, in which case the key S is stored again into memory using the same basis. Keeping S the same in this case likely does not reduce security to a significant extent but it is also possible to generate a new key S to store again.
[0030] Unlike many applications of quantum memory, this protocol does not require the qubits to be entangled with each other. This means that the protocol can be implemented using a series of single-qubit memories, rather than requiring a (much more challenging) multi-qubit quantum memory.
[0031] There are numerous applications of this protocol, since password-based authentication is so common in the modern world. It would be particularly valuable in offline authentication situations that lack a secure authority who can limit the number of password attempts. Examples include protecting portable devices like laptops and mobile phones. The protocol is also valuable in situations with online authentication: recent years have seen numerous cases where the secure authority (e.g. a web server) has been hacked, leading to the theft of databases of hashed/encrypted passwords which the attacker can then attempt to decode via brute force.
[0032] Other applications of the protocol include controlling access to buildings, bank vaults, confidential archives, sensitive information, etc. These applications do not require miniaturisation of the qubit storage technology. The data item to be stored is not restricted to a key for encryption of other data but may have other uses, e.g. an access token or address.
[0033] An advantageous application of the invention for access control is as follows. A strong key S is generated for a user to access a protected system. The protected system stores a hash of strong key S in its own secured memory. An access control device stores the strong key S in a quantum storage system of the invention, protected by the user's memorable password. When seeking access to the protected system, the user provides their memorable password to the access control device, which recovers the secure key from the quantum memory and supplies it to the protected system, which grants access if the hash of the supplied key matches the hash previously stored in its secure memory. If an adversary breaches the access control device and gains full access to the qubits contained inside it, the adversary is limited in the number of guesses they can make of the user's memorable password in order to recover the strong key S and gain access to the protected system. Even if an adversary breaches the access control device and, by other means, also breaches the protected system, thereby obtaining full access to the qubits and the hash of the secure password S, the adversary is limited in the number of guesses they can make to determine the user's memorable password with the aim of subsequently accessing other independent systems on which the user has re-used their memorable password. Thus a common weakness that a breach of one system leads to a breach of other independent systems (due to password re-use by users) is avoided.
[0034] The methods of the present invention may be performed by computer systems comprising one or more computers. A computer used to implement the invention may comprise one or more processors, including general purpose CPUs, graphical processing units (GPUs), tensor processing units (TPUs) or other specialized processors. A computer used to implement the invention may be physical or virtual. A computer used to implement the invention may be a server, a client or a workstation. Multiple computers used to implement the invention may be distributed and interconnected via a network such as a local area network (LAN), wide area network (WAN) or quantum communication network. Individual steps of the method may be carried out by a computer system but not necessarily the same computer system. For example, the invention may be applied in an arrangement where the user interacts with a mobile device whilst the quantum memory is maintained by a server, which carries out at least steps S5 and S8. Results of a method of the invention may be displayed to a user or stored in any suitable storage medium. The present invention may be embodied in a non-transitory computer-readable storage medium that stores instructions to carry out a method of the invention. The present invention may be embodied in a computer system comprising one or more processors and memory or storage storing instructions to carry out a method of the invention. The present invention may be incorporated into software updates or add-ons for a pre-existing system or device.
[0035] Having described the invention it will be appreciated that variations may be made to the above described embodiments which are not intended to be limiting. The invention is defined in the appended claims and their equivalents.

Claims

1. A method of securely storing data comprising: obtaining a data item to be stored; receiving a user password; generating a mask from the user password using a deterministic algorithm, the mask matching the length of the data item; and storing the data item in a quantum memory using the mask to determine the basis for storage.
2. A method according to any one of the preceding claims wherein obtaining a data item comprises generating a random or pseudo-random number.
3. A method according to any one of the preceding claims further comprising encrypting a data file using the data item as a key to generate an encrypted data file.
4. A method according to claim 3 further comprising storing the encrypted file in a classical memory.
5. A method according to any one of the preceding claims wherein storing the data item comprises storing a plurality of data items in a plurality of separate quantum memories.
6. A method according to claim 5 further comprising encrypting a data file using an intermediate key to generate an encrypted data file; encrypting the intermediate key separately with each of the data items as secondary keys to generate a plurality of encrypted key files.
7. A method of retrieving securely stored data comprising: receiving a user password; generating a mask from the user password using a deterministic algorithm, the mask matching the length of a data item to be retrieved; and accessing the data item in a quantum memory using the mask to determine the basis for access to the quantum memory.
8. A method according to claim 7 further comprising using the data item as a key to decode an encrypted file.
9. A method according to claim 8 wherein the encrypted file is an encrypted key file and further comprising using the content of the encrypted key file as a key to decrypt an encrypted data file.
10. A method according to any one of the preceding claims wherein generating a mask comprises deterministically compressing the user password to produce a digit-sequence having a high entropy per digit.
11. A method according to claim 10 wherein generating a mask further comprises repeating the digit-sequence.
12. A method according to any one of the preceding claims wherein generating a mask comprises hashing the user password.
13. A method according to any one of the preceding claims wherein the mask is a ternary number and the quantum memory has three orthogonal bases for each qubit.
14. A method according to any one of the preceding claims wherein the data item has greater entropy than the user password.
15. A computer program comprising computer-readable code means for instructing a computer system to perform a method according to any one of the preceding claims.
16. A security device comprising a processor, a quantum memory and a memory storing instructions to perform a method according to any one of claims 1 to 14.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB2209779.4 2022-07-04
GB2209779.4A GB2620388A (en) 2022-07-04 2022-07-04 Secure storage of data

Publications (1)

Publication Number Publication Date
WO2024009052A1 true WO2024009052A1 (en) 2024-01-11

Family

ID=82802588

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2023/051620 WO2024009052A1 (en) 2022-07-04 2023-06-21 Secure storage of data

Country Status (2)

Country Link
GB (1) GB2620388A (en)
WO (1) WO2024009052A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020083327A1 (en) * 1997-12-23 2002-06-27 Sanguthevar Rajasekaran Method and apparatus for camouflaging of data, information and functional transformations

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004056357A (en) * 2002-07-18 2004-02-19 Tamagawa Gakuen Method for authenticating registered user employing quantum key
US20180034639A1 (en) * 2011-10-04 2018-02-01 International Business Machines Corporation Multiple credentials for mitigating impact of data access under duress
CN112187448B (en) * 2019-07-01 2023-04-07 北京国盾量子信息技术有限公司 Data encryption method and system
CN113852463A (en) * 2021-09-27 2021-12-28 上海市质量监督检验技术研究院 Quantum image encryption method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WANG A RAHMAN INTERDIGITAL COMMUNICATIONS C ET AL: "Application Scenarios for the Quantum Internet draft-irtf-qirg-quantum-internet-use-cases-09; draft-irtf-qirg-quantum-internet-use-cases-09.txt", no. 9, 4 March 2022 (2022-03-04), pages 1 - 34, XP015150565, Retrieved from the Internet <URL:https://tools.ietf.org/html/draft-irtf-qirg-quantum-internet-use-cases-09> [retrieved on 20220304] *

Also Published As

Publication number Publication date
GB2620388A (en) 2024-01-10
GB202209779D0 (en) 2022-08-17

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23736442

Country of ref document: EP

Kind code of ref document: A1