Results

### Studies in the Efficiency and (versus) Security of Cryptographic Tasks

Abstract

In this thesis, we deal with the following questions: (1) How efficient can a cryptographic algorithm be while achieving a desired level of security? (2) Since mathematical conjectures like P ≠ NP are necessary for the possibility of secure cryptographic primitives in the standard models of computation: (a) Can we base cryptography solely on the widely believed assumption that P ≠ NP, or do we need stronger assumptions? (b) Which alternative nonstandard models offer us provable security unconditionally, while being implementable in real life? First we study the question of security vs. efficiency in public-key cryptography and prove tight bounds on the efficiency of black-box constructions of key-agreement and (public-key) digital signatures that achieve a desired level of security using “random-like” functions. Namely, we prove that any key-agreement protocol in the random oracle model where the parties ask at most n oracle queries can be broken by an adversary who asks at most O(n^2) oracle queries and finds the key with high probability. This improves upon the previous Õ(n^6)-query attack of Impagliazzo and Rudich [98] and proves that a simple key-agreement protocol due to Merkle [118] is optimal. We also prove that any signature scheme in the

### Quantum one-time programs (extended abstract)

Abstract

A one-time program is a hypothetical device by which a user may evaluate a circuit on exactly one input of his choice, before the device self-destructs. One-time programs cannot be achieved by software alone, as any software can be copied and re-run. However, it is known that every circuit can be compiled into a one-time program using a very basic hypothetical hardware device called a one-time memory. At first glance it may seem that quantum information, which cannot be copied, might also allow for one-time programs. But it is not hard to see that this intuition is false: one-time programs for classical or quantum circuits based solely on quantum information do not exist, even with computational assumptions. This observation raises the question, “what assumptions are required to achieve one-time programs for quantum circuits?” Our main result is that any quantum circuit can be compiled into a one-time program assuming only the same basic one-time memory devices used for classical circuits. Moreover, these quantum one-time programs achieve statistical universal composability (UC-security) against any malicious user. Our construction employs methods for computation on authenticated quantum data, and we present a new quantum authentication scheme called the trap scheme for this purpose. As a corollary, we establish UC-security of a recent protocol for delegated quantum computation.

### Notes on an Inequality

2007

Abstract

Keywords: Integral inequality, Young’s inequality. In this note we prove a generalized version of an inequality which was first introduced by A. Q. Ngo et al. and later generalized and proved by W. J. Liu et al. in the paper "On an open problem concerning an integral inequality", J. Inequal. Pure & Appl. Math., 8(3) (2007), Art. 74.

### Several Weak Bit-Commitments Using Seal-Once Tamper-Evident Devices

Abstract

Following both theoretical and practical arguments, we construct UC-secure bit-commitment protocols that place their strength on the sender’s side and are built using tamper-evident devices, e.g., a type of distinguishable, sealed envelopes. We show that by using a second formalisation of tamper-evident distinguishable envelopes we can attain better security guarantees, i.e., EUC-security. We show the relations between several flavours of weak bit-commitments, bit-commitments and distinguishable tamper-evident envelopes. We focus, at all points, on the lightweight nature of the underlying mechanisms and on the end-to-end human verifiability.

### METAP: Revisiting Privacy-Preserving Data Publishing using Secure Devices

Abstract

The goal of Privacy-Preserving Data Publishing (PPDP) is to generate a sanitized (i.e. harmless) view of sensitive personal data (e.g. a health survey), to be released to some agencies or simply the public. However, traditional PPDP practices all make the assumption that the process is run on a trusted central server. In this article, we argue that the trust assumption on the central server is far too strong. We propose MetAP, a generic fully distributed protocol, to execute various forms of PPDP algorithms on an asymmetric architecture composed of low power secure devices and a powerful but untrusted infrastructure. We show that this protocol is both correct and secure against honest-but-curious or malicious adversaries. Finally, we provide an experimental validation showing that this protocol can support PPDP processes scaling up to nation-wide surveys.

### Secure Physical Computation using Disposable Circuits

Abstract

In a secure physical computation, a set of parties each have physical inputs and jointly compute a function of their inputs in a way that reveals no information to any party except for the output of the function. Recent work in CRYPTO’14 presented examples of physical zero-knowledge proofs of physical properties, a special case of secure physical two-party computation in which one party has a physical input and the second party verifies a boolean function of that input. While the work suggested a general framework for modeling and analyzing physical zero-knowledge protocols, it did not provide a general theory of how to prove any physical property with zero-knowledge. This paper takes an orthogonal approach using disposable circuits (DC)—cheap hardware tokens that can be completely destroyed after a computation—an extension of the familiar tamper-proof token model. In the DC model, we demonstrate that two parties can compute any function of their physical inputs in a way that leaks at most 1 bit of additional information to either party. Moreover, our result generalizes to any multi-party physical computation. Formally, our protocols achieve unconditional UC-security with input-dependent abort.

### Methods for Leakage-Resilient Computation

Abstract

Computation in the presence of malicious/attacked hardware: inputs x and y are fed to a program P, which produces the output z = P(x, y) or fails.
- Privacy threats: hardware trojans, side-channel attacks.
- Correctness threats: hardware bugs/viruses/implementation errors, fault injection.

### (Efficient) Universally Composable Oblivious Transfer Using a Minimal Number of Stateless Tokens

2013

Abstract

We continue the line of work initiated by Katz (Eurocrypt 2007) on using tamper-proof hardware for universally composable secure computation. As our main result, we show an efficient oblivious-transfer (OT) protocol in which two parties each create and exchange a single, stateless token and can then run an unbounded number of OTs. Our result yields what we believe is the most practical and efficient known approach for oblivious transfer based on tamper-proof tokens, and implies that the parties can perform (repeated) secure computation of arbitrary functions without exchanging additional tokens. Motivated by this result, we investigate the minimal number of stateless tokens needed for universally composable OT / secure computation. We prove that our protocol is optimal in this regard for constructions making black-box use of the tokens (in a sense we define). We also show that non-black-box techniques can be used to obtain a construction using only a single stateless token.