Results 1-10 of 16
Unconditional security from noisy quantum storage
2009
Cited by 18 (1 self)
We consider the implementation of two-party cryptographic primitives based on the sole assumption that no large-scale reliable quantum storage is available to the cheating party. We construct novel protocols for oblivious transfer and bit commitment, and prove that realistic noise levels provide security even against the most general attack. Such unconditional results were previously only known in the so-called bounded-storage model, which is a special case of our setting. Our protocols can be implemented with present-day hardware used for quantum key distribution. In particular, no quantum storage is required for the honest parties.
Universally composable quantum multiparty computation
In Advances in Cryptology – Proc. EUROCRYPT 2010, LNCS
2010
Composable Security in the Bounded-Quantum-Storage Model
2008
Cited by 10 (2 self)
We present a simplified framework for proving sequential composability in the quantum setting. In particular, we give a new, simulation-based definition for security in the bounded-quantum-storage model, and show that this definition allows for sequential composition of protocols. Damgård et al. (FOCS ’05, CRYPTO ’07) showed how to securely implement bit commitment and oblivious transfer in the bounded-quantum-storage model, where the adversary is only allowed to store a limited number of qubits. However, their security definitions only applied to the stand-alone setting, and it was not clear whether their protocols could be composed. Indeed, we first give a simple attack showing that these protocols are not composable without a small refinement of the model. Finally, we prove the security of their randomized oblivious transfer protocol in our refined model. Secure implementations of oblivious transfer and bit commitment then follow easily by a (classical) reduction to randomized oblivious transfer.
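The two building blocks named in this abstract, the BB84-based randomized oblivious transfer (ROT) protocol of Damgård et al. in the bounded-quantum-storage model and the classical reduction from ROT to chosen-input 1-2 OT, as an added Python example that is not code from any of the listed papers. The quantum channel is simulated classically for honest, noiseless parties (measuring a BB84 qubit in the matching basis returns the encoded bit, in the other basis a uniformly random bit), so only correctness is exercised, not the bounded-storage security argument. The two-universal hash family is a random GF(2) matrix, an assumption standing in for whatever family an implementation chooses; all function names and parameters (`n`, `ell`, `demo`) are this example's own.

```python
"""Honest-party simulation of 1-2 randomized OT (ROT) from BB84 qubits in the
bounded-quantum-storage model, plus the classical reduction ROT -> chosen OT.
Added example: the quantum channel is simulated classically, and the hash
family (random GF(2) matrix) is an assumption of this example."""
import random


def xor_bits(u, v):
    """Bitwise XOR of two equal-length bit lists."""
    return [a ^ b for a, b in zip(u, v)]


def gf2_hash(matrix, bits):
    """Two-universal hash f(x) = M.x over GF(2); M is an ell x m 0/1 matrix."""
    return [sum(r & b for r, b in zip(row, bits)) & 1 for row in matrix]


def bb84_measure(x, basis_sent, basis_measured, rng):
    """Classical stand-in for measuring the BB84 qubit |x>_basis_sent in
    basis_measured on a noiseless channel: same basis returns x, the other
    basis returns a uniformly random bit (assumption: ideal devices)."""
    return x if basis_sent == basis_measured else rng.randrange(2)


def randomized_ot(n, ell, c, rng):
    """One ROT instance.  Returns Alice's (s0, s1) and Bob's (c, s_c).

    Honest Bob measures every qubit as it arrives, so he needs no quantum
    memory; a dishonest Bob would have to keep the qubits across the waiting
    time, which the bounded-storage assumption forbids (not exercised here)."""
    # 1. Alice: random bits x and random bases theta, sends |x_i>_theta_i.
    x = [rng.randrange(2) for _ in range(n)]
    theta = [rng.randrange(2) for _ in range(n)]
    # 2. Bob: measures each qubit immediately in a random basis theta'.
    theta_p = [rng.randrange(2) for _ in range(n)]
    x_p = [bb84_measure(x[i], theta[i], theta_p[i], rng) for i in range(n)]
    # (waiting time elapses before step 3)
    # 3. Alice reveals her bases theta.
    # 4. Bob: I_c = positions where the bases agree, I_{1-c} = the rest;
    #    he sends (I_0, I_1) to Alice, which hides c from her.
    agree = [i for i in range(n) if theta[i] == theta_p[i]]
    differ = [i for i in range(n) if theta[i] != theta_p[i]]
    I = [None, None]
    I[c], I[1 - c] = agree, differ
    if min(len(I[0]), len(I[1])) < ell:
        raise ValueError("not enough positions to extract ell output bits")
    # 5. Alice: picks hash functions f_0, f_1, sends them, and outputs
    #    s_j = f_j(x restricted to I_j).
    f = [[[rng.randrange(2) for _ in I[j]] for _ in range(ell)] for j in (0, 1)]
    s = [gf2_hash(f[j], [x[i] for i in I[j]]) for j in (0, 1)]
    # 6. Bob: on I_c his results equal x, so he can compute s_c but not s_{1-c}.
    s_c = gf2_hash(f[c], [x_p[i] for i in I[c]])
    return (s[0], s[1]), (c, s_c)


def chosen_ot(m0, m1, b, n, ell, rng):
    """Chosen-input 1-2 OT from one ROT instance (classical reduction).
    Sender holds ell-bit messages m0, m1; receiver holds choice bit b and
    returns m_b."""
    (s0, s1), (c, s_c) = randomized_ot(n, ell, rng.randrange(2), rng)
    # Receiver -> Sender: d = c XOR b.  c is uniform and unknown to the
    # sender, so d is independent of b.
    d = c ^ b
    # Sender -> Receiver: e_i = m_i XOR s_{i XOR d}.
    s = (s0, s1)
    e = [xor_bits(m, s[i ^ d]) for i, m in enumerate((m0, m1))]
    # Receiver: e_b = m_b XOR s_{b XOR c XOR b} = m_b XOR s_c.
    # Recovering m_{1-b} would need s_{1-c}, which the receiver lacks.
    return xor_bits(e[b], s_c)


def demo(seed, n=256, ell=16):
    """Seeded run: returns (rot_consistent, ot_b0_correct, ot_b1_correct)."""
    rng = random.Random(seed)  # seeded only for a reproducible demo
    (s0, s1), (c, s_c) = randomized_ot(n, ell, 1, rng)
    rot_ok = (c == 1 and s_c == s1 and len(s0) == ell)
    m0 = [rng.randrange(2) for _ in range(ell)]
    m1 = [rng.randrange(2) for _ in range(ell)]
    ot0 = chosen_ot(m0, m1, 0, n, ell, rng) == m0
    ot1 = chosen_ot(m0, m1, 1, n, ell, rng) == m1
    return rot_ok, ot0, ot1


if __name__ == "__main__":
    print("ROT consistent, OT(b=0) ok, OT(b=1) ok:", demo(2024))
```

With n = 256 each index set has about 128 positions, comfortably above the 16 output bits; a real deployment sizes `n` against the adversary's storage bound and the noise, which this honest-party simulation does not model.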
Robust Cryptography in the Noisy-Quantum-Storage Model
2009
Cited by 9 (3 self)
It was shown in [42] that cryptographic primitives can be implemented based on the assumption that quantum storage of qubits is noisy. In this work we analyze a protocol for the universal task of oblivious transfer that can be implemented using quantum-key-distribution (QKD) hardware in the practical setting where honest participants are unable to perform noise-free operations. We derive trade-offs between the amount of storage noise, the amount of noise in the operations performed by the honest participants and the security of oblivious transfer which are greatly improved compared to the results in [42]. As an example, we show that for the case of depolarizing noise in storage we can obtain secure oblivious transfer as long as the quantum bit-error rate of the channel does not exceed 11% and the noise on the channel is strictly less than the quantum storage noise. This is optimal for the protocol considered. Finally, we show that our analysis easily carries over to quantum protocols for secure identification.
On the efficiency of classical and quantum oblivious transfer reductions
In Advances in Cryptology — CRYPTO ’10, Lecture Notes in Computer Science
2010
Cited by 7 (2 self)
Due to its universality, oblivious transfer (OT) is a primitive of great importance in secure multi-party computation. OT is impossible to implement from scratch in an unconditionally secure way, but there are many reductions of OT to other variants of OT, as well as to other primitives such as noisy channels. It is important to know how efficient such unconditionally secure reductions can be in principle, i.e., how many instances of a given primitive are at least needed to implement OT. For perfect (error-free) implementations good lower bounds are known, e.g. the bounds by Beaver (STOC ’96) or by Dodis and Micali (EUROCRYPT ’99). However, in practice one is usually willing to tolerate a small probability of error, and it is known that these statistical reductions can in general be much more efficient. Thus, the known bounds have only limited application. In the first part of this work we provide bounds on the efficiency of secure (one-sided) two-party computation of arbitrary finite functions from distributed randomness in the statistical case. From these results we derive bounds on the efficiency of protocols that use (different variants of) OT as a black box. When applied to implementations of OT, our bounds generalize known results to the statistical case. Our results hold in particular for transformations between a finite number of primitives and for any error. Furthermore, we provide bounds on the efficiency of protocols implementing Rabin OT.
On the power of two-party quantum cryptography
2009
Cited by 6 (2 self)
We study quantum protocols among two distrustful parties. Under the sole assumption of correctness—guaranteeing that honest players obtain their correct outcomes—we show that every protocol implementing a non-trivial primitive necessarily leaks information to a dishonest player. This extends known impossibility results to all non-trivial primitives. We provide a framework for quantifying this leakage and argue that leakage is a good measure for the privacy provided to the players by a given protocol. Our framework also covers the case where the two players are helped by a trusted third party. We show that despite the help of a trusted third party, the players cannot amplify the cryptographic power of any primitive. All our results hold even against quantum honest-but-curious adversaries who honestly follow the protocol but purify their actions and apply a different measurement at the end of the protocol. As concrete examples, we establish lower bounds on the leakage of standard universal two-party primitives such as oblivious transfer.
Classical cryptographic protocols in a quantum world
of Lecture Notes in Computer Science
2011
Cited by 6 (1 self)
Cryptographic protocols, such as protocols for secure function evaluation, have played a crucial role in the development of modern cryptography. Secure function evaluation (SFE) allows a group of players, each holding a secret input (e.g., a vote), to jointly evaluate some function of their inputs (say, the votes’ tally) without revealing anything except the function’s value. A special case of this is a zero-knowledge (ZK) proof system, which allows a prover P who knows a short proof of a statement to interactively prove the statement to a computationally bounded verifier V without revealing anything except the statement’s veracity. The very possibility of such protocols is counterintuitive. But a series of seminal results in the 1980s showed that under mild assumptions (roughly, the existence of secure public-key cryptosystems), SFE protocols exist for any polynomial-time function [22, 10, 3, 29], and ZK proof systems are possible for any language in NP [23]. Research into the design and analysis of these protocols is now a large subfield of cryptography; moreover, it has driven important advances in more traditional areas of cryptography such as the design of encryption, authentication and signature schemes. The extensive theory of these protocols, however, deals almost exclusively with classical attackers. If we accept that quantum information processing is currently the most realistic model of physically feasible computation (we do), then we must ask: what classical protocols remain secure against quantum attackers?
Improving the Security of Quantum Protocols via Commit-and-Open
2009
Cited by 6 (5 self)
We consider two-party quantum protocols starting with a transmission of some random BB84 qubits followed by classical messages. We show a general “compiler” improving the security of such protocols: if the original protocol is secure against an “almost honest” adversary, then the compiled protocol is secure against an arbitrary computationally bounded (quantum) adversary. The compilation preserves the number of qubits sent and the number of rounds up to a constant factor. The compiler also preserves security in the bounded-quantum-storage model (BQSM), so if the original protocol was BQSM-secure, the compiled protocol can only be broken by an adversary who has large quantum memory and large computing power. This is in contrast to known BQSM-secure protocols, where security breaks down completely if the adversary has larger quantum memory than expected. We show how our technique can be applied to quantum identification and oblivious transfer protocols.
Simple protocols for oblivious transfer and secure identification in the noisy-quantum-storage model
Phys. Rev. A
Secure authentication from a weak key, without leaking information
Advances in Cryptology — Eurocrypt 2011, volume 6632 of LNCS
2011
Cited by 5 (0 self)
We study the problem of authentication based on a weak key in the information-theoretic setting. A key is weak if its min-entropy is an arbitrarily small fraction of its bit length. This problem has recently received considerable attention, with different solutions optimizing different parameters. We study the problem in an extended setting, where the weak key is used as a one-time session key that is derived from a public source of randomness with the help of a (potentially also weak) long-term key. Our goal now is to authenticate a message by means of the weak session key in such a way that (nearly) no information on the long-term key is leaked. Ensuring privacy of the long-term key is vital for the long-term key to be reusable. Previous work has not considered such a privacy issue, and previous solutions do not seem to satisfy this requirement. We show the existence of a practical four-round protocol that provides message authentication from a weak session key and that avoids non-negligible leakage on the long-term key. The security of our scheme also holds in the quantum setting where the adversary may have limited quantum side information on the weak session key. As an application of our scheme, we show the existence of an identification scheme in the bounded quantum storage model that is secure against a man-in-the-middle attack and that is truly password-based: it does not need any high-entropy key, in contrast to the scheme proposed by Damgård et al.