Classical cryptographic protocols in a quantum world
Lecture Notes in Computer Science, 2011
Cited by 6 (1 self)
Abstract
Cryptographic protocols, such as protocols for secure function evaluation, have played a crucial role in the development of modern cryptography. Secure function evaluation (SFE) allows a group of players, each holding a secret input (e.g., a vote), to jointly evaluate some function of their inputs (say, the votes' tally) without revealing anything except the function's value. A special case of this is a zero-knowledge (ZK) proof system, which allows a prover P who knows a short proof of a statement to interactively prove the statement to a computationally bounded verifier V without revealing anything except the statement's veracity. The very possibility of such protocols is counterintuitive. But a series of seminal results in the 1980s showed that under mild assumptions (roughly, the existence of secure public-key cryptosystems), SFE protocols exist for any polynomial-time function [22, 10, 3, 29], and ZK proof systems are possible for any language in NP [23]. Research into the design and analysis of these protocols is now a large subfield of cryptography; moreover, it has driven important advances in more traditional areas of cryptography such as the design of encryption, authentication and signature schemes. The extensive theory of these protocols, however, deals almost exclusively with classical attackers. If we accept that quantum information processing is currently the most realistic model of physically feasible computation (we do), then we must ask: what classical protocols remain secure against quantum attackers?
On the Connection between Leakage Tolerance and Adaptive Security
Cited by 4 (3 self)
Abstract
We revisit the context of leakage-tolerant interactive protocols as defined by Bitansky, Canetti and Halevi (TCC 2012). Our contributions can be summarized as follows: 1. For the purpose of secure message transmission, any encryption protocol with message space M and secret key space SK tolerating poly-logarithmic leakage on the secret state of the receiver must satisfy |SK| ≥ (1 − ε)|M|, for every 0 < ε ≤ 1, and if |SK| = |M|, then the scheme must use a fresh key pair to encrypt each message. 2. More generally, we show that any n-party protocol tolerates leakage of ≈ poly(log κ) bits from one party at the end of the protocol execution if and only if the protocol has passive adaptive security against an adaptive corruption of one party at the end of the protocol execution. This shows that as soon as a little leakage is tolerated, one needs full adaptive security. 3. In case more than one party can be corrupted, we get that leakage tolerance is equivalent to a weaker form of adaptivity, which we call semi-adaptivity. Roughly, a protocol has semi-adaptive security if there exists a simulator which can simulate the internal state of corrupted parties; however, such a state is not required to be indistinguishable from a real state, only to be one that would have led to the simulated communication. All our results can be based on the sole assumption that collision-resistant function ensembles exist.
Microsoft Cambridge
Abstract
The Fiat-Shamir transform is a well-studied paradigm for removing interaction from public-coin protocols. We investigate whether the resulting non-interactive zero-knowledge (NIZK) proof systems also exhibit non-malleability properties that have up to now only been studied for NIZK proof systems in the common reference string model: first, we formally define simulation soundness and a weak form of simulation extraction in the random oracle model (ROM). Second, we show that in the ROM the Fiat-Shamir transform meets these properties under lenient conditions. A consequence of our result is that, in the ROM, we obtain truly efficient non-malleable NIZK proof systems essentially for free. Our definitions are sufficient for instantiating the Naor-Yung paradigm for CCA2-secure encryption, as well as a generic construction for signature schemes from hard relations and simulation-extractable NIZK proof systems. These two constructions are interesting as the former preserves both the leakage resilience and key-dependent message security of the underlying CPA-secure encryption scheme, while the latter lifts the leakage resilience of the hard relation to the
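The transform the abstract refers to, as an added example that is not code from the paper above: a Schnorr proof of knowledge of a discrete logarithm, compiled into a NIZK by replacing the verifier's random challenge with a hash. The block contrasts the variant whose challenge hashes both the statement and the prover's commitment with a variant that hashes the commitment only, and shows that the latter lets anyone re-target a valid proof to a related statement without knowing the witness, which is why what goes into the hash matters for non-malleability. The group parameters, the toy group size, and all function names are assumptions made for this example.

```python
import hashlib
import secrets

# Added example, not code from the paper. Schnorr Sigma-protocol for knowledge of a
# discrete logarithm, made non-interactive with the Fiat-Shamir transform.
# The group is toy-sized (safe prime P = 2Q + 1, Q prime, G of order Q) so that the
# arithmetic stays readable; a deployment would use a standardised group of 2048+ bits.
P = 1019          # prime, P = 2*Q + 1
Q = 509           # prime order of the subgroup generated by G
G = 4             # quadratic residue mod P, hence of order Q


def hash_to_zq(*parts: int) -> int:
    """Random-oracle stand-in: SHA-256 over fixed-width encodings, reduced mod Q.
    Fixed-width encoding keeps the input unambiguous (no length-extension tricks)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part.to_bytes(4, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def in_group(elem: int) -> bool:
    """Membership test for the order-Q subgroup (rejects 0, 1 and non-residues)."""
    return 1 < elem < P and pow(elem, Q, P) == 1


def challenge(y: int, R: int, bind_statement: bool) -> int:
    # Strong Fiat-Shamir: the challenge covers the statement y and the commitment R.
    # Weak Fiat-Shamir: the challenge covers the commitment R only.
    return hash_to_zq(G, y, R) if bind_statement else hash_to_zq(R)


def prove(x: int, y: int, bind_statement: bool = True, r=None):
    """NIZK proof of knowledge of x with y = G^x mod P.
    r is the prover's nonce; it may be fixed for reproducible tests only."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    c = challenge(y, R, bind_statement)
    s = (r + c * x) % Q
    return R, s


def verify(y: int, proof, bind_statement: bool = True) -> bool:
    R, s = proof
    if not (in_group(y) and in_group(R) and 0 <= s < Q):
        return False
    c = challenge(y, R, bind_statement)
    return pow(G, s, P) == (R * pow(y, c, P)) % P


def maul(y: int, proof, d: int, bind_statement: bool):
    """Try to turn a proof for y into a proof for y' = y * G^d without knowing x.
    Against weak Fiat-Shamir this works: the verifier's challenge depends on R only, so
        G^(s + c*d) = R * y^c * G^(c*d) = R * (y * G^d)^c
    and (R, s + c*d) verifies for y'. With the statement bound into the hash, the
    verifier recomputes a different challenge for y' and the relation breaks."""
    R, s = proof
    c = challenge(y, R, bind_statement)
    y_new = (y * pow(G, d, P)) % P
    return y_new, (R, (s + c * d) % Q)


if __name__ == "__main__":
    x = 123                      # fixed witness for a reproducible demo
    y = pow(G, x, P)
    pi_weak = prove(x, y, bind_statement=False)
    y2, pi2 = maul(y, pi_weak, 7, bind_statement=False)
    print("weak FS:   honest", verify(y, pi_weak, False), " mauled", verify(y2, pi2, False))
    pi_strong = prove(x, y)
    y3, pi3 = maul(y, pi_strong, 7, bind_statement=True)
    print("strong FS: honest", verify(y, pi_strong), " mauled", verify(y3, pi3))
```

Because the toy challenge space is only 9 bits, a mauled strong-variant proof can still pass by chance about once in 509 attempts; with a real group and a full-width challenge that probability is negligible. The weak-variant maul, by contrast, succeeds for every d.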
Contents
2008
Abstract
Important note: These notes are not supposed to be selfcontained. Instead, they are intended as a reminder about which topics where discussed in the lecture. If you
Making Existential-Unforgeable Signatures Strongly Unforgeable in the Quantum Random-Oracle Model
Abstract
Strongly unforgeable signature schemes provide a more stringent security guarantee than standard existential unforgeability: not only must forging a signature on a new message be hard, it must also be infeasible to produce a new signature on a message for which the adversary has already seen valid signatures. Strongly unforgeable signatures are useful both in practice and as a building block in many cryptographic constructions. This work investigates a generic transformation that compiles any existentially unforgeable scheme into a strongly unforgeable one, which was proposed by Teranishi et al. [30] and was proven secure in the classical random-oracle model. Our main contribution is showing that the transformation also works against quantum adversaries in the quantum random-oracle model. We develop proof techniques, such as adaptively programming a quantum random oracle in a new setting, which could be of independent interest. Applying the transformation to an existentially unforgeable signature scheme due to Cash et al. [10], which can be shown to be quantum-secure assuming certain lattice problems are hard for quantum computers, we get an efficient quantum-secure strongly unforgeable signature scheme in the quantum random-oracle model.
Semantic Security and Indistinguishability in the Quantum World
2015
Abstract
At CRYPTO 2013, Boneh and Zhandry initiated the study of quantum-secure encryption. They proposed the first indistinguishability definitions for the quantum world, where the actual indistinguishability only holds for classical messages, and they gave arguments why it might be hard to achieve a stronger notion. In this work, we show that stronger notions are achievable, where the indistinguishability holds for quantum superpositions of messages. We investigate exhaustively the possibilities and subtle differences in defining such a quantum indistinguishability notion for symmetric-key encryption schemes. We justify our stronger definition by showing its equivalence to novel quantum semantic-security notions that we introduce. Furthermore, we show that our new security definitions cannot be achieved by a large class of ciphers: those which are quasi-preserving the message length. On the other hand, we provide a secure construction based on quantum-resistant pseudorandom permutations; this construction can be used as a generic transformation for turning a large class of encryption schemes into quantum-indistinguishable and hence quantum semantically secure ones.