Generalized privacy amplification
IEEE Transactions on Information Theory, 1995
Abstract: This paper provides a general treatment of privacy amplification by public discussion, a concept introduced by Bennett, Brassard, and Robert for a special scenario. Privacy amplification is a process that allows two parties to distill a secret key from a common random variable about which an eavesdropper has partial information. The two parties generally know nothing about the eavesdropper's information except that it satisfies a certain constraint. The results have applications to unconditionally secure secret-key agreement protocols and quantum cryptography, and they yield results on wiretap and broadcast channels for a considerably strengthened definition of secrecy capacity.
Index Terms: Cryptography, secret-key agreement, unconditional security, privacy amplification, wiretap channel, secrecy capacity, Rényi entropy, universal hashing, quantum cryptography.
Quantum Circuit Complexity
1993
We study a complexity model of quantum circuits analogous to the standard (acyclic) Boolean circuit model. It is shown that any function computable in polynomial time by a quantum Turing machine has a polynomial-size quantum circuit. This result also enables us to construct a universal quantum computer which can simulate, with a polynomial factor slowdown, a broader class of quantum machines than that considered by Bernstein and Vazirani [BV93], thus answering an open question raised in [BV93]. We also develop a theory of quantum communication complexity, and use it as a tool to prove that the majority function does not have a linear-size quantum formula.
Keywords: Boolean circuit complexity, communication complexity, quantum communication complexity, quantum computation.
AMS subject classifications: 68Q05, 68Q15.
This research was supported in part by the National Science Foundation under grant CCR-9301430.
1 Introduction. One of the most intriguing questions in computation theory ...
Unconditionally Secure Quantum Bit Commitment is Impossible
1996
The claim of quantum cryptography has always been that it can provide protocols that are unconditionally secure, that is, for which the security does not rely on any restriction on the time, space or technology available to the cheaters. We show that this claim cannot be applied to any quantum bit commitment protocol. We briefly discuss the consequences for quantum cryptography.
Quantum information theory
1998
We survey the field of quantum information theory. In particular, we discuss the fundamentals of the field, source coding, quantum error-correcting codes, capacities of quantum channels, measures of entanglement, and quantum cryptography.
Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing
In Advances in Cryptology - CRYPTO '96, Lecture Notes in Computer Science 1109, 1996
We present a very practical string-commitment scheme which is provably secure based solely on collision-free hashing. Our scheme enables a computationally bounded party to commit strings to an unbounded one, and is optimal (within a small constant factor) in terms of interaction, communication, and computation. Our result also proves that constant-round statistical zero-knowledge arguments and constant-round computational zero-knowledge proofs for NP exist based on the existence of collision-free hash functions.
1 Introduction. String commitment is a fundamental primitive for cryptographic protocols. A commitment scheme is an electronic way to temporarily hide a value that cannot be changed. Such a scheme emulates by means of a protocol the following two-stage process. In Stage 1 (the Commit stage), a party called the Sender locks a message in a box, and sends the locked box to another party called the Receiver. In Stage 2 (the Decommit stage), the Sender provides the Receiver with ...
Is Quantum Bit Commitment Really Possible?
1996
We show that all proposed quantum bit commitment schemes are insecure because the sender can always cheat successfully by using an EPR-type attack and delaying her measurement until she opens her commitment.
PACS Numbers: 03.65.Bz, 89.70.+c, 89.80.+h. Typeset using REVTeX. Email: hkl@sns.ias.edu, chau@sns.ias.edu
A bit commitment scheme generally involves two parties, a sender, Alice, and a receiver, Bob. Suppose that Alice has a bit (b = 0 or 1) in mind, to which she would like to be committed towards Bob. That is to say, she wishes to provide Bob with a piece of evidence that she has a bit in mind and that she cannot change it. Meanwhile, Bob should not be able to tell from that evidence what b is. At a later time, however, it must be possible for Alice to open the commitment. In other words, Alice must be able to show Bob which bit she has committed to and convince him that this is indeed the genuine bit that she had in mind when she committed. Various quantum bit...
Efficient Cryptographic Protocols based on Noisy Channels
1996
The Wire-Tap Channel of Wyner [20] shows that a Binary Symmetric Channel may be used as a basis for exchanging a secret key, in a cryptographic scenario of two honest people facing an eavesdropper. Later Crépeau and Kilian [9] showed how a BSC may be used to implement Oblivious Transfer in a cryptographic scenario of two possibly dishonest people facing each other. Unfortunately this result is rather impractical as it requires $\Omega(n^{11})$ bits to be transmitted through the BSC to accomplish a single OT. The current paper provides efficient protocols to achieve the cryptographic primitives of Bit Commitment and Oblivious Transfer based on the existence of a Binary Symmetric Channel. Our protocols respectively require sending $O(n)$ and $O(n^3)$ bits through the BSC. These results are based on a technique known as Generalized Privacy Amplification [1] that allows two people to extract secret information from partially compromised data.
1 Introduction. The cryptographic power of...
Committed Oblivious Transfer and Private Multi-Party Computation
1995
In this paper we present an efficient protocol for "Committed Oblivious Transfer" to perform oblivious transfer on committed bits: suppose Alice is committed to bits $a_0$ and $a_1$ and Bob is committed to $b$; they both want Bob to learn and commit to $a_b$ without Alice learning $b$ nor Bob learning $a_{\bar{b}}$. Our protocol, based on the properties of error correcting codes, uses Bit Commitment (bc) and one-out-of-two Oblivious Transfer (ot) as black boxes. Consequently the protocol may be implemented with or without a computational assumption, depending on the kind of bc and ot used by the participants. Assuming a Broadcast Channel is also available, we exploit this result to obtain a protocol for Private Multi-Party Computation, without making assumptions about a specific number or fraction of participants being honest. We analyze the protocol's efficiency in terms of bcs and ots performed. Our approach connects Zero Knowledge proofs on bcs, Oblivious Circuit Evaluation and Private Multi-Party ...
Security of Quantum Protocols against Coherent Measurements
Proceedings of the 26th Annual ACM Symposium on the Theory of Computing, 1995
The goal of quantum cryptography is to design cryptographic protocols whose security depends on quantum physics and little else. A serious obstacle to security proofs is the cheaters' ability to make coherent measurements on the joint properties of large composite states. With the exception of commit protocols, no cryptographic primitives have been proved secure when coherent measurements are allowed. In this paper we develop some mathematical techniques for analyzing probabilistic events in Hilbert spaces, and prove the security of a canonical quantum oblivious transfer protocol against coherent measurements.
1 Introduction. Work on quantum cryptography was started by Wiesner [Wi70] twenty-five years ago. Much knowledge on how to exploit quantum physics for cryptographic purposes has been gained through the work of Bennett and Brassard ([BBBW83][BB84][BBBSS92]), and later Crépeau ([Cr90][BC91][BBCS92][Cr94]). Furthermore, prototypes for implementing some of these ...
This research was...