Results 1 - 10 of 35
A tight high-order entropic quantum uncertainty relation with applications
, 2007
Cited by 27 (9 self)
We derive a new entropic quantum uncertainty relation involving min-entropy. The relation is tight and can be applied in various quantum-cryptographic settings. Protocols for quantum 1-out-of-2 Oblivious Transfer and quantum Bit Commitment are presented and the uncertainty relation is used to prove the security of these protocols in the bounded-quantum-storage model according to new strong security definitions. As another application, we consider the realistic setting of Quantum Key Distribution (QKD) against quantum-memory-bounded eavesdroppers. The uncertainty relation allows to prove the security of QKD protocols in this setting while tolerating considerably higher error rates compared to the standard model with unbounded adversaries. For instance, for the six-state protocol with one-way communication, a bit-flip error rate of up to 17 % can be tolerated (compared to 13 % in the standard model). Our uncertainty relation also yields a lower bound on the min-entropy key uncertainty against known-plaintext attacks when quantum ciphers are composed. Previously, the key uncertainty of these ciphers was only known with respect to Shannon entropy.
Composing quantum protocols in a classical environment
, 2009
Cited by 16 (5 self)
We propose a general security definition for cryptographic quantum protocols that implement classical non-reactive two-party tasks. The definition is expressed in terms of simple quantum-information-theoretic conditions which must be satisfied by the protocol to be secure. The conditions are uniquely determined by the ideal functionality F defining the cryptographic task to be implemented. We then show the following composition result. If quantum protocols π1,...,πℓ securely implement ideal functionalities F1,...,Fℓ according to our security definition, then any purely classical two-party protocol, which makes sequential calls to F1,...,Fℓ, is equally secure as the protocol obtained by replacing the calls to F1,...,Fℓ with the respective quantum protocols π1,...,πℓ. Hence, our approach yields the minimal security requirements which are strong enough for the typical use of quantum protocols as subroutines within larger classical schemes. Finally, we show that recently proposed quantum protocols for secure identification and oblivious transfer in the bounded-quantum-storage model satisfy our security definition, and thus compose in the above sense.
The bounded-storage model in the presence of a quantum adversary
 IEEE Transactions on Information Theory
, 2008
Cited by 15 (1 self)
Abstract—An extractor is a function that is used to extract randomness. Given an imperfect random source X and a uniform seed Y, the output (X; Y) is close to uniform. We study properties of such functions in the presence of prior quantum information about X, with a particular focus on cryptographic applications. We prove that certain extractors are suitable for key expansion in the bounded-storage model where the adversary has a limited amount of quantum memory. For extractors with one-bit output we show that the extracted bit is essentially equally secure as in the case where the adversary has classical resources. We prove the security of certain constructions that output multiple bits in the bounded-storage model. Index Terms—Bounded-storage model, cryptography, extractors, locking, privacy amplification, quantum information theory, quantum key distribution, quantum memory, security proofs, universal composability.
Universally composable quantum multiparty computation
 In Advances in Cryptology – Proc. EUROCRYPT 2010, LNCS
, 2010
Secure identification and QKD in the bounded-quantum-storage model
 In Advances in Cryptology— CRYPTO ’07
, 2007
Cited by 14 (8 self)
Abstract. We consider the problem of secure identification: user U proves to server S that he knows an agreed (possibly low-entropy) password w, while giving away as little information on w as possible, namely the adversary can exclude at most one possible password for each execution of the scheme. We propose a solution in the bounded-quantum-storage model, where U and S may exchange qubits, and a dishonest party is assumed to have limited quantum memory. No other restriction is posed upon the adversary. An improved version of the proposed identification scheme is also secure against a man-in-the-middle attack, but requires U and S to additionally share a high-entropy key k. However, security is still guaranteed if one party loses k to the attacker but notices the loss. In both versions of the scheme, the honest participants need no quantum memory, and noise and imperfect quantum sources can be tolerated. The schemes compose sequentially, and w and k can securely be reused. A small modification to the identification scheme results in a quantum-key-distribution (QKD) scheme, secure in the bounded-quantum-storage model, with the same reusability properties of the keys, and without assuming authenticated channels. This is in sharp contrast to known QKD schemes (with unbounded adversary) without authenticated channels, where authentication keys must be updated, and unsuccessful executions can cause the parties to run out of keys.
C.: Position-Based Quantum Cryptography: Impossibility and Constructions. Full version of this paper
, 2010
Cited by 11 (1 self)
Composable Security in the Bounded-Quantum-Storage Model
, 2008
Cited by 10 (2 self)
We present a simplified framework for proving sequential composability in the quantum setting. In particular, we give a new, simulation-based, definition for security in the bounded-quantum-storage model, and show that this definition allows for sequential composition of protocols. Damgård et al. (FOCS ’05, CRYPTO ’07) showed how to securely implement bit commitment and oblivious transfer in the bounded-quantum-storage model, where the adversary is only allowed to store a limited number of qubits. However, their security definitions did only apply to the standalone setting, and it was not clear if their protocols could be composed. Indeed, we first give a simple attack that shows that these protocols are not composable without a small refinement of the model. Finally, we prove the security of their randomized oblivious transfer protocol in our refined model. Secure implementations of oblivious transfer and bit commitment then follow easily by a (classical) reduction to randomized oblivious transfer.
Long-term security and universal composability
 Journal of Cryptology
Cited by 10 (2 self)
Algorithmic progress and future technological advances threaten today’s cryptographic protocols. This may allow adversaries to break a protocol retrospectively by breaking the underlying complexity assumptions long after the execution of the protocol. Long-term secure protocols, protocols that after the end of the execution do not reveal any information to a then possibly unlimited adversary, could meet this threat. On the other hand, in many applications, it is necessary that a protocol is secure not only when executed alone, but within arbitrary contexts. The established notion of universal composability (UC) captures this requirement. This is the first paper to study protocols which are simultaneously long-term secure and universally composable. We show that the usual setup assumptions used for UC protocols (e.g., a common reference string) are not sufficient to achieve long-term secure and composable protocols for commitments or zero-knowledge protocols. We give practical alternatives (e.g., signature cards) to these usual setup-assumptions and show that these enable the implementation of the important primitives
From Low-Distortion Norm Embeddings to Explicit Uncertainty Relations and Efficient Information Locking
Cited by 9 (2 self)
Quantum uncertainty relations are at the heart of many quantum cryptographic protocols performing classically impossible tasks. One operational manifestation of these uncertainty relations is a purely quantum effect referred to as information locking [12]. A locking scheme can be viewed as a cryptographic protocol in which a uniformly random n-bit message is encoded in a quantum system using a classical key of size much smaller than n. Without the key, no measurement of this quantum state can extract more than a negligible amount of information about the message (the message is “locked”). Furthermore, knowing the key, it is possible to recover (or “unlock”) the message. In this paper, we make the following contributions by exploiting a connection between uncertainty relations and low-distortion embeddings of ℓ2 into ℓ1.