Domain theory for concurrency, 2003
Cited by 28 (6 self)
Abstract: Concurrent computation can be given an abstract mathematical treatment very similar to that provided for sequential computation by domain theory and denotational semantics of Scott and Strachey.
Zero-knowledge proofs and string commitments withstanding quantum attacks, 2004
Cited by 20 (4 self)
Abstract: The concept of zero-knowledge (ZK) has become of fundamental importance in cryptography. However, in a setting where entities are modeled by quantum computers, classical arguments for proving ZK fail to hold since, in the quantum setting, the concept of rewinding is not generally applicable. Moreover, known classical techniques that avoid rewinding have various shortcomings in the quantum setting. We propose new
Unconditional security from noisy quantum storage, 2009
Cited by 18 (1 self)
Abstract: We consider the implementation of two-party cryptographic primitives based on the sole assumption that no large-scale reliable quantum storage is available to the cheating party. We construct novel protocols for oblivious transfer and bit commitment, and prove that realistic noise levels provide security even against the most general attack. Such unconditional results were previously only known in the so-called bounded-storage model, which is a special case of our setting. Our protocols can be implemented with present-day hardware used for quantum key distribution. In particular, no quantum storage is required for the honest parties.
Computational indistinguishability between quantum states and its cryptographic application. Advances in Cryptology – EUROCRYPT 2005, 2005
Cited by 14 (6 self)
Abstract: We introduce a computational problem of distinguishing between two specific quantum states as a new cryptographic problem to design a quantum cryptographic scheme that is “secure” against any polynomial-time quantum adversary. Our problem QSCDff is to distinguish between two types of random coset states with a hidden permutation over the symmetric group of finite degree. This naturally generalizes the commonly used distinction problem between two probability distributions in computational cryptography. As our major contribution, we show three cryptographic properties: (i) QSCDff has the trapdoor property; (ii) the average-case hardness of QSCDff coincides with its worst-case hardness; and (iii) QSCDff is computationally at least as hard in the worst case as the graph automorphism problem. These cryptographic properties enable us to construct a quantum public-key cryptosystem, which is likely to withstand any chosen plaintext attack of a polynomial-time quantum adversary. We further discuss a generalization of QSCDff, called QSCDcyc, and introduce a multi-bit encryption scheme relying on the cryptographic properties of QSCDcyc.
Classical cryptographic protocols in a quantum world. Lecture Notes in Computer Science, 2011
Cited by 6 (1 self)
Abstract: Cryptographic protocols, such as protocols for secure function evaluation, have played a crucial role in the development of modern cryptography. Secure function evaluation (SFE) allows a group of players, each holding a secret input (e.g., a vote), to jointly evaluate some function of their inputs (say, the votes’ tally) without revealing anything except the function’s value. A special case of this is a zero-knowledge (ZK) proof system, which allows a prover P who knows a short proof of a statement to interactively prove the statement to a computationally bounded verifier V without revealing anything except the statement’s veracity. The very possibility of such protocols is counterintuitive. But a series of seminal results in the 1980’s showed that under mild assumptions (roughly, the existence of secure public-key cryptosystems), SFE protocols exist for any polynomial-time function [22, 10, 3, 29], and ZK proof systems are possible for any language in NP [23]. Research into the design and analysis of these protocols is now a large subfield of cryptography; moreover, it has driven important advances in more traditional areas of cryptography such as the design of encryption, authentication and signature schemes. The extensive theory of these protocols, however, deals almost exclusively with classical attackers. If we accept that quantum information processing is currently the most realistic model of physically feasible computation (we do), then we must ask: what classical protocols remain secure against quantum attackers?
Improving the Security of Quantum Protocols via Commit-and-Open, 2009
Cited by 6 (5 self)
Abstract: We consider two-party quantum protocols starting with a transmission of some random BB84 qubits followed by classical messages. We show a general “compiler” improving the security of such protocols: if the original protocol is secure against an “almost honest” adversary, then the compiled protocol is secure against an arbitrary computationally bounded (quantum) adversary. The compilation preserves the number of qubits sent and the number of rounds up to a constant factor. The compiler also preserves security in the bounded-quantum-storage model (BQSM), so if the original protocol was BQSM-secure, the compiled protocol can only be broken by an adversary who has large quantum memory and large computing power. This is in contrast to known BQSM-secure protocols, where security breaks down completely if the adversary has larger quantum memory than expected. We show how our technique can be applied to quantum identification and oblivious transfer protocols.
Non-Interactive Statistically-Hiding Quantum Bit Commitment from Any Quantum One-Way Function
Zero-Knowledge Proofs and String Commitments Withstanding Quantum Attacks
Abstract: The concept of zero-knowledge (ZK) has become of fundamental importance in cryptography. However, in a setting where entities are modeled by quantum computers, classical arguments for proving ZK fail to hold since, in the quantum setting, the concept of rewinding is not generally applicable. Moreover, known classical techniques that avoid rewinding have various shortcomings in the quantum setting. We propose new techniques for building quantum zero-knowledge (QZK) protocols, which remain secure even under (active) quantum attacks. We obtain computational QZK proofs and perfect QZK arguments for any NP language in the common reference string model. This is based on a general method converting an important class of classical honest-verifier ZK (HVZK) proofs into QZK proofs. This leads to quite practical protocols if the underlying HVZK proof is efficient. These are the first proof protocols enjoying these properties, in particular the first to achieve perfect QZK. As part of our construction, we propose a general framework for building unconditionally hiding (trapdoor) string commitment schemes, secure against quantum attacks, as well as concrete instantiations based on specific (believed to be) hard problems. This is of independent interest, as these are the first unconditionally hiding string commitment schemes withstanding quantum attacks. Finally, we give a partial answer to the question whether QZK is possible in the plain model. We propose a new notion of QZK, non-oblivious verifier QZK, which is strictly stronger than honest-verifier QZK but weaker than full QZK, and we show that this notion can be achieved by means of efficient (quantum) protocols.
On the (Im)Possibility of Quantum String . . ., 2005
Abstract: Unconditionally secure non-relativistic bit commitment is known to be impossible in both the classical and quantum worlds. However, when committing to a string of n bits at once, how far can we stretch the quantum limits? We consider quantum schemes where Alice commits a string of n bits to Bob, in such a way that she can only cheat on a bits and Bob can learn at most b bits of “information” before the reveal phase. We show a negative and a positive result, depending on how we measure Bob’s information. If we use the Holevo quantity, no good schemes exist: a + b is at least n. If, however, we use accessible information, there exists a scheme where a = 4 log n + O(1) and b = 4. This is classically impossible. Our protocol is not efficient; however, we also exhibit an efficient scheme when Bob’s measurement circuit is restricted to polynomial size. Our scheme also implies a protocol for n simultaneous coin flips which achieves higher entropy of the resulting string than any previously known protocol.
Computational Distinguishability between Quantum States: Random Coset States vs. Maximally Mixed States over the Symmetric Groups, 2004
Abstract: We introduce a new underlying problem for computational cryptographic schemes secure against quantum adversaries. The problem is a distinction problem between quantum states which is a natural generalization of distinction problems between probability distributions, which are commonly used in computational cryptography. Specifically, our problem QSCDff is defined as a quantum state computational distinguishability problem between random coset states with a hidden permutation and a maximally mixed state (uniform distribution) over the symmetric group. A similar problem to ours appears in the context of the hidden subgroup problem on the symmetric group in the research of quantum computation and is regarded as a hard problem. In this paper, we show that (i) QSCDff has the trapdoor property; (ii) the average-case complexity of QSCDff completely coincides with its worst-case complexity; (iii) the computational complexity of QSCDff is lower-bounded by the worst-case hardness of the graph automorphism problem. These properties enable us to construct cryptographic systems. Actually, we show a cryptographic application based on the hardness of QSCDff.