## Composable Security in the Bounded-Quantum-Storage Model (2008)

Citations: 10 - 2 self

### Citations

1232 | The knowledge complexity of interactive proof systems
- Goldwasser, Micali, et al.
- 1989
Citation Context ... of secure protocols will remain secure. Formal security definitions for secure function evaluation have first been proposed in [30] and [2]. These definitions use the simulation paradigm invented in =-=[21]-=- to define zero-knowledge proofs of knowledge. In [10] it has been shown formally that these definitions imply that protocols can be composed sequentially. Sequential composition implies that protocol... |

841 | Universal classes of hash functions
- Carter, Wegman
- 1979
Citation Context ...| Z) − log |Y| − log(1/ε ′ ). We also need the following monotonicity of the smooth min-entropy H ε min (XY | Z) ≥ Hε min (X | Z). A function h : S×X → {0,1} ℓ is called a two-universal hash function =-=[13]-=-, if for all x0 ̸= x1 ∈ X, we have Pr[h(S,x0) = h(S,x1)] ≤ 2 −ℓ if S is uniform over S. We thereby say that a random variable S is uniform over a set S if S is chosen from S according to the uniform d... |

818 | Universally composable security: A new paradigm for cryptographic protocols
- Canetti
- 2001
Citation Context ... at any point in time exactly one protocol is running. All other protocols have to wait until that protocol stops. A stronger security definition called universal composability has been introduced in =-=[11, 32, 1]-=-. It guarantees that protocols can be securely composed in an arbitrary way (also concurrently) in any environment. Simulation-based security requires that for any adversary attacking the real protoco... |

796 | Protocols for secure computation
- Yao
- 1982
Citation Context ... our refinement. Secure implementations of oblivious transfer and bit commitment follow easily by a (classical) reduction to randomized oblivious transfer. 1 Introduction Secure two-party computation =-=[1]-=- allows two mutually distrustful players to jointly compute the value of a function without revealing more information about their inputs than can be inferred from the function value itself. The primi... |

583 | A fair protocol for signing contracts - Ben-Or, Goldreich, et al. - 1990 |

457 | Security and Composition of Multiparty Cryptographic Protocols
- Canetti
Citation Context ...ty definitions for secure function evaluation have first been proposed in [30] and [2]. These definitions use the simulation paradigm invented in [21] to define zero-knowledge proofs of knowledge. In =-=[10]-=- it has been shown formally that these definitions imply that protocols can be composed sequentially. Sequential composition implies that protocols can be composed in an arbitrary way, as long as at a... |

376 | How to exchange secrets by oblivious transfer
- Rabin
- 1981
Citation Context ...without revealing more information about their inputs than can be inferred from the function value itself. In this context, the primitives known as bit commitment (BC) [6] and oblivious transfer (OT) =-=[44, 33, 19]-=- are of particular importance: any two-party computation can be implemented, provided these two primitives are available [20, 23, 15]. In bit commitment, the committer (Alice) secretly chooses a bit b... |

303 | Founding Cryptography on Oblivious Transfer
- Kilian
- 1988
Citation Context ...tives known as bit commitment (BC) [6] and oblivious transfer (OT) [44, 33, 19] are of particular importance: any two-party computation can be implemented, provided these two primitives are available =-=[20, 23, 15]-=-. In bit commitment, the committer (Alice) secretly chooses a bit b, and commits herself to b by exchanging messages with the verifier (Bob). From the commitment alone, Bob should not be able to gain ... |

270 | Bit Commitment Using Pseudo-Randomness
- Naor
- 1991
Citation Context ...that the adversary is limited. In the classical case, one such limiting assumption is that the adversary is computationally bounded, i.e., he is restricted to a polynomial time computations (see e.g. =-=[31, 19]-=-). In the quantum model, it is also possible to securely implement both protocols provided that an adversary cannot measure more than a fixed number of qubits simultaneously [37]. Very weak forms of s... |

176 | Unconditionally secure quantum bit commitment is impossible
- Mayers
- 1997
Citation Context ...at Bob only retrieves xc and no information about the other input bit x1−c. Unfortunately, BC and OT are impossible to implement securely without any additional assumptions, even in the quantum model =-=[29, 26]-=-. This result holds even in the presence of the so-called superselection rules [24]. Exact tradeoffs on how well we can implement BC in the quantum world can be found in [39]. To circumvent this probl... |

173 | A Model for Asynchronous Reactive Systems and its Application to Secure Message Transmission
- Pfitzmann, Waidner
- 2001
Citation Context ... at any point in time exactly one protocol is running. All other protocols have to wait until that protocol stops. A stronger security definition called universal composability has been introduced in =-=[11, 32, 1]-=-. It guarantees that protocols can be securely composed in an arbitrary way (also concurrently) in any environment. Simulation-based security requires that for any adversary attacking the real protoco... |

172 | Security of Quantum Key Distribution
- Renner
- 2005
Citation Context ...sal hash function can be used to extract an almost random string from a source with enough min-entropy. The following theorem is from [16], stated slightly differently than the original statements in =-=[35, 34]-=-. Theorem 2.2 (Privacy Amplification [35, 34]). Let X and Z be (classical) random variables distributed over X and Z, and let Q be a random state of q qubits. Let h : S × X → {0,1} ℓ be a two-universa... |

162 | Conjugate coding
- Wiesner
- 1983
Citation Context ...te his classical output. After the memory bound is applied, the receiver obtains additional information from the sender. The actions of the adversary after step 3 can then be described by a unitary A =-=(2)-=- B followed by a measurement of quantum registers M and A in the computational basis. First, we analyze the case where the adversary’s auxiliary quantum input is a pure state of β qubits. Note that th... |

154 | Foundations of Secure Interactive Computing
- Beaver
- 1991
Citation Context ...ted applications. However, it is not clear that the composition of secure protocols will remain secure. Formal security definitions for secure function evaluation have first been proposed in [30] and =-=[2]-=-. These definitions use the simulation paradigm invented in [21] to define zero-knowledge proofs of knowledge. In [10] it has been shown formally that these definitions imply that protocols can be com... |

151 | Universally composable two-party and multi-party secure computation
- Canetti, Lindell, et al.
- 2002
Citation Context ...be achieved by simply using the (classical) universal composable protocols presented in [18], which are based on [15]. Note that because our implementation of OT is physical, the results presented in =-=[12]-=- cannot be applied. Outline In Section 2, we introduce the basic tools that we need later. In Section 3, we define a framework that provides offline security in the bounded-quantum-storage model, whic... |

143 | Coin flipping by telephone: a protocol for solving impossible problems
- Blum
- 1982
Citation Context ...compute the value of a function without revealing more information about their inputs than can be inferred from the function value itself. In this context, the primitives known as bit commitment (BC) =-=[6]-=- and oblivious transfer (OT) [44, 33, 19] are of particular importance: any two-party computation can be implemented, provided these two primitives are available [20, 23, 15]. In bit commitment, the c... |

118 | Secure computation - Micali, Rogaway - 1991 |

89 | Practical Quantum Oblivious Transfer
- Bennett, Brassard, et al.
- 1992
Citation Context ...reasonable bounds on the adversaries memory. In the quantum case, on the other hand, it is very difficult to store states even for a very short period of time. This leads to the protocol presented in =-=[5, 14]-=-, which show how to implement BC and OT if the adversary is not able to store any qubits at all. In [17, 16], these ideas have been generalized in a very nice way to the bounded-quantum-storage model, ... |

89 | Conditionally-perfect secrecy and a provably-secure randomized cipher
- Maurer
- 1992
Citation Context ... space instead of time, i.e., she is only allowed to use a certain amount of storage space. Both OT and BC can be implemented in this model [9]. Yet, the security of a classical bounded-storage model =-=[27, 9]-=- is somewhat unsatisfactory: First, a dishonest player needs only quadratically more memory than the honest one. Second, as classical memory is very cheap, most of these protocols require a huge amoun... |

87 | Entropy measures and unconditional security in cryptography
- Cachin
- 1997
Citation Context ...Y ) = max E:Pr(E)≥1−ε min y min x (− log P XE|Y =y(x)). The smooth min-entropy allows us to use the following chain rule which does not hold in the case of standard min-entropy. Lemma 2.1 (Chain Rule =-=[8, 28, 36]-=-). Let X, Y , and Z be arbitrary random variables over X, Y and Z. Then for all ε,ε ′ > 0, H ε+ε′ min (X|Y Z) ≥ Hε min(XY | Z) − log |Y| − log(1/ε ′ ). We also need the following monotonicity of the s... |

73 | Precomputing oblivious transfer
- Beaver
Citation Context ...for a smaller memory bound in our model. Third, we give well-known classical reductions of BC and OT to randomized OT in the appendix, and prove that they are secure in our model. Using the idea from =-=[3]-=-, this also implies that the two players can precompute ROT, and, at a later point in time, they can use it to implement either an OT or a BC, for which they only need classical communication. Since t... |

72 | Quantum Information: An Introduction
- Hayashi
- 2006
Citation Context ...ntations of oblivious transfer and bit commitment follow by a (classical) reduction to randomized oblivious transfer. 2 Preliminaries 2.1 Notation We assume general familiarity with the quantum model =-=[22]-=-. Throughout this paper, we use the term computational basis to refer to the basis given by {|0〉, |1〉}. We write + for the computational basis, and let |0〉+ = |0〉 and |1〉+ = |1〉. The Hadamard basis is... |

70 | Is quantum bit commitment really possible
- Lo, Chau
- 1997
Citation Context ...at Bob only retrieves xc and no information about the other input bit x1−c. Unfortunately, BC and OT are impossible to implement securely without any additional assumptions, even in the quantum model =-=[29, 26]-=-. This result holds even in the presence of the so-called superselection rules [24]. Exact tradeoffs on how well we can implement BC in the quantum world can be found in [39]. To circumvent this probl... |

69 | Universally composable privacy amplification against quantum adversaries
- Renner, König
- 2005
Citation Context ...e have D(ρ, ρ ′′) ≤ D(ρ, ρ ′) + D(ρ ′, ρ ′′). We also write ρ ≡ε ρ ′, if D(ρ, ρ ′) ≤ ε. For all practical purposes, ρ ≡ε ρ means that the state ρ ′ behaves like the state ρ, except with probability ε =-=[33]-=-. For any quantum channel Λ, we have D(Λ(ρ), Λ(ρ ′)) ≤ D(ρ, ρ ′). Let ρAB ∈ S(A ⊗ B) be classical on A, i.e. ρAB = ∑ x∈X PX(x)|x〉〈x| ⊗ ρx for some distribution PX over a finite set X . We say that A i... |

66 | Committed oblivious transfer and private multi-party computation
- Crépeau, Graaf, et al.
Citation Context ...tives known as bit commitment (BC) [6] and oblivious transfer (OT) [44, 33, 19] are of particular importance: any two-party computation can be implemented, provided these two primitives are available =-=[20, 23, 15]-=-. In bit commitment, the committer (Alice) secretly chooses a bit b, and commits herself to b by exchanging messages with the verifier (Bob). From the commitment alone, Bob should not be able to gain ... |

64 | A universally composable cryptographic library. Cryptology ePrint Archive, Report 2003/015 (2003), http://eprint.iacr.org
- Backes, Pfitzmann, et al.
Citation Context ... at any point in time exactly one protocol is running. All other protocols have to wait until that protocol stops. A stronger security definition called universal composability has been introduced in =-=[11, 32, 1]-=-. It guarantees that protocols can be securely composed in an arbitrary way (also concurrently) in any environment. Simulation-based security requires that for any adversary attacking the real protoco... |

61 | On the reversibility of oblivious transfer
- Crépeau, Sántha
- 1991
Citation Context ...reasonable bounds on the adversaries memory. In the quantum case, on the other hand, it is very difficult to store states even for a very short period of time. This leads to the protocol presented in =-=[5, 14]-=-, which show how to implement BC and OT if the adversary is not able to store any qubits at all. In [17, 16], these ideas have been generalized in a very nice way to the bounded-quantum-storage model, ... |

59 | Simple and tight bounds for information reconciliation and privacy amplification
- Renner, Wolf
Citation Context ...t X . We say that A is ε-close to uniform with respect to B, if D(ρAB, IA/d ⊗ ρB) ≤ ε, where d = dim(HA). For random variables X and Y with joint distribution PXY , the smooth conditional min-entropy =-=[34]-=- can be expressed in terms of an optimization over events E occurring with probability at least 1 − ε. Let PXE|Y =y(x) be the probability that {X = x} and E occur conditioned on Y = y. We have Hε min ... |

57 | Privacy amplification secure against active adversaries
- Maurer, Wolf
- 1997
Citation Context ...Y ) = max E:Pr(E)≥1−ε min y min x (− log P XE|Y =y(x)). The smooth min-entropy allows us to use the following chain rule which does not hold in the case of standard min-entropy. Lemma 2.1 (Chain Rule =-=[8, 28, 36]-=-). Let X, Y , and Z be arbitrary random variables over X, Y and Z. Then for all ε,ε ′ > 0, H ε+ε′ min (X|Y Z) ≥ Hε min(XY | Z) − log |Y| − log(1/ε ′ ). We also need the following monotonicity of the s... |

53 | Oblivious transfer with a memory-bounded receiver
- Cachin, Crépeau, et al.
- 1998
Citation Context ...the bounded-storage model. Here, the adversary is bounded in space instead of time, i.e., she is only allowed to use a certain amount of storage space. Both OT and BC can be implemented in this model =-=[9]-=-. Yet, the security of a classical bounded-storage model [27, 9] is somewhat unsatisfactory: First, a dishonest player needs only quadratically more memory than the honest one. Second, as classical me... |

53 | Zero-knowledge against quantum attacks
- Watrous
Citation Context ...its by teleporting β qubits to the environment, and storing the remaining m. Hence, we now have to take the adversary to be m ′ -bounded, where m ′ := m − β. Luckily, using a similar argument as in =-=[38]-=-, we can now extend the argument given above: Note that for any pure state input |Ψ〉 = |Ψin〉 ⊗ kin, the output of the simulated adversary is exactly Λ(|Ψ〉〈Ψ|), where Λ is the adversary’s channel. Sinc... |

49 | How to solve any protocol problem - an efficiency improvement
- Goldreich, Vainish
- 1987
Citation Context ...tives known as bit commitment (BC) [6] and oblivious transfer (OT) [44, 33, 19] are of particular importance: any two-party computation can be implemented, provided these two primitives are available =-=[20, 23, 15]-=-. In bit commitment, the committer (Alice) secretly chooses a bit b, and commits herself to b by exchanging messages with the verifier (Bob). From the commitment alone, Bob should not be able to gain ... |

41 | Degrees of concealment and bindingness in quantum bit commitment protocols
- Spekkens, Rudolph
- 2001
Citation Context ...n in the quantum model [8, 9]. This result holds even in the presence of the so-called superselection rules [10]. Exact trade-offs on how well we can implement BC in the quantum world can be found in =-=[11]-=-. To circumvent this problem (classically and quantumly), we thus need to assume that the adversary is limited. In the classical case, one such limiting assumption is that the adversary is computation... |

36 | Cryptography in the bounded quantum-storage model
- Damgård, Fehr, et al.
- 2005
Citation Context ...n the first phase, the simulator must be allowed to use some classical memory between the rounds. 4 Randomized Oblivious Transfer We now apply our framework to the randomized OT protocol presented in =-=[17]-=-. In particular, we prove security with respect to the following definition of randomized oblivious transfer. We show 5 We denote the concatenation of the functionalities G and G ′ by G‖G ′ . 8in the... |

36 | Secure computation (abstract)
- Micali, Rogaway
- 1991
Citation Context ... complicated applications. However, it is not clear that the composition of secure protocols will remain secure. Formal security definitions for secure function evaluation have first been proposed in =-=[30]-=- and [2]. These definitions use the simulation paradigm invented in [21] to define zero-knowledge proofs of knowledge. In [10] it has been shown formally that these definitions imply that protocols ca... |

30 | General security definition and composability for quantum and classical protocols, 2004. arXiv e-print quant-ph/0409062
- Ben-Or, Mayers
Citation Context ...antum setting [24], a simulation-based security definition has been presented in [25], however no composability theorem was proven. Universal composability in the quantum world has been introduced in =-=[26]-=-, and independently in [27]. In [28], it has been shown that classical protocols are universally composable using their classical definitions, are secure against quantum adversaries. 1.1 Contribution ... |

28 | Oblivious-transfer amplification
- Wullschleger
- 2007
Citation Context ...ry and his input, while keeping the output state of the adversary intact. To do so, we use a generalization of the min-entropy splitting lemma in [17], which in turn is based on an earlier version of =-=[37]-=-. It states that if two random variables X0 and X1 together have high min-entropy, then we can define a random variable C, such that X1−C has at least half of the original min-entropy. To find C, one ... |

16 | Composing quantum protocols in a classical environment
- Fehr, Schaffner
- 2009
Citation Context ...with other protocols. Indeed, the following simple example shows that in some situations, the protocols presented in [16, 17] do not guarantee security in a strong sense. (However, Fehr and Schaffner =-=[29]-=- recently showed that the original definitions still allow for some weak form of composability.) Suppose the adversary receives a large number of halves of EPR-pairs from the environment as his auxili... |

14 | Quantum Bit Commitment from a Physical Assumption, CRYPTO
- Salvail
- 1998
Citation Context ... is computationally bounded. In the quantum model, it is also possible to securely implement both protocols provided that an adversary cannot measure more than a fixed number of qubits simultaneously =-=[12]-=-. String commitments can be obtained with very weak security parameters [13]. The Bounded-Quantum-Storage Model. In the quantum case, it is very difficult to store states even for a very short period ... |

13 | Simulatable security for quantum protocols
- Unruh
- 2004
Citation Context ...ation-based security definition has been presented in [25], however no composability theorem was proven. Universal composability in the quantum world has been introduced in [26], and independently in =-=[27]-=-. In [28], it has been shown that classical protocols are universally composable using their classical definitions, are secure against quantum adversaries. 1.1 Contribution In [17], protocols for OT a... |

10 | Superselection rules and quantum protocols
- Kitaev, Mayers, et al.
- 2004
Citation Context ...ly, BC and OT are impossible to implement securely without any additional assumptions, even in the quantum model [29, 26]. This result holds even in the presence of the so-called superselection rules =-=[24]-=-. Exact tradeoffs on how well we can implement BC in the quantum world can be found in [39]. To circumvent this problem (in both, the classical and the quantum ∗ Supported by EU fifth framework projec... |

10 | Locking of accessible information and implications for the security of quantum cryptography
- König, Renner, et al.
Citation Context ...ting. Great care must be taken in the definition of security in the quantum setting: For example, the standard security definition for QKD based on accessible information does not imply composability =-=[25]-=-. 1.1 Contribution In [16], protocols for OT and BC have been presented and shown to be secure against bounded quantum adversaries. However, the proofs only guarantee security in a standalone setting.... |

10 | Towards a Formal Definition of Security for Quantum Protocols
- Graaf
- 1997
Citation Context ...in [21–23]. It guarantees that protocols can be securely composed in an arbitrary way (also concurrently) in any environment. Based on earlier an earlier definition of security in the quantum setting =-=[24]-=-, a simulation-based security definition has been presented in [25], however no composability theorem was proven. Universal composability in the quantum world has been introduced in [26], and independ... |

8 | Security of quantum bit string commitment depends on the information measure
- Buhrman, Christandl, et al.
Citation Context ...sible to securely implement both protocols provided that an adversary cannot measure more than a fixed number of qubits simultaneously [37]. Very weak forms of string commitments can also be obtained =-=[7]-=-. The Bounded-Quantum-Storage Model. Of particular interest to us is the bounded-storage model. Here, the adversary is bounded in space instead of time, i.e., she is only allowed to use a certain amou... |

7 | Algorithms for Quantum Computers
- Smith, Mosca
- 2012
Citation Context ...n an arbitrary way (also concurrently) in any environment. Based on earlier an earlier definition of security in the quantum setting [24], a simulation-based security definition has been presented in =-=[25]-=-, however no composability theorem was proven. Universal composability in the quantum world has been introduced in [26], and independently in [27]. In [28], it has been shown that classical protocols ... |

4 | A tight high-order entropic uncertainty relation with applications in the bounded quantum-storage model
- Damgård, Fehr, et al.
- 2006
Citation Context ...o store states even for a very short period of time. This leads to the protocol presented in [5, 14], which show how to implement BC and OT if the adversary is not able to store any qubits at all. In =-=[17, 16]-=-, these ideas have been generalized in a very nice way to the bounded-quantum-storage model, where the adversary is computationally unbounded and allowed to have an unlimited amount of classical memory... |

3 | Universally composable committed oblivious transfer and multi-party computation assuming only basic black-box primitives
- Estren
- 2004
Citation Context ...resented in [40] carries over to our model, secure function evaluation in the bounded-quantum-storage model can be achieved by simply using the (classical) universal composable protocols presented in =-=[18]-=-, which are based on [15]. Note that because our implementation of OT is physical, the results presented in [12] cannot be applied. Outline In Section 2, we introduce the basic tools that we need late... |

2 | Formal security in quantum cryptology. Student research project, Institut für Algorithmen und Kognitive Systeme
- Unruh
- 2002
Citation Context ...ed security definition has been presented in [25], however no composability theorem was proven. Universal composability in the quantum world has been introduced in [26], and independently in [27]. In =-=[28]-=-, it has been shown that classical protocols are universally composable using their classical definitions, are secure against quantum adversaries. 1.1 Contribution In [17], protocols for OT and BC hav... |