Results 1-10 of 14
Secure identity-based encryption in the quantum random oracle model
In Proceedings of CRYPTO, 2012
Cited by 8 (3 self)
Abstract: We give the first proof of security for an identity-based encryption scheme in the quantum random oracle model. This is the first proof of security for any scheme in this model that requires no additional assumptions. Our techniques are quite general and we use them to obtain security proofs for two random oracle hierarchical identity-based encryption schemes and a random oracle signature scheme, all of which have previously resisted quantum security proofs, even using additional assumptions. We also explain how to remove the extra assumptions from prior quantum random oracle model proofs. We accomplish these results by developing new tools for arguing that quantum algorithms cannot distinguish between two oracle distributions. Using a particular class of oracle distributions, so-called semi-constant distributions, we argue that the aforementioned cryptosystems are secure against quantum adversaries.
On the efficiency of classical and quantum oblivious transfer reductions
In Advances in Cryptology — CRYPTO ’10, Lecture Notes in Computer Science, 2010
Cited by 7 (2 self)
Abstract: Due to its universality, oblivious transfer (OT) is a primitive of great importance in secure multiparty computation. OT is impossible to implement from scratch in an unconditionally secure way, but there are many reductions of OT to other variants of OT, as well as other primitives such as noisy channels. It is important to know how efficient such unconditionally secure reductions can be in principle, i.e., how many instances of a given primitive are at least needed to implement OT. For perfect (error-free) implementations good lower bounds are known, e.g. the bounds by Beaver (STOC ’96) or by Dodis and Micali (EUROCRYPT ’99). However, in practice one is usually willing to tolerate a small probability of error and it is known that these statistical reductions can in general be much more efficient. Thus, the known bounds have only limited application. In the first part of this work we provide bounds on the efficiency of secure (one-sided) two-party computation of arbitrary finite functions from distributed randomness in the statistical case. From these results we derive bounds on the efficiency of protocols that use (different variants of) OT as a black-box. When applied to implementations of OT, our bounds generalize known results to the statistical case. Our results hold in particular for transformations between a finite number of primitives and for any error. Furthermore, we provide bounds on the efficiency of protocols implementing Rabin OT.
Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World
Cited by 7 (1 self)
Abstract: We initiate the study of quantum-secure digital signatures and quantum chosen ciphertext security. In the case of signatures, we enhance the standard chosen message query model by allowing the adversary to issue quantum chosen message queries: given a superposition of messages, the adversary receives a superposition of signatures on those messages. Similarly, for encryption, we allow the adversary to issue quantum chosen ciphertext queries: given a superposition of ciphertexts, the adversary receives a superposition of their decryptions. These adversaries model a natural post-quantum environment where end-users sign messages and decrypt ciphertexts on a personal quantum computer. We construct classical systems that remain secure when exposed to such quantum queries. For signatures we construct two compilers that convert classically secure signatures into signatures secure in the quantum setting and apply these compilers to existing post-quantum signatures. We also show that standard constructions such as Lamport one-time signatures and Merkle signatures remain secure under quantum chosen message attacks, thus giving signatures whose quantum security is based on generic assumptions. For encryption, we define security under quantum chosen ciphertext attacks and present both public-key and symmetric-key constructions.
Classical cryptographic protocols in a quantum world
In: CRYPTO, LNCS, 2011
Cited by 6 (1 self)
Abstract: Cryptographic protocols, such as protocols for secure function evaluation (SFE), have played a crucial role in the development of modern cryptography. The extensive theory of these protocols, however, deals almost exclusively with classical attackers. If we accept that quantum information processing is the most realistic model of physically feasible computation, then we must ask: what classical protocols remain secure against quantum attackers? Our main contribution is showing the existence of classical two-party protocols for the secure evaluation of any polynomial-time function under reasonable computational assumptions (for example, it suffices that the learning with errors problem be hard for quantum polynomial time). Our result shows that the basic two-party feasibility picture from classical cryptography remains unchanged in a quantum world.
Key recycling in authentication
2012
Cited by 3 (0 self)
Abstract: In their seminal work on authentication, Wegman and Carter propose that to authenticate multiple messages, it is sufficient to reuse the same hash function as long as each tag is encrypted with a one-time pad. They argue that because the one-time pad is perfectly hiding, the hash function used remains completely unknown to the adversary. Since their proof is not composable, we revisit it using a universally composable framework. It turns out that the above argument is insufficient: information about the hash function is in fact leaked in every round to the adversary, and after a bounded finite amount of rounds it is completely known. We show however that this leak is very small, and Wegman and Carter’s protocol is still ε-secure, if ε-almost strongly universal₂ hash functions are used. This implies that the secret key corresponding to the choice of hash function can be recycled for any task without any additional error than this ε. We illustrate this by applying it to quantum key distribution (QKD): if the same hash function is recycled to authenticate the classical communication in every round of a QKD protocol, and used ℓ times per round, the total error after r rounds is upper bounded by r(ℓε + ε′), where ε′ is the error of one round of QKD given an authentic channel.
input
Abstract: ... disabled persons in developing countries access to computer games through a novel gaming ...
Quantum one-time programs (extended abstract)
Abstract: A one-time program is a hypothetical device by which a user may evaluate a circuit on exactly one input of his choice, before the device self-destructs. One-time programs cannot be achieved by software alone, as any software can be copied and re-run. However, it is known that every circuit can be compiled into a one-time program using a very basic hypothetical hardware device called a one-time memory. At first glance it may seem that quantum information, which cannot be copied, might also allow for one-time programs. But it is not hard to see that this intuition is false: one-time programs for classical or quantum circuits based solely on quantum information do not exist, even with computational assumptions. This observation raises the question, “what assumptions are required to achieve one-time programs for quantum circuits?” Our main result is that any quantum circuit can be compiled into a one-time program assuming only the same basic one-time memory devices used for classical circuits. Moreover, these quantum one-time programs achieve statistical universal composability (UC-security) against any malicious user. Our construction employs methods for computation on authenticated quantum data, and we present a new quantum authentication scheme called the trap scheme for this purpose. As a corollary, we establish UC-security of a recent protocol for delegated quantum computation.
Contents
2008
Abstract: Important note: These notes are not supposed to be self-contained. Instead, they are intended as a reminder about which topics were discussed in the lecture. If you