Quantum Money from Hidden Subspaces
Forty years ago, Wiesner pointed out that quantum mechanics raises the striking possibility of money that cannot be counterfeited according to the laws of physics. We propose the first quantum money scheme that is (1) public-key, meaning that anyone can verify a banknote as genuine, not only the bank that printed it, and (2) cryptographically secure, under a "classical" hardness assumption that has nothing to do with quantum money. Our scheme is based on hidden subspaces, encoded as the zero-sets of random multivariate polynomials. A main technical advance is to show that the "black-box" version of our scheme, where the polynomials are replaced by classical oracles, is unconditionally secure. Previously, such a result had only been known relative to a quantum oracle (and even there, the proof was never published). Even in Wiesner's original setting, quantum money that can only be verified by the bank, we are able to use our techniques to patch a major security hole in Wiesner's scheme. We give the first private-key quantum money scheme that allows unlimited verifications and that remains unconditionally secure, even if the counterfeiter can interact adaptively with the bank. Our money scheme is simpler than previous public-key quantum money schemes, including a knot-based scheme of Farhi et al. The verifier needs to perform only two tests, one in the standard basis and one in the Hadamard basis, matching the original intuition for quantum money, based on the existence of complementary observables. Our security proofs use a new variant of Ambainis's quantum adversary method, and several other tools that might be of independent interest.
A Note on Quantum Security for PostQuantum Cryptography
Shor's quantum factoring algorithm and a few other efficient quantum algorithms break many classical cryptosystems. In response, people proposed post-quantum cryptography based on computational problems that are believed hard even for quantum computers. However, security of these schemes against quantum attacks is elusive. This is because existing security analysis (almost) only deals with classical attackers, and arguing security in the presence of quantum adversaries is challenging due to unique quantum features such as no-cloning. This work proposes a general framework to study which classical security proofs can be restored in the quantum setting. Basically, we split a security proof into (a sequence of) classical security reductions, and investigate which security reductions are "quantum-friendly". We characterize sufficient conditions such that a classical reduction can be "lifted" to the quantum setting. We then apply our lifting theorems to post-quantum signature schemes. We are able to show that the classical generic construction of hash-tree based signatures from one-way functions and a more efficient variant proposed in [BDH11] carry over to the quantum setting. Namely, assuming the existence of (classical) one-way functions that are resistant to efficient quantum inversion algorithms, there exists a quantum-secure signature scheme. We note that the scheme in [BDH11] is a promising (post-quantum) candidate to be implemented in practice, and our result further justifies it. Actually, to obtain these results, we formalize a simple criterion, which is motivated by many classical proofs in the literature and is straightforward to check. This makes our lifting theorem easier to apply, and it should be useful elsewhere to prove quantum security of proposed post-quantum cryptographic schemes.
Finally, we demonstrate the generality of our framework by showing that several existing works (Full-Domain Hash in the quantum random-oracle model [Zha12b] and the simple hybrid arguments framework in [HSS11]) can be reformulated under our unified framework.
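The "classical generic construction of hash-tree based signatures from one-way functions" that the abstract refers to is the Lamport one-time signature whose public keys are leafed into a Merkle tree. The following is an added worked example in Python, not code from the paper or from [BDH11]; it assumes SHA-256 as a stand-in for both the one-way function f and the tree hash, and it makes no claim about the quantum security of this toy instance. The point it shows is the one the abstract relies on: a signature is a chain of preimages of f plus an authentication path, and nothing beyond f is needed.

```python
"""Hash-tree (Merkle) signatures built from a one-way function.

Added illustration, not the paper's code. SHA-256 stands in for the
one-way function f (assumption) and for the hash that builds the tree.
Each Lamport key signs exactly one message; the Merkle tree turns 2^h
one-time keys into a single root public key.
"""
import hashlib
import os

N = 32  # byte length of the hash / one-way function output


def H(*parts: bytes) -> bytes:
    """The one-way function f and the tree hash (SHA-256 here)."""
    return hashlib.sha256(b"".join(parts)).digest()


def lamport_keygen():
    """Secret key: 2 random preimages per message-digest bit; public key: their images under H."""
    sk = [(os.urandom(N), os.urandom(N)) for _ in range(8 * N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(8 * N)]


def lamport_sign(sk, msg: bytes):
    """Reveal, for each digest bit, the preimage selected by that bit."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    """Check every revealed preimage against the public image for the selected bit."""
    if len(sig) != 8 * N:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))


def pk_digest(pk) -> bytes:
    """Compress a Lamport public key into one leaf node."""
    return H(*[a + b for a, b in pk])


class MerkleSigner:
    """Stateful signer: 2^height one-time keys under one Merkle root."""

    def __init__(self, height: int):
        self.leaves = 2 ** height
        self.keys = [lamport_keygen() for _ in range(self.leaves)]
        # layers[0] holds leaf digests, layers[-1] holds only the root
        layer = [pk_digest(pk) for _, pk in self.keys]
        self.layers = [layer]
        while len(layer) > 1:
            layer = [H(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
            self.layers.append(layer)
        self.root = layer[0]  # the public key
        self.next_leaf = 0    # state: a one-time key must never be reused

    def sign(self, msg: bytes):
        if self.next_leaf >= self.leaves:
            raise RuntimeError("all one-time keys used; refuse to reuse a Lamport key")
        idx = self.next_leaf
        self.next_leaf += 1
        sk, pk = self.keys[idx]
        # authentication path: the sibling of the leaf-to-root path at every level
        auth, i = [], idx
        for layer in self.layers[:-1]:
            auth.append(layer[i ^ 1])
            i >>= 1
        return (idx, pk, lamport_sign(sk, msg), auth)


def merkle_verify(root: bytes, msg: bytes, signature) -> bool:
    """Verify the one-time signature, then recompute the root from the auth path."""
    idx, pk, ots, auth = signature
    if not lamport_verify(pk, msg, ots):
        return False
    node, i = pk_digest(pk), idx
    for sibling in auth:
        node = H(sibling, node) if i & 1 else H(node, sibling)
        i >>= 1
    return node == root


if __name__ == "__main__":
    signer = MerkleSigner(height=3)          # 8 one-time keys
    sig = signer.sign(b"constructed sample message")
    print(merkle_verify(signer.root, b"constructed sample message", sig))
```

The verifier needs only H, the root, and the signature; the signer's only secret-dependent step is revealing preimages, which is exactly why a security reduction to the one-wayness of f is straightforward, and why the statefulness (never reuse a leaf) matters: two signatures under one Lamport key leak enough preimages to forge.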
Classical Encryption and Authentication under Quantum Attacks
, 2013
Post-quantum cryptography studies the security of classical, i.e. non-quantum, cryptographic protocols against quantum attacks. Until recently, the considered adversaries were assumed to use quantum computers and behave like classical adversaries otherwise. A more conservative approach is to assume that also the communication between the honest parties and the adversary is (partly) quantum. We discuss several options to define secure encryption and authentication against these stronger adversaries who can carry out superposition attacks. We reprove a recent result of Boneh and Zhandry, stating that a uniformly random function (and hence also a quantum-secure pseudorandom function) can serve as a message-authentication code which is secure, even if the adversary can evaluate this function in superposition.
Revocable quantum timedrelease encryption
, 2013
Timed-release encryption is a kind of encryption scheme that a recipient can decrypt only after a specified amount of time T (assuming that we have a moderately precise estimate of his computing power). A revocable timed-release encryption is one where, before the time T is over, the sender can "give back" the timed-release encryption, provably losing all access to the data. We show that revocable timed-release encryption without trusted parties is possible using quantum cryptography (while trivially impossible classically). Along the way, we develop two proof techniques in the quantum random oracle model that we believe may have applications also for other protocols. Finally, we also develop another new primitive, unknown recipient encryption, which allows us to send a message to an unknown/unspecified recipient over an insecure network in such a way that at most one recipient will get the message.
A note on the quantum collision and set equality problems. arXiv:1312.1027v3 [cs.CC]
, 2013
TESLA: Tightly-secure efficient signatures from standard lattices
, 2015
Generally, lattice-based cryptographic primitives offer good performance and allow for strong security reductions. However, the most efficient current lattice-based signature schemes sacrifice (part of their) security to achieve good performance: first, security is based on ideal lattice problems, which might not be as hard as standard lattice problems. Secondly, the security reductions of the most efficient schemes are non-tight; hence, their choices of parameters offer security merely heuristically. Moreover, lattice-based signatures are instantiated for classical adversaries, although they are based on presumably quantum-hard problems. Yet, it is not known how such schemes perform in a post-quantum world. We bridge this gap by proving the lattice-based signature scheme TESLA to be tightly secure based on the learning with errors problem over standard lattices in the random oracle model. As such, we improve the security of the original proposal by Bai and Galbraith (CT-RSA'14) twofold: we tighten the security reduction and we minimize the underlying security assumptions. Remarkably, by enhancing the security we can improve TESLA's performance by a factor of two. Furthermore, we are the first to propose parameters providing a security of 128 bits against both classical and quantum adversaries for a lattice-based signature scheme. Our implementation of TESLA competes well with state-of-the-art lattice-based signatures and SPHINCS (EUROCRYPT'15), the only signature scheme instantiated with quantum-hard parameters thus far.
Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives *
We propose a new class of post-quantum digital signature schemes that: (a) derive their security entirely from the security of symmetric-key primitives, believed to be quantum-secure, (b) have extremely small keypairs, and (c) are highly parameterizable. In our signature constructions, the public key is an image y = f(x) of a one-way function f and the secret key is x. A signature is a non-interactive zero-knowledge proof of knowledge of x that incorporates the message to be signed. For this proof, we leverage recent progress of Giacomelli et al. (USENIX'16) in constructing an efficient Σ-protocol for statements over general circuits. We improve this Σ-protocol to reduce proof sizes by a factor of two, at no additional computational cost. While this is of independent interest as it yields more compact proofs for any circuit, it also decreases our signature sizes. We consider two possibilities for making the proof non-interactive: the Fiat-Shamir transform, and Unruh's transform (EUROCRYPT'12). We implement and benchmark both approaches and explore the possible choice of f, taking advantage of the recent trend to strive for practical symmetric ciphers with a particularly low number of multiplications, and end up using LowMC.
* This paper is a merge of
MSc in Logic
, 2013
Acknowledgements: I would like to thank my supervisor Christian Schaffner for working together after making me interested through his course on cryptography. I am grateful for his patience and didactic guidance through the complex proofs during my