## Composability in quantum cryptography

Venue: New Journal of Physics

Citations: 5 - 1 self

### Citations

1235 | The Knowledge Complexity of Interactive Proof Systems
- Goldwasser, Micali, et al.
- 1989
Citation Context ...ing and (as general applications are to be considered) independent of the specific goals the attacker might have. The first step towards this new definition was the discovery of zero knowledge proofs =-=[18]-=- where the simulation paradigm was introduced. Instead of considering different security properties the new notion was based on indistinguishability. Intuitively speaking, a real protocol is compared ... |

976 |
Quantum cryptography: Public key distribution and coin tossing
- Bennett, Brassard
- 1984
Citation Context ...ave been proposed. Although they differ in many aspects (such as their realizability with current technology), they still very much resemble the original protocols put forward by Bennett and Brassard =-=[5]-=- (based on ideas by Wiesner [48]) and by Ekert [16]. We will not attempt here to give a description of these protocols. In fact, for the purpose of this article, it is sufficient to take a rather abst... |

828 | Universally composable security: A new paradigm for cryptographic protocols”, in 42nd FOCS, 2001. Also available at http://eprint.iacr.org/2000/067. (Previous versions of this work appeared under the title “A unified framework for analyzing security of Pr
- Canetti
Citation Context ...g the overall security. Furthermore an arbitrary number of protocols proven secure in this model can be used concurrently and remain secure in the model. We will have to neglect many details (already =-=[9]-=- has 128 pages and describes the classical case). Our treatment will be on a more intuitive and abstract level. For details please see [43, 4, 45]. One could argue that this topic need not be discusse... |

551 | Multiparty unconditionally secure protocols
- Chaum, Crépeau, et al.
- 1988
Citation Context ...secure channels based on quantum cryptography can be used instead of idealized secure channels in many cryptographic settings, such as secure multiparty computations in presence of an honest majority =-=[11]-=-. 5.3 Impossibility of Bit Commitment Additionally to the impossibility of unconditionally secure bit commitment in quantum cryptography [28, 25] a new impossibility result is introduced by the UC fra... |

417 |
Quantum cryptography based on Bell’s theorem,” Phys
- Ekert
- 1991
Citation Context ...pects (such as their realizability with current technology), they still very much resemble the original protocols put forward by Bennett and Brassard [5] (based on ideas by Wiesner [48]) and by Ekert =-=[16]-=-. We will not attempt here to give a description of these protocols. In fact, for the purpose of this article, it is sufficient to take a rather abstract point of view, where the internal workings of ... |

417 | New Hash Functions and Their Use in Authentication and Set
- Wegman, Carter
- 1981

301 |
Elements of Information Theory. Wiley series in telecommunications
- Cover, Thomas
- 1991
Citation Context .... We now move on to the proof of the claims made above. First, we show that the accessible information Iacc(SA : E) is small. This implies that (12) holds for some small ε (see, e.g., Lemma 12.6.1 of =-=[12]-=-). Second, we describe an attack against a scheme where the key SA is used for one-time-pad encryption. The attack allows the adversary to learn one bit of the message with certainty. This, in particu... |

256 | Foundations of Cryptography
- Goldreich
Citation Context ...l signatures, online banking, or remote voting. One of the big differences of such applications to key exchange is that the protocols participants are mutually mistrusting. Secure function evaluation =-=[49, 17]-=- is a generalization of such cryptographic applications: In a secure function evaluation a set of players P1, . . . , Pn wishes to evaluate a function f on inputs x1, . . . , xn they hold respectively... |

228 |
Simple proof of security of the BB84 quantum key distribution protocol
- Shor, Preskill
- 2000
Citation Context ...y derive a bound on the trace distance in (11) (rather than on the accessible information). Such a bound can in principle be obtained by a modification of the well-known argument by Shor and Preskill =-=[40]-=-, which however only applies to specific types of protocols. A more generic approach is to use the fact that privacy amplification based on suitably chosen hash functions (e.g., two-universal hashing)... |

205 | Protocols for secure computations (extended abstract)
- Yao
- 1982
Citation Context ...l signatures, online banking, or remote voting. One of the big differences of such applications to key exchange is that the protocols participants are mutually mistrusting. Secure function evaluation =-=[49, 17]-=- is a generalization of such cryptographic applications: In a secure function evaluation a set of players P1, . . . , Pn wishes to evaluate a function f on inputs x1, . . . , xn they hold respectively... |

197 | Limits on the provable consequences of one-way permutations
- Impagliazzo, Rudich
- 1989
Citation Context ...sages. 21In the case of key distribution this amounts to approximate security with ε negligible, i.e. asymptotically smaller than any 1/kn. 22E.g. realizing oblivious transfer from a one way function =-=[50, 21]-=-. 13 5.1 The Composition Theorem The UC framework provides a very strict notion of security and for a protocol ρ securely realizing an ideal protocol F in the UC framework strong composition guarantee... |

176 | A model for asynchronous reactive systems and its application to secure message transmission
- Pfitzmann, Waidner
- 2000
Citation Context ...tribution has no input and guarantees no security if one of the parties is corrupted. 12 classical universal composability framework [9] and independently discovered concept of reactive simulatability=-=[31, 2]-=- two quantum models of security were defined in [43, 4]. Both models follow the same motivation, but differ in details which are not of importance in this overview. The model of [43] is described in t... |

173 | Security of quantum key distribution
- Renner
Citation Context ...on each of the signals sent through the channel independently and identically. This is useful because, for most protocols, security against collective attacks implies security against general attacks =-=[33, 34]-=-. 6Because of the correctness property, it is sufficient to require secrecy for either SA or SB . 7Note that this property is always relative to a given noise model of the quantum channel. 3 Intuitive... |

170 | Universally composable commitments
- Canetti, Fischlin
- 2001
Citation Context ...nt in quantum cryptography [28, 25] a new impossibility result is introduced by the UC framework: Without additional security assumptions bit commitment cannot be realized with computational security =-=[10]-=-. This result generalizes to many more cryptographic tasks like coin flipping or oblivious transfer and it also holds in the quantum case. The reason for this impossibility result is that the simulato... |

168 |
Conjugate coding
- Wiesner
- 1983
Citation Context ...y differ in many aspects (such as their realizability with current technology), they still very much resemble the original protocols put forward by Bennett and Brassard [5] (based on ideas by Wiesner =-=[48]-=-) and by Ekert [16]. We will not attempt here to give a description of these protocols. In fact, for the purpose of this article, it is sufficient to take a rather abstract point of view, where the in... |

146 | Nonmalleable cryptography
- Dolev, Dwork, Naor
Citation Context ... key (n, e). So without knowing the amount of Alice’s bid Bob is able to compute a ciphertext which encrypts a higher bid and so he will win the auction. This security weakness is called malleability =-=[15]-=- and it is not per se a weakness of textbook RSA, but becomes a problem when textbook RSA is used in certain larger applications. 4.2.2 Quantum Superpositions can Span over several Subprotocols Quantu... |

143 | Coin flipping by telephone: a protocol for solving impossible problems
- Blum
- 1982
Citation Context ...versary may have gained by an eavesdropping attack. ³Dropping this assumption leads to the additional problem of generating randomness by mutually mistrustful parties, which is known as coin flipping =-=[7]-=-. protocol may either generate keys, in which case $S_A$ and $S_B$ are two identical random bitstrings of a certain fixed length $\ell$, or it may abort, in which case we set $S_A = \perp$ and $S_B = \perp$.⁴ Furthermore, we... |

71 | Universally composable privacy amplification against quantum adversaries
- Renner, König
- 2005
Citation Context ... $\otimes \rho'_E + p_\perp |\perp\rangle\langle\perp| \otimes \rho''_E$, (4) where $p_\perp \in [0, 1]$ and where $\rho'_E$ and $\rho''_E$ are density operators. With these definitions, we arrive at a reformulation of ε-secrecy in terms of the trace distance =-=[35, 3]-=-.¹⁰ Lemma 4. A QKD protocol is ε-secret if and only if, for any attack, the cq-state $\rho_{S_A E}$ describing the joint state of the protocol output $S_A$ and the system $E$ held by the adversary satisfies 1 2 ∥∥ρS... |

63 | Why quantum bit commitment and ideal quantum coin tossing are impossible
- Lo, Chau
- 1998
Citation Context ...st important building blocks of general applications, i.e. protocols like coin flipping, bit commitment, or oblivious transfer, can in quantum cryptography not be achieved with unconditional security =-=[1, 28, 25]-=-. However, there still are enough interesting applications for quantum cryptography. Even if some tasks are impossible to achieve in principle it is possible to achieve them relative to security assum... |

61 | Indistinguishability of Random Systems.
- Maurer
- 2002
Citation Context ... of the privacy amplification step, which is used to transform the (partially secret) raw key into a final secret key satisfying (5). 8This intuition can be made precise in a purely classical context =-=[27]-=-. 9The state of a bipartite system is called classical-quantum (cq) if the first subsystem is purely classical (in the sense that its states are perfectly distinguishable.) 10Lemma 4 is an immediate c... |

53 | General Composition and Universal Composability in Secure Multi-Party Computation
- Lindell
- 2003
Citation Context ...n cannot be done in retrospect as the real adversary could feed information into surrounding protocols at any time. This requirement of a straight line simulator is very strict, however, according to =-=[24]-=- it is close to the minimal requirement if one wants to combine the requirements of stand alone simulatability and the notion of security being preserved if run in arbitrary applications. 5 The Univer... |

51 | The universal composable security of quantum key distribution
- Ben-Or, Horodecki, et al.
- 2005
Citation Context ...ness, the secrecy, and the robustness criteria above. ⁴Alternatively, the length $\ell$ of the generated key may be determined during the run of the protocol, with $\ell = 0$ if the protocol aborts (see, e.g., =-=[3]-=-). For practical applications, however, it is usually more convenient to work with a fixed key length. ⁵One sometimes restricts the security analysis to more restricted types of attacks. An example ar... |

51 | Security of Quantum Protocols Against Coherent Measurements
- Yao
- 1995
Citation Context ...sages. 21In the case of key distribution this amounts to approximate security with ε negligible, i.e. asymptotically smaller than any 1/kn. 22E.g. realizing oblivious transfer from a one way function =-=[50, 21]-=-. 13 5.1 The Composition Theorem The UC framework provides a very strict notion of security and for a protocol ρ securely realizing an ideal protocol F in the UC framework strong composition guarantee... |

37 | The reactive simulatability (RSIM) framework for asynchronous systems
- Backes, Pfitzmann, et al.
- 2007
Citation Context ...tribution has no input and guarantees no security if one of the parties is corrupted. 12 classical universal composability framework [9] and independently discovered concept of reactive simulatability=-=[31, 2]-=- two quantum models of security were defined in [43, 4]. Both models follow the same motivation, but differ in details which are not of importance in this overview. The model of [43] is described in t... |

36 | Cryptography in the bounded quantum-storage model
- Damgård, Fehr, et al.
- 2005
Citation Context ...n if some tasks are impossible to achieve in principle it is possible to achieve them relative to security assumptions which are independent of the computational assumptions of classical cryptography =-=[37, 13]-=-. Furthermore, many of the assumptions possible, like the adversary being able to store only a limited amount of qubits or the adversary being unable to maintain coherency for large quantum states are... |

30 | General security definition and composability for quantum and classical protocols
- Ben-Or, Mayers
- 2004
Citation Context ... highly random from the adversary’s point of view [36] (this is also known as entropic security). Interestingly, these schemes only require a short key. 9 We will describe a quantum model of security =-=[43, 4, 45]-=- which gives strong composability guarantees. The composition theorem (see Subsection 5.1) states that a protocol secure in this model can be used in an arbitrary application without lowering the over... |

28 | How to fool an unbounded adversary with a short key
- Russell, Wang
Citation Context ...sed bases. 16It is possible to design encryption schemes whose security is based on the additional assumption that the distribution of the messages is highly random from the adversary’s point of view =-=[36]-=- (this is also known as entropic security). Interestingly, these schemes only require a short key. 9 We will describe a quantum model of security [43, 4, 45] which gives strong composability guarantee... |

27 |
Leftover hashing against quantum side information.
- Tomamichel, Schaffner, et al.
- 2010
Citation Context ...on suitably chosen hash functions (e.g., two-universal hashing) directly produces keys that satisfy (11), provided the input to the hash function (the raw key) has sufficiently high entropy [35] (see =-=[14, 42]-=- for specific examples of such hash functions). 3 Composability of General Secure Applications In the following sections, which constitute the second part of the article, we consider security definiti... |

21 |
Quantum cryptography with finite resources: Unconditional security bound for discrete-variable protocols with oneway postprocessing
- Scarani, Renner
- 2008
Citation Context .... The second term is due to the imperfectness of the authentication scheme. ¹¹Values of $\rho = 10^{-2}$ and $\gamma = \nu = 10^{-3}$ may be realistic for textbook protocols such as BB84 with single photons. We refer to =-=[39, 8]-=- for a more detailed numerical analysis of the performance of QKD protocols. To make sure that (9) converges, it is necessary to increase the number $n_i$ of exchanged signals in each round of the prot... |

19 | Trevisan's extractor in the presence of quantum side information
- De, Portmann, et al.
Citation Context ...on suitably chosen hash functions (e.g., two-universal hashing) directly produces keys that satisfy (11), provided the input to the hash function (the raw key) has sufficiently high entropy [35] (see =-=[14, 42]-=- for specific examples of such hash functions). 3 Composability of General Secure Applications In the following sections, which constitute the second part of the article, we consider security definiti... |

19 |
Cheat sensitive quantum bit commitment
- Hardy, Kent
Citation Context ...heorem of Mayers [28] and Lo/Chau [25] by a clever composition of possible quantum protocols. One could try to build up a secure bit commitment from weaker primitives like cheat sensitive commitments =-=[19]-=-. However, the impossibility theorem rules this out and therefore shows that composing quantum protocols can be counter intuitive. One cannot treat the subprotocols as being ”atomic” and quantum super... |

16 |
Symmetry of Large Physical Systems Implies Independence of Subsystems,” Nature Phys
- Renner
- 2007
Citation Context ...on each of the signals sent through the channel independently and identically. This is useful because, for most protocols, security against collective attacks implies security against general attacks =-=[33, 34]-=-. 6Because of the correctness property, it is sufficient to require secrecy for either SA or SB . 7Note that this property is always relative to a given noise model of the quantum channel. 3 Intuitive... |

14 | Quantum Bit Commitment from a Physical Assumption,” CRYPTO
- Salvail
- 1998
Citation Context ...n if some tasks are impossible to achieve in principle it is possible to achieve them relative to security assumptions which are independent of the computational assumptions of classical cryptography =-=[37, 13]-=-. Furthermore, many of the assumptions possible, like the adversary being able to store only a limited amount of qubits or the adversary being unable to maintain coherency for large quantum states are... |

14 | Universally composable quantum multi-party computation.
- Unruh
- 2010
Citation Context ... highly random from the adversary’s point of view [36] (this is also known as entropic security). Interestingly, these schemes only require a short key. 9 We will describe a quantum model of security =-=[43, 4, 45]-=- which gives strong composability guarantees. The composition theorem (see Subsection 5.1) states that a protocol secure in this model can be used in an arbitrary application without lowering the over... |

13 |
Finite-key analysis for practical implementations of quantum key distribution
- Cai, Scarani
Citation Context .... The second term is due to the imperfectness of the authentication scheme. ¹¹Values of $\rho = 10^{-2}$ and $\gamma = \nu = 10^{-3}$ may be realistic for textbook protocols such as BB84 with single photons. We refer to =-=[39, 8]-=- for a more detailed numerical analysis of the performance of QKD protocols. To make sure that (9) converges, it is necessary to increase the number $n_i$ of exchanged signals in each round of the prot... |

13 |
Miloslav Dušek, Norbert Lütkenhaus, and Momtchil Peev. The security of practical quantum key distribution
- Scarani, Bechmann-Pasquinucci, et al.
- 2009
Citation Context ...view, where the internal workings of the protocols are unimportant. (The reader interested in the concrete protocols is referred to the original articles [5, 16] as well as the recent review articles =-=[38]-=- and references therein.) The security of QKD basically relies on an intrinsic property of quantum mechanics, namely that it is generally impossible to copy the state of a system without disturbing th... |

13 | Simulatable security for quantum protocols
- Unruh
- 2004
Citation Context ... highly random from the adversary’s point of view [36] (this is also known as entropic security). Interestingly, these schemes only require a short key. 9 We will describe a quantum model of security =-=[43, 4, 45]-=- which gives strong composability guarantees. The composition theorem (see Subsection 5.1) states that a protocol secure in this model can be used in an arbitrary application without lowering the over... |

12 |
Controlling passively quenched single photon detectors by bright light.
- Makarov
- 2009
Citation Context ...el. This, however, is almost never the case in practice. Indeed, explicit attacks exploiting the deviation of the implementation from the theoretical model have been demonstrated recently (see, e.g., =-=[51, 26]-=-). It 15 would thus be desirable to have a (composable) framework that allows a more flexible modeling of the underlying hardware devices. Acknowledgments We would like to thank Gilles Brassard for he... |

11 |
Small accessible quantum information does not imply security
- König, Renner, et al.
- 2007
Citation Context ...vial value of ε. Small Accessible Information. We do not attempt here to give a rigorous proof of the above claim but rather describe the intuition for it. For the details of the argument we refer to =-=[23]-=-. In order to prove that Iacc(SA : E) is small, we need to argue that any outcome Z of a measurement applied to E has only negligible correlation with SA. To simplify this task, we split SA = (S1, . .... |

10 | Long-term security and universal composability
- Müller-Quade, Unruh
- 2007
Citation Context ...t Composition many instances of the same protocol with correlated inputs are run concurrently. Apart from the problems of simple composition, that messages from one protocol could be fed into another =-=[30]-=-, an additional problem occurs if one allows more than a constant number of protocol instances to be run concurrently. Even though each single instance of the protocol is secure in the sense of simula... |

10 | Composable security in the bounded-quantum-storage model
- Wehner, Wullschleger
- 2008
Citation Context ...g large coherent operations [37] or that the adversary has a quantum memory which is bounded in size [13]. It was shown that the protocols in the bounded quantum storage model do compose sequentially =-=[47]-=-, however, the protocols as stated do not allow general composition. With an example we will illustrate that this seems to be a general problem. To have a useful composition theorem we need that the a... |

7 |
Yevgeniy Dodis, and Hein Rohrig, Multiparty Quantum Coin Flipping.
- Ambainis, Buhrman
- 2004
Citation Context ...t is easy to see that, for any attack, the state resulting from the run of a perfectly secure scheme has the form $\rho^{\mathrm{perfect}}_{S_A E} = (1 - p_\perp) \sum_{s \in S} \frac{1}{|S|} |s\rangle\langle s| \otimes \rho'_E + p_\perp |\perp\rangle\langle\perp| \otimes \rho''_E$, (4) where $p_\perp \in$ =-=[0, 1]-= and where $\rho'_E$ and $\rho''_E$ are density operators. With these definitions, we arrive at a reformulation of ε-secrecy in terms of the trace distance [35, 3].¹⁰ Lemma 4. A QKD protocol is ε-secret if an... |

5 |
Unconditionally secure bit commitment is impossible
- Mayers
- 1997
Citation Context ...st important building blocks of general applications, i.e. protocols like coin flipping, bit commitment, or oblivious transfer, can in quantum cryptography not be achieved with unconditional security =-=[1, 28, 25]-=-. However, there still are enough interesting applications for quantum cryptography. Even if some tasks are impossible to achieve in principle it is possible to achieve them relative to security assum... |

3 | On using quantum protocols to detect traffic analysis
- Steinwandt, Janzing, et al.
Citation Context ...ctive and inactive in superposition nor are messages sent and not sent in superposition. This makes the model usable, but it excludes the possibility of certain protocols detecting a traffic analysis =-=[29, 41]-=-. Protocol, Adversary, and Environment. Apart from the protocol participants which are specified by the protocol there are two more machines taking part in the protocol execution. The adversary A (or ... |

2 |
On the problem of authentication in a quantum protocol to detect traffic analysis
- Müller-Quade, Steinwandt
Citation Context ...ctive and inactive in superposition nor are messages sent and not sent in superposition. This makes the model usable, but it excludes the possibility of certain protocols detecting a traffic analysis =-=[29, 41]-=-. Protocol, Adversary, and Environment. Apart from the protocol participants which are specified by the protocol there are two more machines taking part in the protocol execution. The adversary A (or ... |

2 |
Concurrent composition in the bounded quantum storage model.
- Unruh
- 2011
Citation Context ...≥ not being transitive. A way around this problem is to generalize the notion of at least as secure as to one that explicitly involves the memory bound of the adversary as a parameter, as proposed in =-=[44]-=-. 6 Conclusions This work reviewed composable security in quantum cryptography. In the first part of the paper the focus was on quantum key distribution (QKD), the most prominent application of quantu... |

1 | Security of quantum cryptography against collective attacks
- Eli Biham, Tal Mor
- 1997
Citation Context ...ications, however, it is usually more convenient to work with a fixed key length. 5One sometimes restricts the security analysis to more restricted types of attacks. An example are collective attacks =-=[6]-=-, where it is assumed that the adversary acts on each of the signals sent through the channel independently and identically. This is useful because, for most protocols, security against collective att... |

1 | A paradox of quantum universal composability
- Hofheinz, Müller-Quade
- 2003
Citation Context ... to conclude from π ≥ ρ and ρ ≥ F that π securely realizes F we need that the simulator in the protocol ρ should be admitted as a real adversary for ρ if this protocol is to be compared with F . In =-=[20]-=- it is shown that it is possible to achieve oblivious transfer (and hence bit commitment) if the real adversary is restricted to have no quantum memory at all. However, the simulator for this protocol... |

1 | On the security and composability of the one time pad
- Raub, Steinwandt, et al.
- 2005
Citation Context ...realizes F in the quantum composability setting. This result is very useful. Quantum Key Distribution (QKD) is composable (cf. Section 2.3) and from QKD one can obtain composable secure communication =-=[32]-=-. Hence secure channels based on quantum cryptography can be used instead of idealized secure channels in many cryptographic settings, such as secure multiparty computations in presence of an honest m... |

1 |
Hoi Kwong Lo. Quantum hacking: Experimental demonstration of time shift attack against practical quantum key-distribution systems
- Zhao, Fung, et al.
Citation Context ...el. This, however, is almost never the case in practice. Indeed, explicit attacks exploiting the deviation of the implementation from the theoretical model have been demonstrated recently (see, e.g., =-=[51, 26]-=-). It 15 would thus be desirable to have a (composable) framework that allows a more flexible modeling of the underlying hardware devices. Acknowledgments We would like to thank Gilles Brassard for he... |