#### DMCA

## Simple protocols for oblivious transfer and secure identification in the noisy-quantum-storage model

Venue: | Phys. Rev. A |

Citations: | 6 - 0 self |

### Citations

3885 | A method for obtaining digital signatures and public-key cryptosystem,”
- Rivest, Shamir, et al.
- 1978
(Show Context)
Citation Context ...ovide secure two-party computation are based on unproven mathematical assumptions such as the hardness of finding the prime factors of large integer numbers (for example in the widely used RSA scheme =-=[RSA78]-=-). We do not know any practical schemes which are provably infeasible to break and it is unlikely that the currently known mathematical techniques allow for such a scheme. In 1 contrast, quantum crypt... |

977 |
Quantum cryptography: Public-key distribution and coin tossing.
- Bennett, Brassard
- 1984
(Show Context)
Citation Context ...mes with provable security. The most prominent example is Quantum Key Distribution (QKD) which allows two honest parties to securely communicate. In 1984, Bennett and Brassard proposed a QKD protocol =-=[BB84]-=- which was proven unconditionally secure [May95, Yao95, SP00]. In other words, security does not rely on any unproven assumptions but holds against any eavesdropper Eve with unbounded (quantum) comput... |

845 |
Universal Classes of Hash Functions
- Carter, Wegman
- 1979
(Show Context)
Citation Context ... Amplification We will make use of two-universal hash functions. A class F of functions f : {0, 1}n → {0, 1}` is called two-universal, if for all x 6= y ∈ {0, 1}n, we have Prf∈RF [f(x) = f(y)] ≤ 2 −` =-=[CW79]-=-. The following theorem expresses how the application of hash functions increases the privacy of a random variable X given a quantum adversary holding ρE, the function F and a classical random variabl... |

228 | Simple proof of security of the BB84 quantum key distribution protocol - Shor, Preskill - 2000 |

176 | Unconditionally Secure Quantum Bit Commitment - Mayers |

173 | Security of Quantum Key Distribution - Renner - 2005 |

51 | Security of Quantum Protocols Against Coherent Measurements,” - Yao - 1995 |

43 |
The capacity of the quantum depolarizing channel
- King
- 2003
(Show Context)
Citation Context ...cted by independent and identically distributed noise. To see for which values of r we can obtain security, we need to consider the classical capacity of the depolarizing channel as evaluated by King =-=[Kin03]-=-. For d = 2, i.e., qubits, it is given by CNr = 1 + 1 + r 2 log 1 + r 2 + 1− r 2 log 1− r 2 . 4 1-2 Oblivious Transfer 4.1 Security Definition and Protocol In this section we prove the security of a r... |

39 | Storage and retrieval of single photons transmitted between remote quantum memories. - Chaneliere - 2005 |

39 | Constantround oblivious transfer in the bounded storage model.
- Ding, Harnik, et al.
- 2004
(Show Context)
Citation Context ...nst noisy-quantum-storage attacks. 1A detailed description of the model of [KWW09] will be given in Section 3, see also Figure 1. 2A constant-round variant of interactive hashing has been proposed in =-=[DHRS04]-=-. However, it is unclear how the weaker security guarantees affect the security proof in [KWW09]. The use of η-almost t-wise independent permutations might render this variant “prohibitively complicat... |

36 | Cryptography in the bounded quantum-storage model
- Damg̊ard, Fehr, et al.
- 2005
(Show Context)
Citation Context ...uctions. Indeed, in joint work with Damg̊ard, Fehr and Salvail, we proposed in 2005 a new realistic assumption for quantum protocols under which provably secure two-party computation becomes possible =-=[DFSS05]-=-. The basic idea is to exploit the technical difficulty of storing quantum information. In this bounded-quantum-storage model, security holds based on the sole assumption that the parties’ quantum mem... |

34 | Experimental demonstration of quantum memory for light. - Julsgaard, Sherson, et al. - 2004 |

30 | Electromagnetically induced transparency with tunable single-photon pulses. - Eisaman - 2005 |

28 | Oblivious-transfer amplification
- Wullschleger
- 2007
(Show Context)
Citation Context ... the other variable X1−i are uniform, but still sum up to a significant mass. However, the following basic version of the min-entropy splitting lemma, which first appeared in a preliminary version of =-=[Wul07]-=- and was later developed further in the context of randomness extraction [KR07], shows that the intuition about splitting the min-entropy is correct in a randomized sense. This lemma (with a slightly ... |

27 | A tight high-order entropic quantum uncertainty relation with applications - Damg̊ard, Fehr, et al. - 2007 |

27 | Insecurity of quantum secure computations - Lo - 1997 |

22 |
A strong converse for classical channel coding using entangled inputs.
- Koenig, Wehner
- 2009
(Show Context)
Citation Context ...ng-converse property : The success probability (12) decays exponentially for rates R above the capacity, i.e., it takes the form PN ⊗n succ (nR) ≤ 2 −nγN (R) where γN (R) > 0 for all R > CN . (13) In =-=[KW09]-=-, property (13) was shown to hold for a large class of channels. An important example for which we obtain security is the d-dimensional depolarizing channel Nr : B(C d)→ B(Cd) defined for d ≥ 2 as Nr(... |

21 | Mapping photonic entanglement into and out of a quantum memory. - Choi, Deng, et al. - 2008 |

18 | Unconditional security from noisy quantum storage
- Koenig, Wehner, et al.
- 2012
(Show Context)
Citation Context ... March 31, 2010 Abstract We present simple protocols for oblivious transfer and password-based identification which are secure against general attacks in the noisy-quantum-storage model as defined in =-=[KWW09]-=-. We argue that a technical tool from [KWW09] suffices to prove security of the known protocols. Whereas the more involved protocol for oblivious transfer from [KWW09] requires less noise in storage t... |

18 | On the security of quantum oblivious transfer and key distribution protocols - Mayers - 1995 |

17 |
Sampling of min-entropy relative to quantum knowledge. eprint,
- K\onig, Renner
- 2007
(Show Context)
Citation Context ...ounds [NOVY98]2. The analysis is complicated by the fact that the dishonest receiver holds quantum information, but can be handled by techniques of min-entropy sampling developed by König and Renner =-=[KR07]-=-. It was left as open question how to build password-based identification based on weak string erasure or in general, secure against noisy-quantum-storage attacks. 1A detailed description of the model... |

16 | Composing quantum protocols in a classical environment.
- Fehr, Schaffner
- 2009
(Show Context)
Citation Context ...) = ŜC . He stays completely ignorant about the other message ŜC since he is ignorant about SC . The security of a quantum protocol implementing ROT is formally defined in [DFR+07] and justified in =-=[FS09]-=- (see also [WW08]). Definition 4.1 An ε-secure 1-2 ROT` is a protocol between Alice and Bob, where Bob has input C ∈ {0, 1}, and Alice has no input. • (Correctness) If both parties are honest, then fo... |

15 |
The existence of binary linear concatenated codes with Reed-Solomon outer codes which asymptotically meet the Gilbert-Varshamov bound
- Thommesen
- 1983
(Show Context)
Citation Context .../4)d−log(m)−3), and security against dishonest Alice holds except with an error m2/2` = 2 − 1 3 ( γN ( 1/4−δ ν ) νd−6 log(m) ) . Using a code c, which asymptotically meets the Gilbert-Varshamov bound =-=[Tho83]-=-, d may be chosen arbitrarily close to n · h−1 ( 1− log(m)/n ) . In particular, we can ensure that d does not differ from this value by more than 1. Inserting d = µ·n−1 in the expressions and using th... |

15 | Cryptography from noisy storage - Wehner, Scha↵ner, et al. |

13 | Claude Crepeau, and Marie-Helene Skubiszewska. Practical quantum oblivious transfer. - Bennett, Brassard - 1992 |

13 | Secure identification and QKD in the bounded-quantum-storage model
- Damg̊ard, Fehr, et al.
- 2007
(Show Context)
Citation Context ...ion on the player’s inputs: Both Alice and Bob input passwords wA and wB from a set of possible passwords W into the protocol and Bob learns as output whether wA = wB or not. The protocol proposed in =-=[DFSS07]-=- is secure against an unbounded user Alice and a quantummemory bounded server Bob in the sense that it is guaranteed that if a dishonest player starts with 20 quantum side information which is uncorre... |

13 | Efficient reconciliation protocol for discrete-variable quantum key distribution,”
- Elkouss, Leverrier, et al.
- 2009
(Show Context)
Citation Context ...yndrome of the string. If each bit of the string is flipped independently with probability phB,err, this procedure amounts to sending error-correcting information of at most 1.2 · h(phB,err) · k bits =-=[ELAB09]-=-. We assume that the players have synchronized clocks. In each time slot, Alice sends one qubit to Bob. Protocol 2 Robust 1-2 ROT`(C, T, ε) 1. Alice picks x ∈R {0, 1} n and θ ∈R {+,×} n uniformly at r... |

12 | Quantum memory for squeezed light - Appel, Figueroa, et al. - 2008 |

11 |
Rafail Ostrovsky, Ramarathnam Venkatesan, and Moti Yung. Perfect zero-knowledge arguments for NP using any one-way permutation
- Naor
- 1998
(Show Context)
Citation Context ...k string erasure. Their approach to realize oblivious transfer is quite involved. It uses interactive hashing [Sav07], for which the standard classical protocol requires a lot of communication rounds =-=[NOVY98]-=-2. The analysis is complicated by the fact that the dishonest receiver holds quantum information, but can be handled by techniques of min-entropy sampling developed by König and Renner [KR07]. It was... |

10 | Composable security in the boundedquantum-storage model
- Wehner, Wullschleger
- 2008
(Show Context)
Citation Context ...s completely ignorant about the other message ŜC since he is ignorant about SC . The security of a quantum protocol implementing ROT is formally defined in [DFR+07] and justified in [FS09] (see also =-=[WW08]-=-). Definition 4.1 An ε-secure 1-2 ROT` is a protocol between Alice and Bob, where Bob has input C ∈ {0, 1}, and Alice has no input. • (Correctness) If both parties are honest, then for any distributio... |

9 | Robust cryptography in the noisy-quantum storage model,” arXiv:0807.1333
- Schaffner, Terhal, et al.
(Show Context)
Citation Context ...erfections in Alice’s and Bob’s apparatus as well as in the communication channel manifest themselves in form of erasures and bit-flip errors. This setting has been analyzed for individual attacks in =-=[STW09]-=- and for general attacks in [WCSL10]. In the following, we present an upgraded protocol for oblivious transfer along the lines of [WCSL10] but with a much simpler and natural post-processing. 5.1 Prot... |

8 | Cryptography in the bounded-quantumstorage model. - Damgard, Fehr, et al. - 2008 |

7 | Improving the security of quantum protocols via commit-and-open - Damg̊ard, Fehr, et al. - 2009 |

7 | Interactive Hashing and reductions between Oblivious Transfer variants
- Savvides
- 2007
(Show Context)
Citation Context ...y propose classical reductions to build bit commitment and oblivious transfer based on weak string erasure. Their approach to realize oblivious transfer is quite involved. It uses interactive hashing =-=[Sav07]-=-, for which the standard classical protocol requires a lot of communication rounds [NOVY98]2. The analysis is complicated by the fact that the dishonest receiver holds quantum information, but can be ... |

5 | Cryptography in the bounded-quantum-storage model
- Schaffner
- 2007
(Show Context)
Citation Context ...ransfer and passwordbased identification was established using the original protocols from the bounded-quantum-storage model [DFR+07, DFSS10]. The most general storage attacks were first mentioned in =-=[Sch07]-=-, but addressed only recently by König, Wehner and Wullschleger [KWW09]. In this most general model, the adversary can for example try to use a quantum error-correcting code in order to protect himse... |

3 |
How to implement two-party protocols in the noisy-storage model
- Wehner, Curty, et al.
- 2010
(Show Context)
Citation Context ...bitrary ccq-state ρXTQ, and let ε, ε ′ ≥ 0 be arbitrary. Let F : B(HQ)→ B(HQout) be an arbitrary CPTP map. Then, Hε+ε ′ min (X|TF(Q)) ≥ − logP F succ (⌊ Hεmin(X|T ) − log 1 ε′ ⌋) . 10 Figure 1: (from =-=[WCSL10]-=-): During waiting times ∆t, the adversary must use his noisy quantum storage described by the CPTP map F . Before using his quantum storage, he performs any (errorfree) “encoding attack” of his choosi... |