Simulatable security for quantum protocols
The notion of simulatable security (reactive simulatability, universal
composability) is a powerful tool for allowing the modular design of
cryptographic protocols (composition of protocols) and showing the security of
a given protocol embedded in a larger one. Recently, these methods have
received much attention in the quantum cryptographic community.
We give a short introduction to simulatable security in general and proceed
by sketching the many different definitional choices together with their
advantages and disadvantages.
Based on the reactive simulatability modelling of Backes, Pfitzmann and
Waidner we then develop a quantum security model. By following the BPW
modelling as closely as possible, we show that composable quantum security
definitions for quantum protocols can strongly profit from their classical
counterparts, since most of the definitional choices in the modelling are
independent of the underlying machine model.
In particular, we give a proof for the simple composition theorem in our
framework.
Comment: Added proof of combination lemma; added comparison to the model of Ben-Or, Mayers; minor correction.
Cryptology in the Crowd
Accidents happen: you may misplace the key to your home, or maybe the PIN to your home security system was written on an ill-placed post-it note. And so they end up in the hands of a bad actor, who is then granted the power to wreak all kinds of havoc in your life: the security of your home grants no guarantees when keys are stolen and PINs are leaked. Nonetheless your neighbour, whose key-and-PIN routines leave comparatively little to be desired, should feel safe that just because you can't keep your house safe from intruders, their home remains secured.
It is likewise with cryptography, whose security also relies on the secrecy of key material: intuitively, the ability to recover the secret keys of other users should not help an adversary break into an uncompromised system. Yet formalizing this intuition has turned out tricky, with several competing notions of security of varying strength. This begs the question: when modelling a real-world scenario with many users, some of which may be compromised, which formalization is the right one? Or: how do we build cryptology in a crowd?
Paper I embarks on the quest to answer the above questions by studying how various notions of multi-user IND-CCA compare to each other, with and without the ability to adaptively compromise users. We partly answer the question by showing that, without compromise, some notions of security really are preferable over others. Still, the situation is left largely open when compromise is accounted for.
Paper II takes a detour to a related set of security notions in which, rather than attacking a single user, an adversary seeks to break the security of many. One imagines an unusually powerful adversary, for example a state-sponsored actor, for whom brute-forcing a single system is not a problem. Our goal then shifts from securing every user to making mass surveillance as difficult as possible, so that the vast majority of uncompromised users can remain secure.
Paper III picks up where Paper I left off by comparing and systematizing the same security notions with a wider array of security notions that aim to capture the same (or similar) scenarios. These notions appear under the names of Selective Opening Attacks (SOA) and Non-Committing Encryption (NCE), and are typically significantly stronger than the notions of IND-CCA studied in Paper I. With a system in place, we identify and highlight a number of gaps, some of which we close, and many of which are posed as open problems.
On Fairness in Simulatability-based Cryptographic Systems
Simulatability constitutes the cryptographic notion of a secure refinement and has asserted its position as one of the fundamental concepts of modern cryptography. Although simulatability carefully captures that a distributed protocol does not behave any worse than an ideal specification, it does not, however, capture any form of liveness guarantee, i.e., that something good eventually happens in the protocol.
We show how one can extend the notion of simulatability to comprise liveness guarantees by imposing specific fairness constraints on the adversary. As the common notion of fairness based on infinite runs and eventual message delivery is not suited for reasoning about polynomial-time, cryptographic systems, we propose a new definition of fairness that enforces the delivery of messages after a polynomial number of steps. We provide strengthened variants of this definition by granting the protocol parties explicit guarantees on the maximum delay of messages. The variants thus capture fairness with explicit timeout signals, and we further distinguish between fairness with local timeouts and fairness with global timeouts.
We compare the resulting notions of fair simulatability, and provide separating examples that help to classify the strengths of the definitions and that show that the different definitions of fairness imply different variants of simulatability.
Classical Ising model test for quantum circuits
We exploit a recently constructed mapping between quantum circuits and graphs
in order to prove that circuits corresponding to certain planar graphs can be
efficiently simulated classically. The proof uses an expression for the Ising
model partition function in terms of quadratically signed weight enumerators
(QWGTs), which are polynomials that arise naturally in an expansion of quantum
circuits in terms of rotations involving Pauli matrices. We combine this
expression with a known efficient classical algorithm for the Ising partition
function of any planar graph in the absence of an external magnetic field, and
the Robertson-Seymour theorem from graph theory. We give as an example a set of
quantum circuits with a small number of non-nearest neighbor gates which admit
an efficient classical simulation.
Comment: 17 pages, 2 figures. v2: main result strengthened by removing oracular settin
Principle of majorization: Application to random quantum circuits
We test the principle of majorization [J. I. Latorre and M. A. Martín-Delgado, Phys. Rev. A 66, 022305 (2002)] in random circuits. Three classes of circuits were considered: (i) universal, (ii) classically simulatable, and (iii) neither universal nor classically simulatable. The studied families are: {CNOT, H, T}, {CNOT, H, NOT}, {CNOT, H, S} (Clifford), matchgates, and IQP (instantaneous quantum polynomial-time). We verified that all the families of circuits satisfy on average the principle of decreasing majorization. In most cases the asymptotic state (number of gates → ∞) behaves like a random vector. However, clear differences appear in the fluctuations of the Lorenz curves associated with asymptotic states. The fluctuations of the Lorenz curves discriminate between universal and non-universal classes of random quantum circuits, and they also detect the complexity of some non-universal but not classically efficiently simulatable quantum random circuits. We conclude that majorization can be used as an indicator of the complexity of quantum dynamics, as an alternative to, e.g., the entanglement spectrum and out-of-time-order correlators (OTOCs).
Fil: Vallejos, Raúl O. Centro Brasileiro de Pesquisas Físicas; Brasil
Fil: De Melo, Fernando. Centro Brasileiro de Pesquisas Físicas; Brasil
Fil: Carlo, Gabriel Gustavo. Comisión Nacional de Energía Atómica. Gerencia de Área Investigaciones y Aplicaciones No Nucleares. Gerencia Física (CAC). Departamento de Física de la Materia Condensada; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas; Argentin
SoK: Public Key Encryption with Openings
When modelling how public key encryption can enable secure communication, we should acknowledge that secret information, such as private keys or the randomness used for encryption, could become compromised. Intuitively, one would expect unrelated communication to remain secure, yet formalizing this intuition has proven challenging. Several security notions have appeared that aim to capture said scenario, ranging from the multi-user setting with corruptions, via selective opening attacks (SOA), to non-committing encryption (NCE). Remarkably, how the different approaches compare has not yet been systematically explored.
We provide a novel framework that maps each approach to an underlying philosophy of confidentiality: indistinguishability versus simulatability based, each with an a priori versus an a posteriori variant, leading to four distinct philosophies. In the absence of corruptions, these notions are largely equivalent; yet, in the presence of corruptions, they fall into a hierarchy of relative strengths, from IND-CPA and IND-CCA at the bottom, via indistinguishability SOA and simulatability SOA, to NCE at the top.
We provide a concrete treatment for the four notions, discuss subtleties in their definitions and asymptotic interpretations and identify limitations of each. Furthermore, we re-cast the main implications of the hierarchy in a concrete security framework, summarize and contextualize other known relations, identify open problems, and close a few gaps.
We end on a survey of constructions known to achieve the various notions. We identify and name a generic random-oracle construction that has appeared in various guises to prove security in seemingly different contexts. It hails back to Bellare and Rogaway's seminal work on random oracles (CCS'93) and, as previously shown, suffices to meet one of the strongest notions of our hierarchy (single-user NCE with bi-openings).
Universally Composable Quantum Multi-Party Computation
The Universal Composability model (UC) by Canetti (FOCS 2001) allows for
secure composition of arbitrary protocols. We present a quantum version of the
UC model which enjoys the same compositionality guarantees. We prove that in
this model statistically secure oblivious transfer protocols can be constructed
from commitments. Furthermore, we show that every statistically classically UC
secure protocol is also statistically quantum UC secure. Such implications are
not known for other quantum security definitions. As a corollary, we get that
quantum UC secure protocols for general multi-party computation can be
constructed from commitments.