Composable and Finite Computational Security of Quantum Message Transmission
Recent research in quantum cryptography has led to the development of schemes
that encrypt and authenticate quantum messages with computational security. The
security definitions used so far in the literature are asymptotic, game-based,
and not known to be composable. We show how to define finite, composable,
computational security for secure quantum message transmission. The new
definitions do not involve any games or oracles, they are directly operational:
a scheme is secure if it transforms an insecure channel and a shared key into
an ideal secure channel from Alice to Bob, i.e., one which only allows Eve to
block messages and learn their size, but not change them or read them. By
modifying the ideal channel to provide Eve with more or less capabilities, one
gets an array of different security notions. By design these transformations
are composable, resulting in composable security.
Crucially, the new definitions are finite. Security does not rely on the
asymptotic hardness of a computational problem. Instead, one proves a finite
reduction: if an adversary can distinguish the constructed (real) channel from
the ideal one (for some fixed security parameters), then she can solve a finite
instance of some computational problem. Such a finite statement is needed to
make security claims about concrete implementations.
We then prove that (slightly modified versions of) protocols proposed in the
literature satisfy these composable definitions. And finally, we study the
relations between some game-based definitions and our composable ones. In
particular, we look at notions of quantum authenticated encryption and QCCA2,
and show that they suffer from the same issues as their classical counterparts:
they exclude certain protocols which are arguably secure.
Comment: 43+11 pages, 18 figures, v2: minor changes, extended version of the
published pape
Composability in quantum cryptography
In this article, we review several aspects of composability in the context of
quantum cryptography. The first part is devoted to key distribution. We discuss
the security criteria that a quantum key distribution protocol must fulfill to
allow its safe use within a larger security application (e.g., for secure
message transmission). To illustrate the practical use of composability, we
show how to generate a continuous key stream by sequentially composing rounds
of a quantum key distribution protocol. In a second part, we take a more
general point of view, which is necessary for the study of cryptographic
situations involving, for example, mutually distrustful parties. We explain the
universal composability framework and state the composition theorem which
guarantees that secure protocols can securely be composed to larger
applications.
Comment: 18 pages, 2 figure
Quantum cryptography: key distribution and beyond
Uniquely among the sciences, quantum cryptography has driven both
foundational research as well as practical real-life applications. We review
the progress of quantum cryptography in the last decade, covering quantum key
distribution and other applications.
Comment: It's a review on quantum cryptography and it is not restricted to QK
Composable security of delegated quantum computation
Delegating difficult computations to remote large computation facilities,
with appropriate security guarantees, is a possible solution for the
ever-growing needs of personal computing power. For delegated computation
protocols to be usable in a larger context---or simply to securely run two
protocols in parallel---the security definitions need to be composable. Here,
we define composable security for delegated quantum computation. We distinguish
between protocols which provide only blindness---the computation is hidden from
the server---and those that are also verifiable---the client can check that it
has received the correct result. We show that the composable security
definition capturing both these notions can be reduced to a combination of
several distinct "trace-distance-type" criteria---which are, individually,
non-composable security definitions.
Additionally, we study the security of some known delegated quantum
computation protocols, including Broadbent, Fitzsimons and Kashefi's Universal
Blind Quantum Computation protocol. Even though these protocols were originally
proposed with insufficient security criteria, they turn out to still be secure
given the stronger composable definitions.
Comment: 37+9 pages, 13 figures. v3: minor changes, new references. v2:
extended the reduction between composable and local security to include
entangled inputs, substantially rewritten the introduction to the Abstract
Cryptography (AC) framewor
Attacks on quantum key distribution protocols that employ non-ITS authentication
We demonstrate how adversaries with unbounded computing resources can break
Quantum Key Distribution (QKD) protocols which employ a particular message
authentication code suggested previously. This authentication code, featuring
low key consumption, is not Information-Theoretically Secure (ITS) since for
each message the eavesdropper has intercepted she is able to send a different
message from a set of messages that she can calculate by finding collisions of
a cryptographic hash function. However, when this authentication code was
introduced it was shown to prevent straightforward Man-In-The-Middle (MITM)
attacks against QKD protocols.
In this paper, we prove that the set of messages that collide with any given
message under this authentication code contains with high probability a message
that has small Hamming distance to any other given message. Based on this fact
we present extended MITM attacks against different versions of BB84 QKD
protocols using the addressed authentication code; for three protocols we
describe every single action taken by the adversary. For all protocols the
adversary can obtain complete knowledge of the key, and for most protocols her
success probability in doing so approaches unity.
Since the attacks work against all authentication methods which allow one to
calculate colliding messages, the underlying building blocks of the presented
attacks expose the potential pitfalls arising as a consequence of non-ITS
authentication in QKD post-processing. We propose countermeasures, increasing
the eavesdropper's demand for computational power, and also prove necessary and
sufficient conditions for upgrading the discussed authentication code to the
ITS level.
Comment: 34 page