    Correlated Product Security from Any One-Way Function

    It is well-known that the k-wise product of one-way functions remains one-way, but may no longer be when the k inputs are correlated. At TCC 2009, Rosen and Segev introduced a new notion known as Correlated Product secure functions. These functions have the property that a k-wise product of them remains one-way even under correlated inputs. Rosen and Segev gave a construction of injective trapdoor functions which were correlated product secure from the existence of Lossy Trapdoor Functions (introduced by Peikert and Waters in STOC 2008). The first main result of this work shows the surprising fact that a family of correlated product secure functions can be constructed from any one-way function. Because correlated product secure functions are trivially one-way, this shows an equivalence between the existence of these two cryptographic primitives. In the second main result of this work, we consider a natural decisional variant of correlated product security. Roughly, a family of functions are Decisional Correlated Product (DCP) secure if f1(x1),..., fk(x1) is indistinguishable from f1(x1),..., fk(xk) when x1,..., xk are chosen uniformly at random

    Correlated Product Security From Any One-Way Function and the New Notion of Decisional Correlated Product Security

    It is well-known that the k-wise product of one-way functions remains one-way, but may no longer be when the k inputs are correlated. At TCC 2009, Rosen and Segev introduced a new notion known as Correlated Product secure functions. These functions have the property that a k-wise product of them remains one-way even under correlated inputs. Rosen and Segev gave a construction of injective trapdoor functions which were correlated product secure from the existence of Lossy Trapdoor Functions (introduced by Peikert and Waters in STOC 2008). The first main result of this work shows the surprising fact that a family of correlated product secure functions can be constructed from any one-way function. Because correlated product secure functions are trivially one-way, this shows an equivalence between the existence of these two cryptographic primitives. In the second main result of this work, we consider a natural decisional variant of correlated product security. Roughly, a family of functions are Decisional Correlated Product (DCP) secure if $f_1(x_1),\ldots,f_k(x_1)$ is indistinguishable from $f_1(x_1),\ldots,f_k(x_k)$ when $x_1,\ldots,x_k$ are chosen uniformly at random. We argue that the notion of Decisional Correlated Product security is a very natural one. To this end, we show a parallel from the Discrete Log Problem and Decision Diffie-Hellman Problem to Correlated Product security and its decisional variant. This intuition gives very simple constructions of PRGs and IND-CPA encryption from DCP secure functions. Furthermore, we strengthen our first result by showing that the existence of DCP secure one-way functions is also equivalent to the existence of any one-way function.
    When considering DCP secure functions with trapdoors, we give a construction based on Lossy Trapdoor Functions, and show that any DCP secure function family with trapdoor satisfies the security requirements for Deterministic Encryption as defined by Bellare, Boldyreva and O'Neill in CRYPTO 2007. In fact, we also show that definitionally, DCP secure functions with trapdoors are a strict subset of Deterministic Encryption functions by showing an example of a Deterministic Encryption function which according to the definition is not a DCP secure function

    A security proof of quantum cryptography based entirely on entanglement purification

    We give a proof that entanglement purification, even with noisy apparatus, is sufficient to disentangle an eavesdropper (Eve) from the communication channel. In the security regime, the purification process factorises the overall initial state into a tensor-product state of Alice and Bob, on one side, and Eve on the other side, thus establishing a completely private, albeit noisy, quantum communication channel between Alice and Bob. The security regime is found to coincide for all practical purposes with the purification regime of a two-way recurrence protocol. This makes two-way entanglement purification protocols, which constitute an important element in the quantum repeater, an efficient tool for secure long-distance quantum cryptography. Comment: Follow-up paper to quant-ph/0108060, submitted to PRA; 24 pages, revex

    How to reuse a one-time pad and other notes on authentication, encryption and protection of quantum information

    Quantum information is a valuable resource which can be encrypted in order to protect it. We consider the size of the one-time pad that is needed to protect quantum information in a number of cases. The situation is dramatically different from the classical case: we prove that one can recycle the one-time pad without compromising security. The protocol for recycling relies on detecting whether eavesdropping has occurred, and further relies on the fact that information contained in the encrypted quantum state cannot be fully accessed. We prove the security of recycling rates when authentication of quantum states is accepted, and when it is rejected. We note that recycling schemes respect a general law of cryptography which we prove relating the size of private keys, sent qubits, and encrypted messages. We discuss applications for encryption of quantum information in light of the resources needed for teleportation. Potential uses include the protection of resources such as entanglement and the memory of quantum computers. We also introduce another application: encrypted secret sharing and find that one can even reuse the private key that is used to encrypt a classical message. In a number of cases, one finds that the amount of private key needed for authentication or protection is smaller than in the general case. Comment: 13 pages, improved rate of recycling proved in the case of rejection of authenticatio

    General paradigm for distilling classical key from quantum states

    We develop a formalism for distilling a classical key from a quantum state in a systematic way, expanding on our previous work on secure key from bound entanglement [K. Horodecki et. al., Phys. Rev. Lett. 94 (2005)]. More detailed proofs, discussion and examples are provided of the main results. Namely, we demonstrate that all quantum cryptographic protocols can be recast in a way which looks like entanglement theory, with the only change being that instead of distilling EPR pairs, the parties distill private states. The form of these general private states are given, and we show that there are a number of useful ways of expressing them. Some of the private states can be approximated by certain states which are bound entangled. Thus distillable entanglement is not a requirement for a private key. We find that such bound entangled states are useful for a cryptographic primitive we call a controlled private quantum channel. We also find a general class of states which have negative partial transpose (are NPT), but which appear to be bound entangled. The relative entropy distance is shown to be an upper bound on the rate of key. This allows us to compute the exact value of distillable key for a certain class of private states. Comment: 41 pages, ReVTeX4, improved version, resubmitted to IEE

    Experimenter's Freedom in Bell's Theorem and Quantum Cryptography

    Bell's theorem states that no local realistic explanation of quantum mechanical predictions is possible, in which the experimenter has a freedom to choose between different measurement settings. Within a local realistic picture the violation of Bell's inequalities can only be understood if this freedom is denied. We determine the minimal degree to which the experimenter's freedom has to be abandoned, if one wants to keep such a picture and be in agreement with the experiment. Furthermore, the freedom in choosing experimental arrangements may be considered as a resource, since its lacking can be used by an eavesdropper to harm the security of quantum communication. We analyze the security of quantum key distribution as a function of the (partial) knowledge the eavesdropper has about the future choices of measurement settings which are made by the authorized parties (e.g. on the basis of some quasi-random generator). We show that the equivalence between the violation of Bell's inequality and the efficient extraction of a secure key - which exists for the case of complete freedom (no setting knowledge) - is lost unless one adapts the bound of the inequality according to this lack of freedom. Comment: 7 pages, 2 figures, incorporated referee comment

    New bounds on classical and quantum one-way communication complexity

    In this paper we provide new bounds on classical and quantum distributional communication complexity in the two-party, one-way model of communication. In the classical model, our bound extends the well known upper bound of Kremer, Nisan and Ron to include non-product distributions. We show that for a boolean function f:X x Y -> {0,1} and a non-product distribution mu on X x Y and epsilon in (0,1/2) constant: D_{epsilon}^{1, mu}(f)= O((I(X:Y)+1) vc(f)), where D_{epsilon}^{1, mu}(f) represents the one-way distributional communication complexity of f with error at most epsilon under mu; vc(f) represents the Vapnik-Chervonenkis dimension of f and I(X:Y) represents the mutual information, under mu, between the random inputs of the two parties. For a non-boolean function f:X x Y ->[k], we show a similar upper bound on D_{epsilon}^{1, mu}(f) in terms of k, I(X:Y) and the pseudo-dimension of f' = f/k. In the quantum one-way model we provide a lower bound on the distributional communication complexity, under product distributions, of a function f, in terms of the well studied complexity measure of f referred to as the rectangle bound or the corruption bound of f. We show for a non-boolean total function f : X x Y -> Z and a product distribution mu on XxY, Q_{epsilon^3/8}^{1, mu}(f) = Omega(rec_ epsilon^{1, mu}(f)), where Q_{epsilon^3/8}^{1, mu}(f) represents the quantum one-way distributional communication complexity of f with error at most epsilon^3/8 under mu and rec_ epsilon^{1, mu}(f) represents the one-way rectangle bound of f with error at most epsilon under mu. Similarly for a non-boolean partial function f:XxY -> Z U {*} and a product distribution mu on X x Y, we show, Q_{epsilon^6/(2 x 15^4)}^{1, mu}(f) = Omega(rec_ epsilon^{1, mu}(f)). Comment: ver 1, 19 page

    A Quantum-Proof Non-Malleable Extractor, With Application to Privacy Amplification against Active Quantum Adversaries

    In privacy amplification, two mutually trusted parties aim to amplify the secrecy of an initial shared secret $X$ in order to establish a shared private key $K$ by exchanging messages over an insecure communication channel. If the channel is authenticated the task can be solved in a single round of communication using a strong randomness extractor; choosing a quantum-proof extractor allows one to establish security against quantum adversaries. In the case that the channel is not authenticated, Dodis and Wichs (STOC'09) showed that the problem can be solved in two rounds of communication using a non-malleable extractor, a stronger pseudo-random construction than a strong extractor. We give the first construction of a non-malleable extractor that is secure against quantum adversaries. The extractor is based on a construction by Li (FOCS'12), and is able to extract from source of min-entropy rates larger than $1/2$. Combining this construction with a quantum-proof variant of the reduction of Dodis and Wichs, shown by Cohen and Vidick (unpublished), we obtain the first privacy amplification protocol secure against active quantum adversaries

    Quantum entanglement

    All our former experience with application of quantum theory seems to say: what is predicted by quantum formalism must occur in laboratory. But the essence of quantum formalism - entanglement, recognized by Einstein, Podolsky, Rosen and Schrödinger - waited over 70 years to enter to laboratories as a new resource as real as energy. This holistic property of compound quantum systems, which involves nonclassical correlations between subsystems, is a potential for many quantum processes, including "canonical" ones: quantum cryptography, quantum teleportation and dense coding. However, it appeared that this new resource is very complex and difficult to detect. Being usually fragile to environment, it is robust against conceptual and mathematical tools, the task of which is to decipher its rich structure. This article reviews basic aspects of entanglement including its characterization, detection, distillation and quantifying. In particular, the authors discuss various manifestations of entanglement via Bell inequalities, entropic inequalities, entanglement witnesses, quantum cryptography and point out some interrelations. They also discuss a basic role of entanglement in quantum communication within distant labs paradigm and stress some peculiarities such as irreversibility of entanglement manipulations including its extremal form - bound entanglement phenomenon. A basic role of entanglement witnesses in detection of entanglement is emphasized. Comment: 110 pages, 3 figures, ReVTex4, Improved (slightly extended) presentation, updated references, minor changes, submitted to Rev. Mod. Phys