Quantum-secure message authentication via blind-unforgeability
Formulating and designing unforgeable authentication of classical messages in the presence of quantum adversaries has been a challenge, as the familiar classical notions of unforgeability do not directly translate into meaningful notions in the quantum setting. A particular difficulty is how to fairly capture the notion of "predicting an unqueried value" when the adversary can query in quantum superposition. In this work, we uncover serious shortcomings in existing approaches, and propose a new definition. We then support its viability by a number of constructions and characterizations. Specifically, we demonstrate a function which is secure according to the existing definition by Boneh and Zhandry, but is clearly vulnerable to a quantum forgery attack, whereby a query supported only on inputs that start with 0 divulges the value of the function on an input that starts with 1. We then propose a new definition, which we call "blind-unforgeability" (or BU). This notion matches "intuitive unpredictability" in all examples studied thus far. It defines a function to be predictable if there exists an adversary which can use "partially blinded" oracle access to predict values in the blinded region. Our definition (BU) coincides with standard unpredictability (EUF-CMA) in the classical-query setting. We show that quantum-secure pseudorandom functions are BU-secure MACs. In addition, we show that BU satisfies a composition property (Hash-and-MAC) using "Bernoulli-preserving" hash functions, a new notion which may be of independent interest. Finally, we show that BU is amenable to security reductions by giving a precise bound on the extent to which quantum algorithms can deviate from their usual behavior due to the blinding in the BU security experiment.
Comment: 23+9 pages, v3: published version, with one theorem statement in the summary of results corrected.
Augmented Random Oracles
We propose a new paradigm for justifying the security of random oracle-based protocols, which we call the Augmented Random Oracle Model (AROM). We show that the AROM captures a wide range of important random oracle impossibility results. Thus a proof in the AROM implies some resiliency to such impossibilities. We then consider three ROM transforms which are subject to impossibilities: Fiat-Shamir (FS), Fujisaki-Okamoto (FO), and Encrypt-with-Hash (EwH). We show in each case how to obtain security in the AROM by strengthening the building blocks or modifying the transform.
Along the way, we give a couple of other results. We improve the assumptions needed for the FO and EwH impossibilities from indistinguishability obfuscation to circularly secure LWE; we argue that our AROM still captures this improved impossibility. We also demonstrate that there is no best possible hash function, by giving a pair of security properties, both of which can be instantiated in the standard model separately, which cannot be simultaneously satisfied by a single hash function.
Path-Fault-Tolerant Approximate Shortest-Path Trees
Let be an -nodes non-negatively real-weighted undirected graph. In this paper we show how to enrich a single-source shortest-path tree (SPT) of with a sparse set of auxiliary edges selected from , in order to create a structure which effectively tolerates a path failure in the SPT. This consists of a simultaneous fault of a set of at most adjacent edges along a shortest path emanating from the source, and it is recognized as one of the most frequent disruptions in an SPT. We show that, for any integer parameter , it is possible to provide a very sparse (i.e., of size ) auxiliary structure that carefully approximates (i.e., within a stretch factor of ) the true shortest paths from the source during the lifetime of the failure. Moreover, we show that our construction can be further refined to get a stretch factor of and a size of for the special case , and that it can be converted into a very efficient approximate-distance sensitivity oracle, which allows one to quickly (even in optimal time, if ) reconstruct the shortest paths (w.r.t. our structure) from the source after a path failure, thus permitting the needed rerouting operations to be performed promptly. Our structure compares favorably with previously known solutions, as we discuss in the paper, and moreover it is also very effective in practice, as we assess through a large set of experiments.
Comment: 21 pages, 3 figures, SIROCCO 201
Quantum Simulation Logic, Oracles, and the Quantum Advantage
Query complexity is a common tool for comparing quantum and classical computation, and it has produced many examples of how quantum algorithms differ from classical ones. Here we investigate in detail the role that oracles play in the advantage of quantum algorithms. We do so by using a simulation framework, Quantum Simulation Logic (QSL), to construct oracles and algorithms that solve some problems with the same success probability and number of queries as the quantum algorithms. The framework can be simulated using only classical resources at a constant overhead as compared to the quantum resources used in quantum computation. Our results clarify the assumptions made and the conditions needed when using quantum oracles. Using the same assumptions on oracles within the simulation framework, we show that for some specific algorithms, like the Deutsch-Jozsa and Simon's algorithms, there simply is no advantage in terms of query complexity. This does not detract from the fact that quantum query complexity provides examples of how a quantum computer can be expected to behave, which in turn has proved useful for finding new quantum algorithms outside of the oracle paradigm, where the most prominent example is Shor's algorithm for integer factorization.
Comment: 48 pages, 46 figures
Semantic Security and Indistinguishability in the Quantum World
At CRYPTO 2013, Boneh and Zhandry initiated the study of quantum-secure encryption. They proposed the first indistinguishability definitions for the quantum world, where the actual indistinguishability only holds for classical messages, and they provided arguments why it might be hard to achieve a stronger notion. In this work, we show that stronger notions are achievable, where the indistinguishability holds for quantum superpositions of messages. We investigate exhaustively the possibilities and subtle differences in defining such a quantum indistinguishability notion for symmetric-key encryption schemes. We justify our stronger definition by showing its equivalence to novel quantum semantic-security notions that we introduce. Furthermore, we show that our new security definitions cannot be achieved by a large class of ciphers, namely those which quasi-preserve the message length. On the other hand, we provide a secure construction based on quantum-resistant pseudorandom permutations; this construction can be used as a generic transformation for turning a large class of encryption schemes into quantum-indistinguishable and hence quantum semantically secure ones. Moreover, our construction is the first completely classical encryption scheme shown to be secure against an even stronger notion of indistinguishability, which was previously known to be achievable only by using quantum messages and arbitrary quantum encryption circuits.
Comment: 37 pages, 2 figures
The related-key analysis of Feistel constructions
Lecture Notes in Computer Science, Volume 8540, 2015.
It is well known that the classical three- and four-round Feistel constructions are provably secure under chosen-plaintext and chosen-ciphertext attacks, respectively. However, irrespective of the number of rounds, no Feistel construction can resist related-key attacks where the keys can be offset by a constant. In this paper we show that, under suitable reuse of round keys, security under related-key attacks can be provably attained. Our modification is substantially simpler and more efficient than alternatives obtained using generic transforms, namely the PRG transform of Bellare and Cash (CRYPTO 2010) and its random-oracle analogue outlined by Lucks (FSE 2004). Additionally, we formalize Lucks' transform and show that it does not always work if related keys are derived in an oracle-dependent way, and then prove it sound under appropriate restrictions.