109 research outputs found

    Multi-Prover Commitments Against Non-Signaling Attacks

    We reconsider the concept of multi-prover commitments, as introduced in the late eighties in the seminal work by Ben-Or et al. As was recently shown by Crépeau et al., the security of known two-prover commitment schemes not only relies on the explicit assumption that the provers cannot communicate, but also depends on their information processing capabilities. For instance, there exist schemes that are secure against classical provers but insecure if the provers have quantum information processing capabilities, and there are schemes that resist such quantum attacks but become insecure when considering general so-called non-signaling provers, which are restricted solely by the requirement that no communication takes place. This poses the natural question whether there exists a two-prover commitment scheme that is secure under the sole assumption that no communication takes place; no such scheme is known. In this work, we give strong evidence for a negative answer: we show that any single-round two-prover commitment scheme can be broken by a non-signaling attack. Our negative result is as bad as it can get: for any candidate scheme that is (almost) perfectly hiding, there exists a strategy that allows the dishonest provers to open a commitment to an arbitrary bit (almost) as successfully as the honest provers can open an honestly prepared commitment, i.e., with probability (almost) 1 in the case of a perfectly sound scheme. In the case of multi-round schemes, our impossibility result is restricted to perfectly hiding schemes. On the positive side, we show that the impossibility result can be circumvented by considering three provers instead: there exists a three-prover commitment scheme that is secure against arbitrary non-signaling attacks

    Quantum Cryptography Beyond Quantum Key Distribution

    Quantum cryptography is the art and science of exploiting quantum mechanical effects in order to perform cryptographic tasks. While the most well-known example of this discipline is quantum key distribution (QKD), there exist many other applications such as quantum money, randomness generation, secure two- and multi-party computation and delegated quantum computation. Quantum cryptography also studies the limitations and challenges resulting from quantum adversaries, including the impossibility of quantum bit commitment, the difficulty of quantum rewinding and the definition of quantum security models for classical primitives. In this review article, aimed primarily at cryptographers unfamiliar with the quantum world, we survey the area of theoretical quantum cryptography, with an emphasis on the constructions and limitations beyond the realm of QKD.
    Comment: 45 pages, over 245 reference

    Two-Prover Bit-Commitments: Classical, Quantum and Non-Signaling

    This thesis considers multi-prover commitment schemes whose security is based on restrictions on the communication between the provers. The results are applicable to so-called relativistic commitment schemes: schemes whose security is guaranteed by the fact that information does not travel faster than the speed of light. A commitment scheme is a cryptographic protocol solving the following problem: one party, the prover, has selected a value which he wants to keep secret at first. The prover wants to have the option to reveal it to the other party, the verifier, at a later time, but the verifier wants a guarantee that no value other than the originally selected one can be revealed. Standard commitment schemes can only be proven secure under computational hardness assumptions. This can be circumvented by splitting the prover into multiple entities and restricting their communication, e.g., no communication at all, or communication only with a delay (as in relativistic commitment schemes). This dissertation introduces new methods for analyzing and designing such multi-prover schemes. As an application, we show that the Lunghi et al. commitment scheme from 2015 has much stronger security than their original analysis indicated.
    NWO (Free Competition grant 617.001.203). Number theory, Algebra and Geometr

    07381 Abstracts Collection -- Cryptography

    From 16.09.2007 to 21.09.2007 the Dagstuhl Seminar 07381 "Cryptography" was held in the International Conference and Research Center (IBFI), Schloss Dagstuhl. During the seminar, several participants presented their current research, and ongoing work and open problems were discussed. Abstracts of the presentations given during the seminar as well as abstracts of seminar results and ideas are put together in this paper. The first section describes the seminar topics and goals in general. Links to extended abstracts or full papers are provided, if available

    Contamination in Cryptographic Protocols

    We discuss a foundational issue in multi-prover interactive proofs (MIP) which we call "contamination" by the verifier. We propose a model which accounts for, and controls, verifier contamination, and show that this model does not lose expressive power. A new characterization of zero-knowledge naturally follows. We show the usefulness of this model by constructing a practical MIP for NP where the provers are spatially separated. Finally, we relate our model to the practical problem of e-voting by constructing a functional voter roster based on distributed trust

    Practical Relativistic Zero-Knowledge for NP

    In a multi-prover environment, how little spatial separation is sufficient to assert the validity of an NP statement in perfect zero-knowledge? We exhibit a set of two novel zero-knowledge protocols for the 3-COLorability problem that use two (local) provers or three (entangled) provers and only require exchanging one edge and two bits with two trits per prover. This greatly improves the ability to prove zero-knowledge statements over very short distances with very basic communication gear

    Quantum cryptography: key distribution and beyond

    Uniquely among the sciences, quantum cryptography has driven both foundational research as well as practical real-life applications. We review the progress of quantum cryptography in the last decade, covering quantum key distribution and other applications.
    Comment: It's a review on quantum cryptography and it is not restricted to QK

    Interactive Oracle Proofs

    We initiate the study of a proof system model that naturally combines two well-known models: interactive proofs (IPs) and probabilistically-checkable proofs (PCPs). An *interactive oracle proof* (IOP) is an interactive proof in which the verifier is not required to read the prover's messages in their entirety; rather, the verifier has oracle access to the prover's messages, and may probabilistically query them. IOPs simultaneously generalize IPs and PCPs. Thus, IOPs retain the expressiveness of PCPs, capturing NEXP rather than only PSPACE, and also the flexibility of IPs, allowing multiple rounds of communication with the prover. These degrees of freedom allow for more efficient PCP-like interactive protocols, because the prover does not have to compute the parts of a PCP that are not requested by the verifier. As a first investigation into IOPs, we offer two main technical contributions. First, we give a compiler that maps any public-coin IOP into a non-interactive proof in the random oracle model. We prove that the soundness of the resulting proof is tightly characterized by the soundness of the IOP against *state restoration attacks*, a class of rewinding attacks on the IOP verifier. Our compiler preserves zero knowledge, proof of knowledge, and time complexity of the underlying IOP. As an application, we obtain blackbox unconditional ZK proofs in the random oracle model with quasilinear prover and polylogarithmic verifier, improving on the result of Ishai et al. (2015). Second, we study the notion of state-restoration soundness of an IOP: we prove tight upper and lower bounds in terms of the IOP's (standard) soundness and round complexity; and describe a simple adversarial strategy that is optimal across all state restoration attacks. Our compiler can be viewed as a generalization of the Fiat-Shamir paradigm for public-coin IPs (CRYPTO '86), and of the CS proof constructions of Micali (FOCS '94) and Valiant (TCC '08) for PCPs. Our analysis of the compiler gives, in particular, a unified understanding of all of these constructions, and also motivates the study of state restoration attacks, not only for IOPs, but also for IPs and PCPs

    Non-Interactive Proofs: What Assumptions Are Sufficient?

    A non-interactive proof system allows a prover to convince a verifier that a statement is true by sending a single round of messages. In this thesis, we study under what assumptions we can build non-interactive proof systems with succinct verification and zero-knowledge. We obtain the following results.
    - Succinct Arguments: We construct the first non-interactive succinct arguments (SNARGs) for P from standard assumptions. Our construction is based on the polynomial hardness of Learning with Errors (LWE).
    - Zero-Knowledge: We build the first non-interactive zero-knowledge proof systems (NIZKs) for NP from the sub-exponential Decisional Diffie-Hellman (DDH) assumption in standard groups, without the use of groups with pairings.
    To obtain our results, we build SNARGs for batch-NP from LWE and correlation-intractable hash functions for TC^0 from the sub-exponential DDH assumption, respectively, which may be of independent interest

    Cryptography in a quantum world
