On the Security of Proofs of Sequential Work in a Post-Quantum World
A Proof of Sequential Work (PoSW) allows a prover to convince a
resource-bounded verifier that the prover invested a substantial amount of
sequential time to perform some underlying computation. PoSWs have many
applications including time-stamping, blockchain design, and universally
verifiable CPU benchmarks. Mahmoody, Moran, and Vadhan (ITCS 2013) gave the
first construction of a PoSW in the random oracle model though the construction
relied on expensive depth-robust graphs. In a recent breakthrough, Cohen and
Pietrzak (EUROCRYPT 2018) gave an efficient PoSW construction that does not
require expensive depth-robust graphs.
In the classical parallel random oracle model, it is straightforward to argue
that any successful PoSW attacker must produce a long -sequence
and that any malicious party running in sequential time will fail to
produce an -sequence of length except with negligible
probability. In this paper, we prove that any quantum attacker running in
sequential time will fail to produce an -sequence except
with negligible probability -- even if the attacker submits a large batch of
quantum queries in each round. The proof is substantially more challenging and
highlights the power of Zhandry's recent compressed oracle technique (CRYPTO
2019). We further extend this result to establish post-quantum security of a
non-interactive PoSW obtained by applying the Fiat-Shamir transform to Cohen
and Pietrzak's efficient construction (EUROCRYPT 2018).
Comment: 44 pages, 4 figures
Gleason-Busch theorem for sequential measurements
Gleason's theorem is a statement that, given some reasonable assumptions, the Born rule used to calculate probabilities in quantum mechanics is essentially unique [A. M. Gleason, Indiana Univ. Math. J. 6, 885 (1957)]. We show that Gleason's theorem contains within it also the structure of sequential measurements, and along with this the state update rule. We give a small set of axioms, which are physically motivated and analogous to those in Busch's proof of Gleason's theorem [P. Busch, Phys. Rev. Lett. 91, 120403 (2003)], from which the familiar Kraus operator form follows. An axiomatic approach has practical relevance as well as fundamental interest, in making clear those assumptions which underlie the security of quantum communication protocols. Interestingly, the two-time formalism is seen to arise naturally in this approach.
Cryptographic security of quantum key distribution
This work is intended as an introduction to cryptographic security and a
motivation for the widely used Quantum Key Distribution (QKD) security
definition. We review the notion of security necessary for a protocol to be
usable in a larger cryptographic context, i.e., for it to remain secure when
composed with other secure protocols. We then derive the corresponding security
criterion for QKD. We provide several examples of QKD composed in sequence and
parallel with different cryptographic schemes to illustrate how the error of a
composed protocol is the sum of the errors of the individual protocols. We also
discuss the operational interpretations of the distance metric used to quantify
these errors.
Comment: 31+23 pages. 28 figures. Comments and questions welcome.
Foundations, Properties, and Security Applications of Puzzles: A Survey
Cryptographic algorithms have been used not only to create robust ciphertexts
but also to generate cryptograms that, contrary to the classic goal of
cryptography, are meant to be broken. These cryptograms, generally called
puzzles, require the use of a certain amount of resources to be solved, hence
introducing a cost that is often regarded as a time delay---though it could
involve other metrics as well, such as bandwidth. These powerful features have
made puzzles the core of many security protocols, acquiring increasing
importance in the IT security landscape. The concept of a puzzle has
subsequently been extended to other types of schemes that do not use
cryptographic functions, such as CAPTCHAs, which are used to discriminate
humans from machines. Overall, puzzles have experienced a renewed interest with
the advent of Bitcoin, which uses a CPU-intensive puzzle as proof of work. In
this paper, we provide a comprehensive study of the most important puzzle
construction schemes available in the literature, categorizing them according
to several attributes, such as resource type, verification type, and
applications. We have redefined the term puzzle by collecting and integrating
the scattered notions used in different works, to cover all the existing
applications. Moreover, we provide an overview of the possible applications,
identifying key requirements and different design approaches. Finally, we
highlight the features and limitations of each approach, providing a useful
guide for the future development of new puzzle schemes.
Comment: This article has been accepted for publication in ACM Computing Surveys.
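Two of the abstracts above turn on the same distinction: the puzzle survey classifies puzzles by resource type, and the PoSW paper cares specifically about puzzles whose cost is sequential time rather than raw work. The example below, added here and not taken from either paper, puts both kinds side by side: a hashcash-style proof of work (the CPU-intensive, parallelizable kind Bitcoin uses) and an iterated-hash chain of the kind the PoSW paper calls a sequence of hash evaluations. The challenge string, difficulty and chain length are illustrative choices, and the chain verifier deliberately recomputes everything, which is the inefficiency real PoSW constructions are designed to remove.

```python
import hashlib

# Added example, not code from any of the papers listed on this page.
# All parameters (challenge, difficulty, chain length) are illustrative.


def _h(data: bytes) -> bytes:
    """SHA-256 stands in for the random oracle H of the abstracts."""
    return hashlib.sha256(data).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (0..8*len)."""
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


# --- Puzzle 1: hashcash-style proof of work (parallelizable) ---------------

def solve_pow(challenge: bytes, difficulty: int, max_tries: int = 1 << 24) -> int:
    """Find a nonce with H(challenge || nonce) having `difficulty` leading zero bits.

    Expected cost is about 2**difficulty hash evaluations, but every nonce can
    be tried independently, so k processors finish about k times faster.
    """
    for nonce in range(max_tries):
        if leading_zero_bits(_h(challenge + nonce.to_bytes(8, "big"))) >= difficulty:
            return nonce
    raise RuntimeError("no solution within max_tries")


def verify_pow(challenge: bytes, difficulty: int, nonce: int) -> bool:
    """One hash evaluation regardless of difficulty: the puzzle is asymmetric."""
    if difficulty > 256:          # no SHA-256 digest can satisfy this
        return False
    return leading_zero_bits(_h(challenge + nonce.to_bytes(8, "big"))) >= difficulty


# --- Puzzle 2: iterated hash chain (inherently sequential) ------------------

def sequential_chain(x0: bytes, t: int) -> list[bytes]:
    """Build x_0, x_1 = H(x_0), ..., x_t.

    Step i+1 needs x_i as input, so producing the chain takes t hash
    evaluations one after another no matter how many processors are used.
    """
    seq = [x0]
    for _ in range(t):
        seq.append(_h(seq[-1]))
    return seq


def verify_chain(seq: list[bytes]) -> bool:
    """Recompute the whole chain and compare link by link.

    This costs the verifier the same t sequential evaluations as the prover,
    which is exactly the verifier burden that PoSW constructions avoid by
    letting a resource-bounded verifier check only a few sampled positions.
    """
    return all(seq[i + 1] == _h(seq[i]) for i in range(len(seq) - 1))


if __name__ == "__main__":
    challenge = b"example-challenge"        # constructed sample input
    nonce = solve_pow(challenge, difficulty=12)
    print("pow nonce:", nonce, "valid:", verify_pow(challenge, 12, nonce))
    chain = sequential_chain(b"seed", 1000)
    print("chain of", len(chain) - 1, "steps valid:", verify_chain(chain))
```

The two solvers have the same asymptotic cost for a suitable choice of parameters, but only the second forces the prover to spend wall-clock time; that is the property the PoSW abstract is proving survives a quantum attacker who may batch many oracle queries per round.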
Quantum Cryptography Beyond Quantum Key Distribution
Quantum cryptography is the art and science of exploiting quantum mechanical
effects in order to perform cryptographic tasks. While the most well-known
example of this discipline is quantum key distribution (QKD), there exist many
other applications such as quantum money, randomness generation, secure two-
and multi-party computation and delegated quantum computation. Quantum
cryptography also studies the limitations and challenges resulting from quantum
adversaries---including the impossibility of quantum bit commitment, the
difficulty of quantum rewinding and the definition of quantum security models
for classical primitives. In this review article, aimed primarily at
cryptographers unfamiliar with the quantum world, we survey the area of
theoretical quantum cryptography, with an emphasis on the constructions and
limitations beyond the realm of QKD.
Comment: 45 pages, over 245 references
Complete Insecurity of Quantum Protocols for Classical Two-Party Computation
A fundamental task in modern cryptography is the joint computation of a
function which has two inputs, one from Alice and one from Bob, such that
neither of the two can learn more about the other's input than what is implied
by the value of the function. In this Letter, we show that any quantum protocol
for the computation of a classical deterministic function that outputs the
result to both parties (two-sided computation) and that is secure against a
cheating Bob can be completely broken by a cheating Alice. Whereas it is known
that quantum protocols for this task cannot be completely secure, our result
implies that security for one party implies complete insecurity for the other.
Our findings stand in stark contrast to recent protocols for weak coin tossing,
and highlight the limits of cryptography within quantum mechanics. We remark
that our conclusions remain valid, even if security is only required to be
approximate and if the function that is computed for Bob is different from that
of Alice.
Comment: v2: 6 pages, 1 figure, text identical to PRL-version (but reasonably formatted)
Device-Independent Bit Commitment based on the CHSH Inequality
Bit commitment and coin flipping occupy a unique place in the
device-independent landscape, as the only device-independent protocols thus far
suggested for these tasks are reliant on tripartite GHZ correlations. Indeed,
we know of no other bipartite tasks, which admit a device-independent
formulation, but which are not known to be implementable using only bipartite
nonlocality. Another interesting feature of these protocols is that the
pseudo-telepathic nature of GHZ correlations -- in contrast to the generally
statistical character of nonlocal correlations, such as those arising in the
violation of the CHSH inequality -- is essential to their formulation and
analysis. In this work, we present a device-independent bit commitment protocol
based on CHSH testing, which achieves the same security as the optimal
GHZ-based protocol. The protocol is analyzed in the most general settings,
where the devices are used repeatedly and may have long-term quantum memory. We
also recast the protocol in a post-quantum setting where both honest and
dishonest parties are restricted only by the impossibility of signaling, and
find that overall the supra-quantum structure allows for greater security.
Comment: 15 pages, 3 figures
Depth-Bounded Quantum Cryptography with Applications to One-Time Memory and More
With the power of quantum information, we can achieve exciting and classically impossible cryptographic primitives. However, almost all quantum cryptography faces extreme difficulties with the near-term intermediate-scale quantum technology (NISQ technology); namely, the short lifespan of quantum states and limited sequential computation. At the same time, considering only limited quantum adversaries may still enable us to achieve never-before-possible tasks.
In this work, we consider quantum cryptographic primitives against limited quantum adversaries - depth-bounded adversaries. We introduce a model for (depth-bounded) NISQ computers, which are classical circuits interleaved with shallow quantum circuits. Then, we show one-time memory can be achieved against any depth-bounded quantum adversaries introduced in the work, with their depth being any pre-fixed polynomial. Therefore we obtain applications like one-time programs and one-time proofs. Finally, we show our one-time memory has correctness even against constant-rate errors.