260 research outputs found
Statistical Zero Knowledge and quantum one-way functions
One-way functions are a very important notion in the field of classical
cryptography. Most examples of such functions, including factoring, discrete
log or the RSA function, can be, however, inverted with the help of a quantum
computer. In this paper, we study one-way functions that are hard to invert
even by a quantum adversary and describe a set of problems which are good such
candidates. These problems include Graph Non-Isomorphism, approximate Closest
Lattice Vector and Group Non-Membership. More generally, we show that any hard
instance of Circuit Quantum Sampling gives rise to a quantum one-way function.
By the work of Aharonov and Ta-Shma, this implies that any language in
Statistical Zero Knowledge which is hard-on-average for quantum computers,
leads to a quantum one-way function. Moreover, extending the result of
Impagliazzo and Luby to the quantum setting, we prove that quantum
distributionally one-way functions are equivalent to quantum one-way functions.
Last, we explore the connections between quantum one-way functions and the
complexity class QMA and show that, similarly to the classical case, if any of
the above candidate problems is QMA-complete then the existence of quantum
one-way functions leads to the separation of QMA and AvgBQP.
Comment: 20 pages; Computational Complexity, Cryptography and Quantum Physics;
Published version, main results unchanged, presentation improve
Security of almost ALL discrete log bits
Let G be a finite cyclic group with generator \alpha and with an encoding so that multiplication is computable in polynomial time. We study the security of bits of the discrete log x when given \exp_{\alpha}(x), assuming that the exponentiation function \exp_{\alpha}(x) = \alpha^x is one-way. We reduce the general problem to the case that G has odd order q. If G has odd order q the security of the least-significant bits of x and of the most-significant bits of the rational number \frac{x}{q} \in [0,1) follows from the work of Peralta [P85] and Long and Wigderson [LW88]. We generalize these bits and study the security of consecutive shift bits lsb(2^{-i}x mod q) for i=k+1,...,k+j. When we restrict \exp_{\alpha} to arguments x such that some sequence of j consecutive shift bits of x is constant (i.e., not depending on x) we call it a 2^{-j}-fraction of \exp_{\alpha}. For groups of odd group order q we show that every two 2^{-j}-fractions of \exp_{\alpha} are equally one-way by a polynomial time transformation: Either they are all one-way or none of them. Our key theorem shows that arbitrary j consecutive shift bits of x are simultaneously secure when given \exp_{\alpha}(x) iff the 2^{-j}-fractions of \exp_{\alpha} are one-way. In particular this applies to the j least-significant bits of x and to the j most-significant bits of \frac{x}{q} \in [0,1). For one-way \exp_{\alpha} the individual bits of x are secure when given \exp_{\alpha}(x) by the method of Håstad, Näslund [HN98]. For groups of even order 2^{s}q we show that the j least-significant bits of \lfloor x/2^s\rfloor, as well as the j most-significant bits of \frac{x}{q} \in [0,1), are simultaneously secure iff the 2^{-j}-fractions of \exp_{\alpha'} are one-way for \alpha' := \alpha^{2^s}. We use and extend the models of generic algorithms of Nechaev (1994) and Shoup (1997). We determine the generic complexity of inverting fractions of \exp_{\alpha} for the case that \alpha has prime order q.
As a consequence, arbitrary segments of (1-\varepsilon)\lg q consecutive shift bits of random x are for constant \varepsilon >0 simultaneously secure against generic attacks. Every generic algorithm using t generic steps (group operations) for distinguishing bit strings of j consecutive shift bits of x from random bit strings has at most advantage O((\lg q) j\sqrt{t} (2^j/q)^{\frac14})
Factorization and Malleability of RSA Moduli, and Counting Points on Elliptic Curves Modulo N
In this paper we address two different problems related to the factorization of an RSA (Rivest-Shamir-Adleman cryptosystem) modulus N. First we show that factoring is equivalent, in deterministic polynomial time, to counting points on a pair of twisted elliptic curves modulo N. The second problem is related to malleability. This notion was introduced in 2006 by Paillier and Villar, and deals with the question of whether or not the factorization of a given number N becomes substantially easier when knowing the factorization of another one N′ relatively prime to N. Despite the efforts made up to now, a complete answer to this question was unknown. Here we settle the problem affirmatively. To construct a particular N′ that helps the factorization of N, we use the number of points of a single elliptic curve modulo N. Coppersmith's algorithm allows us to go from the factors of N′ to the factors of N in polynomial time
An efficient probabilistic public-key cryptosystem over quadratic fields quotients
We present a new probabilistic cryptosystem working in quadratic fields quotients. Computation in such objects can be done efficiently with Lucas sequences which help to design a fast system. The security of the scheme is based on the LUC problem and its semantic security on a new decisional problem. This system appears to be an alternative to schemes based on the RSA primitive and has a full computational cost smaller than the El Gamal EC cryptosystem
Lattice-based Blind Signatures
Motivated by the need to have secure blind signatures even in the presence of quantum computers, we present two efficient blind signature schemes based on hard worst-case lattice problems. Both schemes are provably secure in the random oracle model and unconditionally blind. The first scheme is based on preimage samplable functions that were introduced at STOC 2008 by Gentry, Peikert, and Vaikuntanathan. The scheme is stateful and runs in 3 moves. The second scheme builds upon the PKC 2008 identification scheme of Lyubashevsky. It is stateless, has 4 moves, and its security is based on the hardness of worst-case problems in ideal lattices
From the Hardness of Detecting Superpositions to Cryptography: Quantum Public Key Encryption and Commitments
Recently, Aaronson et al. (arXiv:2009.07450) showed that detecting
interference between two orthogonal states is as hard as swapping these states.
While their original motivation was from quantum gravity, we show its
applications in quantum cryptography.
1. We construct the first public key encryption scheme from cryptographic
non-abelian group actions. Interestingly, the ciphertexts of our scheme
are quantum even if messages are classical. This resolves an open question
posed by Ji et al. (TCC '19). We construct the scheme through a new abstraction
called swap-trapdoor function pairs, which may be of independent interest.
2. We give a simple and efficient compiler that converts the flavor of
quantum bit commitments. More precisely, for any prefix X, Y ∈
{computationally,statistically,perfectly}, if the base scheme is X-hiding and
Y-binding, then the resulting scheme is Y-hiding and X-binding. Our compiler
calls the base scheme only once. Previously, all known compilers call the base
schemes polynomially many times (Crépeau et al., Eurocrypt '01 and Yan,
Asiacrypt '22). For the security proof of the conversion, we generalize the
result of Aaronson et al. by considering quantum auxiliary inputs.
Comment: 51 page
From Identification to Signatures, Tightly: A Framework and Generic Transforms
This paper provides a framework to treat the problem of building signature schemes from identification schemes in a unified and systematic way. The outcomes are (1) Alternatives to the Fiat-Shamir transform that, applied to trapdoor identification schemes, yield signature schemes with tight security reductions to standard assumptions (2) An understanding and characterization of existing transforms in the literature. One of our transforms has the added advantage of producing signatures shorter than produced by the Fiat-Shamir transform. Reduction tightness is important because it allows the implemented scheme to use small parameters (thereby being as efficient as possible) while retaining provable security