204 research outputs found
Quantum Attacks on Classical Proof Systems - The Hardness of Quantum Rewinding
Quantum zero-knowledge proofs and quantum proofs of knowledge are
inherently difficult to analyze because their security analysis uses
rewinding. Certain cases of quantum rewinding are handled by the
results by Watrous (SIAM J Comput, 2009) and Unruh (Eurocrypt 2012),
yet in general the problem remains elusive. We show that this is not
only due to a lack of proof techniques: relative to an oracle,
we show that classically secure proofs and proofs of knowledge are
insecure in the quantum setting.
More specifically, sigma-protocols, the Fiat-Shamir construction,
and Fischlin\u27s proof system are quantum insecure under assumptions that are
sufficient for classical security. Additionally, we show that for
similar reasons, computationally binding commitments provide almost
no security guarantees in a quantum setting.
To show these results, we develop the pick-one trick , a general
technique that allows an adversary to find one value satisfying a
given predicate, but not two
Classical Cryptographic Protocols in a Quantum World
Cryptographic protocols, such as protocols for secure function evaluation
(SFE), have played a crucial role in the development of modern cryptography.
The extensive theory of these protocols, however, deals almost exclusively with
classical attackers. If we accept that quantum information processing is the
most realistic model of physically feasible computation, then we must ask: what
classical protocols remain secure against quantum attackers?
Our main contribution is showing the existence of classical two-party
protocols for the secure evaluation of any polynomial-time function under
reasonable computational assumptions (for example, it suffices that the
learning with errors problem be hard for quantum polynomial time). Our result
shows that the basic two-party feasibility picture from classical cryptography
remains unchanged in a quantum world.Comment: Full version of an old paper in Crypto'11. Invited to IJQI. This is
authors' copy with different formattin
Making Existential-Unforgeable Signatures Strongly Unforgeable in the Quantum Random-Oracle Model
Strongly unforgeable signature schemes provide a more stringent security
guarantee than the standard existential unforgeability. It requires that not
only forging a signature on a new message is hard, it is infeasible as well to
produce a new signature on a message for which the adversary has seen valid
signatures before. Strongly unforgeable signatures are useful both in practice
and as a building block in many cryptographic constructions.
This work investigates a generic transformation that compiles any
existential-unforgeable scheme into a strongly unforgeable one, which was
proposed by Teranishi et al. and was proven in the classical random-oracle
model. Our main contribution is showing that the transformation also works
against quantum adversaries in the quantum random-oracle model. We develop
proof techniques such as adaptively programming a quantum random-oracle in a
new setting, which could be of independent interest. Applying the
transformation to an existential-unforgeable signature scheme due to Cash et
al., which can be shown to be quantum-secure assuming certain lattice problems
are hard for quantum computers, we get an efficient quantum-secure strongly
unforgeable signature scheme in the quantum random-oracle model.Comment: 15 pages, to appear in Proceedings TQC 201
Quantum Proofs
Quantum information and computation provide a fascinating twist on the notion
of proofs in computational complexity theory. For instance, one may consider a
quantum computational analogue of the complexity class \class{NP}, known as
QMA, in which a quantum state plays the role of a proof (also called a
certificate or witness), and is checked by a polynomial-time quantum
computation. For some problems, the fact that a quantum proof state could be a
superposition over exponentially many classical states appears to offer
computational advantages over classical proof strings. In the interactive proof
system setting, one may consider a verifier and one or more provers that
exchange and process quantum information rather than classical information
during an interaction for a given input string, giving rise to quantum
complexity classes such as QIP, QSZK, and QMIP* that represent natural quantum
analogues of IP, SZK, and MIP. While quantum interactive proof systems inherit
some properties from their classical counterparts, they also possess distinct
and uniquely quantum features that lead to an interesting landscape of
complexity classes based on variants of this model.
In this survey we provide an overview of many of the known results concerning
quantum proofs, computational models based on this concept, and properties of
the complexity classes they define. In particular, we discuss non-interactive
proofs and the complexity class QMA, single-prover quantum interactive proof
systems and the complexity class QIP, statistical zero-knowledge quantum
interactive proof systems and the complexity class \class{QSZK}, and
multiprover interactive proof systems and the complexity classes QMIP, QMIP*,
and MIP*.Comment: Survey published by NOW publisher
Quantum Cryptography Beyond Quantum Key Distribution
Quantum cryptography is the art and science of exploiting quantum mechanical
effects in order to perform cryptographic tasks. While the most well-known
example of this discipline is quantum key distribution (QKD), there exist many
other applications such as quantum money, randomness generation, secure two-
and multi-party computation and delegated quantum computation. Quantum
cryptography also studies the limitations and challenges resulting from quantum
adversaries---including the impossibility of quantum bit commitment, the
difficulty of quantum rewinding and the definition of quantum security models
for classical primitives. In this review article, aimed primarily at
cryptographers unfamiliar with the quantum world, we survey the area of
theoretical quantum cryptography, with an emphasis on the constructions and
limitations beyond the realm of QKD.Comment: 45 pages, over 245 reference
How to Base Security on the Perfect/Statistical Binding Property of Quantum Bit Commitment?
The concept of quantum bit commitment was introduced in the early 1980s for the purpose of basing bit commitments solely on principles of quantum theory. Unfortunately, such unconditional quantum bit commitments still turn out to be impossible. As a compromise like in classical cryptography, Dumais et al. [Paul Dumais et al., 2000] introduce the conditional quantum bit commitments that additionally rely on complexity assumptions. However, in contrast to classical bit commitments which are widely used in classical cryptography, up until now there is relatively little work towards studying the application of quantum bit commitments in quantum cryptography. This may be partly due to the well-known weakness of the general quantum binding that comes from the possible superposition attack of the sender of quantum commitments, making it unclear whether quantum commitments could be useful in quantum cryptography.
In this work, following Yan et al. [Jun Yan et al., 2015] we continue studying using (canonical non-interactive) perfectly/statistically-binding quantum bit commitments as the drop-in replacement of classical bit commitments in some well-known constructions. Specifically, we show that the (quantum) security can still be established for zero-knowledge proof, oblivious transfer, and proof-of-knowledge. In spite of this, we stress that the corresponding security analyses are by no means trivial extensions of their classical analyses; new techniques are needed to handle possible superposition attacks by the cheating sender of quantum bit commitments.
Since (canonical non-interactive) statistically-binding quantum bit commitments can be constructed from quantum-secure one-way functions, we hope using them (as opposed to classical commitments) in cryptographic constructions can reduce the round complexity and weaken the complexity assumption simultaneously
Online-Extractability in the Quantum Random-Oracle Model
We show the following generic result. Whenever a quantum query algorithm in
the quantum random-oracle model outputs a classical value that is promised
to be in some tight relation with for some , then can be
efficiently extracted with almost certainty. The extraction is by means of a
suitable simulation of the random oracle and works online, meaning that it is
straightline, i.e., without rewinding, and on-the-fly, i.e., during the
protocol execution and without disturbing it.
The technical core of our result is a new commutator bound that bounds the
operator norm of the commutator of the unitary operator that describes the
evolution of the compressed oracle (which is used to simulate the random oracle
above) and of the measurement that extracts .
We show two applications of our generic online extractability result. We show
tight online extractability of commit-and-open -protocols in the
quantum setting, and we offer the first non-asymptotic post-quantum security
proof of the textbook Fujisaki-Okamoto transformation, i.e, without adjustments
to facilitate the proof
Post-Quantum Secure Time-Stamping
Krüptograafilisi ajatempliprotokolle kasutatakse tõestusena, et üks dokument eksisteeris enne teist. Postkvantkrüptograafiliselt turvalised ajatempliprotokollid uurivad, kas neid tõestusi on võimalik võltsida kasutades kvantarvuteid. Tegu on suuresti uurimata alaga, kuna võtmeta ajatempliprotokollides kasutatavates primitiivides pole seni leitud kvantarvutite kontekstis tõsiseid nõrkusi. Selles töös me defineerime, mis on post-kvant turvalised ajatempliprotokollid ning uurime kuidas klassikalised tulemused muutuvad uues raamistikus. Suur erinevus kvantvastaste puhul on see, et meil ei ole võimalik saada suvalise kvantalgoritmi mitut erinevat käivitust. Tänapäeval teadaolevad tagasipööramise võtted võimaldavad kvantalgoritmi tagasi pöörata ainult väga kindlatel tingimustel. Me uurime nende võtete kombineerimise võimalikkust ühe teoreemi tõestamiseks. Sellele teoreemile ei ole hetkel post-kvant standardmudelis ühtegi tõestust. Me pakume tõestuseta ühe tagasipööramise konstruktsiooni, mille abil võib osutuda teoreemi tõestamine võimalikuks. Me lisaks pakume välja ka minimaalse lahendamata probleemi, mis on esimene samm teoreemi formaalse tõestamiseni.Cryptographic timestamps are used as proof that a certain document existed before another. Post-quantum secure time-stamping examines whether these proofs can be forged using a quantum computer. The field is very unexplored as the primitives used in keyless time-stamping have not shown any serious weakness towards quantum computers. Until now no effort had been made towards formally defining post-quantum secure time-stamping. In this work, we define the notion of post-quantum time-stamping and examine how contemporary classical results change in this new framework. A key difference in the post-quantum setting is that we cannot retrieve multiple separate executions of an arbitrary quantum adversary. Currently known rewinding techniques allow an adversary to be ran again only under very specific conditions. We examine the possibility of combining existing rewinding techniques to prove a theorem for which there is currently no proof in the standard post-quantum model. We conjecture a rewinding construction which could possibly prove the theorem and establish a minimal open problem for formally proving the theorem
- …