2,546 research outputs found

    Block encryption of quantum messages

    In modern cryptography, block encryption is a fundamental cryptographic primitive. However, it is impossible for block encryption to achieve the same security as one-time pad. Quantum mechanics has changed the modern cryptography, and lots of researches have shown that quantum cryptography can outperform the limitation of traditional cryptography. This article proposes a new constructive mode for private quantum encryption, named $\mathcal{EHE}$, which is a very simple method to construct quantum encryption from classical primitive. Based on $\mathcal{EHE}$ mode, we construct a quantum block encryption (QBE) scheme from pseudorandom functions. If the pseudorandom functions are standard secure, our scheme is indistinguishable encryption under chosen plaintext attack. If the pseudorandom functions are permutation on the key space, our scheme can achieve perfect security. In our scheme, the key can be reused and the randomness cannot, so a $2n$-bit key can be used in an exponential number of encryptions, where the randomness will be refreshed in each time of encryption. Thus $2n$-bit key can perfectly encrypt $O(n2^n)$ qubits, and the perfect secrecy would not be broken if the $2n$-bit key is reused for only exponential times. Comparing with quantum one-time pad (QOTP), our scheme can be the same secure as QOTP, and the secret key can be reused (no matter whether the eavesdropping exists or not). Thus, the limitation of perfectly secure encryption (Shannon's theory) is broken in the quantum setting. Moreover, our scheme can be viewed as a positive answer to the open problem in quantum cryptography "how to unconditionally reuse or recycle the whole key of private-key quantum encryption". In order to physically implement the QBE scheme, we only need to implement two kinds of single-qubit gates (Pauli $X$ gate and Hadamard gate), so it is within reach of current quantum technology. Comment: 13 pages, 1 figure. Prior version appears in eprint.iacr.org(iacr/2017/1247). This version adds some analysis about multiple-message encryption, and modifies lots of contents. There are no changes about the fundamental result

    Authentication of Quantum Messages

    Authentication is a well-studied area of classical cryptography: a sender S and a receiver R sharing a classical private key want to exchange a classical message with the guarantee that the message has not been modified by any third party with control of the communication line. In this paper we define and investigate the authentication of messages composed of quantum states. Assuming S and R have access to an insecure quantum channel and share a private, classical random key, we provide a non-interactive scheme that enables S both to encrypt and to authenticate (with unconditional security) an m qubit message by encoding it into m+s qubits, where the failure probability decreases exponentially in the security parameter s. The classical private key is 2m+O(s) bits. To achieve this, we give a highly efficient protocol for testing the purity of shared EPR pairs. We also show that any scheme to authenticate quantum messages must also encrypt them. (In contrast, one can authenticate a classical message while leaving it publicly readable.) This has two important consequences: On one hand, it allows us to give a lower bound of 2m key bits for authenticating m qubits, which makes our protocol asymptotically optimal. On the other hand, we use it to show that digitally signing quantum states is impossible, even with only computational security. Comment: 22 pages, LaTeX, uses amssymb, latexsym, time

    Quantum authentication of classical messages

    Although key distribution is arguably the most studied context on which to apply quantum cryptographic techniques, message authentication, i.e., certifying the identity of the message originator and the integrity of the message sent, can also benefit from the use of quantum resources. Classically, message authentication can be performed by techniques based on hash functions. However, the security of the resulting protocols depends on the selection of appropriate hash functions, and on the use of long authentication keys. In this paper we propose a quantum authentication procedure that, making use of just one qubit as the authentication key, allows the authentication of binary classical messages in a secure manner. Comment: LaTeX, 6 page

    Qubit authentication

    Secure communication requires message authentication. In this paper we address the problem of how to authenticate quantum information sent through a quantum channel between two communicating parties with the minimum amount of resources. Specifically, our objective is to determine whether one elementary quantum message (a qubit) can be authenticated with a key of minimum length. We show that, unlike the case of classical-message quantum authentication, this is not possible. Comment: LaTeX, 8 page

    Key recycling in authentication

    In their seminal work on authentication, Wegman and Carter propose that to authenticate multiple messages, it is sufficient to reuse the same hash function as long as each tag is encrypted with a one-time pad. They argue that because the one-time pad is perfectly hiding, the hash function used remains completely unknown to the adversary. Since their proof is not composable, we revisit it using a composable security framework. It turns out that the above argument is insufficient: if the adversary learns whether a corrupted message was accepted or rejected, information about the hash function is leaked, and after a bounded finite amount of rounds it is completely known. We show however that this leak is very small: Wegman and Carter's protocol is still $\epsilon$-secure, if $\epsilon$-almost strongly universal$_2$ hash functions are used. This implies that the secret key corresponding to the choice of hash function can be reused in the next round of authentication without any additional error than this $\epsilon$. We also show that if the players have a mild form of synchronization, namely that the receiver knows when a message should be received, the key can be recycled for any arbitrary task, not only new rounds of authentication. Comment: 17+3 pages. 11 figures. v3: Rewritten with AC instead of UC. Extended the main result to both synchronous and asynchronous networks. Matches published version up to layout and updated references. v2: updated introduction and reference

    Information Theoretic Authentication and Secrecy Codes in the Splitting Model

    In the splitting model, information theoretic authentication codes allow non-deterministic encoding, that is, several messages can be used to communicate a particular plaintext. Certain applications require that the aspect of secrecy should hold simultaneously. Ogata-Kurosawa-Stinson-Saido (2004) have constructed optimal splitting authentication codes achieving perfect secrecy for the special case when the number of keys equals the number of messages. In this paper, we establish a construction method for optimal splitting authentication codes with perfect secrecy in the more general case when the number of keys may differ from the number of messages. To the best knowledge, this is the first result of this type. Comment: 4 pages (double-column); to appear in Proc. 2012 International Zurich Seminar on Communications (IZS 2012, Zurich

    Anonymous quantum communication

    We present the first protocol for the anonymous transmission of a quantum state that is information-theoretically secure against an active adversary, without any assumption on the number of corrupt participants. The anonymity of the sender and receiver is perfectly preserved, and the privacy of the quantum state is protected except with exponentially small probability. Even though a single corrupt participant can cause the protocol to abort, the quantum state can only be destroyed with exponentially small probability: if the protocol succeeds, the state is transferred to the receiver and otherwise it remains in the hands of the sender (provided the receiver is honest). Comment: 11 pages, to appear in Proceedings of ASIACRYPT, 200