Tight bounds for classical and quantum coin flipping
Coin flipping is a cryptographic primitive for which strictly better
protocols exist if the players are not only allowed to exchange classical, but
also quantum messages. During the past few years, several results have appeared
which give a tight bound on the range of implementable unconditionally secure
coin flips, both in the classical as well as in the quantum setting and for
both weak as well as strong coin flipping. But the picture is still incomplete:
in the quantum setting, all results consider only protocols with perfect
correctness, and in the classical setting tight bounds for strong coin flipping
are still missing. We give a general definition of coin flipping which unifies
the notion of strong and weak coin flipping (it contains both of them as
special cases) and allows the honest players to abort with a certain
probability. We give tight bounds on the achievable range of parameters both in
the classical and in the quantum setting.
Comment: 18 pages, 2 figures; v2: published version
Chosen-ciphertext security from subset sum
We construct a public-key encryption (PKE) scheme whose
security is polynomial-time equivalent to the hardness of the Subset Sum problem. Our scheme achieves the standard notion of indistinguishability against chosen-ciphertext attacks (IND-CCA) and can be used to encrypt messages of arbitrary polynomial length, improving upon a previous construction by Lyubashevsky, Palacio, and Segev (TCC 2010) which achieved only the weaker notion of semantic security (IND-CPA) and whose concrete security decreases with the length of the message being encrypted. At the core of our construction is a trapdoor technique which originates in the work of Micciancio and Peikert (Eurocrypt 2012
Quantum Non-demolition Detection of Single Microwave Photons in a Circuit
Thorough control of quantum measurement is key to the development of quantum
information technologies. Many measurements are destructive, removing more
information from the system than they obtain. Quantum non-demolition (QND)
measurements allow repeated measurements that give the same eigenvalue. They
could be used for several quantum information processing tasks such as error
correction, preparation by measurement, and one-way quantum computing.
Achieving QND measurements of photons is especially challenging because the
detector must be completely transparent to the photons while still acquiring
information about them. Recent progress in manipulating microwave photons in
superconducting circuits has increased demand for a QND detector which operates
in the gigahertz frequency range. Here we demonstrate a QND detection scheme
which measures the number of photons inside a high quality-factor microwave
cavity on a chip. This scheme maps a photon number onto a qubit state in a
single-shot via qubit-photon logic gates. We verify the operation of the device
by analyzing the average correlations of repeated measurements, and show that
it is 90% QND. It differs from previously reported detectors because its
sensitivity is strongly selective to chosen photon number states. This scheme
could be used to monitor the state of a photon-based memory in a quantum
computer.
Comment: 5 pages, 4 figures, includes supplementary material
Secure certification of mixed quantum states with application to two-party randomness generation
We investigate sampling procedures that certify that an arbitrary quantum
state on subsystems is close to an ideal mixed state
for a given reference state , up to errors on a few positions. This
task makes no sense classically: it would correspond to certifying that a given
bitstring was generated according to some desired probability distribution.
However, in the quantum case, this is possible if one has access to a prover
who can supply a purification of the mixed state.
In this work, we introduce the concept of mixed-state certification, and we
show that a natural sampling protocol offers secure certification in the
presence of a possibly dishonest prover: if the verifier accepts then he can be
almost certain that the state in question has been correctly prepared, up to a
small number of errors.
We then apply this result to two-party quantum coin-tossing. Given that
strong coin tossing is impossible, it is natural to ask "how close can we get".
This question has been well studied and is nowadays well understood from the
perspective of the bias of individual coin tosses. We approach and answer this
question from a different---and somewhat orthogonal---perspective, where we do
not look at individual coin tosses but at the global entropy instead. We show
how two distrusting parties can produce a common high-entropy source, where the
entropy is an arbitrarily small fraction below the maximum (except with
negligible probability).
Improving the Coherence Time of Superconducting Coplanar Resonators
The quality factor and energy decay time of superconducting resonators have
been measured as a function of material, geometry, and magnetic field. Once the
dissipation of trapped magnetic vortices is minimized, we identify surface
two-level states (TLS) as an important decay mechanism. A wide gap between the
center conductor and the ground plane, as well as use of the superconductor Re
instead of Al, are shown to decrease loss. We also demonstrate that classical
measurements of resonator quality factor at low excitation power are consistent
with single-photon decay time measured using qubit-resonator swap experiments.
Comment: 3 pages, 4 figures for the main paper; total 5 pages, 6 figures
including supplementary material. Submitted to Applied Physics Letters
Microwave Dielectric Loss at Single Photon Energies and milliKelvin Temperatures
The microwave performance of amorphous dielectric materials at very low
temperatures and very low excitation strengths displays significant excess
loss. Here, we present the loss tangents of some common amorphous and
crystalline dielectrics, measured at low temperatures (T < 100 mK) with near
single-photon excitation energies, using both coplanar waveguide (CPW) and
lumped LC resonators. The loss can be understood using a two-level state (TLS)
defect model. A circuit analysis of the half-wavelength resonators we used is
outlined, and the energy dissipation of such a resonator on a multilayered
dielectric substrate is considered theoretically.
Comment: 4 pages, 3 figures, submitted to Applied Physics Letters
On the joint security of signature and encryption schemes under randomness reuse: efficiency and security amplification
Lecture Notes in Computer Science, 7341
We extend the work of Bellare, Boldyreva and Staddon on the systematic analysis of randomness reuse to construct multi-recipient encryption schemes to the case where randomness is reused across different cryptographic primitives. We find that through the additional binding introduced through randomness reuse, one can actually obtain a security amplification with respect to the standard black-box compositions, and achieve a stronger level of security. We introduce stronger notions of security for encryption and signatures, where challenge messages can depend in a restricted way on the random coins used in encryption, and show that two variants of the KEM/DEM paradigm give rise to encryption schemes that meet this enhanced notion of security. We obtain the most efficient signcryption scheme to date that is secure against insider attackers without random oracles.
Non-malleable encryption: simpler, shorter, stronger
In a seminal paper, Dolev et al. [15] introduced the notion of non-malleable encryption (NM-CPA). This notion is very intriguing since it suffices for many applications of chosen-ciphertext secure encryption (IND-CCA), and, yet, can be generically built from semantically secure (IND-CPA) encryption, as was shown in the seminal works by Pass et al. [29] and by Choi et al. [9], the latter of which provided a black-box construction. In this paper we investigate three questions related to NM-CPA security: 1. Can the rate of the construction by Choi et al. of NM-CPA from IND-CPA be improved? 2. Is it possible to achieve multi-bit NM-CPA security more efficiently from a single-bit NM-CPA scheme than from IND-CPA? 3. Is there a notion stronger than NM-CPA that has natural applications and can be achieved from IND-CPA security? We answer all three questions in the positive. First, we improve the rate in the scheme of Choi et al. by a factor O(λ), where λ is the security parameter. Still, encrypting a message of size O(λ) would require ciphertext and keys of size O(λ²) times that of the IND-CPA scheme, even in our improved scheme. Therefore, we show a more efficient domain extension technique for building a λ-bit NM-CPA scheme from a single-bit NM-CPA scheme with keys and ciphertext of size O(λ) times that of the NM-CPA one-bit scheme. To achieve our goal, we define and construct a novel type of continuous non-malleable code (NMC), called secret-state NMC, as we show that standard continuous NMCs are not enough for the natural “encode-then-encrypt-bit-by-bit” approach to work. Finally, we introduce a new security notion for public-key encryption that we dub non-malleability under (chosen-ciphertext) self-destruct attacks (NM-SDA).
After showing that NM-SDA is a strict strengthening of NM-CPA and allows for more applications, we nevertheless show that both of our results—(faster) construction from IND-CPA and domain extension from one-bit scheme—also hold for our stronger NM-SDA security. In particular, the notions of IND-CPA, NM-CPA, and NM-SDA security are all equivalent, lying (plausibly, strictly?) below IND-CCA security.