28 research outputs found
Quantum Complexity for Discrete Logarithms and Related Problems
This paper studies the quantum computational complexity of the discrete
logarithm (DL) and related group-theoretic problems in the context of generic
algorithms -- that is, algorithms that do not exploit any properties of the
group encoding.
We establish a generic model of quantum computation for group-theoretic
problems, which we call the quantum generic group model. Shor's algorithm for
the DL problem and related algorithms can be described in this model. We show
the quantum complexity lower bounds and almost matching algorithms of the DL
and related problems in this model. More precisely, we prove the following
results for a cyclic group of prime order.
- Any generic quantum DL algorithm must make depth of
group operations. This shows that Shor's algorithm is asymptotically optimal
among the generic quantum algorithms, even considering parallel algorithms.
- We observe that variations of Shor's algorithm can take advantage of
classical computations to reduce the number of quantum group operations. We
introduce a model for generic hybrid quantum-classical algorithms and show that
these algorithms are almost optimal in this model. Any generic hybrid algorithm
for the DL problem with a total number of group operations must make
quantum group operations of depth .
- When the quantum memory can only store group elements and use quantum
random access memory of group elements, any generic hybrid algorithm must
make either group operations in total or quantum group operations.
As a side contribution, we show that the multiple DL problem admits a better
algorithm than solving each instance one by one, refuting a strong form of the
quantum annoying property suggested in the context of password-authenticated
key exchange protocols.
Oracle Recording for Non-Uniform Random Oracles, and its Applications
In Crypto 2019, Zhandry showed how to define compressed oracles, which record quantum superposition queries to the quantum random oracle. In this paper, we extend Zhandry's compressed oracle technique to non-uniformly distributed functions with independently sampled outputs. We define two quantum oracles and , which are indistinguishable from the non-uniform quantum random oracle, where quantum access is given to a random function whose images are sampled from a probability distribution independently for each . We show that these compressed oracles record the adversarial quantum superposition queries. Also, we re-prove the optimality of Grover search and the collision resistance of non-uniform random functions using our extended compressed oracle technique.
On Insecure Uses of BGN for Privacy Preserving Data Aggregation Protocols
The notion of aggregator oblivious (AO) security for privacy preserving data
aggregation was formalized by Shi et al., together with a specific AO-secure
blinding technique over a cyclic group. Some proposals of data aggregation
protocols use the blinding technique of Shi et al. with the BGN cryptosystem,
an additively homomorphic encryption scheme. Previously, there have been some
security analyses of BGN based data aggregation protocols in the context of
integrity or authenticity of data. Even with such analyses, the BGN
cryptosystem has remained a popular building block of privacy preserving data
aggregation protocols. In this paper, we study the privacy issues in the
blinding technique of Shi et al. when used with the BGN cryptosystem. We show
that the blinding techniques for the BGN cryptosystem used in several
protocols are not privacy preserving against the recipient, the decryptor. Our
analysis is based on the fact that the BGN cryptosystem uses a pairing
e: G x G -> G_T, and the existence of the pairing makes the DDH problem on G
easy to solve. We also suggest how to prevent such privacy leakage in the
blinding technique of Shi et al. used with the BGN cryptosystem.
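The security-relevant point of the abstract is the last step: aggregator obliviousness of the Shi et al. blinding is argued from the hardness of the decisional Diffie-Hellman (DDH) problem in G, and a bilinear pairing e: G x G -> G_T turns DDH in G into a single equality check. The following is an added example (not code or analysis from the paper) that makes this concrete: a small Tate pairing on the supersingular curve y^2 = x^3 + x over F_p with the distortion map (x, y) -> (-x, i*y), used as a DDH oracle. The parameters p = 10007 and r = 139 are toy values chosen so the code stays readable; BGN itself lives in a composite-order group, and the specific ciphertext leakage the paper analyzes is not reconstructed here.

```python
import random

# Toy parameters: p ≡ 3 (mod 4), so i^2 = -1 defines F_{p^2} = F_p(i), and the curve
# E: y^2 = x^3 + x over F_p is supersingular with #E(F_p) = p + 1 = 10008 = 2^3 * 3^2 * 139.
p = 10007
r = 139          # prime order of the subgroup <G> we pair in; r divides p + 1 exactly once
assert p % 4 == 3 and (p + 1) % r == 0

# ---- F_{p^2} as pairs (a, b) meaning a + b*i --------------------------------
def f2_mul(u, v):
    (a, b), (c, d) = u, v
    return ((a * c - b * d) % p, (a * d + b * c) % p)

def f2_pow(u, e):
    acc, base = (1, 0), u
    while e:
        if e & 1:
            acc = f2_mul(acc, base)
        base = f2_mul(base, base)
        e >>= 1
    return acc

# ---- E(F_p) in affine coordinates; None is the point at infinity ---------------
def ec_add(A, B):
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        lam = (3 * x1 * x1 + 1) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, A):
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def find_generator():
    """First F_p-point of order r: a curve point times the cofactor (p + 1) / r."""
    for x in range(1, p):
        rhs = (x * x * x + x) % p
        if pow(rhs, (p - 1) // 2, p) != 1:     # not a square: no point with this x
            continue
        y = pow(rhs, (p + 1) // 4, p)          # square root, valid because p ≡ 3 (mod 4)
        G = ec_mul((p + 1) // r, (x, y))
        if G is not None:
            return G
    raise RuntimeError("no point of order r")

# ---- Miller's algorithm and the modified Tate pairing ------------------------
def line(T, U, Q):
    """Line through T and U (tangent if T == U) evaluated at Q in E(F_{p^2}).
    A vertical line evaluates to an F_p value, which the final exponentiation
    kills because x_Q is in F_p, so it is returned as 1 (denominator elimination)."""
    (x1, y1), (x2, y2) = T, U
    if x1 == x2 and (y1 + y2) % p == 0:
        return (1, 0)
    if T == U:
        lam = (3 * x1 * x1 + 1) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    qx, qy = Q
    t = f2_mul((lam, 0), ((qx[0] - x1) % p, qx[1]))       # lam * (x_Q - x1)
    return ((qy[0] - y1 - t[0]) % p, (qy[1] - t[1]) % p)   # y_Q - y1 - lam*(x_Q - x1)

def miller(P, Q):
    """f_{r,P}(Q) by the double-and-add Miller loop over the bits of r."""
    f, T = (1, 0), P
    for bit in bin(r)[3:]:
        f = f2_mul(f2_mul(f, f), line(T, T, Q))
        T = ec_add(T, T)
        if bit == "1":
            f = f2_mul(f, line(T, P, Q))
            T = ec_add(T, P)
    return f

def pairing(P, Q):
    """ê(P, Q) = f_{r,P}(φ(Q))^((p^2 - 1) / r) with distortion map φ(x, y) = (-x, i*y)."""
    phi_q = (((-Q[0]) % p, 0), (0, Q[1]))
    return f2_pow(miller(P, phi_q), (p * p - 1) // r)

# ---- DDH is easy in a group that carries a symmetric pairing --------------------
def is_ddh_tuple(G, A, B, C):
    """True iff (G, A, B, C) = (G, aG, bG, abG): ê(aG, bG) = ê(G, G)^(ab) = ê(G, abG)."""
    return pairing(A, B) == pairing(G, C)

def demo(seed=1):
    """Returns (decision on a real DDH tuple, decision on a random tuple)."""
    rng = random.Random(seed)
    G = find_generator()
    a, b = rng.randrange(1, r), rng.randrange(1, r)
    c = rng.randrange(1, r)
    while c == a * b % r:                    # make the second tuple genuinely non-DDH
        c = rng.randrange(1, r)
    A, B = ec_mul(a, G), ec_mul(b, G)
    return is_ddh_tuple(G, A, B, ec_mul(a * b % r, G)), is_ddh_tuple(G, A, B, ec_mul(c, G))

if __name__ == "__main__":
    print(demo())   # (True, False)
```

The decision needs no secret at all: anyone holding the public pairing, in particular the decryptor, distinguishes (g, g^a, g^b, g^ab) from a random tuple with two pairing evaluations, which is exactly the assumption a DDH-based blinding proof cannot survive.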
Quantum Complexity for Discrete Logarithms and Related Problems
This paper studies the quantum computational complexity of the discrete logarithm and related group-theoretic problems in the context of "generic algorithms"---that is, algorithms that do not exploit any properties of the group encoding.
We establish a generic model of quantum computation for group-theoretic problems, which we call the quantum generic group model, as a quantum analog of its classical counterpart. Shor's algorithm for the discrete logarithm problem and related algorithms can be described in this model. We show the quantum complexity lower bounds and (almost) matching algorithms of the discrete logarithm and related problems in this model. More precisely, we prove the following results for a cyclic group of prime order.
(1) Any generic quantum discrete logarithm algorithm must make depth of group operation queries. This shows that Shor's algorithm that makes group operations is asymptotically optimal among the generic quantum algorithms, even considering parallel algorithms.
(2) We observe that some (known) variations of Shor's algorithm can take advantage of classical computations to reduce the number and depth of quantum group operations. We introduce a model for generic hybrid quantum-classical algorithms that captures these variants, and show that these algorithms are almost optimal in this model. Any generic hybrid quantum-classical algorithm for the discrete logarithm problem with a total number of (classical or quantum) group operations must make quantum group operations of depth . In particular, if , classical group operations can only save the number of quantum queries by a factor of and the quantum depth remains as .
(3) When the quantum memory can only store group elements and use quantum random access memory (qRAM) of group elements, any generic hybrid quantum-classical algorithm must make either group operation queries in total or quantum group operation queries. In particular, classical queries cannot reduce the number of quantum queries beyond .
As a side contribution, we show that the multiple discrete logarithm problem admits a better algorithm than solving each instance one by one, refuting a strong form of the quantum annoying property suggested in the context of password-authenticated key exchange protocols.
Discrete subgroups of the special linear group with thin limit sets
In this paper, we construct a discrete Zariski-dense subgroup Γ of SL(n+1, R) whose limit set on P^n is 'thin', that is, contained in a C^N-smooth curve, for any n >= 3 and N > 0. We achieve this by applying the ping-pong lemma to the action of a specially chosen generating set S on the N-th order jet bundle over P^n.
We also show that in a sense this is the best possible result: we show that there does not exist any Zariski-dense subgroup Γ ⊂ SL(3, R) whose limit set is contained in a C^2-smooth curve, and there does not exist any Zariski-dense subgroup Γ ⊂ SL(n+1, R) whose limit set is contained in a C^∞-smooth curve.
Generic Hardness of the Multiple Discrete Logarithm Problem
We study generic hardness of the multiple discrete logarithm problem, where the solver has to solve n instances of the discrete logarithm problem simultaneously. There are known generic algorithms which perform O(√(np)) group operations, where p is the group order, but no generic lower bound was known other than the trivial bound. In this paper we prove the tight generic lower bound, showing that the previously known algorithms are asymptotically optimal. We establish the lower bound by studying hardness of a related computational problem which we call the search-by-hyperplane-queries problem, which may be of independent interest.
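Both this abstract and the side contribution of the quantum complexity paper above rest on the same fact: n discrete logarithms in a group of prime order p cost O(√(np)) generic operations when solved together, not n times the O(√p) of one instance. The following is an added example (not code from either paper) of the classical amortized baby-step giant-step algorithm that achieves this bound: one baby-step table of size m ≈ √(np) is built once and shared, and each instance then needs only about p/m giant steps. The group is the prime-order subgroup of F_N^* for N = 1000003, chosen here for illustration; the counter `ops` records multiplications so the two cost formulas can be compared on real runs.

```python
import math

def largest_prime_factor(n):
    """Largest prime factor by trial division (adequate for the sizes used here)."""
    best, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            best, n = d, n // d
        d += 1
    return max(best, n) if n > 1 else best

N = 1000003                      # prime modulus, so F_N^* is cyclic of order N - 1
p = largest_prime_factor(N - 1)  # prime order of the subgroup in which we solve DLs
g = next(pow(h, (N - 1) // p, N) for h in range(2, N) if pow(h, (N - 1) // p, N) != 1)

def multi_dlog(targets):
    """Solve g^x = h for every h in targets, sharing a single baby-step table.

    Write x = j + m*k with 0 <= j < m.  The table {g^j : j < m} is built once;
    each instance walks h * g^(-m*k) for k = 0, 1, ... until it hits the table.
    With m ≈ sqrt(n*p) the cost is m + n*(p/m) ≈ 2*sqrt(n*p) group operations,
    against ≈ 2*n*sqrt(p) for n independent baby-step giant-step runs.
    Returns (solutions, number of group multiplications performed)."""
    n = len(targets)
    m = math.isqrt(n * p) + 1
    table, cur, ops = {}, 1, 0
    for j in range(m):                       # baby steps, shared by all instances
        table[cur] = j
        cur = cur * g % N
        ops += 1
    giant = pow(g, -m, N)                    # g^(-m), reused for every instance
    solutions = []
    for h in targets:
        y = h % N
        for k in range((p - 1) // m + 1):    # giant steps for this instance
            if y in table:
                solutions.append((table[y] + m * k) % p)
                break
            y = y * giant % N
            ops += 1
        else:
            raise ValueError("target is not in the subgroup generated by g")
    return solutions, ops

def amortized_bound(n):
    """Upper bound on multi_dlog's operation count for n instances: 2*sqrt(n*p) + 2."""
    return 2 * math.isqrt(n * p) + 2

def separate_cost(n):
    """Operation count of n independent baby-step giant-step runs with m = sqrt(p)."""
    m = math.isqrt(p) + 1
    return n * (m + (p - 1) // m + 1)

if __name__ == "__main__":
    xs = [1, 2, 4242, p - 1, 98765 % p, 31337 % p, 7, 500]   # constructed exponents
    sols, ops = multi_dlog([pow(g, x, N) for x in xs])
    print(sols == [x % p for x in xs], ops, amortized_bound(len(xs)), separate_cost(len(xs)))
```

The saving comes entirely from choosing m by the total work m + n·p/m rather than per instance; the lower bound in the abstract says that, generically, no cleverer sharing can beat this by more than a constant factor.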
A Strongly Unforgeable Homomorphic MAC over Integers
Homomorphic MAC is a cryptographic primitive which protects authenticity of data, while allowing homomorphic evaluation of such protected data. In this paper, we present a new homomorphic MAC, which is based on integers, relying only on the existence of secure PRFs, and having efficiency comparable to the practical Catalano-Fiore homomorphic MAC. Our scheme is unforgeable even when MAC verification queries are allowed to the adversary, and we achieve this by showing strong unforgeability of our scheme.
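To show what "homomorphic evaluation of protected data" means in practice, the following is an added example (not the paper's integer-based scheme) of the basic Catalano-Fiore homomorphic MAC over Z_P, which also relies only on a PRF: a tag is the line y(x) with y(0) = m and y(α) = F_K(label), evaluation is polynomial arithmetic on tags, and verification re-evaluates the circuit on the PRF outputs and checks the tag polynomial at the secret point α. The labels, readings, and circuit are constructed for the example; the PRF is instantiated with HMAC-SHA256 and P = 2^127 - 1, both assumptions of this example.

```python
import hashlib
import hmac
import secrets

P = (1 << 127) - 1        # prime modulus; tags are polynomials over Z_P, coefficients low to high

def prf(key, label):
    """F_K(label) in Z_P, instantiated with HMAC-SHA256 (any PRF will do)."""
    return int.from_bytes(hmac.new(key, label.encode(), hashlib.sha256).digest(), "big") % P

def keygen():
    """Secret key (K, α): a PRF key and a random evaluation point α in Z_P^*."""
    return secrets.token_bytes(32), secrets.randbelow(P - 1) + 1

def auth(sk, label, m):
    """Tag for message m under label: the line y(x) with y(0) = m and y(α) = F_K(label)."""
    K, alpha = sk
    y0 = m % P
    y1 = (prf(K, label) - y0) * pow(alpha, -1, P) % P
    return [y0, y1]

# Homomorphic evaluation is polynomial arithmetic on tags.
def tag_add(s, t):
    n = max(len(s), len(t))
    return [((s[i] if i < len(s) else 0) + (t[i] if i < len(t) else 0)) % P for i in range(n)]

def tag_mul(s, t):
    out = [0] * (len(s) + len(t) - 1)
    for i, a in enumerate(s):
        for j, b in enumerate(t):
            out[i + j] = (out[i + j] + a * b) % P
    return out

# The same circuit on plain field elements: used for messages and for PRF outputs.
def fe_add(a, b):
    return (a + b) % P

def fe_mul(a, b):
    return (a * b) % P

def verify(sk, labels, program, m, tag):
    """Accept iff tag(0) == m and tag(α) == program evaluated on the PRF values of the labels."""
    K, alpha = sk
    expected = program([prf(K, l) for l in labels], fe_add, fe_mul)
    at_alpha = sum(y * pow(alpha, k, P) for k, y in enumerate(tag)) % P
    return tag[0] == m % P and at_alpha == expected

def program(xs, add, mul):
    """Arithmetic circuit f(x1, x2, x3) = x1*x2 + x3, written once and run over
    messages, over tags, and (inside verify) over PRF outputs."""
    return add(mul(xs[0], xs[1]), xs[2])

def demo():
    """Returns (evaluated value, honest verify, forged value verify, forged tag verify)."""
    sk = keygen()
    labels = ["meter-7/00:00", "meter-7/00:15", "meter-7/00:30"]   # constructed labels
    msgs = [5, 7, 11]                                              # constructed readings
    tags = [auth(sk, l, m) for l, m in zip(labels, msgs)]
    result = program(msgs, fe_add, fe_mul)      # 5*7 + 11 = 46
    tag = program(tags, tag_add, tag_mul)       # degree-2 tag, never touches the key
    ok = verify(sk, labels, program, result, tag)
    # Claiming a different result, with the tag's constant term adjusted to match it:
    forged_value = verify(sk, labels, program, result + 1, [(tag[0] + 1) % P] + tag[1:])
    # Keeping the result but perturbing a higher coefficient of the tag:
    forged_tag = verify(sk, labels, program, result, tag[:1] + [(tag[1] + 1) % P] + tag[2:])
    return result, ok, forged_value, forged_tag

if __name__ == "__main__":
    print(demo())   # (46, True, False, False)
```

The evaluator needs neither K nor α, which is the point of the primitive; the tag degree grows with the multiplicative depth of the circuit, and the verifier's cost is the cost of re-running the circuit on n PRF values. The paper's contribution, unforgeability that survives verification queries, is a property of the security proof rather than of the arithmetic above, so this example does not demonstrate it.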
Secure Fully Homomorphic Authenticated Encryption
Homomorphic authenticated encryption allows implicit computation on plaintexts using corresponding ciphertexts without losing privacy, and provides authenticity of the computation and the resultant plaintext of the computation when performing a decryption. However, due to its special functionality, the security notions of the homomorphic authenticated encryption is somewhat complicated and the construction of fully homomorphic authenticated encryption has never been given. In this work, we propose a new security notion and the first construction of fully homomorphic authenticated encryption. Our new security notion is a unified definition for data privacy and authenticity of homomorphic authenticated encryption. Moreover, our security notion is simpler and stronger than the previous ones. To realize our new security notion, we also suggest a construction of fully homomorphic authenticated encryption via generic construction. We combine a fully homomorphic encryption and two homomorphic authenticators, one fully homomorphic and one OR-homomorphic, to construct a fully homomorphic authenticated encryption that satisfies our security notion. Our construction requires its fully homomorphic encryption to be indistinguishable under chosen plaintext attacks and its homomorphic authenticators to be unforgeable under selectively chosen plaintext queries. Our construction also supports multiple datasets and amortized efficiency. For efficiency, we also construct a multi-dataset fully homomorphic authenticator scheme, which is a variant of the first fully homomorphic signature scheme. Our multi-dataset fully homomorphic authenticator scheme satisfies the security requirement of our generic construction above and supports amortized efficiency