54 research outputs found

    Composability in quantum cryptography

    In this article, we review several aspects of composability in the context of quantum cryptography. The first part is devoted to key distribution. We discuss the security criteria that a quantum key distribution protocol must fulfill to allow its safe use within a larger security application (e.g., for secure message transmission). To illustrate the practical use of composability, we show how to generate a continuous key stream by sequentially composing rounds of a quantum key distribution protocol. In a second part, we take a more general point of view, which is necessary for the study of cryptographic situations involving, for example, mutually distrustful parties. We explain the universal composability framework and state the composition theorem which guarantees that secure protocols can securely be composed to larger applications. Comment: 18 pages, 2 figures.

    Universally Composable Quantum Multi-Party Computation

    The Universal Composability model (UC) by Canetti (FOCS 2001) allows for secure composition of arbitrary protocols. We present a quantum version of the UC model which enjoys the same compositionality guarantees. We prove that in this model statistically secure oblivious transfer protocols can be constructed from commitments. Furthermore, we show that every statistically classically UC secure protocol is also statistically quantum UC secure. Such implications are not known for other quantum security definitions. As a corollary, we get that quantum UC secure protocols for general multi-party computation can be constructed from commitments.

    Attacks on quantum key distribution protocols that employ non-ITS authentication

    We demonstrate how adversaries with unbounded computing resources can break Quantum Key Distribution (QKD) protocols which employ a particular message authentication code suggested previously. This authentication code, featuring low key consumption, is not Information-Theoretically Secure (ITS), since for each message the eavesdropper has intercepted she is able to send a different message from a set of messages that she can calculate by finding collisions of a cryptographic hash function. However, when this authentication code was introduced it was shown to prevent straightforward Man-In-The-Middle (MITM) attacks against QKD protocols. In this paper, we prove that the set of messages that collide with any given message under this authentication code contains with high probability a message that has small Hamming distance to any other given message. Based on this fact we present extended MITM attacks against different versions of BB84 QKD protocols using the addressed authentication code; for three protocols we describe every single action taken by the adversary. For all protocols the adversary can obtain complete knowledge of the key, and for most protocols her success probability in doing so approaches unity. Since the attacks work against all authentication methods which allow colliding messages to be calculated, the underlying building blocks of the presented attacks expose the potential pitfalls arising as a consequence of non-ITS authentication in QKD post-processing. We propose countermeasures, increasing the eavesdropper's demand for computational power, and also prove necessary and sufficient conditions for upgrading the discussed authentication code to the ITS level. Comment: 34 pages.

    Modal beam splitter: Determination of the transversal components of an electromagnetic light field

    The transversal profile of beams can always be defined as a superposition of orthogonal fields, such as optical eigenmodes. Here, we describe a generic method to separate the individual components in a laser beam and map each mode onto its designated detector with low crosstalk. We demonstrate this with the decomposition into Laguerre-Gaussian beams and introduce a distribution over the integer numbers corresponding to the discrete orbital and radial momentum components of the light field. The method is based on determining an eigenmask filter transforming the incident optical eigenmodes to position eigenmodes, enabling the detection of the state of the light field using single detectors while minimizing crosstalk with respect to the set of filter masks considered. Funding: UK Engineering and Physical Sciences Research Council [EP/J01771X/1].

    Tight Finite-Key Analysis for Quantum Cryptography

    Despite enormous progress both in theoretical and experimental quantum cryptography, the security of most current implementations of quantum key distribution is still not established rigorously. One of the main problems is that the security of the final key is highly dependent on the number, M, of signals exchanged between the legitimate parties. While, in any practical implementation, M is limited by the available resources, existing security proofs are often only valid asymptotically for unrealistically large values of M. Here, we demonstrate that this gap between theory and practice can be overcome using a recently developed proof technique based on the uncertainty relation for smooth entropies. Specifically, we consider a family of Bennett-Brassard 1984 quantum key distribution protocols and show that security against general attacks can be guaranteed already for moderate values of M. Comment: 11 pages, 2 figures.

    Reviewing the integration of patient data: how systems are evolving in practice to meet patient needs

    Background: The integration of Information Systems (IS) is essential to support shared care and to provide consistent care to individuals (patient-centred care). This paper identifies, appraises and summarises studies examining different approaches to integrate patient data from heterogeneous IS.
    Methods: The literature was systematically reviewed between 1995 and 2005 to identify articles mentioning patient records, computers and data integration or sharing.
    Results: Of 3124 articles, 84 were included, describing 56 distinct projects. Most of the projects were on a regional scale. Integration was most commonly accomplished by messaging with pre-defined templates and middleware solutions. HL7 was the most widely used messaging standard. Direct database access and web services were the most common communication methods. The user interface for most systems was a Web browser. Regarding the type of medical data shared, 77% of projects integrated diagnoses and problems, 67% medical images and 65% lab results. More recently, significantly more IS are extending to primary care and integrating referral letters.
    Conclusion: It is clear that Information Systems are evolving to meet people's needs by implementing regional networks, allowing patient access and integration of ever more items of patient data. Many distinct technological solutions coexist to integrate patient data, using differing standards and data architectures, which may make further interoperability difficult.

    The Communication Complexity of Threshold Private Set Intersection

    Threshold private set intersection enables Alice and Bob, who hold sets $A$ and $B$ of size $n$, to compute the intersection $A \cap B$ if the sets do not differ by more than some threshold parameter $t$. In this work, we investigate the communication complexity of this problem and we establish the first upper and lower bounds. We show that any protocol has to have a communication complexity of $\Omega(t)$. We show that an almost matching upper bound of $\tilde{\mathcal{O}}(t)$ can be obtained via fully homomorphic encryption. We present a computationally more efficient protocol based on weaker assumptions, namely additively homomorphic encryption, with a communication complexity of $\tilde{\mathcal{O}}(t^2)$. We show how our protocols can be extended to the multiparty setting. For applications like biometric authentication, where a given fingerprint has to have a large intersection with a fingerprint from a database, our protocols may result in significant communication savings. We, furthermore, show how to extend all of our protocols to the multiparty setting. Prior to this work, all previous protocols had a communication complexity of $\Omega(n)$. Our protocols are the first ones with communication complexities that mainly depend on the threshold parameter $t$ and only logarithmically on the set size $n$.

    Basic Algorithms for Rational Function Fields

    By means of Gröbner basis techniques, algorithms for solving various problems concerning subfields $K(\mathbf{g}) := K(g_1, \dots, g_m)$ of a rational function field $K(\mathbf{x}) := K(x_1, \dots, x_n)$ are derived: computing canonical generating sets, deciding field membership, computing the degree and separability degree resp. the transcendence degree and a transcendence basis of $K(\mathbf{x})/K(\mathbf{g})$, deciding whether $f \in K(\mathbf{x})$ is algebraic or transcendental over $K(\mathbf{g})$, computing minimal polynomials, and deciding whether $K(\mathbf{g})$ contains elements of a "particular structure", e.g. monic univariate polynomials of fixed degree. The essential idea is to reduce these problems to questions concerning an ideal of a polynomial ring; connections between minimal primary decompositions over $K(\mathbf{x})$ of this ideal and intermediate fields of $K(\mathbf{g})$ and $K(\mathbf{x})$ are given. In the last section some practical considerations concerning the use of the algorithms are discussed.

    On the (Im-)Possibility of Extending Coin Toss
