330 research outputs found
Quantum key distribution with post-processing driven by physical unclonable functions
Quantum key-distribution protocols allow two honest distant parties to
establish a common truly random secret key in the presence of powerful
adversaries, provided that the two users share beforehand a short secret key.
This pre-shared secret key is used mainly for authentication purposes in the
post-processing of classical data that have been obtained during the quantum
communication stage, and it prevents a man-in-the-middle attack. The necessity
of a pre-shared key is usually considered as the main drawback of quantum
key-distribution protocols, which becomes even stronger for large networks
involving more that two users. Here we discuss the conditions under which
physical unclonable function can be integrated in currently available quantum
key-distribution systems, in order to facilitate the generation and the
distribution of the necessary pre-shared key, with the smallest possible cost
in the security of the systems. Moreover, the integration of physical
unclonable functions in quantum key-distribution networks allows for real-time
authentication of the devices that are connected to the network
Information-Theoretically Secure Data Origin Authentication with Quantum and Classical Resources
In conventional cryptography, information-theoretically secure message authentication
can be achieved by means of universal hash functions, and requires that the two legitimate users
share a random secret key, which is at least twice as long as the tag. We address the question of
whether quantum resources can offer any advantage over classical unconditionally secure message
authentication codes. It is shown that a broad class of symmetric prepare-and-measure quantum
message-authentication schemes cannot do better than their classical counterparts
Limitations of the Meta-reduction Technique: The Case of Schnorr Signatures
We revisit the security of Fiat-Shamir signatures in the non-programmable random oracle model. The well-known proof by Pointcheval and Stern for such signature schemes (Journal of Cryptology, 2000) relies on the ability to re-program the random oracle, and it has been unknown if this property is inherent. Pailler and Vergnaud (Asiacrypt 2005) gave some first evidence of the hardness by showing via meta-reduction techniques that algebraic reductions cannot succeed in reducing key-only attacks against unforgeability to the discrete-log assumptions. We also use meta-reductions to show that the security of Schnorr signatures cannot be proven equivalent to the discrete logarithm problem without programming the random oracle. Our result also holds under the one-more discrete logarithm assumption but applies to a large class of reductions, we call *single-instance* reductions, subsuming those used in previous proofs of security in the (programmable) random oracle model. In contrast to algebraic reductions, our class allows arbitrary operations, but can only invoke a single resettable adversary instance, making our class incomparable to algebraic reductions.
Our main result, however, is about meta-reductions and the question if this technique can be used to further strengthen the separations above. Our answer is negative. We present, to the best of our knowledge for the first time, limitations of the meta-reduction technique in the sense that finding a meta-reduction for general reductions is most likely infeasible. In fact, we prove that finding a meta-reduction against a potential reduction is equivalent to finding a ``meta-meta-reduction\u27\u27 against the strong existential unforgeability of the signature scheme. This means that the existence of a meta-reduction implies that the scheme must be insecure (against a slightly stronger attack) in the first place
Non-malleable codes for space-bounded tampering
Non-malleable codes—introduced by Dziembowski, Pietrzak and Wichs at ICS 2010—are key-less coding schemes in which mauling attempts to an encoding of a given message, w.r.t. some class of tampering adversaries, result in a decoded value that is either identical or unrelated to the original message. Such codes are very useful for protecting arbitrary cryptographic primitives against tampering attacks against the memory. Clearly, non-malleability is hopeless if the class of tampering adversaries includes the decoding and encoding algorithm. To circumvent this obstacle, the majority of past research focused on designing non-malleable codes for various tampering classes, albeit assuming that the adversary is unable to decode. Nonetheless, in many concrete settings, this assumption is not realistic
Adaptive Proofs Have Straightline Extractors (in the Random Oracle Model)
Abstract. The concept of adaptive security for proofs of knowledge was recently studied by Bernhard et al. They formalised adaptive security in the ROM and showed that the non-interactive version of the Schnorr protocol obtained using the Fiat-Shamir transformation is not adaptively secure unless the one-more discrete logarithm problem is easy. Their only construction for adaptively secure protocols used the Fischlin transformation [3] which yields protocols with straight-line extractors. In this paper we provide two further key insights. Our main result shows that any adaptively secure protocol must have a straight-line extractor: even the most clever rewinding strategies cannot offer any benefits against adaptive provers.
Then, we show that any Fiat-Shamir transformed SIGMA-protocol is not adaptively secure unless a related problem which we call the SIGMA-one-wayness problem is easy. This assumption concerns not just Schnorr but applies to a whole class of SIGMA-protocols including e.g. Chaum-Pedersen and representation proofs. We also prove that SIGMA-one-wayness is hard in the generic group model. Taken together, these results suggest that Fiat-Shamir transformed SIGMA-protocols should not be used in settings where adaptive security is important
Random Oracles in a Quantum World
The interest in post-quantum cryptography - classical systems that remain
secure in the presence of a quantum adversary - has generated elegant proposals
for new cryptosystems. Some of these systems are set in the random oracle model
and are proven secure relative to adversaries that have classical access to the
random oracle. We argue that to prove post-quantum security one needs to prove
security in the quantum-accessible random oracle model where the adversary can
query the random oracle with quantum states.
We begin by separating the classical and quantum-accessible random oracle
models by presenting a scheme that is secure when the adversary is given
classical access to the random oracle, but is insecure when the adversary can
make quantum oracle queries. We then set out to develop generic conditions
under which a classical random oracle proof implies security in the
quantum-accessible random oracle model. We introduce the concept of a
history-free reduction which is a category of classical random oracle
reductions that basically determine oracle answers independently of the history
of previous queries, and we prove that such reductions imply security in the
quantum model. We then show that certain post-quantum proposals, including ones
based on lattices, can be proven secure using history-free reductions and are
therefore post-quantum secure. We conclude with a rich set of open problems in
this area.Comment: 38 pages, v2: many substantial changes and extensions, merged with a
related paper by Boneh and Zhandr
The Sum Can Be Weaker Than Each Part
International audienceIn this paper we study the security of summing the outputs of two independent hash functions, in an effort to increase the security of the resulting design, or to hedge against the failure of one of the hash functions. The exclusive-or (XOR) combiner H1(M)⊕H2(M) is one of the two most classical combiners, together with the concatenation combiner H1(M) H2(M). While the security of the concatenation of two hash functions is well understood since Joux's seminal work on multicollisions, the security of the sum of two hash functions has been much less studied. The XOR combiner is well known as a good PRF and MAC combiner, and is used in practice in TLS versions 1.0 and 1.1. In a hash function setting, Hoch and Shamir have shown that if the compression functions are modeled as random oracles, or even weak random oracles (i.e. they can easily be inverted – in particular H1 and H2 offer no security), H1 ⊕ H2 is indifferentiable from a random oracle up to the birthday bound. In this work, we focus on the preimage resistance of the sum of two narrow-pipe n-bit hash functions, following the Merkle-Damgård or HAIFA structure (the internal state size and the output size are both n bits). We show a rather surprising result: the sum of two such hash functions, e.g. SHA-512 ⊕ Whirlpool, can never provide n-bit security for preimage resistance. More precisely, we present a generic preimage attack with a complexity of O(2 5n/6). While it is already known that the XOR combiner is not preserving for preimage resistance (i.e. there might be some instantiations where the hash functions are secure but the sum is not), our result is much stronger: for any narrow-pipe functions, the sum is not preimage resistant. Besides, we also provide concrete preimage attacks on the XOR combiner (and the concatenation combiner) when one or both of the compression functions are weak; this complements Hoch and Shamir's proof by showing its tightness for preimage resistance. Of independent interests, one of our main technical contributions is a novel structure to control simultaneously the behavior of independent hash computations which share the same input message. We hope that breaking the pairwise relationship between their internal states will have applications in related settings
Formalizing group blind signatures and practical constructions without random oracles
Group blind signatures combine anonymity properties of both group signatures and blind signatures and offer privacy for both the message to be signed and the signer. The primitive has been introduced with only informal definitions for its required security properties. In this paper, we offer two main contributions: first, we provide foundations for the primitive and present formal security definitions. In the process, we identify and address some subtle issues which were not considered by previous constructions and (informal) security definitions. Our second main contribution is a generic construction that yields practical schemes with a round-optimal signing protocol and constant-size signatures. Our constructions permit dynamic and concurrent enrollment of new members and satisfy strong security requirements. To the best of our knowledge, our schemes are the first provably secure constructions in the standard model. In addition, we introduce some new building blocks which may be of independent interest. © 2013 Springer-Verlag
BOREALIS: Building Block for Sealed Bid Auctions on Blockchains
We focus on securely computing the ranks of sealed integers
distributed among parties. For example, we securely compute the
largest or smallest integer, the median, or in general the
-ranked integer. Such computations are a useful building
block to securely implement a variety of sealed-bid auctions. Our
objective is efficiency, specifically low interactivity between
parties to support blockchains or other scenarios where multiple
rounds are time-consuming. Hence, we dismiss powerful, yet
highly-interactive MPC frameworks and propose BOREALIS, a
special-purpose protocol for secure computation of ranks among
integers. BOREALIS uses additively homomorphic encryption to implement
core comparisons, but computes under distinct keys, chosen by each
party to optimize the number of rounds. By carefully combining
cryptographic primitives, such as ECC Elgamal encryption, encrypted
comparisons, ciphertext blinding, secret sharing, and shuffling,
BOREALIS sets up systems of multi-scalar equations which we efficiently
prove with Groth-Sahai ZK proofs. Therewith, BOREALIS implements a
multi-party computation of pairwise comparisons and rank
zero-knowledge proofs secure against malicious adversaries. BOREALIS
completes in at most rounds which is constant in both bit length
of integers and the number of parties . This is not only
asymptotically optimal, but surpasses generic constant-round secure
multi-party computation protocols, even those based on shared-key
fully homomorphic encryption. Furthermore, our implementation shows
that BOREALIS is very practical. Its main bottleneck, ZK proof
computations, is small in practice. Even for a large number of
parties () and high-precision integers (),
computation time of all proofs is less than a single Bitcoin block
interval
- …