Key recycling in authentication
In their seminal work on authentication, Wegman and Carter propose that to
authenticate multiple messages, it is sufficient to reuse the same hash
function as long as each tag is encrypted with a one-time pad. They argue that
because the one-time pad is perfectly hiding, the hash function used remains
completely unknown to the adversary.
Since their proof is not composable, we revisit it using a composable
security framework. It turns out that the above argument is insufficient: if
the adversary learns whether a corrupted message was accepted or rejected,
information about the hash function is leaked, and after a bounded finite
amount of rounds it is completely known. We show however that this leak is very
small: Wegman and Carter's protocol is still -secure, if
-almost strongly universal hash functions are used. This implies
that the secret key corresponding to the choice of hash function can be reused
in the next round of authentication without any additional error than this .
We also show that if the players have a mild form of synchronization, namely
that the receiver knows when a message should be received, the key can be
recycled for any arbitrary task, not only new rounds of authentication.
Comment: 17+3 pages. 11 figures. v3: Rewritten with AC instead of UC. Extended
the main result to both synchronous and asynchronous networks. Matches
published version up to layout and updated references. v2: updated
introduction and reference
Cryptographic security of quantum key distribution
This work is intended as an introduction to cryptographic security and a
motivation for the widely used Quantum Key Distribution (QKD) security
definition. We review the notion of security necessary for a protocol to be
usable in a larger cryptographic context, i.e., for it to remain secure when
composed with other secure protocols. We then derive the corresponding security
criterion for QKD. We provide several examples of QKD composed in sequence and
parallel with different cryptographic schemes to illustrate how the error of a
composed protocol is the sum of the errors of the individual protocols. We also
discuss the operational interpretations of the distance metric used to quantify
these errors.
Comment: 31+23 pages. 28 figures. Comments and questions welcome
Trevisan's extractor in the presence of quantum side information
Randomness extraction involves the processing of purely classical information
and is therefore usually studied in the framework of classical probability
theory. However, such a classical treatment is generally too restrictive for
applications, where side information about the values taken by classical random
variables may be represented by the state of a quantum system. This is
particularly relevant in the context of cryptography, where an adversary may
make use of quantum devices. Here, we show that the well known construction
paradigm for extractors proposed by Trevisan is sound in the presence of
quantum side information.
We exploit the modularity of this paradigm to give several concrete extractor
constructions, which, e.g., extract all the conditional (smooth) min-entropy of
the source using a seed of length poly-logarithmic in the input, or only
require the seed to be weakly random.
Comment: 20+10 pages; v2: extract more min-entropy, use weakly random seed;
v3: extended introduction, matches published version with sections somewhat
reordered
Causal Boxes: Quantum Information-Processing Systems Closed under Composition
Complex information-processing systems, for example quantum circuits,
cryptographic protocols, or multi-player games, are naturally described as
networks composed of more basic information-processing systems. A modular
analysis of such systems requires a mathematical model of systems that is
closed under composition, i.e., a network of these objects is again an object
of the same type. We propose such a model and call the corresponding systems
causal boxes.
Causal boxes capture superpositions of causal structures, e.g., messages sent
by a causal box A can be in a superposition of different orders or in a
superposition of being sent to box B and box C. Furthermore, causal boxes can
model systems whose behavior depends on time. By instantiating the Abstract
Cryptography framework with causal boxes, we obtain the first composable
security framework that can handle arbitrary quantum protocols and relativistic
protocols.
Comment: 44+24 pages, 16 figures. v3: minor edits based on referee comments,
matches published version up to layout. v2: definition of causality weakened,
new reference
Toward an Algebraic Theory of Systems
We propose the concept of a system algebra with a parallel composition
operation and an interface connection operation, and formalize
composition-order invariance, which postulates that the order of composing and
connecting systems is irrelevant, a generalized form of associativity.
Composition-order invariance explicitly captures a common property that is
implicit in any context where one can draw a figure (hiding the drawing order)
of several connected systems, which appears in many scientific contexts. This
abstract algebra captures settings where one is interested in the behavior of a
composed system in an environment and wants to abstract away anything internal
not relevant for the behavior. This may include physical systems, electronic
circuits, or interacting distributed systems.
One specific such setting, of special interest in computer science, are
functional system algebras, which capture, in the most general sense, any type
of system that takes inputs and produces outputs depending on the inputs, and
where the output of a system can be the input to another system. The behavior
of such a system is uniquely determined by the function mapping inputs to
outputs. We consider several instantiations of this very general concept. In
particular, we show that Kahn networks form a functional system algebra and
prove their composition-order invariance.
Moreover, we define a functional system algebra of causal systems,
characterized by the property that inputs can only influence future outputs,
where an abstract partial order relation captures the notion of "later". This
system algebra is also shown to be composition-order invariant and appropriate
instantiations thereof allow one to model and analyze systems that depend on time.
Key recycling in authentication
In their seminal work on authentication, Wegman and Carter propose that to authenticate multiple messages, it is sufficient to reuse the same hash function as long as each tag is encrypted with a one-time pad. They argue that because the one-time pad is perfectly hiding, the hash function used remains completely unknown to the adversary.
Since their proof is not composable, we revisit it using a universally composable framework. It turns out that the above argument is insufficient: information about the hash function is in fact leaked in every round to the adversary, and after a bounded finite amount of rounds it is completely known. We show however that this leak is very small, and Wegman and Carter's protocol is still -secure, if -almost strongly universal hash functions are used. This implies that the secret key corresponding to the choice of hash function can be recycled for any task without any additional error than this .
We illustrate this by applying it to quantum key distribution (QKD): if the same hash function is recycled to authenticate the classical communication in every round of a QKD protocol, and used times per round, the total error after rounds is upper bounded by , where is the error of one round of QKD given an authentic channel
Quantum-Proof Multi-Source Randomness Extractors in the Markov Model
Randomness extractors, widely used in classical and quantum cryptography and other fields of computer science, e.g., derandomization, are functions which generate almost uniform randomness from weak sources of randomness. In the quantum setting one must take into account the quantum side information held by an adversary which might be used to break the security of the extractor. In the case of seeded extractors the presence of quantum side information has been extensively studied. For multi-source extractors one can easily see that high conditional min-entropy is not sufficient to guarantee security against arbitrary side information, even in the classical case. Hence, the interesting question is under which models of (both quantum and classical) side information multi-source extractors remain secure. In this work we suggest a natural model of side information, which we call the Markov model, and prove that any multi-source extractor remains secure in the presence of quantum side information of this type (albeit with weaker parameters). This improves on previous results in which more restricted models were considered or the security of only some types of extractors was shown
Crystal structures of an A-form duplex with single-adenosine bulges and a conformational basis for site-specific RNA self-cleavage
Abstract
Background: Bulged nucleotides are common secondary structural motifs in RNA molecules and are often involved in RNA-RNA and RNA-protein interactions. RNA is selectively cleaved at bulge sites (when compared to other sites within stems) in the presence of divalent metal cations. The effects of bulge nucleotides on duplex stability and topology have been extensively investigated, but no detailed X-ray structures of bulge-containing RNA fragments have been available.
Results: We have crystallized a self-complementary RNA-DNA chimeric 11-nucleotide sequence containing single-adenosine bulges under two different conditions, giving two distinct crystal forms. In both lattices the adenosines are looped out, leaving the stacking interactions in the duplex virtually unaffected. The bulges cause the duplex to kink in both cases. In one of the structures, the conformation of the bulged nucleotide places its modeled 2′-oxygen in line with the adjacent phosphate on the 3′ side, where it is poised for nucleophilic attack.
Conclusions: Single adenosine bulges cause a marked opening of the normally narrow RNA major groove in both crystal structures, rendering the bases more accessible to interacting molecules compared with an intact stem. The geometries around the looped-out adenosines are different in the two crystal forms, indicating that bulges can confer considerable local plasticity on the usually rigid RNA double helix. The results provide a conformational basis for the preferential, metal-assisted self-cleavage of RNA at bulged sites.