Simulatable security for quantum protocols
The notion of simulatable security (reactive simulatability, universal
composability) is a powerful tool for allowing the modular design of
cryptographic protocols (composition of protocols) and showing the security of
a given protocol embedded in a larger one. Recently, these methods have
received much attention in the quantum cryptographic community.
We give a short introduction to simulatable security in general and proceed
by sketching the many different definitional choices together with their
advantages and disadvantages.
Based on the reactive simulatability modelling of Backes, Pfitzmann and
Waidner we then develop a quantum security model. By following the BPW
modelling as closely as possible, we show that composable quantum security
definitions for quantum protocols can strongly profit from their classical
counterparts, since most of the definitional choices in the modelling are
independent of the underlying machine model.
In particular, we give a proof for the simple composition theorem in our
framework.
Comment: Added proof of combination lemma; added comparison to the model of
Ben-Or, Mayers; minor correction.
Quantum Relational Hoare Logic with Expectations
We present a variant of the quantum relational Hoare logic from (Unruh, POPL 2019) that allows us to use "expectations" in pre- and postconditions. That is, when reasoning about pairs of programs, our logic allows us to reason quantitatively about how much certain pre-/postconditions are satisfied that refer to the relationship between the programs' inputs/outputs.
Everlasting Multi-Party Computation
A protocol has everlasting security if it is secure against
adversaries that are computationally unlimited after the
protocol execution. This models the fact that we cannot predict which
cryptographic schemes will be broken, say, several decades after the
protocol execution. In classical cryptography, everlasting security is
difficult to achieve: even using trusted setup like common reference
strings or signature cards, many tasks such as secure communication
and oblivious transfer cannot be achieved with everlasting security.
An analogous result in the quantum setting excludes protocols based on
common reference strings, but not protocols using a signature card. We
define a variant of the Universal Composability framework, everlasting
quantum-UC, and show that in this model, we can implement secure
communication and general multi-party computation using signature
cards as trusted setup.
Quantum Proofs of Knowledge
We motivate, define and construct quantum proofs of knowledge, that
is, proofs of knowledge secure against quantum adversaries. Our
constructions are based on a new quantum rewinding technique that
allows us to extract witnesses in many classical proofs of
knowledge. We give criteria under which a classical proof of knowledge
is a quantum proof of knowledge. Combining our results with Watrous'
results on quantum zero-knowledge, we show that there are
zero-knowledge quantum proofs of knowledge for all languages in NP
(assuming quantum 1-1 one-way functions).
Relations among Statistical Security Notions - or - Why Exponential Adversaries are Unlimited
In the context of Universal Composability, we introduce the concept of universal environments and simulators. Then, Universal Composability is equivalent to Universal Composability wrt. universal environments and simulators.
We prove the existence of universal environments and simulators and investigate their computational complexity.
From this, we get a number of consequences: First, we see that for polynomial-time protocols, exponential adversarial entities are as powerful as unlimited ones.
Further, for a large class of protocols (those with bounded communication complexity) we can show that UC and specialised-simulator UC coincide in the case of statistical security, i.e., that it does not matter whether the simulator is chosen in dependence on the environment or not. This also implies that for the Universal Composition Theorem for polynomial-time protocols, specialised-simulator UC is sufficient.
This result is the last piece needed to find all implications and non-implications between the notions of UC, specialised-simulator UC, O(1)-bounded and polynomially-bounded general composability for polynomial-time protocols in the cases of perfect, statistical and polynomial security.
Finally, we introduce the notion of bounded-risk UC, which allows one to give explicit security guarantees for concrete security parameters, and show that in the above case this variant also coincides with UC.
On the (Im-)Possibility of Extending Coin Toss
We consider the task of extending a given coin toss. By this, we mean the two-party task of using a single instance of a given coin toss protocol in order to interactively generate more random coins. A bit more formally, our goal is to generate n common random coins from a single use of an ideal functionality that gives m < n common random coins to both parties. In the framework of universal composability, we show the impossibility of securely extending a coin toss for statistical and perfect security. On the other hand, for computational security, the existence of a protocol for coin toss extension depends on the number m of random coins that can be obtained "for free." For the case of stand-alone security, i.e., a simulation-based security definition without an environment, we present a protocol for statistically secure coin toss extension. Our protocol works for superlogarithmic m, which is optimal as we show the impossibility of statistically secure coin toss extension for smaller m. Combining our results with already known results, we obtain a (nearly) complete characterization of the circumstances under which coin toss extension is possible.