2011, Advances in Cryptology – CRYPTO 2011
…
Cryptographic protocols, such as protocols for secure function evaluation (SFE), have played a crucial role in the development of modern cryptography. The extensive theory of these protocols, however, deals almost exclusively with classical attackers. If we accept that quantum information processing is the most realistic model of physically feasible computation, then we must ask: what classical protocols remain secure against quantum attackers? Our main contribution is showing the existence of classical two-party protocols for the secure evaluation of any polynomial-time function under reasonable computational assumptions (for example, it suffices that the learning with errors problem be hard for quantum polynomial time). Our result shows that the basic two-party feasibility picture from classical cryptography remains unchanged in a quantum world.
Proceedings of the thiry-fourth annual ACM symposium on Theory of computing - STOC '02, 2002
Secure multi-party computing, also called secure function evaluation, has been extensively studied in classical cryptography. We consider the extension of this task to computation with quantum inputs and circuits. Our protocols are information-theoretically secure, i.e. no assumptions are made on the computational power of the adversary. For the weaker task of verifiable quantum secret sharing, we give a protocol which tolerates any t < n/4 cheating parties (out of n). This is shown to be optimal. We use this new tool to show how to perform any multi-party quantum computation as long as the number of dishonest players is less than n/6.
International Journal of Computer Network and Information Security
In the post-quantum approach, we consider classical (non-quantum) protocols and primitives which are run by honest parties on classical computers, and our aim is to keep their security in an environment where the adversary can rely on quantum computers [3]. In particular, an even harder goal is set by requiring provable security guarantees in a concurrent running environment, as we aim at computational UC-security. Unruh [16] conjectured that classical arguments of computational UC-security remain usable in a post-quantum world as long as the underlying computational UC-secure primitives are also computationally quantum UC-secure. Our proposed technique (full factorization) aims at reducing the original protocol into a statistically secure protocol by turning the protocol into a hybrid one where all cryptographic primitives are substituted by appropriate ideal functionalities. The considered set of primitives consists of secret key and public key encryption as well as digital signature. This way, and by applying Unruh's Quantum Lifting Theorem as well as the Quantum Universal Composition Theorem, we gain a computationally quantum UC-secure protocol from a classical UC-secure protocol. We consider quantum standard-security, where the adversary can send only classical inputs to honest algorithms, i.e. honest machines cannot receive quantum superpositions of inputs. If we also add the practical need of efficiency, our example is the class of protocols built from symmetric key primitives. A practical (fast) implementation could be based on the AES encryption algorithm with an appropriate key size, as long as we live with the wide belief that this algorithm is secure against a quantum adversary.
Lecture Notes in Computer Science, 2008
In secure two-party function evaluation, Alice, holding initially a secret input x, and Bob, having a secret input y, communicate to determine a prescribed function f(x, y) in such a way that after the computation Bob learns f(x, y) but nothing more about x than he could deduce from y and f(x, y) alone, and Alice learns nothing. Unconditionally secure function evaluation is known to be essentially impossible even in the quantum world. In this paper we introduce a new, weakened, model for security in two-party quantum computations. In our model (we call it susceptible function computation), if one party learns something about the input of the other one with advantage ε, then the probability that the correct value f(x, y) is computed, when the protocol completes, is at most 1 − δ(ε), for some function δ of ε. Thus, this model allows one to measure the trade-off between the advantage of a dishonest party and the error induced by its attack. Furthermore, we present a protocol for computing the one-out-of-two oblivious transfer function that achieves a quadratic trade-off, i.e. δ = Ω(ε²).
2014 IEEE 55th Annual Symposium on Foundations of Computer Science, 2014
Quantum zero-knowledge proofs and quantum proofs of knowledge are inherently difficult to analyze because their security analysis uses rewinding. Certain cases of quantum rewinding are handled by the results by Watrous (SIAM J Comput, 2009) and Unruh (Eurocrypt 2012), yet in general the problem remains elusive. We show that this is not only due to a lack of proof techniques: relative to an oracle, we show that classically secure proofs and proofs of knowledge are insecure in the quantum setting. More specifically, sigma-protocols, the Fiat-Shamir construction, and Fischlin's proof system are quantum insecure under assumptions that are sufficient for classical security. Additionally, we show that for similar reasons, computationally binding commitments provide almost no security guarantees in a quantum setting. To show these results, we develop the "pick-one trick", a general technique that allows an adversary to find one value satisfying a given predicate, but not two.
2008
We propose a quantum-enhanced protocol to authenticate classical messages, with improved security with respect to the classical scheme introduced by Brassard in 1983. In that protocol, the shared key is the seed of a pseudo-random generator (PRG) and a hash function is used to create the authentication tag of a public message. We show that a quantum encoding of secret bits offers more security than the classical XOR function introduced by Brassard. Furthermore, we establish the relationship between the bias of a PRG and the amount of information about the key that the attacker can retrieve from a block of authenticated messages. Finally, we prove that quantum resources can improve both the secrecy of the key generated by the PRG and the secrecy of the tag obtained with a hidden hash function.
Electronic Notes in Theoretical Computer Science, 2011
We propose a decision procedure for analysing security of quantum cryptographic protocols, combining an algebraic logic rewrite system with an operational semantics for quantum distributed computations. We apply our approach to reasoning about security properties of a recently developed quantum secret sharing protocol.
2008
The widely held belief that BQP strictly contains BPP raises fundamental questions: Upcoming generations of quantum computers might already be too large to be simulated classically. Is it possible to experimentally test that these systems perform as they should, if we cannot efficiently compute predictions for their behavior? Vazirani has asked [21]: If computing predictions for Quantum Mechanics requires exponential resources, is Quantum Mechanics a falsifiable theory? In cryptographic settings, an untrusted future company wants to sell a quantum computer or perform a delegated quantum computation. Can the customer be convinced of correctness without the ability to compare results to predictions? To provide answers to these questions, we define Quantum Prover Interactive Proofs (QPIP). Whereas in standard Interactive Proofs [13] the prover is computationally unbounded, here our prover is in BQP, representing a quantum computer. The verifier models our current computational capabilities: it is a BPP machine, with access to few qubits. Our main theorem can be roughly stated as: "Any language in BQP has a QPIP, and moreover, a fault tolerant one" (providing a partial answer to a challenge posted in [1]). We provide two proofs. The simpler one uses a new (possibly of independent interest) quantum authentication scheme (QAS) based on random Clifford elements. This QPIP however, is not fault tolerant. Our second protocol uses polynomial codes QAS due to Ben-Or, Crépeau, Gottesman, Hassidim, and Smith [8], combined with quantum fault tolerance and secure multiparty quantum computation techniques. A slight modification of our constructions makes the protocol "blind": the quantum computation and input remain unknown to the prover.
Quantum Information Processing, 2020
Quantum key distribution (QKD) protocols allow two parties to establish a shared secret key, secure against an all-powerful adversary. This is a task impossible to achieve through classical communication only; indeed, to distribute a secret key through classical means requires one to assume computationally bounded adversaries. If, however, both parties are "quantum capable" then security may be attained assuming only that the adversary must obey the laws of physics. But "how quantum" must a protocol actually be to gain this advantage over classical communication? This is one of the questions semi-quantum cryptography seeks to answer. Semi-quantum communication, a model introduced in 2007 by M. Boyer, D. Kenigsberg, and T. Mor (PRL 99 140501), involves the use of fully-quantum users and semi-quantum, or "classical", users. These classical users are only allowed to interact with the quantum channel in a limited, classical manner. Originally introduced to study the key-distribution problem, semi-quantum research has since expanded, and continues to grow, with new protocols, security proof methods, experimental implementations, and new cryptographic applications beyond key distribution. Research in the field of semi-quantum cryptography requires new insights into working with restricted protocols and, so, the tools and techniques derived in this field can translate to results in broader quantum information science. Furthermore, other questions, such as the connection between quantum and classical processing, including how classical information processing can be used to counteract a quantum deficiency in a protocol, can shed light on important theoretical questions. This work surveys the history and current state-of-the-art in semi-quantum research. We discuss the model and several protocols, offering the reader insight into how protocols are constructed in this realm.
We discuss security proof methods and how classical post-processing can be used to counteract users' inability to perform certain quantum operations. Moving beyond key distribution, we survey current work in other
Information Sciences, 2008
Most modern cryptographic studies design cryptosystems and algorithms using mathematical concepts. In designing and analyzing cryptosystems and protocols, mathematical concepts are critical in supporting the claim that the intended cryptosystem is secure. Most early cryptographic algorithms are based either on factorization or on the discrete logarithm problem. Such systems generally adopt rather simple mathematics, and, therefore, need extensive secondary index computation. This study discusses quantum cryptosystems, protection of system security, and optimization of system efficiency. Quantum cryptography detects intrusion and wiretaps. In quantum mechanics, a wiretap is neither external nor passive; rather, it modifies its entity based on the internal component of the system. The status of the quantum system changes once a wiretap is detected. Hence, only the designer of the system can discover the quantum status of the system; an eavesdropper can neither determine the quantum state nor duplicate the system. The quantum cryptosystem can achieve unconditional security, and thus guarantees secure communication.
Physical Review A, 2004
Physical Review A, 2011
Imaging and Applied Optics, 2011
Lecture Notes in Computer Science, 2004
International Journal of Engineering and Advanced Technology (IJEAT), 2023
GLOBECOM '05. IEEE Global Telecommunications Conference, 2005., 2005
Advances in Cryptology — CRYPTO 2000, 2000
Scientific Reports, 2021
Proceedings of the …, 2000
Advances in Cryptology – ASIACRYPT 2009, 2009
Journal of Universal Computer Science, 2006
Eprint Arxiv 0806 1231, 2008
Physical Review A, 2001