Unconditionally Secure Quantum Bit Commitment is Impossible
Phys. Rev. Lett., 1997
Cited by 134 (10 self)
The claim of quantum cryptography has always been that it can provide protocols that are unconditionally secure, that is, for which the security does not rely on any restriction on the time, space or technology available to the cheaters. We show that this claim cannot be applied to any quantum bit commitment protocol. We briefly discuss the consequences for quantum cryptography.

Zero-Knowledge Against Quantum Attacks
STOC'06, 2006
Cited by 34 (0 self)
This paper proves that several interactive proof systems are zero-knowledge against general quantum attacks. This includes the well-known Goldreich-Micali-Wigderson classical zero-knowledge protocols for Graph Isomorphism and Graph 3-Coloring (assuming the existence of quantum computationally concealing commitment schemes in the second case). Also included is a quantum interactive protocol for a complete problem for the complexity class of problems having “honest verifier” quantum statistical zero-knowledge proofs, which therefore establishes that honest verifier and general quantum statistical zero-knowledge are equal: QSZK = QSZK_HV. Previously no nontrivial proof systems were known to be zero-knowledge against quantum attacks, except in restricted settings such as the honest-verifier and common reference string models. This paper therefore establishes for the first time that true zero-knowledge is indeed possible in the presence of quantum information and computation.

A quantum Goldreich-Levin theorem with cryptographic applications
In Proc. of STACS ’02, LNCS 2285, 2002
Cited by 30 (2 self)
We investigate the Goldreich-Levin Theorem in the context of quantum information. This result is a reduction from the computational problem of inverting a one-way function to the problem of predicting a particular bit associated with that function. We show that the quantum version of the reduction—between quantum one-way functions and quantum hard-predicates—is quantitatively more efficient than the known classical version. Roughly speaking, if the one-way function acts on n-bit strings then the overhead in the reduction is by a factor of O(n/ε^2) in the classical case but only by a factor of O(1/ε) in the quantum case, where 1/2 + ε is the probability of predicting the hard-predicate. Moreover, we prove via a lower bound that, in a black-box framework, the classical version of the reduction cannot have overhead less than Ω(n/ε^2). We also show that, using this reduction, a quantum bit commitment scheme that is perfectly binding and computationally concealing can be obtained from any quantum one-way permutation. This complements a recent result by Dumais, Mayers and Salvail, where the bit commitment scheme is perfectly concealing and computationally binding. We also show how to perform qubit commitment by a similar approach.

Quantum public-key cryptosystems
In Proc. of CRYPTO 2000, 2000
Cited by 28 (2 self)
This paper presents a new paradigm of cryptography, quantum public-key cryptosystems. In quantum public-key cryptosystems, all parties including senders, receivers and adversaries are modeled as quantum (probabilistic) poly-time Turing (QPT) machines and only classical channels (i.e., no quantum channels) are employed. A quantum trapdoor one-way function, f, plays an essential role in our system, in which a QPT machine can compute f with high probability, any QPT machine can invert f with negligible probability, and a QPT machine with trapdoor data can invert f. This paper proposes a concrete scheme for quantum public-key cryptosystems: a quantum public-key encryption scheme or quantum trapdoor one-way function. The security of our schemes is based on the computational assumption (over QPT machines) that a class of subset-sum problems is intractable against any QPT machine. Our scheme is very efficient and practical if Shor’s discrete logarithm algorithm is efficiently realized on a quantum machine.

A new protocol and lower bounds for quantum coin flipping
In Proceedings of the Thirty-Third Annual ACM Symposium on Theory of Computing, 2001
Cited by 27 (4 self)
We present a new protocol and two lower bounds for quantum coin flipping. In our protocol, no dishonest party can achieve one outcome with probability more than 0.75. Then, we show that our protocol is optimal for a certain type of quantum protocols. For arbitrary quantum protocols, we show that if a protocol achieves a bias of at most ε, it must use at least Ω(log log(1/ε)) rounds of communication. This implies that the parallel repetition fails for quantum coin flipping. (The bias of a protocol cannot be arbitrarily decreased by running several copies of it in parallel.)

On the Impossibility of Constructing Non-Interactive Statistically-Secret Protocols from any Trapdoor One-Way Function
In Topics in Cryptology - The Cryptographers’ Track at the RSA Conference, 2002
Cited by 21 (0 self)
We show that non-interactive statistically-secret bit commitment cannot be constructed from arbitrary black-box one-to-one trapdoor functions and thus from general public-key cryptosystems. Reducing the problems of non-interactive crypto-computing, rerandomizable encryption, and non-interactive statistically-sender-private oblivious transfer and low-communication private information retrieval to such commitment schemes, it follows that these primitives are neither constructible from one-to-one trapdoor functions and public-key encryption in general. Furthermore, our...

Cryptography In the Bounded Quantum-Storage Model
In 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS), 2005
Cited by 21 (7 self)
We initiate the study of two-party cryptographic primitives with unconditional security, assuming that the adversary’s quantum memory is of bounded size. We show that oblivious transfer and bit commitment can be implemented in this model using protocols where honest parties need no quantum memory, whereas an adversarial player needs quantum memory of size at least n/2 in order to break the protocol, where n is the number of qubits transmitted. This is in sharp contrast to the classical bounded-memory model, where we can only tolerate adversaries with memory of size quadratic in honest players’ memory size. Our protocols are efficient, non-interactive and can be implemented using today’s technology. On the technical side, a new entropic uncertainty relation involving min-entropy is established.

A tight high-order entropic quantum uncertainty relation with applications
2007
Cited by 12 (6 self)
We derive a new entropic quantum uncertainty relation involving min-entropy. The relation is tight and can be applied in various quantum-cryptographic settings. Protocols for quantum 1-out-of-2 Oblivious Transfer and quantum Bit Commitment are presented and the uncertainty relation is used to prove the security of these protocols in the bounded-quantum-storage model according to new strong security definitions. As another application, we consider the realistic setting of Quantum Key Distribution (QKD) against quantum-memory-bounded eavesdroppers. The uncertainty relation allows one to prove the security of QKD protocols in this setting while tolerating considerably higher error rates compared to the standard model with unbounded adversaries. For instance, for the six-state protocol with one-way communication, a bit-flip error rate of up to 17% can be tolerated (compared to 13% in the standard model). Our uncertainty relation also yields a lower bound on the min-entropy key uncertainty against known-plaintext attacks when quantum ciphers are composed. Previously, the key uncertainty of these ciphers was only known with respect to Shannon entropy.

How to Convert the Flavor of a Quantum Bit Commitment
Eurocrypt 2001, Lecture Notes in Computer Science, 2001
Cited by 10 (3 self)
In this paper we show how to convert a statistically binding but computationally concealing quantum bit commitment scheme into a computationally binding but statistically concealing qbc scheme. For a security parameter n, the construction of the statistically concealing scheme requires O(n^2) executions of the statistically binding scheme. As a consequence, statistically concealing but computationally binding quantum bit commitments can be based upon any family of quantum one-way functions. Such a construction is not known to exist in the classical world.