Results 1  10
of
27
Exponential lower bound for 2query locally decodable codes via a quantum argument
 JOURNAL OF COMPUTER AND SYSTEM SCIENCES
, 2003
"... A locally decodable code encodes nbit strings x in mbit codewords C(x) in such a way that one can recover any bit xi from a corrupted codeword by querying only a few bits of that word. We use a quantum argument to prove that LDCs with 2 classical queries require exponential length: m = 2 \Omega ( ..."
Abstract

Cited by 134 (15 self)
 Add to MetaCart
A locally decodable code encodes nbit strings x in mbit codewords C(x) in such a way that one can recover any bit xi from a corrupted codeword by querying only a few bits of that word. We use a quantum argument to prove that LDCs with 2 classical queries require exponential length: m = 2 \Omega (n). Previously this was known only for linear codes (Goldreich et al. 02). The
A new protocol and lower bounds for quantum coin flipping
 In Proceedings of the ThirtyThird Annual ACM Symposium on Theory of Computing
, 2001
"... We present a new protocol and two lower bounds for quantum coin flipping. In our protocol, no dishonest party can achieve one outcome with probability more than 0.75. Then, we show that our protocol is optimal for a certain type of quantum protocols. For arbitrary quantum protocols, we show that if ..."
Abstract

Cited by 40 (5 self)
 Add to MetaCart
We present a new protocol and two lower bounds for quantum coin flipping. In our protocol, no dishonest party can achieve one outcome with probability more than 0.75. Then, we show that our protocol is optimal for a certain type of quantum protocols. For arbitrary quantum protocols, we show that if a protocol achieves a bias of at most ǫ, it must use at least Ω(log log 1 ǫ) rounds of communication. This implies that the parallel repetition fails for quantum coin flipping. (The bias of a protocol cannot be arbitrarily decreased by running several copies of it in parallel.) 1
Unconditional security from noisy quantum storage
, 2009
"... We consider the implementation of twoparty cryptographic primitives based on the sole assumption that no largescale reliable quantum storage is available to the cheating party. We construct novel protocols for oblivious transfer and bit commitment, and prove that realistic noise levels provide sec ..."
Abstract

Cited by 18 (1 self)
 Add to MetaCart
We consider the implementation of twoparty cryptographic primitives based on the sole assumption that no largescale reliable quantum storage is available to the cheating party. We construct novel protocols for oblivious transfer and bit commitment, and prove that realistic noise levels provide security even against the most general attack. Such unconditional results were previously only known in the socalled boundedstorage model which is a special case of our setting. Our protocols can be implemented with presentday hardware used for quantum key distribution. In particular, no quantum storage is required for the honest parties.
Composing quantum protocols in a classical environment
, 2009
"... We propose a general security definition for cryptographic quantum protocols that implement classical nonreactive twoparty tasks. The definition is expressed in terms of simple quantuminformationtheoretic conditions which must be satisfied by the protocol to be secure. The conditions are unique ..."
Abstract

Cited by 16 (5 self)
 Add to MetaCart
We propose a general security definition for cryptographic quantum protocols that implement classical nonreactive twoparty tasks. The definition is expressed in terms of simple quantuminformationtheoretic conditions which must be satisfied by the protocol to be secure. The conditions are uniquely determined by the ideal functionality F defining the cryptographic task to be implemented. We then show the following composition result. If quantum protocols π1,...,πℓ securely implement ideal functionalities F1,...,Fℓ according to our security definition, then any purely classical twoparty protocol, which makes sequential calls to F1,...,Fℓ, is equally secure as the protocol obtained by replacing the calls to F1,...,Fℓ with the respective quantum protocols π1,...,πℓ. Hence, our approach yields the minimal security requirements which are strong enough for the typical use of quantum protocols as subroutines within larger classical schemes. Finally, we show that recently proposed quantum protocols for secure identification and oblivious transfer in the boundedquantumstorage model satisfy our security definition, and thus compose in the above sense.
Secure identification and QKD in the boundedquantumstorage model
 In Advances in Cryptology— CRYPTO ’07
, 2007
"... Abstract. We consider the problem of secure identification: user U proves to server S that he knows an agreed (possibly lowentropy) password w, while giving away as little information on w as possible, namely the adversary can exclude at most one possible password for each execution of the scheme. ..."
Abstract

Cited by 14 (8 self)
 Add to MetaCart
(Show Context)
Abstract. We consider the problem of secure identification: user U proves to server S that he knows an agreed (possibly lowentropy) password w, while giving away as little information on w as possible, namely the adversary can exclude at most one possible password for each execution of the scheme. We propose a solution in the boundedquantumstorage model, where U and S may exchange qubits, and a dishonest party is assumed to have limited quantum memory. No other restriction is posed upon the adversary. An improved version of the proposed identification scheme is also secure against a maninthemiddle attack, but requires U and S to additionally share a highentropy key k. However, security is still guaranteed if one party loses k to the attacker but notices the loss. In both versions of the scheme, the honest participants need no quantum memory, and noise and imperfect quantum sources can be tolerated. The schemes compose sequentially, and w and k can securely be reused. A small modification to the identification scheme results in a quantumkeydistribution (QKD) scheme, secure in the boundedquantumstorage model, with the same reusability properties of the keys, and without assuming authenticated channels. This is in sharp contrast to known QKD schemes (with unbounded adversary) without authenticated channels, where authentication keys must be updated, and unsuccessful executions can cause the parties to run out of keys. 1
Implications of superstrong nonlocality for cryptography
, 2005
"... Nonlocal boxes are hypothetical “machines” that give rise to superstrong nonlocal correlations, leading to a stronger violation of Bell/CHSH inequalities than is possible within the framework of quantum mechanics. We show how nonlocal boxes can be used to perform any twoparty secure computation. ..."
Abstract

Cited by 10 (1 self)
 Add to MetaCart
(Show Context)
Nonlocal boxes are hypothetical “machines” that give rise to superstrong nonlocal correlations, leading to a stronger violation of Bell/CHSH inequalities than is possible within the framework of quantum mechanics. We show how nonlocal boxes can be used to perform any twoparty secure computation. We first construct a protocol for bit commitment and then show how to achieve oblivious transfer using nonlocal boxes. Both have been shown to be impossible using quantum mechanics alone.
ROBUST CRYPTOGRAPHY IN THE NOISYQUANTUMSTORAGE MODEL
, 2009
"... It was shown in [42] that cryptographic primitives can be implemented based on the assumption that quantum storage of qubits is noisy. In this work we analyze a protocol for the universal task of oblivious transfer that can be implemented using quantumkeydistribution (QKD) hardware in the practica ..."
Abstract

Cited by 9 (3 self)
 Add to MetaCart
It was shown in [42] that cryptographic primitives can be implemented based on the assumption that quantum storage of qubits is noisy. In this work we analyze a protocol for the universal task of oblivious transfer that can be implemented using quantumkeydistribution (QKD) hardware in the practical setting where honest participants are unable to perform noisefree operations. We derive tradeoffs between the amount of storage noise, the amount of noise in the operations performed by the honest participants and the security of oblivious transfer which are greatly improved compared to the results in [42]. As an example, we show that for the case of depolarizing noise in storage we can obtain secure oblivious transfer as long as the quantum biterror rate of the channel does not exceed 11 % and the noise on the channel is strictly less than the quantum storage noise. This is optimal for the protocol considered. Finally, we show that our analysis easily carries over to quantum protocols for secure identification.
L.: Secure twoparty quantum evaluation of unitaries against specious adversaries
 Advances in Cryptology, Proceedings of Crypto 2010
, 2010
"... ar ..."
(Show Context)
On the efficiency of classical and quantum oblivious transfer reductions
 In Advances in Cryptology — CRYPTO ’10, Lecture Notes in Computer Science
, 2010
"... Abstract. Due to its universality oblivious transfer (OT) is a primitive of great importance in secure multiparty computation. OT is impossible to implement from scratch in an unconditionally secure way, but there are many reductions of OT to other variants of OT, as well as other primitives such a ..."
Abstract

Cited by 7 (2 self)
 Add to MetaCart
(Show Context)
Abstract. Due to its universality oblivious transfer (OT) is a primitive of great importance in secure multiparty computation. OT is impossible to implement from scratch in an unconditionally secure way, but there are many reductions of OT to other variants of OT, as well as other primitives such as noisy channels. It is important to know how efficient such unconditionally secure reductions can be in principle, i.e., how many instances of a given primitive are at least needed to implement OT. For perfect (errorfree) implementations good lower bounds are known, e.g. the bounds by Beaver (STOC ’96) or by Dodis and Micali (EUROCRYPT ’99). However, in practice one is usually willing to tolerate a small probability of error and it is known that these statistical reductions can in general be much more efficient. Thus, the known bounds have only limited application. In the first part of this work we provide bounds on the efficiency of secure (onesided) twoparty computation of arbitrary finite functions from distributed randomness in the statistical case. From these results we derive bounds on the efficiency of protocols that use (different variants of) OT as a blackbox. When applied to implementations of OT, our bounds generalize known results to the statistical case. Our results hold in particular for transformations between a finite number of primitives and for any error. Furthermore, we provide bounds on the efficiency of protocols implementing Rabin OT.