Tomoyuki Morimae,Takashi Yamakawa

2024-05-08

Abstract:The existence of one-way functions is one of the most fundamental assumptions in classical cryptography. In the quantum world, on the other hand, there are evidences that some cryptographic primitives can exist even if one-way functions do not exist. We therefore have the following important open problem in quantum cryptography: What is the most fundamental element in quantum cryptography? In this direction, Brakerski, Canetti, and Qian recently defined a notion called EFI pairs, which are pairs of efficiently generatable states that are statistically distinguishable but computationally indistinguishable, and showed its equivalence with some cryptographic primitives including commitments, oblivious transfer, and general multi-party computations. However, their work focuses on decision-type primitives and does not cover search-type primitives like quantum money and digital signatures. In this paper, we study properties of one-way state generators (OWSGs), which are a quantum analogue of one-way functions. We first revisit the definition of OWSGs and generalize it by allowing mixed output states. Then we show the following results. (1) We define a weaker version of OWSGs, weak OWSGs, and show that they are equivalent to OWSGs. (2) Quantum digital signatures are equivalent to OWSGs. (3) Private-key quantum money schemes (with pure money states) imply OWSGs. (4) Quantum pseudo one-time pad schemes imply both OWSGs and EFI pairs. (5) We introduce an incomparable variant of OWSGs, which we call secretly-verifiable and statistically-invertible OWSGs, and show that they are equivalent to EFI pairs.

Quantum Physics,Cryptography and Security

Giulio Malavolta,Tomoyuki Morimae,Michael Walter,Takashi Yamakawa

2024-04-21

Abstract:In classical cryptography, one-way functions are widely considered to be the minimal computational assumption. However, when taking quantum information into account, the situation is more nuanced. There are currently two major candidates for the minimal assumption: the search quantum generalization of one-way functions are one-way state generators (OWSG), whereas the decisional variant are EFI pairs. A well-known open problem in quantum cryptography is to understand how these two primitives are related. A recent breakthrough result of Khurana and Tomer (STOC'24) shows that OWSGs imply EFI pairs, for the restricted case of pure states.

Quantum Physics,Cryptography and Security

Tomoyuki Morimae,Takashi Yamakawa

2024-05-22

Abstract:We demonstrate quantum advantage with several basic assumptions, specifically based on only the existence of OWFs. We introduce inefficient-verifier proofs of quantumness (IV-PoQ), and construct it from classical bit commitments. IV-PoQ is an interactive protocol between a verifier and a quantum prover consisting of two phases. In the first phase, the verifier is probabilistic polynomial-time, and it interacts with the prover. In the second phase, the verifier becomes inefficient, and makes its decision based on the transcript of the first phase. If the prover is honest, the inefficient verifier accepts with high probability, but any classical malicious prover only has a small probability of being accepted by the inefficient verifier. Our construction demonstrates the following results: (1)If one-way functions exist, then IV-PoQ exist. (2)If distributional collision-resistant hash functions exist (which exist if hard-on-average problems in $\mathbf{SZK}$ exist), then constant-round IV-PoQ exist. We also demonstrate quantum advantage based on worst-case-hard assumptions. We define auxiliary-input IV-PoQ (AI-IV-PoQ) that only require that for any malicious prover, there exist infinitely many auxiliary inputs under which the prover cannot cheat. We construct AI-IV-PoQ from an auxiliary-input version of commitments in a similar way, showing that (1)If auxiliary-input one-way functions exist (which exist if $\mathbf{CZK}\not\subseteq\mathbf{BPP}$), then AI-IV-PoQ exist. (2)If auxiliary-input collision-resistant hash functions exist (which is equivalent to $\mathbf{PWPP}\nsubseteq \mathbf{FBPP}$) or $\mathbf{SZK}\nsubseteq \mathbf{BPP}$, then constant-round AI-IV-PoQ exist.

Quantum Physics,Computational Complexity,Cryptography and Security

Yifan Jia,Angela Capel

DOI: https://doi.org/10.22331/q-2024-05-02-1331

2024-04-25

Abstract:Quantum Wielandt's inequality gives an optimal upper bound on the minimal length $k$ such that length-$k$ products of elements in a generating system span $M_n(\mathbb{C})$. It is conjectured that $k$ should be of order $\mathcal{O}(n^2)$ in general. In this paper, we give an overview of how the question has been studied in the literature so far and its relation to a classical question in linear algebra, namely the length of the algebra $M_n(\mathbb{C})$. We provide a generic version of quantum Wielandt's inequality, which gives the optimal length with probability one. More specifically, we prove based on [KS16] that $k$ generically is of order $\Theta(\log n)$, as opposed to the general case, in which the best bound to date is $\mathcal O(n^2 \log n)$. Our result implies a new bound on the primitivity index of a random quantum channel. Furthermore, we shed new light on a long-standing open problem for Projected Entangled Pair State, by concluding that almost any translation-invariant PEPS (in particular, Matrix Product State) with periodic boundary conditions on a grid with side length of order $\Omega( \log n )$ is the unique ground state of a local Hamiltonian. We observe similar characteristics for matrix Lie algebras and provide numerical results for random Lie-generating systems.

Quantum Physics,Mathematical Physics

Amit Behera,Giulio Malavolta,Tomoyuki Morimae,Tamer Mour,Takashi Yamakawa

2024-10-14

Abstract:While in classical cryptography, one-way functions (OWFs) are widely regarded as the "minimal assumption," the situation in quantum cryptography is less clear. Recent works have put forward two concurrent candidates for the minimal assumption in quantum cryptography: One-way state generators (OWSGs), postulating the existence of a hard search problem with an efficient verification algorithm, and EFI pairs, postulating the existence of a hard distinguishing problem. Two recent papers [Khurana and Tomer STOC'24; Batra and Jain FOCS'24] showed that OWSGs imply EFI pairs, but the reverse direction remained open. In this work, we give strong evidence that the opposite direction does not hold: We show that there is a quantum unitary oracle relative to which EFI pairs exist, but OWSGs do not. In fact, we show a slightly stronger statement that holds also for EFI pairs that output classical bits (QEFID). As a consequence, we separate, via our oracle, QEFID, and one-way puzzles from OWSGs and several other Microcrypt primitives, including efficiently verifiable one-way puzzles and unclonable state generators. In particular, this solves a problem left open in [Chung, Goldin, and Gray Crypto'24]. Using similar techniques, we also establish a fully black-box separation (which is slightly weaker than an oracle separation) between private-key quantum money schemes and QEFID pairs. One conceptual implication of our work is that the existence of an efficient verification algorithm may lead to qualitatively stronger primitives in quantum cryptography.

Quantum Physics,Cryptography and Security

Bruno Cavalar,Eli Goldin,Matthew Gray,Peter Hall,Yanyi Liu,Angelos Pelecanos

2023-12-21

Abstract:There is a large body of work studying what forms of computational hardness are needed to realize classical cryptography. In particular, one-way functions and pseudorandom generators can be built from each other, and thus require equivalent computational assumptions to be realized. Furthermore, the existence of either of these primitives implies that $\rm{P} \neq \rm{NP}$, which gives a lower bound on the necessary hardness. One can also define versions of each of these primitives with quantum output: respectively one-way state generators and pseudorandom state generators. Unlike in the classical setting, it is not known whether either primitive can be built from the other. Although it has been shown that pseudorandom state generators for certain parameter regimes can be used to build one-way state generators, the implication has not been previously known in full generality. Furthermore, to the best of our knowledge, the existence of one-way state generators has no known implications in complexity theory. We show that pseudorandom states compressing $n$ bits to $\log n + 1$ qubits can be used to build one-way state generators and pseudorandom states compressing $n$ bits to $\omega(\log n)$ qubits are one-way state generators. This is a nearly optimal result since pseudorandom states with fewer than $c \log n$-qubit output can be shown to exist unconditionally. We also show that any one-way state generator can be broken by a quantum algorithm with classical access to a $\rm{PP}$ oracle. An interesting implication of our results is that a $t(n)$-copy one-way state generator exists unconditionally, for every $t(n) = o(n/\log n)$. This contrasts nicely with the previously known fact that $O(n)$-copy one-way state generators require computational hardness. We also outline a new route towards a black-box separation between one-way state generators and quantum bit commitments.

Cryptography and Security,Computational Complexity,Quantum Physics

Rishabh Batra,Rahul Jain

2024-09-25

Abstract:One-way state generators (OWSG) are natural quantum analogs to classical one-way functions. We consider statistically-verifiable OWSGs (sv-OWSG), which are potentially weaker objects than OWSGs. We show that O(n/log(n))-copy sv-OWSGs (n represents the input length) are equivalent to poly(n)-copy sv-OWSGs and to quantum commitments. Since known results show that o(n/log(n))-copy OWSGs cannot imply commitments, this shows that O(n/log(n))-copy sv-OWSGs are the weakest OWSGs from which we can get commitments (and hence much of quantum cryptography). Our construction follows along the lines of Hastad, Impagliazzo, Levin and Luby, who obtained classical pseudorandom generators (PRG) from classical one-way functions (OWF), however with crucial modifications. Our construction, when applied to the classical case, provides an alternative to the classical construction to obtain a classical mildly non-uniform PRG from any classical OWF. Since we do not argue conditioned on the output $f(x)$, our construction and analysis is arguably simpler and may be of independent interest. For converting a mildly non-uniform PRG to a uniform PRG, we can use the classical construction.

Quantum Physics,Cryptography and Security

Wei Zheng Teo,Marco Carmosino,Lior Horesh

DOI: https://doi.org/10.48550/arXiv.2209.10146

2022-09-21

Abstract:One-way functions (OWF) are one of the most essential cryptographic primitives, the existence of which results in wide-ranging ramifications such as private-key encryption and proving $P \neq NP$. These OWFs are often thought of as having classical input and output (i.e. binary strings), however, recent work proposes OWF constructions where the input and/or the output can be quantum. In this paper, we demonstrate that quantum-classical (i.e. quantum input, classical output) OWFs can be used to produce classical-classical (i.e. classical input, classical output) OWFs that retain the one-wayness property against any quantum polynomial adversary (i.e. quantum-resistant). We demonstrate this in two ways. Firstly, we propose a definition of quantum-classical OWFs and show that the existence of such a quantum-classical OWF would imply the existence of a classical-classical OWF. Secondly, we take a proposed quantum-classical OWF and demonstrate how to turn it into a classical-classical OWF. In summary, this paper showcases another possible route into proving the existence of classical-classical OWFs (assuming intermediate quantum computations are allowed) using a "domain-shifting" technique between classical and quantum information, with the added bonus that such OWFs are also going to be quantum-resistant.

Quantum Physics,Cryptography and Security

Stefan Rass

2023-07-18

Abstract:This note is an attempt to unconditionally prove the existence of weak one way functions (OWF). Starting from a provably intractable decision problem $L_D$ (whose existence is nonconstructively assured from the well-known discrete time-hierarchy theorem from complexity theory), we construct another intractable decision problem $L\subseteq \{0,1\}^*$ that has its words scattered across $\{0,1\}^\ell$ at a relative frequency $p(\ell)$, for which upper and lower bounds can be worked out. The value $p(\ell)$ is computed from the density of the language within $\{0,1\}^\ell$ divided by the total word count $2^\ell$. It corresponds to the probability of retrieving a yes-instance of a decision problem upon a uniformly random draw from $\{0,1\}^\ell$. The trick to find a language with known bounds on $p(\ell)$ relies on switching from $L_D$ to $L_0:=L_D\cap L'$, where $L'$ is an easy-to-decide language with a known density across $\{0,1\}^*$. In defining $L'$ properly (and upon a suitable Gödel numbering), the hardness of deciding $L_D\cap L'$ is inherited from $L_D$, while its density is controlled by that of $L'$. The lower and upper approximation of $p(\ell)$ then let us construct an explicit threshold function (as in random graph theory) that can be used to efficiently and intentionally sample yes- or no-instances of the decision problem (language) $L_0$ (however, without any auxiliary information that could ease the decision like a polynomial witness). In turn, this allows to construct a weak OWF that encodes a bit string $w\in\{0,1\}^*$ by efficiently (in polynomial time) emitting a sequence of randomly constructed intractable decision problems, whose answers correspond to the preimage $w$.

Computational Complexity

Minki Hhan,Shogo Yamada

2024-11-05

Abstract:Recent active studies have demonstrated that cryptography without one-way functions (OWFs) could be possible in the quantum world. Many fundamental primitives that are natural quantum analogs of OWFs or pseudorandom generators (PRGs) have been introduced, and their mutual relations and applications have been studied. Among them, pseudorandom function-like state generators (PRFSGs) [Ananth, Qian, and Yuen, Crypto 2022] are one of the most important primitives. PRFSGs are a natural quantum analogue of pseudorandom functions (PRFs), and imply many applications such as IND-CPA secret-key encryption (SKE) and EUF-CMA message authentication code (MAC). However, only known constructions of (many-query-secure) PRFSGs are ones from OWFs or pseudorandom unitaries (PRUs). In this paper, we construct classically-accessible adaptive secure PRFSGs in the invertible quantum Haar random oracle (QHRO) model which is introduced in [Chen and Movassagh, Quantum]. The invertible QHRO model is an idealized model where any party can access a public single Haar random unitary and its inverse, which can be considered as a quantum analog of the random oracle model. Our PRFSG constructions resemble the classical Even-Mansour encryption based on a single permutation, and are secure against any unbounded polynomial number of queries to the oracle and construction. To our knowledge, this is the first application in the invertible QHRO model without any assumption or conjecture. The previous best construction in the idealized model is PRFSGs secure up to o({\lambda}/ log {\lambda}) queries in the common Haar state model [Ananth, Gulati, and Lin, TCC 2024].

Quantum Physics

Chris Brzuska,Geoffroy Couteau

DOI: https://doi.org/10.1007/s00145-024-09518-1

2024-12-06

Journal of Cryptology

Abstract:Constructing one-way functions from average-case hardness is a long-standing open problem. A positive result would exclude Pessiland (Impagliazzo '95) and establish a highly desirable win–win situation: either (symmetric) cryptography exists unconditionally, or all problems can be solved efficiently on the average. Motivated by the lack of progress on this seemingly very hard question, we initiate the investigation of weaker yet meaningful candidate win–win results of the following type: either there are fine-grained one-way functions (FGOWF), or non-trivial speedups can be obtained for all problems on the average. FGOWFs only require a fixed polynomial gap (as opposed to superpolynomial) between the running time of the function and the running time of an inverter. We obtain three main results: Construction. We show that if there is an language having a very strong form of average-case hardness, which we call block finding hardness , then FGOWF exist. We provide heuristic support for this very strong average-case hardness notion by showing that it holds for a random language. Then, we study whether weaker (and more natural) forms of average-case hardness could already suffice to obtain FGOWF and obtain two negative results: Separation I. We provide a strong oracle separation for the implication ( exponentially average-case hard language FGOWF). Separation II. We provide a second strong negative result for an even weaker candidate win–win result. Namely, we rule out a relativizing proof for the implication ( exponentially average-case hard language whose hardness amplifies optimally through parallel repetitions FGOWF). This separation forms the core technical contribution of our work.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Dakshita Khurana,Kabir Tomer

2024-01-30

Abstract:One-way functions are central to classical cryptography. They are both necessary for the existence of non-trivial classical cryptosystems, and sufficient to realize meaningful primitives including commitments, pseudorandom generators and digital signatures. At the same time, a mounting body of evidence suggests that assumptions even weaker than one-way functions may suffice for many cryptographic tasks of interest in a quantum world, including bit commitments and secure multi-party computation. This work studies one-way state generators [Morimae-Yamakawa, CRYPTO 2022], a natural quantum relaxation of one-way functions. Given a secret key, a one-way state generator outputs a hard to invert quantum state. A fundamental question is whether this type of quantum one-wayness suffices to realize quantum cryptography. We obtain an affirmative answer to this question, by proving that one-way state generators with pure state outputs imply quantum bit commitments and secure multiparty computation. Along the way, we build an intermediate primitive with classical outputs, which we call a (quantum) one-way puzzle. Our main technical contribution is a proof that one-way puzzles imply quantum bit commitments.

Quantum Physics,Cryptography and Security

Anne Broadbent,Eric Culf

DOI: https://doi.org/10.4230/LiPIcs.ITCS.2023.28

2023-03-02

Abstract:In a monogamy-of-entanglement (MoE) game, two players who do not communicate try to simultaneously guess a referee's measurement outcome on a shared quantum state they prepared. We study the prototypical example of a game where the referee measures in either the computational or Hadamard basis and informs the players of her choice. We show that this game satisfies a rigidity property similar to what is known for some nonlocal games. That is, in order to win optimally, the players' strategy must be of a specific form, namely a convex combination of four unentangled optimal strategies generated by the Breidbart state. We extend this to show that strategies that win near-optimally must also be near an optimal state of this form. We also show rigidity for multiple copies of the game played in parallel. We give three applications: (1) We construct for the first time a weak string erasure (WSE) scheme where the security does not rely on limitations on the parties' hardware. Instead, we add a prover, which enables security via the rigidity of this MoE game. (2) We show that the WSE scheme can be used to achieve bit commitment in a model where it is impossible classically. (3) We achieve everlasting-secure randomness expansion in the model of trusted but leaky measurement and untrusted preparation and measurements by two isolated devices, while relying only on the temporary assumption of pseudorandom functions. This achieves randomness expansion without the need for shared entanglement.

Quantum Physics

Taiga Hiroka,Tomoyuki Morimae

2024-11-05

Abstract:In classical cryptography, one-way functions (OWFs) are the minimal assumption, while it is not the case in quantum cryptography. Several new primitives have been introduced such as pseudorandom state generators (PRSGs), one-way state generators (OWSGs), one-way puzzles (OWPuzzs), and EFI pairs. They seem to be weaker than OWFs, but still imply many useful applications. Now that the possibility of quantum cryptography without OWFs has opened up, the most important goal in the field is to build a foundation of it. In this paper, we, for the first time, characterize quantum cryptographic primitives with meta-complexity. We show that one-way puzzles (OWPuzzs) exist if and only if GapK is weakly-quantum-average-hard. GapK is a promise problem to decide whether a given bit string has a small Kolmogorov complexity or not. Weakly-quantum-average-hard means that an instance is sampled from a QPT samplable distribution, and for any QPT adversary the probability that it makes mistake is larger than ${\rm 1/poly}$. We also show that if quantum PRGs exist then GapK is strongly-quantum-average-hard. Here, strongly-quantum-average-hard is a stronger version of weakly-quantum-average-hard where the probability that the adversary makes mistake is larger than $1/2-1/{\rm poly}$. Finally, we show that if GapK is weakly-classical-average-hard, then inefficient-verifier proofs of quantumness (IV-PoQ) exist. Weakly-classical-average-hard is the same as weakly-quantum-average-hard except that the adversary is PPT. IV-PoQ are a generalization of proofs of quantumness (PoQ) that capture sampling-based and search-based quantum advantage, and an important application of OWpuzzs. This is the fist time that quantum advantage is based on meta-complexity. (Note: There are two concurrent works[Khurana-Tomer,<a class="link-https" data-arxiv-id="2409.15248" href="https://arxiv.org/abs/2409.15248">arXiv:2409.15248</a>; Cavalar-Goldin-Gray-Hall,<a class="link-https" data-arxiv-id="2410.04984" href="https://arxiv.org/abs/2410.04984">arXiv:2410.04984</a>].)

Quantum Physics

Kai-Min Chung,Eli Goldin,Matthew Gray

2024-06-29

Abstract:Recent work has introduced the "Quantum-Computation Classical-Communication" (QCCC) (Chung et. al.) setting for cryptography. There has been some evidence that One Way Puzzles (OWPuzz) are the natural central cryptographic primitive for this setting (Khurana and Tomer). For a primitive to be considered central it should have several characteristics. It should be well behaved (which for this paper we will think of as having amplification, combiners, and universal constructions); it should be implied by a wide variety of other primitives; and it should be equivalent to some class of useful primitives. We present combiners, correctness and security amplification, and a universal construction for OWPuzz. Our proof of security amplification uses a new and cleaner version construction of EFI from OWPuzz (in comparison to the result of Khurana and Tomer) that generalizes to weak OWPuzz and is the most technically involved section of the paper. It was previously known that OWPuzz are implied by other primitives of interest including commitments, symmetric key encryption, one way state generators (OWSG), and therefore pseudorandom states (PRS). However we are able to rule out OWPuzz's equivalence to many of these primitives by showing a black box separation between general OWPuzz and a restricted class of OWPuzz (those with efficient verification, which we call EV-OWPuzz). We then show that EV-OWPuzz are also implied by most of these primitives, which separates them from OWPuzz as well. This separation also separates extending PRS from highly compressing PRS answering an open question of Ananth et. al.

Cryptography and Security

Omar Fawzi,Aadil Oufkir,Robert Salzmann

2024-09-06

Abstract:Estimating the fidelity between a desired target quantum state and an actual prepared state is essential for assessing the success of experiments. For pure target states, we use functional representations that can be measured directly and determine the number of copies of the prepared state needed for fidelity estimation. In continuous variable (CV) systems, we utilise the Wigner function, which can be measured via displaced parity measurements. We provide upper and lower bounds on the sample complexity required for fidelity estimation, considering the worst-case scenario across all possible prepared states. For target states of particular interest, such as Fock and Gaussian states, we find that this sample complexity is characterised by the $L^1$-norm of the Wigner function, a measure of Wigner negativity widely studied in the literature, in particular in resource theories of quantum computation. For discrete variable systems consisting of $n$ qubits, we explore fidelity estimation protocols using Pauli string measurements. Similarly to the CV approach, the sample complexity is shown to be characterised by the $L^1$-norm of the characteristic function of the target state for both Haar random states and stabiliser states. Furthermore, in a general black box model, we prove that, for any target state, the optimal sample complexity for fidelity estimation is characterised by the smoothed $L^1$-norm of the target state. To the best of our knowledge, this is the first time the $L^1$-norm of the Wigner function provides a lower bound on the cost of some information processing task.

Quantum Physics,Mathematical Physics,Statistics Theory

Remigiusz Augusiak,Jordi Tura,Maciej Lewenstein

DOI: https://doi.org/10.1088/1751-8113/44/21/212001

2011-04-08

Abstract:Entanglement witnesses (EWs) constitute one of the most important entanglement detectors in quantum systems. Nevertheless, their complete characterization, in particular with respect to the notion of optimality, is still missing, even in the decomposable case. Here we show that for any qubit-qunit decomposable EW (DEW) W the three statements are equivalent: (i) the set of product vectors obeying \bra{e,f}W\ket{e,f}=0 spans the corresponding Hilbert space, (ii) W is optimal, (iii) W=Q^{\Gamma} with Q denoting a positive operator supported on a completely entangled subspace (CES) and \Gamma standing for the partial transposition. While, implications $(i)\Rightarrow(ii)$ and $(ii)\Rightarrow(iii)$ are known, here we prove that (iii) implies (i). This is a consequence of a more general fact saying that product vectors orthogonal to any CES in C^{2}\otimes C^{n} span after partial conjugation the whole space. On the other hand, already in the case of C^{3}\otimes C^{3} Hilbert space, there exist DEWs for which (iii) does not imply (i). Consequently, either (i) does not imply (ii), or (ii) does not imply (iii), and the above transparent characterization obeyed by qubit-qunit DEWs, does not hold in general.

Quantum Physics

Tomoyuki Morimae,Yuki Shirakawa,Takashi Yamakawa

2024-11-01

Abstract:Quantum computational advantage refers to an existence of computational tasks that are easy for quantum computing but hard for classical one. Unconditionally showing quantum advantage is beyond our current understanding of complexity theory, and therefore some computational assumptions are needed. Which complexity assumption is necessary and sufficient for quantum advantage? In this paper, we show that inefficient-verifier proofs of quantumness (IV-PoQ) exist if and only if classically-secure one-way puzzles (OWPuzzs) exist. As far as we know, this is the first time that a complete cryptographic characterization of quantum advantage is obtained. IV-PoQ capture various types of quantum advantage previously studied, such as sampling-based quantum advantage and searching-based one. Previous work [Morimae and Yamakawa, Crypto 2024] showed that IV-PoQ can be constructed from OWFs, but a construction of IV-PoQ from weaker assumptions was left open. Our result solves the open problem. OWPuzzs are one of the most fundamental quantum cryptographic primitives implied by many quantum cryptographic primitives weaker than one-way functions (OWFs). The equivalence between IV-PoQ and classically-secure OWPuzzs therefore highlights that if there is no quantum advantage, then these fundamental primitives do not exist. The equivalence also means that quantum advantage is an example of the applications of OWPuzzs. Except for commitments, no application of OWPuzzs was known before. Our result shows that quantum advantage is another application of OWPuzzs, which solves the open question of [Chung, Goldin, and Gray, Crypto 2024]. Moreover, it is the first quantum-computation-classical-communication (QCCC) application of OWPuzzs.

Quantum Physics

Frédéric Dupuis,Philippe Lamontagne,Louis Salvail

2024-02-21

Abstract:We explore the cryptographic power of arbitrary shared physical resources. The most general such resource is access to a fresh entangled quantum state at the outset of each protocol execution. We call this the Common Reference Quantum State (CRQS) model, in analogy to the well-known Common Reference String (CRS). The CRQS model is a natural generalization of the CRS model but appears to be more powerful: in the two-party setting, a CRQS can sometimes exhibit properties associated with a Random Oracle queried once by measuring a maximally entangled state in one of many mutually unbiased bases. We formalize this notion as a Weak One-Time Random Oracle (WOTRO), where we only ask of the $m$-bit output to have some randomness when conditioned on the $n$-bit input. We show that when $n-m\in\omega(\lg n)$, any protocol for WOTRO in the CRQS model can be attacked by an (inefficient) adversary. Moreover, our adversary is efficiently simulatable, which rules out the possibility of proving the computational security of a scheme by a fully black-box reduction to a cryptographic game assumption. On the other hand, we introduce a non-game quantum assumption for hash functions that implies WOTRO in the CRQS model (where the CRQS consists only of EPR pairs). We first build a statistically secure WOTRO protocol where $m=n$, then hash the output. The impossibility of WOTRO has the following consequences. First, we show the fully-black-box impossibility of a quantum Fiat-Shamir transform, extending the impossibility result of Bitansky et al. (TCC 2013) to the CRQS model. Second, we show a fully-black-box impossibility result for a strenghtened version of quantum lightning (Zhandry, Eurocrypt 2019) where quantum bolts have an additional parameter that cannot be changed without generating new bolts. Our results also apply to $2$-message protocols in the plain model.

Quantum Physics,Cryptography and Security

Liu, Feng-Hao

DOI: https://doi.org/10.1007/s10623-024-01523-6

IF: 1.4

2024-11-25

Designs Codes and Cryptography

Abstract:Achieving tight security is a fundamental task in cryptography. While one of the most important purposes of this task is to improve the overall efficiency of a construction (by allowing smaller security parameters), many current lattice-based instantiations do not completely achieve the goal. Particularly, a super-polynomial modulus seems to be necessary in all prior work for (almost) tight schemes that allow the adversary to conduct queries, such as PRF, IBE, and Signatures. As the super-polynomial modulus would affect the noise-to-modulus ratio and thus increase the parameters, this might cancel out the advantages (in efficiency) brought from the tighter analysis. To determine the full power of tight security/analysis in lattices, it is necessary to determine whether the super-polynomial modulus restriction is inherent. In this work, we remove the super-polynomial modulus restriction for many important primitives—PRF, IBE, all-but-many Lossy Trapdoor Functions, and Signatures. The crux relies on an improvement over the framework of Boyen and Li (Asiacrypt 16), and an almost tight reduction from LWE to LWR, which improves prior work by Alwen et al. (Eurocrypt 13), Bogdanov et al. (TCC 16), and Bai et al. (Asiacrypt 15). By combining these two advances, we are able to derive these almost tight schemes under LWE with a polynomial modulus.

mathematics, applied,computer science, theory & methods