Serge Fehr & Christian Schaffner, CWI Amsterdam, The Netherlands. Randomness Extraction via δ-Biased Masking in the Presence of a Quantum Attacker. TCC.

Presentation transcript:

Slide 1. Serge Fehr & Christian Schaffner, CWI Amsterdam, The Netherlands. Randomness Extraction via δ-Biased Masking in the Presence of a Quantum Attacker. TCC 2008, 21/3/2008, New York, USA.

Slide 2. Agenda: Motivation; Main Result; Applications; Related Work.

Slide 3. Motivating Example: random source; X = …; Z = 10011…; Key K.

Slide 4. Left-Over Hash Lemma: X = …; Z = 10011…; Key K; 2-universal F; H_∞(X|KZ) ≥ m; F(X) = ? Key K can be reused!

Slide 5. Imperfect Source: imperfect random source; X = …; X’ = …; Z = 10011…; Key K.

Slide 6. Information Reconciliation: X = …; X’ = …; Z = 10011…; Key K; C ∈_R C; Y = X ⊕ C; C’ = Y ⊕ X’; decode; F(X) = ?; H_∞(X|KZ) ≥ m + |syn(X)|.

Slide 7. Reusability Problem: X = …; X’ = …; Z = 10011…; Key K; C ∈_R C; Y = X ⊕ C; C’ = Y ⊕ X’; decode; F(X) = ?; H_∞(X|KZ) ≥ m + |syn(X)|. Problem: K cannot be reused!

Slide 8. Solution [Dodis, Smith 05]: X = …; X’ = …; Z = 10011…; Key K; C ∈_R C; Y = X ⊕ C; C’ = Y ⊕ X’; decode; Y = ?; H_∞(X|KZ) ≥ m + |syn(X)|. K can be safely reused!

Slide 9. The Quantum Case: imperfect random source; X = …; X’ = …; Key K; ρ_Z; 101…

Slide 10. Two-Universal Hashing: X = …; X’ = …; Key K; ρ_Z; 101…; C ∈_R C; Y = X ⊕ C; C’ = Y ⊕ X’; decode; F(X) = ?; H_∞(X|K ρ_Z) ≥ m + |syn(X)|.

Slide 11. Problem: X = …; X’ = …; Key K; ρ_Z; 101…; C ∈_R C; Y = X ⊕ C; C’ = Y ⊕ X’; decode; Y = ?; H_∞(X|K ρ_Z) ≥ m + |syn(X)|. K can be safely reused! [Dodis, Smith 05] ρ_Z: ?

Slide 12. Agenda: Motivation; Main Result; Applications; Related Work.

Slide 13. Classical Theorem [Dodis, Smith 05]: random variable A in {0,1}^n is δ-biased if for all; {A_i} δ-biased family over {0,1}^n; joint distribution P_XZ where X in {0,1}^n and Z some side information. Then, for uniform I: Z, I, A_I ⊕ X = ?

Slide 14. Main Theorem: random variable A in {0,1}^n is δ-biased if for all; {A_i} δ-biased family over {0,1}^n; joint quantum state ρ_XZ where X in {0,1}^n and Z some quantum side information. Then, for uniform I: I, ρ_Z, A_I ⊕ X = ?

Slide 15. Proof Technique: random variable A in {0,1}^n is δ-biased if for all; {A_i} δ-biased family over {0,1}^n; joint quantum state ρ_XZ where X in {0,1}^n and Z some quantum side information. Then, for uniform I: I, ρ_Z, A_I ⊕ X = ? Proof: quantum-information theory; Fourier analysis of matrix-valued functions over {0,1}^n.

Slide 16. Application: Entropic Encryption. [Alon, Goldreich, Håstad, Peralta 90]: δ-biased set K over {0,1}^n of size |K| = O(n^2/δ^2); joint quantum state ρ_XZ where X n-bit message and Z some quantum side information; ρ_Z, K ⊕ X = ? Then, for uniform I: if H_∞(ρ_XZ|Z) ≥ t, then a key size of log |K| = n - t + 2 log(n) + 2 log(1/ε) + O(1) suffices to encrypt X.
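The masking step on this slide, worked through in the classical special case with no side information Z (an added example, not taken from the slides). It uses the standard definition of bias, max over nonzero α of |E[(-1)^(α·K)]|, and the Fourier-analytic bound (1/2)·δ·2^((n-t)/2) on the distance of K ⊕ X from uniform, with t the collision entropy of X. The toy sizes, the random key set standing in for the [Alon, Goldreich, Håstad, Peralta 90] construction, and all function names are assumptions of the example.

```python
import math
import random

N = 10  # message length in bits (toy value chosen for this example)

def bias(keys, n=N):
    """Largest |E[(-1)^(alpha . K)]| over nonzero alpha, K uniform on keys."""
    worst = 0.0
    for alpha in range(1, 1 << n):
        total = sum(1 - 2 * (bin(alpha & k).count("1") & 1) for k in keys)
        worst = max(worst, abs(total) / len(keys))
    return worst

def collision_entropy(dist):
    """Renyi-2 entropy in bits; at least the min-entropy of the same source."""
    return -math.log2(sum(p * p for p in dist.values()))

def masked_distance(keys, dist, n=N):
    """Statistical distance between K xor X and uniform on {0,1}^n."""
    out = [0.0] * (1 << n)
    for x, p in dist.items():
        for k in keys:
            out[k ^ x] += p / len(keys)
    uniform = 1.0 / (1 << n)
    return 0.5 * sum(abs(q - uniform) for q in out)

def fourier_bound(delta, t, n=N):
    """Classical bound on that distance: (1/2) * delta * 2^((n - t)/2)."""
    return 0.5 * delta * 2 ** ((n - t) / 2)

# Constructed source: X uniform on 2^8 of the 2^10 strings, so t = 8.
SOURCE = {x: 1 / 256 for x in range(256)}
# Stand-in for a small-bias set: 256 random keys (not the AGHP construction).
RANDOM_KEYS = random.Random(1).sample(range(1 << N), 256)
# Same key length, but a linear subspace: bias 1 in the directions it misses.
SUBSPACE_KEYS = list(range(256))

def evaluate(keys):
    delta = bias(keys)
    t = collision_entropy(SOURCE)
    return delta, masked_distance(keys, SOURCE), fourier_bound(delta, t)

if __name__ == "__main__":
    for name, keys in (("random", RANDOM_KEYS), ("subspace", SUBSPACE_KEYS)):
        delta, dist, bound = evaluate(keys)
        print(f"{name:9s} bias={delta:.3f} distance={dist:.3f} bound={bound:.3f}")
```

Both key sets cost 8 key bits for a 10-bit message, but only the low-bias one hides X: the subspace keys leave the ciphertext at distance 0.75 from uniform.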

Slide 17. Weak Extractor: For any ε ≥ 0 and 0 ≤ t ≤ n, there exists a (t,ε)-weak quantum extractor with n-bit output and seed length n - t + 2 log(n) + 2 log(1/ε) + O(1). ρ_Z, K ⊕ X = ? Then, for uniform I: if H_∞(ρ_XZ|Z) ≥ t, then a key size of log |K| = n - t + 2 log(n) + 2 log(1/ε) + O(1) suffices to encrypt X.

Slide 18. Application: Private Error Correction. [Dodis, Smith 05]: for every 0 < λ < 1, there is a family of binary linear codes {C_i} of length n, correcting a linear fraction of errors, and {C_i} is δ-biased with δ < 2^(-λn/2). Joint quantum state ρ_XZ where X in {0,1}^n and Z some quantum side information with H_∞(ρ_XZ|Z) ≥ t. Then, for uniform I: I, ρ_Z, C_I ⊕ X = ?

Slide 19. Agenda: Motivation; Main Result; Applications; Related Work.

Slide 20. Randomness Extraction against Q-Memory: [König, Renner, Maurer 03] 2-universal hashing; [König, Terhal 06] 1-bit-output extractors; [this work 06] δ-biased masking; [Smith 07] Srinivasan-Zuckerman extractors; [König, Renner 07] sampling min-entropy relative to quantum knowledge. Diagram labels: F; Ext; C_I ⊕ X = ?; ‖ρ_XZ‖_2; H_∞(X_1 X_2 … X_n | ρ_Z) = α ⇒ H_∞(X_{r_1} X_{r_2} … X_{r_s} | ρ_Z) ≥ α s/n.

Slide 21. Related work: [Gavinsky, Kempe, Kerenidis, Raz, de Wolf 06] counterexample: strong extractor which is classically “secure”, but completely insecure against q-memory of similar size; [Ambainis, Smith 04] encrypting quantum messages with δ-biased masking; [Desrosiers, Dupuis 07] quantum entropic security. Quantum Schemes.

Slide 22. Conclusions: randomness extraction via δ-biased masking is secure in the presence of quantum attacker; entropic security; Error Correction without Leaking Partial Information; Applications in the Bounded-(Quantum-)Storage Model. Thanks to you!

Slide 23. Strong Extractor: Let {C_i} be a δ-biased family of binary linear [n,k,d]_2 codes, {H_i} the parity-check matrix. Then, Ext: (i,x) ↦ H_i x is a (t,ε)-strong quantum extractor with (n-k)-bit output, ε = δ·2^((n-t)/2). Seed length must be linear in n. Then: I, ρ_Z, C_I ⊕ X = ?