Presentation is loading. Please wait.

Presentation is loading. Please wait.

Collapse-binding quantum commitments without random oracles

Published byΕφθαλία Σκλαβούνος Modified over 4 years ago

Similar presentations

Presentation on theme: "Collapse-binding quantum commitments without random oracles"β€” Presentation transcript:

1 Collapse-binding quantum commitments without random oracles
Dominique Unruh University of Tartu

2 Example: a commitment scheme
Consider a horse race β€œSpicy Spirit” wins… Player Bookie 𝐻("𝑠𝑝𝑖𝑐𝑦 π‘ π‘π‘–π‘Ÿπ‘–π‘‘", ) Player Bookie 231632 $$$ Commitments and hashes

3 Surprises with hash functions
Consider a cheating player β€œWallopping Waldo” wins… Player Bookie Some fake β„Ž 𝐻("𝑠𝑝𝑖𝑐𝑦 π‘ π‘π‘–π‘Ÿπ‘–π‘‘", ) Player Bookie π‘Ÿ with 𝐻 π‘€π‘Žπ‘™π‘™π‘œπ‘,π‘Ÿ =β„Ž $$$ Commitments and hashes

4 Surprises with hash functions (II)
Player Bookie Classical crypto: 𝐻 is collision-resistant (infeasible to find π‘₯, π‘₯ β€² with 𝐻 π‘₯ =𝐻( π‘₯ β€² )) Consequence: Can open β„Ž to one horse only. Surprise: Does not hold for quantum adv (𝐻 might be coll.-res., and attack still works) [Unruh, Eurocrypt 16] Commitments and hashes

5 Surprises with hash functions (III)
Player Bookie Some fake β„Ž π‘Ÿ with 𝐻 π‘€π‘Žπ‘™π‘™π‘œπ‘,π‘Ÿ =β„Ž |Ξ¨βŒͺ |Ξ¨βŒͺ used up! Commitments and hashes

6 Solution: Quantum binding-definitions [Unruh 16]
Forbids β€œWaldo-attack” Composes in parallel β€œRewinding-friendly” Definition: Collapse-binding commitment Do collapsing hash functions exist in the standard model? Simple constructions Strengthening of collision-resistance Exist in random oracle model Definition: Collapsing hash Commitments and hashes

7 Collapsing hash functions
Strengthening of β€œcollision-resistance” for quantum setting Adv. A messages π‘š (in superposition) Def: Collapsing = A cannot distinguish A |π‘šβŒͺ A |π‘šβŒͺ or Measure 𝑯(π’Ž) Measure π’Ž Commitments and hashes

8 Collapsing hash funs – constructions?
Lossy function (LF): Indistinguishable whether injective, or highly non-injective (β€œlossy”) message … long … hash LF universal hash func looks injective β‡’ is collapsing injective on im(𝐿𝐹) Commitments and hashes

9 Commitments and hashes
Hashing long messages? Prior construction: Fixed compression factor (e.g., 2) For long messages: Merkle-DamgΓ₯rd Conclusion: measure hash β‰ˆ measure input 𝑖𝑛𝑖𝑑 𝑣𝑒𝑐 measure 𝐻 measure 𝐻 measure 𝐻 measure 𝐻 β„Žπ‘Žπ‘ β„Ž measure π‘šπ‘ π‘” 1 π‘šπ‘ π‘” 2 π‘šπ‘ π‘” 3 π‘π‘Žπ‘‘π‘‘π‘–π‘›π‘” measure measure measure measure Commitments and hashes

10 Commitments and hashes
One more result Collapse-binding implies β€œsum-binding” Shows relationship to existing defs Can be used to show that collapse-binding bit commitments give secure coin-tosses Commitments and hashes

11 Commitments and hashes
Summary Classical definitions for commitments & hashes: insufficient! New definitions: collapse-binding / collapsing Constructions from lossy functions / lattice-assumptions Question: Collapsing hashes from OWF / coll.-resistance? Commitments and hashes

12 I thank for your attention
This research was supported by European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa

13 New definitions needed
Classical def of computationally binding: β€œWalloping Waldo” attack still possible! Collision-resistance Weaker than expected Stronger def? (NIST post-quantum competition?) Our proposal: β€œCollapse-binding” commitments Our proposal: β€œCollapsing” hash functions Commitments and hashes

14 Collapse-binding commitments
Adv. A outputs commitment 𝑐 (classically), and valid openings π‘š,𝑒 (in superposition) Def: Collapse-binding = A cannot distinguish |π‘šβŒͺ A |π‘šβŒͺ |𝑒βŒͺ 𝑐 measure A A or |𝑒βŒͺ 𝑐 Commitments and hashes

15 Commitments and hashes
Why this def? Intuition: Adversary cannot produce several openings in superposition If he could, he’d notice measurement Formally: Weaker than β€œnon-existence of two openings” (perfect) Stronger than β€œhard to find two openings” (class.-style) kind of… A |π‘šβŒͺ |𝑒βŒͺ 𝑐 or measure Commitments and hashes

Download ppt "Collapse-binding quantum commitments without random oracles"

Similar presentations

Coin Tossing With A Man In The Middle Boaz Barak.

Coin Tossing With A Man In The Middle Boaz Barak.
Merkle Damgard Revisited: how to Construct a hash Function

Merkle Damgard Revisited: how to Construct a hash Function
Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.

Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.

1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}* οƒ  {0,1} 160 – Input is called β€œmessage”, output is β€œdigest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}* οƒ  {0,1} 160 – Input is called β€œmessage”, output is β€œdigest”
New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti UniversitΓ  di Salerno.

New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti UniversitΓ  di Salerno.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.

Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Oblivious Transfer based on the McEliece Assumptions

Oblivious Transfer based on the McEliece Assumptions
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.

The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
Cryptographic Hashing: Blockcipher-Based Constructions, Revisited Tom Shrimpton Portland State University.

Cryptographic Hashing: Blockcipher-Based Constructions, Revisited Tom Shrimpton Portland State University.
Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London.

Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London.
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.

Similar presentations

Ads by Google