-
Permutation Superposition Oracles for Quantum Query Lower Bounds
Authors:
Christian Majenz,
Giulio Malavolta,
Michael Walter
Abstract:
We propose a generalization of Zhandry's compressed oracle method to random permutations, where an algorithm can query both the permutation and its inverse. We show how to use the resulting oracle simulation to bound the success probability of an algorithm for any predicate on input-output pairs, a key feature of Zhandry's technique that had hitherto resisted attempts at generalization to random p…
▽ More
We propose a generalization of Zhandry's compressed oracle method to random permutations, where an algorithm can query both the permutation and its inverse. We show how to use the resulting oracle simulation to bound the success probability of an algorithm for any predicate on input-output pairs, a key feature of Zhandry's technique that had hitherto resisted attempts at generalization to random permutations. One key technical ingredient is to use strictly monotone factorizations to represent the permutation in the oracle's database. As an application of our framework, we show that the one-round sponge construction is unconditionally preimage resistant in the random permutation model. This proves a conjecture by Unruh.
△ Less
Submitted 12 July, 2024;
originally announced July 2024.
-
Failing gracefully: Decryption failures and the Fujisaki-Okamoto transform
Authors:
Kathrin Hövelmanns,
Andreas Hülsing,
Christian Majenz
Abstract:
In known security reductions for the Fujisaki-Okamoto transformation, decryption failures are handled via a reduction solving the rather unnatural task of finding failing plaintexts given the private key, resulting in a Grover search bound. Moreover, they require an implicit rejection mechanism for invalid ciphertexts to achieve a reasonable security bound in the QROM. We present a reduction that…
▽ More
In known security reductions for the Fujisaki-Okamoto transformation, decryption failures are handled via a reduction solving the rather unnatural task of finding failing plaintexts given the private key, resulting in a Grover search bound. Moreover, they require an implicit rejection mechanism for invalid ciphertexts to achieve a reasonable security bound in the QROM. We present a reduction that has neither of these deficiencies: We introduce two security games related to finding decryption failures, one capturing the computationally hard task of using the public key to find a decryption failure, and one capturing the statistically hard task of searching the random oracle for key-independent failures like, e.g., large randomness. As a result, our security bounds in the QROM are tighter than previous ones with respect to the generic random oracle search attacks: The attacker can only partially compute the search predicate, namely for said key-independent failures. In addition, our entire reduction works for the explicit-reject variant of the transformation and improves significantly over all of its known reductions. Besides being the more natural variant of the transformation, security of the explicit reject mechanism is also relevant for side channel attack resilience of the implicit-rejection variant. Along the way, we prove several technical results characterizing preimage extraction and certain search tasks in the QROM that might be of independent interest.
△ Less
Submitted 18 March, 2022;
originally announced March 2022.
-
Efficient NIZKs and Signatures from Commit-and-Open Protocols in the QROM
Authors:
Jelle Don,
Serge Fehr,
Christian Majenz,
Christian Schaffner
Abstract:
Commit-and-open Sigma-protocols are a popular class of protocols for constructing non-interactive zero-knowledge arguments and digital-signature schemes via the Fiat-Shamir transformation. Instantiated with hash-based commitments, the resulting non-interactive schemes enjoy tight online-extractability in the random oracle model. Online extractability improves the tightness of security proofs for t…
▽ More
Commit-and-open Sigma-protocols are a popular class of protocols for constructing non-interactive zero-knowledge arguments and digital-signature schemes via the Fiat-Shamir transformation. Instantiated with hash-based commitments, the resulting non-interactive schemes enjoy tight online-extractability in the random oracle model. Online extractability improves the tightness of security proofs for the resulting digital-signature schemes by avoiding lossy rewinding or forking-lemma based extraction.
In this work, we prove tight online extractability in the quantum random oracle model (QROM), showing that the construction supports post-quantum security. First, we consider the default case where committing is done by element-wise hashing. In a second part, we extend our result to Merkle-tree based commitments. Our results yield a significant improvement of the provable post-quantum security of the digital-signature scheme Picnic.
Our analysis makes use of a recent framework by Chung et al. [arXiv:2010.11658] for analysing quantum algorithms in the QROM using purely classical reasoning. Therefore, our results can to a large extent be understood and verified without prior knowledge of quantum information science.
△ Less
Submitted 28 February, 2022;
originally announced February 2022.
-
Post-Quantum Security of the Even-Mansour Cipher
Authors:
Gorjan Alagic,
Chen Bai,
Jonathan Katz,
Christian Majenz
Abstract:
The Even-Mansour cipher is a simple method for constructing a (keyed) pseudorandom permutation $E$ from a public random permutation~$P:\{0,1\}^n \rightarrow \{0,1\}^n$. It is secure against classical attacks, with optimal attacks requiring $q_E$ queries to $E$ and $q_P$ queries to $P$ such that $q_E \cdot q_P \approx 2^n$. If the attacker is given \emph{quantum} access to both $E$ and $P$, however…
▽ More
The Even-Mansour cipher is a simple method for constructing a (keyed) pseudorandom permutation $E$ from a public random permutation~$P:\{0,1\}^n \rightarrow \{0,1\}^n$. It is secure against classical attacks, with optimal attacks requiring $q_E$ queries to $E$ and $q_P$ queries to $P$ such that $q_E \cdot q_P \approx 2^n$. If the attacker is given \emph{quantum} access to both $E$ and $P$, however, the cipher is completely insecure, with attacks using $q_E, q_P = O(n)$ queries known.
In any plausible real-world setting, however, a quantum attacker would have only \emph{classical} access to the keyed permutation~$E$ implemented by honest parties, even while retaining quantum access to~$P$. Attacks in this setting with $q_E \cdot q_P^2 \approx 2^n$ are known, showing that security degrades as compared to the purely classical case, but leaving open the question as to whether the Even-Mansour cipher can still be proven secure in this natural, "post-quantum" setting.
We resolve this question, showing that any attack in that setting requires $q_E \cdot q^2_P + q_P \cdot q_E^2 \approx 2^n$. Our results apply to both the two-key and single-key variants of Even-Mansour. Along the way, we establish several generalizations of results from prior work on quantum-query lower bounds that may be of independent interest.
△ Less
Submitted 14 December, 2021;
originally announced December 2021.
-
Local simultaneous state discrimination
Authors:
Christian Majenz,
Maris Ozols,
Christian Schaffner,
Mehrdad Tahmasbi
Abstract:
Quantum state discrimination is one of the most fundamental problems studied in quantum information theory. Applications range from channel coding to metrology and cryptography. In this work, we introduce a new variant of this task: Local Simultaneous State Discrimination (LSSD). While previous distributed variants of the discrimination problem always allowed some communication between the parties…
▽ More
Quantum state discrimination is one of the most fundamental problems studied in quantum information theory. Applications range from channel coding to metrology and cryptography. In this work, we introduce a new variant of this task: Local Simultaneous State Discrimination (LSSD). While previous distributed variants of the discrimination problem always allowed some communication between the parties to come up with a joint answer, the parties in LSSD cannot communicate and have to simultaneously answer correctly. This simultaneity implies, e.g., that for classical states, the problem does not trivialize to a non-distributed distinguishing task. While interesting in its own right, this problem also arises in quantum cryptography. After introducing the problem, we give a number of characterization results. We give examples showing that i) the optimal strategy for local discrimination need not coincide with the optimal strategy for LSSD, even for classical states, ii) an additional entangled resource can increase the optimal success probability in LSSD, and iii) stronger-than-quantum non-signalling resources can allow for a higher success probability in some cases, compared to strategies using entanglement. Finally, we show that finding the optimal strategy in (classical) 3-party LSSD is NP-hard.
△ Less
Submitted 1 November, 2021;
originally announced November 2021.
-
A Guide for New Program Committee Members at Theoretical Computer Science Conferences
Authors:
Yfke Dulek,
Stacey Jeffery,
Christian Majenz,
Christian Schaffner,
Florian Speelman,
Ronald de Wolf
Abstract:
In theoretical computer science, conferences play an important role in the scientific process. The decisions whether to accept or reject articles is taken by the program committee (PC) members. Serving on a PC for the first time can be a daunting experience. This guide will help new program-committee members to understand how the system works, and provide useful tips and guidelines. It discusses e…
▽ More
In theoretical computer science, conferences play an important role in the scientific process. The decisions whether to accept or reject articles is taken by the program committee (PC) members. Serving on a PC for the first time can be a daunting experience. This guide will help new program-committee members to understand how the system works, and provide useful tips and guidelines. It discusses every phase of the paper-selection process, and the tasks associated to it.
△ Less
Submitted 4 May, 2021;
originally announced May 2021.
-
Limitations on Uncloneable Encryption and Simultaneous One-Way-to-Hiding
Authors:
Christian Majenz,
Christian Schaffner,
Mehrdad Tahmasbi
Abstract:
We study uncloneable quantum encryption schemes for classical messages as recently proposed by Broadbent and Lord. We focus on the information-theoretic setting and give several limitations on the structure and security of these schemes: Concretely, 1) We give an explicit cloning-indistinguishable attack that succeeds with probability $\frac12 + μ/16$ where $μ$ is related to the largest eigenvalue…
▽ More
We study uncloneable quantum encryption schemes for classical messages as recently proposed by Broadbent and Lord. We focus on the information-theoretic setting and give several limitations on the structure and security of these schemes: Concretely, 1) We give an explicit cloning-indistinguishable attack that succeeds with probability $\frac12 + μ/16$ where $μ$ is related to the largest eigenvalue of the resulting quantum ciphertexts. 2) For a uniform message distribution, we partially characterize the scheme with the minimal success probability for cloning attacks. 3) Under natural symmetry conditions, we prove that the rank of the ciphertext density operators has to grow at least logarithmically in the number of messages to ensure uncloneable security. 4) The \emph{simultaneous} one-way-to-hiding (O2H) lemma is an important technique in recent works on uncloneable encryption and quantum copy protection. We give an explicit example which shatters the hope of reducing the multiplicative "security loss" constant in this lemma to below 9/8.
△ Less
Submitted 4 November, 2021; v1 submitted 26 March, 2021;
originally announced March 2021.
-
Quantum-access security of the Winternitz one-time signature scheme
Authors:
Christian Majenz,
Chanelle Matadah Manfouo,
Maris Ozols
Abstract:
Quantum-access security, where an attacker is granted superposition access to secret-keyed functionalities, is a fundamental security model and its study has inspired results in post-quantum security. We revisit, and fill a gap in, the quantum-access security analysis of the Lamport one-time signature scheme (OTS) in the quantum random oracle model (QROM) by Alagic et al.~(Eurocrypt 2020). We then…
▽ More
Quantum-access security, where an attacker is granted superposition access to secret-keyed functionalities, is a fundamental security model and its study has inspired results in post-quantum security. We revisit, and fill a gap in, the quantum-access security analysis of the Lamport one-time signature scheme (OTS) in the quantum random oracle model (QROM) by Alagic et al.~(Eurocrypt 2020). We then go on to generalize the technique to the Winternitz OTS. Along the way, we develop a tool for the analysis of hash chains in the QROM based on the superposition oracle technique by Zhandry (Crypto 2019) which might be of independent interest.
△ Less
Submitted 24 June, 2021; v1 submitted 23 March, 2021;
originally announced March 2021.
-
Online-Extractability in the Quantum Random-Oracle Model
Authors:
Jelle Don,
Serge Fehr,
Christian Majenz,
Christian Schaffner
Abstract:
We show the following generic result. Whenever a quantum query algorithm in the quantum random-oracle model outputs a classical value $t$ that is promised to be in some tight relation with $H(x)$ for some $x$, then $x$ can be efficiently extracted with almost certainty. The extraction is by means of a suitable simulation of the random oracle and works online, meaning that it is straightline, i.e.,…
▽ More
We show the following generic result. Whenever a quantum query algorithm in the quantum random-oracle model outputs a classical value $t$ that is promised to be in some tight relation with $H(x)$ for some $x$, then $x$ can be efficiently extracted with almost certainty. The extraction is by means of a suitable simulation of the random oracle and works online, meaning that it is straightline, i.e., without rewinding, and on-the-fly, i.e., during the protocol execution and without disturbing it.
The technical core of our result is a new commutator bound that bounds the operator norm of the commutator of the unitary operator that describes the evolution of the compressed oracle (which is used to simulate the random oracle above) and of the measurement that extracts $x$.
We show two applications of our generic online extractability result. We show tight online extractability of commit-and-open $Σ$-protocols in the quantum setting, and we offer the first non-asymptotic post-quantum security proof of the textbook Fujisaki-Okamoto transformation, i.e, without adjustments to facilitate the proof.
△ Less
Submitted 17 September, 2021; v1 submitted 4 March, 2021;
originally announced March 2021.
-
Tight adaptive reprogramming in the QROM
Authors:
Alex B. Grilo,
Kathrin Hövelmanns,
Andreas Hülsing,
Christian Majenz
Abstract:
The random oracle model (ROM) enjoys widespread popularity, mostly because it tends to allow for tight and conceptually simple proofs where provable security in the standard model is elusive or costly. While being the adequate replacement of the ROM in the post-quantum security setting, the quantum-accessible random oracle model (QROM) has thus far failed to provide these advantages in many settin…
▽ More
The random oracle model (ROM) enjoys widespread popularity, mostly because it tends to allow for tight and conceptually simple proofs where provable security in the standard model is elusive or costly. While being the adequate replacement of the ROM in the post-quantum security setting, the quantum-accessible random oracle model (QROM) has thus far failed to provide these advantages in many settings. In this work, we focus on adaptive reprogrammability, a feature of the ROM enabling tight and simple proofs in many settings. We show that the straightforward quantum-accessible generalization of adaptive reprogramming is feasible by proving a bound on the adversarial advantage in distinguishing whether a random oracle has been reprogrammed or not. We show that our bound is tight by providing a matching attack. We go on to demonstrate that our technique recovers the mentioned advantages of the ROM in three QROM applications: 1) We give a tighter proof of security of the message compression routine as used by XMSS. 2) We show that the standard ROM proof of chosen-message security for Fiat-Shamir signatures can be lifted to the QROM, straightforwardly, achieving a tighter reduction than previously known. 3) We give the first QROM proof of security against fault injection and nonce attacks for the hedged Fiat-Shamir transform.
△ Less
Submitted 30 October, 2020; v1 submitted 28 October, 2020;
originally announced October 2020.
-
Quantum copy-protection of compute-and-compare programs in the quantum random oracle model
Authors:
Andrea Coladangelo,
Christian Majenz,
Alexander Poremba
Abstract:
Copy-protection allows a software distributor to encode a program in such a way that it can be evaluated on any input, yet it cannot be "pirated" - a notion that is impossible to achieve in a classical setting. Aaronson (CCC 2009) initiated the formal study of quantum copy-protection schemes, and speculated that quantum cryptography could offer a solution to the problem thanks to the quantum no-cl…
▽ More
Copy-protection allows a software distributor to encode a program in such a way that it can be evaluated on any input, yet it cannot be "pirated" - a notion that is impossible to achieve in a classical setting. Aaronson (CCC 2009) initiated the formal study of quantum copy-protection schemes, and speculated that quantum cryptography could offer a solution to the problem thanks to the quantum no-cloning theorem. In this work, we introduce a quantum copy-protection scheme for a large class of evasive functions known as "compute-and-compare programs" - a more expressive generalization of point functions. A compute-and-compare program $\mathsf{CC}[f,y]$ is specified by a function $f$ and a string $y$ within its range: on input $x$, $\mathsf{CC}[f,y]$ outputs $1$, if $f(x) = y$, and $0$ otherwise. We prove that our scheme achieves non-trivial security against fully malicious adversaries in the quantum random oracle model (QROM), which makes it the first copy-protection scheme to enjoy any level of provable security in a standard cryptographic model. As a complementary result, we show that the same scheme fulfils a weaker notion of software protection, called "secure software leasing", introduced very recently by Ananth and La Placa (eprint 2020), with a standard security bound in the QROM, i.e. guaranteeing negligible adversarial advantage. Finally, as a third contribution, we elucidate the relationship between unclonable encryption and copy-protection for multi-bit output point functions.
△ Less
Submitted 28 July, 2024; v1 submitted 29 September, 2020;
originally announced September 2020.
-
The Measure-and-Reprogram Technique 2.0: Multi-Round Fiat-Shamir and More
Authors:
Jelle Don,
Serge Fehr,
Christian Majenz
Abstract:
We revisit recent works by Don, Fehr, Majenz and Schaffner and by Liu and Zhandry on the security of the Fiat-Shamir transformation of $Σ$-protocols in the quantum random oracle model (QROM). Two natural questions that arise in this context are: (1) whether the results extend to the Fiat-Shamir transformation of multi-round interactive proofs, and (2) whether Don et al.'s $O(q^2)$ loss in security…
▽ More
We revisit recent works by Don, Fehr, Majenz and Schaffner and by Liu and Zhandry on the security of the Fiat-Shamir transformation of $Σ$-protocols in the quantum random oracle model (QROM). Two natural questions that arise in this context are: (1) whether the results extend to the Fiat-Shamir transformation of multi-round interactive proofs, and (2) whether Don et al.'s $O(q^2)$ loss in security is optimal.
Firstly, we answer question (1) in the affirmative. As a byproduct of solving a technical difficulty in proving this result, we slightly improve the result of Don et al., equipping it with a cleaner bound and an even simpler proof. We apply our result to digital signature schemes showing that it can be used to prove strong security for schemes like MQDSS in the QROM. As another application we prove QROM-security of a non-interactive OR proof by Liu, Wei and Wong.
As for question (2), we show via a Grover-search based attack that Don et al.'s quadratic security loss for the Fiat-Shamir transformation of $Σ$-protocols is optimal up to a small constant factor. This extends to our new multi-round result, proving it tight up to a factor that depends on the number of rounds only, i.e. is constant for any constant-round interactive proof.
△ Less
Submitted 7 March, 2022; v1 submitted 11 March, 2020;
originally announced March 2020.
-
Weak approximate unitary designs and applications to quantum encryption
Authors:
Cécilia Lancien,
Christian Majenz
Abstract:
Unitary $t$-designs are the bread and butter of quantum information theory and beyond. An important issue in practice is that of efficiently constructing good approximations of such unitary $t$-designs. Building on results by Aubrun (Comm. Math. Phys. 2009), we prove that sampling $d^t\mathrm{poly}(t,\log d, 1/ε)$ unitaries from an exact $t$-design provides with positive probability an $ε$-approxi…
▽ More
Unitary $t$-designs are the bread and butter of quantum information theory and beyond. An important issue in practice is that of efficiently constructing good approximations of such unitary $t$-designs. Building on results by Aubrun (Comm. Math. Phys. 2009), we prove that sampling $d^t\mathrm{poly}(t,\log d, 1/ε)$ unitaries from an exact $t$-design provides with positive probability an $ε$-approximate $t$-design, if the error is measured in one-to-one norm distance of the corresponding $t$-twirling channels. As an application, we give a partially derandomized construction of a quantum encryption scheme that has roughly the same key size and security as the quantum one-time pad, but possesses the additional property of being non-malleable against adversaries without quantum side information.
△ Less
Submitted 25 August, 2020; v1 submitted 15 November, 2019;
originally announced November 2019.
-
Efficient simulation of random states and random unitaries
Authors:
Gorjan Alagic,
Christian Majenz,
Alexander Russell
Abstract:
We consider the problem of efficiently simulating random quantum states and random unitary operators, in a manner which is convincing to unbounded adversaries with black-box oracle access.
This problem has previously only been considered for restricted adversaries. Against adversaries with an a priori bound on the number of queries, it is well-known that $t$-designs suffice. Against polynomial-t…
▽ More
We consider the problem of efficiently simulating random quantum states and random unitary operators, in a manner which is convincing to unbounded adversaries with black-box oracle access.
This problem has previously only been considered for restricted adversaries. Against adversaries with an a priori bound on the number of queries, it is well-known that $t$-designs suffice. Against polynomial-time adversaries, one can use pseudorandom states (PRS) and pseudorandom unitaries (PRU), as defined in a recent work of Ji, Liu, and Song; unfortunately, no provably secure construction is known for PRUs.
In our setting, we are concerned with unbounded adversaries. Nonetheless, we are able to give stateful quantum algorithms which simulate the ideal object in both settings of interest. In the case of Haar-random states, our simulator is polynomial-time, has negligible error, and can also simulate verification and reflection through the simulated state. This yields an immediate application to quantum money: a money scheme which is information-theoretically unforgeable and untraceable. In the case of Haar-random unitaries, our simulator takes polynomial space, but simulates both forward and inverse access with zero error.
These results can be seen as the first significant steps in developing a theory of lazy sampling for random quantum objects.
△ Less
Submitted 13 October, 2019;
originally announced October 2019.
-
Secure Multi-party Quantum Computation with a Dishonest Majority
Authors:
Yfke Dulek,
Alex B. Grilo,
Stacey Jeffery,
Christian Majenz,
Christian Schaffner
Abstract:
The cryptographic task of secure multi-party (classical) computation has received a lot of attention in the last decades. Even in the extreme case where a computation is performed between $k$ mutually distrustful players, and security is required even for the single honest player if all other players are colluding adversaries, secure protocols are known. For quantum computation, on the other hand,…
▽ More
The cryptographic task of secure multi-party (classical) computation has received a lot of attention in the last decades. Even in the extreme case where a computation is performed between $k$ mutually distrustful players, and security is required even for the single honest player if all other players are colluding adversaries, secure protocols are known. For quantum computation, on the other hand, protocols allowing arbitrary dishonest majority have only been proven for $k=2$. In this work, we generalize the approach taken by Dupuis, Nielsen and Salvail (CRYPTO 2012) in the two-party setting to devise a secure, efficient protocol for multi-party quantum computation for any number of players $k$, and prove security against up to $k-1$ colluding adversaries. The quantum round complexity of the protocol for computing a quantum circuit of $\{\mathsf{CNOT, T}\}$ depth $d$ is $O(k \cdot (d + \log n))$, where $n$ is the security parameter. To achieve efficiency, we develop a novel public verification protocol for the Clifford authentication code, and a testing protocol for magic-state inputs, both using classical multi-party computation.
△ Less
Submitted 4 May, 2020; v1 submitted 30 September, 2019;
originally announced September 2019.
-
Non-malleability for quantum public-key encryption
Authors:
Christian Majenz,
Christian Schaffner,
Jeroen van Wier
Abstract:
Non-malleability is an important security property for public-key encryption (PKE). Its significance is due to the fundamental unachievability of integrity and authenticity guarantees in this setting, rendering it the strongest integrity-like property achievable using only PKE, without digital signatures. In this work, we generalize this notion to the setting of quantum public-key encryption. Over…
▽ More
Non-malleability is an important security property for public-key encryption (PKE). Its significance is due to the fundamental unachievability of integrity and authenticity guarantees in this setting, rendering it the strongest integrity-like property achievable using only PKE, without digital signatures. In this work, we generalize this notion to the setting of quantum public-key encryption. Overcoming the notorious "recording barrier" known from generalizing other integrity-like security notions to quantum encryption, we generalize one of the equivalent classical definitions, comparison-based non-malleability, and show how it can be fulfilled. In addition, we explore one-time non-malleability notions for symmetric-key encryption from the literature by defining plaintext and ciphertext variants and by characterizing their relation.
△ Less
Submitted 26 March, 2021; v1 submitted 14 May, 2019;
originally announced May 2019.
-
Quantum Lazy Sampling and Game-Playing Proofs for Quantum Indifferentiability
Authors:
Jan Czajkowski,
Christian Majenz,
Christian Schaffner,
Sebastian Zur
Abstract:
Game-playing proofs constitute a powerful framework for non-quantum cryptographic security arguments, most notably applied in the context of indifferentiability. An essential ingredient in such proofs is lazy sampling of random primitives. We develop a quantum game-playing proof framework by generalizing two recently developed proof techniques. First, we describe how Zhandry's compressed quantum o…
▽ More
Game-playing proofs constitute a powerful framework for non-quantum cryptographic security arguments, most notably applied in the context of indifferentiability. An essential ingredient in such proofs is lazy sampling of random primitives. We develop a quantum game-playing proof framework by generalizing two recently developed proof techniques. First, we describe how Zhandry's compressed quantum oracles~(Crypto'19) can be used to do quantum lazy sampling of a class of non-uniform function distributions. Second, we observe how Unruh's one-way-to-hiding lemma~(Eurocrypt'14) can also be applied to compressed oracles, providing a quantum counterpart to the fundamental lemma of game-playing. Subsequently, we use our game-playing framework to prove quantum indifferentiability of the sponge construction, assuming a random internal function.
△ Less
Submitted 12 May, 2021; v1 submitted 25 April, 2019;
originally announced April 2019.
-
Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model
Authors:
Jelle Don,
Serge Fehr,
Christian Majenz,
Christian Schaffner
Abstract:
The famous Fiat-Shamir transformation turns any public-coin three-round interactive proof, i.e., any so-called sigma-protocol, into a non-interactive proof in the random-oracle model. We study this transformation in the setting of a quantum adversary that in particular may query the random oracle in quantum superposition.
Our main result is a generic reduction that transforms any quantum dishone…
▽ More
The famous Fiat-Shamir transformation turns any public-coin three-round interactive proof, i.e., any so-called sigma-protocol, into a non-interactive proof in the random-oracle model. We study this transformation in the setting of a quantum adversary that in particular may query the random oracle in quantum superposition.
Our main result is a generic reduction that transforms any quantum dishonest prover attacking the Fiat-Shamir transformation in the quantum random-oracle model into a similarly successful quantum dishonest prover attacking the underlying sigma-protocol (in the standard model). Applied to the standard soundness and proof-of-knowledge definitions, our reduction implies that both these security properties, in both the computational and the statistical variant, are preserved under the Fiat-Shamir transformation even when allowing quantum attacks. Our result improves and completes the partial results that have been known so far, but it also proves wrong certain claims made in the literature.
In the context of post-quantum secure signature schemes, our results imply that for any sigma-protocol that is a proof-of-knowledge against quantum dishonest provers (and that satisfies some additional natural properties), the corresponding Fiat-Shamir signature scheme is secure in the quantum random-oracle model. For example, we can conclude that the non-optimized version of Fish, which is the bare Fiat-Shamir variant of the NIST candidate Picnic, is secure in the quantum random-oracle model.
△ Less
Submitted 27 July, 2020; v1 submitted 20 February, 2019;
originally announced February 2019.
-
Can you sign a quantum state?
Authors:
Gorjan Alagic,
Tommaso Gagliardoni,
Christian Majenz
Abstract:
Cryptography with quantum states exhibits a number of surprising and counterintuitive features. In a 2002 work, Barnum et al. argue that these features imply that digital signatures for quantum states are impossible (Barnum et al., FOCS 2002). In this work, we ask: can all forms of signing quantum data, even in a possibly weak sense, be completely ruled out? We give two results which shed signific…
▽ More
Cryptography with quantum states exhibits a number of surprising and counterintuitive features. In a 2002 work, Barnum et al. argue that these features imply that digital signatures for quantum states are impossible (Barnum et al., FOCS 2002). In this work, we ask: can all forms of signing quantum data, even in a possibly weak sense, be completely ruled out? We give two results which shed significant light on this basic question.
First, we prove an impossibility result for digital signatures for quantum data, which extends the result of Barnum et al. Specifically, we show that no nontrivial combination of correctness and security requirements can be fulfilled, beyond what is achievable simply by measuring the quantum message and then signing the outcome. In other words, only classical signature schemes exist.
We then show a positive result: a quantum state can be signed with the same security guarantees as classically, provided that it is also encrypted with the public key of the intended recipient. Following classical nomenclature, we call this notion quantum signcryption. Classically, signcryption is only interesting if it provides superior performance to encypt-then-sign. Quantumly, it is far more interesting: it is the only signing method available. We develop "as-strong-as-classical" security definitions for quantum signcryption and give secure constructions based on post-quantum public-key primitives. Along the way, we show that a natural hybrid method of combining classical and quantum schemes can be used to "upgrade" a secure classical scheme to the fully-quantum setting, in a wide range of cryptographic settings including signcryption, authenticated encryption, and CCA security.
△ Less
Submitted 6 December, 2021; v1 submitted 28 November, 2018;
originally announced November 2018.
-
Constraints on Multipartite Quantum Entropies
Authors:
Christian Majenz
Abstract:
The von Neumann entropy plays a vital role in quantum information theory. The von Neumann entropy determines, e.g., the capacities of quantum channels. Also, entropies of composite quantum systems are important for future quantum networks, and their characterization is related to the quantum marginal problem. Furthermore, they play a role in quantum thermodynamics. In this thesis the set of quantu…
▽ More
The von Neumann entropy plays a vital role in quantum information theory. The von Neumann entropy determines, e.g., the capacities of quantum channels. Also, entropies of composite quantum systems are important for future quantum networks, and their characterization is related to the quantum marginal problem. Furthermore, they play a role in quantum thermodynamics. In this thesis the set of quantum entropies of multipartite quantum systems is studied. The problem of its characterization is not new -- however, progress has been sparse, indicating that the problem might be hard and that new methods might be needed. Here, a variety of different and complementary approaches are taken.
First, I look at global properties. It is known that the von Neumann entropy region -- just like its classical counterpart -- forms a convex cone. I describe the symmetries of this cone and highlight geometric similarities and differences to the classical entropy cone.
In a different approach, I utilize the local geometric properties of extremal rays of a cone. I show that quantum states whose entropy lies on such an extremal ray of the quantum entropy cone have a very simple structure.
As the set of all quantum states is very complicated, I look at a simple subset called stabilizer states. I improve on previously known results by showing that under a technical condition on the local dimension, entropies of stabilizer states respect an additional class of information inequalities that is valid for random variables from linear codes.
In a last approach I find a representation-theoretic formulation of the classical marginal problem simplifying the comparison with its quantum mechanical counterpart. This novel correspondence yields a simplified formulation of the group characterization of classical entropies (IEEE Trans. Inf. Theory, 48(7):1992-1995, 2002) in purely combinatorial terms.
△ Less
Submitted 30 October, 2018;
originally announced October 2018.
-
Entropy in Quantum Information Theory -- Communication and Cryptography
Authors:
Christian Majenz
Abstract:
In this Thesis, several results in quantum information theory are collected, most of which use entropy as the main mathematical tool. *While a direct generalization of the Shannon entropy to density matrices, the von Neumann entropy behaves differently. A long-standing open question is, whether there are quantum analogues of unconstrained non-Shannon type inequalities. Here, a new constrained non-…
▽ More
In this Thesis, several results in quantum information theory are collected, most of which use entropy as the main mathematical tool. *While a direct generalization of the Shannon entropy to density matrices, the von Neumann entropy behaves differently. A long-standing open question is, whether there are quantum analogues of unconstrained non-Shannon type inequalities. Here, a new constrained non-von-Neumann type inequality is proven, a step towards a conjectured unconstrained inequality by Linden and Winter. *IID quantum state merging can be optimally achieved using the decoupling technique. The one-shot results by Berta et al. and Anshu at al., however, had to bring in additional mathematical machinery. We introduce a natural generalized decoupling paradigm, catalytic decoupling, that can reproduce the aforementioned results when used analogously to the application of standard decoupling in the asymptotic case. *Port based teleportation, a variant of standard quantum teleportation protocol, cannot be implemented perfectly. We prove several lower bounds on the necessary number of output ports N to achieve port based teleportation for given error and input dimension, showing that N diverges uniformly in the dimension of the teleported quantum system, for vanishing error. As a byproduct, a new lower bound for the size of the program register for an approximate universal programmable quantum processor is derived. *In the last part, we give a new definition for information-theoretic quantum non-malleability, strengthening the previous definition by Ambainis et al. We show that quantum non-malleability implies secrecy, analogous to quantum authentication. Furthermore, non-malleable encryption schemes can be used as a primitive to build authenticating encryption schemes. We also show that the strong notion of authentication recently proposed by Garg et al. can be fulfilled using 2-designs.
△ Less
Submitted 24 October, 2018;
originally announced October 2018.
-
Asymptotic performance of port-based teleportation
Authors:
Matthias Christandl,
Felix Leditzky,
Christian Majenz,
Graeme Smith,
Florian Speelman,
Michael Walter
Abstract:
Quantum teleportation is one of the fundamental building blocks of quantum Shannon theory. While ordinary teleportation is simple and efficient, port-based teleportation (PBT) enables applications such as universal programmable quantum processors, instantaneous non-local quantum computation and attacks on position-based quantum cryptography. In this work, we determine the fundamental limit on the…
▽ More
Quantum teleportation is one of the fundamental building blocks of quantum Shannon theory. While ordinary teleportation is simple and efficient, port-based teleportation (PBT) enables applications such as universal programmable quantum processors, instantaneous non-local quantum computation and attacks on position-based quantum cryptography. In this work, we determine the fundamental limit on the performance of PBT: for arbitrary fixed input dimension and a large number $N$ of ports, the error of the optimal protocol is proportional to the inverse square of $N$. We prove this by deriving an achievability bound, obtained by relating the corresponding optimization problem to the lowest Dirichlet eigenvalue of the Laplacian on the ordered simplex. We also give an improved converse bound of matching order in the number of ports. In addition, we determine the leading-order asymptotics of PBT variants defined in terms of maximally entangled resource states. The proofs of these results rely on connecting recently-derived representation-theoretic formulas to random matrix theory. Along the way, we refine a convergence result for the fluctuations of the Schur-Weyl distribution by Johansson, which might be of independent interest.
△ Less
Submitted 10 December, 2019; v1 submitted 27 September, 2018;
originally announced September 2018.
-
Conditional Decoupling of Quantum Information
Authors:
Mario Berta,
Fernando G. S. L. Brandao,
Christian Majenz,
Mark M. Wilde
Abstract:
Insights from quantum information theory show that correlation measures based on quantum entropy are fundamental tools that reveal the entanglement structure of multipartite states. In that spirit, Groisman, Popescu, and Winter [Physical Review A 72, 032317 (2005)] showed that the quantum mutual information $I(A;B)$ quantifies the minimal rate of noise needed to erase the correlations in a biparti…
▽ More
Insights from quantum information theory show that correlation measures based on quantum entropy are fundamental tools that reveal the entanglement structure of multipartite states. In that spirit, Groisman, Popescu, and Winter [Physical Review A 72, 032317 (2005)] showed that the quantum mutual information $I(A;B)$ quantifies the minimal rate of noise needed to erase the correlations in a bipartite state of quantum systems $AB$. Here, we investigate correlations in tripartite systems $ABE$. In particular, we are interested in the minimal rate of noise needed to apply to the systems $AE$ in order to erase the correlations between $A$ and $B$ given the information in system $E$, in such a way that there is only negligible disturbance on the marginal $BE$. We present two such models of conditional decoupling, called deconstruction and conditional erasure cost of tripartite states $ABE$. Our main result is that both are equal to the conditional quantum mutual information $I(A;B|E)$ -- establishing it as an operational measure for tripartite quantum correlations.
△ Less
Submitted 31 July, 2018;
originally announced August 2018.
-
Quantum-secure message authentication via blind-unforgeability
Authors:
Gorjan Alagic,
Christian Majenz,
Alexander Russell,
Fang Song
Abstract:
Formulating and designing authentication of classical messages in the presence of adversaries with quantum query access has been a longstanding challenge, as the familiar classical notions of unforgeability do not directly translate into meaningful notions in the quantum setting. A particular difficulty is how to fairly capture the notion of "predicting an unqueried value" when the adversary can q…
▽ More
Formulating and designing authentication of classical messages in the presence of adversaries with quantum query access has been a longstanding challenge, as the familiar classical notions of unforgeability do not directly translate into meaningful notions in the quantum setting. A particular difficulty is how to fairly capture the notion of "predicting an unqueried value" when the adversary can query in quantum superposition.
We propose a natural definition of unforgeability against quantum adversaries called blind unforgeability. This notion defines a function to be predictable if there exists an adversary who can use "partially blinded" oracle access to predict values in the blinded region. We support the proposal with a number of technical results. We begin by establishing that the notion coincides with EUF-CMA in the classical setting and go on to demonstrate that the notion is satisfied by a number of simple guiding examples, such as random functions and quantum-query-secure pseudorandom functions. We then show the suitability of blind unforgeability for supporting canonical constructions and reductions. We prove that the "hash-and-MAC" paradigm and the Lamport one-time digital signature scheme are indeed unforgeable according to the definition. To support our analysis, we additionally define and study a new variety of quantum-secure hash functions called Bernoulli-preserving.
Finally, we demonstrate that blind unforgeability is stronger than a previous definition of Boneh and Zhandry [EUROCRYPT '13, CRYPTO '13] in the sense that we can construct an explicit function family which is forgeable by an attack that is recognized by blind-unforgeability, yet satisfies the definition by Boneh and Zhandry.
△ Less
Submitted 20 April, 2023; v1 submitted 10 March, 2018;
originally announced March 2018.
-
Unforgeable Quantum Encryption
Authors:
Gorjan Alagic,
Tommaso Gagliardoni,
Christian Majenz
Abstract:
We study the problem of encrypting and authenticating quantum data in the presence of adversaries making adaptive chosen plaintext and chosen ciphertext queries. Classically, security games use string copying and comparison to detect adversarial cheating in such scenarios. Quantumly, this approach would violate no-cloning. We develop new techniques to overcome this problem: we use entanglement to…
▽ More
We study the problem of encrypting and authenticating quantum data in the presence of adversaries making adaptive chosen plaintext and chosen ciphertext queries. Classically, security games use string copying and comparison to detect adversarial cheating in such scenarios. Quantumly, this approach would violate no-cloning. We develop new techniques to overcome this problem: we use entanglement to detect cheating, and rely on recent results for characterizing quantum encryption schemes. We give definitions for (i.) ciphertext unforgeability , (ii.) indistinguishability under adaptive chosen-ciphertext attack, and (iii.) authenticated encryption. The restriction of each definition to the classical setting is at least as strong as the corresponding classical notion: (i) implies INT-CTXT, (ii) implies IND-CCA2, and (iii) implies AE. All of our new notions also imply QIND-CPA privacy. Combining one-time authentication and classical pseudorandomness, we construct schemes for each of these new quantum security notions, and provide several separation examples. Along the way, we also give a new definition of one-time quantum authentication which, unlike all previous approaches, authenticates ciphertexts rather than plaintexts.
△ Less
Submitted 13 October, 2018; v1 submitted 19 September, 2017;
originally announced September 2017.
-
Disentanglement Cost of Quantum States
Authors:
Mario Berta,
Christian Majenz
Abstract:
We show that the minimal rate of noise needed to catalytically erase the entanglement in a bipartite quantum state is given by the regularized relative entropy of entanglement. This offers a solution to the central open question raised in [Groisman, PRA 72, 032317 (2005)] and complements their main result that the minimal rate of noise needed to erase all correlations is given by the quantum mutua…
▽ More
We show that the minimal rate of noise needed to catalytically erase the entanglement in a bipartite quantum state is given by the regularized relative entropy of entanglement. This offers a solution to the central open question raised in [Groisman, PRA 72, 032317 (2005)] and complements their main result that the minimal rate of noise needed to erase all correlations is given by the quantum mutual information. We extend our discussion to the tripartite setting where we show that an asymptotic rate of noise given by the regularized relative entropy of recovery is sufficient to catalytically transform the state to a locally recoverable version of the state.
△ Less
Submitted 12 November, 2018; v1 submitted 1 August, 2017;
originally announced August 2017.
-
Quantum non-malleability and authentication
Authors:
Gorjan Alagic,
Christian Majenz
Abstract:
In encryption, non-malleability is a highly desirable property: it ensures that adversaries cannot manipulate the plaintext by acting on the ciphertext. Ambainis, Bouda and Winter gave a definition of non-malleability for the encryption of quantum data. In this work, we show that this definition is too weak, as it allows adversaries to "inject" plaintexts of their choice into the ciphertext. We gi…
▽ More
In encryption, non-malleability is a highly desirable property: it ensures that adversaries cannot manipulate the plaintext by acting on the ciphertext. Ambainis, Bouda and Winter gave a definition of non-malleability for the encryption of quantum data. In this work, we show that this definition is too weak, as it allows adversaries to "inject" plaintexts of their choice into the ciphertext. We give a new definition of quantum non-malleability which resolves this problem. Our definition is expressed in terms of entropic quantities, considers stronger adversaries, and does not assume secrecy. Rather, we prove that quantum non-malleability implies secrecy; this is in stark contrast to the classical setting, where the two properties are completely independent. For unitary schemes, our notion of non-malleability is equivalent to encryption with a two-design (and hence also to the definition of Ambainis et al.). Our techniques also yield new results regarding the closely-related task of quantum authentication. We show that "total authentication" (a notion recently proposed by Garg, Yuen and Zhandry) can be satisfied with two-designs, a significant improvement over the eight-design construction of Garg et al. We also show that, under a mild adaptation of the rejection procedure, both total authentication and our notion of non-malleability yield quantum authentication as defined by Dupuis, Nielsen and Salvail.
△ Less
Submitted 4 October, 2017; v1 submitted 13 October, 2016;
originally announced October 2016.
-
Deconstruction and conditional erasure of quantum correlations
Authors:
Mario Berta,
Fernando G. S. L. Brandao,
Christian Majenz,
Mark M. Wilde
Abstract:
We define the deconstruction cost of a tripartite quantum state on systems $ABE$ as the minimum rate of noise needed to apply to the $AE$ systems, such that there is negligible disturbance to the marginal state on the $BE$ systems, while the system $A$ of the resulting state is locally recoverable from the $E$ system alone. We refer to such actions as deconstruction operations and protocols implem…
▽ More
We define the deconstruction cost of a tripartite quantum state on systems $ABE$ as the minimum rate of noise needed to apply to the $AE$ systems, such that there is negligible disturbance to the marginal state on the $BE$ systems, while the system $A$ of the resulting state is locally recoverable from the $E$ system alone. We refer to such actions as deconstruction operations and protocols implementing them as state deconstruction protocols. State deconstruction generalizes Landauer erasure of a single-party quantum state as well the erasure of correlations of a two-party quantum state. We find that the deconstruction cost of a tripartite quantum state on systems $ABE$ is equal to its conditional quantum mutual information (CQMI) $I(A;B|E)$, thus giving the CQMI an operational interpretation in terms of a state deconstruction protocol. We also define a related task called conditional erasure, in which the goal is to apply noise to systems $AE$ in order to decouple system $A$ from systems $BE$, while causing negligible disturbance to the marginal state of systems $BE$. We find that the optimal rate of noise for conditional erasure is also equal to the CQMI $I(A;B|E)$. State deconstruction and conditional erasure lead to operational interpretations of the quantum discord and squashed entanglement, which are quantum correlation measures based on the CQMI. We find that the quantum discord is equal to the cost of simulating einselection, the process by which a quantum system interacts with an environment, resulting in selective loss of information in the system. The squashed entanglement is equal to half the minimum rate of noise needed for deconstruction/conditional erasure if Alice has available the best possible system $E$ to help in the deconstruction/conditional erasure task.
△ Less
Submitted 12 October, 2018; v1 submitted 22 September, 2016;
originally announced September 2016.
-
Catalytic Decoupling of Quantum Information
Authors:
Christian Majenz,
Mario Berta,
Frédéric Dupuis,
Renato Renner,
Matthias Christandl
Abstract:
The decoupling technique is a fundamental tool in quantum information theory with applications ranging from quantum thermodynamics to quantum many body physics to the study of black hole radiation. In this work we introduce the notion of catalytic decoupling, that is, decoupling in the presence of an uncorrelated ancilla system. This removes a restriction on the standard notion of decoupling, whic…
▽ More
The decoupling technique is a fundamental tool in quantum information theory with applications ranging from quantum thermodynamics to quantum many body physics to the study of black hole radiation. In this work we introduce the notion of catalytic decoupling, that is, decoupling in the presence of an uncorrelated ancilla system. This removes a restriction on the standard notion of decoupling, which becomes important for structureless resources, and yields a tight characterization in terms of the max-mutual information. Catalytic decoupling naturally unifies various tasks like the erasure of correlations and quantum state merging, and leads to a resource theory of decoupling.
△ Less
Submitted 2 May, 2016;
originally announced May 2016.
-
Information-Theoretic Implications of Quantum Causal Structures
Authors:
Rafael Chaves,
Christian Majenz,
David Gross
Abstract:
The correlations that can be observed between a set of variables depend on the causal structure underpinning them. Causal structures can be modeled using directed acyclic graphs, where nodes represent variables and edges denote functional dependencies. In this work, we describe a general algorithm for computing information-theoretic constraints on the correlations that can arise from a given inter…
▽ More
The correlations that can be observed between a set of variables depend on the causal structure underpinning them. Causal structures can be modeled using directed acyclic graphs, where nodes represent variables and edges denote functional dependencies. In this work, we describe a general algorithm for computing information-theoretic constraints on the correlations that can arise from a given interaction pattern, where we allow for classical as well as quantum variables. We apply the general technique to two relevant cases: First, we show that the principle of information causality appears naturally in our framework and go on to generalize and strengthen it. Second, we derive bounds on the correlations that can occur in a networked architecture, where a set of few-body quantum systems is distributed among a larger number of parties.
△ Less
Submitted 14 July, 2014;
originally announced July 2014.
-
Coarse-Graining Can Beat the Rotating Wave Approximation in Quantum Markovian Master Equations
Authors:
Christian Majenz,
Tameem Albash,
Heinz-Peter Breuer,
Daniel A. Lidar
Abstract:
We present a first-principles derivation of the Markovian semi-group master equation without invoking the rotating wave approximation (RWA). Instead we use a time coarse-graining approach which leaves us with a free timescale parameter, which we can optimize. Comparing this approach to the standard RWA-based Markovian master equation, we find that significantly better agreement is possible using t…
▽ More
We present a first-principles derivation of the Markovian semi-group master equation without invoking the rotating wave approximation (RWA). Instead we use a time coarse-graining approach which leaves us with a free timescale parameter, which we can optimize. Comparing this approach to the standard RWA-based Markovian master equation, we find that significantly better agreement is possible using the coarse-graining approach, for a three-level model coupled to a bath of oscillators, whose exact dynamics we can solve for at zero temperature. The model has the important feature that the RWA has a non-trivial effect on the dynamics of the populations. We show that the two different master equations can exhibit strong qualitative differences for the population of the energy eigenstates even for such a simple model. The RWA-based master equation misses an important feature which the coarse-graining based scheme does not. By optimizing the coarse-graining timescale the latter scheme can be made to approach the exact solution much more closely than the RWA-based master equation.
△ Less
Submitted 26 March, 2013;
originally announced March 2013.