Device Independent Randomness Extraction for Arbitrarily Weak Min-Entropy Source
|
|
- Jacob Riley
- 5 years ago
- Views:
Transcription
1 Device Independent Randomness Extraction for Arbitrarily Weak Min-Entropy Source Jan Bouda, Marcin Paw lowski, Matej Pivoluska, Martin Plesch J. B., M. P. 3 DI Extraction from min-entropy sources / 20
2 Outline Motivation and Related Work. Ingredients. Our Protocol. J. B., M. P. 3 DI Extraction from min-entropy sources / 20
3 Importance of Randomness Randomness is useful in: Gambling. Simulation and Computation. Cryptography. J. B., M. P. 3 DI Extraction from min-entropy sources / 20
4 Importance of Randomness Randomness is useful in: Gambling. Simulation and Computation. Cryptography. Impact of imperfect randomness can be devastating: Attacks on RSA [Lenstra et. al. (2012)] Attacks on QKD[Bouda et. al. (2012), Huber and Paw lowski (2013)] J. B., M. P. 3 DI Extraction from min-entropy sources / 20
5 Randomness Production + Testing Pseudorandomness Classical Hardware Quantum Hardware Seed Initialization function Transformation function State PRNG Random bits J. B., M. P. 3 DI Extraction from min-entropy sources / 20
6 Randomness Production + Testing Pseudorandomness Classical Hardware Quantum Hardware J. B., M. P. 3 DI Extraction from min-entropy sources / 20
7 Randomness Production + Testing Pseudorandomness Classical Hardware Quantum Hardware J. B., M. P.3 DI Extraction from min-entropy sources / 20
8 Randomness Production + Testing Pseudorandomness Classical Hardware Quantum Hardware Statistical tests vs. Unpredictability Official certification J. B., M. P. 3 DI Extraction from min-entropy sources / 20
9 Device Independent Approach Challenge Untrusted Device Response Passed? Randomness Yes Challenges have to be random. Similarity to randomness extraction. J. B., M. P. 3 DI Extraction from min-entropy sources / 20
10 Randomness Extraction Randomness extraction is a procedure to transform imperfect randomness into (close to) perfect randomness. J. B., M. P. 3 DI Extraction from min-entropy sources / 20
11 Randomness Extraction Randomness extraction is a procedure to transform imperfect randomness into (close to) perfect randomness. Classical Extraction Additional Independent Randomness Imperfect Randomness Classical Extractor Uniform Randomness J. B., M. P. 3 DI Extraction from min-entropy sources / 20
12 Randomness Extraction Randomness extraction is a procedure to transform imperfect randomness into (close to) perfect randomness. Classical Extraction Additional Independent Randomness Quantum Extraction Additional Independent Randomness Imperfect Randomness Classical Extractor Imperfect Randomness Quantum Extractor Uniform Randomness Uniform Randomness J. B., M. P. 3 DI Extraction from min-entropy sources / 20
13 Related work Santha-Vazirani sources Colbeck and Renner (2012). Gallego et. al. (2013). Brandão et. al. (2013). Min-Entropy sources Chung, Shi, Wu (2014). This presentation. J. B., M. P. 3 DI Extraction from min-entropy sources / 20
14 Quantum Device - GHZ test Quantum Extractor Quantum Device Quantum Device. Quantum Device x y z A B C a b c J. B., M. P. 3 DI Extraction from min-entropy sources / 20
15 Quantum Device - GHZ test Quantum Extractor Quantum Device Quantum Device. Quantum Device x y z A B C a b c Input xyz {111, 001, 010, 100}. Test if a b c = x y z. Classical strategies succeed with probability at most 3/4. Quantum strategy succeeds with probability 1 and produces perfect random bits. J. B., M. P. 3 DI Extraction from min-entropy sources / 20
16 GHZ devices - rigidity (MP bound) Let inputs into D i be uniform. If D i wins GHZ game with probability p > f (ɛ) then bias of a m is at most ɛ. Function f (ɛ) obtained by SDP. 1 0,98 0,96 0,94 f( ) 0,92 0,9 0,88 0,86 0 0,05 0,1 0,15 0,2 0,25 0,3 0,35 0,4 0,45 0,5 J. B., M. P. 3 DI Extraction from min-entropy sources / 20
17 Weak Source of Randomness - Definition Source of randomness {X i } i N is (n, k) block source if X i is random variable with n bit output. It holds that x 1,, x i 1 {0, 1} n, e I(E), H (X i X i 1 = x i 1,, X 1 = x 1, E = e) k. H is min-entropy. J. B., M. P. 3 DI Extraction from min-entropy sources / 20
18 Weak Source of Randomness - Definition Source of randomness {X i } i N is (n, k) block source if Notes: X i is random variable with n bit output. It holds that H is min-entropy. x 1,, x i 1 {0, 1} n, e I(E), H (X i X i 1 = x i 1,, X 1 = x 1, E = e) k. Classically cannot be extracted. For n = 1 Santha Vazirani (SV) source is recovered. For n > 1 cannot be transformed into SV source existing protocols do not work. J. B., M. P. 3 DI Extraction from min-entropy sources / 20
19 Set of Hashing Functions {0, 1} n h h 2 Let h i : {0, 1} n {0, 1} 2. Let H = {h i } m i=1. For each subset S of {0, 1} n of size 4 there exists h i, such that h i (S) = {00, 01, 10, 11}. There is a construction of H with size polynomial in n. J. B., M. P. 3 DI Extraction from min-entropy sources / 20
20 One Round of Protocol 1 We obtain the (weakly) random n bit string r i from an (n, 2) block source. 2 Into each device D i we input the 3 bit string inputs X i, Y i and Z i derived from h i (r i ) and obtain the outputs A i, B i and C i. 3 We verify whether for each device D i the condition Z i Y i Z i = A i B i C i holds. If this is not true, we abort the protocol. 4 We define the output bit of the protocol as b i = m j=1 A j. J. B., M. P. 3 DI Extraction from min-entropy sources / 20
21 Protocol Scheme (n, 2) r i R X i D 1 D 2 D 3 D m A 1 A 2 A 3 Am b i J. B., M. P. 3 DI Extraction from min-entropy sources / 20
22 Single Round Analysis - The Flat Sources (n, 2) flat source 4 elements of {0, 1} n with probability 1 4, others with probability 0. J. B., M. P. 3 DI Extraction from min-entropy sources / 20
23 Single Round Analysis - The Flat Sources Uniform Input (n, 2) flat source 4 elements of {0, 1} n with probability 1 4, others with probability 0. D 1 D 2 D 3 D m A 1 A 2 A 3 Am b i J. B., M. P. 3 DI Extraction from min-entropy sources / 20
24 Single Round Analysis - The Non-Flat Sources = ( ) ( ) Any (n, 2) distribution d can be expressed as a convex combination of at most N = 2 n (n, 2) flat distributions d i. J. B., M. P. 3 DI Extraction from min-entropy sources / 20
25 Single Round Analysis - The Non-Flat Sources II = D 1 D 2 D 3 D m A 1 A 2 A 3 Am b i D 1 D 2 D 3 D m A 1 A 2 A 3 Am b i J. B., M. P. 3 DI Extraction from min-entropy sources / 20
26 Multiple Rounds Repeat the protocol l times. Output b = If b has bias greater than ɛ, each of b i has bias at least ɛ. To achieve bias ɛ adversary has to risk l times - success f (ɛ) l. For target parameters ɛ, δ set l > log δ/ log f (ɛ) l j=1 b j. r 1 r 2 r i D1 1 D2 1 D3 1 Dm 1 D1 2 D2 2 D3 2 Dm 2 D1 i D2 i D3 i Dm i A 1 1 A 1 2 A 1 3 A 1 m A 2 1 A 2 2 A 2 3 A 2 m A i 1 A i 2 A i 3 A i m b 1 b 2 b i r j r k r l D j 1 D j 2 D j 3 Dm j D1 k D2 k D3 k Dm k D1 l D2 l D3 l Dm l A j 1 A j 2 A j 3 A j m A k 1 A k 2 A k 3 A k m A l 1 A l 2 A l 3 A l m b j b k b l J. B., M. P. 3 DI Extraction from min-entropy sources / 20
27 Robustness - Imperfect Honest Devices 1 f (ɛ) 2m Let us allow µ = fraction of all the ml devices to fail the test. Then honest but faulty devices with failure probability µ/2 pass the protocol with high probability. r 1 r 2 r i D1 1 D2 1 D3 1 Dm 1 D1 2 D2 2 D3 2 Dm 2 D1 i D2 i D3 i Dm i A 1 1 A 1 2 A 1 3 A 1 m A 2 1 A 2 2 A 2 3 A 2 m A i 1 A i 2 A i 3 A i m b 1 b 2 b i r j r k r l D j 1 D j 2 D j 3 Dm j D1 k D2 k D3 k Dm k D1 l D2 l D3 l Dm l A j 1 A j 2 A j 3 A j m A k 1 A k 2 A k 3 A k m A l 1 A l 2 A l 3 A l m b j b k b l J. B., M. P. 3 DI Extraction from min-entropy sources / 20
28 Malicious Devices Adversary needs to cheat for devices with uniform input. By increasing number of rounds we can make sure that (a lot) less errors are allowed than the number of devices adversary needs to cheat. r 1 r 2 r i D1 1 D2 1 D3 1 Dm 1 D1 2 D2 2 D3 2 Dm 2 D1 i D2 i D3 i Dm i A 1 1 A 1 2 A 1 3 A 1 m A 2 1 A 2 2 A 2 3 A 2 m A i 1 A i 2 A i 3 A i m b 1 b 2 b i r j r k r l D j 1 D j 2 D j 3 Dm j D1 k D2 k D3 k Dm k D1 l D2 l D3 l Dm l A j 1 A j 2 A j 3 A j m A k 1 A k 2 A k 3 A k m A l 1 A l 2 A l 3 A l m b j b k b l J. B., M. P. 3 DI Extraction from min-entropy sources / 20
29 Conclusion Protocol uses arbitrary block source. Protocol produces single bit biased at most ɛ with probability 1 δ for arbitrary ɛ, δ. Number of devices used scales polynomially with the length of the block. J. B., M. P. 3 DI Extraction from min-entropy sources / 20
30 Conclusion Protocol uses arbitrary block source. Protocol produces single bit biased at most ɛ with probability 1 δ for arbitrary ɛ, δ. Number of devices used scales polynomially with the length of the block. THANK YOU! J. B., M. P. 3 DI Extraction from min-entropy sources / 20
Tutorial: Device-independent random number generation. Roger Colbeck University of York
Tutorial: Device-independent random number generation Roger Colbeck University of York Outline Brief motivation of random number generation Discuss what we mean by a random number Discuss some ways of
More informationUntrusted quantum devices. Yaoyun Shi University of Michigan updated Feb. 1, 2014
Untrusted quantum devices Yaoyun Shi University of Michigan updated Feb. 1, 2014 Quantum power is incredible! Quantum power is incredible! Quantum power is incredible! Spooky action at a distance Quantum
More informationRobust protocols for securely expanding randomness and distributing keys using untrusted quantum devices
Robust protocols for securely expanding randomness and distributing keys using untrusted quantum devices Carl A. Miller and Yaoyun Shi Department of Electrical Engineering and Computer Science University
More informationRobust protocols for securely expanding randomness and distributing keys using untrusted quantum devices
Robust protocols for securely expanding randomness and distributing keys using untrusted quantum devices Carl A. Miller and Yaoyun Shi Department of Electrical Engineering and Computer Science University
More informationUniversal security for randomness expansion
Universal security for randomness expansion Carl A. Miller and Yaoyun Shi Department of Electrical Engineering and Computer Science University of Michigan, Ann Arbor, MI 48109, USA carlmi,shiyy@umich.edu
More informationMore Randomness From Noisy Sources
More Randomness From Noisy Sources Jean-Daniel Bancal and Valerio Scarani,2 Centre for Quantum Technologies, National University of Singapore 3 Science Drive 2, Singapore 7543 2 Department of Physics,
More informationXXXX Robust Protocols for Securely Expanding Randomness and Distributing Keys Using Untrusted Quantum Devices
XXXX Robust Protocols for Securely Expanding Randomness and Distributing Keys Using Untrusted Quantum Devices CARL A. MILLER, University of Michigan YAOYUN SHI, University of Michigan Randomness is a vital
More informationEntropy Accumulation in Device-independent Protocols
Entropy Accumulation in Device-independent Protocols QIP17 Seattle January 19, 2017 arxiv: 1607.01796 & 1607.01797 Rotem Arnon-Friedman, Frédéric Dupuis, Omar Fawzi, Renato Renner, & Thomas Vidick Outline
More informationUnconditionally secure deviceindependent
Unconditionally secure deviceindependent quantum key distribution with only two devices Roger Colbeck (ETH Zurich) Based on joint work with Jon Barrett and Adrian Kent Physical Review A 86, 062326 (2012)
More informationarxiv: v1 [quant-ph] 21 Aug 2013
Robust Device Independent Randomness Amplification arxiv:308.4635v [quant-ph] Aug 03 Ravishankar Ramanathan,, Fernando G. S. L. Brandão, 3 Andrzej Grudka, 4 Karol Horodecki,, 5 Michał Horodecki,, and Paweł
More informationTrustworthy Quantum Information. Yaoyun Shi University of Michigan
Trustworthy Quantum Information Yaoyun Shi University of Michigan QI 2.0 QI 2.0 Some hairy questions QI 1.0: using trusted q. device QI 2.0: using untrusted q. device The device(s) prove to you their trustworthiness
More informationInaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions
Columbia University - Crypto Reading Group Apr 27, 2011 Inaccessible Entropy and its Applications Igor Carboni Oliveira We summarize the constructions of PRGs from OWFs discussed so far and introduce the
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationPhysical Randomness Extractors: Generating Random Numbers with Minimal Assumptions
Physical Randomness Extractors: Generating Random Numbers with Minimal Assumptions Kai-Min Chung Yaoyun Shi Xiaodi Wu Abstract How to generate provably true randomness with minimal assumptions? This question
More informationSecret Sharing CPT, Version 3
Secret Sharing CPT, 2006 Version 3 1 Introduction In all secure systems that use cryptography in practice, keys have to be protected by encryption under other keys when they are stored in a physically
More informationCS/Ph120 Homework 8 Solutions
CS/Ph0 Homework 8 Solutions December, 06 Problem : Thinking adversarially. Solution: (Due to De Huang) Attack to portocol : Assume that Eve has a quantum machine that can store arbitrary amount of quantum
More informationA semi-device-independent framework based on natural physical assumptions
AQIS 2017 4-8 September 2017 A semi-device-independent framework based on natural physical assumptions and its application to random number generation T. Van Himbeeck, E. Woodhead, N. Cerf, R. García-Patrón,
More informationKolmogorov-Loveland Randomness and Stochasticity
Kolmogorov-Loveland Randomness and Stochasticity Wolfgang Merkle 1 Joseph Miller 2 André Nies 3 Jan Reimann 1 Frank Stephan 4 1 Institut für Informatik, Universität Heidelberg 2 Department of Mathematics,
More informationBit-Commitment and Coin Flipping in a Device-Independent Setting
Bit-Commitment and Coin Flipping in a Device-Independent Setting J. Silman Université Libre de Bruxelles Joint work with: A. Chailloux & I. Kerenidis (LIAFA), N. Aharon (TAU), S. Pironio & S. Massar (ULB).
More informationLecture 09: Next-bit Unpredictability. Lecture 09: Next-bit Unpredictability
Indistinguishability Consider two distributions X and Y over the sample space Ω. The distributions X and Y are ε-indistinguishable from each other if: For all algorithms A: Ω {0, 1} the following holds
More informationFree randomness can be amplified
Free randomness can be amplified Colbeck and Renner June 18, 2013 arxiv Abstract Are there fundamentally random processes in nature? Theoretical predictions, confirmed experimentally, such as the violation
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationRandom number generators
s generators Comp Sci 1570 Introduction to Outline s 1 2 s generator s The of a sequence of s or symbols that cannot be reasonably predicted better than by a random chance, usually through a random- generator
More informationHow many rounds can Random Selection handle?
How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.
More information: Cryptography and Game Theory Ran Canetti and Alon Rosen. Lecture 8
0368.4170: Cryptography and Game Theory Ran Canetti and Alon Rosen Lecture 8 December 9, 2009 Scribe: Naama Ben-Aroya Last Week 2 player zero-sum games (min-max) Mixed NE (existence, complexity) ɛ-ne Correlated
More informationOn the (Im)Possibility of Tamper-Resilient Cryptography: Using Fourier Analysis in Computer Viruses
On the (Im)Possibility of Tamper-Resilient Cryptography: Using Fourier Analysis in Computer Viruses Per Austrin, Kai-Min Chung, Mohammad Mahmoody, Rafael Pass, Karn Seth November 12, 2012 Abstract We initiate
More informationPseudo-Random Generators
Pseudo-Random Generators Topics Why do we need random numbers? Truly random and Pseudo-random numbers. Definition of pseudo-random-generator What do we expect from pseudorandomness? Testing for pseudo-randomness.
More informationPseudo-Random Generators
Pseudo-Random Generators Why do we need random numbers? Simulation Sampling Numerical analysis Computer programming (e.g. randomized algorithm) Elementary and critical element in many cryptographic protocols
More informationContents. ID Quantique SA Tel: Chemin de la Marbrerie 3 Fax : Carouge
Contents Introduction... 3 Quantis TRNG... 3 Quantifying Randomness... 4 Randomness Extractor... 4 Randomness Extraction in the Quantis Software Package... 5 Conclusion... 7 References... 7 ID Quantique
More informationTopics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers
Topics Pseudo-Random Generators Why do we need random numbers? Truly random and Pseudo-random numbers. Definition of pseudo-random-generator What do we expect from pseudorandomness? Testing for pseudo-randomness.
More informationOn the power of non-adaptive quantum chosen-ciphertext attacks
On the power of non-adaptive quantum chosen-ciphertext attacks joint work with Gorjan Alagic (UMD, NIST), Stacey Jeffery (QuSoft, CWI), and Maris Ozols (QuSoft, UvA) Alexander Poremba August 29, 2018 Heidelberg
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationRandomness in nonlocal games between mistrustful players
Randomness in nonlocal games between mistrustful players Carl A. Miller and Yaoyun Shi* Source paper: Forcing classical behavior for quantum players by C. Miller and Y. Shi (2016), attached. One of the
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationExtractors and the Leftover Hash Lemma
6.889 New Developments in Cryptography March 8, 2011 Extractors and the Leftover Hash Lemma Instructors: Shafi Goldwasser, Yael Kalai, Leo Reyzin, Boaz Barak, and Salil Vadhan Lecturer: Leo Reyzin Scribe:
More informationIntroduction to Quantum Key Distribution
Fakultät für Physik Ludwig-Maximilians-Universität München January 2010 Overview Introduction Security Proof Introduction What is information? A mathematical concept describing knowledge. Basic unit is
More informationDevice-independent Quantum Key Distribution and Randomness Generation. Stefano Pironio Université Libre de Bruxelles
Device-independent Quantum Key Distribution and Randomness Generation Stefano Pironio Université Libre de Bruxelles Tropical QKD, Waterloo, June 14-17, 2010 Device-independent security proofs establish
More informationChair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics
Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle Network Security Chapter 2 Basics 2.4 Random Number Generation for Cryptographic Protocols Motivation It is
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationQuantum Technology: Challenges and Opportunities for Cyber Security. Yaoyun Shi University of Michigan
Quantum Technology: Challenges and Opportunities for Cyber Security Yaoyun Shi University of Michigan The Alien Monsters Are Coming! Written by Yaoyun Shi Illustrated by Oriana Shi Ultimatum to Earthlings
More informationExtending Oblivious Transfers Efficiently
Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim Erez Petrank NEC Microsoft Technion Motivation x y f(x,y) How (in)efficient is generic secure computation? myth don
More informationNon-Malleable Extractors with Short Seeds and Applications to Privacy Amplification
Non-Malleable Extractors with Short Seeds and Applications to Privacy Amplification Gil Cohen Ran Raz Gil Segev Abstract Motivated by the classical problem of privacy amplification, Dodis and Wichs [DW09]
More informationMultichannel liar games with a fixed number of lies
Multichannel liar games with a fixed number of lies Robert Ellis 1 Kathryn Nyman 2 1 Illinois Institute of Technology 2 Loyola University SIAM Discrete Mathematics 2006 Ellis, Nyman (June 27, 2006) Multichannel
More informationQuantum Simultaneous Contract Signing
Quantum Simultaneous Contract Signing J. Bouda, M. Pivoluska, L. Caha, P. Mateus, N. Paunkovic 22. October 2010 Based on work presented on AQIS 2010 J. Bouda, M. Pivoluska, L. Caha, P. Mateus, N. Quantum
More informationYuval Ishai Technion
Winter School on, Israel 30/1/2011-1/2/2011 Yuval Ishai Technion 1 Several potential advantages Unconditional security Guaranteed output and fairness Universally composable security This talk: efficiency
More informationRandomness and non-uniformity
Randomness and non-uniformity JASS 2006 Course 1: Proofs and Computers Felix Weninger TU München April 2006 Outline Randomized computation 1 Randomized computation 2 Computation with advice Non-uniform
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationLecture Hardness of Set Cover
PCPs and Inapproxiability CIS 6930 October 5, 2009 Lecture Hardness of Set Cover Lecturer: Dr. My T. Thai Scribe: Ying Xuan 1 Preliminaries 1.1 Two-Prover-One-Round Proof System A new PCP model 2P1R Think
More informationQuantum Supremacy and its Applications
Quantum Supremacy and its Applications HELLO HILBERT SPACE Scott Aaronson (University of Texas, Austin) Simons Institute, Berkeley, June 12, 2018 Based on joint work with Lijie Chen (CCC 2017, arxiv: 1612.05903)
More informationAugmented Black-Box Simulation and Zero Knowledge Argument for NP
Augmented Black-Box Simulation and Zero Knowledge Argument for N Li Hongda, an Dongxue, Ni eifang The Data Assurance and Communication Security Research Center, School of Cyber Security, University of
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationDeterministic Extractors - Lecture Notes
Deterministic Extractors - Lecture Notes Speaker: Avi Wigderson Scribe: Zeev Dvir February 4, 2009 1 Motivation Randomness is used in many places in our daily lives. Some examples are gambling, statistics,
More informationCOMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.
COMS W4995 Introduction to Cryptography October 12, 2005 Lecture 12: RSA, and a summary of One Way Function Candidates. Lecturer: Tal Malkin Scribes: Justin Cranshaw and Mike Verbalis 1 Introduction In
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationKnown and Chosen Key Differential Distinguishers for Block Ciphers
1/19 Known and Chosen Key Differential Distinguishers for Block Ciphers Josef Pieprzyk joint work with Ivica Nikolić, Przemys law Soko lowski, and Ron Steinfeld ASK 2011, August 29-31, 2011 2/19 Outline
More informationThe Entropy Bogeyman. Ed Morris and Khai Van November 5, 2015 International Crypto Module Conference
The Entropy Bogeyman Ed Morris and Khai Van November 5, 2015 International Crypto Module Conference Topics Overview Background Design Problems Public Entropy Vulnerabilities Recommendations International
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationLecture 15: Privacy Amplification against Active Attackers
Randomness in Cryptography April 25, 2013 Lecture 15: Privacy Amplification against Active Attackers Lecturer: Yevgeniy Dodis Scribe: Travis Mayberry 1 Last Time Previously we showed that we could construct
More informationBU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/
BU CAS CS 538: Cryptography Lecture Notes. Fall 2005. http://www.cs.bu.edu/ itkis/538/ Gene Itkis Boston University Computer Science Dept. Notes for Lectures 3 5: Pseudo-Randomness; PRGs 1 Randomness Randomness
More informationLecture 3: Randomness in Computation
Great Ideas in Theoretical Computer Science Summer 2013 Lecture 3: Randomness in Computation Lecturer: Kurt Mehlhorn & He Sun Randomness is one of basic resources and appears everywhere. In computer science,
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 16 March 19, 2012 CPSC 467b, Lecture 16 1/58 Authentication While Preventing Impersonation Challenge-response authentication protocols
More informationSimple extractors via crypto pseudo-random generators
Simple extractors via crypto pseudo-random generators Marius Zimand (Towson University) Extractors vs. Pseudo-Rand. Generators Fundamental primitives in derandomization, cryptography,... They manufacture
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationarxiv: v3 [quant-ph] 1 Mar 2018
Local Randomness: Examples and Application Honghao Fu 1 and Carl A. Miller 1,2 1 Department of Computer Science, Institute for Advanced Computer Studies and Joint Institute for Quantum Information and
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationOn the (Im)possibility of Cryptography with Imperfect Randomness
On the (Im)possibility of Cryptography with Imperfect Randomness Yevgeniy Dodis New York University Manoj Prabhakaran Princeton University and UCLA Shien Jin Ong Harvard University Amit Sahai Princeton
More informationAn Identification Scheme Based on KEA1 Assumption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationQuantum information and quantum mechanics: fundamental issues. John Preskill, Caltech 23 February
Quantum information and uantum mechanics: fundamental issues John Preskill, Caltech 23 February 2004 http://www.ii.caltech.edu/ Some important issues in uantum cryptography: Can we close the gap between
More informationYale University Department of Computer Science
Yale University Department of Computer Science On Backtracking Resistance in Pseudorandom Bit Generation (preliminary version) Michael J. Fischer Mike Paterson Ewa Syta YALEU/DCS/TR-1466 October 24, 2012
More informationQuantum to Classical Randomness Extractors
Quantum to Classical Randomness Extractors Mario Berta, Omar Fawzi, Stephanie Wehner - Full version preprint available at arxiv: 1111.2026v3 08/23/2012 - CRYPTO University of California, Santa Barbara
More informationQuantum Supremacy and its Applications
Quantum Supremacy and its Applications HELLO HILBERT SPACE Scott Aaronson (University of Texas at Austin) USC, October 11, 2018 Based on joint work with Lijie Chen (CCC 2017, arxiv:1612.05903) and on forthcoming
More informationUnconditionally Secure and Universally Composable Commitments from Physical Assumptions
Unconditionally Secure and Universally Composable Commitments from Physical Assumptions Ivan Damgård Aarhus University, Denmark Alessandra Scafuro UCLA, USA Abstract We present a constant-round unconditional
More informationDevice-Independent Quantum Information Processing
Device-Independent Quantum Information Processing Antonio Acín ICREA Professor at ICFO-Institut de Ciencies Fotoniques, Barcelona Chist-Era kick-off seminar, March 2012, Warsaw, Poland Quantum Information
More informationNotes for Lecture 25
U.C. Berkeley CS276: Cryptography Handout N25 Luca Trevisan April 23, 2009 Notes for Lecture 25 Scribed by Alexandra Constantin, posted May 4, 2009 Summary Today we show that the graph isomorphism protocol
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationMASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer
MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer Tore Frederiksen Emmanuela Orsini Marcel Keller Peter Scholl Aarhus University University of Bristol 31 May 2016 Secure Multiparty
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationNew Imperfect Random Source with Applications to Coin-Flipping
New Imperfect Random Source with Applications to Coin-Flipping Yevgeniy Dodis MIT December 4, 2000 Abstract We introduce a new imperfect random source that realistically generalizes the SV-source of Sántha
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationPractical quantum-key. key- distribution post-processing
Practical quantum-key key- distribution post-processing processing Xiongfeng Ma 马雄峰 IQC, University of Waterloo Chi-Hang Fred Fung, Jean-Christian Boileau, Hoi Fung Chau arxiv:0904.1994 Hoi-Kwong Lo, Norbert
More informationLecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations
CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw
More informationAttribute-based Encryption & Delegation of Computation
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin Attribute-based Encryption & Delegation of Computation April 9, 2013 Scribe: Steven Goldfeder We will cover the ABE
More informationSome limits on non-local randomness expansion
Some limits on non-local randomness expansion Matt Coudron and Henry Yuen December 12, 2012 1 Introduction God does not play dice. Albert Einstein Einstein, stop telling God what to do. Niels Bohr One
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationAttacks on hash functions: Cat 5 storm or a drizzle?
Attacks on hash functions: Cat 5 storm or a drizzle? Ilya Mironov Microsoft Research, Silicon Valley Campus September 15, 2005 1 Outline Hash functions: Definitions Constructions Attacks What to do 2 Outline
More informationCMSC 858K Introduction to Secure Computation October 18, Lecture 19
CMSC 858K Introduction to Secure Computation October 18, 2013 Lecturer: Jonathan Katz Lecture 19 Scribe(s): Alex J. Malozemoff 1 Zero Knowledge Variants and Results Recall that a proof-of-knowledge (PoK)
More informationMore Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries
More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries Gilad Asharov 1, Yehuda Lindell 2, Thomas Schneider 3, and Michael Zohner 3 1 The Hebrew University of Jerusalem, Israel
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationInformation Security
SE 4472 / ECE 9064 Information Security Week 12: Random Number Generators and Picking Appropriate Key Lengths Fall 2015 Prof. Aleksander Essex Random Number Generation Where do keys come from? So far we
More informationBenny Pinkas Bar Ilan University
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar Ilan University 1 Extending OT [IKNP] Is fully simulatable Depends on a non-standard security assumption
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationPAPER An Identification Scheme with Tight Reduction
IEICE TRANS. FUNDAMENTALS, VOL.Exx A, NO.xx XXXX 200x PAPER An Identification Scheme with Tight Reduction Seiko ARITA, Member and Natsumi KAWASHIMA, Nonmember SUMMARY There are three well-known identification
More informationRound-Efficient Multi-party Computation with a Dishonest Majority
Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More information