%0 Journal Article
%J v4: version for publication in Quantum, v5: CC license
%D 2021
%T Can you sign a quantum state?
%A Gorjan Alagic
%A Tommaso Gagliardoni
%A Christian Majenz
%X

Cryptography with quantum states exhibits a number of surprising and counterintuitive features. In a 2002 work, Barnum et al. argued informally that these strange features should imply that digital signatures for quantum states are impossible (Barnum et al., FOCS 2002). In this work, we perform the first rigorous study of the problem of signing quantum states. We first show that the intuition of Barnum et al. was correct, by proving an impossibility result which rules out even very weak forms of signing quantum states. Essentially, we show that any non-trivial combination of correctness and security requirements results in negligible security. This rules out all quantum signature schemes except those which simply measure the state and then sign the outcome using a classical scheme. In other words, only classical signature schemes exist. We then show a positive result: it is possible to sign quantum states, provided that they are also encrypted with the public key of the intended recipient. Following classical nomenclature, we call this notion quantum signcryption. Classically, signcryption is only interesting if it provides superior efficiency to simultaneous encryption and signing. Our results imply that, quantumly, it is far more interesting: by the laws of quantum mechanics, it is the only signing method available. We develop security definitions for quantum signcryption, ranging from a simple one-time two-user setting, to a chosen-ciphertext-secure many-time multi-user setting. We also give secure constructions based on post-quantum public-key primitives. Along the way, we show that a natural hybrid method of combining classical and quantum schemes can be used to "upgrade" a secure classical scheme to the fully-quantum setting, in a wide range of cryptographic settings including signcryption, authenticated encryption, and chosen-ciphertext security.

%B v4: version for publication in Quantum, v5: CC license
%8 12/6/2021
%G eng
%U https://arxiv.org/abs/1811.11858

%0 Journal Article
%J In: Nielsen J., Rijmen V. (eds) Advances in Cryptology – EUROCRYPT 2018. Lecture Notes in Computer Science, Springer, Cham
%D 2018
%T Unforgeable Quantum Encryption
%A Gorjan Alagic
%A Tommaso Gagliardoni
%A Christian Majenz
%X

We study the problem of encrypting and authenticating quantum data in the presence of adversaries making adaptive chosen plaintext and chosen ciphertext queries. Classically, security games use string copying and comparison to detect adversarial cheating in such scenarios. Quantumly, this approach would violate no-cloning. We develop new techniques to overcome this problem: we use entanglement to detect cheating, and rely on recent results for characterizing quantum encryption schemes. We give definitions for (i) ciphertext unforgeability, (ii) indistinguishability under adaptive chosen-ciphertext attack, and (iii) authenticated encryption. The restriction of each definition to the classical setting is at least as strong as the corresponding classical notion: (i) implies INT-CTXT, (ii) implies IND-CCA2, and (iii) implies AE. All of our new notions also imply QIND-CPA privacy. Combining one-time authentication and classical pseudorandomness, we construct symmetric-key quantum encryption schemes for each of these new security notions, and provide several separation examples. Along the way, we also give a new definition of one-time quantum authentication which, unlike all previous approaches, authenticates ciphertexts rather than plaintexts.

%B In: Nielsen J., Rijmen V. (eds) Advances in Cryptology – EUROCRYPT 2018. Lecture Notes in Computer Science, Springer, Cham
%V 10822
%G eng
%R https://doi.org/10.1007/978-3-319-78372-7_16

%0 Journal Article
%D 2017
%T Unforgeable Quantum Encryption
%A Gorjan Alagic
%A Tommaso Gagliardoni
%A Christian Majenz
%X

We study the problem of encrypting and authenticating quantum data in the presence of adversaries making adaptive chosen plaintext and chosen ciphertext queries. Classically, security games use string copying and comparison to detect adversarial cheating in such scenarios. Quantumly, this approach would violate no-cloning. We develop new techniques to overcome this problem: we use entanglement to detect cheating, and rely on recent results for characterizing quantum encryption schemes. We give definitions for (i) ciphertext unforgeability, (ii) indistinguishability under adaptive chosen-ciphertext attack, and (iii) authenticated encryption. The restriction of each definition to the classical setting is at least as strong as the corresponding classical notion: (i) implies INT-CTXT, (ii) implies IND-CCA2, and (iii) implies AE. All of our new notions also imply QIND-CPA privacy. Combining one-time authentication and classical pseudorandomness, we construct schemes for each of these new quantum security notions, and provide several separation examples. Along the way, we also give a new definition of one-time quantum authentication which, unlike all previous approaches, authenticates ciphertexts rather than plaintexts.

%8 2017/09/19
%G eng
%U https://arxiv.org/abs/1709.06539

%0 Conference Paper
%B Computational Security of Quantum Encryption. In: Nascimento A., Barreto P. (eds) Information Theoretic Security.
%D 2016
%T Computational Security of Quantum Encryption
%A Gorjan Alagic
%A Anne Broadbent
%A Bill Fefferman
%A Tommaso Gagliardoni
%A Christian Schaffner
%A Michael St. Jules
%X

Quantum-mechanical devices have the potential to transform cryptography. Most research in this area has focused either on the information-theoretic advantages of quantum protocols or on the security of classical cryptographic schemes against quantum attacks. In this work, we initiate the study of another relevant topic: the encryption of quantum data in the computational setting. In this direction, we establish quantum versions of several fundamental classical results. First, we develop natural definitions for private-key and public-key encryption schemes for quantum data. We then define notions of semantic security and indistinguishability, and, in analogy with the classical work of Goldwasser and Micali, show that these notions are equivalent. Finally, we construct secure quantum encryption schemes from basic primitives. In particular, we show that quantum-secure one-way functions imply IND-CCA1-secure symmetric-key quantum encryption, and that quantum-secure trapdoor one-way permutations imply semantically-secure public-key quantum encryption.

%B Computational Security of Quantum Encryption. In: Nascimento A., Barreto P. (eds) Information Theoretic Security.
%8 2016/11/10
%G eng
%U https://link.springer.com/chapter/10.1007%2F978-3-319-49175-2_3