Christian Matt

Causal Boxes: Quantum Information-Processing Systems Closed Under Composition

Complex information-processing systems, for example, quantum circuits, cryptographic protocols, or multi-player games, are naturally described as networks composed of more basic information-processing systems. A modular analysis of such systems requires a mathematical model of systems that is closed under composition, i.e., a network of these objects is again an object of the same type. We propose such a model and call the corresponding systems <italic>causal boxes</italic>. Causal boxes capture superpositions of causal structures, e.g., messages sent by a causal box <inline-formula> <tex-math notation=LaTeX>

Augmented Secure Channels and the Goal of the TLS 1.3 Record Layer

A

Idealizing Identity-Based Encryption

</tex-math></inline-formula> can be in a superposition of different orders or in a superposition of being sent to box <inline-formula> <tex-math notation=LaTeX>

Strengthening Access Control Encryption

B

A Definitional Framework for Functional Encryption

</tex-math></inline-formula> and box <inline-formula> <tex-math notation=LaTeX>

Robust Authenticated Encryption and the Limits of Symmetric Cryptography

C

Toward an algebraic theory of systems

</tex-math></inline-formula>. Furthermore, causal boxes can model systems whose behavior depends on time. By instantiating the abstract cryptography framework with causal boxes, we obtain the first composable security framework that can handle arbitrary quantum protocols and relativistic protocols.

The one-time pad revisited

Motivated by the wide adoption of authenticated encryption and TLS, we suggest a basic channel abstraction, an augmented secure channeli¾?ASC, that allows a sender to send a receiver messages consisting of two parts, where one is privacy-protected and both are authenticity-protected. Working in the tradition of constructive cryptography, we formalize this idea and provide a construction of this kind of channel using the lower-level tool authenticated-encryption. n nWe look at recent proposals on TLSi¾?1.3 and suggest that the criterion by which their security can be judged is quite simple: do they construct an ASC? Due to this precisely defined goal, we are able to give a natural construction that comes with a rigorous security proof and directly leads to a proposal on TLSi¾?1.3 that is provably secure.

A Constructive Approach to Functional Encryption.

We formalize the standard application of identity-based encryption IBE, namely non-interactive secure communication, as realizing an ideal system which we call delivery controlled channel DCC. This system allows users to be registered by a central authority for an identity and to send messages securely to other users only known by their identity. n nQuite surprisingly, we show that existing security definitions for IBE are not sufficient to realize DCC. In fact, it is impossible to do so in the standard model. We show, however, how to adjust any IBE scheme that satisfies the standard security definition IND-ID-CPA to achieve this goal in the random oracle model. n nWe also show that the impossibility result can be avoided in the standard model by considering a weaker ideal system that requires all users to be registered in an initial phase before any messages are sent. To achieve this, a weaker security notion, which we introduce and call IND-ID1-CPA, is actually sufficient. This justifies our new security definition and might open the door for more efficient schemes. We further investigate which ideal systems can be realized with schemes satisfying the standard notion and variants of selective security. n nAs a contribution of independent interest, we show how to model features of an ideal system that are potentially available to dishonest parties but not guaranteed, and which such features arise when using IBE.

Augmented Secure Channels and the Goal of the TLS 1.3 Record Layer.

Access control encryption (ACE) was proposed by Damgard et al. to enable the control of information flow between several parties according to a given policy specifying which parties are, or are not, allowed to communicate. By involving a special party, called the sanitizer, policy-compliant communication is enabled while policy-violating communication is prevented, even if sender and receiver are dishonest. To allow outsourcing of the sanitizer, the secrecy of the message contents and the anonymity of the involved communication partners is guaranteed.