Re: QC-proof cipher?



Stefan Tillich wrote:

Peter Fairbrother wrote:

Alice has to authenticate herself to Bob. Alice will lose benefit if she
fails to authenticate, i.e. keep the secret.

What has keeping a secret to do with authentication?

In this case Bob gives Alice a secret - in order to authenticate herself to
Bob at a later time, Alice proves that she knows the secret.

That's how most if not all cryptographic signature and authentication
schemes work - the signer/authenticated person proves she knows a secret.

In order to avoid someone else pretending to be her, Alice must keep the
secret secret.

Maybe you could explain your security goals in more detail.

It isn't that complex - Bob and Alice share a secret. At some future time
Alice (or her heir) will prove to Bob (or his heir) that she knows the
secret, and Bob will give Alice (or rather the first person who can prove
she knows the secret) a benefit.

Alice keeps the secret, and Bob keeps some data relating to the secret,
presumably calculated from the secret. Bob can't keep the secret itself as
his data store does not have confidentiality, and an attacker could get
Bob's copy of the secret and use it to pretend to be Alice.

Alice uses her copy of the secret and Bob's data to prove that she knows the
secret. But Bob doesn't know the secret itself any more, just the data
relating to it.

This might be a long time in the future, after quantum computers have become
commonplace.

Assume multiple attackers with maximum possible resources.

Think of a numbered account in a bank with a hundred trillion dollars in it,
where Alice is the account holder and Bob is the bank. One difference: to
prove that Bob is honest, data sufficient that any person who knows the
secret can prove she knows the secret is inscribed on a monument for
everyone to see.

E.g., if a hash is on the monument, and Alice can provide a preimage. Anyone
providing a preimage gets the money.


Can't use OTP as Bob may not have confidentiality, although he does have
assurance.

Assurance of what?

Assurance that his copy of the stored data is the data he stored, and not a
forgery. Bit like data integrity.

Can't use PK as we assume QCs are available. Any other
suggestions?

Have a look here:
http://postquantum.cr.yp.to/

Aargh - just too late!!

Ta anyway


--
Peter Fairbrother


Regards

Stefan Tillich
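
The monument idea in the post (publish a hash, claim by revealing a preimage) generalises to a Lamport one-time signature, which binds the proof to one specific claim, so a revealed preimage is of no use for any other claim. This is an added example, not part of the original post; the function names, the sample claim strings and the choice of SHA3-512 are assumptions.

```python
import hashlib
import secrets

N = 512  # one pair of secret values per bit of the SHA3-512 claim digest


def H(data: bytes) -> bytes:
    # Assumption: SHA3-512, so a Grover-style preimage search still costs ~2^256.
    return hashlib.sha3_512(data).digest()


def keygen():
    """Alice keeps `secret`; `monument` (hashes only) can be public."""
    secret = [(secrets.token_bytes(64), secrets.token_bytes(64)) for _ in range(N)]
    monument = [(H(a), H(b)) for a, b in secret]
    return secret, monument


def claim_bits(claim: bytes):
    digest = H(claim)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def prove(secret, claim: bytes):
    """Reveal one preimage per claim bit. A key must sign only one claim."""
    return [secret[i][bit] for i, bit in enumerate(claim_bits(claim))]


def verify(monument, claim: bytes, proof) -> bool:
    """Bob, or anyone reading the monument, checks the revealed preimages."""
    if len(proof) != N:
        return False
    return all(H(p) == monument[i][bit]
               for i, (p, bit) in enumerate(zip(proof, claim_bits(claim))))


if __name__ == "__main__":
    secret, monument = keygen()
    claim = b"release the benefit to claimant #1"  # constructed sample claim
    proof = prove(secret, claim)
    print(verify(monument, claim, proof))
    print(verify(monument, b"release it to someone else", proof))
```

The monument holds only hashes, so it needs integrity but not confidentiality, which matches the constraint on Bob's data store.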
