## CryptoDB

### Claude Crépeau

#### Publications

Year
Venue
Title
2015
EPRINT
2015
EPRINT
2011
ASIACRYPT
2006
EUROCRYPT
2006
EUROCRYPT
2006
EPRINT
The standard security definition of unconditional secure function evaluation, which is based on the ideal/real model paradigm, has the disadvantage of being overly complicated to work with in practice. On the other hand, simpler ad-hoc definitions tailored to special scenarios have often been flawed. Motivated by this unsatisfactory situation, we give an information-theoretic security definition of secure function evaluation which is very simple yet provably equivalent to the standard, simulation-based definitions.
2005
EUROCRYPT
2004
TCC
2003
JOFC
2002
EPRINT
Authentication is a well-studied area of classical cryptography: a sender A and a receiver B sharing a classical private key want to exchange a classical message with the guarantee that the message has not been modified or replaced by a dishonest party with control of the communication line. In this paper we study the authentication of messages composed of quantum states. We give a formal definition of authentication in the quantum setting. Assuming A and B have access to an insecure quantum channel and share a private, classical random key, we provide a non-interactive scheme that both enables A to encrypt and authenticate (with unconditional security) an m qubit message by encoding it into m+s qubits, where the probability decreases exponentially in the security parameter s. The scheme requires a private key of size 2m+O(s). To achieve this, we give a highly efficient protocol for testing the purity of shared EPR pairs. It has long been known that learning information about a general quantum state will necessarily disturb it. We refine this result to show that such a disturbance can be done with few side effects, allowing it to circumvent cryptographic protections. Consequently, any scheme to authenticate quantum messages must also encrypt them. In contrast, no such constraint exists classically: authentication and encryption are independent tasks, and one can authenticate a message while leaving it publicly readable. This reasoning has two important consequences: On one hand, it allows us to give a lower bound of 2m key bits for authenticating m qubits, which makes our protocol asymptotically optimal. On the other hand, we use it to show that digitally signing quantum states is impossible, even with only computational security.
2002
EPRINT
We present extremely simple ways of embedding a backdoor in the key generation scheme of RSA. Three of our schemes generate two genuinely random primes $p$ and $q$ of a given size, to obtain their public product $n=pq$. However, they generate private/public exponent pairs $(d,e)$ in such a way that appears very random while allowing the author of the scheme to easily factor $n$ given only the public information $(n,e)$. Our last scheme, similar to the PAP method of Young and Yung, but more secure, works for any public exponent $e$ such as $3,17,65537$ by revealing the factorization of $n$ in its own representation. This suggests that nobody should rely on RSA key generation schemes provided by a third party.
2001
EUROCRYPT
1997
EUROCRYPT
1997
EUROCRYPT
1997
EPRINT
The Wire-Tap Channel of Wyner shows that a Binary Symmetric Channel may be used as a basis for exchanging a secret key. Later, Crepeau and Kilian showed how a BSC may be used to implement Oblivious Transfer. Unfortunately, this result is rather impractical as it requires $n^{11}$ bits to be sent through the BSC to accomplish a single OT. The current paper provides efficient protocols to achieve Bit Commitment and Oblivious Transfer based on the existence of a BSC. Our protocols respectively use the BSC $n$ times and $n^3$ times. These results are based on a technique known as Generalized Privacy Amplification.
1996
EPRINT
Assume A owns t secret k-bit strings. She is willing to disclose one of them to B, at his choosing, provided he does not learn anything about the other strings. Conversely, B does not want A to learn which secret he chose to learn. A protocol for the above task is said to implement One-out-of-t String Oblivious Transfer. An apparently simpler task corresponds to the case k=1 and t=2 of two one-bit secrets: this is known as One-out-of-two Bit OT. We address the question of implementing the former assuming the existence of the latter. In particular, we prove that the general protocol can be implemented from O(tk) calls to One-out-of-two Bit OT. This is optimal up to a small multiplicative constant. Our solution is based on the notion of self-intersecting codes. Of independent interest, we give several efficient new constructions for such codes. Another contribution of this paper is a set of information-theoretic definitions for correctness and privacy of unconditionally-secure oblivious transfer.
1996
JOFC
1995
CRYPTO
1995
EUROCRYPT
1993
CRYPTO
1991
CRYPTO
1991
EUROCRYPT
1990
CRYPTO
1989
EUROCRYPT
1989
EUROCRYPT
1989
EUROCRYPT
1988
CRYPTO
1988
JOFC
1987
CRYPTO
1987
CRYPTO
1986
CRYPTO
1986
CRYPTO
1986
CRYPTO
1986
CRYPTO
1985
CRYPTO

Eurocrypt 2004
CHES 2004
Crypto 2001
PKC 2001
Eurocrypt 1999
Eurocrypt 1996
Eurocrypt 1994
Eurocrypt 1990
Crypto 1989