
arxiv: 2605.03230 · v2 · pith:33GKW5RFnew · submitted 2026-05-04 · 💻 cs.CR

SILMARILS: Information-Theoretic and Quantum-Secure Designated-Verifier Signatures

Pith reviewed 2026-05-20 23:19 UTC · model grok-4.3

classification 💻 cs.CR
keywords: designated-verifier signatures, transferable signatures, information-theoretic security, Shamir secret sharing, quantum random oracle model, simulation-based security, blockchain authentication

The pith

SILMARILS builds transferable designated-verifier signatures from Shamir secret sharing over finite fields that stay secure for non-designated parties even against quantum attackers.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper constructs a signature scheme called SILMARILS from a simple algebraic structure over the finite field F_p that uses true randomness and 2-out-of-2 secret sharing. In the two-party case it produces transferable designated-verifier signatures: the designated verifier can simulate real-looking transcripts that no outsider can distinguish from genuine signatures, even after the verifier publishes a receipt. The paper proves that non-designated parties cannot forge signatures in both the classical and quantum random-oracle models, while the three-party version yields a statistically secure protocol with simulation-based security. A sympathetic reader would care because the construction stays lightweight and avoids the heavy assumptions of standard post-quantum signature schemes, making it attractive for blockchain authentication tasks that need designated verification without public forgery.

Core claim

SILMARILS realizes a transferable designated-verifier signature scheme achieving Jakobsson-Sako-Impagliazzo DV security, with EUF-CMA^¬DV security for all non-designated verifiers in both ROM and QROM, and a statistically secure signature protocol with simulation-based security and error 1/p in the three-party broadcast model.

What carries the argument

The minimal algebraic core over F_p together with perfect 2-out-of-2 Shamir secret sharing, which lets the designated verifier simulate indistinguishable transcripts while preserving unforgeability for everyone else.

If this is right

  • Non-designated verifiers obtain EUF-CMA^¬DV security in both the random oracle model and the quantum random oracle model.
  • The designated verifier can produce simulated accepting transcripts that remain indistinguishable from real ones even after publishing the receipt.
  • In the three-party broadcast setting the protocol achieves simulation-based security with statistical error 1/p against quantum adversaries that have classical input-output access.
  • Keys and signatures remain compact enough for lightweight authentication in blockchain environments.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same secret-sharing core could be reused to build other lightweight multi-party primitives that require simulation by one designated party.
  • Practical deployments would need to verify that true randomness sources remain quantum-resistant when feeding the algebraic core.
  • If the broadcast model of Fitzi et al. holds in real networks, the three-party mode could support new forms of private multi-party authentication.

Load-bearing premise

The security reductions assume that 2-out-of-2 Shamir secret sharing over F_p remains perfectly secret and that true random bits stay hidden even when the adversary has quantum power but only classical input-output.
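
The perfect-secrecy premise can be checked directly on a small field. The Python below is an added illustration, not code from the paper or its repository, and it does not implement SILMARILS itself: it shares and reconstructs an element of F_p with 2-out-of-2 Shamir sharing and verifies by exhaustive enumeration that a single share is uniformly distributed whatever the secret. The prime, the evaluation points 1 and 2, and the use of `secrets` as a stand-in for true randomness are assumptions.

```python
"""2-out-of-2 Shamir secret sharing over F_p with an exhaustive secrecy check."""
import secrets
from collections import Counter

# Assumed demo parameters (not taken from the paper): the Mersenne prime
# 2^127 - 1 as field size, and evaluation points 1 and 2 for the two parties.
P = 2**127 - 1
X1, X2 = 1, 2


def share(secret, p=P, coeff=None):
    """Split `secret` into two points on the line f(x) = secret + coeff*x."""
    if not 0 <= secret < p:
        raise ValueError("secret must be an element of F_p")
    # The page assumes true randomness; an OS CSPRNG stands in for it here.
    a = secrets.randbelow(p) if coeff is None else coeff
    return (X1, (secret + a * X1) % p), (X2, (secret + a * X2) % p)


def reconstruct(s1, s2, p=P):
    """Recover f(0) from both shares by Lagrange interpolation."""
    (x1, y1), (x2, y2) = s1, s2
    if (x1 - x2) % p == 0:
        raise ValueError("shares must use distinct evaluation points mod p")
    inv = pow((x2 - x1) % p, -1, p)
    # f(0) = (y1*x2 - y2*x1) / (x2 - x1) in F_p
    return ((y1 * x2 - y2 * x1) * inv) % p


def single_share_views(p, index):
    """For each secret, tally the values party `index` sees over all coeffs."""
    return {
        s: Counter(share(s, p, coeff=a)[index][1] for a in range(p))
        for s in range(p)
    }


def is_perfectly_secret(p):
    """True iff each party's share is uniform on F_p for every secret.

    Uniformity for every secret means the share's distribution does not
    depend on the secret, which is perfect secrecy against one shareholder.
    """
    for index in (0, 1):
        for counts in single_share_views(p, index).values():
            if len(counts) != p or set(counts.values()) != {1}:
                return False
    return True


if __name__ == "__main__":
    s1, s2 = share(123456789)
    print("reconstructed:", reconstruct(s1, s2))
    print("perfectly secret over F_251:", is_perfectly_secret(251))
    # Edge case: with p = 2 the point x = 2 is 0 mod p, so party 2's share
    # equals the secret and secrecy fails. Evaluation points must be nonzero
    # and distinct modulo p.
    print("perfectly secret over F_2:", is_perfectly_secret(2))
```
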

What would settle it

An explicit algorithm that, given only the public key and a transcript from a non-designated verifier, outputs a valid forgery that the designated verifier cannot simulate or a simulated transcript that an external party can distinguish from a real signature with probability noticeably larger than 1/p.

Figures

Figures reproduced from arXiv: 2605.03230 by Chen Feng, Dariia Porechna, Hassan Khodaiemehr, Khadijeh Bagheri.

Figure 1: Ideal three-party digital-signature functionality

Original abstract

SILMARILS is built from a minimal algebraic core over $\mathbb{F}_p$ using true randomness and perfect $2$-out-of-$2$ Shamir secret sharing. The framework supports both two-party and three-party modes. In the two-party setting, SILMARILS realizes a transferable designated-verifier (TDV) signature scheme. The designated verifier can simulate accepting transcripts indistinguishable from real ones, achieving Jakobsson-Sako-Impagliazzo DV security. The verifier may publish a receipt $r$ enabling public verification, yet even with $r$, no external party can tell whether a transcript was signed or simulated. As DV signatures permit simulation, standard EUF-CMA cannot hold for the designated verifier; instead, we prove $\mathsf{EUF\text{-}CMA}^{\neg\mathsf{DV}}$ security for all non-designated verifiers in both the random oracle model (ROM) and quantum random oracle model (QROM). In the three-party mode, adopting the broadcast model of Fitzi et al., we obtain a statistically secure signature protocol with simulation-based security and error $1/p$. We analyze security in the Pure IT model, the IT+ROM, and the QROM, extending the Fitzi et al. framework to quantum adversaries with classical I/O. Correctness, secrecy, transferability, and unforgeability for non-designated parties remain equivalent to simulation-based security. Thanks to its simple algebraic structure, SILMARILS offers very compact keys and signatures for the blockchain settings we target, where standardized PQC schemes are already more than sufficient. Our goal is not to compare SILMARILS with PQC, but to highlight its suitability for lightweight TDV authentication. A fair comparison with other DV schemes is omitted due to space and the complexity of aligning models.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript presents SILMARILS, a framework for transferable designated-verifier signatures constructed from 2-out-of-2 Shamir secret sharing over F_p with true randomness. In two-party mode it realizes Jakobsson-Sako-Impagliazzo DV security together with EUF-CMA^¬DV for non-designated verifiers in both ROM and QROM; in three-party mode, using an extension of the Fitzi et al. broadcast model to quantum adversaries with classical I/O, it yields a statistically secure signature protocol with simulation-based security and error 1/p. Security is analyzed in the pure IT, IT+ROM, and QROM models, with emphasis on compact keys and signatures for blockchain settings.

Significance. If the claimed reductions are correct, the construction supplies a lightweight, algebraically simple DV scheme that simultaneously achieves statistical simulation security, transferability, and QROM unforgeability for non-DV parties, offering a targeted alternative to general-purpose PQC signatures when only designated-verifier functionality is required.

major comments (2)
  1. [§5.3] §5.3 (QROM extension of Fitzi broadcast model): the manuscript asserts that perfect 2-out-of-2 Shamir secrecy composes with the broadcast model to preserve simulation-based security (error 1/p) against quantum adversaries restricted to classical I/O; however, no explicit bound is given on the distinguishing advantage when the adversary issues superposition queries to the random oracle while the underlying shares remain classical. This reduction step is load-bearing for the claimed equivalence between simulation security and EUF-CMA^¬DV for non-designated verifiers.
  2. [§6] §6 (Equivalence of security notions): correctness, secrecy, transferability, and unforgeability for non-DV parties are stated to be equivalent to simulation-based security, yet the argument relies on the QROM extension without exhibiting the concrete simulator or hybrid argument that handles classical message interfaces for quantum adversaries. This equivalence is central to the three-party security claim.
minor comments (2)
  1. The abstract claims 'very compact keys and signatures' but provides no concrete bit-lengths or comparison table; adding a small table of sizes for typical p would strengthen the blockchain suitability argument.
  2. Notation EUF-CMA^¬DV is used without a self-contained definition in the preliminaries; a short formal statement would improve readability.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the thorough review and insightful comments on our manuscript. We are grateful for the opportunity to address the concerns raised regarding the QROM extension and the equivalence of security notions. Below, we provide point-by-point responses to the major comments and outline the revisions we will make to strengthen the presentation.

  1. Referee: [§5.3] §5.3 (QROM extension of Fitzi broadcast model): the manuscript asserts that perfect 2-out-of-2 Shamir secrecy composes with the broadcast model to preserve simulation-based security (error 1/p) against quantum adversaries restricted to classical I/O; however, no explicit bound is given on the distinguishing advantage when the adversary issues superposition queries to the random oracle while the underlying shares remain classical. This reduction step is load-bearing for the claimed equivalence between simulation security and EUF-CMA^¬DV for non-designated verifiers.

    Authors: We appreciate the referee pointing out the need for an explicit bound. The composition relies on the perfect statistical secrecy of the 2-out-of-2 Shamir shares over F_p together with the classical I/O restriction in the extended Fitzi broadcast model. Superposition queries to the random oracle are handled via standard QROM simulation techniques that do not disturb the classical shares, yielding an overall distinguishing advantage of at most 1/p + negl(λ). To make the argument fully explicit, we will insert a detailed hybrid argument and the concrete bound into the revised §5.3. revision: yes

  2. Referee: [§6] §6 (Equivalence of security notions): correctness, secrecy, transferability, and unforgeability for non-DV parties are stated to be equivalent to simulation-based security, yet the argument relies on the QROM extension without exhibiting the concrete simulator or hybrid argument that handles classical message interfaces for quantum adversaries. This equivalence is central to the three-party security claim.

    Authors: We agree that exhibiting the concrete simulator and the hybrid argument would improve clarity and rigor. In the three-party mode the simulation-based security (error 1/p) implies the remaining properties via standard reductions that preserve classical message interfaces. We will add an explicit description of the simulator (which leverages the broadcast channel to produce consistent classical shares) together with the sequence of hybrids in the revised §6. revision: yes

Circularity Check

0 steps flagged

No circularity: security reductions rest on external primitives


The paper constructs SILMARILS directly from the perfect secrecy of 2-out-of-2 Shamir secret sharing over F_p, true randomness, and the Fitzi et al. broadcast model (extended to QROM with classical I/O). Security claims for EUF-CMA^¬DV in ROM/QROM and simulation-based security (error 1/p) are derived via standard reductions to these independent assumptions rather than by redefining outputs in terms of inputs or fitting parameters. No self-definitional loops, fitted predictions, or load-bearing self-citations appear in the derivation chain; the algebraic core and model extensions remain self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

1 free parameter · 2 axioms · 0 invented entities

The central claims rest on the perfect security of Shamir secret sharing and the existence of true randomness; no new entities are introduced, and the only free parameter is the field prime p, chosen for the security level.

free parameters (1)
  • p
    Prime defining the finite field F_p; its size is chosen to achieve the target security level and error probability 1/p.
axioms (2)
  • [standard math] Perfect secrecy of 2-out-of-2 Shamir secret sharing
    Invoked as the minimal algebraic core that enables the simulation property and information-theoretic security.
  • [domain assumption] Availability of true randomness
    Required for the construction to achieve perfect sharing and simulation indistinguishability.

pith-pipeline@v0.9.0 · 5873 in / 1571 out tokens · 52950 ms · 2026-05-20T23:19:46.201293+00:00 · methodology

