|
|
| Line 1: |
Line 1: |
| The '''noisy-storage model'''<ref name="initial">{{cite journal|last=Wehner|first=S.|coauthors=C. Schaffner, B. Terhal|title=Cryptography from noisy-storage|journal=Physical Review Letters|year=2008|volume=100|pages=220502|doi=10.1103/PhysRevLett.100.220502|arxiv=0711.2895|issue=22|pmid=18643410}}</ref> refers to a cryptographic model employed in [[quantum cryptography]]. It assumes that the quantum memory device of an attacker ([[Adversary (cryptography)|adversary]]) trying to break the protocol is imperfect (noisy).
| |
| The main goal of this model is to enable the secure implementation of two-party cryptographic primitives, such as [[bit commitment]], [[oblivious transfer]] and [[Smart_Card#Applications|secure identification]].
| |
|
| |
|
| ==Motivation==
| |
| Quantum communication has proven to be extremely useful when it comes to distributing encryption keys. It allows two distant parties Alice and Bob to expand a small initial [[secret key]] into an arbitrarily long secret key by sending [[qubits]] (quantum bits) to each other. Most importantly, it can be shown that any [[eavesdropper]] trying to listen into their communication cannot intercept any information about the long key. This is known as [[quantum key distribution]] (QKD).
| |
|
| |
|
| Yet, it has been shown that even quantum communication does not allow the secure implementation of many other two-party cryptographic tasks.<ref name="bitcom1">
| | Shares in LVMH, the world's biggest luxury goods group, fell sharply on Wednesday after an unexpected slowdown in sales growth at its fashion and leather business, which includes the Louis Vuitton, [http://www.pcs-systems.co.uk/Images/celinebag.aspx Celine handbags] and Dior brands.<br>The share price was down 6.4 percent at 135.50 euros by 1140 GMT, a six-week low and wiping around 4.8 billion euros ($6.5 billion)off the market value of France's fourth-biggest listed company.<br>The group, which also owns Ruinart champagne and Hennessy cognac, saw sales growth at the fashion and leather division slide to 3 percent in the third quarter, against expectations of 7 to 8 percent.<br>In a conference call, Chief Financial Officer Jean-Jacques Guiony blamed price increases in Japan for the slowdown, as well as softer demand for some brands.<br>However, one London-based analyst noted that Japan accounted for only around 15 percent of LVMH's fashion and leather sales, "so we did not get a full explanation".<br>LVMH has been trying to stem a decline in Louis Vuitton's sales growth by introducing new and pricier leather bags, which analysts expected would lead to [http://www.Wikipedia.org/wiki/short-term+losses short-term losses] in sales.<br>"I understand that the repositioning of Louis Vuitton takes time and may be a bumpy ride," said Exane BNP Paribas analyst Luca Solca.<br>Before the results were announced, LVMH shares were up 4.4 percent since Jan. 1, underperforming the overall luxury sector, which was up more than 20 percent.<br>Analysts said concerns about the future growth of Louis Vuitton had been exacerbated by the announcement this month that it was parting company with its star designer, Marc Jacobs.<br><br>SUPPLY CONSTRAINTS<br>Guiony said the recent launch of new leather collections had not come in time to have a meaningful impact on sales, and acknowledged that production was constrained by a lack of high-quality leather.<br>"Without these supply constraints, we would produce more than what we do," Guiony said.<br>Louis Vuitton shop assistants polled by Reuters last month said they had been provided with only a small number of new handbags, such as the Capucines model, priced at 3,500 euros, which had flown off the shelves.<br>LVMH has been buying tanneries to secure supplies but experts say the market is under pressure partly because the number of calves raised and slaughtered is driven more by demand for meat -- which has been in decline -- than by demand for quality hides.<br>In addition, China, the luxury industry's main driver since the late 2000s, has started to run out of steam in the last year due to an economic slowdown and a government crackdown on gift-giving.<br>Guiony said Vuitton's sales in mainland China were "flattish" but, thanks to sales to Chinese tourists, overall sales growth to Chinese customers was in the "mid-single digits plus".<br>Guiony said trends in watches and jewellery had slightly improved in China, but not in fashion and leather.<br>He said trading remained difficult in Europe, particularly for perfume and cosmetics, where sales were "flattish".<br>LVMH's overall sales grew 2 percent in the third quarter. Organic growth was 8 percent, of which 6 percentage points were accounted for by the relative weakness of the U.S. dollar and the [http://www.dict.cc/?s=Japanese+yen Japanese yen] against the euro. ($1=0.7406 euros) (Additional reporting by James Regan; Editing by James Jukwey and Kevin Liffey) |
| {{cite journal|
| |
| last=Lo|
| |
| first=H.|
| |
| coauthors = H. Chau|
| |
| title = Is quantum bit commitment really possible?|
| |
| journal = Physical Review Letters|
| |
| volume = 78|
| |
| pages = 3410|
| |
| year = 1997|
| |
| doi=10.1103/PhysRevLett.78.3410|
| |
| issue=17
| |
| }}
| |
| </ref><ref name="lo2">
| |
| {{cite journal|
| |
| last=Lo|
| |
| first=H|
| |
| title = Insecurity of Quantum Secure Computations|
| |
| journal = Physical Review A|
| |
| volume = 56|
| |
| pages = 1154|
| |
| year = 1997|
| |
| doi=10.1103/PhysRevA.56.1154|
| |
| issue=2
| |
| }}
| |
| </ref><ref name="mayers2">
| |
| {{cite journal|
| |
| last=Mayers|
| |
| first=D.|
| |
| title = Unconditionally Secure Quantum Bit Commitment is Impossible|
| |
| journal = Physical Review Letters|
| |
| volume = 78|
| |
| pages = 3414––3417|
| |
| year = 1997|
| |
| doi=10.1103/PhysRevLett.78.3414|
| |
| issue=17
| |
| }}
| |
| </ref><ref name="qbc">
| |
| {{cite journal|
| |
| last=D'Ariano|
| |
| first=G.|
| |
| coauthors=D. Kretschmann and D. Schlingemann and R.F. Werner|
| |
| title = Quantum Bit Commitment Revisited: the Possible and the Impossible|
| |
| url = http://www.arXiv.org/abs/quant-ph/0605224v2|
| |
| journal = Physical Review A|
| |
| volume = 76|
| |
| pages = 032328|
| |
| year=2007|
| |
| doi=10.1103/PhysRevA.76.032328|
| |
| issue=3
| |
| }}
| |
| </ref> These all form instances of [[secure function evaluation]]. An example is [[oblivious transfer]]. What sets these tasks apart from key distribution is that they aim to solve problems between two parties, Alice and Bob, who do ''not'' trust each other. That is, there is no outside party like an [[eavesdropper]], only Alice and Bob. Intuitively, it is this lack of trust that makes the problem hard. Unlike in [[quantum key distribution]], Alice and Bob cannot collaborate to try and detect any eavesdropping activity. Instead, each party has to fend for himself. | |
| | |
| Since tasks like [[Smart_Card#Applications|secure identification]] are of practical interest, one is willing to make assumptions on how powerful the [[Adversary (cryptography)|adversary]] can be. Security then holds as long as these assumptions are satisfied. In classical cryptography, i.e., without the use of quantum tools, most of these are [[Computational hardness assumption|computational assumptions]]. Such assumptions consists of two parts. First, one assumes that a particular problem is difficult to solve. For example, one might assume that it is hard to [[Integer factorization|factor]] a large [[integer]] into its [[prime]] factors (e.g. 15=5x3). Second, one assumes that the adversary has a limited amount of computing power, namely less than what is (thought to be) required to solve the chosen problem.
| |
| | |
| ===Bounded storage ===
| |
| In [[information theoretic security|information theoretic cryptography]] physical assumptions appear, which do not rely on any hardness assumptions, but merely assume a limit on some other resource. In classical cryptography, the '''bounded-storage model''' introduced by [[Ueli Maurer (cryptographer)|Ueli Maurer]] assumes that the [[Adversary (cryptography)|adversary]] can only store a certain number of classical bits.<ref name="maurer92">
| |
| {{cite journal|
| |
| last=Maurer|
| |
| first=U.|
| |
| title = Conditionally-Perfect Secrecy and a Provably-Secure Randomized Cipher|
| |
| journal = Journal of Cryptology|
| |
| pages = 53––66|
| |
| volume = 5|
| |
| year = 1992|
| |
| issue = 1
| |
| }}
| |
| </ref><ref name="maurer97">
| |
| {{cite journal|
| |
| last=Cachin|
| |
| first=C.|
| |
| coauthors = U. Maurer|
| |
| title = Unconditional Security Against Memory-Bounded Adversaries|
| |
| journal=Proceedings of CRYPTO 1997|
| |
| year=1997|
| |
| pages=292–306
| |
| }}
| |
| </ref> Protocols are known that do (in principle) allow the secure implementation of any cryptographic task as long as the adversary's storage is small. Very intuitively, security becomes possible under this assumption since the adversary has to make a choice which information to keep. That is, the protocol effectively overflows his memory device leading to an inevitable lack on information for the adversary. It was later discovered that any classical [[Protocol (object-oriented programming)|protocol]] which requires the honest parties to store <math>n</math> bits in order to execute it successfully can be broken by an adversary that can store more than about <math>O(n^2)</math> bits.<ref name="maurerimposs"> | |
| {{cite journal|
| |
| last=Dziembowski|
| |
| first=S.|
| |
| coauthors = U. Maurer|
| |
| title = On Generating the Initial Key in the Bounded-Storage Model|
| |
| journal = Proceedings of EUROCRYPT|
| |
| year=2004|
| |
| pages=126–137
| |
| }}
| |
| </ref> That is, the gap between what is required to execute the protocol, and what is required to break the security is relatively small.
| |
| | |
| ===Bounded quantum storage===
| |
| This gap changes dramatically when using [[quantum communication]]<ref name="bounded">
| |
| {{cite journal|
| |
| first=Damgaard|
| |
| last=I.|
| |
| coauthors= S. Fehr and L. Salvail and C. Schaffner|
| |
| title = Cryptography in the Bounded-Quantum-Storage Model|
| |
| year = 2005|
| |
| journal = Proceedings of 46th IEEE Symposium on Foundations of Computer Science|
| |
| pages = 449–458|
| |
| url = http://www.arXiv.org/abs/quant-ph/0508222v2
| |
| }}
| |
| </ref>
| |
| . That is, Alice and Bob can send [[qubit]]s to each other as part of the protocol. Likewise, one now assumes that the adversary's quantum storage is limited to a certain number of qubits. There is no restriction on how many classical bits the adversary can store. This is known as the '''bounded-''quantum''-storage model'''.<ref name=bounded/><ref name="damgardHighOrder">
| |
| {{cite journal|
| |
| last = Damgaard|
| |
| first = I.|
| |
| coauthors = S. Fehr and R. Renner and L. Salvail and C. Schaffner|
| |
| title = A Tight High-Order Entropic Quantum Uncertainty Relation With Applications|
| |
| journal = Proceedings of CRYPTO 2007|
| |
| pages = 360––378|
| |
| year = 2007|
| |
| url = http://www.arXiv.org/abs/quant-ph/0612014v2
| |
| }}
| |
| </ref> It was shown that there exist quantum protocols in which the honest parties need ''no'' quantum storage at all to execute them, but are nevertheless secure as long as Alice transmits more than twice the number of qubits than the adversary can store.
| |
| | |
| ===Noisy storage===
| |
| More generally, security is possible as long as the amount of information that the adversary can store in his memory device is limited. This intuition is captured by the '''noisy-storage model''',<ref name=initial/> which includes the bounded-quantum-storage model as a special case.<ref name="unconditional">
| |
| {{cite journal|
| |
| last=Koenig|
| |
| first=Robert|
| |
| coauthors = S. Wehner and J. Wullschleger|
| |
| url = http://www.arXiv.org/abs/0906.1030v3|
| |
| title = Unconditional security from noisy quantum storage|
| |
| year = 2009}}
| |
| </ref> Such a limitation can, for example, come about if the memory device is extremely large, but very imperfect. In [[information theory]] such an imperfect memory device is also called a [[noisy channel]]. The motivation for this more general model is threefold. First, it allows one to make statements about much more general memory devices that the adversary may have available. Second, security statements could be made when the signals transmitted, or the storage device itself, uses [[Quantum key distribution|continuous variables]] whose dimension is infinite and thus cannot be captured by a bounded storage assumption without additional constraints. Third, even if the dimension of the signals itself is small, the noisy-storage analysis allows security beyond the regime where bounded-storage itself can make any security statement. For example, if the storage channel is entanglement breaking, security is possible even if the storage device is arbitrarily large (i.e., not bounded in any way).
| |
| | |
| ==Assumption==
| |
| | |
| The assumption of the noisy-storage model is that during waiting times <math>\Delta t</math> introduced into the protocol, the [[Adversary (cryptography)|adversary]] can only store [[quantum information]] in his noisy memory device.<ref name=unconditional/> Such a device is simply a [[quantum channel]] <math>\mathcal{F}:\mathcal{S}(\mathcal{H}_{\rm in}) \rightarrow \mathcal{S}(\mathcal{H}_{\rm out})</math> that takes input [[quantum state|states]] <math>\rho_{\rm in} \in \mathcal{S}(\mathcal{H}_{\rm in})</math> to some noisy output states <math>\rho_{\rm out} \in \mathcal{S}(\mathcal{H}_{\rm out})</math>. Otherwise, the adversary is all powerful. For example, he can store an unlimited amount of classical information and perform any computation instantaneously.
| |
| | |
| [[File:NoisyStorageModel.png|right|thumb|During waiting times <math>\Delta t</math> the storage device has to be used.]]
| |
| The latter assumption also implies that he can perform any form of [[Error-correcting|error correcting encoding]] before and after using the noisy memory device, even if it is computationally very difficult to do (i.e., it requires a long time). In this context, this is generally referred to as an encoding attack <math>\mathcal{E}</math> and a decoding attack <math>\mathcal{D}</math>. Since the adversary's classical memory can be arbitrarily large, the encoding <math>\mathcal{E}</math> may not only generate some [[quantum state]] as input to the storage device <math>\mathcal{F}</math> but also output classical information. The adversary's decoding attack <math>\mathcal{D}</math> can make use of this extra classical information, as well as any additional information that the adversary may gain after the waiting time has passed.
| |
| | |
| In practise, one often considers storage devices that consist of <math>N</math> memory cells, each of which is subject to noise. In information-theoretic terms, this means that the device has the form <math>\mathcal{F} = \mathcal{N}^{\otimes N}</math>, where <math>\mathcal{N}: S(\Complex^d) \rightarrow S(\Complex^d)</math> is a noisy [[quantum channel]] acting on a memory cell of dimension <math>d</math>.
| |
| | |
| ===Examples===
| |
| | |
| * The storage device consists of <math>N</math> [[qubit]]s, each of which is subject to [[Quantum depolarizing channel|depolarizing noise]]. That is, <math>\mathcal{F} = \mathcal{N}^{\otimes N}</math>, where <math>\mathcal{N}(\rho) = \lambda \rho + (1-\lambda) \mathsf{id}/2</math> is the 2-dimensional [[Quantum depolarizing channel|depolarizing channel]].
| |
| | |
| * The storage device consists of <math>N</math> [[qubit]]s, which are noise-free. This corresponds to the special case of '''bounded-quantum-storage'''. That is, <math>\mathcal{F} = \mathsf{id}^{\otimes N}</math>, where <math>\mathsf{id}</math> is the [[identity channel]].
| |
| | |
| ==Protocols==
| |
| | |
| Most protocols proceed in two steps. First, Alice and Bob exchange <math>n</math> [[qubit]]s encoded in two or three [[mutually unbiased bases]]. These are the same encodings which are used in the [[BB84]] or six-state protocols of [[quantum key distribution]]. Typically, this takes the form of Alice sending such qubits to Bob, and Bob measuring them immediately on arrival. This has the advantage that Alice and Bob need no quantum storage to execute the protocol. It is furthermore experimentally relatively easy to create such [[qubits]], making it possible to implement such protocols using currently available technology.<ref name="curty">
| |
| {{cite journal|
| |
| last = Wehner|
| |
| first = S.|
| |
| coauthors = M. Curty and C. Schaffner and H. Lo|
| |
| journal = Physical Review A|
| |
| url = http://www.arXiv.org/abs/0911.2302v2|
| |
| pages = 052336|
| |
| title = Implementation of two-party protocols in the noisy-storage model|
| |
| volume = 81|
| |
| year = 2010|
| |
| doi = 10.1103/PhysRevA.81.052336|
| |
| issue = 5}}
| |
| </ref>
| |
| | |
| The second step is to perform classical post-processing of the measurement data obtained in step one. Techniques used depend on the protocol in question and include [[privacy amplification]], [[error-correcting codes]], min-entropy sampling, and interactive hashing.
| |
| | |
| ===General===
| |
| | |
| To demonstrate that all [[secure function evaluation|two-party cryptographic tasks]] can be implemented securely, a common approach is to show that a simple cryptographic primitive can be implemented that is known to be ''universal'' for [[secure function evaluation]]. That is, once one manages to build a protocol for such a cryptographic primitive all other tasks can be implemented by using this primitive as a basic building block. One such primitive is [[oblivious transfer]]. In turn, [[oblivious transfer]] can be constructed from an even simpler building block known as [[weak string erasure]] in combination with cryptographic techniques such as [[privacy amplification]].
| |
| | |
| All protocols proposed to date allow one of the parties (Alice) to have even an unlimited amount of noise-free quantum memory. I.e., the noisy-storage assumption is applied to only one of the parties (Bob). For storage devices of the form <math>\mathcal{F} = \mathcal{N}^{\otimes N}</math> it is known that any [[secure function evaluation|two-party cryptographic task]] can be implemented securely by means of [[weak string erasure]] and [[oblivious transfer]] whenever any of the following conditions hold.
| |
| | |
| * For bounded-quantum-storage (i.e., <math>\mathcal{N} = \mathsf{id}</math>), security can be achieved using a protocol in which Alice sends <math>n > 2N</math> [[BB84]] encoded [[qubit]]s.<ref name=unconditional/> That is, security can be achieved when Alice sends more than twice the number of qubits than Bob can store. One can also look at this from Bob's perspective and say that security can be achieved when Bob can store strictly less than half of the qubits that Alice sent, i.e., <math>N < n/2</math>.
| |
| | |
| * For bounded-quantum-storage using higher dimensional memory cells (i.e., each cell is not a [[qubit]], but a [[Qudit#Variations_of_the_qubit|qudit]]), security can be achieved in a protocol in which Alice sends <math>n</math> higher dimensional qudits encoded one of the possible [[mutually unbiased bases]]. In the limit of large dimensions, security can be achieved whenever <math>n \gtrapprox N</math>. That is, security can always be achieved as long as Bob cannot store any constant fraction of the transmitted signals.<ref name="limits">
| |
| {{cite journal|
| |
| last=Mandayam|
| |
| first=P.|
| |
| coauthors = S. Wehner|
| |
| title = Achieving the physical limits of the bounded-storage model|
| |
| journal=Physical Review A|
| |
| volume=83|
| |
| pages=022329|
| |
| year=2011|
| |
| url=http://www.arXiv.org/abs/1009.1596v2|
| |
| doi=10.1103/PhysRevA.83.022329|
| |
| issue=2
| |
| }}
| |
| </ref> This is optimal for the protocols considered since for <math>n = N</math> a dishonest Bob can store all qudits sent by Alice. It is not known whether the same is possible using merely [[BB84]] encoded qubits.
| |
| | |
| * For noisy-storage and devices of the form <math>\mathcal{F} = \mathcal{N}^{\otimes N}</math> security can be achieved using a protocol in which Alice sends <math>n</math> [[BB84]] encoded [[qubits]] if
| |
| | |
| :* <math>n > 2 \cdot N \cdot C(\mathcal{N})</math>,<ref name=unconditional/> where <math>C(\mathcal{N})</math> is the [[classical capacity]] of the [[quantum channel]] <math>\mathcal{N}</math>, and <math>\mathcal{N}</math> obeys the so-called ''strong converse property'',<ref name="converse">{{cite journal|
| |
| last=Koenig|
| |
| first=R.|
| |
| coauthors=S. Wehner|
| |
| journal = Physical Review Letters|
| |
| url = http://www.arXiv.org/abs/quant-ph/0903.2838v1|
| |
| pages = 070504|
| |
| title = A Strong Converse for Classical Channel Coding Using Entangled Inputs|
| |
| volume = 103|
| |
| year = 2009|
| |
| doi=10.1103/PhysRevLett.103.070504|
| |
| pmid=19792627|
| |
| issue=7}}
| |
| </ref> or, if | |
| | |
| :* <math>n > 2 \cdot N \cdot E_C(\mathcal{N})</math>,<ref name="entanglementcost">
| |
| {{cite journal|
| |
| first=M.|
| |
| last=Berta|
| |
| coauthors = F. Brandao and M. Christandl and S. Wehner|
| |
| title = Entanglement cost of quantum channels|
| |
| year=2011|
| |
| url = http://www.arXiv.org/abs/1108.5357
| |
| }}
| |
| </ref> where <math>E_C(\mathcal{N})</math> is the [[entanglement cost]] of the [[quantum channel]] <math>\mathcal{N}</math>. This is generally much better than the condition on the [[classical capacity]], however it is harder to evaluate <math>E_C(\mathcal{N})</math>. | |
| | |
| * For noisy-storage and devices of the form <math>\mathcal{F} = \mathcal{N}^{\otimes N}</math> security can be achieved using a protocol in which Alice sends <math>n</math> [[qubit]]s encoded in one of the three [[mutually unbiased bases]] per qubit, if
| |
| | |
| :* <math>n > Q(\mathcal{N}) N</math>,<ref name="qcap">{{cite journal|
| |
| last=Berta|
| |
| first=M.|
| |
| coauthors = O. Fawzi, and S. Wehner|
| |
| title = Quantum to classical randomness extractors|
| |
| year=2011|
| |
| arxiv =1111.2026
| |
| }}</ref> where <math>Q</math> is the [[quantum capacity]] of <math>\mathcal{N}</math>, and the strong converse parameter of <math>\mathcal{N}</math> is not too small.
| |
| | |
| The three [[mutually unbiased bases]] are the same encodings as in the six-state protocol of [[quantum key distribution]]. The last condition does form the best known condition for most channels, yet the [[quantum capacity]] as well as the strong converse parameter are generally not easy to determine.
| |
| | |
| ===Specific tasks===
| |
| | |
| Using such basic primitives as building blocks is not always the most efficient way to solve a cryptographic task. Specialized protocols targeted to solve specific problems are generally more efficient. Examples of known protocols are
| |
| | |
| * [[Bit commitment]] in the noisy-storage model,<ref name=unconditional/><ref name=limits/> and in the case of bounded-quantum-storage<ref name=damgardHighOrder/>
| |
| | |
| * [[Oblivious transfer]] in the noisy-storage model,<ref name=unconditional/> and in the case of bounded-quantum-storage<ref name=bounded/><ref name=damgardHighOrder/>
| |
| | |
| * [[Smart_Card#Applications|Secure identification]] in the bounded-quantum-storage model<ref name="secureid">
| |
| {{cite journal|
| |
| last=Damgaard|
| |
| first=I.|
| |
| coauthors = S. Fehr and L. Salvail and C. Schaffner|
| |
| title = Identification and QKD in the Bounded-Quantum-Storage Model|
| |
| journal = Proceedings of CRYPTO 2007|
| |
| pages = 342––359|
| |
| year = 2007|
| |
| url =http://www.arXiv.org/abs/0708.2557v3
| |
| }}
| |
| </ref><ref name="id2">
| |
| {{cite journal|
| |
| last=Bouman|
| |
| first=N.|
| |
| coauthors = S. Fehr, C. Gonzales-Guillen and C. Schaffner|
| |
| title = An All-But-One Entropic Uncertainty Relations, and Application to Password-based Identification|
| |
| url = http://www.arXiv.org/abs/1105.6212v1|
| |
| year=2011
| |
| }}
| |
| </ref>
| |
| | |
| ==Noisy-storage and QKD==
| |
| | |
| The assumption of bounded-quantum-storage has also been applied outside the realm of [[secure function evaluation]]. In particular, it has been shown that if the eavesdropper in [[quantum key distribution]] is memory bounded, higher bit error rates can be tolerated in an experimental implementation.<ref name=damgardHighOrder/>
| |
| | |
| ==References==
| |
| {{reflist}}
| |
| <!--- After listing your sources please cite them using inline citations and place them after the information they cite. Please see http://en.wikipedia.org/wiki/Wikipedia:REFB for instructions on how to add citations. --->
| |
| | |
| [[Category:Quantum cryptography]]
| |
| [[Category:Cryptography]]
| |
Shares in LVMH, the world's biggest luxury goods group, fell sharply on Wednesday after an unexpected slowdown in sales growth at its fashion and leather business, which includes the Louis Vuitton, Celine handbags and Dior brands.
The share price was down 6.4 percent at 135.50 euros by 1140 GMT, a six-week low and wiping around 4.8 billion euros ($6.5 billion)off the market value of France's fourth-biggest listed company.
The group, which also owns Ruinart champagne and Hennessy cognac, saw sales growth at the fashion and leather division slide to 3 percent in the third quarter, against expectations of 7 to 8 percent.
In a conference call, Chief Financial Officer Jean-Jacques Guiony blamed price increases in Japan for the slowdown, as well as softer demand for some brands.
However, one London-based analyst noted that Japan accounted for only around 15 percent of LVMH's fashion and leather sales, "so we did not get a full explanation".
LVMH has been trying to stem a decline in Louis Vuitton's sales growth by introducing new and pricier leather bags, which analysts expected would lead to short-term losses in sales.
"I understand that the repositioning of Louis Vuitton takes time and may be a bumpy ride," said Exane BNP Paribas analyst Luca Solca.
Before the results were announced, LVMH shares were up 4.4 percent since Jan. 1, underperforming the overall luxury sector, which was up more than 20 percent.
Analysts said concerns about the future growth of Louis Vuitton had been exacerbated by the announcement this month that it was parting company with its star designer, Marc Jacobs.
SUPPLY CONSTRAINTS
Guiony said the recent launch of new leather collections had not come in time to have a meaningful impact on sales, and acknowledged that production was constrained by a lack of high-quality leather.
"Without these supply constraints, we would produce more than what we do," Guiony said.
Louis Vuitton shop assistants polled by Reuters last month said they had been provided with only a small number of new handbags, such as the Capucines model, priced at 3,500 euros, which had flown off the shelves.
LVMH has been buying tanneries to secure supplies but experts say the market is under pressure partly because the number of calves raised and slaughtered is driven more by demand for meat -- which has been in decline -- than by demand for quality hides.
In addition, China, the luxury industry's main driver since the late 2000s, has started to run out of steam in the last year due to an economic slowdown and a government crackdown on gift-giving.
Guiony said Vuitton's sales in mainland China were "flattish" but, thanks to sales to Chinese tourists, overall sales growth to Chinese customers was in the "mid-single digits plus".
Guiony said trends in watches and jewellery had slightly improved in China, but not in fashion and leather.
He said trading remained difficult in Europe, particularly for perfume and cosmetics, where sales were "flattish".
LVMH's overall sales grew 2 percent in the third quarter. Organic growth was 8 percent, of which 6 percentage points were accounted for by the relative weakness of the U.S. dollar and the Japanese yen against the euro. ($1=0.7406 euros) (Additional reporting by James Regan; Editing by James Jukwey and Kevin Liffey)