Cryptography In the Bounded Quantum-Storage Model
description
Transcript of Cryptography In the Bounded Quantum-Storage Model
![Page 1: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/1.jpg)
Cryptography In theCryptography In theBounded Quantum-Storage Bounded Quantum-Storage
ModelModel
Christian Schaffner, BRICSChristian Schaffner, BRICS
University of University of Århus, DenmarkÅrhus, Denmark
ECRYPT Autumn School, BertinoroECRYPT Autumn School, BertinoroWednesday, October 19Wednesday, October 19thth 2005 2005
joint work with Ivan Damgård, Serge Fehr and Louis Salvailjoint work with Ivan Damgård, Serge Fehr and Louis Salvail
![Page 2: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/2.jpg)
2 / 42
AgendaAgenda
““Known” ResultsKnown” Results Protocol for Oblivious TransferProtocol for Oblivious Transfer Security ProofSecurity Proof Protocol for Bit CommitmentProtocol for Bit Commitment Practicality IssuesPracticality Issues Open ProblemsOpen Problems
![Page 3: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/3.jpg)
3 / 42
Classical 2-party primitives: Classical 2-party primitives: Rabin Oblivious TransferRabin Oblivious Transfer
bb b / ?b / ?
correct:correct: For honest Alice and Bob, Bob gets the For honest Alice and Bob, Bob gets the bit b with probability ½. bit b with probability ½.
oblivious:oblivious: Even if Bob is dishonest, he does not Even if Bob is dishonest, he does not get information about b with probability ½. get information about b with probability ½.
private:private: Even if Alice is dishonest, she does not Even if Alice is dishonest, she does not learn, whether Bob received the bit or not.learn, whether Bob received the bit or not.
OTSenderSender
BobBobAliceAlice
ReceiverReceiver
![Page 4: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/4.jpg)
4 / 42
Classical 2-party primitives:Classical 2-party primitives:Bit CommitmentBit Commitment
correct:correct: BC allows Alice to commit to a bit b. BC allows Alice to commit to a bit b. Later, she can open CLater, she can open Cbb to Bob. to Bob.
hiding:hiding: Even if Bob is dishonest, he does not get Even if Bob is dishonest, he does not get information on b from Cinformation on b from Cbb..
binding:binding: Even if Alice is dishonest, she cannot Even if Alice is dishonest, she cannot open Copen Cb b to another value than b.to another value than b.
CommitterCommitter VerifierVerifierbb CCbb
bb b in Cb in Cbb??
BC
![Page 5: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/5.jpg)
5 / 42
Classical 2-party primitives: RelationsClassical 2-party primitives: Relations
Oblivious TransferOblivious Transfer
bb b / ?b / ? obliviousoblivious privateprivate
hidinghiding bindingbinding
Bit CommitmentBit Commitment
bb CCbb
bb b in Cb in Cbb??
OT
BC
OT OT )) BC, BC, OT OT ¸̧ BC BC OT OT is complete for two-party cryptography
![Page 6: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/6.jpg)
6 / 42
Known Impossibility ResultsKnown Impossibility Results
OT In the classical unconditionally In the classical unconditionally
secure model without further secure model without further assumptionsassumptions
BC
![Page 7: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/7.jpg)
7 / 42
Classical 2-party primitives:Classical 2-party primitives:Bit CommitmentBit Commitment
hiding:hiding: Even if Bob is dishonest, he does not get Even if Bob is dishonest, he does not get information on b from Cinformation on b from Cbb..
binding:binding: Even if Alice is dishonest, she cannot Even if Alice is dishonest, she cannot open Copen Cb b to another value than b.to another value than b.
CommitterCommitter VerifierVerifierbb CCbb
bb b in Cb in Cbb??
BC
![Page 8: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/8.jpg)
8 / 42
Known Impossibility ResultsKnown Impossibility Results
OT In the classical unconditionally In the classical unconditionally
secure model without further secure model without further assumptionsassumptions
BC In the unconditionally secure model In the unconditionally secure model
with quantum communicationwith quantum communication[Mayers97, Lo-Chau97][Mayers97, Lo-Chau97]
![Page 9: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/9.jpg)
9 / 42
Three Ways OutThree Ways Out
OT Bound computing power (schemes Bound computing power (schemes
based on complexity assumptions)based on complexity assumptions) Noisy communication Noisy communication
[see Ivan’s talk this morning] [see Ivan’s talk this morning] Physical limitationsPhysical limitations
BC
Physical limitationsPhysical limitations
e.g. bounded memory sizee.g. bounded memory size
![Page 10: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/10.jpg)
10 / 42
Classical Bounded-Storage ModelClassical Bounded-Storage Model
OT
BC
()
()
random string which players try to random string which players try to storestore
a memory bound applies at a specified a memory bound applies at a specified momentmoment
protocol for OT [DHRS, TCC04]: protocol for OT [DHRS, TCC04]: memory size of honest players:memory size of honest players: k k memory of dishonest players:memory of dishonest players: <k<k22
Tight bound [DM, EC04]Tight bound [DM, EC04] can be can be improved improved by allowingby allowing
quantum communicationquantum communication
![Page 11: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/11.jpg)
11 / 42
Quantum Bounded-Storage ModelQuantum Bounded-Storage Model
OT
quantum memory bound applies at a quantum memory bound applies at a specified momentspecified moment
besides that, players are unbounded besides that, players are unbounded (in time and space)(in time and space)
unconditional secureunconditional secure against against adversaries with quantum memory of adversaries with quantum memory of less then less then half of the transmitted half of the transmitted qubits qubits (honest players (honest players do not needdo not need quantumquantum memory memory at allat all))
honest players:honest players: 00 kkdishonest players:dishonest players: <n/2<n/2 <k<k22
BC
![Page 12: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/12.jpg)
12 / 42
AgendaAgenda
Known ResultsKnown Results Protocol for Oblivious TransferProtocol for Oblivious Transfer Security ProofSecurity Proof Protocol for Bit CommitmentProtocol for Bit Commitment Practicality IssuesPracticality Issues Open ProblemsOpen Problems
![Page 13: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/13.jpg)
13 / 42
Quantum Mechanics IQuantum Mechanics I
+ basis
£ basis
j i j i
j i£ j i£
with prob. 1 yields 1
with prob. ½ yields 0
Measurements:
with prob. ½ yields 1
![Page 14: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/14.jpg)
14 / 42
Quantum Protocol for OTQuantum Protocol for OT
r; h;sh 2R Hn
s b©hx b s ©hx0 r r0
x0 r0
memory bound: store < n/2 qubits
Alice Bob
Example: honest players
jxi r
r 2R f ;£ gx 2R f ;gn
0110…
0110…
b2 f ;g
![Page 15: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/15.jpg)
15 / 42
Quantum Protocol for OT IIQuantum Protocol for OT II
r; h;sh 2R Hn
s b©hx
x0 r0
memory bound: store < n/2 qubits
Alice Bob
honest players? private?
jxi r
r 2R f ;£ gx 2R f ;gn
0110…
0011…
b s ©hx0 r r0
x 6 x0) hx0 ;hx b
![Page 16: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/16.jpg)
16 / 42
Obliviousness against dishonest Bob?Obliviousness against dishonest Bob?
r; h;sh 2R Hn
s b©hx b s ©hx0 r r0
x0 r0
memory bound: store < n/2 qubits
Alice Bob
jxi r
r 2R f ;£ gx 2R f ;gn
0110…
…
…
11…
![Page 17: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/17.jpg)
17 / 42
Quantum Mechanics IIQuantum Mechanics II
+ basis
£ basis
j i j i
j i£ j i£
EPR pairs:prob. ½ : 0 prob. ½ : 1
prob. ½ : 0prob. ½ : 1prob. 1 : 0
![Page 18: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/18.jpg)
18 / 42
Proof of Obliviousness: PurificationProof of Obliviousness: Purification
r; h;sh 2R Hn
s b©hx b s ©hx0 r r0
memory bound: store < n/2 qubits
Alice Bob
jxi r
x 2R f ;gnr 2R f ;£ g
![Page 19: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/19.jpg)
19 / 42
Proof of Obliviousness: Purification IIProof of Obliviousness: Purification II
r; h;sh 2R Hn
s b©hx b s ©hx0 r r0
memory bound: store < n/2 qubits
Alice Bob
r 2R f ;£ g
0 1 1 0x 2R f ;gn
![Page 20: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/20.jpg)
20 / 42
Proof of Obliviousness: EPR-VersionProof of Obliviousness: EPR-Version
r; h;sh 2R Hn
s b©hx b s ©hx0 r r0
memory bound: store < n/2 qubits
Alice Bob
r 2R f ;£ g
![Page 21: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/21.jpg)
21 / 42
r 2R f ;£ g
Proof of Obliviousness: DistributionsProof of Obliviousness: Distributions
r; h;sh 2R Hn
s b©hx b s ©hx0 r r0
memory bound: store < n/2 qubits
Alice Bob
2-4
000100100011010001010110
…
…
0000000100100011010001010110
…
…
0000
p q
2-4
![Page 22: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/22.jpg)
22 / 42
r 2R f ;£ g
Proof of Obliviousness: ExampleProof of Obliviousness: Example
r; h;sh 2R Hn
s b©hx b s ©hx0 r r0
memory bound: store < n/2 qubits
Alice Bob
0000000100100011010001010110
p
2-4
…
…
0000000100100011010001010110
q
2-4
…
…
![Page 23: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/23.jpg)
23 / 42
r 2R f ;£ g
Proof of Obliviousness: Distributions IIProof of Obliviousness: Distributions II
r; h;sh 2R Hn
s b©hx b s ©hx0 r r0
memory bound: store < n/2 qubits
Alice Bob
001…
2-4
000100100011010001010110
…
…
0000
p
x 0000000100100011010001010110
…
…
q
2-4
x
![Page 24: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/24.jpg)
24 / 42
Proof of Obliviousness: GoalProof of Obliviousness: Goal
However Bob prepares his memory
and the distributions p and q, he cannot guess h(x) in both bases simultaneously ) oblivious
001…
000100100011010001010110
0000
p
x
q
x
0111100010011010
000100100011010001010110
0000
0111100010011010
… …
2R f ;£ g
![Page 25: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/25.jpg)
25 / 42
Privacy AmplificationPrivacy Amplification
…
p
Privacy Amplification against Quantum Adversaries [Renner König, TCC 2005]
X f ;gn
h f ;gn ! f ; g hX
¡ n
SS
< n
… X
X
¡ p1 X H1 X > n
hX
![Page 26: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/26.jpg)
26 / 42
Obliviousness: Uncertainty RelationObliviousness: Uncertainty Relation
…
p
x
…
q
x
¡ n
SS
H n
¡ n
S S
pS qS ¸
![Page 27: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/27.jpg)
27 / 42
Proof of Obliviousness: FinaleProof of Obliviousness: Finale
…
p
x
…
q
x
¡ n
SS
¡ n
S S
E f x 2 Sg
2R f ;£ g
pS qS ¸
) E f pS qSg ¸
![Page 28: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/28.jpg)
28 / 42
Proof of Obliviousness: RecapProof of Obliviousness: Recap
memory bound: store ≤ n/2 qubits
Alice Bob
jxi r
r 2R f ;£ gx 2R f ;gn
r; h;sh 2R Hn
s b©hx b s ©hx0 r r0
![Page 29: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/29.jpg)
29 / 42
Proof of Obliviousness: Recap IIProof of Obliviousness: Recap II
r; h;sh 2R Hn
s b©hx b s ©hx0 r r0
memory bound: store ≤ n/2 qubits
Alice Bob
2R f ;£ g
![Page 30: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/30.jpg)
30 / 42
Proof of Obliviousness: Recap IIIProof of Obliviousness: Recap III
r; h;sh 2R Hn
s b©hx b s ©hx0 r r0
memory bound: store ≤ n/2 qubits
Alice Bob
001…
…
p
x
…
q
x
2R f ;£ g
![Page 31: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/31.jpg)
31 / 42
Proof of Obliviousness: Recap IVProof of Obliviousness: Recap IV
r; h;sh 2R Hn
s b©hx b s ©hx0 r r0
Alice Bob
…
p
x
…
q
x
2R f ;£ g
SS S S
E f x 2 Sg E ¸
![Page 32: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/32.jpg)
32 / 42
AgendaAgenda
Known ResultsKnown Results Protocol for Oblivious TransferProtocol for Oblivious Transfer Security ProofSecurity Proof Protocol forProtocol for Bit CommitmentBit Commitment Practicality IssuesPracticality Issues Open ProblemsOpen Problems
![Page 33: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/33.jpg)
33 / 42
Quantum Protocol for Bit CommitmentQuantum Protocol for Bit Commitment
BC
Verifier Committer
b; x0
x0 b
b2 f ;£ g
jx i r; ::; jxni rn
x 2R f ;gn
r 2R f ;£ gn
xi x0i
ri b
memory bound: store < n/2 qubits
![Page 34: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/34.jpg)
34 / 42
BC
Verifier Committer
b; x0
b2 f ;g
one roundone round non-interactive (commit by receiving)non-interactive (commit by receiving) unconditionally hidingunconditionally hiding unconditionally binding:unconditionally binding:
classically:classically: MemMemdisdis < 2 < 2 ¢¢ Mem Memhonhon
quantum:quantum: MemMemdisdis < n / 2 < n / 2
n
memory bound: store < n/2 qubits
Quantum Protocol for Bit Commitment IIQuantum Protocol for Bit Commitment II
![Page 35: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/35.jpg)
35 / 42
Binding Property: Proof IdeaBinding Property: Proof Idea
BC
Verifier Committer
b; x0
x0 b
b2 f ;£ g
jx i r; ::; jxni rn
x 2R f ;gn
r 2R f ;£ gn
xi x0i
ri b
memory bound: store < n/2 qubits
![Page 36: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/36.jpg)
36 / 42
AgendaAgenda
Known ResultsKnown Results Protocol for Oblivious TransferProtocol for Oblivious Transfer Security ProofSecurity Proof Protocol for Bit CommitmentProtocol for Bit Commitment Practicality IssuesPracticality Issues Open ProblemsOpen Problems
![Page 37: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/37.jpg)
37 / 42
Practicality IssuesPracticality Issues
OT
BC
With today’s technology, weWith today’s technology, we cancan transmit quantum bits transmit quantum bits
encode bits in the correct basisencode bits in the correct basis send them over optical fiberssend them over optical fibers receive and measure themreceive and measure them
cannot storecannot store them for longer than a them for longer than a few millisecondsfew milliseconds
Problems:Problems: imperfect sources (multi-pulse imperfect sources (multi-pulse
emissions)emissions) transmission errorstransmission errors
![Page 38: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/38.jpg)
38 / 42
Practicality Issues IIPracticality Issues II
OT
Our protocols can be modified toOur protocols can be modified to resist resist attacks based onattacks based on multi-photon multi-photon
emissions emissions tolerate (quantum) tolerate (quantum) noisenoise
BC
Well within reach of Well within reach of current current
technology technology and and unconditionally unconditionally securesecure as long as nobody can store as long as nobody can store large amounts of quantum bits.large amounts of quantum bits.
![Page 39: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/39.jpg)
39 / 42
Open Problems and Next StepsOpen Problems and Next Steps
OT
Other flavors of OT:Other flavors of OT:e.g. 1-out-of-2 Oblivious Transfer, String-e.g. 1-out-of-2 Oblivious Transfer, String-OT, …OT, …
Better memory boundsBetter memory bounds
Composability? What happens to the Composability? What happens to the memory bound?memory bound?
Better uncertainty relations for more MUBBetter uncertainty relations for more MUB
……
BC
![Page 40: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/40.jpg)
41 / 42
SummarySummary
OT
Protocols for OT and BC that areProtocols for OT and BC that are efficientefficient non-interactivenon-interactive unconditionally secureunconditionally secure against against
adversaries with bounded quantum adversaries with bounded quantum memorymemory
practical:practical: honest players do not need quantum honest players do not need quantum
memorymemory fault-tolerantfault-tolerant
BC
![Page 41: Cryptography In the Bounded Quantum-Storage Model](https://reader036.fdocuments.us/reader036/viewer/2022062518/56814716550346895db44e04/html5/thumbnails/41.jpg)
42 / 42
Questions and Comments?Questions and Comments?
OT
BC