Page 1

Evolving Notions of Security for Quantum Protocols

Adam Smith, Weizmann Institute of Science, http://theory.csail.mit.edu/~asmith

Caltech Workshop on Security of Classical and Quantum Protocols, December 16, 2005

Page 2

(Title slide, annotated:) Proofs: Occasionally Mistaken, Usually Correct, Frequently Interesting

Page 3

Cryptography in a Quantum World

• Landscape changes! New things are possible; new difficulties arise

• Needed: Tools and language for reasoning about quantum adversaries

• The field is still very young: some successes… … occasional mistakes. Lots of questions!

[Figure: Isaac Newton, 1642-1727. Caption: quantum thinkers needed]

Page 4

This talk

• Basics of quantum computing

• New Possibilities E.g. quantum key distribution

• New Difficulties, Partial Solutions E.g. rewinding in ZK proofs

• Conclusions & Questions

Page 5

Quantum Information: Pure States

• “Pure states” = vectors in complex space

• “qubit” = Basic unit of quantum information

$\alpha|0\rangle + \beta|1\rangle$ : $\alpha, \beta \in \mathbb{C}$, $|\alpha|^2 + |\beta|^2 = 1$

• Register of n qubits:

$\sum_x \alpha_x |x\rangle$ (where $x \in \{0,1\}^n$)

• NB: qubit-by-qubit description not enough: $2n$ numbers vs $2^n$ numbers

[Figure: $\alpha|0\rangle + \beta|1\rangle$ drawn as a vector in the plane spanned by $|0\rangle$ and $|1\rangle$]

Page 6

Quantum Circuits: 2 kinds of gates

• Invertible operations on n qubits = $2^n \times 2^n$ unitary matrices ($U^{-1} = U^\dagger$): $|\psi\rangle \mapsto U|\psi\rangle$, e.g. Hadamard $H = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$

• Projective measurements: Ask a qubit “are you 0 or 1?” State becomes $|0\rangle$ or $|1\rangle$ (according to output). Destructive!

[Figure: measuring $\alpha|0\rangle + \beta|1\rangle$ gives $|0\rangle$ w.prob. $|\alpha|^2$ and $|1\rangle$ w.prob. $|\beta|^2$]

Page 7

Information vs Disturbance

• Important principle of quantum mechanics

• Consequence: No copying!

• Theorem: If $A = |\psi\rangle$ for all inputs $|\psi\rangle$ then $B$ is independent of $|\psi\rangle$

• Information $\Rightarrow$ Disturbance

Secrecy $\Leftarrow$ Resilience to errors

[Figure: $U|\psi\rangle$ with output registers $A$ and $B$]

Page 8

This talk

• Basics of quantum computing

• New Possibilities E.g. quantum key distribution

• New Difficulties, Partial Solutions E.g. rewinding in ZK proofs

• Conclusions & Questions

Page 9

New Possibilities

• Key Distribution w/o computational assumptions [BB84]

• Coin flipping with constant bias (see Andris’ talk)

• Public-key cryptography with limited keys (see Daniel’s talk)

• Non-locality games (see Ben Toner’s talk)

• Uncloneable encryption [G]

• Fast Byzantine agreement [BH05]

• Key re-use (see Louis Salvail’s talk)

• Crypto with quantum data [AMTW00,CGS02,BCGST02,…]

Not a panacea:

• Bit commitment, OT, etc are still impossible [M,LC]

• (Probably) does not circumvent composability issues

Page 10

Quantum Key Distribution [BB84]

• Alice and Bob want to generate a secret key

[Figure: Alice and Bob, linked by a quantum channel controlled by Eve and a classical authenticated channel visible to Eve]

Page 11

Quantum Key Distribution (simplified [E91,LC99])

• Basic tool: EPR pairs. State on two qubits (normalization omitted): $|\Phi^+\rangle = |00\rangle_{AB} + |11\rangle_{AB}$

• Say Alice and Bob share an EPR pair. Measure each half to get a shared, secret bit

• Goal: set up many clean, shared EPR pairs: $|\Phi^{+n}\rangle = \sum_x |x\rangle_A |x\rangle_B$

• Phase I: Alice creates n EPR pairs, sends halves to Bob

• Phase II: Alice and Bob test the pairs for tampering using the classical channel

[Figure: Alice and Bob sharing EPR pairs]

Page 12

Phase I

• Alice generates n EPR pairs

• Sends halves of these pairs to Bob

• Bob acknowledges receipt

[Figure: Alice sends the halves of $|\Phi^{+n}\rangle$ to Bob via Eve, who keeps a quantum memory; Bob replies “Got them.”]

Page 13

Phase II: Testing

Intuition:

• Many symmetries $U$ such that $(U_A \otimes U_B)|\Phi^{+n}\rangle_{AB} = |\Phi^{+n}\rangle_{AB}$.

[Figure: as on page 12: Alice, Bob, $|\Phi^{+n}\rangle$, Eve with her memory, “Got them.”]

Page 14

Phase II: Testing

• Alice picks symmetry $U$ at random. Applies $U$ and measures last k qubits. Sends $U$ and results to Bob. Bob applies $U$ and measures last k qubits

• ACCEPT iff measurements agree

[Figure: Alice applies $U$ and sends “U, results” over the classical channel; Bob applies $U$; Eve holds her memory]

Intuition: ACCEPT $\Rightarrow$ n – k ‘good’ EPR pairs

Page 15

Example Symmetries [E91,BCGST02]

• For any invertible binary matrix $M \in \{0,1\}^{n \times n}$: $U_M|x\rangle = |Mx\rangle$

• Alice picks a random invertible matrix $M$, applies $U_M$, then applies Hadamard with probability ½ to each qubit

• Exercise: This preserves $|\Phi^{+n}\rangle = \sum_x |x\rangle_A |x\rangle_B$
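The symmetry test of pages 14 and 15, as an added worked example (this is not code from the talk or from the papers it cites): a small pure-Python state-vector model of Alice's and Bob's n-qubit registers, kept normalized unlike the slide's shorthand. It checks the page-15 exercise numerically (U_M ⊗ U_M for a random invertible binary M, followed by Hadamards on randomly chosen qubits, leaves |Φ+n⟩ unchanged), computes the page-14 acceptance probability, and contrasts the clean EPR state with a constructed intercepted state in which Eve has measured every qubit in flight in the computational basis: without the Hadamards the test cannot distinguish that state from EPR pairs, and with Hadamards on the k tested qubits it accepts only with probability 2^{-k}, matching the slide's intuition that disturbance is detectable. The function names, the dict-of-amplitudes representation and the sample bit pattern 0b101 are this example's own choices.

```python
import math
import random

# A state on Alice's and Bob's n-qubit registers is a dict {(x_A, x_B): amplitude};
# only non-zero amplitudes are stored.  Qubit i of a register is bit i of the integer.

def bit(x, i):
    """Bit i (0 = least significant) of the integer x."""
    return (x >> i) & 1

def epr_state(n):
    """|Phi+^n> = 2^(-n/2) * sum_x |x>_A |x>_B (normalized)."""
    amp = 1.0 / math.sqrt(2 ** n)
    return {(x, x): amp for x in range(2 ** n)}

def gf2_rank(rows, n):
    """Rank over GF(2) of an n x n binary matrix given as a list of row integers."""
    rows, rank = list(rows), 0
    for col in range(n):
        pivot = next((r for r in range(rank, n) if bit(rows[r], col)), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for r in range(n):
            if r != rank and bit(rows[r], col):
                rows[r] ^= rows[rank]
        rank += 1
    return rank

def random_invertible_gf2(n, rng):
    """Rejection-sample an invertible binary n x n matrix (rows as integers)."""
    while True:
        M = [rng.getrandbits(n) for _ in range(n)]
        if gf2_rank(M, n) == n:
            return M

def gf2_matvec(M, x, n):
    """y = M x over GF(2): bit i of y is the parity of row i AND x."""
    return sum(((bin(M[i] & x).count("1") & 1) << i) for i in range(n))

def apply_linear_both(state, M, n):
    """U_M (x) U_M with U_M|x> = |Mx>, applied by Alice and by Bob to their own registers."""
    return {(gf2_matvec(M, xa, n), gf2_matvec(M, xb, n)): a for (xa, xb), a in state.items()}

def apply_hadamard_both(state, q, n):
    """Hadamard on qubit q of Alice's register and on qubit q of Bob's register."""
    for reg in (0, 1):
        new = {}
        for key, a in state.items():
            x, b = key[reg], bit(key[reg], q)
            for t in (0, 1):                      # H|b> = (|0> + (-1)^b |1>) / sqrt(2)
                sign = -1.0 if (b & t) else 1.0
                y = x ^ ((b ^ t) << q)
                nk = (y, key[1]) if reg == 0 else (key[0], y)
                new[nk] = new.get(nk, 0.0) + sign * a / math.sqrt(2)
        state = new
    return state

def state_distance(s, t):
    """Largest amplitude difference between two states (0 means identical)."""
    return max(abs(s.get(k, 0.0) - t.get(k, 0.0)) for k in set(s) | set(t))

def accept_probability(state, n, k):
    """Probability that the last k qubits of Alice's and Bob's registers measure equal (page 14)."""
    mask = ((1 << k) - 1) << (n - k)
    return sum(abs(a) ** 2 for (xa, xb), a in state.items() if (xa & mask) == (xb & mask))

def random_symmetry(state, n, rng):
    """Alice's random U of page 15: U_M for random invertible M, then H on each qubit w.p. 1/2.
    Both parties apply it to their own register."""
    state = apply_linear_both(state, random_invertible_gf2(n, rng), n)
    for q in range(n):
        if rng.random() < 0.5:
            state = apply_hadamard_both(state, q, n)
    return state

def symmetry_distance(n, seed):
    """Page-15 exercise: how far a random symmetry moves |Phi+^n>.  Expected ~0."""
    return state_distance(random_symmetry(epr_state(n), n, random.Random(seed)), epr_state(n))

def phase_two_test(state, n, k, seed):
    """Full Phase II on a given state: random symmetry, then compare k measurements."""
    return accept_probability(random_symmetry(state, n, random.Random(seed)), n, k)

def intercepted_accept_probability(n, k, hadamard_on_tested):
    """Constructed attack state: Eve measured every qubit in the computational basis,
    leaving the classically correlated product state |x>_A |x>_B with x = 0b101.
    Without Hadamards the test cannot tell this from an EPR state; with Hadamards on
    the k tested qubits each comparison agrees only with probability 1/2."""
    x = 0b101 & ((1 << n) - 1)
    state = {(x, x): 1.0}
    if hadamard_on_tested:
        for q in range(n - k, n):
            state = apply_hadamard_both(state, q, n)
    return accept_probability(state, n, k)
```

`intercepted_accept_probability(3, 2, True)` returns 0.25 = 2^{-2}, while the same state passes with probability 1.0 when no Hadamards are applied; a clean `epr_state(3)` passes `phase_two_test` with probability 1.0 for every seed, which is the page-16 dichotomy in miniature.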

Page 16

Analyzing Security

• Joint state of A,B $= |\Phi^{+n}\rangle$ $\Rightarrow$ test passes w.p. 1

• Joint state of A,B $\perp |\Phi^{+n}\rangle$ $\Rightarrow$ test passes w.p. $2^{-k}$

• How can we use this? What’s the security statement? How can we prove it?

[Figure: the subspace $\mathrm{span}(|\Phi^{+n}\rangle)$ and its orthogonal complement $\mathrm{span}(|\Phi^{+n}\rangle)^\perp$]

Page 17

Analyzing Security

• We want “n–k perfect EPR pairs or REJECT” with high probability

• To show closeness, look at the state before the test:

$|\psi\rangle_{ABE} = (\text{part of } AB \parallel |\Phi^{+n}\rangle) + (\text{part of } AB \perp |\Phi^{+n}\rangle)$

• Each piece is mapped close to the good subspace

[Figure: Eve’s action followed by the test $U$ sends the parallel piece and the perpendicular piece each close to the good subspace]

Page 18

Analyzing Security

• Theorem: Global state is close to subspace

“n–k perfect EPR pairs or REJECT”

• Are we done? Intuitively meaningful What’s the definition of security here?

• This can be used to build a simulator Good enough to prove UC security [BM, BHLMO’05]

Page 19

Security as Simulatability [BHLMO’05]

• Theorem: Global state is close to subspace “n–k perfect EPR pairs or REJECT”

• Ideal protocol: Trusted party asks Eve “Abort or run?” Eve answers 1 bit. If “Run” then give good keys to Alice and Bob

[Figure: real execution with Adv vs. ideal execution with Sim]

Page 20

Security as Simulatability

• Theorem: Global state is close to subspace “n–k perfect EPR pairs or REJECT”

• Simulator: Runs dummy execution. Outputs Eve’s view. If Eve aborts, send “abort”, else send “run”

[Figure: real execution with Adv vs. ideal execution; Sim runs a dummy execution and forwards “abort?” to the trusted party]

Strong guarantee!

Page 21

Lessons of QKD

• We can sometimes test for disturbance, hence for information

• Security proven through simulator: proximity to “good” subspace [LC’99,CGS’02,BHLMO‘05]. Simple form of simulator is good. All* QKD protocols have simulator! [BHLMO ‘05]

• Deniability and adaptivity more tricky: some protocols but not all [B‘02]

Page 22

This talk

• Basics of quantum computing

• New Possibilities E.g. quantum key distribution

• New Difficulties, Partial Solutions E.g. rewinding in ZK proofs

• Conclusions & Questions

Page 23

New Difficulties (& Partial Solutions)

Computational Assumptions Broken

• Factoring and discrete logarithm in BQP [S’94]

• Still lots of candidate one-way functions

• Few candidates for public-key encryption, OT: lattices, codes

• No candidates for trapdoor 1-way permutations (though see [OTU’00]) or non-interactive ZK for NP (though see [K’03])

• See workshop http://postquantum.cr.yp.to/

Page 24

New Difficulties (& Partial Solutions)

Computational Assumptions Broken

Definitional Paradigms May No Longer Apply

• UC paradigm is ok ([BM’05]); what else?

• Bit Commitment. Standard requirement: adversary cannot produce a pair (decommitment to 0, decommitment to 1). OK if commitment is perfectly binding. Claim: unconditionally-secure QBC [BCJL]. Adversary cannot decommit to both 0 and 1. But… she can decommit to either!

Workable definitions given later (but complicated) [CDMS,DFS]

Page 25

New Difficulties (& Partial Solutions)

Computational Assumptions Broken

Definitional Paradigms May No Longer Apply

Information-theoretic Proofs Also Get Broken

• Protocols based on extractors: not clear if they remain secure against bounded quantum memory (pairwise-independent hashing is ok [KMR])

• Multi-prover commitment schemes can be broken [CST]. Some of them can still be fixed, but require very careful proofs. E.g.: adversary can win magic square game. See Ben Toner’s talk

Page 26

New Difficulties (& Partial Solutions)

Computational Assumptions Broken

Definitional Paradigms May No Longer Apply

Information-theoretic Proofs Also Get Broken

Basic Proof Techniques May Fail

• Fixing random coins: binding in multiprover commitment schemes; many other places

• Rewinding in ZK proof systems. Exception: [Watrous, 2005]

Page 27

Rewinding and Simulation

• Wanted: simulator that fools quantum adversaries

• Some simulators do work: key distribution; multiparty computation [BGW88,CCD88,RB89,etc]

• “Rigid straight-line simulator”: uses only one black-box run of adversary, even in proof of correctness of simulation

[Figure: real execution with Adv vs. ideal execution with Sim]

Few protocols have rigid simulators!

Page 28

Rewinding in Zero Knowledge: Graph Isomorphism

• ZK proof for graph isomorphism: Input $G_0, G_1$. Prover is given a permutation mapping $G_0$ to $G_1$.

• Prover picks a random permutation from $S_n$ and sends the relabelled $G_0$. Verifier picks $b \leftarrow \{0,1\}$ and sends it. Prover answers with the permutation that maps $G_b$ to the graph it sent (its random permutation composed with the $b$-th power of the isomorphism).

[Figure: Prover / Verifier message flow]

Page 29

Rewinding in Zero Knowledge: Graph Isomorphism

• Classical simulator: picks $g \leftarrow \{0,1\}$ and a random permutation from $S_n$, sends the relabelled $G_g$ to Vic (who also holds auxiliary input aux), receives $b$.

• If $g = b$, output state of Vic. Else, start over!

• What if Vic and aux are quantum? Need to copy to start over. First execution might destroy aux

Is the protocol still deniable?

[Figure: Simulator / Vic(aux) message flow]
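The protocol of page 28 and the classical rewinding simulator of page 29, as an added example in Python (not code from the talk or from Watrous' paper; the four-vertex instance, the witness permutation and the deterministic aux-dependent verifier are constructed for this example). The simulator holds no witness: it guesses g, commits to a random relabelling of G_g, and if Vic's challenge b differs from g it discards the run and restarts Vic from its initial state. Classically that restart costs nothing because aux is just re-used, which is exactly the step the next page says may fail for a quantum Vic.

```python
import random

# Graphs are frozensets of undirected edges (each edge a frozenset of two vertices).
# A permutation is a tuple p with p[v] = new label of vertex v.

N = 4
G0 = frozenset({frozenset(e) for e in [(0, 1), (1, 2), (2, 0), (2, 3)]})  # constructed instance
SIGMA = (1, 2, 3, 0)                                                      # constructed witness: SIGMA(G0) == G1

def relabel(edges, p):
    """Apply permutation p to every vertex of every edge."""
    return frozenset(frozenset(p[v] for v in e) for e in edges)

G1 = relabel(G0, SIGMA)

def random_perm(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return tuple(p)

def compose(p, q):
    """(p o q)[i] = p[q[i]]: apply q first, then p."""
    return tuple(p[q[i]] for i in range(len(q)))

def invert(p):
    inv = [0] * len(p)
    for i, v in enumerate(p):
        inv[v] = i
    return tuple(inv)

def verifier_check(graphs, H, b, tau):
    """Verifier accepts iff tau maps G_b onto the committed graph H."""
    return relabel(graphs[b], tau) == H

def honest_prover(graphs, sigma, challenge, rng):
    """Prover knows sigma with sigma(G0) == G1.  Sends H = pi(G0), receives b,
    answers tau with tau(G_b) == H: tau = pi for b = 0, tau = pi o sigma^-1 for b = 1."""
    pi = random_perm(N, rng)
    H = relabel(graphs[0], pi)
    b = challenge(H)
    tau = pi if b == 0 else compose(pi, invert(sigma))
    return H, b, tau

def simulator(graphs, challenge, rng, max_tries=200):
    """No witness.  Guess g, commit to a random relabelling of G_g, run the verifier.
    If b == g the transcript (H, b, pi) verifies and is distributed like a real one;
    otherwise rewind: throw the run away and restart the verifier from its initial
    state (classically: call it again with the same aux).  Returns (transcript, runs)."""
    for tries in range(1, max_tries + 1):
        g = rng.randrange(2)
        pi = random_perm(N, rng)
        H = relabel(graphs[g], pi)
        b = challenge(H)
        if b == g:
            return (H, b, pi), tries
    return None, max_tries

def aux_dependent_verifier(aux):
    """Deterministic classical Vic whose challenge depends on the commitment and on aux.
    Since G0 and G1 are isomorphic, H's distribution does not depend on g, so b == g w.p. 1/2."""
    return lambda H: (sum(sum(e) for e in H) + aux) & 1

def real_run(seed, aux=3):
    rng = random.Random(seed)
    return honest_prover((G0, G1), SIGMA, aux_dependent_verifier(aux), rng)

def simulate(seed, aux=3):
    rng = random.Random(seed)
    return simulator((G0, G1), aux_dependent_verifier(aux), rng)

def mean_tries(runs):
    """Average number of verifier runs per simulated transcript; ~2 since P[b == g] = 1/2."""
    return sum(simulate(seed)[1] for seed in range(runs)) / runs
```

Both `real_run` and `simulate` produce transcripts that `verifier_check` accepts; the simulator only pays in expected running time (about two runs of Vic), which is the "start over" cost that page 29 points out requires copying Vic's state and aux.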

Page 30

Simulator for Quantum Verifier [W’05]

• Classical simulator: $g \leftarrow \{0,1\}$, random permutation from $S_n$, send the relabelled $G_g$ to Vic (with aux), receive $b$. Output (g=b?, state of Vic)

1. “Purify” protocol: Postpone measurements, keep all outputs quantum

Page 31

(Identical to page 30.)

Page 32

Simulator for Quantum Verifier [W’05]

• Classical simulator: $g \leftarrow \{0,1\}$, random permutation from $S_n$, send the relabelled $G_g$ to Vic (with aux), receive $b$. Output (g=b?, state of Vic)

1. “Purify” protocol: Postpone measurements, keep all outputs quantum

2. Measure 1 qubit: $g \oplus b$. If simulation successful, output Vic’s state. Else: make it successful

Page 33

Simulator for Quantum Verifier [W’05]

• Classical simulator: $g \leftarrow \{0,1\}$, random permutation from $S_n$, send the relabelled $G_g$ to Vic (with aux), receive $b$. Output (g=b?, state of Vic)

• Measuring $g \oplus b$ defines two subspaces $W_0, W_1$. Every verifier Vic defines two states $|\psi_0\rangle, |\psi_1\rangle$.

• Theorem [Watrous’05]: there is a poly-time unitary $U_{Vic}$ s.t. $U_{Vic}|\psi_0\rangle = |\psi_1\rangle$.

[Figure: the two subspaces $W_0$ and $W_1$]

Page 34

Simulator for Quantum Verifier [W’05]

• Classical simulator: $g \leftarrow \{0,1\}$, random permutation from $S_n$, send the relabelled $G_g$ to Vic (with aux), receive $b$. Output (g=b?, state of Vic)

1. “Purify” protocol: Postpone measurements, keep all outputs quantum

2. Measure 1 qubit: $g \oplus b$. If simulation successful, output Vic’s state. Else: apply $U_{Vic}$, then output the state

Page 35

Lessons from Watrous’ Simulation

• Quantum simulators are surprisingly powerful. NB: Strict poly-time simulation

• Refines our understanding of protocols: this simulation works for a subclass of protocols, those where the simulator’s success prob. is independent* of aux; in particular, Hamiltonian path and 3-coloring. Not a subclass that had appeared before (?)

• Use quantum tricks to defeat a quantum adversary

Page 36

This talk

• Basics of quantum computing

• New Possibilities E.g. quantum key distribution

• New Difficulties, Partial Solutions E.g. rewinding in ZK proofs

• Questions to think about

Page 37

Quantum Information Requires New Intuitions

• Multi-prover Interactive Proofs [CHTW04,CST05]: soundness proofs via impossibility of supra-luminal signaling

• Composability and auxiliary information: some primitives require keys only half as long if input is unentangled with outside world

• Classical Secrecy Sometimes the Best Analogue: Secret sharing schemes $\leftrightarrow$ Error-Correcting codes (approximate quantum codes beat quantum Singleton bound); Secret key capacity $\leftrightarrow$ quantum conditional entropy (negative entropies have similar interpretations)

Page 38

Things I Didn’t Talk About

• Key re-use

• Deniability

• Bounded Quantum Memory / Processing

• Uncloneable encryption

• …

Page 39

Interesting (to me) Open Questions that might be Open

• Extending Watrous’ argument: What types of rewinding for quantum adversaries? E.g. can we get quantum proofs of knowledge for NP?

• Two-party quantum computation?

• One-way (or trapdoor) permutation candidates which are classically computable in the forward direction? See [OTU’00] for partial version

• UC impossibility results?

Page 40

Cryptography in a Quantum World

• Landscape changes! New things are possible; new difficulties arise

• Needed: Tools and language for reasoning about quantum adversaries

• The field is still very young: some successes… … occasional mistakes. Lots of questions!

[Figure: Isaac Newton, 1642-1727. Caption: quantum thinkers needed]

Page 41

Some references from the talk (a very partial list!)

• [AMTW00] Andris Ambainis, Michele Mosca, Alain Tapp, Ronald de Wolf: Private Quantum Channels. FOCS 2000: 547-553.
• [BCGST02] H. Barnum, C. Crepeau, D. Gottesman, A. Smith, A. Tapp, "Authentication of Quantum Messages," Proc. 43rd IEEE Symposium on the Foundations of Computer Science, 449-458 (2002), full version quant-ph/0205128.
• [BCJL] Gilles Brassard, Claude Crépeau, Richard Jozsa, Denis Langlois: A Quantum Bit Commitment Scheme Provably Unbreakable by both Parties. FOCS 1993: 362-371.
• [BH05] Michael Ben-Or, Avinatan Hassidim: Fast quantum byzantine agreement. STOC 2005: 481-485.
• [BHLMO'05] Michael Ben-Or, Michal Horodecki, Debbie W. Leung, Dominic Mayers, Jonathan Oppenheim: The Universal Composable Security of Quantum Key Distribution. TCC 2005: 386-406. quant-ph/0409078.
• [BM'05] Michael Ben-Or, Dominic Mayers. General Security Definition and Composability for Quantum & Classical Protocols. quant-ph/0409062.
• [CDMS] Claude Crépeau, Paul Dumais, Dominic Mayers, Louis Salvail: Computational Collapse of Quantum State with Application to Oblivious Transfer. TCC 2004: 374-393.
• [CGS02] C. Crepeau, D. Gottesman, A. Smith, "Secure Multi-Party Quantum Computation," Proc. 34th ACM Symposium on the Theory of Computing, 643-652 (New York, NY, ACM Press, 2002), quant-ph/0206138.
• [CHTW04] R. Cleve, P. Høyer, B. Toner, and J. Watrous, Consequences and Limits of Nonlocal Strategies, Proceedings of the 19th IEEE Annual Conference on Computational Complexity (CCC 2004), pp. 236-249 (2004).
• [CST'05] C. Crepeau, J.-R. Simard, A. Tapp. Classical and quantum strategies for two-prover bit commitments. Manuscript, 2005.
• [DFS] Ivan Damgård, Serge Fehr, Louis Salvail: Zero-Knowledge Proofs and String Commitments Withstanding Quantum Attacks. CRYPTO 2004: 254-272.
• [E91] Artur K. Ekert. Quantum cryptography based on Bell's theorem. Phys. Rev. Lett. 67, 661-663 (1991).
• [G] D. Gottesman, "Uncloneable Encryption," Proc. 6th International Conf. on Quantum Communication, Measurement, and Computing, eds. J. H. Shapiro and O. Hirota, pp. 405-410 (Princeton, NJ, Rinton Press, 2003), full version Quantum Information and Computation 3, No. 6, 581-602 (2003), quant-ph/0210062.
• [K'03] Hirotada Kobayashi: Non-interactive Quantum Perfect and Statistical Zero-Knowledge. ISAAC 2003: 178-188.
• [KMR] Robert Koenig, Ueli Maurer, and Renato Renner. On the Power of Quantum Memory. IEEE Transactions on Information Theory, vol. 51, no. 7, pp. 2391-2401, Jul 2005, eprint archive: http://arxiv.org/abs/quant-ph/0305154.
• [LC99] Hoi-Kwong Lo, H. F. Chau. Unconditional Security of Quantum Key Distribution over Arbitrarily Long Distances. Science 26 March 1999: Vol. 283, no. 5410, pp. 2050-2056.
• [M,LC] D. Mayers. Unconditionally secure quantum bit commitment is impossible, Phys. Rev. Lett. 78, (1997) 3414-3417. --and-- H.-K. Lo, H. F. Chau. Why Quantum Bit Commitment And Ideal Quantum Coin Tossing Are Impossible. Physica D120 (1998) 177-187. quant-ph/9711065.
• [OTU'00] Tatsuaki Okamoto, Keisuke Tanaka, Shigenori Uchiyama: Quantum Public-Key Cryptosystems. CRYPTO 2000: 147-165.
• [S'94] Peter W. Shor: Algorithms for Quantum Computation: Discrete Logarithms and Factoring. FOCS 1994: 124-134.
• [W'05] J. Watrous. Zero-knowledge against quantum attacks. arXiv.org e-Print quant-ph/0511020, 2005.

Page 42

Thank you

Questions?

This talk to be posted on: http://theory.csail.mit.edu/~asmith