Cryptography In the Bounded Quantum-Storage Model

Christian Schaffner, BRICS, University of Århus, Denmark

ECRYPT Autumn School, Bertinoro, Wednesday, October 19th 2005

joint work with Ivan Damgård, Serge Fehr and Louis Salvail



Agenda

- "Known" Results
- Protocol for Oblivious Transfer
- Security Proof
- Protocol for Bit Commitment
- Practicality Issues
- Open Problems


Classical 2-party primitives: Rabin Oblivious Transfer

[Figure: OT box between Alice (Sender) and Bob (Receiver); input b, output b / ?]

- correct: For honest Alice and Bob, Bob gets the bit b with probability ½.
- oblivious: Even if Bob is dishonest, he does not get information about b with probability ½.
- private: Even if Alice is dishonest, she does not learn whether Bob received the bit or not.


Classical 2-party primitives: Bit Commitment

[Figure: BC box between Committer and Verifier; b and C_b, then b and "b in C_b?"]

- correct: BC allows Alice to commit to a bit b. Later, she can open C_b to Bob.
- hiding: Even if Bob is dishonest, he does not get information on b from C_b.
- binding: Even if Alice is dishonest, she cannot open C_b to another value than b.


Classical 2-party primitives: Relations

[Figure: Oblivious Transfer (OT box: b, b / ?; oblivious, private) and Bit Commitment (BC box: b and C_b, then b and "b in C_b?"; hiding, binding)]

- $\mathrm{OT} \Rightarrow \mathrm{BC}$, $\mathrm{OT} \geq \mathrm{BC}$
- OT is complete for two-party cryptography


Known Impossibility Results

[Figure: OT and BC boxes]

- In the classical unconditionally secure model without further assumptions


Classical 2-party primitives: Bit Commitment

[Figure: BC box between Committer and Verifier; b and C_b, then b and "b in C_b?"]

- hiding: Even if Bob is dishonest, he does not get information on b from C_b.
- binding: Even if Alice is dishonest, she cannot open C_b to another value than b.


Known Impossibility Results

[Figure: OT and BC boxes]

- In the classical unconditionally secure model without further assumptions
- In the unconditionally secure model with quantum communication [Mayers97, Lo-Chau97]


Three Ways Out

[Figure: OT and BC boxes]

- Bound computing power (schemes based on complexity assumptions)
- Noisy communication [see Ivan's talk this morning]
- Physical limitations, e.g. bounded memory size


Classical Bounded-Storage Model

[Figure: OT and BC boxes, each annotated "()"]

- random string which players try to store
- a memory bound applies at a specified moment
- protocol for OT [DHRS, TCC04]:
  - memory size of honest players: $k$
  - memory of dishonest players: $< k^2$
- Tight bound [DM, EC04]
- can be improved by allowing quantum communication


Quantum Bounded-Storage Model

[Figure: OT and BC boxes]

- quantum memory bound applies at a specified moment
- besides that, players are unbounded (in time and space)
- unconditionally secure against adversaries with quantum memory of less than half of the transmitted qubits (honest players do not need quantum memory at all)

Memory requirements:
- honest players: $0$ (classical model: $k$)
- dishonest players: $< n/2$ (classical model: $< k^2$)


Agenda

- Known Results
- Protocol for Oblivious Transfer
- Security Proof
- Protocol for Bit Commitment
- Practicality Issues
- Open Problems


Quantum Mechanics I

+ basis, × basis

[Figure: the two states of the + basis and the two states of the × basis]

Measurements:
- with prob. 1 yields 1
- with prob. ½ yields 0
- with prob. ½ yields 1


Quantum Protocol for OT

Alice    Bob

$b \in \{0,1\}$
$x \in_R \{0,1\}^n$, $r \in_R \{+,\times\}$
$|x\rangle_r$
$x'$, $r'$
memory bound: store < n/2 qubits
$r, h, s$, $h \in_R H_n$
$s = b \oplus h(x)$
$b = s \oplus h(x')$, $r = r'$

Example: honest players
0110…
0110…

Christian Schaffner
h is two-universal and BINARY

Quantum Protocol for OT II

Alice    Bob

$x \in_R \{0,1\}^n$, $r \in_R \{+,\times\}$
$|x\rangle_r$
$x'$, $r'$
memory bound: store < n/2 qubits
$r, h, s$, $h \in_R H_n$
$s = b \oplus h(x)$
$b = s \oplus h(x')$, $r = r'$

honest players? private?
0110…
0011…

x 6 x0) hx0 ;hx b
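
An honest run of the Rabin OT protocol from the two slides above, as an added example that is not code from the talk: Alice sends $|x\rangle_r$, Bob measures in a random basis $r'$, and after the memory bound Alice announces $r$, $h$ and $s = b \oplus h(x)$. Assumptions: qubits are modelled classically (a wrong-basis measurement returns uniform bits), the inner-product hash stands in for the two-universal binary $h$, and all function names are hypothetical.

```python
import secrets

BASES = "+x"  # '+' and 'x' stand for the slides' + and × bases


def random_bits(n):
    return [secrets.randbelow(2) for _ in range(n)]


def measure(x, prep_basis, meas_basis):
    """Classical stand-in for measuring |x>_r: the matching basis returns x,
    the other basis returns independent uniform bits."""
    return list(x) if prep_basis == meas_basis else random_bits(len(x))


def h(a, x):
    """Assumed hash family: h_a(x) = <a, x> mod 2 (two-universal, one-bit output)."""
    return sum(ai & xi for ai, xi in zip(a, x)) % 2


def rabin_ot(b, n=64):
    """One honest run. Returns (Bob's output or None, r, r')."""
    # Alice: x in_R {0,1}^n, r in_R {+,x}; she sends |x>_r.
    x, r = random_bits(n), secrets.choice(BASES)
    # Bob: measures all n qubits at once in basis r' (needs no quantum memory).
    r_prime = secrets.choice(BASES)
    x_prime = measure(x, r, r_prime)
    # -- memory bound applies here --
    # Alice: picks h (index a), announces r, h and s = b xor h(x).
    a = random_bits(n)
    s = b ^ h(a, x)
    # Bob: b = s xor h(x') when r = r'; otherwise x' is unrelated to x and he
    # reports an erasure. Nothing flows back to Alice, so she cannot tell which.
    out = s ^ h(a, x_prime) if r == r_prime else None
    return out, r, r_prime


def receive_rate(trials=2000):
    """Fraction of honest runs in which Bob obtains the bit (expected about 1/2)."""
    got = sum(rabin_ot(t & 1)[0] is not None for t in range(trials))
    return got / trials


if __name__ == "__main__":
    print("fraction of runs where Bob gets b:", receive_rate())
```
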


Obliviousness against dishonest Bob?

Alice    Bob

$x \in_R \{0,1\}^n$, $r \in_R \{+,\times\}$
$|x\rangle_r$
$x'$, $r'$
memory bound: store < n/2 qubits
$r, h, s$, $h \in_R H_n$
$s = b \oplus h(x)$
$b = s \oplus h(x')$, $r = r'$

0110…
11…


Quantum Mechanics II

+ basis, × basis

[Figure: the two states of the + basis and the two states of the × basis]

EPR pairs:
- prob. ½ : 0, prob. ½ : 1
- prob. ½ : 0, prob. ½ : 1
- prob. 1 : 0


Proof of Obliviousness: Purification

Alice    Bob

$x \in_R \{0,1\}^n$, $r \in_R \{+,\times\}$
$|x\rangle_r$
memory bound: store < n/2 qubits
$r, h, s$, $h \in_R H_n$
$s = b \oplus h(x)$
$b = s \oplus h(x')$, $r = r'$


Proof of Obliviousness: Purification II

Alice    Bob

$r \in_R \{+,\times\}$
0 1 1 0
$x \in_R \{0,1\}^n$
memory bound: store < n/2 qubits
$r, h, s$, $h \in_R H_n$
$s = b \oplus h(x)$
$b = s \oplus h(x')$, $r = r'$


Proof of Obliviousness: EPR-Version

Alice    Bob

$r \in_R \{+,\times\}$
memory bound: store < n/2 qubits
$r, h, s$, $h \in_R H_n$
$s = b \oplus h(x)$
$b = s \oplus h(x')$, $r = r'$


Proof of Obliviousness: Distributions

Alice    Bob

$r \in_R \{+,\times\}$
memory bound: store < n/2 qubits
$r, h, s$, $h \in_R H_n$
$s = b \oplus h(x)$
$b = s \oplus h(x')$, $r = r'$

[Figure: distributions p and q over 4-bit strings (axis labels 0000, 0001, 0010, 0011, 0100, 0101, 0110), with the level $2^{-4}$ marked]


Proof of Obliviousness: Example

Alice    Bob

$r \in_R \{+,\times\}$
memory bound: store < n/2 qubits
$r, h, s$, $h \in_R H_n$
$s = b \oplus h(x)$
$b = s \oplus h(x')$, $r = r'$

[Figure: distributions p and q over 4-bit strings (axis labels 0000, 0001, 0010, 0011, 0100, 0101, 0110), each with the level $2^{-4}$ marked]


Proof of Obliviousness: Distributions II

Alice    Bob

$r \in_R \{+,\times\}$
memory bound: store < n/2 qubits
$r, h, s$, $h \in_R H_n$
$s = b \oplus h(x)$
$b = s \oplus h(x')$, $r = r'$

[Figure: Bob's memory 001…; distributions p and q over 4-bit strings (axis labels 0000, 0001, 0010, 0011, 0100, 0101, 0110), each with a point x and the level $2^{-4}$ marked]


Proof of Obliviousness: Goal

However Bob prepares his memory and the distributions p and q, he cannot guess h(x) in both bases simultaneously $\Rightarrow$ oblivious

[Figure: Bob's memory 001…; distributions p and q over 4-bit strings (axis labels 0000, 0001, 0010, 0011, 0100, 0101, 0110, 0111, 1000, 1001, 1010, …), each with a point x marked; basis chosen $\in_R \{+,\times\}$]


Privacy Amplification

p

Privacy Amplification against Quantum Adversaries [Renner König, TCC 2005]

X f ;gn

h f ;gn ! f ; g hX

¡ n

SS

< n

… X

X

¡ p1 X H1 X > n

hX


Obliviousness: Uncertainty Relation

p

x

q

x

¡ n

SS

H n

¡ n

S S

pS qS ¸


Proof of Obliviousness: Finale

p

x

q

x

¡ n

SS

¡ n

S S

E f x 2 Sg

2R f ;£ g

pS qS ¸

) E f pS qSg ¸


Proof of Obliviousness: Recap

Alice    Bob

$x \in_R \{0,1\}^n$, $r \in_R \{+,\times\}$
$|x\rangle_r$
memory bound: store ≤ n/2 qubits
$r, h, s$, $h \in_R H_n$
$s = b \oplus h(x)$
$b = s \oplus h(x')$, $r = r'$


Proof of Obliviousness: Recap II

Alice    Bob

$\in_R \{+,\times\}$
memory bound: store ≤ n/2 qubits
$r, h, s$, $h \in_R H_n$
$s = b \oplus h(x)$
$b = s \oplus h(x')$, $r = r'$


Proof of Obliviousness: Recap III

Alice    Bob

$\in_R \{+,\times\}$
memory bound: store ≤ n/2 qubits
$r, h, s$, $h \in_R H_n$
$s = b \oplus h(x)$
$b = s \oplus h(x')$, $r = r'$

[Figure: Bob's memory 001…; distributions p and q, each with a point x marked]


Proof of Obliviousness: Recap IV

Alice    Bob

$\in_R \{+,\times\}$
$r, h, s$, $h \in_R H_n$
$s = b \oplus h(x)$
$b = s \oplus h(x')$, $r = r'$

[Figure: distributions p and q, each with a point x marked]

SS S S

E f x 2 Sg E ¸


Agenda

- Known Results
- Protocol for Oblivious Transfer
- Security Proof
- Protocol for Bit Commitment
- Practicality Issues
- Open Problems


Quantum Protocol for Bit Commitment

[Figure: BC box between Verifier and Committer]

$x \in_R \{0,1\}^n$, $r \in_R \{+,\times\}^n$
$|x_1\rangle_{r_1}, \ldots, |x_n\rangle_{r_n}$
$b \in \{+,\times\}$
$x'$, $b$
memory bound: store < n/2 qubits
$b, x'$
$x_i = x'_i$, $r_i = b$


Quantum Protocol for Bit Commitment II

[Figure: BC box between Verifier and Committer, labelled n]

$b, x'$
$b \in \{0,1\}$

- one round
- non-interactive (commit by receiving)
- unconditionally hiding
- unconditionally binding:
  - classically: $\mathrm{Mem}_{dis} < 2 \cdot \mathrm{Mem}_{hon}$
  - quantum: $\mathrm{Mem}_{dis} < n / 2$

memory bound: store < n/2 qubits


Binding Property: Proof Idea

[Figure: BC box between Verifier and Committer]

$x \in_R \{0,1\}^n$, $r \in_R \{+,\times\}^n$
$|x_1\rangle_{r_1}, \ldots, |x_n\rangle_{r_n}$
$b \in \{+,\times\}$
$x'$, $b$
memory bound: store < n/2 qubits
$b, x'$
$x_i = x'_i$, $r_i = b$
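
The commit-by-receiving protocol and its opening check $x_i = x'_i$ wherever $r_i = b$, as an added example that is not code from the talk. Assumptions: measurement is modelled classically (wrong basis gives a uniform bit), bit 0 maps to the + basis and bit 1 to the × basis, the committer keeps no qubits, and all function names are hypothetical.

```python
import secrets

PLUS, TIMES = "+", "x"            # the slides' + and × bases
BASIS_OF = {0: PLUS, 1: TIMES}    # assumed bit-to-basis convention


def verifier_send(n):
    """Verifier: x in_R {0,1}^n, r in_R {+,x}^n; sends |x_1>_{r_1}, ..., |x_n>_{r_n}."""
    x = [secrets.randbelow(2) for _ in range(n)]
    r = [secrets.choice((PLUS, TIMES)) for _ in range(n)]
    return x, r


def commit(x, r, b):
    """Committer commits to b by measuring every qubit in basis b.
    x and r describe the qubits' physical state, not committer knowledge:
    a matching basis yields x_i, the other basis yields a uniform bit.
    Nothing is sent to the verifier, so the commitment is hiding."""
    basis = BASIS_OF[b]
    return [xi if ri == basis else secrets.randbelow(2) for xi, ri in zip(x, r)]


def verify_opening(x, r, b, x_opened):
    """Verifier accepts (b, x') iff x_i = x'_i at every position with r_i = b."""
    basis = BASIS_OF[b]
    return all(xi == xo for xi, ri, xo in zip(x, r, x_opened) if ri == basis)


def demo(n=128):
    """Returns (honest opening accepted, opening of the other bit accepted)."""
    x, r = verifier_send(n)
    x_prime = commit(x, r, b=0)
    honest = verify_opening(x, r, 0, x_prime)
    # Claiming b = 1 afterwards requires matching x on the x-basis positions,
    # where each bit of x' is only a coin flip: acceptance is negligible in n.
    flipped = verify_opening(x, r, 1, x_prime)
    return honest, flipped


if __name__ == "__main__":
    print(demo())
```
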


Agenda

- Known Results
- Protocol for Oblivious Transfer
- Security Proof
- Protocol for Bit Commitment
- Practicality Issues
- Open Problems


Practicality Issues

[Figure: OT and BC boxes]

With today's technology, we
- can transmit quantum bits
  - encode bits in the correct basis
  - send them over optical fibers
  - receive and measure them
- cannot store them for longer than a few milliseconds

Problems:
- imperfect sources (multi-pulse emissions)
- transmission errors


Practicality Issues II

[Figure: OT and BC boxes]

Our protocols can be modified to
- resist attacks based on multi-photon emissions
- tolerate (quantum) noise

Well within reach of current technology and unconditionally secure as long as nobody can store large amounts of quantum bits.


Open Problems and Next Steps

[Figure: OT and BC boxes]

- Other flavors of OT: e.g. 1-out-of-2 Oblivious Transfer, String-OT, …
- Better memory bounds
- Composability? What happens to the memory bound?
- Better uncertainty relations for more MUB
- …


Summary

[Figure: OT and BC boxes]

Protocols for OT and BC that are
- efficient
- non-interactive
- unconditionally secure against adversaries with bounded quantum memory
- practical:
  - honest players do not need quantum memory
  - fault-tolerant


Questions and Comments?

[Figure: OT and BC boxes]