Cryptography In theCryptography In theBounded Quantum-Storage Bounded Quantum-Storage

ModelModel

Ivan Damgård, Louis Salvail, Ivan Damgård, Louis Salvail, Christian SchaffnerChristian SchaffnerBRICS, University of Århus, DKBRICS, University of Århus, DK

Serge FehrSerge FehrCWI, Amsterdam, NLCWI, Amsterdam, NL

2 / 18

Classical 2-party primitivesClassical 2-party primitives

Rabin Oblivious TransferRabin Oblivious Transfer

bb b / ?b / ? privateprivate obliviousoblivious

bindingbinding hidinghiding

Bit CommitmentBit Commitment

bb CCbb

bb b in Cb in Cbb??

OT

BC

OT OT )) BC BC OT OT is complete for two-party cryptography

3 / 18

Known Impossibility ResultsKnown Impossibility Results

OT In the classical unconditionally In the classical unconditionally

secure model without further secure model without further assumptionsassumptions

BC In the unconditionally secure model In the unconditionally secure model

with quantum communicationwith quantum communication[Mayers97, Lo-Chau97][Mayers97, Lo-Chau97]

4 / 18

Classical Bounded-Storage ModelClassical Bounded-Storage Model

OT

BC

()

()

random string which players try to random string which players try to storestore

a memory bound applies at a specified a memory bound applies at a specified momentmoment

protocol for OT [DHRS, TCC04]: protocol for OT [DHRS, TCC04]: memory size of honest players:memory size of honest players: k k memory of dishonest players:memory of dishonest players: <k<k22

Tight bound [DM, EC04]Tight bound [DM, EC04] can be can be improved improved by allowingby allowing

quantum communicationquantum communication

5 / 18

Quantum Bounded-Storage ModelQuantum Bounded-Storage Model

OT

quantum memory bound applies at a quantum memory bound applies at a specified moment. Besides that, players specified moment. Besides that, players are unbounded (in time and space)are unbounded (in time and space)

unconditional secureunconditional secure against against adversaries with quantum memory of adversaries with quantum memory of less then less then half of the transmitted qubitshalf of the transmitted qubits

honest players honest players do not needdo not need quantumquantum memory memory at allat all

honest players:honest players: 00 kkdishonest players:dishonest players: <n/2<n/2 <k<k22

ratio:ratio: 11 kk

BC

6 / 18

AgendaAgenda

Quantum Bounded-Storage ModelQuantum Bounded-Storage Model Protocol for Oblivious TransferProtocol for Oblivious Transfer Protocol for Bit CommitmentProtocol for Bit Commitment Practicality IssuesPracticality Issues

7 / 18

Quantum Mechanics (Toy Version)Quantum Mechanics (Toy Version)

+ basis

£ basis

j i j i

j i£ j i£

with prob. 1 yields 1

with prob. ½ yields 0

Measurements:

with prob. ½ yields 1

8 / 18

Quantum Protocol for OTQuantum Protocol for OT

r; h;sh 2R Hn

s b©hx b s ©hx0 r r0

x0 r0

memory bound: store < n/2 qubits

Alice Bob

Example: honest players

jxi r

r 2R f ;£ gx 2R f ;gn

0110…

0110…

b2 f ;g

9 / 18

Quantum Protocol for OT IIQuantum Protocol for OT II

r; h;sh 2R Hn

s b©hx

x0 r0

memory bound: store < n/2 qubits

Alice Bob

honest players? private?

jxi r

r 2R f ;£ gx 2R f ;gn

0110…

0011…

b s ©hx0 r r0

x 6 x0) hx0 ;hx b

10 / 18

Obliviousness against dishonest Bob?Obliviousness against dishonest Bob?

r; h;sh 2R Hn

s b©hx b s ©hx0 r r0

x0 r0

memory bound: store < n/2 qubits

Alice Bob

jxi r

r 2R f ;£ gx 2R f ;gn

0110…

…

…

11…

x 6 x0) hx0 ;hx b

11 / 18

Proof of Obliviousness: ToolsProof of Obliviousness: Tools

OT

Purification techniques like in the Purification techniques like in the Shor-Preskill security proof of BB84Shor-Preskill security proof of BB84

Privacy Amplification against Quantum Privacy Amplification against Quantum Adversaries [RK, TCC05]Adversaries [RK, TCC05]

new min-entropy based uncertainty new min-entropy based uncertainty relation:relation:

For a For a nn-qubit register A in state -qubit register A in state AA, ,

let Plet P++ and P and P££ be the probabilities of measuring A be the probabilities of measuring A in the +-basis respectively in the +-basis respectively ££-basis. Then it holds-basis. Then it holds

PP++11 + P + P££

11 ·· 1 + negl(n). 1 + negl(n).

12 / 18

AgendaAgenda

Quantum Bounded Storage ModelQuantum Bounded Storage Model Protocol for Oblivious TransferProtocol for Oblivious Transfer Protocol for Bit CommitmentProtocol for Bit Commitment Practicality IssuesPracticality Issues

13 / 18

Quantum Protocol for Bit CommitmentQuantum Protocol for Bit Commitment

BC

Verifier Committer

b; x0

x0 b

b2 f ;£ g

jx i r; ::; jxni rn

x 2R f ;gn

r 2R f ;£ gn

xi x0i

ri b

memory bound: store < n/2 qubits

14 / 18

BC

Verifier Committer

b; x0

b2 f ;g

one round, non-interactive one round, non-interactive commit by receiving!commit by receiving! unconditionally hidingunconditionally hiding unconditionally binding as long as unconditionally binding as long as

MemMemcommittercommitter < n / 2 < n / 2

n

memory bound: store < n/2 qubits

Quantum Protocol for Bit Commitment IIQuantum Protocol for Bit Commitment II

) proof uses same tools as for OT !

15 / 18

AgendaAgenda

Quantum Bounded Storage ModelQuantum Bounded Storage Model Protocol for Oblivious TransferProtocol for Oblivious Transfer Protocol for Bit CommitmentProtocol for Bit Commitment Practicality IssuesPracticality Issues

16 / 18

Practicality IssuesPracticality Issues

OT

BC

With today’s technology, weWith today’s technology, we cancan transmit quantum bits encoded in transmit quantum bits encoded in

photonsphotons cannot storecannot store them for longer than a few them for longer than a few

millisecondsmilliseconds

Problems:Problems: imperfect sources (multi-pulse imperfect sources (multi-pulse

emissions)emissions) transmission errorstransmission errors

17 / 18

Practicality Issues IIPracticality Issues II

OT

Our protocols can be modified toOur protocols can be modified to resist resist attacks based onattacks based on multi-photon multi-photon

emissions emissions tolerate (quantum) tolerate (quantum) noisenoise

BC

Well within reach of Well within reach of current current

technologytechnology.. makes sense over short distances makes sense over short distances

(in contrast to QKD)(in contrast to QKD)

18 / 18

SummarySummary

OT

Protocols for OT and BC that areProtocols for OT and BC that are efficient, non-interactiveefficient, non-interactive unconditionally secureunconditionally secure against against

adversaries with bounded quantum adversaries with bounded quantum memorymemory

practical:practical: honest players do not need quantum honest players do not need quantum

memorymemory fault-tolerantfault-tolerant

BC

Thank you for Thank you for your attention!your attention!