1 / 41

Cryptography In the Bounded Quantum-Storage Model

Cryptography In the Bounded Quantum-Storage Model. joint work with Ivan Damgård, Serge Fehr and Louis Salvail. Christian Schaffner, BRICS University of Århus, Denmark ECRYPT Autumn School, Bertinoro Wednesday, October 19 th 2005. Agenda. “Known” Results Protocol for Oblivious Transfer

freya
Download Presentation

Cryptography In the Bounded Quantum-Storage Model

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cryptography In theBounded Quantum-Storage Model joint work with Ivan Damgård, Serge Fehr and Louis Salvail Christian Schaffner, BRICS University of Århus, Denmark ECRYPT Autumn School, Bertinoro Wednesday, October 19th 2005

  2. Agenda • “Known” Results • Protocol for Oblivious Transfer • Security Proof • Protocol for Bit Commitment • Practicality Issues • Open Problems

  3. Classical 2-party primitives: Rabin Oblivious Transfer Bob Receiver Sender OT b b / ? Alice • correct: For honest Alice and Bob, Bob gets the bit b with probability ½. • oblivious: Even if Bob is dishonest, he does not get information about b with probability ½. • private: Even if Alice is dishonest, she does not learn, whether Bob received the bit or not.

  4. Classical 2-party primitives:Bit Commitment BC Verifier Committer b Cb b b in Cb? • correct: BC allows Alice to commit to a bit b. Later, she can open Cb to Bob. • hiding: Even if Bob is dishonest, he does not get information on b from Cb. • binding: Even if Alice is dishonest, she cannot open Cb to another value than b.

  5. Oblivious Transfer b b / ? Bit Commitment b Cb b b in Cb? Classical 2-party primitives: Relations • oblivious • private OT BC • hiding • binding • OT ) BC, OT ¸ BC • OT is complete for two-party cryptography

  6. Known Impossibility Results • In the classical unconditionally secure model without further assumptions OT BC

  7. Classical 2-party primitives:Bit Commitment BC Verifier Committer b Cb b b in Cb? • hiding: Even if Bob is dishonest, he does not get information on b from Cb. • binding: Even if Alice is dishonest, she cannot open Cb to another value than b.

  8. Known Impossibility Results • In the classical unconditionally secure model without further assumptions OT • In the unconditionally secure model with quantum communication [Mayers97, Lo-Chau97] BC

  9. Three Ways Out • Bound computing power (schemes based on complexity assumptions) • Noisy communication [see Ivan’s talk this morning] • Physical limitations OT  • Physical limitations e.g. bounded memory size BC 

  10. ()  ()  Classical Bounded-Storage Model • random string which players try to store • a memory bound applies at a specified moment • protocol for OT [DHRS, TCC04]: memory size of honest players: k memory of dishonest players: <k2 • Tight bound [DM, EC04] • can be improved by allowing quantum communication OT BC

  11. Quantum Bounded-Storage Model • quantum memory bound applies at a specified moment • besides that, players are unbounded (in time and space) • unconditional secure against adversaries with quantum memory of less then half of the transmitted qubits (honest players do not needquantum memory at all) • honest players: 0 k dishonest players: <n/2 <k2 OT  BC 

  12. Agenda • Known Results • Protocol for Oblivious Transfer • Security Proof • Protocol for Bit Commitment • Practicality Issues • Open Problems

  13. Quantum Mechanics I + basis £ basis Measurements: with prob. 1 yields 1 with prob. ½ yields 0 with prob. ½ yields 1

  14. memory bound: store < n/2 qubits Quantum Protocol for OT Bob Alice 0110… 0110… Example: honest players

  15. memory bound: store < n/2 qubits Quantum Protocol for OT II Bob Alice 0110… 0011…   honest players? private?

  16. memory bound: store < n/2 qubits Obliviousness against dishonest Bob? Bob Alice 0110… … 11…

  17. prob. ½ : 0prob. ½ : 1 prob. 1 : 0 Quantum Mechanics II + basis £ basis EPR pairs: prob. ½ : 0 prob. ½ : 1

  18. memory bound: store < n/2 qubits Proof of Obliviousness: Purification Bob Alice

  19. memory bound: store < n/2 qubits Proof of Obliviousness: Purification II Bob Alice 0 1 1 0

  20. memory bound: store < n/2 qubits Proof of Obliviousness: EPR-Version Bob Alice

  21. p q 2-4 2-4 … … 0000 0001 0010 0011 0100 0101 0110 0000 0001 0010 0011 0100 0101 0110 … … memory bound: store < n/2 qubits Proof of Obliviousness: Distributions Bob Alice

  22. memory bound: store < n/2 qubits Proof of Obliviousness: Example Bob Alice p q 2-4 2-4 … … 0000 0001 0010 0011 0100 0101 0110 0000 0001 0010 0011 0100 0101 0110 … …

  23. p q 2-4 2-4 … … x x 0000 0001 0010 0011 0100 0101 0110 0000 0001 0010 0011 0100 0101 0110 … … memory bound: store < n/2 qubits Proof of Obliviousness: Distributions II Bob Alice 001…

  24. However Bob prepares his memory and the distributions p and q, he cannot guess h(x) in both bases simultaneously) oblivious 001… Proof of Obliviousness: Goal p q … … 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 x 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 x

  25. Privacy Amplification Privacy Amplification against Quantum Adversaries [Renner König, TCC 2005] p …

  26. Obliviousness: Uncertainty Relation p q … … x x

  27. Proof of Obliviousness: Finale p q … … x x

  28. memory bound: store ≤ n/2 qubits Proof of Obliviousness: Recap Bob Alice

  29. memory bound: store ≤ n/2 qubits Proof of Obliviousness: Recap II Bob Alice

  30. memory bound: store ≤ n/2 qubits Proof of Obliviousness: Recap III Bob Alice p q … … x x 001…

  31. Proof of Obliviousness: Recap IV Bob Alice p q … … x x

  32. Agenda • Known Results • Protocol for Oblivious Transfer • Security Proof • Protocol forBit Commitment • Practicality Issues • Open Problems

  33. memory bound: store < n/2 qubits Quantum Protocol for Bit Commitment Verifier Committer BC

  34. Quantum Protocol for Bit Commitment II Verifier Committer memory bound: store < n/2 qubits • one round • non-interactive (commit by receiving) • unconditionally hiding • unconditionally binding: • classically: Memdis < 2 ¢ Memhon • quantum: Memdis < n / 2 BC

  35. memory bound: store < n/2 qubits Binding Property: Proof Idea Verifier Committer BC 

  36. Agenda • Known Results • Protocol for Oblivious Transfer • Security Proof • Protocol for Bit Commitment • Practicality Issues • Open Problems

  37. Practicality Issues With today’s technology, we • can transmit quantum bits • encode bits in the correct basis • send them over optical fibers • receive and measure them • cannot store them for longer than a few milliseconds OT BC Problems: • imperfect sources (multi-pulse emissions) • transmission errors

  38. Practicality Issues II Our protocols can be modified to • resist attacks based onmulti-photon emissions • tolerate (quantum) noise OT  • Well within reach of current technology and unconditionally secure as long as nobody can store large amounts of quantum bits. BC 

  39. Open Problems and Next Steps • Other flavors of OT:e.g. 1-out-of-2 Oblivious Transfer, String-OT, … • Better memory bounds • Composability? What happens to the memory bound? • Better uncertainty relations for more MUB • … OT  BC 

  40. Summary Protocols for OT and BC that are • efficient • non-interactive • unconditionally secure against adversaries with bounded quantum memory • practical: • honest players do not need quantum memory • fault-tolerant OT  BC 

  41. Questions and Comments? OT  BC 

More Related