
Cryptography with Quantum Data

Cryptography with Quantum Data. Adam Smith, Weizmann → IPAM → Penn State. IPAM Workshop on Foundations of Cryptography, November 14, 2006. quantum thinkers needed. Isaac Newton 1642-1727. Cryptography in a Quantum World. Landscape changes! New features appear

Presentation Transcript


  1. Cryptography with Quantum Data
  Adam Smith, Weizmann → IPAM → Penn State
  IPAM Workshop on Foundations of Cryptography, November 14, 2006

  2. Cryptography in a Quantum World
  [Images: "quantum thinkers needed" poster; Isaac Newton 1642-1727]
  • Landscape changes!
  • New features appear
  • New difficulties arise
  • Some key pieces unchanged
  • Needed: Tools and language for reasoning about quantum adversaries
  • The field is still very young
  • Some successes…
  • … occasional mistakes
  • Lots of questions!

  3. Some Things That Change
  • Unconditional key exchange [BB84,…]
  • Factoring + DL broken [Sho]
  • Weak 2-party unconditional primitives
    • coin flipping [ATVY,Amb]
    • string commitment [BCHLW]
  • Some multi-prover commitments insecure [CST]
  • Some extractors fail vs quantum memory [IKW]
    • But some are OK [KMR]
  • Some simulators for ZK proofs fail
    • but new ones can sometimes be built [Wat]
  • Bounded Storage Model more powerful [DFSS]
  • See survey talk on http://theory.csail.mit.edu/~asmith

  4. This talk: Salient Features (a partial* list)    * = incomplete and biased
  • Multiparty Quantum Computing
    • Parties hold quantum inputs
    • Want to evaluate a quantum circuit
    • Generalizes classical MPC
  • Two feasibility results
    • Statistical MPQC, cheating minority, à la [RB'89]
    • Computational MPQC for arbitrary subsets, à la [GMW'87], under non-standard assumption
  • Along the way:
    • Some infeasibility results
    • Authentication and Approximate Error-Correction
    • ZK Proofs of Knowledge

  5. This Talk • Basics of quantum computing • Multiparty Quantum Computing (MPQC) • Codes and Authentication • MPQC with a cheating minority • Beyond a faulty minority: 2-party QC • ZK for quantum adversaries

  6. Quantum Information: Pure States
  • "Pure states" = vectors in complex space
  • "qubit" = basic unit of quantum information: α|0⟩ + β|1⟩ with α, β ∈ ℂ, |α|² + |β|² = 1
  • Register of n qubits: Σ_x α_x |x⟩ (where x ∈ {0,1}^n)
  • NB: qubit-by-qubit description not enough: 2^n numbers vs 2n numbers
  [Figure: basis states |0⟩, |1⟩ and a superposition α|0⟩ + β|1⟩]

  7. Quantum Circuits: 2 kinds of gates
  • Invertible operations on n qubits = 2^n × 2^n unitary matrices (U⁻¹ = U†): |ψ⟩ → U|ψ⟩
  • e.g. Hadamard: (1/√2) [[1, 1], [1, −1]]
  • Projective measurements: ask a qubit "are you 0 or 1?"
    • State becomes |0⟩ or |1⟩ (according to output)
    • Destructive!
  [Figure: α|0⟩ + β|1⟩ measured becomes |0⟩ w.prob. |α|² or |1⟩ w.prob. |β|²]

  8. Information versus Disturbance
  • Important principle of quantum mechanics
  • Consequence: No cloning!
  • Theorem: If A = |ψ⟩ for all inputs |ψ⟩ then B is independent of |ψ⟩
  • Information ⇒ Disturbance; Secrecy ⇐ Resilience to errors
  [Figure: a unitary U takes input |ψ⟩ to two output registers A and B; picture of Dolly the cloned sheep]
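The state-vector picture of slides 6 and 7, and the no-cloning consequence of slide 8, can be checked directly in ordinary code. What follows is an added example written for this transcript, not code from the talk or its authors: a minimal pure-Python simulator that stores an n-qubit register as 2^n complex amplitudes, applies the Hadamard gate and CNOT, computes the probabilities of a projective measurement, tests whether a two-qubit state factors qubit-by-qubit, and shows that the obvious "copy it with a CNOT" cloner works on |0⟩ and |1⟩ but fails on a superposition. All names (ket, apply_1q, bell_state, naive_clone_succeeds, ...) are my own and the inputs are constructed for the example.

```python
import math
from typing import List, Tuple

# Added example for this transcript (not code from the talk): an n-qubit register
# is a list of 2**n complex amplitudes indexed by the integer value of the bit
# string x, the "2^n numbers" of slide 6. Qubit 0 is the leftmost bit of x.
State = List[complex]
Gate = List[List[complex]]

INV_SQRT2 = 1 / math.sqrt(2)
# Hadamard gate from slide 7: (1/sqrt 2) [[1, 1], [1, -1]]
HADAMARD: Gate = [[INV_SQRT2, INV_SQRT2],
                  [INV_SQRT2, -INV_SQRT2]]


def ket(bits: str) -> State:
    """Computational-basis state |bits> on len(bits) qubits."""
    state = [0j] * (2 ** len(bits))
    state[int(bits, 2)] = 1 + 0j
    return state


def norm_squared(state: State) -> float:
    """Sum of |amplitude|^2; it is 1 for a valid pure state."""
    return sum(abs(a) ** 2 for a in state)


def is_unitary(gate: Gate, tol: float = 1e-9) -> bool:
    """A valid gate satisfies U^dagger U = I, i.e. U^-1 = U^dagger."""
    n = len(gate)
    for i in range(n):
        for j in range(n):
            entry = sum(gate[k][i].conjugate() * gate[k][j] for k in range(n))
            if abs(entry - (1 if i == j else 0)) > tol:
                return False
    return True


def apply_1q(gate: Gate, state: State, target: int) -> State:
    """Apply a 2x2 unitary to qubit `target` of an n-qubit state."""
    n = len(state).bit_length() - 1
    shift = n - 1 - target
    out = [0j] * len(state)
    for x, amp in enumerate(state):
        if amp == 0:
            continue
        bit = (x >> shift) & 1
        for new_bit in (0, 1):
            y = (x & ~(1 << shift)) | (new_bit << shift)
            out[y] += gate[new_bit][bit] * amp
    return out


def apply_cnot(state: State, control: int, target: int) -> State:
    """Flip `target` on every basis state whose `control` bit is 1."""
    n = len(state).bit_length() - 1
    cshift, tshift = n - 1 - control, n - 1 - target
    out = [0j] * len(state)
    for x, amp in enumerate(state):
        y = x ^ (1 << tshift) if (x >> cshift) & 1 else x
        out[y] += amp
    return out


def measure_probabilities(state: State, target: int) -> Tuple[float, float]:
    """Projective measurement 'are you 0 or 1?': returns (Pr[0], Pr[1])."""
    n = len(state).bit_length() - 1
    shift = n - 1 - target
    p1 = sum(abs(amp) ** 2 for x, amp in enumerate(state) if (x >> shift) & 1)
    return (norm_squared(state) - p1, p1)


def is_product_state(state: State, tol: float = 1e-9) -> bool:
    """Two qubits: |psi> = |a>|b> iff the 2x2 amplitude matrix has rank 1."""
    a00, a01, a10, a11 = state
    return abs(a00 * a11 - a01 * a10) < tol


def bell_state() -> State:
    """H on qubit 0, then CNOT: (|00> + |11>)/sqrt 2, which no pair of single-qubit
    descriptions (2n = 4 numbers) can express."""
    return apply_cnot(apply_1q(HADAMARD, ket("00"), 0), 0, 1)


def naive_clone_succeeds(psi: State, tol: float = 1e-9) -> bool:
    """Try to copy a 1-qubit state by CNOT-ing it into a fresh |0>.
    Succeeds for |0> and |1>, fails for a superposition: no cloning."""
    joint = [psi[0], 0j, psi[1], 0j]          # psi (x) |0>
    out = apply_cnot(joint, 0, 1)
    want = [psi[i] * psi[j] for i in (0, 1) for j in (0, 1)]   # psi (x) psi
    return all(abs(a - b) < tol for a, b in zip(out, want))
```

The CNOT "cloner" is linear, so it can only agree with the (non-linear) map |ψ⟩ ↦ |ψ⟩|ψ⟩ on a basis; on (|0⟩ + |1⟩)/√2 it produces the entangled Bell state instead of two independent copies, which is exactly the obstruction slide 8 and the later code slides rely on.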

  9. This Talk • Basics of quantum computing • Multiparty Quantum Computing • Codes and Authentication • MPQC with a cheating minority • Beyond a faulty minority: 2-party QC • ZK for quantum adversaries

  10. Classical Multiparty Computation
  • Resource: number of honest players
  [Figure: Alice (x_A), Bob (x_B), Charlie (x_C), Diane (x_D), Eve (x_E), Fred (x_F), George (x_G), Harriet (x_H) around a Trusted Classical Circuit C; labels: Simulator, Cheaters]

  11. Quantum Multiparty Computation
  • Each player sends quantum input
  • Receives quantum output
  • Secure against UC distinguisher
  [Figure: the same players around a Trusted Quantum Circuit C; labels: Simulator, Cheaters]

  12. Quantum Multiparty Computation
  • Each player sends quantum input
  • Receives quantum output
  • Secure against UC distinguisher
  • Generalizes classical SFE
  • New techniques are needed
    • Players cannot keep copies of their input
    • Rewinding may not be possible
    • Need to operate on encoded / encrypted quantum states
  [Image: Dolly]

  13. Some Terminology • With Abort? • This talk: unfair abort (based on cheaters’ output) • Perfect / statistical security • Computational security

  14. Basic Feasibility Results (assuming broadcast)
  [Figure: number of cheaters t on an axis marked t = 0, n/4, n/3, n/2, n. Perfect MPC [BGW,CCD] for t < n/3, Perfect MPC impossible beyond; Statistical MPC [RB] for t < n/2, Statistical MPC impossible (even w. abort) beyond; Computational MPC w. abort [GMW] for all t < n]

  15. Basic Feasibility Results (assuming broadcast)
  [Figure: the classical diagram of slide 14 with the axis extended to mark n/6, plus quantum (Q) rows: Perfect MPQC for t < n/6 [CGS'02], Perfect MPQC impossible [CGS'02-'05]; Statistical MPQC [BCGHS'06] for t < n/2, Statistical MPQC impossible (even w. abort) beyond; Computational* MPQC w. abort [S] for all t < n]

  16. Basic Feasibility Results (assuming broadcast)
  • [CGS'02]: use error-correcting codes and fault-tolerant circuits [AB]
    • 2nd real proof of quantum security
    • Barrier at n/4: quantum codes [KL]
  • Authentication codes [BCGST '02] give
    • approximate codes [CGS '05]
    • reduction to computation on keys
  [Figure: the feasibility diagram of slide 15, repeated]

  17. This Talk • Basics of quantum computing • Multiparty Quantum Computing • Codes and Authentication • Quantum error-correcting codes • A spurious lower bound • Authentication • Approximate Codes and Secret Sharing • MPQC with a cheating minority • Beyond a faulty minority: 2-party QC • ZK for quantum adversaries

  18. Error Correcting Codes
  • Map k qubits → n qubits: introduce redundancy
  • If few qubits corrupted or erased, decoder recovers input exactly
  • Tricky because of no cloning: repetition code doesn't work
  • Good codes exist [CSS]. Over large alphabet [AB99]: correct (n-1)/4 errors or (n-1)/2 erasures
  [Figure: |ψ⟩ → E(|ψ⟩) → channel → E(|ψ⟩) corrupted → decoding → |ψ⟩]

  19. Quantum codes cannot correct n/4 errors
  • As in the classical case: a code corrects t errors iff it corrects 2t erasures
  [Figure: codeword blocks labelled t, 2t, t]

  20. Quantum codes cannot correct n/4 errors
  • As in the classical case: a code corrects t errors iff it corrects 2t erasures
  • Quantum codes cannot correct n/2 erasures
  • No cloning ⇒ quantum codes cannot correct n/4 errors (not true of classical codes – repetition)
  [Figure: E(|ψ⟩) split into two halves, each fed to its own decoder that would output |ψ⟩, i.e. two copies; Dolly]

  21. A spurious lower bound
  Lemma (stamped FALSE on the slide): Every MPQC protocol tolerating t cheaters implies existence of a code correcting t errors with high fidelity
  • Honest players should be able to reconstruct output
  • [CGS'02] MPQC is impossible for t < n/4
  • How do we get around this?
    • Authenticating Quantum States [BCGST]
    • Approximate QECC break n/4 bound
    • Connection to secret sharing
  [Figure: Alice (x_A), Bob (x_B), Charlie (x_C), Diane (x_D), Eve (x_E), Fred (x_F), George (x_G), Harriet (x_H) running a Protocol; label: Perfect [CGS'05]]

  22. Authenticating Quantum Messages [BCGST]
  • How does Alice know it's Bob? Classical MACs
  • What if he needs to send her qubits?

  23. Authenticating Quantum Messages [BCGST]
  • System behaves like "channel with veto": Eve inputs one bit (accept/reject)
  • No cloning ⇒ if Bob accepts, Eve learns nothing
  • In fact, Eve learns nothing. Ever. Authentication ⇒ encryption
  • [BCGST'02] poly-time protocols: m qubits → 2m + 2 log(m/) bits of key
  • Construction on board?
  [Figure: Alice and Bob share a classical key k; Alice sends A_k(|ψ⟩) past Eve; Bob outputs |ψ⟩ or ⊥; Dolly]

  24. Approximate Codes [CGS'05]
  • Code "correcting" (n-1)/2 errors
  • Start with (n-1)/2 erasure-correcting code
  • Authenticate each piece
  • Secret-share keys
  • Use classical MACs to authenticate keys
  [Figure: |ψ⟩ → E(|ψ⟩) = A_k(|ψ_1⟩), A_k(|ψ_2⟩), A_k(|ψ_3⟩), A_k(|ψ_4⟩), A_k(|ψ_5⟩) + classical shares + MAC of authentication keys]

  25. Approximate Codes [CGS'05]
  • AQECC "correcting" (n-1)/2 errors
  • If any majority of pieces untouched, then original state recovered approximately
  • Correct twice as many errors
  • No classical analogue in codes… (see also [LNCY])
  [Figure: |ψ⟩ → E(|ψ⟩) = A_k(|ψ_1⟩), …, A_k(|ψ_5⟩) + classical shares + MAC of authentication keys]

  26. Secret Sharing and Quantum Codes
  • AQECC smell like secret sharing
  • Similar to Rabin – Ben-Or '89
  • [CGL] Every quantum code is a SS scheme
  • Lesson of AQECC:
    • best viewed as robust SS (a.k.a. PSMT)
    • secret sharing is the right classical analogue of quantum error-correction
  • "Cryptography is everything!" (S. Micali)
  [Figure: E(|ψ⟩) with part erased: decoding the remainder yields |ψ⟩, the erased part gives no info; Dolly]

  27. This Talk • Basics of quantum computing • Multiparty Quantum Computing • Codes and Authentication • MPQC with a cheating minority • Beyond a faulty minority: 2-party QC • ZK for quantum adversaries

  28. Basic Feasibility Results (assuming broadcast)
  [Figure: the feasibility diagram of slide 15, repeated]

  29. MPQC with a cheating minority
  • AQECC is basic underlying code
  • Need to operate on encoded states
  • Two more tools
  • Computing on keys
    • Authenticate data using [BCGST]
    • Operate on state by changing classical key
    • Trivial example: One-Time Pad E_k(x) = x + k and matrix A: A(E_k(x)) = E_{Ak}(Ax)
    • This performs Clifford operations
  • Fault-tolerant QC [Shor,AB,BCGHS]
    • Can use Clifford ops to verify universal set of gates
    • Get cheaters to perform gates then check
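The "computing on keys" identity A(E_k(x)) = E_{Ak}(Ax) from slide 29 is concrete enough to run. Below is an added example written for this transcript, not the talk's own code: first the slide's classical case (one-time pad over GF(2) with a matrix A), then, as my own extension of the same pattern, a single-qubit Pauli one-time pad X^a Z^b in which applying a Clifford gate (Hadamard H or phase gate S) to the encrypted state is matched by a purely classical update of the key bits (a, b), so whoever holds the ciphertext never needs the key. The key-update rules are the standard Clifford conjugation relations (H X = Z H, H Z = X H, S X S† = iXZ, S Z S† = Z); the function names and sample inputs are constructed for the example.

```python
import math
from typing import List, Tuple

# Added example for this transcript (not code from the talk).
Bits = List[int]
Key = Tuple[int, int]            # (a, b) for the Pauli X^a Z^b
Matrix = List[List[complex]]
Vector = List[complex]


# ---- classical toy case of slide 29: E_k(x) = x + k over GF(2), A(E_k(x)) = E_{Ak}(Ax) ----

def otp(x: Bits, k: Bits) -> Bits:
    """One-time pad over GF(2); encryption and decryption are the same XOR."""
    return [xi ^ ki for xi, ki in zip(x, k)]


def gf2_matvec(a: List[Bits], v: Bits) -> Bits:
    return [sum(aij * vj for aij, vj in zip(row, v)) % 2 for row in a]


def classical_compute_on_keys(a: List[Bits], x: Bits, k: Bits) -> Tuple[Bits, Bits]:
    """The ciphertext holder applies A to E_k(x) (no key needed); the key holder
    applies A to k. Decrypting the first with the second gives A x."""
    return gf2_matvec(a, otp(x, k)), gf2_matvec(a, k)


# ---- quantum version (my extension): Pauli one-time pad X^a Z^b, Clifford key updates ----

def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def matvec(a: Matrix, v: Vector) -> Vector:
    return [sum(aij * vj for aij, vj in zip(row, v)) for row in a]


def dagger(a: Matrix) -> Matrix:
    return [[a[j][i].conjugate() for j in range(len(a))] for i in range(len(a[0]))]


I2: Matrix = [[1, 0], [0, 1]]
X: Matrix = [[0, 1], [1, 0]]
Z: Matrix = [[1, 0], [0, -1]]
_S2 = 1 / math.sqrt(2)
H: Matrix = [[_S2, _S2], [_S2, -_S2]]   # Hadamard
S: Matrix = [[1, 0], [0, 1j]]           # phase gate

GATES = {"H": H, "S": S}
# Classical key update for each gate, from the conjugation relations
# H X = Z H, H Z = X H (swap a and b) and S X = i X Z S, S Z = Z S (b ^= a).
# The phases are global and therefore irrelevant to the decrypted state.
KEY_UPDATE = {"H": lambda a, b: (b, a), "S": lambda a, b: (a, a ^ b)}


def pauli(key: Key) -> Matrix:
    a, b = key
    m = I2
    if a:
        m = matmul(m, X)
    if b:
        m = matmul(m, Z)
    return m


def qotp_encrypt(psi: Vector, key: Key) -> Vector:
    return matvec(pauli(key), psi)


def qotp_decrypt(phi: Vector, key: Key) -> Vector:
    return matvec(dagger(pauli(key)), phi)


def compute_on_encrypted(gate: str, phi: Vector, key: Key) -> Tuple[Vector, Key]:
    """Apply the gate to the ciphertext state and return it with the updated key."""
    return matvec(GATES[gate], phi), KEY_UPDATE[gate](*key)


def equal_up_to_phase(u: Vector, v: Vector, tol: float = 1e-9) -> bool:
    """|<u|v>| = |u| |v| exactly when u and v differ only by a global phase."""
    inner = sum(ui.conjugate() * vi for ui, vi in zip(u, v))
    norms = math.sqrt(sum(abs(ui) ** 2 for ui in u) * sum(abs(vi) ** 2 for vi in v))
    return abs(abs(inner) - norms) < tol


def key_update_is_sound(psi: Vector) -> bool:
    """For every key and both gates: decrypt(gate(encrypt(psi))) == gate(psi)."""
    for gate in GATES:
        for key in [(0, 0), (0, 1), (1, 0), (1, 1)]:
            phi, new_key = compute_on_encrypted(gate, qotp_encrypt(psi, key), key)
            if not equal_up_to_phase(qotp_decrypt(phi, new_key), matvec(GATES[gate], psi)):
                return False
    return True
```

The point to notice is the division of labour: the party operating on the encrypted qubit runs the quantum gate but never sees (a, b), while the party holding the keys does only classical bookkeeping. That is the reduction of slide 30, "reduce quantum computations to classical computations on keys", in its smallest instance; the same pattern extends to multi-qubit Clifford gates such as CNOT with a correspondingly larger key vector.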

  30. MPQC with a cheating minority
  • Share inputs
    • Verify using RB-style machinery
    • a few more layers…
  • Compute
    • Reduce quantum computations to classical computations on keys
    • Use classical SFE to manipulate keys
    • UC framework allows modular design [BM]
  • Distribute
  • Bonus: get straight-line simulator

  31. Basic Feasibility Results (assuming broadcast)
  • Complete picture of robust MPQC (with no abort)
  • Insights into coding along the way
  • New tools for fault-tolerant computing
  • Major factor:
  [Figure: the feasibility diagram of slide 15, repeated; Dolly]

  32. This Talk • Basics of quantum computing • Multiparty Quantum Computing • Codes and Authentication • MPQC with a cheating minority • Beyond a faulty minority: 2-party QC • ZK for quantum adversaries

  33. Two-party Quantum Computation
  • Many ideas of MPQC can apply here
  • AQECC replaced by commitment
  • As before: operate on classical keys
  • Need classical 2-party QC
  [Figure: |ψ⟩ → A_k(|ψ⟩), together with Commit(k)]

  34. Two-party Quantum Computation
  • Problem: standard ZK simulation + extraction arguments may not work in quantum world
    • Rewinding = cloning auxiliary info
    • Sequential composition is lost
  • Big step: Watrous' simulator for 3-round ZK
    • Does not give knowledge extractor
  • Idea: We can lie, need to read minds
    • Attach special preamble
  • Work in progress: need funny assumptions
  • Refine understanding of how we argue security
  [Image: Dolly]

  35. Basic Feasibility Results (assuming broadcast)
  [Figure: the feasibility diagram of slide 15, repeated]

  36. Cryptography in a Quantum World
  [Images: "quantum thinkers needed" poster; Isaac Newton 1642-1727]
  • Landscape changes!
  • New features appear
  • New difficulties arise
  • Some key pieces unchanged
  • Needed: Tools and language for reasoning about quantum adversaries
  • The field is still very young
  • Some successes…
  • … occasional mistakes
  • Lots of questions!

  37. Things I Did Not Talk About
  • Proofs!
  • Quantum Key Distribution
  • Byzantine Agreement in full info model [BH]
  • Randomness Extraction with Quantum Memories [AS.'04, KMR'04, D'06, GIKRdW'06]
  • Fault-tolerant QC
  • Multiprover commitments [CST]
  • …

  38. Thanks
  Co-authors: Howard Barnum (LANL), Michael Ben-Or (HUJI), Claude Crépeau (McGill), Daniel Gottesman (Perimeter/Waterloo), Avinatan Hasidim (HUJI), Alain Tapp (Montreal)
  Discussions: Boaz Barak, Louis Salvail, Jon Katz, …
