cryptography in the bounded quantum-storage model focs 2005 - pittsburgh tuesday, october 25 th 2005...
TRANSCRIPT
![Page 1: Cryptography In the Bounded Quantum-Storage Model FOCS 2005 - Pittsburgh Tuesday, October 25 th 2005 Ivan Damgård, Louis Salvail, Christian Schaffner BRICS,](https://reader036.vdocuments.site/reader036/viewer/2022062520/5697c0071a28abf838cc64eb/html5/thumbnails/1.jpg)
Cryptography In theCryptography In theBounded Quantum-Storage Bounded Quantum-Storage
ModelModel
Ivan Damgård, Louis Salvail, Ivan Damgård, Louis Salvail, Christian SchaffnerChristian SchaffnerBRICS, University of Århus, DKBRICS, University of Århus, DK
Serge FehrSerge FehrCWI, Amsterdam, NLCWI, Amsterdam, NL
![Page 2: Cryptography In the Bounded Quantum-Storage Model FOCS 2005 - Pittsburgh Tuesday, October 25 th 2005 Ivan Damgård, Louis Salvail, Christian Schaffner BRICS,](https://reader036.vdocuments.site/reader036/viewer/2022062520/5697c0071a28abf838cc64eb/html5/thumbnails/2.jpg)
2 / 18
Classical 2-party primitivesClassical 2-party primitives
Rabin Oblivious TransferRabin Oblivious Transfer
bb b / ?b / ? privateprivate obliviousoblivious
bindingbinding hidinghiding
Bit CommitmentBit Commitment
bb CCbb
bb b in Cb in Cbb??
OT
BC
OT OT )) BC BC OT OT is complete for two-party cryptography
![Page 3: Cryptography In the Bounded Quantum-Storage Model FOCS 2005 - Pittsburgh Tuesday, October 25 th 2005 Ivan Damgård, Louis Salvail, Christian Schaffner BRICS,](https://reader036.vdocuments.site/reader036/viewer/2022062520/5697c0071a28abf838cc64eb/html5/thumbnails/3.jpg)
3 / 18
Known Impossibility ResultsKnown Impossibility Results
OT In the classical unconditionally In the classical unconditionally
secure model without further secure model without further assumptionsassumptions
BC In the unconditionally secure model In the unconditionally secure model
with quantum communicationwith quantum communication[Mayers97, Lo-Chau97][Mayers97, Lo-Chau97]
![Page 4: Cryptography In the Bounded Quantum-Storage Model FOCS 2005 - Pittsburgh Tuesday, October 25 th 2005 Ivan Damgård, Louis Salvail, Christian Schaffner BRICS,](https://reader036.vdocuments.site/reader036/viewer/2022062520/5697c0071a28abf838cc64eb/html5/thumbnails/4.jpg)
4 / 18
Classical Bounded-Storage ModelClassical Bounded-Storage Model
OT
BC
()
()
random string which players try to random string which players try to storestore
a memory bound applies at a specified a memory bound applies at a specified momentmoment
protocol for OT [DHRS, TCC04]: protocol for OT [DHRS, TCC04]: memory size of honest players:memory size of honest players: k k memory of dishonest players:memory of dishonest players: <k<k22
Tight bound [DM, EC04]Tight bound [DM, EC04] can be can be improved improved by allowingby allowing
quantum communicationquantum communication
![Page 5: Cryptography In the Bounded Quantum-Storage Model FOCS 2005 - Pittsburgh Tuesday, October 25 th 2005 Ivan Damgård, Louis Salvail, Christian Schaffner BRICS,](https://reader036.vdocuments.site/reader036/viewer/2022062520/5697c0071a28abf838cc64eb/html5/thumbnails/5.jpg)
5 / 18
Quantum Bounded-Storage ModelQuantum Bounded-Storage Model
OT
quantum memory bound applies at a quantum memory bound applies at a specified moment. Besides that, players specified moment. Besides that, players are unbounded (in time and space)are unbounded (in time and space)
unconditional secureunconditional secure against against adversaries with quantum memory of adversaries with quantum memory of less then less then half of the transmitted qubitshalf of the transmitted qubits
honest players honest players do not needdo not need quantumquantum memory memory at allat all
honest players:honest players: 00 kkdishonest players:dishonest players: <n/2<n/2 <k<k22
ratio:ratio: 11 kk
BC
![Page 6: Cryptography In the Bounded Quantum-Storage Model FOCS 2005 - Pittsburgh Tuesday, October 25 th 2005 Ivan Damgård, Louis Salvail, Christian Schaffner BRICS,](https://reader036.vdocuments.site/reader036/viewer/2022062520/5697c0071a28abf838cc64eb/html5/thumbnails/6.jpg)
6 / 18
AgendaAgenda
Quantum Bounded-Storage ModelQuantum Bounded-Storage Model Protocol for Oblivious TransferProtocol for Oblivious Transfer Protocol for Bit CommitmentProtocol for Bit Commitment Practicality IssuesPracticality Issues
![Page 7: Cryptography In the Bounded Quantum-Storage Model FOCS 2005 - Pittsburgh Tuesday, October 25 th 2005 Ivan Damgård, Louis Salvail, Christian Schaffner BRICS,](https://reader036.vdocuments.site/reader036/viewer/2022062520/5697c0071a28abf838cc64eb/html5/thumbnails/7.jpg)
7 / 18
Quantum Mechanics (Toy Version)Quantum Mechanics (Toy Version)
+ basis
£ basis
j i j i
j i£ j i£
with prob. 1 yields 1
with prob. ½ yields 0
Measurements:
with prob. ½ yields 1
![Page 8: Cryptography In the Bounded Quantum-Storage Model FOCS 2005 - Pittsburgh Tuesday, October 25 th 2005 Ivan Damgård, Louis Salvail, Christian Schaffner BRICS,](https://reader036.vdocuments.site/reader036/viewer/2022062520/5697c0071a28abf838cc64eb/html5/thumbnails/8.jpg)
8 / 18
Quantum Protocol for OTQuantum Protocol for OT
r; h;sh 2R Hn
s b©hx b s ©hx0 r r0
x0 r0
memory bound: store < n/2 qubits
Alice Bob
Example: honest players
jxi r
r 2R f ;£ gx 2R f ;gn
0110…
0110…
b2 f ;g
![Page 9: Cryptography In the Bounded Quantum-Storage Model FOCS 2005 - Pittsburgh Tuesday, October 25 th 2005 Ivan Damgård, Louis Salvail, Christian Schaffner BRICS,](https://reader036.vdocuments.site/reader036/viewer/2022062520/5697c0071a28abf838cc64eb/html5/thumbnails/9.jpg)
9 / 18
Quantum Protocol for OT IIQuantum Protocol for OT II
r; h;sh 2R Hn
s b©hx
x0 r0
memory bound: store < n/2 qubits
Alice Bob
honest players? private?
jxi r
r 2R f ;£ gx 2R f ;gn
0110…
0011…
b s ©hx0 r r0
x 6 x0) hx0 ;hx b
![Page 10: Cryptography In the Bounded Quantum-Storage Model FOCS 2005 - Pittsburgh Tuesday, October 25 th 2005 Ivan Damgård, Louis Salvail, Christian Schaffner BRICS,](https://reader036.vdocuments.site/reader036/viewer/2022062520/5697c0071a28abf838cc64eb/html5/thumbnails/10.jpg)
10 / 18
Obliviousness against dishonest Bob?Obliviousness against dishonest Bob?
r; h;sh 2R Hn
s b©hx b s ©hx0 r r0
x0 r0
memory bound: store < n/2 qubits
Alice Bob
jxi r
r 2R f ;£ gx 2R f ;gn
0110…
…
…
11…
x 6 x0) hx0 ;hx b
![Page 11: Cryptography In the Bounded Quantum-Storage Model FOCS 2005 - Pittsburgh Tuesday, October 25 th 2005 Ivan Damgård, Louis Salvail, Christian Schaffner BRICS,](https://reader036.vdocuments.site/reader036/viewer/2022062520/5697c0071a28abf838cc64eb/html5/thumbnails/11.jpg)
11 / 18
Proof of Obliviousness: ToolsProof of Obliviousness: Tools
OT
Purification techniques like in the Purification techniques like in the Shor-Preskill security proof of BB84Shor-Preskill security proof of BB84
Privacy Amplification against Quantum Privacy Amplification against Quantum Adversaries [RK, TCC05]Adversaries [RK, TCC05]
new min-entropy based uncertainty new min-entropy based uncertainty relation:relation:
For a For a nn-qubit register A in state -qubit register A in state AA, ,
let Plet P++ and P and P££ be the probabilities of measuring A be the probabilities of measuring A in the +-basis respectively in the +-basis respectively ££-basis. Then it holds-basis. Then it holds
PP++11 + P + P££
11 ·· 1 + negl(n). 1 + negl(n).
![Page 12: Cryptography In the Bounded Quantum-Storage Model FOCS 2005 - Pittsburgh Tuesday, October 25 th 2005 Ivan Damgård, Louis Salvail, Christian Schaffner BRICS,](https://reader036.vdocuments.site/reader036/viewer/2022062520/5697c0071a28abf838cc64eb/html5/thumbnails/12.jpg)
12 / 18
AgendaAgenda
Quantum Bounded Storage ModelQuantum Bounded Storage Model Protocol for Oblivious TransferProtocol for Oblivious Transfer Protocol for Bit CommitmentProtocol for Bit Commitment Practicality IssuesPracticality Issues
![Page 13: Cryptography In the Bounded Quantum-Storage Model FOCS 2005 - Pittsburgh Tuesday, October 25 th 2005 Ivan Damgård, Louis Salvail, Christian Schaffner BRICS,](https://reader036.vdocuments.site/reader036/viewer/2022062520/5697c0071a28abf838cc64eb/html5/thumbnails/13.jpg)
13 / 18
Quantum Protocol for Bit CommitmentQuantum Protocol for Bit Commitment
BC
Verifier Committer
b; x0
x0 b
b2 f ;£ g
jx i r; ::; jxni rn
x 2R f ;gn
r 2R f ;£ gn
xi x0i
ri b
memory bound: store < n/2 qubits
![Page 14: Cryptography In the Bounded Quantum-Storage Model FOCS 2005 - Pittsburgh Tuesday, October 25 th 2005 Ivan Damgård, Louis Salvail, Christian Schaffner BRICS,](https://reader036.vdocuments.site/reader036/viewer/2022062520/5697c0071a28abf838cc64eb/html5/thumbnails/14.jpg)
14 / 18
BC
Verifier Committer
b; x0
b2 f ;g
one round, non-interactive one round, non-interactive commit by receiving!commit by receiving! unconditionally hidingunconditionally hiding unconditionally binding as long as unconditionally binding as long as
MemMemcommittercommitter < n / 2 < n / 2
n
memory bound: store < n/2 qubits
Quantum Protocol for Bit Commitment IIQuantum Protocol for Bit Commitment II
) proof uses same tools as for OT !
![Page 15: Cryptography In the Bounded Quantum-Storage Model FOCS 2005 - Pittsburgh Tuesday, October 25 th 2005 Ivan Damgård, Louis Salvail, Christian Schaffner BRICS,](https://reader036.vdocuments.site/reader036/viewer/2022062520/5697c0071a28abf838cc64eb/html5/thumbnails/15.jpg)
15 / 18
AgendaAgenda
Quantum Bounded Storage ModelQuantum Bounded Storage Model Protocol for Oblivious TransferProtocol for Oblivious Transfer Protocol for Bit CommitmentProtocol for Bit Commitment Practicality IssuesPracticality Issues
![Page 16: Cryptography In the Bounded Quantum-Storage Model FOCS 2005 - Pittsburgh Tuesday, October 25 th 2005 Ivan Damgård, Louis Salvail, Christian Schaffner BRICS,](https://reader036.vdocuments.site/reader036/viewer/2022062520/5697c0071a28abf838cc64eb/html5/thumbnails/16.jpg)
16 / 18
Practicality IssuesPracticality Issues
OT
BC
With today’s technology, weWith today’s technology, we cancan transmit quantum bits encoded in transmit quantum bits encoded in
photonsphotons cannot storecannot store them for longer than a few them for longer than a few
millisecondsmilliseconds
Problems:Problems: imperfect sources (multi-pulse imperfect sources (multi-pulse
emissions)emissions) transmission errorstransmission errors
![Page 17: Cryptography In the Bounded Quantum-Storage Model FOCS 2005 - Pittsburgh Tuesday, October 25 th 2005 Ivan Damgård, Louis Salvail, Christian Schaffner BRICS,](https://reader036.vdocuments.site/reader036/viewer/2022062520/5697c0071a28abf838cc64eb/html5/thumbnails/17.jpg)
17 / 18
Practicality Issues IIPracticality Issues II
OT
Our protocols can be modified toOur protocols can be modified to resist resist attacks based onattacks based on multi-photon multi-photon
emissions emissions tolerate (quantum) tolerate (quantum) noisenoise
BC
Well within reach of Well within reach of current current
technologytechnology.. makes sense over short distances makes sense over short distances
(in contrast to QKD)(in contrast to QKD)
![Page 18: Cryptography In the Bounded Quantum-Storage Model FOCS 2005 - Pittsburgh Tuesday, October 25 th 2005 Ivan Damgård, Louis Salvail, Christian Schaffner BRICS,](https://reader036.vdocuments.site/reader036/viewer/2022062520/5697c0071a28abf838cc64eb/html5/thumbnails/18.jpg)
18 / 18
SummarySummary
OT
Protocols for OT and BC that areProtocols for OT and BC that are efficient, non-interactiveefficient, non-interactive unconditionally secureunconditionally secure against against
adversaries with bounded quantum adversaries with bounded quantum memorymemory
practical:practical: honest players do not need quantum honest players do not need quantum
memorymemory fault-tolerantfault-tolerant
BC
Thank you for Thank you for your attention!your attention!