joint work with: harry buhrman (cwi), nishanth chandran (ucla
TRANSCRIPT
CWI Amsterdamwww.cwi.nl/~fehr
Joint work with:Harry Buhrman (CWI), Nishanth Chandran (UCLA), Ran Gelles (UCLA),Vipul Goyal (MS), Rafail Ostrovsky (UCLA), and Christian Schaffner (CWI)
Position-based Cryptography
Position-based Cryptographic Tasks
Position-based Identification
PEGGYVICTOR VINCENT
position
time
×
Gaol: To convince Victor & Vincent of Peggy’s location.
For simplicity: consider 1 dimension. For 2 dimensions, 3 verifiers are needed, etc.
Position-based Identification
PEGGYVICTOR VINCENT
challenge enge C challenge chal g C’ position
time
arrive at same time
×
Position-based Identification
PEGGYVICTOR VINCENT
challenge enge C challenge l g C’ position
time
chalcoommppuuttee mp teec RRR=ff((fff CC,CC C’))’
×
Position-based Identification
PEGGYVICTOR VINCENT
challenge enge C challenge chal g C’
reply p y R reply RR
position
time
verify
×
verify
PEGGYVICTOR VINCENT
challenge enge C challenge chal g C’
reply p y R reply RR
position
Too late !!!
EEEVVVVEEEEVICTOR VINCENT
C’R
position
time
◦
R
C
time
×
×
Position-based Identification
verify verify
R
PEGGYVICTOR VINCENT
challenge enge C challenge chal g C’
reply p y R reply RR
position
VICTOR & VINCENT accept !!!
EEEVVVVEEEEVICTOR VINCENT
C’
R
positionC
EEEEDDDD
time
×
×◦ ◦
time
Position-based Identification
verify verify
[Chandran,Goyal,Moriarty,Ostrovsky 2009]
R
EEVVEEVICTOR VINCENT
’
R
positionC
EEDD×◦ ◦
time
copy CR
CCCCcopy C’
Position-based Identification
PEGGYVICTOR VINCENT
HθHH |x⟩⟩x θ position
time
×
verify verify
A Simple Candidate Scheme
xxx
Bit x is obtained by measuring qubit Hθ|x⟩ in basis {Hθ|0⟩,Hθ|1⟩}.
????
PEGGYVICTOR VINCENT
HθHH |x⟩⟩x θ position
time
×
verify verify
A Simple Candidate Scheme
xxx
EEEVVVVEEEEVICTOR VINCENT
θ positionHθHH |x⟩x
EEEEDDDD×◦ ◦
time
?????
Eve cannot both keep Hθ|x⟩ and send it to Ed !
Conclusion: Scheme is secure ???
??????????????????????????????? ????????????????????????????
Our Results
August 2009. Chandran, Goyal, Moriarty, Ostrovsky (CRYPTO):Impossibility of ccllaassssiiccaall position-based crypto.
History of Position-based Quantum Crypto
March 2010. Malaney (arXiv):Quantum scheme for position-based identification, nnnooo ppprrrooooofff.ff
May 2010. Chandran, F., Gelles, Goyal, Ostrovsky (arXiv):Quantum scheme for position-based identification (and other tasks)
with rrrriiiiggggoooorrrroooouuuusss ssseeeeccccuuurrriittttyyyy pppprrrrooooooooffff,ffffbut iiimmmmpppplllliicccciittttlllyyy aaaassssssssuuummmmiiinnnngggg nnnnoooo pppprrrreeee----sssshhhaaaarrrreeeeddd eeeennnnttttaaaannnngggglllleeeemmmmeeeennnntttt.tttt
August 2010. Kent, Munro, Spiller (arXiv):IIInnnssseeeeccccuuuurrriitttyyy of proposed scheme with pre-shared entanglement.Proposal of new (secure?) schemes.
March 2010. Malaney (arXiv):Quantum scheme for position-based identification, nnoo pprrooooff.fff
May 2010. Chandran, F., Gelles, Goyal, Ostrovsky (arXiv):Quantum scheme for position-based identification (and other tasks)
with rrriiigggoooorrrooouuuusss ssseeeccccuuurrriiittyyy ppprrrroooooofff,fffbut iiimmmmpppplllliiiccciiittttllyyyy aaasssssssuuuummmmiiinnnngggg nnnoo pppprrreee---sssshhhhaaarrrreeeedddd eeennnnttttaaannnngggllleeeemmmeeennntttt.ttt
August 2010. Kent, Munro, Spiller (arXiv):IIIInnnnssseeeeccccuuuurrrriiitttyyyy of proposed scheme with pre-shared entanglement.Proposal of new (secure?) schemes.
September 2010. Lau, Lo (arXiv):Extension of Kent et al.’s attack to higher dimensions.Proposal of new (secure?) schemes.Security proof against 3-qubit entangled state
p p pIIIImmmmpppppppppppppppoooossssssssiiiibbbbiiiilllliiiittttyyyyyyyyyyyyyyy ooooffff ccccllllaaaassssssssiiiiccccaaaallll pppppppppppppppoooossssiiiittttiiiioooonnnn bbbbaaaasssseeeedddd ccccrrrryyyyyyyyyyyyyyypppppppppppppppttttoooo..Augguusstt 2200009. Chandran, Goyal, Moriarty, Ostrovsky (CRYPTO):IIIImmmmppppoooossssssssiiiibbbbiiillliiitttyyy ooofff ccllaassssiiccaall ppooosssiiitttiiiooonnn---bbbaaassseeeddd cccrrryyyppptttoo History of Position-based Quantum Crypto
May 2010. Chandran, F., Gelles, Goyal, Ostrovsky (arXiv):Quantum scheme for position-based identification (and other tasks)
with rrriiggoorroouuss sseeccuurriittyy pprrrooooff,fffbut iimmmppplliiccciittllyyy aaasssssuummiinnggg nnnoo ppprreee--sshhhaarreedd eennttaannngglleeemmeennnttt.tt
August 2010. Kent, Munro, Spiller (arXiv):IIInnnssseeeccccuuuurrrriiitttyyyy of proposed scheme with pre-shared entanglement.Proposal of new (secure?) schemes.
QQQQuuuuaaaannnnttttuuuummmm sssscccchhhheeeemmmmeeee ffffoooorrrr pppppppppppppppoooossssiiiittttiiiioooonnnn bbbbaaaasssseeeedddd iiiiddddeeeennnnttttiiiifififificcccaaaattttiiiioooonnnn,,,, nnnnoooo ppppppppppppppppprrrrooooooooffff....ffffffffMarcchh 22001100. Malaney (arXiv):QQQQuuuuaaaannnnttttuuuummmm sssccchhheeemmmee ffoorr ppoossiittiiiooonnn-bbbaaassseeeddd iiidddeeennntttiiififificccaaattiioonn,, nnoo pprrooooff..ffff History of Position-based Quantum Crypto
September 2010. Buhrman, Chandran, F., Gelles, Goyal, Ostrovsky,Schaffner (arXiv): IIIImmmmppppoooossssssssiiibbbbiiilliiittttyyyy oooofff ppppoooossssiiittttiiiioooonnnn---bbbbaaaasssseeeedddd qqqquuuuaaannnnttttuuuummmm cccrrrryyyyppptttoooo.
September 2010. Lau, Lo (arXiv):Extension of Kent et al.’s attack to higher dimensions.Proposal of new (secure?) schemes.Security proof against 3-qubit entangled state
Road Map
Teleportation
ALICE BOB
|ψ〉 ∈ H = C2n
Teleportation
ALICE BOB
|ψ〉 ∈ H = C2n
measure
Teleportation
ALICE BOB
measure
2n k Instantaneously!
k = 0...0 Vk =id
Teleportation
ALICE BOB
measure
2n k Instantaneously!
k = 0...0 Vk =id
Teleportation
ALICE BOB
measure
2n k Instantaneously!
k = 0...0 Vk =id
Road Map
PEGGYVICTOR VINCENT
position
time
×
The General Scheme
|ψΑΒΕ⟩
A B E
PEGGYVICTOR VINCENT
position
time
×
The General Scheme
|ψΑΒΕ⟩
AA BBBE
PEGGYVICTOR VINCENT
position
time
×
The General Scheme
|ψΑΒΕ⟩
AA BBBE
PEGGYVICTOR VINCENT
position
time
×
verify verify
The General Scheme
|ψΑΒΕ⟩
AAA BBB
E
PEGGYVICTOR VINCENT
position
time
×
verify verify
The General Scheme
|ψΑΒΕ⟩
AAA BBB
E
EEEEVVVVEEEVICTOR VINCENT
position
EEEEDDD×◦ ◦
time
AA BBE
PEGGYVICTOR VINCENT
The General Scheme
|ψΑΒΕ⟩
EEEEVVVVEEEVICTOR VINCENT
position
EEEEDDD×◦ ◦
time
AAA BBBBE
U
??
P GGYVICTOR VINC NT
noooposiiiiitttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttiiiiiiiiiooo
ttiimmee
iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiifffffffffffffffffffffffffffffffffffffffffffffffffffffff iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiffffffffffffffffffffffffffffffffffffffffffffffff
AAA BBB
EEve and Ed need to apply U to joint system AB, where A and B are geographically separated
vveerrify vvvvveeeeeerrrrrriiifffyyyΑΒΕΑΒΕ
vveerrriiifffffyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy vvvvvvvvvvvvvvvvvvvvvvvvvvvveeeeeeeerrrrrrrrriiiiiiiiiffffffffffyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyΑΑΑΑΒΕ
=> (in general) two rounds of communication needed ???
PEGGYVICTOR VINCENT
The General Scheme
|ψΑΒΕ⟩
AAA BBBBE
U
??
P GGYVICTOR VINC NT
noooposiiiiitttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttiiiiiiiiiooo
ttiimmee
veriiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiifffffffffffffffffffffffffffffffffffffffffffffffffffffffy veriiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiffffffffffffffffffffffffffffffffffffffffffffffffy
AAA BBB
EEve and Ed need to apply U to joint system AB, where A and B are geographically separated
nE
vverrify vvvvveeeeerrrrriiifffyyyvveerrify vvvvvveeeeeerrrrrriiifffyyy
ppppppppppoooooooosssssssiiiiiittttttiioooooooooEEEE
ΑΒΕ
EVEVICTOR VINCENT
poosiittio
ED
ΑΒΕvveerrriiifffyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy vvvvveeeeerrrrrrriiiiiiiffffffffyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
ΑΑΑΑΒΒΒΕWe show:Is possible with one round of communication(when given a “large” amount of entanglement).
Remarks:
Trivially doable in two rounds.No quantum communication needed.
ALICE BOB
Nonlocal Quantum Computation
|ψΑΒ⟩ ∈ HA ⊗HB
One round of communication
|ϕΑΒ⟩ = U |ψΑΒ⟩
BBBB
AAA BBBB
Remarks:
Trivially doable in two rounds.No quantum communication needed.
Theorem: Single-round nonlocal quantum computationis possible (given “many” pre-shared EPR pairs).
Proof: Follows... (based on ideas from [Vaidman2003])
ALICE BOB
Nonlocal Quantum Computation
|ψΑΒ⟩ ∈ HA ⊗HB
One round of communication
|ϕΑΒ⟩ = U |ψΑΒ⟩
BBBB
AAA BBBB
ALICE BOB
Step 1: Introducing Classical Inputs
AA BBBB
xxxxyyy xxxx∈∈∈∈XXXX,,,,yyyy∈∈∈∈YYYYYY
Is (obviously) equivalent to original single-round nonlocal quantum computation problem.
|ψΑΒ⟩ ∈ HA ⊗HB
x ∈ X, y ∈ Y
|ϕΑΒ⟩ = Uxy |ψΑΒ⟩BBBB
|ψΑΒ⟩ ∈ HA ⊗HB
xy x∈XX,y∈∈YYYALICE BOB
Step 2: Removing Bob’s Quantum Input
x ∈ X, y ∈ Y
AA BBBB
AAA BBBB |ϕΑΒ⟩ = Uxy |ψΑΒ⟩
|ψΑΒ⟩ ∈ HA ⊗HB
xy x∈XX,y∈∈YYYALICE BOB
Step 2: Removing Bob’s Quantum Input
x ∈ X, y ∈ Y
AA
AAA BBBB
BBBBBB
|ϕΑΒ⟩ = Uxy |ψΑΒ⟩
|ψΑΒ⟩ ∈ HA ⊗HB
xy x∈XX,y∈∈YYYALICE BOB
Step 2: Removing Bob’s Quantum Input
x ∈ X, y ∈ Ykk ΑΒΑΒ
= Uxy(id ⊗Vk-1) (id ⊗Vk)|ψΑΒ⟩
AA
AAA BBBB
BBBBmeasure
|ϕΑΒ⟩ = Uxy |ψΑΒ⟩
B
|ψΑΒ⟩ ∈ HA ⊗HB
xy x∈XX,y∈∈YYYALICE BOB
Step 2: Removing Bob’s Quantum Input
x ∈ X, y ∈ Ykk ΑΒΑΒ
= Uxy(id ⊗Vk-1) (id ⊗Vk)|ψΑΒ⟩
AA
AAA BBBB
BBBBmeasure
|ϕΑΒ⟩ = Uxy |ψΑΒ⟩
B
xy′ ΑΒ
|ψΑΒ⟩ ∈ HA ⊗HB
xy x∈XX,y∈∈YYYALICE BOB
Step 2: Removing Bob’s Quantum Input
x ∈ X, y ∈ Y
Sufficient to consider the case where Bob has no quantum input, i.e., Alice holds A and B.
BBBB
AAA BBBB |ϕΑΒ⟩ = Uxy |ψΑΒ⟩′
′∈∈ ′
|ψΑΒ⟩ ∈ HA ⊗HB
xy x∈XX,y∈∈YYYALICE BOB
Step 2: Removing Bob’s Quantum Input
x ∈ X, y ∈ Y
Sufficient to consider the case where Bob has no quantum input, i.e., Alice holds A and B.
BBBB
AAA BBBB |ϕΑΒ⟩ = Uxy |ψΑΒ⟩
A B
xyy y AA BB
Easy Instances
xy
UAxy UB
xy
Uxy = UAxy ⊗ UB
xy
BBBB
|ψΑΒ⟩
A B
xyy y AA BB
Easy Instances
xy
UAxy UB
xy
Uxy = UAxy ⊗ UB
xy
AA BBBB
|ψΑΒ⟩
A B
xyy y AA BB
Easy Instances
xy
UAxy UB
xy
Uxy = UAxy ⊗ UB
xy
AA BBBB
|ψΑΒ⟩
UAxy UB
xy
A B
xyy y AA BB
Easy Instances
xy
UAxy UB
xy
Uxy = UAxy ⊗ UB
xy
AA BBBB
|ψΑΒ⟩UAxy ⊗ UB
xy
AA BBBB
xy x∈XX,y∈∈YYYALICE BOB
Pre-Processing the Inputs
AA BBBB
xy x∈XX,y∈∈YYYALICE BOB
Pre-Processing the Inputs
|ψAB〉
xy x∈XX,y∈∈YYYALICE BOB
Pre-Processing the Inputs
AA BBBB
|ϕΑΒ⟩ = Uxy |ψΑΒ⟩
1
x
N
|ψAB〉
xy x∈XX,y∈∈YYYALICE BOB
Pre-Processing the Inputs
AA
BBBB
|ϕΑΒ⟩ = Uxy |ψΑΒ⟩
1
x
N
xy x∈XX,y∈∈YYYALICE BOB
Pre-Processing the Inputs
|ϕΑΒ⟩ = Uxy |ψΑΒ⟩
1
x
N
measure
measure
� AA
BBB(Vk⊗V�)|ψAB〉
xy x∈XX,y∈∈YYYALICE BOB
Pre-Processing the Inputs
|ϕΑΒ⟩ = Uxy |ψΑΒ⟩
1
x
N
measure
measure
� AA
BBB
U1,y
Ux,y
UN,y
(Vk⊗V�)|ψAB〉
BBB
A
xy x∈XX,y∈∈YYYALICE BOB
Pre-Processing the Inputs
|ϕΑΒ⟩ = Uxy |ψΑΒ⟩
x
1,y
NN,NN yyy
Ux,y
(Vk⊗V�)|ψAB〉
Uxy
BBB
A
xy x∈XX,y∈∈YYYALICE BOB
Pre-Processing the Inputs
|ϕΑΒ⟩ = Uxy |ψΑΒ⟩
x
1,y
NN,NN yyy
(Vk⊗V�)|ψAB〉
BBB
A
xy x∈XX,y∈∈YYYALICE BOB
Pre-Processing the Inputs
|ϕΑΒ⟩ = Uxy |ψΑΒ⟩
eeeeqqqquuuuaaaallll iiiffff eqqquuaallll iifffqq kk==0...00 0==
Uxy (Vk⊗V�)|ψAB〉
BBB
A
xy x∈XX,y∈∈YYYALICE BOB
Pre-Processing the Inputs
|ϕΑΒ⟩ = Uxy |ψΑΒ⟩
eeeeqqqquuuuaaaallll iiiffff eqqquuaallll iifffqq kk==0...00 0==
Uxy (Vk⊗V�)|ψAB〉
BBB
A
xy x∈XX,y∈∈YYYALICE BOB
Pre-Processing the Inputs
|ϕΑΒ⟩ = Uxy |ψΑΒ⟩
eeeeqqqquuuuaaaallll iiiffff eqqquuaallll iifffqq kk==0...00 0==
measure
measureBBB
A
Uxy (Vk⊗V�)|ψAB〉
BBB
A
xy x∈XX,y∈∈YYYALICE BOB
Pre-Processing the Inputs
|ϕΑΒ⟩ = Uxy |ψΑΒ⟩
measure
measureBBB
A
(Vk⊗V�)|ψAB〉|ψ′AB〉 = (Vm⊗Vn)Uxy
BBB
A
xy x∈XX,y∈∈YYYALICE BOB
Pre-Processing the Inputs
|ϕΑΒ⟩ = Uxy |ψΑΒ⟩
measure
measureBBB
A
(Vk⊗V�)|ψAB〉|ψ′AB〉 = (Vm⊗Vn)Uxy
xy x∈X,y∈YYALICE BOBALICE BOB
If k=0...0= l (happens with prob. >0) then:
Vk =id =Vl and thus Alice & Bob can compute |ϕΑΒ⟩ in one round.
|ϕAB〉 = (V −1m ⊗V −1
n ) |ψ′AB〉
ΑΑΑΑΒΒΒΒ
xy x∈XX,y∈∈YYYALICE BOB
Pre-Processing the Inputs
|ϕΑΒ⟩ = Uxy |ψΑΒ⟩
measure
measure
(Vk⊗V�)|ψAB〉|ψ′AB〉 = (Vm⊗Vn)Uxy
xy x∈X,y∈YYALICE BOBALICE BOB
If k=0...0= l (happens with prob. >0) then:
Vk =id =Vl and thus Alice & Bob can compute |ϕΑΒ⟩ in one round.
|ϕAB〉 = (V −1m ⊗V −1
n ) |ψ′AB〉
mmmmeeeeasssurrrrrrrreee
measurre
mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaassssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuurrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrreeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
A
kk ll
ΑΒ
AB−1m
−1n
′AB
Else: Alice & Bob
set x′:= (x,k, l) and y′:= (y,m,n) ,set so that
repeat the pre-processing step.
U ′x′y′ := Uxy (V
−1k ⊗V −1
� )U−1xy (V −1
m ⊗V −1n )
|ϕAB〉 = U ′x′y′ |ψ′
AB〉
2n
Recap
n
Road Map
The Simple BB84-based Scheme
PEGGYVICTOR VINCENT
HθHH |x⟩⟩x θ position
time
×
verify verifyxxx
Eve cannot both keep Hθ|x⟩ and send it to Ed !
Conclusion: Scheme is secure ???
EEEVVVVEEEEVICTOR VINCENT
position
EEEEDDDD×◦ ◦
time?????
θHθHH |x⟩x?????
??????????????????????????????? ????????????????????????????
The Simple BB84-based Scheme
EEVVEEVICTOR VINCENT
position
EEDD×◦ ◦
time???
θ???
?????????? ???????????
HθHH |x⟩x
The Simple BB84-based Scheme
EEVVEEVICTOR VINCENT
position
EEDD×◦ ◦
time
θ
?????????? ???????????θθ
θθEEEEEFFFFHHθθHHHH ||xx⟩⟩xx
The Simple BB84-based Scheme
EEVVEEVICTOR VINCENT
position
EEDD×◦ ◦
time
θ
?????????? ???????????θθ
θθEEEFFFFBBBBBAAAAA
The Simple BB84-based Scheme
EEVVEEVICTOR VINCENT
position
EEDD×◦ ◦ θ
?????????? ???????????θθ
θθEEEFFFF
measure
BBBBBAAAAA
The Simple BB84-based Scheme
EEVVEEVICTOR VINCENT
position
EEDD×◦ ◦ θ
?????????? ???????????θθ
θθEEEEFFF
measure
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAA
The Simple BB84-based Scheme
EEVVEEVICTOR VINCENT
position
EEDD×◦ ◦ θ
?????????? ???????????θθ
θθEEEEFFF
AEF
measure
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAA
AEF A 2
Remarks
Summary
Summary
Summary