quantum cryptography beyond key distribution
DESCRIPTION
Quantum Cryptography beyond Key Distribution. Christian Schaffner CWI Amsterdam, Netherlands. Workshop on Post-Quantum Security Models Paris, France Tuesday , 12 October 2010. Outline. Cryptographic Primitives Noisy -Storage Model Position- Based Quantum Cryptography Conclusion. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/1.jpg)
Christian SchaffnerCWI Amsterdam, Netherlands
Quantum Cryptography beyond
Key Distribution
Workshop on Post-Quantum Security ModelsParis, FranceTuesday , 12 October 2010
![Page 2: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/2.jpg)
2 Outline
Cryptographic PrimitivesNoisy-Storage ModelPosition-Based Quantum Cryptography Conclusion
![Page 3: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/3.jpg)
3Cryptography
settings where parties do not trust each other: secure communication authentication
AliceBob
Eve
three-party scenario
= ?
use the same quantum hardware for applications in two- and multi-party scenarios
![Page 4: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/4.jpg)
4Example: ATM
PIN-based identification scheme should be a secure evaluation of the equality function
dishonest player can exclude only one possible password
=a
a = b?
?b
a = b?
![Page 5: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/5.jpg)
5
Modern Cryptography
two-party scenarios:
password-based identification (=) millionaire‘s problem (<) dating problem (AND)
multi-party scenarios:
sealed-bid auctions e-voting …
use QKD hardware for applications in two- and multi-party scenarios
![Page 6: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/6.jpg)
6
In the plain model (no restrictions on adversaries, using quantum communication, as in QKD):
Secure function evaluation is impossible (Lo ‘97)
Restrict the adversary: Computational assumptions (e.g. factoring or
discrete logarithms are hard)
Can we implement these primitives?
unproven
![Page 7: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/7.jpg)
7
use the technical difficulties in building a quantum computer to our advantage
storing quantum information is a technical challenge
Bounded-Quantum-Storage Model :bound the number of qubits an adversary can store (Damgaard, Fehr, Salvail, S ‘05)
Noisy-(Quantum-)Storage Model:more general and realistic model (Wehner, S, Terhal ’07; König, Wehner, Wullschleger ‘09)
Exploit Quantum-Storage Imperfections
Conversion can fail Error in storage Readout can fail
![Page 8: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/8.jpg)
8 Outline
Cryptographic Primitives Noisy-Storage Model Position-Based Quantum Cryptography Conclusion
![Page 9: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/9.jpg)
9
The Noisy-Storage Model (Wehner, S, Terhal ’07)
![Page 10: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/10.jpg)
10
what an (active) adversary can do: change messages computationally all-powerful actions are ‘instantaneous’ unlimited classical storage
restriction: noisy quantum storage
The Noisy-Storage Model (Wehner, S, Terhal ’07)
waiting time: ¢t
![Page 11: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/11.jpg)
11
The Noisy-Storage Model (Wehner, S, Terhal ’07)
Arbitrary encoding
attack
Unlimited classical storage
change messages computationally all-powerful unlimited classical storage actions are ‘instantaneous’
waiting time: ¢t
Adversary’s state Noisy quantum storage
models: transfer into storage (photonic states onto different carrier) decoherence in memory
![Page 12: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/12.jpg)
12
General case [König Wehner Wullschleger 09]: Storage channels with “strong converse” property,
e.g. depolarizing channel Some simplifications [S 10]
Protocol Structure12
weak string erasure
waiting time: ¢t
quantum part as in BB84
Noisy quantum storage
oblivious transfer
secure identification
bit commitment
classical post-processing
![Page 13: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/13.jpg)
13Summary
=
defined the noisy-storage model exactly specified capabilities of adversary protocol structure
quantum: BB84 classical post-processing resulting in
security proofs: entropic uncertainty relations quantum channel properties quantum information theory
change messages computationally all-powerful unlimited classical storage actions are ‘instantaneous’
< AND
![Page 14: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/14.jpg)
14 Outline
Cryptographic Primitives
Noisy-Storage Model Position-Based Quantum Cryptography Conclusion
![Page 15: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/15.jpg)
15
Example: Position Verification
Prover wants to convince verifiers that she is at a particular position
assumptions: communication at speed of light instantaneous computation verifiers can coordinate
no coalition of (fake) provers, i.e. not at the claimed position, can convince verifiers
Verifier1 Verifier2Prover
![Page 16: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/16.jpg)
16
Position Verification: First Try
Verifier1 Verifier2Prover
time
![Page 17: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/17.jpg)
17
Position Verification: Second Try
Verifier1 Verifier2Prover
position verification is classically impossible ! even using computational assumptions
[Chandran Goyal Moriarty Ostrovsky: CRYPTO ‘09]
![Page 18: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/18.jpg)
18
Verifier1 Verifier2Prover
Position-Based Quantum Cryptography[Kent Munro Spiller 03/10, Chandran Fehr Gelles Goyal Ostrovsky, Malaney 10]
intuitively: security follows from no cloning formally, usage of recently established [Renes Boileau 09]
strong complementary information trade-off
![Page 19: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/19.jpg)
19
Position-Based QC: Teleportation Attack[Kent Munro Spiller 03/10, Lau Lo 10]
![Page 20: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/20.jpg)
20
Position Verification: Fourth Try[Kent Munro Spiller 03/10, Malaney 10, Lau Lo 10]
exercise: insecure if adversaries share 2 EPR pairs!
![Page 21: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/21.jpg)
21
Impossibility of Position-Based Q Crypto[Buhrman Chandran Fehr Gelles Goyal Ostrovsky S 10]
general attack clever way of back-and-forth teleportation, based on
ideas by [Vaidman 03] for “instantaneous measurement of nonlocal variables”
![Page 22: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/22.jpg)
22
Position-Based Quantum Cryptography
can be generalized to more dimensions plain model: classically and quantumly impossible basic scheme for secure positioning if adversaries have
no pre-shared entanglement more advanced schemes allow message authentication
and key distribution
Verifier1 Verifier2Prover
[Buhrman Chandran Fehr Gelles Goyal Ostrovsky S 10]
![Page 23: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/23.jpg)
23
Open Questions
no-go theorem vs. secure schemes how much entanglement is required to break the
scheme? security in the bounded-entanglement model?
interesting connections to entropic uncertainty relations and non-local games
Verifier1 Verifier2Prover
[Buhrman Chandran Fehr Gelles Goyal Ostrovsky S 10]
![Page 24: Quantum Cryptography beyond Key Distribution](https://reader035.vdocuments.site/reader035/viewer/2022081512/568161e7550346895dd21197/html5/thumbnails/24.jpg)
24Conclusion
=
cryptographic primitives
noisy-storage model: well-defined adversary model
position-based q cryptography general no-go theorem security if no entanglement
QKD hardware and know-how is useful in applications beyond key distribution