Post on 29-Jan-2016
Cryptography in the Bounded Quantum-Storage Model
Ivan Damgård, Louis Salvail, Christian Schaffner
BRICS, University of Århus, DK
Serge Fehr
CWI, Amsterdam, NL
2 / 18
Classical 2-party primitives
Rabin Oblivious Transfer (OT): input $b$, output $b$ / ? (private, oblivious)
Bit Commitment (BC): commit $b$ as $C_b$; open with $b$, "$b$ in $C_b$?" (binding, hiding)
$\text{OT} \Rightarrow \text{BC}$
OT is complete for two-party cryptography
3 / 18
Known Impossibility Results
OT: In the classical unconditionally secure model without further assumptions
BC: In the unconditionally secure model with quantum communication [Mayers97, Lo-Chau97]
4 / 18
Classical Bounded-Storage Model
OT
BC
()
()
random string which players try to store
a memory bound applies at a specified moment
protocol for OT [DHRS, TCC04]:
memory size of honest players: $k$
memory of dishonest players: $< k^2$
Tight bound [DM, EC04]
can be improved by allowing quantum communication
5 / 18
Quantum Bounded-Storage Model
OT
quantum memory bound applies at a specified moment. Besides that, players are unbounded (in time and space)
unconditionally secure against adversaries with quantum memory of less than half of the transmitted qubits
honest players do not need quantum memory at all
Memory (quantum model | classical model):
honest players: $0$ | $k$
dishonest players: $< n/2$ | $< k^2$
ratio: $\infty$ | $k$
BC
6 / 18
Agenda
Quantum Bounded-Storage Model
Protocol for Oblivious Transfer
Protocol for Bit Commitment
Practicality Issues
7 / 18
Quantum Mechanics (Toy Version)
$+$ basis: $|0\rangle$, $|1\rangle$
$\times$ basis: $|0\rangle_\times$, $|1\rangle_\times$
Measurements:
with prob. 1 yields 1
with prob. ½ yields 0
with prob. ½ yields 1
8 / 18
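Quantum Protocol for OT
Alice: $x \in_R \{0,1\}^n$, $r \in_R \{+,\times\}$, $b \in \{0,1\}$
Alice to Bob: $|x\rangle_r$
Bob: $x'$, $r'$
memory bound: store < n/2 qubits
Alice: $h \in_R \mathcal{H}_n$, $s = b \oplus h(x)$
Alice to Bob: $r, h, s$
Bob: $b = s \oplus h(x')$ if $r = r'$
Example: honest players
0110…
0110…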
9 / 18
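Quantum Protocol for OT II
Alice: $x \in_R \{0,1\}^n$, $r \in_R \{+,\times\}$
Alice to Bob: $|x\rangle_r$
Bob: $x'$, $r'$
memory bound: store < n/2 qubits
Alice: $h \in_R \mathcal{H}_n$, $s = b \oplus h(x)$
Alice to Bob: $r, h, s$
Bob: $b = s \oplus h(x')$ if $r = r'$
honest players? private?
0110…
0011…
$x \neq x' \Rightarrow h(x'), h(x) \quad b$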
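The honest-player runs on the two slides above can be simulated classically. This is an added example, not code from the talk; the inner-product hash `h` is an assumed stand-in for a function drawn from $\mathcal{H}_n$, and `None` stands for the "?" output.

```python
import random

BASES = "+x"  # '+' and 'x' stand for the two bases on the slides


def measure(x, r, r_prime, rng):
    """Classical simulation of measuring |x>_r in basis r_prime."""
    if r == r_prime:
        return list(x)  # same basis: bits come back unchanged
    return [rng.randrange(2) for _ in x]  # other basis: fair coin per qubit


def h(a, x):
    """Assumed one-bit hash h_a(x) = <a, x> mod 2, standing in for H_n."""
    return sum(ai & xi for ai, xi in zip(a, x)) % 2


def run_ot(b, n, rng):
    """One honest run; returns (Bob's output, s XOR h(x'), r == r')."""
    x = [rng.randrange(2) for _ in range(n)]   # Alice: x in_R {0,1}^n
    r = rng.choice(BASES)                      # Alice: r in_R {+,x}
    r_prime = rng.choice(BASES)                # Bob: r'
    x_prime = measure(x, r, r_prime, rng)      # Bob measures at once, stores nothing
    # The memory bound applies here; only then does Alice send r, h, s.
    a = [rng.randrange(2) for _ in range(n)]   # Alice: h in_R H_n
    s = b ^ h(a, x)                            # s = b XOR h(x)
    value = s ^ h(a, x_prime)                  # equals b whenever x' = x
    output = value if r == r_prime else None   # None plays the role of '?'
    return output, value, r == r_prime


def statistics(trials=2000, n=32, seed=1):
    """Return (fraction of runs in which Bob receives b,
    fraction of wrong-basis runs in which s XOR h(x') happens to equal b)."""
    rng = random.Random(seed)
    received = wrong = wrong_hits = 0
    for _ in range(trials):
        b = rng.randrange(2)
        output, value, same = run_ot(b, n, rng)
        if same:
            received += output == b
        else:
            wrong += 1
            wrong_hits += value == b
    return received / trials, wrong_hits / wrong
```

Both fractions come out close to ½: Bob receives $b$ in about half the runs, and in the other half the value he can compute from $x'$ agrees with $b$ no more often than a coin flip.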
10 / 18
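Obliviousness against dishonest Bob?
Alice: $x \in_R \{0,1\}^n$, $r \in_R \{+,\times\}$
Alice to Bob: $|x\rangle_r$
Bob: $x'$, $r'$
memory bound: store < n/2 qubits
Alice: $h \in_R \mathcal{H}_n$, $s = b \oplus h(x)$
Alice to Bob: $r, h, s$
Bob: $b = s \oplus h(x')$ if $r = r'$
0110…
…
…
11…
$x \neq x' \Rightarrow h(x'), h(x) \quad b$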
11 / 18
Proof of Obliviousness: Tools
OT
Purification techniques like in the Shor-Preskill security proof of BB84
Privacy Amplification against Quantum Adversaries [RK, TCC05]
new min-entropy based uncertainty relation:
For an $n$-qubit register $A$ in state $\rho_A$, let $P^+$ and $P^\times$ be the probabilities of measuring $A$ in the $+$-basis respectively $\times$-basis. Then it holds
$P^+_\infty + P^\times_\infty \le 1 + \mathrm{negl}(n)$.
12 / 18
Agenda
Quantum Bounded Storage Model
Protocol for Oblivious Transfer
Protocol for Bit Commitment
Practicality Issues
13 / 18
Quantum Protocol for Bit Commitment
BC
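Verifier: $x \in_R \{0,1\}^n$, $r \in_R \{+,\times\}^n$
Verifier to Committer: $|x_1\rangle_{r_1}, \ldots, |x_n\rangle_{r_n}$
Committer: $b \in \{+,\times\}$; $x'$, $b$
memory bound: store < n/2 qubits
Committer to Verifier: $b, x'$
Verifier: $x_i = x'_i$ if $r_i = b$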
14 / 18
Quantum Protocol for Bit Commitment II
BC
Verifier Committer
$b, x'$
$b \in \{0,1\}$
$n$
memory bound: store < n/2 qubits
one round, non-interactive
commit by receiving!
unconditionally hiding
unconditionally binding as long as $\mathrm{Mem}_{\text{committer}} < n/2$
$\Rightarrow$ proof uses same tools as for OT!
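The commit-by-receiving step and the verifier's check can be simulated classically as well. This is an added example, not code from the talk; it models only a committer who measures every qubit immediately and stores none, and the function names are hypothetical.

```python
import random

BASES = "+x"  # '+' and 'x' stand for the two bases on the slides


def send_qubits(n, rng):
    """Verifier: x in_R {0,1}^n, r in_R {+,x}^n; sends |x_i>_{r_i}."""
    x = [rng.randrange(2) for _ in range(n)]
    r = [rng.choice(BASES) for _ in range(n)]
    return x, r


def commit(x, r, b, rng):
    """Committer commits to b by measuring every qubit in basis b.

    Where r_i = b the bit x_i is recovered; elsewhere the outcome is a coin.
    """
    return [xi if ri == b else rng.randrange(2) for xi, ri in zip(x, r)]


def verify(x, r, b, x_prime):
    """Verifier accepts an opening (b, x') iff x_i = x'_i wherever r_i = b."""
    return all(xi == xpi for xi, ri, xpi in zip(x, r, x_prime) if ri == b)


def open_rates(n=64, trials=500, seed=3):
    """Acceptance rates for the honest opening (b, x') and for the same x'
    presented with the other basis."""
    rng = random.Random(seed)
    honest = flipped = 0
    for _ in range(trials):
        x, r = send_qubits(n, rng)
        b = rng.choice(BASES)
        x_prime = commit(x, r, b, rng)
        other = "x" if b == "+" else "+"
        honest += verify(x, r, b, x_prime)
        flipped += verify(x, r, other, x_prime)
    return honest / trials, flipped / trials
```

The honest opening is always accepted, while the same $x'$ presented under the other basis is rejected in essentially every run, because about half of the checked positions hold coin flips.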
15 / 18
Agenda
Quantum Bounded Storage Model
Protocol for Oblivious Transfer
Protocol for Bit Commitment
Practicality Issues
16 / 18
Practicality Issues
OT
BC
With today’s technology, we
can transmit quantum bits encoded in photons
cannot store them for longer than a few milliseconds
Problems:
imperfect sources (multi-pulse emissions)
transmission errors
17 / 18
Practicality Issues II
OT
Our protocols can be modified to
resist attacks based on multi-photon emissions
tolerate (quantum) noise
BC
Well within reach of current technology.
makes sense over short distances (in contrast to QKD)
18 / 18
Summary
OT
Protocols for OT and BC that are
efficient, non-interactive
unconditionally secure against adversaries with bounded quantum memory
practical:
honest players do not need quantum memory
fault-tolerant
BC
Thank you for your attention!