Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fang Song Joint work with Sean Hallgren and Adam Smith Computer Science and Engineering Penn State University.

Published byMatthew Chapman Modified over 8 years ago

Similar presentations

Presentation on theme: "Fang Song Joint work with Sean Hallgren and Adam Smith Computer Science and Engineering Penn State University."— Presentation transcript:

1 Fang Song Joint work with Sean Hallgren and Adam Smith Computer Science and Engineering Penn State University

2 2 Are classical cryptographic protocols secure against quantum attackers? Are classical cryptographic protocols secure against quantum attackers?

3 3 Are classical cryptographic protocols secure against quantum attackers? Are classical cryptographic protocols secure against quantum attackers? Some protocols: no longer secure Computational assumptions broken by efficient quantum alg’s Factoring and Discrete Logarithm [ Shor’94 ] Principal ideal problem [ Hallgren’02 ] Information-theoretical classically secure protocol also broken A two prover commitment scheme becomes non-binding [ Crepeau,Salvail,Simard,Tapp’06 ] Attackers only need storing entanglement Many protocols: unknown how to prove security Classical proof techniques may no longer apply: e.g. rewinding General question: how to reason about quantum adversaries?

4 Some tasks are achievable Zero-Knowledge (ZK) for NP [ Watrous’09 ] Quantum rewinding in a special case ZK for a larger class of languages [ Hallgren,Kolla,Sen,Zhang’08 ] Coin-flipping [ Damgaard,Lunemann’09 ] Proofs of knowledge (PoK) [ Unruh’10 ] a. proving security of existing protocols b. designing new protocols 4 Question: using classical protocols, is every task achievable against classical attackers also achievable against quantum attackers?

5 Secure Function Evaluation (SFE) Correctness: Jointly evaluate f(x,y) correctly Privacy: Bob does not learn anything about x beyond f(x,y); same for Alice 5 AliceBob x y f(x,y) Parallels classical feasibility results: [ Yao’86;Goldreich,Micali,Wigderson’87 ] Main Result: ∃ classical secure function evaluation protocols against quantum attacks Main Result: ∃ classical secure function evaluation protocols against quantum attacks

6 6 Parallels classical feasibility results: [ Yao’86;Goldreich,Micali,Wigderson’87 ] a. Prove a family of classical arguments goes through against quantum adversaries Corollary: fully simulatable ZKPoK  quantum-secure SFE b. Construct a fully simulatable ZKPoK against quantum adv’s Get around difficulty of quantum rewinding Revisit quantum stand-alone security models (see paper) Main Result: ∃ classical secure function evaluation protocols against quantum attacks Main Result: ∃ classical secure function evaluation protocols against quantum attacks

7 Identify a family of hybrid arguments that goes through against quantum adv’s Adjacent pairs only differs by “simple” changes: E.g., changing the plaintext of an encryption Formalize a Simple Hybrid Argument framework Resembles code-based games [ Bellare,Rogaway’06 ] A classical construction [ Canetti,Lindell,Ostrovsky,Sahai’02 ] fits SHA framework [CLOS’02]: fully simulatable ZKPoK  classically secure SFE Corollary: fully simulatable ZKPoK  quantum-secure SFE, assuming Quantum-secure dense encryption & pseudorandom generators Implied by, e.g, Learning-with-errors (LWE) assumption DE D’ D’’    7 

8 8 Parallels classical feasibility results: [ Yao’86;Goldreich,Micali,Wigderson’87 ] a. Prove a family of classical arguments goes through against quantum adversaries Corollary: Fully simulatable ZKPoK  quantum secure SFE b. Construct a fully simulatable ZKPoK against quantum adv’s Get around difficulty of quantum rewinding Revisit quantum stand-alone security models (see paper) Main Result: ∃ classical secure function evaluation protocols against quantum attacks Main Result: ∃ classical secure function evaluation protocols against quantum attacks

9 Alice wants to convince Bob graph G is 3-colorable Zero knowledge: Bob does NOT learn the coloring w ∀ Bob, ∃ Simulator such that ∀ quantum state ρ : 9 w G protocol ρ ρ Sim G View: transcript + Bob’s state transcript + Bob’s state  Quantum Poly-time

10 10 PoK: Bob wants to be sure that Alice has some real w in mind ∀ Alice, ∃ Simulator such that ∀ quantum ρ Extra condition on simulator: if simulated transcript accepts, then extracting a 3-coloring w’of G. “Witness-extended simulator” Fully simulatable: Simulation + Extraction G protocol ρ Alice’s state + transcript. w’ Alice’s state + transcript  ρ Sim Quantum Poly-time

11 Classical technique to construct a simulator: Rewinding In every real interaction, prover answers questions from verifier Without a witness, simulator may not be able to answer all questions Pick a random branch from all interactions, check if could proceed If NOT, “rewind” and try again from the same auxiliary input ρ Naïve rewinding requires taking a snapshot of the adversary’s state and later returning to it Quantum no-cloning! Even just checking success/failure may destroy ρ 11 ρ Sim r ρ ρ r’’ r’ × ×

12 Theorem [ Watrous’09 ]: ∃ ZK proof for NP against quantum verifiers. “Oblivious” quantum rewinding If: probability of succ/failure independent of ρ Then: safe to go back; but cannot remember anything However, NOT enough for PoK: Simulation + Extraction Collecting answers from multiple branches Mere extraction is possible [ Unruh’10 ] Unclear how to do both simultaneously 12 ρ Sim r ρ’ Sim r’ ρ’’ Sim r’’ w’

13 Phase 2 Phase 1 G w c=Commit(a) b a ZK Proof that Decommit(c) =a e = Encrypt pk (w) ZK Proof that e encodes a witness for G pk = a+b: interpret as public key for a special encryption scheme Dense: valid public key looks random Lossy: if pk is truly random, then ∀ w 1, w 2 Encrypt pk (w 1 )  Encrypt pk (w 2 ) 13 Idea (inherited from Non- interactive ZK): Start with a “coin-flipping” preamble Honest prover can make sure the outcome is uniformly random A PoK simulator (playing the verifier) can control the outcome

14 Simulator succ. w.h.p because input is a true instance G The outcome of Phase 1 is pk : a truly random string Under such a key, any ciphertext can be “decoded” to any plaintext 14 Phase 2 Phase 1 c=Commit(a) b a ZK Proof that Decommit(c) =a ZK Proof that e encodes a witness for G e = Enc pk (0,r) = Enc pk (w,r’) ρ aux

15 e = Enc pk (w) Soundness ensures that: if ZK succ, w’ is a valid witness for G w.h.p. Simulator succ. w.h.p. because comm(0) is indistinguishable from comm(a’) If succ., coin flipping will be a’+b = pk, of which the simulator knows the decrypting key ZK Proof that e encodes a witness for G c = Commit(0) b a’ = b+pk Run Watrous’s simulator to fake a proof that c is a commitment of a’ (pk,sk) = KeyGen e 15 w’ = Dec sk (e) ρ aux

16 Recap: Fully simulatable ZKPoK  quantum-secure SFE ∃ Fully simulatable ZKPoK Protocol Corollary1: Modular composition  Quantum-secure SFE in plain model (i.e., no trusted set-up) assuming quantum-secure dense & lossy encryption pseudorandom generator Corollary2: An interesting equivalence: CF = ZKPoK Round-complexity preserving reductions Independent Work [ Lunemann,Nielsen’11 ] Fully simulatable quantum-secure coin-flipping Plug into [ GMW’87 ] and obtain similar feasibility results as ours What I didn’t talk about our work: Models, UC-security etc. (see paper) 16

17 Some key pieces of classical crypto unchanged in presence of quantum attackers A lot more remains unclear… Open Questions: Can we extend to other settings: e.g., multi-party and concurrent security? Round complexity: ∃ quantum-secure constant round ZK/CF? Is there any natural two-party classical protocol that is broken by quantum adv’s NOT because of computational assumptions? Thank you! 17

18 [BB’84] C.H. Bennett, G. Brassard "Quantum cryptography: Public-key distribution and coin tossing". Proceedings of IEEE International Conference on Computers, Systems and Signal Processing 1984. [BM'05] Michael Ben-Or, Dominic Mayers. “General Security Definition and Composability for Quantum & Classical Protocols”. quant-ph/0409062. [C’00] Ran Canetti. “Security and Composition of Multiparty Cryptographic Protocols”. J. Cryptology. 2000. [CF’01] Ran Canetti, Marc Fischlin. “Universally Composable Commitments”. Crypto 2001. [CLOS’02] Ran Canetti, Yehuda Lindell, Rafail Ostrovsky, and Amit Sahai, “Universally composable two-party and multi-party secure computation”. STOC 2002, pp. 494–503. [CSST'05] C. Crepeau, Louis Salvail J.-R. Simard, A. Tapp. “Classical and quantum strategies for two-prover bit commitments”. Manuscript 2005. [DL’09] Ivan Damgård, Carolin Lunemann. “Quantum-Secure Coin-Flipping and Applications”. ASIACRYPT 2009. [FS’09] Serge Fehr, Christian Schaffner. “Composing Quantum Protocols in a Classical Environment”. TCC 2009. [LC’98] H.-K. Lo, H. F. Chau. “Why Quantum Bit Commitment And Ideal Quantum Coin Tossing Are Impossible”. Physica D120 (1998) 177-187. quant-ph/9711065. [LC99] Hoi-Kwong Lo, H. F. Chau. “Unconditional Security of Quantum Key Distribution over Arbitrarily Long Distances”. Science 26 March 1999: Vol. 283. no. 5410, pp. 2050 - 2056 [M’97] D. Mayers. “Unconditonally secure quantum bit commitment is impossible”. Phys. Rev. Lett. 78, (1997) 3414-3417. [S'94] Peter W. Shor. “Algorithms for Quantum Computation: Discrete Logarithms and Factoring” FOCS 1994: 124-134. [W'09] J. Watrous. “Zero-knowledge against quantum attacks”. J. on Computing, 2009. [U’10a] Dominique Unruh. “Quantum proofs of knowledge” April 2010, Preprint on IACR ePrint 2010/212. [U’10b] Dominique Unruh. “Universally composable quantum multi-party computation”. EUROCRYPT 2010 18

Download ppt "Fang Song Joint work with Sean Hallgren and Adam Smith Computer Science and Engineering Penn State University."

Similar presentations

Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.

The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Christian Schaffner CWI Amsterdam, Netherlands Position-Based Quantum Cryptography: Impossibility and Constructions Seminar Eindhoven, Netherlands Wednesday,

Christian Schaffner CWI Amsterdam, Netherlands Position-Based Quantum Cryptography: Impossibility and Constructions Seminar Eindhoven, Netherlands Wednesday,
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.

Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.

Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
Short course on quantum computing Andris Ambainis University of Latvia.

Short course on quantum computing Andris Ambainis University of Latvia.
On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.

On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.

Similar presentations

Ads by Google