Cryptography In the Bounded Quantum-Storage Model Christian Schaffner, BRICS University of Århus, Denmark ECRYPT Autumn School, Bertinoro Wednesday, October.

Slides:



Advertisements
Similar presentations
A Tight High-Order Entropic Quantum Uncertainty Relation with Applications Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Renato Renner (ETH Zürich,
Advertisements

Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.
Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.
Implementation of Practically Secure Quantum Bit Commitment Protocol Ariel Danan School of Physics Tel Aviv University September 2008.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
Christian Schaffner CWI Amsterdam, Netherlands Position-Based Quantum Cryptography: Impossibility and Constructions Seminar Eindhoven, Netherlands Wednesday,
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
QUANTUM CRYPTOGRAPHY ABHINAV GUPTA CSc Introduction [1,2]  Quantum cryptography is an emerging technology in which two parties can secure network.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Experimental Bit String Generation Serge Massar Université Libre de Bruxelles.
Short course on quantum computing Andris Ambainis University of Latvia.
Oblivious Transfer and Bit Commitment from Noisy Channels Ivan Damgård BRICS, Århus University.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
A Tight High-Order Entropic Quantum Uncertainty Relation with Applications Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Renato Renner (University.
Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.
Oblivious Transfer based on the McEliece Assumptions
Superdense coding. How much classical information in n qubits? Observe that 2 n  1 complex numbers apparently needed to describe an arbitrary n -qubit.
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.
Non-interactive and Reusable Non-malleable Commitments Ivan Damgård, BRICS, Aarhus University Jens Groth, Cryptomathic A/S.
Quantum Key Establishment Wade Trappe. Talk Overview Quantum Demo Quantum Key Establishment.
BB84 Quantum Key Distribution 1.Alice chooses (4+  )n random bitstrings a and b, 2.Alice encodes each bit a i as {|0>,|1>} if b i =0 and as {|+>,|->}
Quantum Cryptography Prafulla Basavaraja CS 265 – Spring 2005.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
Lo-Chau Quantum Key Distribution 1.Alice creates 2n EPR pairs in state each in state |  00 >, and picks a random 2n bitstring b, 2.Alice randomly selects.
K-Anonymous Message Transmission Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.
EECS 598 Fall ’01 Quantum Cryptography Presentation By George Mathew.
Paraty, Quantum Information School, August 2007 Antonio Acín ICFO-Institut de Ciències Fotòniques (Barcelona) Quantum Cryptography.
Public Key Model 8. Cryptography part 2.
Adaptively Secure Broadcast, Revisited
How to play ANY mental game
A Few Simple Applications to Cryptography Louis Salvail BRICS, Aarhus University.
Paraty, Quantum Information School, August 2007 Antonio Acín ICFO-Institut de Ciències Fotòniques (Barcelona) Quantum Cryptography (III)
Christian Schaffner CWI Amsterdam, Netherlands Quantum Cryptography beyond Key Distribution Workshop on Post-Quantum Security Models Paris, France Tuesday,
Improved Non-Committing Encryption with Application to Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia Univ.), Tal Malkin (Columbia.
1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.
Software Security Seminar - 1 Chapter 5. Advanced Protocols 조미성 Applied Cryptography.
Device-independent security in quantum key distribution Lluis Masanes ICFO-The Institute of Photonic Sciences arXiv:
Introduction to Modern Cryptography Sharif University Spring 2015 Data and Network Security Lab Sharif University of Technology Department of Computer.
Cryptography In the Bounded Quantum-Storage Model Christian Schaffner, BRICS University of Århus, Denmark 9 th workshop on QIP 2006, Paris Tuesday, January.
Quantum Teleportation and Bit Commitment Chi-Yee Cheung Chung Yuan Christian University June 9, 2009.
Practical Aspects of Quantum Coin Flipping Anna Pappa Presentation at ACAC 2012.
Introduction to Quantum Key Distribution
Christian Schaffner, PhD student NF-årsfest 2005 A A R H U S U N I V E R S I T E T DAIMI – Department of Computer Science BRICS – Basic Research in Computer.
Entanglement sampling and applications Omar Fawzi (ETH Zürich) Joint work with Frédéric Dupuis (Aarhus University) and Stephanie Wehner (CQT, Singapore)
CS555Topic 251 Cryptography CS 555 Topic 25: Quantum Crpytography.
Quantum Cryptography Slides based in part on “A talk on quantum cryptography or how Alice outwits Eve,” by Samuel Lomonaco Jr. and “Quantum Computing”
Nawaf M Albadia
Christian Schaffner CWI Amsterdam, Netherlands Quantum Cryptography beyond Key Distribution Tropical QKD Waterloo, ON, Canada Wednesday, 16 June 2010.
Cryptography In the Bounded Quantum-Storage Model
Quantum Cryptography Christian Schaffner Research Center for Quantum Software Institute for Logic, Language and Computation (ILLC) University of Amsterdam.
1 Conference key-agreement and secret sharing through noisy GHZ states Kai Chen and Hoi-Kwong Lo Center for Quantum Information and Quantum Control, Dept.
Quantum Cryptography Christian Schaffner Research Center for Quantum Software Institute for Logic, Language and Computation (ILLC) University of Amsterdam.
Page 1 COMPSCI 290.2: Computer Security “Quantum Cryptography” including Quantum Communication Quantum Computing.
Quantum Cryptography Antonio Acín
Quantum Cryptography Christian Schaffner Research Center for Quantum Software Institute for Logic, Language and Computation (ILLC) University of Amsterdam.
Cryptography in the Bounded-Quantum-Storage Model Christian Schaffner BRICS, University of Aarhus PhD Defense Friday, April 27 th 2007.
1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.
Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information.
15-853Page 1 COMPSCI 290.2: Computer Security “Quantum Cryptography” Including Quantum Communication Quantum Computing.
Topic 36: Zero-Knowledge Proofs
COMPSCI 290.2: Computer Security
Unconditional Security of the Bennett 1992 quantum key-distribution protocol over a lossy and noisy channel Kiyoshi Tamaki * *Perimeter Institute for.
Quantum Cryptography Alok.T.J EC 11.
Richard Cleve DC 2117 Introduction to Quantum Information Processing CS 667 / PH 767 / CO 681 / AM 871 Lecture 22 (2009) Richard.
Based on results by: Masanes, Renner, Christandl, Winter and Barrett
Quantum-security of commitment schemes and hash functions
Presentation transcript:

Cryptography In the Bounded Quantum-Storage Model Christian Schaffner, BRICS University of Århus, Denmark ECRYPT Autumn School, Bertinoro Wednesday, October 19 th 2005 joint work with Ivan Damgård, Serge Fehr and Louis Salvail

2 / 42 Agenda  “Known” Results  Protocol for Oblivious Transfer  Security Proof  Protocol for Bit Commitment  Practicality Issues  Open Problems

3 / 42 Classical 2-party primitives: Rabin Oblivious Transfer b b / ? correct: For honest Alice and Bob, Bob gets the bit b with probability ½. correct: For honest Alice and Bob, Bob gets the bit b with probability ½. oblivious: Even if Bob is dishonest, he does not get information about b with probability ½. oblivious: Even if Bob is dishonest, he does not get information about b with probability ½. private: Even if Alice is dishonest, she does not learn, whether Bob received the bit or not. private: Even if Alice is dishonest, she does not learn, whether Bob received the bit or not. OT Sender Bob Alice Receiver

4 / 42 Classical 2-party primitives: Bit Commitment correct: BC allows Alice to commit to a bit b. Later, she can open C b to Bob. correct: BC allows Alice to commit to a bit b. Later, she can open C b to Bob. hiding: Even if Bob is dishonest, he does not get information on b from C b. hiding: Even if Bob is dishonest, he does not get information on b from C b. binding: Even if Alice is dishonest, she cannot open C b to another value than b. binding: Even if Alice is dishonest, she cannot open C b to another value than b. Committer Verifier b CbCbCbCb b b in C b ? BC

5 / 42 Classical 2-party primitives: Relations Oblivious Transfer b b / ? oblivious oblivious private private hiding hiding binding binding Bit Commitment b CbCbCbCb b b in C b ? OT BC OT ) BC, OT ¸ BC OT ) BC, OT ¸ BC OT OT is complete for two-party cryptography

6 / 42 Known Impossibility Results OT In the classical unconditionally secure model without further assumptions In the classical unconditionally secure model without further assumptions BC

7 / 42 Classical 2-party primitives: Bit Commitment hiding: Even if Bob is dishonest, he does not get information on b from C b. hiding: Even if Bob is dishonest, he does not get information on b from C b. binding: Even if Alice is dishonest, she cannot open C b to another value than b. binding: Even if Alice is dishonest, she cannot open C b to another value than b. Committer Verifier b CbCbCbCb b b in C b ? BC

8 / 42 Known Impossibility Results OT In the classical unconditionally secure model without further assumptions In the classical unconditionally secure model without further assumptions BC In the unconditionally secure model with quantum communication In the unconditionally secure model with quantum communication [Mayers97, Lo-Chau97]

9 / 42 Three Ways Out OT Bound computing power (schemes based on complexity assumptions) Bound computing power (schemes based on complexity assumptions) Noisy communication [see Ivan’s talk this morning] Noisy communication [see Ivan’s talk this morning] Physical limitations Physical limitations BC  Physical limitations e.g. bounded memory size

10 / 42 Classical Bounded-Storage Model OT BC ( ) random string which players try to store random string which players try to store a memory bound applies at a specified moment a memory bound applies at a specified moment protocol for OT [DHRS, TCC04]: memory size of honest players:k memory of dishonest players:<k 2 protocol for OT [DHRS, TCC04]: memory size of honest players:k memory of dishonest players:<k 2 Tight bound [DM, EC04] Tight bound [DM, EC04] can be improved by allowing quantum communication can be improved by allowing quantum communication

11 / 42 Quantum Bounded-Storage Model OT quantum memory bound applies at a specified moment quantum memory bound applies at a specified moment besides that, players are unbounded (in time and space) besides that, players are unbounded (in time and space) unconditional secure against adversaries with quantum memory of less then half of the transmitted qubits (honest players do not need quantum memory at all) unconditional secure against adversaries with quantum memory of less then half of the transmitted qubits (honest players do not need quantum memory at all) honest players:0k dishonest players:<n/2<k 2 honest players:0k dishonest players:<n/2<k 2 BC

12 / 42 Agenda Known Results Known Results  Protocol for Oblivious Transfer  Security Proof  Protocol for Bit Commitment  Practicality Issues  Open Problems

13 / 42 Quantum Mechanics I + basis £ basis with prob. 1 yields 1 with prob. ½ yields 0 Measurements: with prob. ½ yields 1

14 / 42 Quantum Protocol for OT memory bound: store < n/2 qubits Alice Bob Example: honest players 0110…

15 / 42 Quantum Protocol for OT II memory bound: store < n/2 qubits Alice Bob honest players? private? 0110… 0011…0011…

16 / 42 Obliviousness against dishonest Bob? memory bound: store < n/2 qubits Alice Bob 0110… … … 11…11…

17 / 42 Quantum Mechanics II + basis £ basis EPR pairs: prob. ½ : 0prob. ½ : 1 prob. ½ : 0 prob. ½ : 1 prob. 1 : 0

18 / 42 Proof of Obliviousness: Purification memory bound: store < n/2 qubits Alice Bob

19 / 42 Proof of Obliviousness: Purification II memory bound: store < n/2 qubits Alice Bob 011 0

20 / 42 Proof of Obliviousness: EPR-Version memory bound: store < n/2 qubits Alice Bob

21 / 42 Proof of Obliviousness: Distributions memory bound: store < n/2 qubits Alice Bob … … … … 0000 pq 2 -4

22 / 42 Proof of Obliviousness: Example memory bound: store < n/2 qubits Alice Bob p 2 -4 … … q 2 -4 … …

23 / 42 Proof of Obliviousness: Distributions II memory bound: store < n/2 qubits Alice Bob 001… … … 0000 p x … … q 2 -4 x

24 / 42 Proof of Obliviousness: Goal However Bob prepares his memory and the distributions p and q, he cannot guess h(x) in both bases simultaneously ) oblivious 001… p x q x ……

25 / 42 Privacy Amplification … p Privacy Amplification against Quantum Adversaries [Renner König, TCC 2005] …

26 / 42 Obliviousness: Uncertainty Relation … p x … q x

27 / 42 Proof of Obliviousness: Finale … p x … q x

28 / 42 Proof of Obliviousness: Recap memory bound: store ≤ n/2 qubits Alice Bob

29 / 42 Proof of Obliviousness: Recap II memory bound: store ≤ n/2 qubits Alice Bob

30 / 42 Proof of Obliviousness: Recap III memory bound: store ≤ n/2 qubits Alice Bob 001… … p x … q x

31 / 42 Proof of Obliviousness: Recap IV Alice Bob … p x … q x

32 / 42 Agenda Known Results Known Results Protocol for Oblivious Transfer Protocol for Oblivious Transfer Security Proof Security Proof  Protocol for Bit Commitment  Practicality Issues  Open Problems

33 / 42 Quantum Protocol for Bit Commitment BC VerifierCommitter memory bound: store < n/2 qubits

34 / 42 BC VerifierCommitter one round one round non-interactive (commit by receiving) non-interactive (commit by receiving) unconditionally hiding unconditionally hiding unconditionally binding: unconditionally binding: classically:Mem dis < 2 ¢ Mem hon classically:Mem dis < 2 ¢ Mem hon quantum:Mem dis < n / 2 quantum:Mem dis < n / 2 memory bound: store < n/2 qubits Quantum Protocol for Bit Commitment II

35 / 42 Binding Property: Proof Idea BC VerifierCommitter memory bound: store < n/2 qubits

36 / 42 Agenda Known Results Known Results Protocol for Oblivious Transfer Protocol for Oblivious Transfer Security Proof Security Proof Protocol for Bit Commitment Protocol for Bit Commitment  Practicality Issues  Open Problems

37 / 42 Practicality Issues OT BC With today’s technology, we can transmit quantum bits can transmit quantum bits encode bits in the correct basis encode bits in the correct basis send them over optical fibers send them over optical fibers receive and measure them receive and measure them cannot store them for longer than a few milliseconds cannot store them for longer than a few milliseconds Problems: imperfect sources (multi-pulse emissions) imperfect sources (multi-pulse emissions) transmission errors transmission errors

38 / 42 Practicality Issues II OT Our protocols can be modified to resist attacks based on multi-photon emissions resist attacks based on multi-photon emissions tolerate (quantum) noise tolerate (quantum) noise BC  Well within reach of current technology and unconditionally secure as long as nobody can store large amounts of quantum bits.

39 / 42 Open Problems and Next Steps OT Other flavors of OT: e.g. 1-out-of-2 Oblivious Transfer, String-OT, … Other flavors of OT: e.g. 1-out-of-2 Oblivious Transfer, String-OT, … Better memory bounds Better memory bounds Composability? What happens to the memory bound? Composability? What happens to the memory bound? Better uncertainty relations for more MUB Better uncertainty relations for more MUB … BC

40 / 42 Quantum Protocol for 1-2-OT memory bound: store < 0.4n qubits Alice Bob

41 / 42 Summary OT Protocols for OT and BC that are efficient efficient non-interactive non-interactive unconditionally secure against adversaries with bounded quantum memory unconditionally secure against adversaries with bounded quantum memory practical: practical: honest players do not need quantum memory honest players do not need quantum memory fault-tolerant fault-tolerant BC

42 / 42 Questions and Comments? OT BC

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.