Quantum Cryptography Christian Schaffner ILLC, University of Amsterdam Centrum Wiskunde & Informatica Logic, Language and Computation Monday, 21 September 2015

2 1969: Man on the Moon NASA The Great Moon-Landing Hoax? How can you prove that you are at a specific location?

3 What will you Learn from this Talk? Classical Cryptography Quantum Computation & Teleportation Position-Based Cryptography Garden-Hose Model

4 Classical Cryptography 3000 years of fascinating history until 1970: private communication was the only goal

5 Modern Cryptography is everywhere! is concerned with all settings where people do not trust each other

6 Secure Encryption k = ? Alice Bob Goal: Eve does not learn the message Setting: Alice and Bob share a secret key k Eve k = m = m = “I love you”

eXclusive OR (XOR) Function xyx © y Some properties: 8 x : x © 0 = x 8 x : x © x = 0 7 ) 8 x,y : x © y © y = x

One-Time Pad Encryption Alice Bob Goal: Eve does not learn the message Setting: Alice and Bob share a key k Recipe: Is it secure? Eve xyx © y k = m = c = m © k = c © k= c © k= m © k © k = m © 0 = m c = k = m = c = m © k = m = c © k = k = k = ? 8

Perfect Security Alice Bob Given that c = , is it possible that m = ? Yes, if k = is it possible that m = ? Yes, if k = it is possible that m = ? Yes, if k = In fact, every m is possible. Hence, the one-time pad is perfectly secure! Eve xyx © y m = ? k = ? c = m © k = m = c © k = ? k = ? 9

Problems With One-Time Pad Alice Bob The key has to be as long as the message (Shannon’s theorem) The key can only be used once. Eve m = k = c = m © k = m = c © k = k = ? 10

11 Information Theory 6 ECTS MoL course, given in 2 nd block: Nov/Dec 2015 mandatory for Logic & Computation track first lecture: Tuesday, 28 October 2015, 9:00, G3.13

Problems With One-Time Pad Alice Bob The key has to be as long as the message (Shannon’s theorem) The key can only be used once. In practice, other encryption schemes (such as AES) are used which allow to encrypt long messages with short keys.AES One-time pad does not provide authentication: Eve can easily flip bits in the messageauthentication Eve m = k = c = m © k = m = c © k = k = ? 12

Symmetric-Key Cryptography Alice Encryption insures secrecy: Eve does not learn the message, e.g. one-time padone-time pad Authentication insures integrity: Eve cannot alter the message General problem: players have to exchange a key to start with Eve Bob 13

14 Introduction to Modern Cryptography 6 ECTS MoL course, usually given in Feb/March 2016: probably not

15 What to Learn from this Talk? Classical Cryptography Quantum Computing & Teleportation Position-Based Cryptography Garden-Hose Model

16 Quantum Bit: Polarization of a Photon qu b i t asun i t vec t or i n C 2

17 Qubit: Rectilinear/Computational Basis

18 Detecting a Qubit Bob no photons: 0 Alice

19 Measuring a Qubit Bob no photons: 0 photons: 1 with prob. 1 yields 1 measurement: 0/1 Alice

20 Diagonal/Hadamard Basis with prob. ½ yields 0 with prob. ½ yields 1 Measurement: 0/1 =

21 Illustration of a Superposition with prob. ½ yields 0 with prob. ½ yields 1 Measurement: 0/1 =

22 Illustration of a Superposition = =

23 Quantum Mechanics with prob. 1 yields 1 Measurements: + basis £ basis with prob. ½ yields 0 with prob. ½ yields 1 0/1

Wonderland of Quantum Mechanics

25 Quantum is Real! 25 generation of random numbers (diagram from idQuantique white paper) no quantum computation, only quantum communication required 50%

26 Possible to build in theory, no fundamental theoretical obstacles have been found yet. Canadian company “D-Wave” claims to have build a quantum computer with 1024 qubits. Did they? 2014: Martinis group “acquired” by Googleacquired 2014/15: Mio € investment in QuTech centre in Delft 2015: QuSoft center in Amsterdam Can We Build Quantum Computers? Martinis group (UCSB) 9 qubits

27 No-Cloning Theorem quantum operations: U Proof: copying is a non-linear operation

Quantum Key Distribution (QKD) Alice Bob Eve security against unrestricted eavesdroppers: quantum states are unknown to Eve, she cannot copy them honest players can check whether Eve interfered technically feasible: no quantum computation required, only quantum communication [Bennett Brassard 84]

29 EPR Pairs prob. ½ : 0prob. ½ : 1 prob. 1 : 0 [Einstein Podolsky Rosen 1935] “spukhafte Fernwirkung” (spooky action at a distance) EPR pairs do not allow to communicate (no contradiction to relativity theory) can provide a shared random bit EPR magic!

30 Quantum Teleportation [Bennett Brassard Crépeau Jozsa Peres Wootters 1993] does not contradict relativity theory teleported state can only be recovered once the classical information ¾ arrives [Bell]

31 What to Learn from this Talk? Classical Cryptography Quantum Computing & Teleportation Position-Based Cryptography Garden-Hose Model

32 How to Convince Someone of Your Presence at a Location The Great Moon Landing Hoax

33 Position-Based Cryptography Possible Applications: Launching-missile command comes from within the military headquarters Talking to the correct country Pizza-delivery problem / avoid fake calls to emergency services … Can the geographical location of a player be used as sole cryptographic credential ?

34 Position-Based Cryptography swatteam-in-zn-nek-swatting.html

35 Basic task: Position Verification Prover wants to convince verifiers that she is at a particular position no coalition of (fake) provers, i.e. not at the claimed position, can convince verifiers assumptions: communication at speed of light instantaneous computation verifiers can coordinate Verifier1 Verifier2 Prover

36 Position Verification: First Try Verifier1 Verifier2 Prover time distance bounding [Brands Chaum ‘93]

37 Position Verification: Second Try Verifier1 Verifier2 Prover position verification is classically impossible ! [Chandran Goyal Moriarty Ostrovsky: CRYPTO ’09]

38 Equivalent Attacking Game independent messages m x and m y copying classical information this is impossible quantumly

39 Position Verification: Quantum Try [Kent Munro Spiller 03/10] Let us study the attacking game

40 Attacking Game impossible but possible with entanglement!! ? ?

41 Entanglement attack done if b=1 [Bell]

42 Entanglement attack the correct person can reconstruct the qubit in time! the scheme is completely broken [Bell]

43 more complicated schemes? Different schemes proposed by Chandran, Fehr, Gelles, Goyal, Ostrovsky [2010] Malaney [2010] Kent, Munro, Spiller [2010] Lau, Lo [2010] Unfortunately they can all be broken! general no-go theorem [Buhrman, Chandran, Fehr, Gelles, Goyal, Ostrovsky, S 2014]

44 U Most General Single-Round Scheme Let us study the attacking game

45 U Distributed Q Computation in 1 Round using some form of back-and-forth teleportation, players succeed with probability arbitrarily close to 1 requires an exponential amount of EPR pairs

46 No-Go Theorem Any position-verification protocol can be broken using an exponential number of EPR-pairs Question: is this optimal? Does there exist a protocol such that: any attack requires many EPR-pairs honest prover and verifiers efficient

47 Single-Qubit Protocol: SQP f [Kent Munro Spiller 03/10] if f(x,y)=0 if f(x,y)=1 efficiently computable

48 Attacking Game for SQP f Define E(SQP f ) := minimum number of EPR pairs required for attacking SQP f if f(x,y)=0if f(x,y)=1 xy

49 What to Learn from this Talk? Classical Cryptography Quantum Computing & Teleportation Position-Based Cryptography Garden-Hose Model Buhrman, Fehr, S, Speelman

share s waterpipes 50 The Garden-Hose Model

based on their inputs, players connect pipes with pieces of hose Alice also connects a water tap 51 if water Alice if water Bob

Garden-Hose complexity of f: GH(f) := minimum number of pipes needed to compute f 52 if water Alice if water Bob The Garden-Hose Model

Demonstration: Inequality on Two Bits 53

GH( Inequality ) · demonstration: 3n challenge: 2n + 1 (first student to me solution wins) world record: ~1.359n [Chiu Szegedy et al 13] GH( Inequality ) ¸ n [Pietrzak ‘11] n-Bit Inequality Puzzle 54

Relationship between E(SQP f ) and GH(f)

GH(f) ¸ E(SQP f ) Garden-HoseAttacking Game teleport

GH(f) ¸ E(SQP f ) Garden-HoseAttacking Game teleport y, Bob’s telep. keys x, Alice’s telep. keys using x & y, can follow the water/qubit correct water/qubit using all measurement outcomes

58 last slide: GH(f) ¸ E(SQP f ) The two models are not equivalent: exists f such that GH(f) = n, but E(SQP f ) · log(n) Quantum garden-hose model: give Alice & Bob also entanglement research question: are the models now equivalent? GH(f) = E(SQP f ) ?

59 Garden-Hose Complexity Theory every f has GH(f) · 2 n+1 if f in logspace, then GH(f) · polynomial efficient f & no efficient attack ) P  L exist f with GH(f) exponential (counting argument) for g 2 {equality, IP, majority}: GH(g) ¸ n / log(n) techniques from communication complexity Many open problems!

60 What Have You Learned from this Talk? Classical Cryptography Quantum Computing & Teleportation

61 What Have You Learned from this Talk? No-Go Theorem Impossible unconditionally, but attack requires unrealistic amounts of resources Garden-Hose Model model of communication complexity Position-Based Cryptography

62 Take on the crypto challenge! GH( Inequality ) = 2n + 1 pipes the first person to tell me the protocol course “Information Theory” see you in the next block on 28 October 2015!

00… 0 2 n+1 pipes 11… 1 x 1 x 2 …x n connects iff f(00…0,y)=0 connects iff f(11…1,y)=0 connects iff f(x,y)=0 f(x,y)=1 Any f has GH(f) · 2 n+1 x 1 x 2 …x n y 1 y 2 …y n f(x,y)=0f(x,y)=1

00… 0 n 11… 1 n x 1 x 2 …x n connects iff f(00…0,y)=0 connects iff f(11…1,y)=0 connects iff f(x,y)=0 Any f has GH(f) · 2 n+1 x 1 x 2 …x n y 1 y 2 …y n 2 n+1 pipes f(x,y)=0 f(x,y)=1

65 Open Problems Is Quantum-GH(f) equivalent to E(SQP f )? Find good lower bounds on E(SQP f ) Does P  L/poly imply f in P with GH(f) > poly ? Are there other position-verification schemes? Parallel repetition, link with Semi-Definite Programming (SDP) and non-locality. Implementation: handle noise & limited precision Can we achieve other position-based primitives?

66 Quantum Operations are linear isometries can be described by a unitary matrix: examples: identity bitflip (Pauli X): mirroring at axis X X X X

67 Quantum Operations are linear isometries can be described by a unitary matrix: examples: identity bitflip (Pauli X): mirroring at axis phase-flip (Pauli Z): mirroring at axis both (Pauli XZ) Z

Quantum Key Distribution (QKD) Alice Bob Eve inf-theoretic security against unrestricted eavesdroppers: quantum states are unknown to Eve, she cannot copy them honest players can check whether Eve interfered technically feasible: no quantum computation required, only quantum communication [Bennett Brassard 84]

69 Efficient quantum algorithm for factoring [Shor’94] breaks public-key cryptography (RSA) Fast quantum search algorithm [Grover’96] quadratic speedup, widely applicable Quantum communication complexity exponential savings in communication Quantum Cryptography [Bennett-Brassard’84,Ekert’91] Quantum key distribution Early results of QIP