Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography In the Bounded Quantum-Storage Model Christian Schaffner, BRICS University of Århus, Denmark 9 th workshop on QIP 2006, Paris Tuesday, January.

Published byJulianna Weaver Modified over 8 years ago

Similar presentations

Presentation on theme: "Cryptography In the Bounded Quantum-Storage Model Christian Schaffner, BRICS University of Århus, Denmark 9 th workshop on QIP 2006, Paris Tuesday, January."— Presentation transcript:

1 Cryptography In the Bounded Quantum-Storage Model Christian Schaffner, BRICS University of Århus, Denmark 9 th workshop on QIP 2006, Paris Tuesday, January 17 th 2006 joint work with Ivan Damgård, Serge Fehr and Louis Salvail

2 2 / 42 Agenda  Two-Party Crypto Primitives  Protocol for Oblivious Transfer  Security Proof  Protocol for Bit Commitment  Practicality Issues  Open Problems

3 3 / 42 Classical 2-party primitives: Rabin Oblivious Transfer b b / ? correct: For honest Alice and Bob, Bob gets the bit b with probability ½. correct: For honest Alice and Bob, Bob gets the bit b with probability ½. sender-private: If Alice is honest, (cheating) Bob does not get information about b with probability bigger than ½. sender-private: If Alice is honest, (cheating) Bob does not get information about b with probability bigger than ½. receiver-private: If Bob is honest, (cheating) Alice does not learn, whether Bob received the bit or not. receiver-private: If Bob is honest, (cheating) Alice does not learn, whether Bob received the bit or not. OT Sender Bob Alice Receiver

4 4 / 42 Classical 2-party primitives: Bit Commitment correct: BC allows Alice to commit to a bit b. Later, she can open C b to Bob. correct: BC allows Alice to commit to a bit b. Later, she can open C b to Bob. hiding: If Alice is honest, (cheating) Bob does not get information on b from C b. hiding: If Alice is honest, (cheating) Bob does not get information on b from C b. binding: If Bob is honest, (cheating) Alice cannot open C b to a bit b’  b. binding: If Bob is honest, (cheating) Alice cannot open C b to a bit b’  b. Committer Verifier b CbCbCbCb b b in C b ? BC

5 5 / 42 Classical 2-party primitives: Relations Oblivious Transfer b b / ? sender-private sender-private receiver-private receiver-private hiding hiding binding binding Bit Commitment b CbCbCbCb b b in C b ? OT BC OT ) BC OT ) BC OT OT is complete for two-party cryptography

6 6 / 42 Known Impossibility Results OT In the classical unconditionally secure model without further assumptions In the classical unconditionally secure model without further assumptions BC In the unconditionally secure model with quantum communication In the unconditionally secure model with quantum communication [Mayers97, Lo-Chau97] )

7 7 / 42 Three Ways Out OT Bound computing power (schemes based on complexity assumptions) Bound computing power (schemes based on complexity assumptions) Noisy communication [CrépeauKilian88, Crépeau97, …] Noisy communication [CrépeauKilian88, Crépeau97, …] Physical limitations Physical limitations BC  Physical limitations e.g. bound memory size of the players

8 8 / 42 Classical Bounded-Storage Model [Maurer92] OT BC ( ) long random string in the sky which players try to store long random string in the sky which players try to store a memory bound applies at a specified moment (string disappears) a memory bound applies at a specified moment (string disappears) protocol for OT [CCM98, DHRS04]: memory size of honest players:k memory of dishonest players:<k 2 protocol for OT [CCM98, DHRS04]: memory size of honest players:k memory of dishonest players:<k 2 Tight bound [DM04] Tight bound [DM04] can be improved by allowing quantum communication can be improved by allowing quantum communication

9 9 / 42 Bounded Quantum-Storage Model OT quantum memory bound applies at a specified moment quantum memory bound applies at a specified moment besides that, players are unbounded (in time and space) besides that, players are unbounded (in time and space) unconditional security against adversaries with quantum memory of less then half of the transmitted qubits unconditional security against adversaries with quantum memory of less then half of the transmitted qubits honest players do not need quantum memory at all honest players do not need quantum memory at all honest players:0k dishonest players:<n/2<k 2 honest players:0k dishonest players:<n/2<k 2 BC

10 10 / 42 Agenda Two-Party Crypto Primitives Two-Party Crypto Primitives  Protocol for Oblivious Transfer  Security Proof  Protocol for Bit Commitment  Practicality Issues  Open Problems

11 11 / 42 Quantum Notation + basis £ basis with prob. ½ yields 0 Measurements: with prob. ½ yields 1 prob. ½ : 0prob. ½ : 1 prob. ½ : 0 prob. ½ : 1 EPR pairs:

12 12 / 42 Quantum Protocol for OT memory bound: store < n/2 qubits Alice Bob Example: honest players 0110… [Wiesner70]

13 13 / 42 Quantum Protocol for OT II memory bound: store < n/2 qubits Alice Bob honest players? receiver-private? 0110… 0011…0011…

14 14 / 42 Sender-privacy against dishonest Bob? memory bound: store < n/2 qubits Alice Bob 0110… … … 11…11… unbounded classical memory!

15 15 / 42 Proof of Sender-Privacy: Purification Proof of Sender-Privacy: Purification [Ekert91] memory bound: store < n/2 qubits Alice Bob

16 16 / 42 Proof of Sender-Privacy: Distributions memory bound: store < n/2 qubits Alice Bob 2 -4 000100100011010001010110 … … 0000000100100011010001010110 … … 0000 pq 2 -4

17 17 / 42 Proof of Sender-Privacy: Example memory bound: store < n/2 qubits Alice Bob 0000000100100011010001010110 p 2 -4 … … 0000000100100011010001010110 q 2 -4 … …

18 18 / 42 Proof of Obliviousness: Distributions II memory bound: store < n/2 qubits Alice Bob 001… 2 -4 000100100011010001010110 … … 0000 p x 000100100011010001010110 … … q 2 -4 x

19 19 / 42 Proof of Sender-Privacy: Goal However Bob prepares his memory and the distributions p and q, he cannot guess h(x) in both bases simultaneously ) sender-private 001… 0001001000110100010101100000 p x q x 011110001001101000010010001101000101011000000111100010011010 ……

20 20 / 42 Privacy Amplification … p Privacy Amplification against Quantum Adversaries [Renner König, TCC 2005] Theorem: … d ( h ( X ) j h ­ ½ ) · 2 ¡ 1 2 ( H 1 ( f X g ­ ½ ) ¡ H 0 ( ½ ) ¡ 1 ) · 2 ¡ 1 2 ( H 1 ( X ) ¡ n = 2 ¡ 1 ) x 2 S ) h ( x ) = ???

21 21 / 42 j L j · 2 n = 2 ) Sender-Privacy: Transformation … p x … q x H ­ n X x 2 L p p x j x i = X z µ 2 ¡ n = 2 X x 2 L p p x ( ¡ 1 ) x ¢ z |{z} · neg l ( n ) ¶ j z i

22 22 / 42 Sender-Privacy: Uncertainty Relation … p x … q x

23 23 / 42 General Uncertainty Relation L + ; L £ ½ f 0 ; 1 g n p ( L + ) + q ( L £ ) · ³ 1 + p 2 ¡ n j L + jj L £ j ´ 2 pq

24 24 / 42 Proof of Sender-Privacy: Finale … p x … q x

25 25 / 42 Proof of Sender-Privacy: Recap memory bound: store < n/2 qubits Alice Bob

26 26 / 42 Proof of Sender-Privacy: Recap II memory bound: store < n/2 qubits Alice Bob

27 27 / 42 Proof of Sender-Privacy: Recap III memory bound: store < n/2 qubits Alice Bob 001… … p x … q x

28 28 / 42 Proof of Sender-Privacy: Recap IV Alice Bob … p x … q x

29 29 / 42 Privacy Amplification is Necessary memory bound: store < n/2 qubits Alice Bob

30 30 / 42 Privacy Amplification is Necessary II memory bound: store < n/2 qubits Alice Bob Bell- j © + i ; j ª + i ; j © ¡ i ; j ª ¡ i

31 31 / 42 Privacy Amplification is Necessary ! memory bound: store < n/2 qubits Alice Bob Bell- j ª + i

32 32 / 42 Agenda Two-Party Crypto Primitives Two-Party Crypto Primitives Protocol for Oblivious Transfer Protocol for Oblivious Transfer Security Proof Security Proof  Protocol for Bit Commitment  Practicality Issues  Open Problems

33 33 / 42 Quantum Protocol for Bit Commitment BC VerifierCommitter memory bound: store < n/2 qubits

34 34 / 42 BC VerifierCommitter one round, non-interactive one round, non-interactive commit by receiving! application: e.g. passive time-stamping commit by receiving! application: e.g. passive time-stamping unconditionally hiding unconditionally hiding unconditionally binding: unconditionally binding: classically:Mem dis < 2 ¢ Mem hon classically:Mem dis < 2 ¢ Mem hon quantum:Mem dis < n / 2 quantum:Mem dis < n / 2 memory bound: store < n/2 qubits Quantum Protocol for Bit Commitment II

35 35 / 42 Binding Property: Proof Idea BC VerifierCommitter memory bound: store < n/2 qubits

36 36 / 42 Agenda Two-Party Crypto Primitives Two-Party Crypto Primitives Protocol for Oblivious Transfer Protocol for Oblivious Transfer Security Proof Security Proof Protocol for Bit Commitment Protocol for Bit Commitment  Practicality Issues  Open Problems

37 37 / 42 Practicality Issues OT BC Use polarization of photons as quantum states Use polarization of photons as quantum states state-of-the-art technology state-of-the-art technology can transmit (encode, send over fibers, receive and measure) quantum bits can transmit (encode, send over fibers, receive and measure) quantum bits cannot store them for longer than a few milliseconds cannot store them for longer than a few milliseconds Problems: imperfect sources (multi-pulse emissions) imperfect sources (multi-pulse emissions) transmission errors transmission errors

38 38 / 42 Practicality Issues II OT Our protocols can be modified to resist attacks based on multi-photon emissions resist attacks based on multi-photon emissions tolerate (quantum) noise in transmission tolerate (quantum) noise in transmission BC  Well within reach of current technology  unconditionally secure as long as nobody can store large amounts of quantum bits

39 39 / 42 More Realistic: Noisy Memory Models OT BC Privacy Amplification: d ( h ( X ) j h ­ ½ ) · 2 ¡ 1 2 ( H 1 ( f X g ­ ½ ) ¡ H 0 ( ½ ) ¡ 1 ) 001… memory bound: store < n/2 qubits noise encode = l og ( ran k ( ½ )) < n = 2 Uncertainty relation: ¸ n = 2, g i ven E

40 40 / 42 Open Problem: Noisy Memory Models OT BC Privacy Amplification: d ( h ( X ) j h ­ ½ ) · 2 ¡ 1 2 ( H 1 ( f X g ­ ½ ) ¡ H 0 ( ½ ) ¡ 1 ) noise encode 0 = l og ( ran k ( ½ )) = n ? ? ? 1 = l og ( ran k ( ½ )) < n = 2

41 41 / 42 Open Problems and Next Steps OT Noisy Memory Model Noisy Memory Model Other flavors of OT: e.g. 1-out-of-2 Oblivious Transfer Other flavors of OT: e.g. 1-out-of-2 Oblivious Transfer Better memory bounds Better memory bounds Composability? What happens to the memory bound? Composability? What happens to the memory bound? Cryptographic primitives for which we can show lower bounds Cryptographic primitives for which we can show lower bounds BC ? ?

42 42 / 42 Summary OT Simple protocols for OT and BC that are efficient, non-interactive efficient, non-interactive unconditionally secure against adversaries with bounded quantum memory unconditionally secure against adversaries with bounded quantum memory practical: practical: honest players do not need quantum memory honest players do not need quantum memory fault-tolerant fault-tolerant work in more practical noisy memory models work in more practical noisy memory models BC

43 43 / 42 Quantum Protocol for 1-2-OT memory bound: store < 0.4n qubits Alice Bob

44 44 / 42 Questions and Comments? OT BC

Download ppt "Cryptography In the Bounded Quantum-Storage Model Christian Schaffner, BRICS University of Århus, Denmark 9 th workshop on QIP 2006, Paris Tuesday, January."

Similar presentations

A Tight High-Order Entropic Quantum Uncertainty Relation with Applications Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Renato Renner (ETH Zürich,

A Tight High-Order Entropic Quantum Uncertainty Relation with Applications Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Renato Renner (ETH Zürich,
Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.

Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.
Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.

Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.
Quantum Computing MAS 725 Hartmut Klauck NTU 5.3.2012.

Quantum Computing MAS 725 Hartmut Klauck NTU
Intro to Quantum Cryptography Algorithms Andrew Hamel EECS 598 Quantum Computing FALL 2001.

Intro to Quantum Cryptography Algorithms Andrew Hamel EECS 598 Quantum Computing FALL 2001.
Implementation of Practically Secure Quantum Bit Commitment Protocol Ariel Danan School of Physics Tel Aviv University September 2008.

Implementation of Practically Secure Quantum Bit Commitment Protocol Ariel Danan School of Physics Tel Aviv University September 2008.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
Christian Schaffner CWI Amsterdam, Netherlands Position-Based Quantum Cryptography: Impossibility and Constructions Seminar Eindhoven, Netherlands Wednesday,

Christian Schaffner CWI Amsterdam, Netherlands Position-Based Quantum Cryptography: Impossibility and Constructions Seminar Eindhoven, Netherlands Wednesday,
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
Position-Based Quantum Cryptography Christian Schaffner ILLC, University of Amsterdam Centrum Wiskunde & Informatica Logic Tea, ILLC Tuesday, 14/02/2012.

Position-Based Quantum Cryptography Christian Schaffner ILLC, University of Amsterdam Centrum Wiskunde & Informatica Logic Tea, ILLC Tuesday, 14/02/2012.
1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.

1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
QUANTUM CRYPTOGRAPHY ABHINAV GUPTA CSc 8230. Introduction [1,2]  Quantum cryptography is an emerging technology in which two parties can secure network.

QUANTUM CRYPTOGRAPHY ABHINAV GUPTA CSc Introduction [1,2]  Quantum cryptography is an emerging technology in which two parties can secure network.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Experimental Bit String Generation Serge Massar Université Libre de Bruxelles.

Experimental Bit String Generation Serge Massar Université Libre de Bruxelles.
Short course on quantum computing Andris Ambainis University of Latvia.

Short course on quantum computing Andris Ambainis University of Latvia.
Oblivious Transfer and Bit Commitment from Noisy Channels Ivan Damgård BRICS, Århus University.

Oblivious Transfer and Bit Commitment from Noisy Channels Ivan Damgård BRICS, Århus University.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
A Tight High-Order Entropic Quantum Uncertainty Relation with Applications Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Renato Renner (University.

A Tight High-Order Entropic Quantum Uncertainty Relation with Applications Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Renato Renner (University.

Similar presentations

Ads by Google