410 likes | 519 Views
Cryptography In the Bounded Quantum-Storage Model. joint work with Ivan Damgård, Serge Fehr and Louis Salvail. Christian Schaffner, BRICS University of Århus, Denmark ECRYPT Autumn School, Bertinoro Wednesday, October 19 th 2005. Agenda. “Known” Results Protocol for Oblivious Transfer
E N D
Cryptography In theBounded Quantum-Storage Model joint work with Ivan Damgård, Serge Fehr and Louis Salvail Christian Schaffner, BRICS University of Århus, Denmark ECRYPT Autumn School, Bertinoro Wednesday, October 19th 2005
Agenda • “Known” Results • Protocol for Oblivious Transfer • Security Proof • Protocol for Bit Commitment • Practicality Issues • Open Problems
Classical 2-party primitives: Rabin Oblivious Transfer Bob Receiver Sender OT b b / ? Alice • correct: For honest Alice and Bob, Bob gets the bit b with probability ½. • oblivious: Even if Bob is dishonest, he does not get information about b with probability ½. • private: Even if Alice is dishonest, she does not learn, whether Bob received the bit or not.
Classical 2-party primitives:Bit Commitment BC Verifier Committer b Cb b b in Cb? • correct: BC allows Alice to commit to a bit b. Later, she can open Cb to Bob. • hiding: Even if Bob is dishonest, he does not get information on b from Cb. • binding: Even if Alice is dishonest, she cannot open Cb to another value than b.
Oblivious Transfer b b / ? Bit Commitment b Cb b b in Cb? Classical 2-party primitives: Relations • oblivious • private OT BC • hiding • binding • OT ) BC, OT ¸ BC • OT is complete for two-party cryptography
Known Impossibility Results • In the classical unconditionally secure model without further assumptions OT BC
Classical 2-party primitives:Bit Commitment BC Verifier Committer b Cb b b in Cb? • hiding: Even if Bob is dishonest, he does not get information on b from Cb. • binding: Even if Alice is dishonest, she cannot open Cb to another value than b.
Known Impossibility Results • In the classical unconditionally secure model without further assumptions OT • In the unconditionally secure model with quantum communication [Mayers97, Lo-Chau97] BC
Three Ways Out • Bound computing power (schemes based on complexity assumptions) • Noisy communication [see Ivan’s talk this morning] • Physical limitations OT • Physical limitations e.g. bounded memory size BC
() () Classical Bounded-Storage Model • random string which players try to store • a memory bound applies at a specified moment • protocol for OT [DHRS, TCC04]: memory size of honest players: k memory of dishonest players: <k2 • Tight bound [DM, EC04] • can be improved by allowing quantum communication OT BC
Quantum Bounded-Storage Model • quantum memory bound applies at a specified moment • besides that, players are unbounded (in time and space) • unconditional secure against adversaries with quantum memory of less then half of the transmitted qubits (honest players do not needquantum memory at all) • honest players: 0 k dishonest players: <n/2 <k2 OT BC
Agenda • Known Results • Protocol for Oblivious Transfer • Security Proof • Protocol for Bit Commitment • Practicality Issues • Open Problems
Quantum Mechanics I + basis £ basis Measurements: with prob. 1 yields 1 with prob. ½ yields 0 with prob. ½ yields 1
memory bound: store < n/2 qubits Quantum Protocol for OT Bob Alice 0110… 0110… Example: honest players
memory bound: store < n/2 qubits Quantum Protocol for OT II Bob Alice 0110… 0011… honest players? private?
… memory bound: store < n/2 qubits Obliviousness against dishonest Bob? Bob Alice 0110… … 11…
prob. ½ : 0prob. ½ : 1 prob. 1 : 0 Quantum Mechanics II + basis £ basis EPR pairs: prob. ½ : 0 prob. ½ : 1
memory bound: store < n/2 qubits Proof of Obliviousness: Purification Bob Alice
memory bound: store < n/2 qubits Proof of Obliviousness: Purification II Bob Alice 0 1 1 0
memory bound: store < n/2 qubits Proof of Obliviousness: EPR-Version Bob Alice
p q 2-4 2-4 … … 0000 0001 0010 0011 0100 0101 0110 0000 0001 0010 0011 0100 0101 0110 … … memory bound: store < n/2 qubits Proof of Obliviousness: Distributions Bob Alice
memory bound: store < n/2 qubits Proof of Obliviousness: Example Bob Alice p q 2-4 2-4 … … 0000 0001 0010 0011 0100 0101 0110 0000 0001 0010 0011 0100 0101 0110 … …
p q 2-4 2-4 … … x x 0000 0001 0010 0011 0100 0101 0110 0000 0001 0010 0011 0100 0101 0110 … … memory bound: store < n/2 qubits Proof of Obliviousness: Distributions II Bob Alice 001…
However Bob prepares his memory and the distributions p and q, he cannot guess h(x) in both bases simultaneously) oblivious 001… Proof of Obliviousness: Goal p q … … 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 x 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 x
… Privacy Amplification Privacy Amplification against Quantum Adversaries [Renner König, TCC 2005] p …
Obliviousness: Uncertainty Relation p q … … x x
Proof of Obliviousness: Finale p q … … x x
memory bound: store ≤ n/2 qubits Proof of Obliviousness: Recap Bob Alice
memory bound: store ≤ n/2 qubits Proof of Obliviousness: Recap II Bob Alice
memory bound: store ≤ n/2 qubits Proof of Obliviousness: Recap III Bob Alice p q … … x x 001…
Proof of Obliviousness: Recap IV Bob Alice p q … … x x
Agenda • Known Results • Protocol for Oblivious Transfer • Security Proof • Protocol forBit Commitment • Practicality Issues • Open Problems
memory bound: store < n/2 qubits Quantum Protocol for Bit Commitment Verifier Committer BC
Quantum Protocol for Bit Commitment II Verifier Committer memory bound: store < n/2 qubits • one round • non-interactive (commit by receiving) • unconditionally hiding • unconditionally binding: • classically: Memdis < 2 ¢ Memhon • quantum: Memdis < n / 2 BC
memory bound: store < n/2 qubits Binding Property: Proof Idea Verifier Committer BC
Agenda • Known Results • Protocol for Oblivious Transfer • Security Proof • Protocol for Bit Commitment • Practicality Issues • Open Problems
Practicality Issues With today’s technology, we • can transmit quantum bits • encode bits in the correct basis • send them over optical fibers • receive and measure them • cannot store them for longer than a few milliseconds OT BC Problems: • imperfect sources (multi-pulse emissions) • transmission errors
Practicality Issues II Our protocols can be modified to • resist attacks based onmulti-photon emissions • tolerate (quantum) noise OT • Well within reach of current technology and unconditionally secure as long as nobody can store large amounts of quantum bits. BC
Open Problems and Next Steps • Other flavors of OT:e.g. 1-out-of-2 Oblivious Transfer, String-OT, … • Better memory bounds • Composability? What happens to the memory bound? • Better uncertainty relations for more MUB • … OT BC
Summary Protocols for OT and BC that are • efficient • non-interactive • unconditionally secure against adversaries with bounded quantum memory • practical: • honest players do not need quantum memory • fault-tolerant OT BC
Questions and Comments? OT BC