Cryptography with Quantum Data
Adam Smith (Weizmann → IPAM → Penn State)
IPAM Workshop on Foundations of Cryptography, November 14, 2006
[Image: "quantum thinkers needed" poster, Isaac Newton 1642-1727]

Cryptography in a Quantum World
• Landscape changes!
  • New features appear
  • New difficulties arise
  • Some key pieces unchanged
• Needed: tools and language for reasoning about quantum adversaries
• The field is still very young
  • Some successes…
  • … occasional mistakes
  • Lots of questions!
Some Things That Change
• Unconditional key exchange [BB84, …]
• Factoring and discrete log broken [Sho]
• Weak 2-party unconditional primitives
  • coin flipping [ATVY, Amb]
  • string commitment [BCHLW]
• Some multi-prover commitments insecure [CST]
• Some extractors fail against quantum memory [IKW]
  • but some are OK [KMR]
• Some simulators for ZK proofs fail
  • but new ones can sometimes be built [Wat]
• Bounded Storage Model more powerful [DFSS]
• See survey talk on http://theory.csail.mit.edu/~asmith
This Talk: Salient Features (a partial* list)
(* partial = incomplete and biased)
• Multiparty Quantum Computing
  • Parties hold quantum inputs
  • Want to evaluate a quantum circuit
  • Generalizes classical MPC
• Two feasibility results
  • Statistical MPQC, cheating minority, à la [RB'89]
  • Computational MPQC for arbitrary subsets, à la [GMW'87], under a non-standard assumption
• Along the way:
  • Some infeasibility results
  • Authentication and approximate error-correction
  • ZK proofs of knowledge
This Talk
• Basics of quantum computing
• Multiparty Quantum Computing (MPQC)
• Codes and Authentication
• MPQC with a cheating minority
• Beyond a faulty minority: 2-party QC
• ZK for quantum adversaries
Quantum Information: Pure States
• "Pure states" = unit vectors in a complex vector space
• "Qubit" = basic unit of quantum information: α|0⟩ + β|1⟩ with α, β ∈ ℂ, |α|² + |β|² = 1
• Register of n qubits: Σ_x α_x |x⟩ where x ∈ {0,1}^n
• NB: a qubit-by-qubit description is not enough
  • 2n numbers vs 2^n numbers
Quantum Circuits: 2 kinds of gates
• Invertible operations on n qubits = 2^n × 2^n unitary matrices (U⁻¹ = U†)
  • |ψ⟩ ↦ U|ψ⟩
  • e.g. Hadamard: H = (1/√2) [[1, 1], [1, −1]]
• Projective measurements:
  • Ask a qubit: are you 0 or 1?
  • State becomes |0⟩ or |1⟩ (according to the output)
  • α|0⟩ + β|1⟩ ↦ |0⟩ with prob. |α|², |1⟩ with prob. |β|²
  • Destructive!
Information versus Disturbance
• Important principle of quantum mechanics
• Consequence: no cloning!
• Theorem: if a unitary U sends |ψ⟩ (plus an ancilla) to registers A and B such that A = |ψ⟩ for all inputs |ψ⟩, then B is independent of |ψ⟩
• Information ⇒ Disturbance
• Secrecy ⇐ Resilience to errors
[Figure: |ψ⟩ → U → outputs A and B; a cloned sheep ("Dolly") marks the forbidden case]
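The two slides above can be checked numerically. The following is an added example (my own code, not from the talk): a minimal state-vector simulator with the Hadamard gate, a projective measurement, and a cloning attempt. CNOT copies |0⟩ and |1⟩ into a fresh ancilla, but by linearity it cannot copy the superposition |+⟩, which is the no-cloning principle in its simplest form. Gate names and the `fidelity` helper are my choices, not notation from the slides.

```python
import math
import random

SQRT2 = math.sqrt(2)
# Hadamard gate H = (1/sqrt2) [[1, 1], [1, -1]]
H = [[1 / SQRT2, 1 / SQRT2], [1 / SQRT2, -1 / SQRT2]]
# CNOT on two qubits, basis order |00>,|01>,|10>,|11> (first qubit = control)
CNOT = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]


def apply(U, psi):
    """|psi> -> U|psi>: U is a square matrix (list of rows), psi a list of amplitudes."""
    return [sum(U[i][j] * psi[j] for j in range(len(psi))) for i in range(len(U))]


def dagger(U):
    """Conjugate transpose U^dagger."""
    return [[complex(U[j][i]).conjugate() for j in range(len(U))] for i in range(len(U[0]))]


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]


def is_unitary(U, tol=1e-9):
    """Check U^dagger U = I, i.e. U^-1 = U^dagger as the slide states."""
    P = matmul(dagger(U), U)
    n = len(U)
    return all(abs(P[i][j] - (1 if i == j else 0)) < tol for i in range(n) for j in range(n))


def probabilities(psi):
    """Outcome distribution of a computational-basis measurement: |alpha_x|^2."""
    return [abs(a) ** 2 for a in psi]


def measure(psi, rng=random):
    """Projective measurement: returns the outcome x and the collapsed state |x>.
    Destructive: the amplitudes alpha_x are gone afterwards."""
    probs = probabilities(psi)
    r = rng.random()
    acc = 0.0
    x = len(psi) - 1
    for i, p in enumerate(probs):
        acc += p
        if r < acc:
            x = i
            break
    collapsed = [0j] * len(psi)
    collapsed[x] = 1 + 0j
    return x, collapsed


def kron(a, b):
    """Tensor product of two state vectors."""
    return [x * y for x in a for y in b]


def fidelity(phi, psi):
    """|<phi|psi>|^2: equals 1 exactly when the two states agree (up to a global phase)."""
    return abs(sum(complex(x).conjugate() * y for x, y in zip(phi, psi))) ** 2


def cloning_fidelity(psi):
    """Try to 'clone' a qubit with CNOT into a fresh |0> ancilla and compare the
    result with the genuine product state |psi>|psi>.
    Basis states copy perfectly; for |+> the result is an entangled pair instead."""
    attempt = apply(CNOT, kron(psi, [1, 0]))
    target = kron(psi, psi)
    return fidelity(target, attempt)


if __name__ == "__main__":
    plus = apply(H, [1, 0])
    print("H unitary:", is_unitary(H))
    print("measurement distribution of H|0>:", probabilities(plus))
    print("cloning fidelity for |0>:", cloning_fidelity([1, 0]))
    print("cloning fidelity for |+>:", cloning_fidelity(plus))
```

The cloning fidelity for |+⟩ comes out as 1/2: the "copier" that works on |0⟩ and |1⟩ produces (|00⟩ + |11⟩)/√2 on |+⟩, not |+⟩|+⟩, and any linear map is stuck with the same problem.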
This Talk
• Basics of quantum computing
• Multiparty Quantum Computing
• Codes and Authentication
• MPQC with a cheating minority
• Beyond a faulty minority: 2-party QC
• ZK for quantum adversaries
Classical Multiparty Computation
• Resource: number of honest players
[Figure: Alice (x_A), Bob (x_B), Charlie (x_C), Diane (x_D), Eve (x_E), Fred (x_F), George (x_G) and Harriet (x_H) around a trusted classical circuit C; the cheaters are driven by a simulator]
Quantum Multiparty Computation
[Figure: the same eight players, now around a trusted quantum circuit C]
• Each player sends a quantum input
• Receives a quantum output
• Secure against a UC distinguisher
• Generalizes classical SFE
• New techniques are needed
  • Players cannot keep copies of their input
  • Rewinding may not be possible
  • Need to operate on encoded / encrypted quantum states
Some Terminology
• With abort?
  • This talk: unfair abort (based on the cheaters' output)
• Perfect / statistical security
• Computational security
Basic Feasibility Results (assuming broadcast)
[Chart: number of cheaters t out of n players on the horizontal axis, t = 0 … n/6 … n/4 … n/3 … n/2 … n; classical results on top, quantum results (marked Q) below]

Classical:
• Perfect MPC [BGW, CCD]: t < n/3; perfect MPC impossible for larger t
• Statistical MPC [RB]: t < n/2; statistical MPC impossible for t ≥ n/2 (even with abort)
• Computational MPC with abort [GMW]: any t < n

Quantum:
• Perfect MPQC: t < n/6 [CGS'02]; perfect MPQC impossible at the n/4 code barrier [CGS'02–'05]
• Statistical MPQC [BCGHS'06]: t < n/2; statistical MPQC impossible for t ≥ n/2 (even with abort)
• Computational* MPQC with abort [S]: any t < n

• [CGS'02]: use error-correcting codes and fault-tolerant circuits [AB]
  • 2nd real proof of quantum security
  • Barrier at n/4: quantum codes [KL]
• Authentication codes [BCGST'02] give
  • approximate codes [CGS'05]
  • a reduction to computation on keys
This Talk
• Basics of quantum computing
• Multiparty Quantum Computing
• Codes and Authentication
  • Quantum error-correcting codes
  • A spurious lower bound
  • Authentication
  • Approximate codes and secret sharing
• MPQC with a cheating minority
• Beyond a faulty minority: 2-party QC
• ZK for quantum adversaries
Error Correcting Codes
• Map k qubits → n qubits
  • introduce redundancy
• If few qubits are corrupted or erased, the decoder recovers the input exactly
• Tricky because of no cloning
  • the repetition code doesn't work
• Good codes exist [CSS]. Over a large alphabet [AB99]:
  • correct (n−1)/4 errors or (n−1)/2 erasures
[Figure: |ψ⟩ → E(|ψ⟩) → channel → corrupted E(|ψ⟩) → decoding → |ψ⟩]
Quantum codes cannot correct n/4 errors
• As in the classical case: a code correcting t errors corrects 2t erasures
• Quantum codes cannot correct n/2 erasures
  • otherwise two disjoint halves of E(|ψ⟩) would each decode to |ψ⟩, i.e. two copies
• No cloning ⇒ quantum codes cannot correct n/4 errors (not true of classical codes, e.g. repetition)
[Figure: E(|ψ⟩) split into two halves, each fed to its own decoder, both outputting |ψ⟩: a cloning machine]
A spurious lower bound
[Figure: the eight players running a protocol, labelled "Perfect [CGS'05]"]
Lemma (FALSE): every MPQC protocol tolerating t cheaters implies the existence of a code correcting t errors with high fidelity
• Honest players should be able to reconstruct the output
• [CGS'02]: MPQC is impossible for t ≥ n/4
• How do we get around this?
  • Authenticating quantum states [BCGST]
  • Approximate QECC break the n/4 bound
  • Connection to secret sharing
Authenticating Quantum Messages [BCGST]
• How does Alice know it's Bob? Classical MACs.
• What if he needs to send her qubits?
Authenticating Quantum Messages [BCGST]
[Figure: Alice and Bob share a classical key k; Alice sends A_k(|ψ⟩) through Eve; Bob outputs |ψ⟩ or ⊥]
• System behaves like a "channel with veto"
  • Eve inputs one bit (accept/reject)
• No cloning ⇒ if Bob accepts, Eve learns nothing
  • In fact, Eve learns nothing. Ever.
  • Authentication ⇒ encryption
• [BCGST'02]: poly-time protocols
  • m qubits ← 2m + 2 log(m/ε) bits of key
• Construction on board?
Approximate Codes [CGS'05]
[Figure: |ψ⟩ → E(|ψ⟩) = A_k(|ψ_1⟩), A_k(|ψ_2⟩), A_k(|ψ_3⟩), A_k(|ψ_4⟩), A_k(|ψ_5⟩) + classical shares + MAC of the authentication keys]
• AQECC "correcting" (n−1)/2 errors
  • Start with an (n−1)/2 erasure-correcting code
  • Authenticate each piece
  • Secret-share the keys
  • Use classical MACs to authenticate the keys
• If any majority of the pieces is untouched
  • then the original state is recovered approximately
• Corrects twice as many errors
• No classical analogue in codes… (see also [LNCY])
Secret Sharing and Quantum Codes
[Figure: E(|ψ⟩) with part of it erased → decoding still yields |ψ⟩, while the erased part alone gives no info]
• AQECC smell like secret sharing
  • Similar to Rabin–Ben-Or '89
  • [CGL]: every quantum code is a secret-sharing scheme
• Lesson of AQECC:
  • best viewed as robust SS (a.k.a. PSMT)
  • secret sharing is the right classical analogue of quantum error-correction
  • "Cryptography is everything!" (S. Micali)
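The classical analogue the two slides above point at (Rabin–Ben-Or style robust secret sharing: share, authenticate each piece, drop pieces that fail their check, decode from any honest majority) is short enough to write out. The code below is an added example of my own, not code from the talk or from [CGS'05]. One simplification, which is my assumption: the reconstructor holds the MAC keys directly, whereas the scheme on the slide secret-shares the keys and MACs those shares in turn.

```python
import random

# Constructed parameters: prime field GF(P); n = 2t+1 pieces so that t corruptions
# still leave an honest majority of t+1 verifying pieces.
P = 2_147_483_647  # 2^31 - 1, prime


def poly_eval(coeffs, x):
    """Evaluate a polynomial (coefficients low degree first) at x, mod P."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def share(secret, n, t, rng):
    """Shamir shares of `secret`: random degree-t polynomial evaluated at x = 1..n.
    Any t+1 shares determine the polynomial; any t shares reveal nothing."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]
    return [(i, poly_eval(coeffs, i)) for i in range(1, n + 1)]


def mac(key, value):
    """One-time information-theoretic MAC: tag = a*value + b mod P.
    A forger who never sees (a, b) passes with probability 1/P per attempt."""
    a, b = key
    return (a * value + b) % P


def deal(secret, n, t, rng):
    """Dealer output: authenticated pieces (index, share, tag) and the per-piece MAC keys."""
    shares = share(secret, n, t, rng)
    keys = [(rng.randrange(1, P), rng.randrange(P)) for _ in range(n)]
    tagged = [(i, s, mac(keys[i - 1], s)) for i, s in shares]
    return tagged, keys


def lagrange_at_zero(points):
    """Interpolate the polynomial through `points` and return its value at 0 (the secret)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def reconstruct(tagged, keys, t):
    """Robust decoding: discard pieces whose tag fails, then interpolate from t+1 survivors.
    Returns None when fewer than t+1 pieces verify (no honest majority left)."""
    good = [(i, s) for i, s, tag in tagged if mac(keys[i - 1], s) == tag]
    if len(good) < t + 1:
        return None
    return lagrange_at_zero(good[: t + 1])


def reconstruct_naive(tagged, t):
    """Plain Shamir decoding that ignores the tags: any corrupted piece poisons the result."""
    return lagrange_at_zero([(i, s) for i, s, _ in tagged[: t + 1]])


def corrupt(tagged, positions, rng):
    """Model t cheaters replacing their share and tag with arbitrary (here random) values."""
    out = list(tagged)
    for idx in positions:
        i, _, _ = out[idx]
        out[idx] = (i, rng.randrange(P), rng.randrange(P))
    return out


def demo(secret=123456789, n=5, t=2, seed=7, corrupted=(0, 3)):
    """Deal, corrupt `corrupted` pieces, and return (robust result, naive result)."""
    rng = random.Random(seed)
    tagged, keys = deal(secret, n, t, rng)
    attacked = corrupt(tagged, corrupted, rng)
    return reconstruct(attacked, keys, t), reconstruct_naive(attacked, t)


if __name__ == "__main__":
    print(demo())
```

With two of five pieces tampered with, the tag check throws them away and the honest majority reconstructs the secret; the naive decoder, which trusts the first t+1 pieces, returns garbage. Corrupt three pieces and `reconstruct` returns None, the classical version of "any majority untouched" being the condition on the slide.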
This Talk
• Basics of quantum computing
• Multiparty Quantum Computing
• Codes and Authentication
• MPQC with a cheating minority
• Beyond a faulty minority: 2-party QC
• ZK for quantum adversaries
[Chart repeated: Basic Feasibility Results (assuming broadcast), as above]
MPQC with a cheating minority
• AQECC is the basic underlying code
• Need to operate on encoded states
• Two more tools
• Computing on keys
  • Authenticate data using [BCGST]
  • Operate on the state by changing the classical key
  • Trivial example: one-time pad
    • E_k(x) = x + k and a matrix A
    • A(E_k(x)) = E_{Ak}(Ax)
  • This performs Clifford operations
• Fault-tolerant QC [Shor, AB, BCGHS]
  • Can use Clifford ops to verify a universal set of gates
  • Get cheaters to perform gates, then check
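The "computing on keys" idea on this slide, worked through as an added example (my own code, not the talk's). The classical half is exactly the slide's identity A(E_k(x)) = E_{Ak}(Ax) over GF(2): the party holding the ciphertext applies A, the party holding the key applies A to the key, and nobody decrypts. The quantum half is the single-qubit version with the Pauli one-time pad X^a Z^b as the cipher and the Hadamard gate as the Clifford operation: H is applied to the encrypted qubit, and the key update is the classical rule (a, b) ↦ (b, a). The matrix helpers and function names are my choices.

```python
import math

# ---------- classical: one-time pad over GF(2)^n and a linear map A ----------

def gf2_matvec(A, v):
    """Matrix-vector product over GF(2); A is a list of rows of bits, v a list of bits."""
    return [sum(a * b for a, b in zip(row, v)) % 2 for row in A]


def otp_encrypt(x, k):
    """E_k(x) = x + k (XOR)."""
    return [a ^ b for a, b in zip(x, k)]


otp_decrypt = otp_encrypt  # XOR is its own inverse


def compute_on_classical_key(A, x, k):
    """Evaluate A on an encrypted x without ever decrypting.
    Returns (Ax computed directly, Ax recovered from A(ciphertext) with key Ak)."""
    c_new = gf2_matvec(A, otp_encrypt(x, k))   # done by whoever holds the ciphertext
    k_new = gf2_matvec(A, k)                    # done by whoever holds the key
    return gf2_matvec(A, x), otp_decrypt(c_new, k_new)


# ---------- quantum: Pauli one-time pad on one qubit and a Hadamard gate ----------

SQRT2 = math.sqrt(2)
I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
H = [[1 / SQRT2, 1 / SQRT2], [1 / SQRT2, -1 / SQRT2]]


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def apply(U, psi):
    """|psi> -> U|psi> for a 2x2 matrix U."""
    return [sum(U[i][j] * psi[j] for j in range(2)) for i in range(2)]


def fidelity(phi, psi):
    """|<phi|psi>|^2, so equal states give 1 regardless of global phase."""
    return abs(sum(complex(x).conjugate() * y for x, y in zip(phi, psi))) ** 2


def qotp_encrypt(psi, a, b):
    """Apply X^a Z^b (Z first, then X) to the qubit; key bits (a, b) are classical."""
    U = I2
    if b:
        U = matmul(Z, U)
    if a:
        U = matmul(X, U)
    return apply(U, psi)


def qotp_decrypt(psi, a, b):
    """Apply (X^a Z^b)^-1 = Z^b X^a."""
    U = I2
    if a:
        U = matmul(X, U)
    if b:
        U = matmul(Z, U)
    return apply(U, psi)


def hadamard_key_update(a, b):
    """H X^a Z^b = Z^a X^b H up to a global phase, and Z^a X^b = +-X^b Z^a,
    so after H the qubit is encrypted under the swapped key (b, a)."""
    return b, a


def compute_on_quantum_key(psi, a, b, update=True):
    """Apply H to a Pauli-encrypted qubit, decrypt with the (updated) key, and
    return the fidelity with H|psi>. With update=False the stale key is used."""
    enc = apply(H, qotp_encrypt(psi, a, b))       # gate applied to the encrypted state
    a2, b2 = hadamard_key_update(a, b) if update else (a, b)
    return fidelity(qotp_decrypt(enc, a2, b2), apply(H, psi))


if __name__ == "__main__":
    A = [[1, 1, 0], [0, 1, 1], [1, 0, 1]]
    print(compute_on_classical_key(A, [1, 0, 1], [0, 1, 1]))
    print(compute_on_quantum_key([1, 0], 1, 0), compute_on_quantum_key([1, 0], 1, 0, update=False))
```

The pattern generalises to the whole Clifford group: a Clifford gate C maps every Pauli P to another Pauli C P C†, so for any Clifford circuit the key update is a classical function of the old key bits, which is what lets the slide reduce quantum operations on authenticated states to classical computation on keys. Non-Clifford gates do not have this property, which is why the slide brings in fault-tolerant machinery for the rest of the universal gate set.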
MPQC with a cheating minority
• Share inputs
  • Verify using RB-style machinery
  • a few more layers…
• Compute
  • Reduce quantum computations to classical computations on keys
  • Use classical SFE to manipulate the keys
  • UC framework allows modular design [BM]
• Distribute
• Bonus: get a straight-line simulator
Basic Feasibility Results (assuming broadcast)
[Chart repeated, as above]
• Complete picture of robust MPQC (with no abort)
• Insights into coding along the way
• New tools for fault-tolerant computing
• Major factor:
This Talk
• Basics of quantum computing
• Multiparty Quantum Computing
• Codes and Authentication
• MPQC with a cheating minority
• Beyond a faulty minority: 2-party QC
• ZK for quantum adversaries
Two-party Quantum Computation
• Many ideas of MPQC apply here
  • AQECC replaced by commitment
  • As before: operate on classical keys
  • Need classical 2-party QC
[Figure: |ψ⟩ → A_k(|ψ⟩), sent together with Commit(k)]
Two-party Quantum Computation
• Problem: standard ZK simulation + extraction arguments may not work in the quantum world
  • Rewinding = cloning auxiliary info
  • Sequential composition is lost
• Big step: Watrous' simulator for 3-round ZK
  • Does not give a knowledge extractor
• Idea: we can lie, need to read minds
  • Attach a special preamble
• Work in progress: needs funny assumptions
• Refine understanding of how we argue security
[Chart repeated: Basic Feasibility Results (assuming broadcast), as above]
[Image: "quantum thinkers needed" poster, Isaac Newton 1642-1727]

Cryptography in a Quantum World
• Landscape changes!
  • New features appear
  • New difficulties arise
  • Some key pieces unchanged
• Needed: tools and language for reasoning about quantum adversaries
• The field is still very young
  • Some successes…
  • … occasional mistakes
  • Lots of questions!
Things I Did Not Talk About
• Proofs!
• Quantum key distribution
• Byzantine agreement in the full-information model [BH]
• Randomness extraction with quantum memories
  • [AS'04, KMR'04, D'06, GIKRdW'06]
• Fault-tolerant QC
• Multiprover commitments [CST]
• …
Thanks
Co-authors: Howard Barnum (LANL), Michael Ben-Or (HUJI), Claude Crépeau (McGill), Daniel Gottesman (Perimeter/Waterloo), Avinatan Hasidim (HUJI), Alain Tapp (Montreal)
Discussions: Boaz Barak, Louis Salvail, Jon Katz, …