Evolving Notions of Security for Quantum Protocols
Adam Smith, Weizmann Institute of Science, http://theory.csail.mit.edu/~asmith
Caltech Workshop on Security of Classical and Quantum Protocols, December 16, 2005
Proofs: Occasionally Mistaken, Usually Correct, Frequently Interesting
3
Cryptography in a Quantum World
• Landscape changes! New things are possible; new difficulties arise
• Needed: tools and language for reasoning about quantum adversaries
• The field is still very young: some successes… occasional mistakes… lots of questions!
[Image: “quantum thinkers needed”, Isaac Newton, 1642-1727]
4
This talk
• Basics of quantum computing
• New Possibilities, e.g. quantum key distribution
• New Difficulties, Partial Solutions, e.g. rewinding in ZK proofs
• Conclusions & Questions
5
Quantum Information: Pure States
• “Pure states” = vectors in complex space
• “Qubit” = basic unit of quantum information: α|0⟩ + β|1⟩ with α, β ∈ ℂ, |α|² + |β|² = 1
• Register of n qubits: Σ_x α_x |x⟩ (where x ∈ {0,1}^n)
• NB: a qubit-by-qubit description is not enough: 2^n numbers vs 2n numbers
[Figure: the state α|0⟩ + β|1⟩ drawn against the basis states |0⟩ and |1⟩]
6
Quantum Circuits: 2 kinds of gates
• Invertible operations on n qubits = 2^n × 2^n unitary matrices (U⁻¹ = U†): |ψ⟩ ↦ U|ψ⟩, e.g. Hadamard H = (1/√2) [[1, 1], [1, −1]]
• Projective measurements: ask a qubit “are you 0 or 1?” State becomes |0⟩ or |1⟩ (according to output). Destructive!
[Figure: measuring α|0⟩ + β|1⟩ yields |0⟩ w.prob. |α|² and |1⟩ w.prob. |β|²]
7
Information vs Disturbance
• Important principle of quantum mechanics
• Consequence: no copying!
• Theorem: If A = |ψ⟩ for all inputs |ψ⟩, then B is independent of |ψ⟩
• Information ⇒ Disturbance; Secrecy ⇐ Resilience to errors
[Figure: a unitary U acting on |ψ⟩ produces two output registers A and B]
8
This talk
• Basics of quantum computing
• New Possibilities, e.g. quantum key distribution
• New Difficulties, Partial Solutions, e.g. rewinding in ZK proofs
• Conclusions & Questions
9
New Possibilities
• Key distribution w/o computational assumptions [BB84]
• Coin flipping with constant bias (see Andris’ talk)
• Public-key cryptography with limited keys (see Daniel’s talk)
• Non-locality games (see Ben Toner’s talk)
• Uncloneable encryption [G]
• Fast Byzantine agreement [BH05]
• Key re-use (see Louis Salvail’s talk)
• Crypto with quantum data [AMTW00,CGS02,BCGST02,…]
Not a panacea:
• Bit commitment, OT, etc. are still impossible [M,LC]
• (Probably) does not circumvent composability issues
10
Quantum Key Distribution [BB84]
• Alice and Bob want to generate a secret key
[Figure: Alice and Bob linked by a quantum channel controlled by Eve and a classical authenticated channel visible to Eve]
11
Quantum Key Distribution (simplified [E91,LC99])
• Basic tool: EPR pairs, a state on two qubits: |Φ+⟩ ∝ |00⟩_AB + |11⟩_AB
• Say Alice and Bob share an EPR pair: measure each half to get a shared, secret bit
• Goal: set up many clean, shared EPR pairs: |Φ+^n⟩ ∝ Σ_x |x⟩_A |x⟩_B
• Phase I: Alice creates n EPR pairs, sends halves to Bob
• Phase II: Alice and Bob test the pairs for tampering using the classical channel
[Figure: Alice and Bob sharing EPR pairs]
12
Phase I
• Alice generates n EPR pairs
• Sends halves of these pairs to Bob
• Bob acknowledges receipt
[Figure: Alice sends Bob’s halves of |Φ+^n⟩ through Eve, who keeps a quantum memory; Bob replies “Got them.”]
13
Phase II: Testing
Intuition:
• Many symmetries U such that (U_A ⊗ U_B)|Φ+^n⟩_AB = |Φ+^n⟩_AB.
[Figure: Alice and Bob holding |Φ+^n⟩; Eve with her memory; Bob’s “Got them.”]
14
Phase II: Testing
• Alice picks symmetry U at random; applies U and measures last k qubits; sends U and results to Bob; Bob applies U and measures last k qubits
• ACCEPT iff measurements agree
[Figure: Alice applies U and sends “U, results” over the classical channel; Bob applies U; Eve keeps her memory]
Intuition: ACCEPT ⇒ n – k ‘good’ EPR pairs
15
Example Symmetries [E91,BCGST02]
• For any invertible binary matrix M ∈ {0,1}^{n×n}: U_M|x⟩ = |Mx⟩
• Alice picks a random invertible matrix M, applies U_M, then applies Hadamard with probability ½ to each qubit
• Exercise: this preserves |Φ+^n⟩ ∝ Σ_x |x⟩_A |x⟩_B
16
Analyzing Security
• Joint state on A,B = |Φ+^n⟩ ⇒ test passes w.p. 1
• Joint state on A,B ⊥ |Φ+^n⟩ ⇒ test passes w.p. 2^{-k}
• How can we use this? What’s the security statement? How can we prove it?
[Figure: span(|Φ+^n⟩) and its orthogonal complement span(|Φ+^n⟩)^⊥]
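A worked version of the symmetry exercise and of the test analysis above, added here as an illustration (this is not code from the talk). With numpy it builds |Φ+^n⟩ for n = 3, checks that U = H_mask·U_M applied by both Alice and Bob preserves it, and computes the REJECT probability of the last-k-qubit test for the honest state and for a constructed disturbance in which Eve phase-flips one of Bob's qubits, averaged exactly over all invertible M and all Hadamard choices. The qubit ordering, the specific disturbance and the function names are this example's own assumptions.

```python
import numpy as np
from itertools import product
H = np.array([[1, 1], [1, -1]]) / np.sqrt(2)
I2, Z = np.eye(2), np.diag([1.0, -1.0])

def epr_pairs(n):  # |Phi+^n> = 2^(-n/2) sum_x |x>_A |x>_B; index = x*2^n + y, Alice's register first
    d = 2 ** n
    psi = np.zeros(d * d)
    psi[[x * d + x for x in range(d)]] = 1.0
    return psi / np.sqrt(d)

def layer(gates):  # tensor product of single-qubit gates; gates[0] acts on the most significant qubit
    U = np.array([[1.0]])
    for g in gates:
        U = np.kron(U, g)
    return U

def u_matrix(M):  # U_M |x> = |Mx>, x a bit column over GF(2); M must be invertible mod 2
    n, d = len(M), 2 ** len(M)
    U = np.zeros((d, d))
    for x in range(d):
        bits = [(x >> (n - 1 - i)) & 1 for i in range(n)]
        y = int("".join(str(b) for b in np.dot(M, bits) % 2), 2)
        U[y, x] = 1.0
    return U

def symmetry(M, mask):  # the operation BOTH parties apply: U_M, then H on each qubit i with mask[i] == 1
    return layer([H if m else I2 for m in mask]).dot(u_matrix(M))

def preserves_epr(M, mask, n):  # the slide's exercise: (U (x) U)|Phi+^n> == |Phi+^n>
    U = symmetry(M, mask)
    return bool(np.allclose(np.kron(U, U).dot(epr_pairs(n)), epr_pairs(n)))

def reject_prob(psi, n, k):  # P[Alice's and Bob's outcomes on their last k qubits differ] = P[REJECT]
    d, low = 2 ** n, (1 << k) - 1
    x, y = np.indices((d, d))
    return float((np.abs(psi.reshape(d, d)) ** 2)[(x & low) != (y & low)].sum())

def run_test(psi, n, k, M, mask):  # both apply the same symmetry, then measure their last k qubits
    U = symmetry(M, mask)
    return reject_prob(np.kron(U, U).dot(psi), n, k)

def average_reject(psi, n, k):  # exact average of P[REJECT] over every invertible M and every mask
    Ms = [np.array(m).reshape(n, n) for m in product([0, 1], repeat=n * n)]
    Ms = [M for M in Ms if int(round(np.linalg.det(M))) % 2 == 1]
    masks = list(product([0, 1], repeat=n))
    return sum(run_test(psi, n, k, M, mask) for M in Ms for mask in masks) / (len(Ms) * len(masks))

def phase_flipped(n):  # constructed disturbance: Eve applies Z to Bob's first qubit; now orthogonal to |Phi+^n>
    return np.kron(np.eye(2 ** n), layer([Z] + [I2] * (n - 1))).dot(epr_pairs(n))
```

For this phase-flip disturbance the exact average REJECT probability comes out to 2/7: a Z error is invisible to a computational-basis measurement, and only the random Hadamards, which turn it into a bit flip, let the test catch it.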
17
Analyzing Security
• We want “n–k perfect EPR pairs or REJECT” with high probability
• To show closeness, look at the state before the test: |ψ⟩_ABE = (component with AB ∥ |Φ+^n⟩) + (component with AB ⊥ |Φ+^n⟩)
• Each piece is mapped close to the good subspace
[Figure: Eve’s action followed by U on each piece; both land near the “good” subspace]
18
Analyzing Security
• Theorem: Global state is close to subspace “n–k perfect EPR pairs or REJECT”
• Are we done? Intuitively meaningful, but what’s the definition of security here?
• This can be used to build a simulator, good enough to prove UC security [BM, BHLMO’05]
19
Security as Simulatability [BHLMO’05]
• Theorem: Global state is close to subspace “n–k perfect EPR pairs or REJECT”
• Ideal protocol: trusted party asks Eve “Abort or run?”; Eve answers 1 bit; if “Run” then give good keys to Alice and Bob
[Figure: real execution with Adv vs ideal execution with Sim]
20
Security as Simulatability
• Theorem: Global state is close to subspace “n–k perfect EPR pairs or REJECT”
• Simulator: runs dummy execution; outputs Eve’s view; if Eve aborts, send “abort”, else send “run”
[Figure: real execution with Adv vs ideal execution, where Sim runs a dummy execution and forwards “abort?”]
Strong guarantee!
21
Lessons of QKD
• We can sometimes test for disturbance, hence for information
• Security proven through simulator: proximity to “good” subspace [LC’99,CGS’02,BHLMO‘05]; simple form of simulator is good; all* QKD protocols have simulator! [BHLMO ‘05]
• Deniability and adaptivity more tricky: some protocols but not all [B‘02]
22
This talk
• Basics of quantum computing
• New Possibilities, e.g. quantum key distribution
• New Difficulties, Partial Solutions, e.g. rewinding in ZK proofs
• Conclusions & Questions
23
New Difficulties (& Partial Solutions)
Computational Assumptions Broken
• Factoring and discrete logarithm in BQP [S’94]
• Still lots of candidate one-way functions
• Few candidates for public-key encryption, OT: lattices, codes
• No candidates for trapdoor 1-way permutations (though see [OTU’00]) or non-interactive ZK for NP (though see [K’03])
• See workshop http://postquantum.cr.yp.to/
24
New Difficulties (& Partial Solutions)
Computational Assumptions Broken
Definitional Paradigms May No Longer Apply
• UC paradigm is ok ([BM’05]); what else?
• Bit commitment. Standard requirement: adversary cannot produce a pair (decommitment to 0, decommitment to 1). OK if commitment is perfectly binding. Claim: unconditionally-secure QBC [BCJL]: adversary cannot decommit to both 0 and 1. But… she can decommit to either!
• Workable definitions given later (but complicated) [CDMS,DFS]
25
New Difficulties (& Partial Solutions)
Computational Assumptions Broken
Definitional Paradigms May No Longer Apply
Information-theoretic Proofs Also Get Broken
• Protocols based on extractors: not clear if they remain secure against bounded quantum memory (pairwise-independent hashing is ok [KMR])
• Multi-prover commitment schemes can be broken [CST]; some of them can still be fixed, but require very careful proofs. E.g.: adversary can win the magic square game (see Ben Toner’s talk)
26
New Difficulties (& Partial Solutions)
Computational Assumptions Broken
Definitional Paradigms May No Longer Apply
Information-theoretic Proofs Also Get Broken
Basic Proof Techniques May Fail
• Fixing random coins: binding in multiprover commitment schemes, many other places
• Rewinding in ZK proof systems. Exception: [Watrous, 2005]
27
Rewinding and Simulation
• Wanted: simulator that fools quantum adversaries
• Some simulators do work: key distribution; multiparty computation [BGW88,CCD88,RB89,etc]
• “Rigid straight-line simulator”: uses only one black-box run of adversary, even in proof of correctness of simulation
[Figure: real execution with Adv vs ideal execution with Sim]
Few protocols have rigid simulators!
28
Rewinding in Zero Knowledge: Graph Isomorphism
• ZK proof for graph isomorphism: Input G0, G1. Prover is given σ s.t. σ(G0) = G1.
• Prover: π ← S_n, sends π(G0). Verifier: b ← {0,1}, sends b. Prover replies with a permutation ρ such that ρ(G_b) = π(G0).
29
Rewinding in Zero Knowledge: Graph Isomorphism
• Classical simulator: g ← {0,1}, π ← S_n; send π(G_g) to Vic (who also holds auxiliary input aux); Vic answers b.
• If g = b, output state of Vic. Else, start over!
• What if Vic and aux are quantum? Need to copy to start over; first execution might destroy aux. Is the protocol still deniable?
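The classical rewinding simulator described on this slide, as an added Python example (not the talk's own code): an honest prover for the graph-isomorphism protocol, a classical Vic whose challenge bit is a deterministic function of the first message and of its auxiliary input, and a simulator that guesses g, sends ρ(G_g), and starts over with a fresh copy of Vic whenever g ≠ b. The 4-vertex instance, the SHA-256-based challenge strategy and the aux string are constructed for illustration.

```python
import hashlib
import random
def permute(graph, p):  # relabel an edge set by the permutation p, given as a list v -> p[v]
    return frozenset(frozenset(p[v] for v in e) for e in graph)

def inverse(p):  # inverse permutation: position p[v] holds v
    return sorted(range(len(p)), key=p.__getitem__)

G0 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3)])  # constructed instance: a 4-vertex path
SIGMA = [2, 0, 3, 1]                                             # the prover's witness, sigma(G0) = G1
G1 = permute(G0, SIGMA)

class Verifier:  # classical, possibly cheating Vic: its challenge bit depends on H and on its aux input
    def __init__(self, aux):
        self.aux, self.view = aux, []
    def challenge(self, H):
        canon = repr(sorted(sorted(e) for e in H)) + self.aux
        b = hashlib.sha256(canon.encode()).digest()[0] & 1
        self.view.append((H, b))
        return b

def real_round(sigma, vic):  # honest prover, who knows sigma with sigma(G0) = G1
    pi = random.sample(range(len(sigma)), len(sigma))   # pi <- S_n
    H = permute(G0, pi)                                 # first message: H = pi(G0)
    b = vic.challenge(H)                                # Vic's challenge bit
    rho = pi if b == 0 else [pi[u] for u in inverse(sigma)]  # rho = pi o sigma^-1, so rho(G_b) = H
    return H, b, rho

def verify(H, b, rho):  # the verifier's final check on a transcript
    return permute([G0, G1][b], rho) == H

def simulate(make_vic, n=4):  # simulator knows no sigma: guess Vic's bit, rewind on a miss
    tries = 0
    while True:
        tries += 1
        vic = make_vic()               # "start over": a fresh Vic with a fresh copy of aux. Copying aux is
        g = random.randrange(2)        # exactly what a quantum Vic/aux would not allow (no cloning).
        rho = random.sample(range(n), n)
        H = permute([G0, G1][g], rho)  # H is uniform over the isomorphism class whether g is 0 or 1,
        b = vic.challenge(H)           # so b is independent of g and P[g == b] = 1/2 for every aux
        if g == b:
            return (H, b, rho), vic, tries

def demo(trials=200, seed=7):  # -> (all real transcripts verify, all simulated ones verify, mean tries)
    random.seed(seed)
    make_vic = lambda: Verifier("constructed auxiliary input")
    real_ok = all(verify(*real_round(SIGMA, make_vic())) for _ in range(trials))
    sims = [simulate(make_vic) for _ in range(trials)]
    return real_ok, all(verify(*t) for t, _, _ in sims), sum(k for _, _, k in sims) / trials
```

The simulator's output is a transcript plus the state of the Vic instance that produced it, and it needed about two attempts per run; the `make_vic()` restart is the step that has no quantum analogue.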
30
Simulator for Quantum Verifier [W’05]
• Classical simulator: g ← {0,1}, π ← S_n; send π(G_g) to Vic (holding aux); Vic answers b; output (g = b?, state of Vic)
1. “Purify” protocol: postpone measurements, keep all outputs quantum
32
Simulator for Quantum Verifier [W’05]
• Classical simulator: g ← {0,1}, π ← S_n; send π(G_g) to Vic (holding aux); Vic answers b; output (g = b?, state of Vic)
1. “Purify” protocol: postpone measurements, keep all outputs quantum
2. Measure 1 qubit: g ⊕ b. If simulation successful, output Vic’s state. Else: make it successful
33
Simulator for Quantum Verifier [W’05]
• Classical simulator: g ← {0,1}, π ← S_n; send π(G_g) to Vic (holding aux); Vic answers b; output (g = b?, state of Vic)
• Measuring g ⊕ b defines two subspaces W0, W1. Every verifier Vic defines two states |ψ0⟩, |ψ1⟩.
• Theorem [Watrous’05]: there is a poly-time unitary U_Vic s.t. U_Vic|ψ0⟩ = |ψ1⟩.
[Figure: the subspaces W0 and W1]
34
Simulator for Quantum Verifier [W’05]
• Classical simulator: g ← {0,1}, π ← S_n; send π(G_g) to Vic (holding aux); Vic answers b; output (g = b?, state of Vic)
1. “Purify” protocol: postpone measurements, keep all outputs quantum
2. Measure 1 qubit: g ⊕ b. If simulation successful, output Vic’s state. Else: apply U_Vic and output the state
35
Lessons from Watrous’ Simulation
• Quantum simulators are surprisingly powerful. NB: strict poly-time simulation
• Refines our understanding of protocols: this simulation works for a subclass of protocols, those where the simulator’s success prob. is independent* of aux; in particular, Hamiltonian path and 3-coloring. Not a subclass that had appeared before (?)
• Use quantum tricks to defeat a quantum adversary
36
This talk
• Basics of quantum computing
• New Possibilities, e.g. quantum key distribution
• New Difficulties, Partial Solutions, e.g. rewinding in ZK proofs
• Questions to think about
37
Quantum Information Requires New Intuitions
• Multi-prover interactive proofs [CHTW04,CST05]: soundness proofs via impossibility of supra-luminal signaling
• Composability and auxiliary information: some primitives require keys only half as long if the input is unentangled with the outside world
• Classical secrecy is sometimes the best analogue: secret sharing schemes ↔ error-correcting codes; approximate quantum codes beat the quantum Singleton bound; secret key capacity ↔ quantum conditional entropy; negative entropies have similar interpretations
38
Things I Didn’t Talk About
• Key re-use
• Deniability
• Bounded Quantum Memory / Processing
• Uncloneable encryption
• …
39
Interesting Questions (to me) that might be Open
• Extending Watrous’ argument: what types of rewinding for quantum adversaries? E.g. can we get quantum proofs of knowledge for NP?
• Two-party quantum computation?
• One-way (or trapdoor) permutation candidates which are classically computable in the forward direction? See [OTU’00] for a partial version
• UC impossibility results?
40
Cryptography in a Quantum World
• Landscape changes! New things are possible; new difficulties arise
• Needed: tools and language for reasoning about quantum adversaries
• The field is still very young: some successes… occasional mistakes… lots of questions!
[Image: “quantum thinkers needed”, Isaac Newton, 1642-1727]
41
Some references from the talk (a very partial list!)
• [AMTW00] Andris Ambainis, Michele Mosca, Alain Tapp, Ronald de Wolf: Private Quantum Channels. FOCS 2000: 547-553.
• [BCGST02] H. Barnum, C. Crepeau, D. Gottesman, A. Smith, A. Tapp: "Authentication of Quantum Messages," Proc. 43rd IEEE Symposium on the Foundations of Computer Science, 449-458 (2002), full version quant-ph/0205128.
• [BCJL] Gilles Brassard, Claude Crépeau, Richard Jozsa, Denis Langlois: A Quantum Bit Commitment Scheme Provably Unbreakable by both Parties. FOCS 1993: 362-371.
• [BH05] Michael Ben-Or, Avinatan Hassidim: Fast quantum byzantine agreement. STOC 2005: 481-485.
• [BHLMO'05] Michael Ben-Or, Michal Horodecki, Debbie W. Leung, Dominic Mayers, Jonathan Oppenheim: The Universal Composable Security of Quantum Key Distribution. TCC 2005: 386-406. quant-ph/0409078.
• [BM'05] Michael Ben-Or, Dominic Mayers: General Security Definition and Composability for Quantum & Classical Protocols. quant-ph/0409062.
• [CDMS] Claude Crépeau, Paul Dumais, Dominic Mayers, Louis Salvail: Computational Collapse of Quantum State with Application to Oblivious Transfer. TCC 2004: 374-393.
• [CGS02] C. Crepeau, D. Gottesman, A. Smith: "Secure Multi-Party Quantum Computation," Proc. 34th ACM Symposium on the Theory of Computing, 643-652 (New York, NY, ACM Press, 2002), quant-ph/0206138.
• [CHTW04] R. Cleve, P. Høyer, B. Toner, J. Watrous: Consequences and Limits of Nonlocal Strategies. Proceedings of the 19th IEEE Annual Conference on Computational Complexity (CCC 2004), pp. 236-249 (2004).
• [CST'05] C. Crepeau, J.-R. Simard, A. Tapp: Classical and quantum strategies for two-prover bit commitments. Manuscript, 2005.
• [DFS] Ivan Damgård, Serge Fehr, Louis Salvail: Zero-Knowledge Proofs and String Commitments Withstanding Quantum Attacks. CRYPTO 2004: 254-272.
• [E91] Artur K. Ekert: Quantum cryptography based on Bell's theorem. Phys. Rev. Lett. 67, 661-663 (1991).
• [G] D. Gottesman: "Uncloneable Encryption," Proc. 6th International Conf. on Quantum Communication, Measurement, and Computing, eds. J. H. Shapiro and O. Hirota, pp. 405-410 (Princeton, NJ, Rinton Press, 2003), full version Quantum Information and Computation 3, No. 6, 581-602 (2003), quant-ph/0210062.
• [K'03] Hirotada Kobayashi: Non-interactive Quantum Perfect and Statistical Zero-Knowledge. ISAAC 2003: 178-188.
• [KMR] Robert Koenig, Ueli Maurer, Renato Renner: On the Power of Quantum Memory. IEEE Transactions on Information Theory, vol. 51, no. 7, pp. 2391-2401, Jul 2005, eprint archive: http://arxiv.org/abs/quant-ph/0305154.
• [LC99] Hoi-Kwong Lo, H. F. Chau: Unconditional Security of Quantum Key Distribution over Arbitrarily Long Distances. Science 26 March 1999: Vol. 283, no. 5410, pp. 2050-2056.
• [M,LC] D. Mayers: Unconditionally secure quantum bit commitment is impossible. Phys. Rev. Lett. 78, (1997) 3414-3417. --and-- H.-K. Lo, H. F. Chau: Why Quantum Bit Commitment And Ideal Quantum Coin Tossing Are Impossible. Physica D120 (1998) 177-187. quant-ph/9711065.
• [OTU'00] Tatsuaki Okamoto, Keisuke Tanaka, Shigenori Uchiyama: Quantum Public-Key Cryptosystems. CRYPTO 2000: 147-165.
• [S'94] Peter W. Shor: Algorithms for Quantum Computation: Discrete Logarithms and Factoring. FOCS 1994: 124-134.
• [W'05] J. Watrous: Zero-knowledge against quantum attacks. arXiv.org e-Print quant-ph/0511020, 2005.
Thank you
Questions?
This talk to be posted on: http://theory.csail.mit.edu/~asmith