Evolving Notions of Security for Quantum Protocols

Adam Smith, Weizmann Institute of Science, http://theory.csail.mit.edu/~asmith

Caltech Workshop on Security of Classical and Quantum Protocols, December 16, 2005


(Annotation on the title slide) Proofs: Usually Correct, Frequently Interesting, Occasionally Mistaken

Page 3

Cryptography in a Quantum World

• Landscape changes! New things are possible; new difficulties arise
• Needed: tools and language for reasoning about quantum adversaries
• The field is still very young: some successes... occasional mistakes... lots of questions!

[Image: Isaac Newton (1642-1727), captioned "quantum thinkers needed"]

Page 4

This talk

• Basics of quantum computing

• New Possibilities E.g. quantum key distribution

• New Difficulties, Partial Solutions E.g. rewinding in ZK proofs

• Conclusions & Questions

Page 5

Quantum Information: Pure States

• "Pure states" = vectors in complex space
• "qubit" = basic unit of quantum information: $\alpha|0\rangle + \beta|1\rangle$ with $\alpha, \beta \in \mathbb{C}$ and $|\alpha|^2 + |\beta|^2 = 1$
• Register of n qubits: $\sum_x \alpha_x |x\rangle$ (where $x \in \{0,1\}^n$)
• NB: a qubit-by-qubit description is not enough: $2n$ numbers vs $2^n$ numbers

[Figure: a qubit $\alpha|0\rangle + \beta|1\rangle$ drawn as a vector in the plane spanned by $|0\rangle$ and $|1\rangle$]

Page 6

Quantum Circuits: 2 kinds of gates

• Invertible operations on n qubits = $2^n \times 2^n$ unitary matrices ($U^{-1} = U^\dagger$): $|\psi\rangle \mapsto U|\psi\rangle$. E.g. Hadamard $H = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$
• Projective measurements: ask a qubit "are you 0 or 1?" The state $\alpha|0\rangle + \beta|1\rangle$ becomes $|0\rangle$ w.p. $|\alpha|^2$ or $|1\rangle$ w.p. $|\beta|^2$ (according to the output). Destructive!

Page 7

Information vs Disturbance

• Important principle of quantum mechanics
• Consequence: no copying!
• Theorem: let a unitary $U$ act on the input $|\psi\rangle$ (together with an ancilla) and split the result into two registers A and B. If register A equals $|\psi\rangle$ for all inputs $|\psi\rangle$, then register B is independent of $|\psi\rangle$
• Information ⇒ Disturbance
  Secrecy ⇐ Resilience to errors

[Figure: $U|\psi\rangle$ with its two output registers labelled A and B]


Page 9

New Possibilities

• Key distribution w/o computational assumptions [BB84]
• Coin flipping with constant bias (see Andris' talk)
• Public-key cryptography with limited keys (see Daniel's talk)
• Non-locality games (see Ben Toner's talk)
• Uncloneable encryption [G]
• Fast Byzantine agreement [BH05]
• Key re-use (see Louis Salvail's talk)
• Crypto with quantum data [AMTW00, CGS02, BCGST02, ...]

Not a panacea:
• Unconditionally secure bit commitment, OT, etc. are still impossible [M, LC]
• (Probably) does not circumvent composability issues

Page 10

Quantum Key Distribution [BB84]

• Alice and Bob want to generate a secret key

[Figure: Alice and Bob, connected by a quantum channel controlled by Eve and by a classical authenticated channel visible to Eve]

Page 11

Quantum Key Distribution (simplified [E91, LC99])

• Basic tool: EPR pairs, a state on two qubits: $|\Phi^+\rangle = \frac{1}{\sqrt{2}}\left(|00\rangle_{AB} + |11\rangle_{AB}\right)$
• Say Alice and Bob share an EPR pair: measure each half to get a shared, secret bit
• Goal: set up many clean, shared EPR pairs: $|\Phi^+_n\rangle = 2^{-n/2} \sum_x |x\rangle_A |x\rangle_B$
• Phase I: Alice creates n EPR pairs, sends the halves to Bob
• Phase II: Alice and Bob test the pairs for tampering using the classical channel

[Figure: Alice and Bob, each holding one half of every pair]

Page 12

Phase I

• Alice generates n EPR pairs
• Sends the halves of these pairs to Bob
• Bob acknowledges receipt ("Got them.")

[Figure: Bob's halves of $|\Phi^+_n\rangle$ travel from Alice to Bob through Eve, who may keep a record in her quantum memory]

Page 13

Phase II: Testing

Intuition:
• There are many symmetries U such that $(U_A \otimes U_B)|\Phi^+_n\rangle_{AB} = |\Phi^+_n\rangle_{AB}$.

[Figure: same setting as Phase I, with Eve's memory holding whatever she recorded]

Page 14

Phase II: Testing

• Alice picks a symmetry U at random, applies U to her half and measures her last k qubits, then sends U and the results to Bob over the classical channel
• Bob applies U to his half and measures his last k qubits
• ACCEPT iff the measurements agree

Intuition: ACCEPT ⇒ the remaining n − k pairs are 'good' EPR pairs

[Figure: Alice and Bob each apply U; "U, results" is sent over the classical channel; Eve holds her memory]

Page 15

Example Symmetries [E91, BCGST02]

• For any invertible binary matrix $M \in \{0,1\}^{n \times n}$: $U_M|x\rangle = |Mx\rangle$ (arithmetic over GF(2))
• Alice picks a random invertible matrix M, applies $U_M$, then applies a Hadamard with probability ½ to each qubit; Bob applies the same U to his half
• Exercise: this preserves $|\Phi^+_n\rangle = 2^{-n/2} \sum_x |x\rangle_A |x\rangle_B$
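The exercise on page 15 and the two cases on page 16, as an added example that is not part of the slides: a small pure-Python state-vector simulator that builds $|\Phi^+_n\rangle$, applies a symmetry U (an invertible M over GF(2), then Hadamards on a subset of qubits, on both halves) and computes the acceptance probability of the Phase II test exactly. With n = 3 and k = 1 the whole symmetry group (168 matrices times 8 Hadamard subsets) can be enumerated, so the averages are exact rather than sampled. Modelling Eve by a single Pauli error on one of Bob's qubits, measuring the last k qubits, and the sample parameters are this example's own assumptions. It shows that the clean state is invariant under every U and always accepted; that a bit flip or a phase flip on Bob's qubit 0 is accepted on average with probability 5/7 once the Hadamard step is included; and that without the Hadamards the phase flip is never detected (acceptance 1), which is why the symmetry has to mix the two bases. The $2^{-k}$ on page 16 is the intuition for larger k; for k = 1 and this small group the exact figures are what the code prints.

```python
"""
Pure-Python state-vector simulator for the EPR-pair test on pages 11-16.
Added example, not from the slides. n and k are kept small so every symmetry U
(invertible M over GF(2), then Hadamards on a subset of qubits, on both halves)
can be enumerated. Basis states are pairs (x, y): x = Alice's n-bit register,
y = Bob's; a state is a dict {(x, y): amplitude}.
"""
import itertools
import math


def phi_plus(n):
    """|Phi+_n> = 2^(-n/2) sum_x |x>_A |x>_B."""
    a = 1 / math.sqrt(2 ** n)
    return {(x, x): a for x in range(2 ** n)}


def matvec(M, x):
    """Binary matrix M (tuple of row bitmasks) times vector x over GF(2)."""
    return sum(1 << i for i, row in enumerate(M) if bin(row & x).count("1") & 1)


def is_invertible(M, n):
    """Gaussian elimination over GF(2): M is invertible iff its rank is n."""
    rows, rank = list(M), 0
    for bit in range(n):
        pivot = next((r for r in range(rank, n) if rows[r] >> bit & 1), None)
        if pivot is None:
            return False
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for r in range(n):
            if r != rank and rows[r] >> bit & 1:
                rows[r] ^= rows[rank]
        rank += 1
    return True


def all_invertible(n):
    return [M for M in itertools.product(range(2 ** n), repeat=n) if is_invertible(M, n)]


def apply_matrix_both(state, M):
    """U_M (x) U_M with U_M|x> = |Mx>: just a permutation of the basis states."""
    return {(matvec(M, x), matvec(M, y)): a for (x, y), a in state.items()}


def apply_h_both(state, i):
    """Hadamard on qubit i of Alice's register and on qubit i of Bob's register."""
    r = 1 / math.sqrt(2)
    for side in (0, 1):                                  # 0 = Alice, 1 = Bob
        nxt = {}
        for (x, y), a in state.items():
            v = (x, y)[side]
            for b in (0, 1):                             # H|c> = (|0> + (-1)^c |1>)/sqrt2
                sign = -1 if (b and v >> i & 1) else 1
                w = (v & ~(1 << i)) | (b << i)
                key = (w, y) if side == 0 else (x, w)
                nxt[key] = nxt.get(key, 0) + sign * r * a
        state = nxt
    return state


def pauli_error(state, kind, i):
    """Eve applies X (bit flip) or Z (phase flip) to qubit i of Bob's half."""
    if kind == "X":
        return {(x, y ^ (1 << i)): a for (x, y), a in state.items()}
    return {(x, y): (-a if y >> i & 1 else a) for (x, y), a in state.items()}


def accept_probability(state, n, k):
    """Alice and Bob each measure their last k qubits; ACCEPT iff the results agree."""
    mask = ((1 << k) - 1) << (n - k)
    return sum(abs(a) ** 2 for (x, y), a in state.items() if (x & mask) == (y & mask))


def run_test(state, M, hadamards, n, k):
    """One run of Phase II with the symmetry U = (Hadamards on `hadamards`) o U_M."""
    s = apply_matrix_both(state, M)
    for i in hadamards:
        s = apply_h_both(s, i)
    return accept_probability(s, n, k)


def average_accept(state, n, k, with_hadamards=True):
    """Exact average of the acceptance probability over every symmetry U."""
    subsets = [h for r in range(n + 1) for h in itertools.combinations(range(n), r)]
    if not with_hadamards:
        subsets = [()]
    Ms = all_invertible(n)
    return sum(run_test(state, M, h, n, k) for M in Ms for h in subsets) / (len(Ms) * len(subsets))


def is_phi_plus(state, n, tol=1e-9):
    """The exercise on page 15: is the state still |Phi+_n>?"""
    target = phi_plus(n)
    return all(abs(state.get(q, 0) - target.get(q, 0)) < tol for q in set(state) | set(target))


if __name__ == "__main__":
    n, k = 3, 1
    M, S = (0b011, 0b110, 0b100), (0, 2)      # one symmetry: invertible M, Hadamards on qubits 0 and 2
    s = apply_matrix_both(phi_plus(n), M)
    for i in S:
        s = apply_h_both(s, i)
    print("U leaves |Phi+_n> fixed:", is_phi_plus(s, n))
    print("clean pairs accepted w.p.", round(average_accept(phi_plus(n), n, k), 4))
    for kind in "XZ":
        bad = pauli_error(phi_plus(n), kind, 0)
        print(kind, "error on Bob's qubit 0 accepted w.p.", round(average_accept(bad, n, k), 4),
              "with Hadamards,", round(average_accept(bad, n, k, False), 4), "without")
```

The acceptance probability is computed from the amplitudes rather than sampled, so a clean state gives exactly 1 for every U. The reason the X error is still sometimes accepted even with the Hadamard step is visible in the code: U_M moves the flip to a random nonzero pattern, and a flip that lands on a measured qubit is converted by a Hadamard on that qubit into a phase error, which a computational-basis measurement cannot see.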

Page 16

Analyzing Security

• Joint state of A,B = $|\Phi^+_n\rangle$ ⇒ the test passes w.p. 1
• Joint state of A,B ⊥ $|\Phi^+_n\rangle$ ⇒ the test passes w.p. $2^{-k}$ (exponentially small in k)
• How can we use this? What's the security statement? How can we prove it?

[Figure: the two subspaces $\mathrm{span}(|\Phi^+_n\rangle)$ and $\mathrm{span}(|\Phi^+_n\rangle)^\perp$]

Page 17

Analyzing Security

• We want "n−k perfect EPR pairs or REJECT" with high probability
• To show closeness, decompose the state before the test into its component parallel to $|\Phi^+_n\rangle$ and its component orthogonal to it:
  $|\psi\rangle_{ABE} = |\psi_\parallel\rangle + |\psi_\perp\rangle$, with $|\psi_\parallel\rangle \in \mathrm{span}(|\Phi^+_n\rangle)_{AB} \otimes \mathcal{H}_E$ and $|\psi_\perp\rangle \in \mathrm{span}(|\Phi^+_n\rangle)^\perp_{AB} \otimes \mathcal{H}_E$
• Each piece is mapped close to the good subspace

[Figure: Eve's action followed by U on each half; the parallel component lands in the "+" subspace and the orthogonal component in its complement]

Page 18

Analyzing Security

• Theorem: the global state is close to the subspace "n−k perfect EPR pairs or REJECT"
• Are we done? This is intuitively meaningful, but what's the definition of security here?
• This can be used to build a simulator, good enough to prove UC security [BM, BHLMO'05]

Page 19

Security as Simulatability [BHLMO'05]

• Theorem: the global state is close to the subspace "n−k perfect EPR pairs or REJECT"
• Ideal protocol: a trusted party asks Eve "Abort or run?"; Eve answers with 1 bit; if "Run", the trusted party gives good keys to Alice and Bob

[Figure: the real execution with Adv beside the ideal execution with Sim]

Page 20

Security as Simulatability

• Theorem: the global state is close to the subspace "n−k perfect EPR pairs or REJECT"
• Simulator: runs a dummy execution of the protocol with Eve and outputs Eve's view; if Eve aborts, it sends "abort" to the trusted party, else "run"
• Strong guarantee!

[Figure: the real execution with Adv beside the ideal execution, where Sim runs the dummy execution and forwards "abort?"]

Page 21

Lessons of QKD

• We can sometimes test for disturbance, hence for information
• Security is proven through a simulator: proximity to a "good" subspace [LC'99, CGS'02, BHLMO'05]. A simple form of simulator is good enough, and all* QKD protocols have a simulator! [BHLMO'05]
• Deniability and adaptivity are more tricky: some protocols have them but not all [B'02]


Page 23

New Difficulties (& Partial Solutions)

Computational Assumptions Broken
• Factoring and discrete logarithm are in BQP [S'94]
• Still lots of candidate one-way functions
• Few candidates for public-key encryption and OT: lattices, codes
• No candidates for trapdoor one-way permutations (though see [OTU'00]) or for non-interactive ZK for NP (though see [K'03])
• See the workshop http://postquantum.cr.yp.to/

Page 24

New Difficulties (& Partial Solutions)

Computational Assumptions Broken

Definitional Paradigms May No Longer Apply
• The UC paradigm is OK ([BM'05]); what else?
• Bit commitment. Standard requirement: the adversary cannot produce a pair (decommitment to 0, decommitment to 1). This is fine if the commitment is perfectly binding. Claim: unconditionally secure QBC [BCJL]. Indeed the adversary cannot decommit to both 0 and 1. But... she can decommit to either, choosing after the commit phase, so the classical definition is satisfied yet the scheme is not binding
• Workable definitions were given later (but they are complicated) [CDMS, DFS]

Page 25

New Difficulties (& Partial Solutions)

Computational Assumptions Broken

Definitional Paradigms May No Longer Apply

Information-theoretic Proofs Also Get Broken
• Protocols based on extractors: not clear whether they remain secure against an adversary with bounded quantum memory (pairwise-independent hashing is OK [KMR])
• Multi-prover commitment schemes can be broken [CST]: e.g. provers sharing entanglement can win the magic square game (see Ben Toner's talk). Some of them can still be fixed, but the fixes require very careful proofs

Page 26

New Difficulties (& Partial Solutions)

Computational Assumptions Broken

Definitional Paradigms May No Longer Apply

Information-theoretic Proofs Also Get Broken

Basic Proof Techniques May Fail
• Fixing random coins: used for binding in multi-prover commitment schemes and in many other places
• Rewinding in ZK proof systems. Exception: [Watrous, 2005]

Page 27

Rewinding and Simulation

• Wanted: a simulator that fools quantum adversaries
• Some simulators do work: key distribution, multiparty computation [BGW88, CCD88, RB89, etc.]
• "Rigid straight-line simulator": uses only one black-box run of the adversary, even in the proof of correctness of the simulation
• Few protocols have rigid simulators!

[Figure: the real execution with Adv beside the ideal execution with Sim]

Page 28

Rewinding in Zero Knowledge: Graph Isomorphism

• ZK proof for graph isomorphism: input G0, G1. The prover is given σ such that σ(G0) = G1.
• Prover: picks π ← S_n and sends H = π(G0)
• Verifier: picks b ← {0,1} and sends b
• Prover: sends τ = π∘σ^{-b}, i.e. π if b = 0 and π∘σ^{-1} if b = 1, so that τ(G_b) = H
• Verifier: accepts iff τ(G_b) = H

Page 29

Rewinding in Zero Knowledge: Graph Isomorphism

• Classical simulator (Vic is the verifier, running with auxiliary input aux):
  picks g ← {0,1} and π ← S_n, sends H = π(G_g) to Vic and receives b.
  If g = b, output the state of Vic (the transcript (H, b, π) is consistent without knowing σ). Else, start over!
• What if Vic and aux are quantum? Starting over needs a copy of Vic's state, and the first execution might have destroyed aux.
• Is the protocol still deniable?
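The protocol on page 28 and the classical simulator on page 29, as an added example that is not part of the slides. The sample graphs, the verifier strategy (Vic derives its challenge from a hash of aux and the commitment, so it is deterministic given its state) and the use of `copy.deepcopy` to model "copy Vic's state, then start over" are this example's own choices. The simulator never touches σ: it guesses g, sends π(G_g), and rewinds whenever Vic's challenge differs from its guess, succeeding with probability 1/2 per attempt because π(G0) and π(G1) are identically distributed. The deepcopy line is exactly the step page 29 says is unavailable when Vic and aux are quantum.

```python
"""
Graph-isomorphism ZK proof (pages 28-29) with its classical rewinding
simulator. Added example, not from the slides; the graphs, the aux-dependent
verifier and the deepcopy-based "start over" are this example's own choices.
"""
import copy
import hashlib
import random


def apply_perm(p, graph):
    """Relabel every edge {u, v} of graph by the permutation p (p[i] is the image of i)."""
    return frozenset(frozenset(p[v] for v in edge) for edge in graph)


def compose(p, q):
    """(p o q)(i) = p[q[i]]."""
    return tuple(p[q[i]] for i in range(len(p)))


def inverse(p):
    inv = [0] * len(p)
    for i, j in enumerate(p):
        inv[j] = i
    return tuple(inv)


def random_perm(rng, n):
    p = list(range(n))
    rng.shuffle(p)
    return tuple(p)


def make_graph(edges):
    return frozenset(frozenset(e) for e in edges)


def canonical(graph):
    """Stable byte encoding of a graph; Vic hashes it to derive its challenge."""
    return repr(sorted(tuple(sorted(e)) for e in graph)).encode()


class Prover:
    """Holds the witness sigma with sigma(G0) = G1."""
    def __init__(self, g0, g1, sigma, rng):
        assert apply_perm(sigma, g0) == g1
        self.g0, self.sigma, self.rng = g0, sigma, rng

    def commit(self):
        self.pi = random_perm(self.rng, len(self.sigma))
        return apply_perm(self.pi, self.g0)                 # H = pi(G0)

    def respond(self, b):
        # tau with tau(G_b) = H: pi for b = 0, pi o sigma^{-1} for b = 1
        return self.pi if b == 0 else compose(self.pi, inverse(self.sigma))


class Vic:
    """Verifier whose challenge is a deterministic function of aux and of H."""
    def __init__(self, aux):
        self.aux = aux
        self.transcript = []

    def challenge(self, h):
        self.transcript.append(h)
        return hashlib.sha256(self.aux + canonical(h)).digest()[0] & 1


def verify(g0, g1, h, b, tau):
    """The verifier's final check: tau(G_b) == H."""
    return apply_perm(tau, (g0, g1)[b]) == h


def run_protocol(prover, vic):
    h = prover.commit()
    b = vic.challenge(h)
    return h, b, prover.respond(b)


def simulate(vic, g0, g1, n, rng, max_tries=200):
    """Classical simulator: guess g, send pi(G_g); if Vic's b != g, rewind and retry.

    Rewinding = discard the copy of Vic that saw the failed attempt and start
    again from a fresh copy of its original state, aux included."""
    for attempt in range(1, max_tries + 1):
        trial = copy.deepcopy(vic)          # the copy that no-cloning forbids for a quantum Vic
        g = rng.randrange(2)
        pi = random_perm(rng, n)
        h = apply_perm(pi, (g0, g1)[g])
        b = trial.challenge(h)
        if b == g:
            return (h, b, pi), trial, attempt
    raise RuntimeError("simulator did not succeed within max_tries attempts")


def demo(seed=7):
    """One real execution and one simulated execution against the same Vic strategy."""
    rng = random.Random(seed)
    g0 = make_graph([(0, 1), (1, 2), (2, 3), (3, 4), (1, 4)])   # constructed sample graph
    sigma = (3, 0, 4, 1, 2)
    g1 = apply_perm(sigma, g0)
    aux = b"verifier's auxiliary input"
    h, b, tau = run_protocol(Prover(g0, g1, sigma, rng), Vic(aux))
    (h2, b2, tau2), vic_after, tries = simulate(Vic(aux), g0, g1, 5, rng)
    return {
        "real_accepts": verify(g0, g1, h, b, tau),
        "real_wrong_challenge_accepts": verify(g0, g1, h, 1 - b, tau),
        "simulated_accepts": verify(g0, g1, h2, b2, tau2),
        "simulator_attempts": tries,
        "vic_saw_only_final_h": vic_after.transcript == [h2],
    }


if __name__ == "__main__":
    print(demo())
```

The `transcript` list in Vic makes the rewinding visible: the Vic object returned by `simulate` has seen exactly one commitment, because every failed attempt ran against a throwaway copy.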

Page 30-34

Simulator for Quantum Verifier [W'05]

• Start from the classical simulator: g ← {0,1}, π ← S_n; send π(G_g) to Vic (holding aux); receive b; output (g = b?, state of Vic)
1. "Purify" the protocol: postpone measurements, keep all outputs quantum
2. Measure 1 qubit: g ⊕ b. If the simulation was successful, output Vic's state. Else: make it successful
• Measuring g ⊕ b defines two subspaces W0, W1. Every verifier Vic defines two states |ψ0⟩ ∈ W0, |ψ1⟩ ∈ W1
• Theorem [Watrous'05]: there is a poly-time unitary U_Vic s.t. U_Vic|ψ0⟩ = |ψ1⟩
• So on failure: apply U_Vic, then output the state

Page 35

Lessons from Watrous' Simulation

• Quantum simulators are surprisingly powerful. NB: strict poly-time simulation
• Refines our understanding of protocols: this simulation works for a subclass of protocols, those where the simulator's success probability is independent* of aux. In particular, Hamiltonian path and 3-coloring. Not a subclass that had appeared before (?)
• Use quantum tricks to defeat a quantum adversary

Page 36

This talk

• Basics of quantum computing

• New Possibilities E.g. quantum key distribution

• New Difficulties, Partial Solutions E.g. rewinding in ZK proofs

• Questions to think about

Page 37

Quantum Information Requires New Intuitions

• Multi-prover interactive proofs [CHTW04, CST05]: soundness proofs via the impossibility of supra-luminal signaling
• Composability and auxiliary information: some primitives require keys only half as long if the input is unentangled with the outside world
• Classical secrecy is sometimes the best analogue: secret sharing schemes ⇔ error-correcting codes (approximate quantum codes beat the quantum Singleton bound); secret key capacity ⇔ quantum conditional entropy (negative entropies have similar interpretations)

Page 38

Things I Didn’t Talk About

• Key re-use

• Deniability

• Bounded Quantum Memory / Processing

• Uncloneable encryption

• …

Page 39

Interesting Open Questions (to me, and that might be open)

• Extending Watrous' argument: what types of rewinding work against quantum adversaries? E.g. can we get quantum proofs of knowledge for NP?
• Two-party quantum computation?
• One-way (or trapdoor) permutation candidates which are classically computable in the forward direction? See [OTU'00] for a partial version
• UC impossibility results?


Page 41

Some references from the talk (a very partial list!)

• [AMTW00] Andris Ambainis, Michele Mosca, Alain Tapp, Ronald de Wolf: Private Quantum Channels. FOCS 2000: 547-553.
• [BCGST02] H. Barnum, C. Crepeau, D. Gottesman, A. Smith, A. Tapp: Authentication of Quantum Messages. Proc. 43rd IEEE Symposium on the Foundations of Computer Science (FOCS 2002), 449-458. Full version: quant-ph/0205128.
• [BCJL] Gilles Brassard, Claude Crépeau, Richard Jozsa, Denis Langlois: A Quantum Bit Commitment Scheme Provably Unbreakable by both Parties. FOCS 1993: 362-371.
• [BH05] Michael Ben-Or, Avinatan Hassidim: Fast Quantum Byzantine Agreement. STOC 2005: 481-485.
• [BHLMO'05] Michael Ben-Or, Michal Horodecki, Debbie W. Leung, Dominic Mayers, Jonathan Oppenheim: The Universal Composable Security of Quantum Key Distribution. TCC 2005: 386-406. quant-ph/0409078.
• [BM'05] Michael Ben-Or, Dominic Mayers: General Security Definition and Composability for Quantum & Classical Protocols. quant-ph/0409062.
• [CDMS] Claude Crépeau, Paul Dumais, Dominic Mayers, Louis Salvail: Computational Collapse of Quantum State with Application to Oblivious Transfer. TCC 2004: 374-393.
• [CGS02] C. Crepeau, D. Gottesman, A. Smith: Secure Multi-Party Quantum Computation. Proc. 34th ACM Symposium on the Theory of Computing (STOC 2002), 643-652. quant-ph/0206138.
• [CHTW04] R. Cleve, P. Høyer, B. Toner, J. Watrous: Consequences and Limits of Nonlocal Strategies. Proc. 19th IEEE Annual Conference on Computational Complexity (CCC 2004), 236-249.
• [CST'05] C. Crepeau, J.-R. Simard, A. Tapp: Classical and Quantum Strategies for Two-Prover Bit Commitments. Manuscript, 2005.
• [DFS] Ivan Damgård, Serge Fehr, Louis Salvail: Zero-Knowledge Proofs and String Commitments Withstanding Quantum Attacks. CRYPTO 2004: 254-272.
• [E91] Artur K. Ekert: Quantum Cryptography Based on Bell's Theorem. Phys. Rev. Lett. 67, 661-663 (1991).
• [G] D. Gottesman: Uncloneable Encryption. Proc. 6th International Conf. on Quantum Communication, Measurement, and Computing, eds. J. H. Shapiro and O. Hirota, 405-410 (Princeton, NJ, Rinton Press, 2003). Full version: Quantum Information and Computation 3, no. 6, 581-602 (2003), quant-ph/0210062.
• [K'03] Hirotada Kobayashi: Non-interactive Quantum Perfect and Statistical Zero-Knowledge. ISAAC 2003: 178-188.
• [KMR] Robert Koenig, Ueli Maurer, Renato Renner: On the Power of Quantum Memory. IEEE Transactions on Information Theory, vol. 51, no. 7, 2391-2401, July 2005. http://arxiv.org/abs/quant-ph/0305154.
• [LC99] Hoi-Kwong Lo, H. F. Chau: Unconditional Security of Quantum Key Distribution over Arbitrarily Long Distances. Science, 26 March 1999, vol. 283, no. 5410, 2050-2056.
• [M, LC] D. Mayers: Unconditionally Secure Quantum Bit Commitment is Impossible. Phys. Rev. Lett. 78, 3414-3417 (1997). And: H.-K. Lo, H. F. Chau: Why Quantum Bit Commitment and Ideal Quantum Coin Tossing are Impossible. Physica D 120, 177-187 (1998). quant-ph/9711065.
• [OTU'00] Tatsuaki Okamoto, Keisuke Tanaka, Shigenori Uchiyama: Quantum Public-Key Cryptosystems. CRYPTO 2000: 147-165.
• [S'94] Peter W. Shor: Algorithms for Quantum Computation: Discrete Logarithms and Factoring. FOCS 1994: 124-134.
• [W'05] J. Watrous: Zero-Knowledge Against Quantum Attacks. arXiv.org e-Print quant-ph/0511020, 2005.

Page 42

Thank you

Questions?

This talk to be posted on:http://theory.csail.mit.edu/~asmith