Evolving Notions of Security for Quantum Protocols
Adam Smith
Weizmann Institute of Science
http://theory.csail.mit.edu/~asmith
Caltech Workshop on Security of Classical and Quantum Protocols
December 16, 2005
Cryptography in a Quantum World
• Landscape changes!
  – New things are possible
  – New difficulties arise
• Needed: tools and language for reasoning about quantum adversaries
• The field is still very young
  – Some successes…
  – … occasional mistakes
  – Lots of questions!
This talk
• Basics of quantum computing
• New Possibilities
  – E.g. quantum key distribution
• New Difficulties, Partial Solutions
  – E.g. rewinding in ZK proofs
• Conclusions & Questions
Quantum Information: Pure States
• "Pure states" = vectors in complex space
• "qubit" = basic unit of quantum information
  α|0⟩ + β|1⟩ : α, β ∈ ℂ, |α|² + |β|² = 1
• Register of n qubits: Σ_x α_x |x⟩ (where x ∈ {0,1}^n)
• NB: qubit-by-qubit description is not enough
  – 2n numbers vs 2^n numbers
Quantum Circuits: 2 kinds of gates
• Invertible operations on n qubits = 2^n × 2^n unitary matrices (U⁻¹ = U†)
  |ψ⟩ → U|ψ⟩
  e.g. Hadamard: H = (1/√2) [[1, 1], [1, −1]]
• Projective measurements:
  – Ask a qubit: are you 0 or 1?
  – State becomes |0⟩ or |1⟩ (according to output)
  – Destructive!
  α|0⟩ + β|1⟩ → |0⟩ w.prob. |α|², |1⟩ w.prob. |β|²
Information vs Disturbance
• Important principle of quantum mechanics
• Consequence: no copying!
• Theorem: let a unitary U take input |ψ⟩ to output registers A and B. If A = |ψ⟩ for all inputs |ψ⟩, then B is independent of |ψ⟩.
• Information ⇒ Disturbance
• Secrecy ⇐ Resilience to errors
New Possibilities
• Key distribution w/o computational assumptions [BB84]
• Coin flipping with constant bias (see Andris' talk)
• Public-key cryptography with limited keys (see Daniel's talk)
• Non-locality games (see Ben Toner's talk)
• Uncloneable encryption [G]
• Fast Byzantine agreement [BH05]
• Key re-use (see Louis Salvail's talk)
• Crypto with quantum data [AMTW00, CGS02, BCGST02, …]
Not a panacea:
• Bit commitment, OT, etc. are still impossible [M,LC]
• (Probably) does not circumvent composability issues
Quantum Key Distribution [BB84]
• Alice and Bob want to generate a secret key
  [figure: Alice and Bob are joined by a quantum channel controlled by Eve and by a classical authenticated channel visible to Eve]
Quantum Key Distribution (simplified [E91, LC99])
• Basic tool: EPR pairs
  – State on two qubits: |Φ+⟩ = |00⟩_AB + |11⟩_AB (normalization omitted)
  – Say Alice and Bob share an EPR pair: measure each half to get a shared, secret bit
• Goal: set up many clean, shared EPR pairs
• Phase I: Alice creates n EPR pairs, sends halves to Bob
• Phase II: Alice and Bob test the pairs for tampering using the classical channel
  [figure: Alice and Bob sharing |Φ+^n⟩ = Σ_x |x⟩_A |x⟩_B]
Phase I
• Alice generates n EPR pairs
• Sends halves of these pairs to Bob
• Bob acknowledges receipt ("Got them.")
  [figure: |Φ+^n⟩ leaves Alice, passes through Eve (who keeps a quantum memory) and reaches Bob]
Phase II: Testing
• Intuition: many symmetries U such that (U_A ⊗ U_B)|Φ+^n⟩_AB = |Φ+^n⟩_AB
• Alice picks symmetry U at random
  – Applies U and measures last k qubits
  – Sends U and results to Bob
  – Bob applies U and measures last k qubits
• ACCEPT iff measurements agree
• Intuition: ACCEPT ⇒ n − k 'good' EPR pairs
  [figure: Alice applies U to her half of |Φ+^n⟩ and sends "U, results" over the classical channel; Bob applies U; Eve keeps her memory]
Example Symmetries [E91, BCGST02]
• For any invertible binary matrix M ∈ {0,1}^{n×n}: U_M|x⟩ = |Mx⟩
• Alice
  – picks random invertible matrix M,
  – applies U_M,
  – applies Hadamard with probability ½ to each qubit
• Exercise: this preserves |Φ+^n⟩ = Σ_x |x⟩_A |x⟩_B
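The following Python is an added worked example, not code from the talk or from any of the cited papers. It is a tiny two-register state-vector simulation that checks the slide's "Exercise" (U_M ⊗ U_M and H ⊗ H on the same qubits leave |Φ+^n⟩ unchanged), computes the exact acceptance probability of the Phase II test on honest EPR pairs, and then computes it again after an intercept-and-resend Eve who measures Bob's halves in the computational basis. The dict-based state encoding, the function names, the choice of M (upper unitriangular, hence invertible over GF(2)) and the seed are this example's own assumptions. It also illustrates the Information vs Disturbance slide: Eve learns x, but the pairs collapse to the product state |x⟩_A|x⟩_B, and the Hadamard half of the test then rejects it with probability 1 − (3/4)^k.

```python
"""Added example: a toy state-vector check of the EPR-pair tampering test.
Not code from the talk.  A state over Alice's and Bob's n-qubit registers is
a dict {(a_bits, b_bits): amplitude}; missing keys have amplitude 0."""
import math
import random
from itertools import product

SQ2 = math.sqrt(2.0)


def epr_state(n):
    """|Phi+^n> = 2^(-n/2) * sum_x |x>_A |x>_B, i.e. n EPR pairs."""
    amp = 1.0 / math.sqrt(2 ** n)
    return {(x, x): amp for x in product((0, 1), repeat=n)}


def mat_vec(M, x):
    """M x over GF(2); M is an n x n 0/1 matrix, assumed invertible."""
    return tuple(sum(M[i][j] * x[j] for j in range(len(x))) % 2 for i in range(len(M)))


def apply_um(state, M, side):
    """U_M |x> = |Mx> on register `side` (0 = Alice, 1 = Bob): a basis permutation."""
    out = {}
    for key, amp in state.items():
        new_key = list(key)
        new_key[side] = mat_vec(M, key[side])
        out[tuple(new_key)] = out.get(tuple(new_key), 0.0) + amp
    return out


def apply_h(state, side, q):
    """Hadamard on qubit q of register `side`: |c> -> (|0> + (-1)^c |1>) / sqrt 2."""
    out = {}
    for key, amp in state.items():
        bits, c = list(key[side]), key[side][q]
        for v in (0, 1):
            bits[q] = v
            new_key = list(key)
            new_key[side] = tuple(bits)
            sign = -1.0 if (c == 1 and v == 1) else 1.0
            out[tuple(new_key)] = out.get(tuple(new_key), 0.0) + sign * amp / SQ2
    return out


def measure_z(state, side, q, rng):
    """Projective 0/1 measurement of qubit q on register `side`; collapses the state."""
    p1 = sum(abs(a) ** 2 for k, a in state.items() if k[side][q] == 1)
    outcome = 1 if rng.random() < p1 else 0
    norm = math.sqrt(p1 if outcome == 1 else 1.0 - p1)
    return outcome, {k: a / norm for k, a in state.items() if k[side][q] == outcome}


def fidelity(s1, s2):
    """|<s1|s2>|^2."""
    return abs(sum(s1[k].conjugate() * a for k, a in s2.items() if k in s1)) ** 2


def agreement_probability(state, k):
    """Pr[measuring the last k qubits of A and of B gives identical strings]."""
    return sum(abs(a) ** 2 for (x, y), a in state.items() if x[-k:] == y[-k:])


def expected_accept(state, n, k, M):
    """Phase II test from the slides: both parties apply U_M, both apply H to the
    same subset S of qubits (each qubit with prob. 1/2), both measure the last k
    qubits, ACCEPT iff the results agree.  Returns the exact acceptance
    probability averaged over all 2^n choices of S."""
    total = 0.0
    for S in product((0, 1), repeat=n):
        s = apply_um(apply_um(state, M, 0), M, 1)
        for q, flip in enumerate(S):
            if flip:
                s = apply_h(apply_h(s, 0, q), 1, q)
        total += agreement_probability(s, k)
    return total / 2 ** n


def intercept_resend(state, n, rng):
    """Eve measures each of Bob's qubits in the computational basis and forwards
    it: she learns x, and the n pairs collapse to the product state |x>_A |x>_B."""
    leaked = []
    for q in range(n):
        bit, state = measure_z(state, 1, q, rng)
        leaked.append(bit)
    return tuple(leaked), state


def demo(n=2, k=2, seed=2005):
    """Returns (fidelity of the symmetry-transformed EPR state with the original,
    honest acceptance probability, acceptance probability after Eve's attack)."""
    M = [[1 if j >= i else 0 for j in range(n)] for i in range(n)]  # unitriangular: invertible
    epr = epr_state(n)
    sym = apply_um(apply_um(epr, M, 0), M, 1)     # the slide's "Exercise"
    for q in range(n):
        sym = apply_h(apply_h(sym, 0, q), 1, q)
    _x, tampered = intercept_resend(epr, n, random.Random(seed))
    return fidelity(epr, sym), expected_accept(epr, n, k, M), expected_accept(tampered, n, k, M)
```

demo() with n = k = 2 returns (1.0, 1.0, 0.5625): the transformed state has fidelity 1 with |Φ+^n⟩, honest pairs always pass, and Eve's product state passes the two-qubit test only 9/16 of the time (each tested qubit agrees with probability 1 when no Hadamard is applied and 1/2 when one is). Note that the 2^{−k} figure on the next slide is for states orthogonal to |Φ+^n⟩; Eve's product state still has overlap 2^{−n} with it, so the numbers here show only the mechanics of the test, not that bound.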
Analyzing Security
• Joint state A,B = |Φ+^n⟩ ⇒ test passes w.p. 1
• Joint state A,B ⊥ |Φ+^n⟩ ⇒ test passes w.p. 2^{−k}
  [figure: span(|Φ+^n⟩) and its orthogonal complement span(|Φ+^n⟩)^⊥]
• How can we use this?
  – What's the security statement?
  – How can we prove it?
Analyzing Security
• We want "n − k perfect EPR pairs or REJECT" with high probability (a subspace + a subspace)
• To show closeness, look at the state before the test:
  |ψ⟩_ABE = α (AB ∥ |Φ+^n⟩) + β (AB ⊥ |Φ+^n⟩)
• Each piece is mapped close to the good subspace by the test U
Analyzing Security
• Theorem: the global state is close to the subspace "n − k perfect EPR pairs or REJECT"
• Are we done?
  – Intuitively meaningful
  – What's the definition of security here?
• This can be used to build a simulator
  – Good enough to prove UC security [BM, BHLMO'05]
Security as Simulatability [BHLMO'05]
• Theorem: the global state is close to the subspace "n − k perfect EPR pairs or REJECT"
  [figure: real execution with Adv vs. ideal execution with Sim]
• Ideal protocol:
  – Trusted party asks Eve "Abort or run?"
  – Eve answers 1 bit
  – If "Run" then give good keys to Alice and Bob
• Simulator:
  – Runs a dummy execution with the adversary
  – Outputs Eve's view
  – If Eve aborts, send "abort", else send "run"
• Strong guarantee!
Lessons of QKD
• We can sometimes test for disturbance
  – Hence for information
• Security proven through simulator
  – Proximity to "good" subspace [LC'99, CGS'02, BHLMO'05]
  – Simple form of simulator is good
  – All* QKD protocols have a simulator! [BHLMO'05]
• Deniability and adaptivity more tricky
  – Some protocols but not all [B'02]
New Difficulties (& Partial Solutions)
Computational Assumptions Broken
• Factoring and discrete logarithm in BQP [S'94]
• Still lots of candidate one-way functions
• Few candidates for public-key encryption, OT
  – Lattices, codes
• No candidates for
  – Trapdoor 1-way permutations (though see [OTU'00])
  – Non-interactive ZK for NP (though see [K'03])
• See workshop http://postquantum.cr.yp.to/
New Difficulties (& Partial Solutions)
Definitional Paradigms May No Longer Apply
• UC paradigm is ok ([BM'05]); what else?
• Bit Commitment
  – Standard requirement: adversary cannot produce a pair (decommitment to 0, decommitment to 1)
  – OK if commitment is perfectly binding
  – Claim: unconditionally-secure QBC [BCJL]
    – Adversary cannot decommit to both 0 and 1.
    – But… she can decommit to either!
  – Workable definitions given later (but complicated) [CDMS, DFS]
New Difficulties (& Partial Solutions)
Information-theoretic Proofs Also Get Broken
• Protocols based on extractors: not clear if they remain secure against bounded quantum memory
  – (Pairwise-independent hashing is ok [KMR])
• Multi-prover commitment schemes can be broken [CST]
  – Some of them can still be fixed, but require very careful proofs.
  – E.g.: adversary can win the magic square game
  – See Ben Toner's talk
New Difficulties (& Partial Solutions)
Basic Proof Techniques May Fail
• Fixing random coins
  – Binding in multiprover commitment schemes
  – Many other places
• Rewinding in ZK proof systems
  – Exception: [Watrous, 2005]
Rewinding and Simulation
• Wanted: simulator that fools quantum adversaries
  [figure: real execution with Adv vs. ideal execution with Sim]
• Some simulators do work
  – "Rigid straight-line simulator": uses only one black-box run of the adversary, even in the proof of correctness of the simulation
• Few protocols have rigid simulators!
  – Key distribution
  – Multiparty computation [BGW88, CCD88, RB89, etc.]
Rewinding in Zero Knowledge: Graph Isomorphism
ZK proof for graph isomorphism: input G0, G1. The prover is given σ s.t. σ(G0) = G1.
• Prover: π ← S_n, sends π(G0)
• Verifier: b ← {0,1}, sends b
• Prover: sends π·σ^{−b}; the verifier accepts iff this permutation maps G_b to π(G0)
Rewinding in Zero Knowledge: Graph Isomorphism
• Classical simulator (the verifier Vic holds auxiliary input aux):
  – g ← {0,1}, π ← S_n
  – Send π(G_g) to Vic, receive b
  – If g = b, output state of Vic
  – Else, start over!
• What if Vic and aux are quantum?
  – Need to copy to start over
  – First execution might destroy aux
• Is the protocol still deniable?
Simulator for Quantum Verifier [W'05]
• Start from the classical simulator: g ← {0,1}, π ← S_n; send π(G_g) to Vic (holding aux), receive b; output (g = b?, state of Vic)
1. "Purify" the protocol
  – Postpone measurements, keep all outputs quantum
2. Measure 1 qubit: g ⊕ b
  – If the simulation is successful, output Vic's state. Else: make it successful
• Measuring g ⊕ b defines two subspaces W0, W1.
• Every verifier Vic defines two states |ψ0⟩, |ψ1⟩ (the normalized components of the purified simulator's state in W0 and W1).
• Theorem [Watrous'05]: there is a poly-time unitary U_Vic s.t. U_Vic|ψ0⟩ = |ψ1⟩.
3. If the simulation is successful, output Vic's state. Else apply U_Vic and output the state.
Lessons from Watrous' Simulation
• Quantum simulators are surprisingly powerful
  – NB: strict poly-time simulation
• Refines our understanding of protocols
  – This simulation works for a subclass of protocols
    – Simulator's success prob. independent* of aux
    – In particular, Hamiltonian path and 3-coloring
  – Not a subclass that had appeared before (?)
• Use quantum tricks to defeat a quantum adversary
Questions to think about
Quantum Information Requires New Intuitions
• Multi-prover Interactive Proofs [CHTW04, CST05]
  – Soundness proofs via impossibility of supra-luminal signaling
• Composability and auxiliary information
  – Some primitives require keys only half as long if the input is unentangled with the outside world
• Classical Secrecy Sometimes the Best Analogue
  – Secret sharing schemes ↔ error-correcting codes
    – Approximate quantum codes beat the quantum Singleton bound
  – Secret key capacity ↔ quantum conditional entropy
    – Negative entropies have similar interpretations
Things I Didn't Talk About
• Key re-use
• Deniability
• Bounded quantum memory / processing
• Uncloneable encryption
• …
Interesting (to me) Questions that might be Open
• Extending Watrous' argument:
  – What types of rewinding work for quantum adversaries?
  – E.g. can we get quantum proofs of knowledge for NP?
• Two-party quantum computation?
• One-way (or trapdoor) permutation candidates which are classically computable in the forward direction?
  – See [OTU'00] for a partial version
• UC impossibility results?
Some references from the talk (a very partial list!)
• [AMTW00] Andris Ambainis, Michele Mosca, Alain Tapp, Ronald de Wolf: Private Quantum Channels. FOCS 2000: 547-553.
• [BCGST02] H. Barnum, C. Crepeau, D. Gottesman, A. Smith, A. Tapp: Authentication of Quantum Messages. Proc. 43rd IEEE Symposium on the Foundations of Computer Science (FOCS 2002): 449-458. Full version: quant-ph/0205128.
• [BCJL] Gilles Brassard, Claude Crépeau, Richard Jozsa, Denis Langlois: A Quantum Bit Commitment Scheme Provably Unbreakable by both Parties. FOCS 1993: 362-371.
• [BH05] Michael Ben-Or, Avinatan Hassidim: Fast Quantum Byzantine Agreement. STOC 2005: 481-485.
• [BHLMO'05] Michael Ben-Or, Michal Horodecki, Debbie W. Leung, Dominic Mayers, Jonathan Oppenheim: The Universal Composable Security of Quantum Key Distribution. TCC 2005: 386-406. quant-ph/0409078.
• [BM'05] Michael Ben-Or, Dominic Mayers: General Security Definition and Composability for Quantum & Classical Protocols. quant-ph/0409062.
• [CDMS] Claude Crépeau, Paul Dumais, Dominic Mayers, Louis Salvail: Computational Collapse of Quantum State with Application to Oblivious Transfer. TCC 2004: 374-393.
• [CGS02] C. Crepeau, D. Gottesman, A. Smith: Secure Multi-Party Quantum Computation. Proc. 34th ACM Symposium on the Theory of Computing (STOC 2002): 643-652. quant-ph/0206138.
• [CHTW04] R. Cleve, P. Høyer, B. Toner, J. Watrous: Consequences and Limits of Nonlocal Strategies. Proc. 19th IEEE Annual Conference on Computational Complexity (CCC 2004): 236-249.
• [CST'05] C. Crepeau, J.-R. Simard, A. Tapp: Classical and Quantum Strategies for Two-Prover Bit Commitments. Manuscript, 2005.
• [DFS] Ivan Damgård, Serge Fehr, Louis Salvail: Zero-Knowledge Proofs and String Commitments Withstanding Quantum Attacks. CRYPTO 2004: 254-272.
• [E91] Artur K. Ekert: Quantum Cryptography Based on Bell's Theorem. Phys. Rev. Lett. 67, 661-663 (1991).
• [G] D. Gottesman: Uncloneable Encryption. Proc. 6th International Conf. on Quantum Communication, Measurement, and Computing, eds. J. H. Shapiro and O. Hirota, pp. 405-410 (Rinton Press, Princeton, NJ, 2003). Full version: Quantum Information and Computation 3(6), 581-602 (2003), quant-ph/0210062.
• [K'03] Hirotada Kobayashi: Non-interactive Quantum Perfect and Statistical Zero-Knowledge. ISAAC 2003: 178-188.
• [KMR] Robert Koenig, Ueli Maurer, Renato Renner: On the Power of Quantum Memory. IEEE Transactions on Information Theory 51(7): 2391-2401, July 2005. http://arxiv.org/abs/quant-ph/0305154.
• [LC99] Hoi-Kwong Lo, H. F. Chau: Unconditional Security of Quantum Key Distribution over Arbitrarily Long Distances. Science 283(5410): 2050-2056, 26 March 1999.
• [M,LC] D. Mayers: Unconditionally Secure Quantum Bit Commitment is Impossible. Phys. Rev. Lett. 78, 3414-3417 (1997). -- and -- H.-K. Lo, H. F. Chau: Why Quantum Bit Commitment and Ideal Quantum Coin Tossing are Impossible. Physica D 120, 177-187 (1998). quant-ph/9711065.
• [OTU'00] Tatsuaki Okamoto, Keisuke Tanaka, Shigenori Uchiyama: Quantum Public-Key Cryptosystems. CRYPTO 2000: 147-165.
• [S'94] Peter W. Shor: Algorithms for Quantum Computation: Discrete Logarithms and Factoring. FOCS 1994: 124-134.
• [W'05] J. Watrous: Zero-Knowledge Against Quantum Attacks. arXiv e-print quant-ph/0511020, 2005.
Thank you
Questions?
This talk to be posted on:
http://theory.csail.mit.edu/~asmith