Cryptography with Quantum Data
Adam Smith (Weizmann → IPAM → Penn State)
IPAM Workshop on Foundations of Cryptography, November 14, 2006
Cryptography in a Quantum World
• Landscape changes!
  - New features appear
  - New difficulties arise
  - Some key pieces unchanged
• Needed: Tools and language for reasoning about quantum adversaries
• The field is still very young
  - Some successes… … occasional mistakes
  - Lots of questions!
[Picture: Isaac Newton (1642-1727), captioned "quantum thinkers needed"]
Some Things That Change
• Unconditional key exchange [BB84,…]
• Factoring + DL broken [Sho]
• Weak 2-party unconditional primitives
  - coin flipping [ATVY,Amb]
  - string commitment [BCHLW]
• Some multi-prover commitments insecure [CST]
• Some extractors fail vs quantum memory [IKW]
  - But some are OK [KMR]
• Some simulators for ZK proofs fail, but new ones can sometimes be built [Wat]
• Bounded Storage Model more powerful [DFSS]
• See survey talk on http://theory.csail.mit.edu/~asmith
This talk: Salient Features (a partial* list)
• Multiparty Quantum Computing
  - Parties hold quantum inputs
  - Want to evaluate a quantum circuit
  - Generalizes classical MPC
• Two feasibility results
  - Statistical MPQC, cheating minority, à la [RB'89]
  - Computational MPQC for arbitrary subsets, à la [GMW'87], under non-standard assumption
• Along the way:
  - Some infeasibility results
  - Authentication and Approximate Error-Correction
  - ZK Proofs of Knowledge
* = incomplete and biased
This Talk
• Basics of quantum computing
• Multiparty Quantum Computing (MPQC)
• Codes and Authentication
• MPQC with a cheating minority
• Beyond a faulty minority: 2-party QC
  - ZK for quantum adversaries
Quantum Information: Pure States
• "Pure states" = vectors in complex space
• "qubit" = basic unit of quantum information: a superposition of |0⟩ and |1⟩ with complex amplitudes whose squared magnitudes sum to 1
• Register of n qubits: a superposition of the basis states |x⟩ (where x ∈ {0,1}^n)
• NB: qubit-by-qubit description not enough: 2^n numbers vs 2n numbers
[Figure: a superposition of |0⟩ and |1⟩ drawn as a vector between the |0⟩ and |1⟩ axes]
Quantum Circuits: 2 kinds of gates
• Invertible operations on n qubits = 2^n × 2^n unitary matrices (U⁻¹ = U†); a state |·⟩ is mapped to U|·⟩
  - e.g. Hadamard = (1/√2) [[1, 1], [1, −1]]
• Projective measurements: ask a qubit "are you 0 or 1?"; the state becomes |0⟩ or |1⟩ (according to the output), each with probability given by the squared amplitude. Destructive!
[Figure: a superposition of |0⟩ and |1⟩ collapsing to |0⟩ or |1⟩, each with probability |amplitude|²]
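The two kinds of gates above, simulated for a single qubit. This is an added Python example, not code from the talk: the state vector, the Hadamard matrix, the non-unitary "shear" matrix used as a counterexample and the seeded measurement are all constructed here. It shows the unitarity test U†U = I that separates legal gates from merely invertible ones, the Born-rule probabilities |amplitude|², and that a second measurement of a collapsed state always repeats the first (the destructiveness the slide mentions).

```python
import math
import random

# A single qubit is stored as its two complex amplitudes (a, b) for the state a|0> + b|1>.
# A gate is a 2x2 matrix written as a tuple of rows.  All values are constructed for this
# example and are not taken from the talk.

INV_SQRT2 = 1 / math.sqrt(2)
HADAMARD = ((INV_SQRT2, INV_SQRT2), (INV_SQRT2, -INV_SQRT2))  # (1/sqrt 2) [[1, 1], [1, -1]]
NOT_GATE = ((0, 1), (1, 0))                                    # Pauli X, the quantum NOT
SHEAR = ((1, 1), (0, 1))                                       # invertible, but NOT unitary
ZERO = (1 + 0j, 0j)                                            # the basis state |0>


def apply(gate, state):
    """Apply a 2x2 gate to a qubit: an ordinary matrix-vector product."""
    a, b = state
    return (gate[0][0] * a + gate[0][1] * b, gate[1][0] * a + gate[1][1] * b)


def dagger(gate):
    """Conjugate transpose U^dagger of a 2x2 matrix."""
    return ((complex(gate[0][0]).conjugate(), complex(gate[1][0]).conjugate()),
            (complex(gate[0][1]).conjugate(), complex(gate[1][1]).conjugate()))


def matmul(g, h):
    """2x2 matrix product g*h."""
    return tuple(tuple(sum(g[i][k] * h[k][j] for k in range(2)) for j in range(2))
                 for i in range(2))


def is_unitary(gate, tol=1e-9):
    """A matrix is a legal quantum gate iff U^dagger U = I, i.e. U^-1 = U^dagger."""
    prod = matmul(dagger(gate), gate)
    identity = ((1, 0), (0, 1))
    return all(abs(prod[i][j] - identity[i][j]) < tol for i in range(2) for j in range(2))


def probabilities(state):
    """Projective measurement in the {|0>,|1>} basis: outcome k has probability |amplitude_k|^2."""
    a, b = state
    return (abs(a) ** 2, abs(b) ** 2)


def measure(state, rng=None):
    """Destructive measurement: sample an outcome and collapse the state onto it."""
    rng = rng or random
    p0, _ = probabilities(state)
    outcome = 0 if rng.random() < p0 else 1
    collapsed = (1 + 0j, 0j) if outcome == 0 else (0j, 1 + 0j)
    return outcome, collapsed


def measure_twice(state, seed=0):
    """Measure, then measure the collapsed state again; the second outcome repeats the first."""
    rng = random.Random(seed)
    first, collapsed = measure(state, rng)
    second, _ = measure(collapsed, rng)
    return first, second


if __name__ == "__main__":
    plus = apply(HADAMARD, ZERO)
    print("H|0> amplitudes:", plus)
    print("measurement probabilities:", probabilities(plus))
    print("H unitary:", is_unitary(HADAMARD), "; shear unitary:", is_unitary(SHEAR))
    print("H applied twice returns |0>:", apply(HADAMARD, plus))
    print("measuring twice:", measure_twice(plus, seed=7))
```

Applying HADAMARD to ZERO gives equal 1/2 probabilities for both outcomes, applying it twice returns |0⟩ (H is its own inverse, as U⁻¹ = U† predicts), and the shear matrix is rejected by the unitarity test even though it is invertible.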
Information versus Disturbance
• Important principle of quantum mechanics
• Consequence: No cloning!
• Theorem: If register A equals the input state for all inputs, then register B is independent of the input
• Information ⇒ Disturbance
  Secrecy ⇐ Resilience to errors
[Figure: U applied to the input state, with output registers A and B; picture of Dolly the sheep]
Classical Multiparty Computation
• Resource: number of honest players
[Figure: Alice (xA), Bob (xB), Charlie (xC), Diane (xD), Eve (xE), Fred (xF), George (xG) and Harriet (xH) each feed their input to a trusted classical circuit C; some of the players are cheaters, who are matched by a simulator]
Quantum Multiparty Computation
• Each player sends quantum input
• Receives quantum output
• Secure against UC distinguisher
• Generalizes classical SFE
• New techniques are needed
  - Players cannot keep copies of their input
  - Rewinding may not be possible
  - Need to operate on encoded / encrypted quantum states
[Figure: the same eight players feed their inputs to a trusted quantum circuit C; cheaters are matched by a simulator; picture of Dolly the sheep]
Some Terminology
• With abort?
  - This talk: unfair abort (based on cheaters' output)
• Perfect / statistical security
• Computational security
Basic Feasibility Results (assuming broadcast)
Number of cheaters t, out of n players: 0 … n/6 … n/4 … n/3 … n/2 … n

Classical:
• Perfect MPC [BGW,CCD] for t < n/3; perfect MPC impossible for t ≥ n/3
• Statistical MPC [RB] for t < n/2; statistical MPC impossible for t ≥ n/2 (even with abort)
• Computational MPC with abort [GMW] for any t < n

Quantum (Q):
• MPQC for t < n/6 [CGS'02]
• Perfect MPQC impossible for t ≥ n/4 [CGS'02-'05]
• Statistical MPQC [BCGHS'06] for t < n/2; statistical MPQC impossible for t ≥ n/2 (even with abort)
• Computational* MPQC with abort [S] for any t < n
Basic Feasibility Results (assuming broadcast), continued
• [CGS'02]: use error-correcting codes and fault-tolerant circuits [AB]
• 2nd real proof of quantum security
• Barrier at n/4: quantum codes [KL]
• Authentication codes [BCGST'02] give
  - approximate codes [CGS'05]
  - reduction to computation on keys
This Talk
• Basics of quantum computing
• Multiparty Quantum Computing
• Codes and Authentication
  - Quantum error-correcting codes
  - A spurious lower bound
  - Authentication
  - Approximate Codes and Secret Sharing
• MPQC with a cheating minority
• Beyond a faulty minority: 2-party QC
  - ZK for quantum adversaries
Error Correcting Codes
• Map k qubits → n qubits (introduce redundancy)
• If few qubits corrupted or erased, decoder recovers input exactly
• Tricky because of no cloning: repetition code doesn't work
• Good codes exist [CSS]. Over large alphabet [AB99]: correct (n-1)/4 errors or (n-1)/2 erasures
[Figure: input state → E(·) → channel → corrupted codeword → decoding → input state]
Quantum codes cannot correct n/4 errors
• As in the classical case: correct t errors ⇔ correct 2t erasures
  [Figure: a block of 2t positions split into two blocks of t]
• Quantum codes cannot correct n/2 erasures: no cloning
  ⇒ Quantum codes cannot correct n/4 errors (not true of classical codes: repetition)
[Figure: two decoders, each given half of E(state), would both output the state, i.e. a clone; picture of Dolly the sheep]
A spurious lower bound
Lemma: Every MPQC protocol tolerating t cheaters implies existence of a code correcting t errors with high fidelity (honest players should be able to reconstruct the output).
[Slide annotation: the lemma is marked FALSE as stated; it holds for perfect MPQC (CGS'05)]
• [CGS'02]: MPQC is impossible for t ≥ n/4
• How do we get around this?
  - Authenticating quantum states [BCGST]
  - Approximate QECC break the n/4 bound
  - Connection to secret sharing
[Figure: the eight players Alice (xA), Bob (xB), Charlie (xC), Diane (xD), Eve (xE), Fred (xF), George (xG), Harriet (xH) running the protocol]
Authenticating Quantum Messages [BCGST]
• How does Alice know it's Bob? Classical MACs
• What if he needs to send her qubits?
• System behaves like a "channel with veto": Eve inputs one bit (accept/reject)
  - No cloning ⇒ if Bob accepts, Eve learns nothing
  - In fact, Eve learns nothing. Ever. Authentication ⇒ encryption
• [BCGST'02] poly-time protocols: m qubits → 2m + 2 log(m/[error parameter]) bits of key
  - Construction on board?
[Figure: Alice sends Ak(state) to Bob under classical key k; Eve sits on the channel; Bob outputs the state or "?" (reject); picture of Dolly the sheep]
Approximate Codes [CGS'05]
• Code "correcting" (n-1)/2 errors
• Start with an (n-1)/2-erasure-correcting code
  - Authenticate each piece
  - Secret-share keys
  - Use classical MACs to authenticate keys
• AQECC "correcting" (n-1)/2 errors
  - If any majority of pieces untouched, then original state recovered approximately
  - Correct twice as many errors
  - No classical analogue in codes… (see also [LNCY])
[Figure: E(state) = Ak(piece 1), Ak(piece 2), Ak(piece 3), Ak(piece 4), Ak(piece 5), plus classical shares and MAC of the authentication keys]
Secret Sharing and Quantum Codes
• AQECCs smell like secret sharing
  - Similar to Rabin and Ben-Or '89
• [CGL] Every quantum code is a SS scheme
• Lesson of AQECC: best viewed as robust SS (a.k.a. PSMT)
  - Secret sharing is the right classical analogue of quantum error-correction
  - "Cryptography is everything!" (S. Micali)
[Figure: E(state) with some positions erased → decoding → original state; the erased part carries no info; picture of Dolly the sheep]
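The classical analogue the slides keep returning to, worked through in code: polynomial (Shamir-style) secret sharing over a prime field, which is also the large-alphabet polynomial code behind the "(n-1)/4 errors or (n-1)/2 erasures" figures on the Error Correcting Codes slide. This is an added Python example, not the talk's or the cited papers' code; the field size, the secret and the corrupted-share positions are constructed for the example. It shows the erasures-versus-errors ratio (any d+1 surviving shares recover the secret, but unique decoding against corrupted shares needs 2e ≤ n-d-1, half the erasure budget) and the brute-force decoder that finds the polynomial agreeing with all honest shares, the job that MACs on shares make cheap in robust secret sharing.

```python
import itertools
import random

# Constructed example: a secret is the constant term of a random polynomial of degree d
# over the field GF(PRIME); share i is the polynomial's value at x = i (i = 1..n).

PRIME = 2**31 - 1  # Mersenne prime, chosen here for the example


def eval_poly(coeffs, x):
    """Evaluate sum_j coeffs[j] * x^j mod PRIME with Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def share(secret, n, degree, seed=0):
    """Return {i: share_i} for i = 1..n; any degree+1 shares determine the secret."""
    rng = random.Random(seed)
    coeffs = [secret % PRIME] + [rng.randrange(PRIME) for _ in range(degree)]
    return {i: eval_poly(coeffs, i) for i in range(1, n + 1)}


def interpolate(points, x):
    """Lagrange interpolation: value at x of the unique polynomial through the points."""
    total = 0
    for xi, yi in points.items():
        num, den = 1, 1
        for xj in points:
            if xj != xi:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def max_erasures(n, degree):
    """Erasures tolerated: only degree+1 surviving shares are needed."""
    return n - degree - 1


def max_errors(n, degree):
    """Corrupted shares tolerated with unique decoding: 2e <= n - degree - 1,
    i.e. half the erasure budget (the slide's t errors vs 2t erasures)."""
    return (n - degree - 1) // 2


def recover_from_erasures(shares, degree):
    """shares: dict of the surviving (index, value) pairs; None if too few survive."""
    if len(shares) < degree + 1:
        return None
    return interpolate(dict(list(shares.items())[: degree + 1]), 0)


def recover_from_errors(shares, n, degree):
    """Brute-force decoding with up to max_errors(n, degree) corrupted (not missing) shares:
    return the secret of the degree-d polynomial agreeing with at least n - e shares.
    Two distinct degree-d polynomials agree on at most d points, so the bound on e
    makes that polynomial unique."""
    e = max_errors(n, degree)
    for subset in itertools.combinations(shares.items(), degree + 1):
        candidate = dict(subset)
        agree = sum(1 for i, y in shares.items() if interpolate(candidate, i) == y)
        if agree >= n - e:
            return interpolate(candidate, 0)
    return None


if __name__ == "__main__":
    n, d = 5, 2  # d = (n-1)/2: 2 = (n-1)/2 erasures or 1 = (n-1)/4 errors, as on the slide
    s = share(12345, n, d, seed=1)
    print("erasures / errors tolerated:", max_erasures(n, d), max_errors(n, d))
    print("from shares 1,3,5:", recover_from_erasures({i: s[i] for i in (1, 3, 5)}, d))
    corrupted = dict(s)
    corrupted[3] = (corrupted[3] + 7) % PRIME
    print("with share 3 corrupted:", recover_from_errors(corrupted, n, d))
```

With n = 5 pieces and degree 2 the scheme survives two missing pieces or one corrupted piece, which is exactly the (n-1)/2 versus (n-1)/4 gap; with only two shares every secret is still consistent, which is the "no info" half of the picture above. The quantum codes on the slide stop at (n-1)/4 errors for the no-cloning reason given there; the AQECC construction attaches authentication to each piece precisely so that corrupted pieces can be recognised and treated as erasures instead.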
MPQC with a cheating minority
• AQECC is the basic underlying code
  - Need to operate on encoded states
• Two more tools
  - Computing on keys: authenticate data using [BCGST]; operate on the state by changing the classical key
    Trivial example: one-time pad E_k(x) = x + k and a matrix A: A(E_k(x)) = E_{Ak}(Ax)
    This performs Clifford operations
  - Fault-tolerant QC [Shor,AB,BCGHS]: can use Clifford ops to verify a universal set of gates; get cheaters to perform gates, then check
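The "computing on keys" identity A(E_k(x)) = E_{Ak}(Ax), worked through for the trivial example the slide names. This is an added Python example and not the talk's own code: the one-time pad is XOR over bit vectors, A is a random 0/1 matrix over GF(2), and the AND gate is used as a constructed counterexample. The point it shows is that the party holding the ciphertext can apply A without the key while the key holder updates k to Ak without ever seeing x, and that this trick is specific to linear maps: for a non-linear gate the two sides disagree, which is the classical shadow of the slide's restriction to Clifford operations.

```python
import random

# Constructed example: a classical one-time pad E_k(x) = x XOR k on bit vectors, and
# a 0/1 matrix A applied over GF(2).  Because XOR is linear, A(E_k(x)) = E_{Ak}(Ax).


def xor(u, v):
    return [a ^ b for a, b in zip(u, v)]


def encrypt(key, x):
    return xor(x, key)


def decrypt(key, ciphertext):
    return xor(ciphertext, key)


def apply_matrix(A, v):
    """Matrix-vector product over GF(2)."""
    return [sum(a * b for a, b in zip(row, v)) % 2 for row in A]


def compute_on_ciphertext(A, key, ciphertext):
    """The party without the key applies A to the ciphertext; the key holder applies A
    to the key.  Neither learns x.  Returns the new (ciphertext, key) pair."""
    return apply_matrix(A, ciphertext), apply_matrix(A, key)


def homomorphism_holds(A, key, x):
    """Check that A(E_k(x)) decrypts under the updated key Ak to Ax."""
    new_ciphertext, new_key = compute_on_ciphertext(A, key, encrypt(key, x))
    return decrypt(new_key, new_ciphertext) == apply_matrix(A, x)


def and_gate(v):
    """AND of the first two bits: a non-linear map, so key updating cannot track it."""
    return [v[0] & v[1]]


def and_gate_commutes(key, x):
    """Does AND(E_k(x)) equal E_{AND(k)}(AND(x))?  Only for some inputs, never in general."""
    return and_gate(encrypt(key, x)) == encrypt(and_gate(key), and_gate(x))


def random_instance(n, seed):
    """Constructed test data: random plaintext, key and n x n matrix over GF(2)."""
    rng = random.Random(seed)
    x = [rng.randrange(2) for _ in range(n)]
    k = [rng.randrange(2) for _ in range(n)]
    A = [[rng.randrange(2) for _ in range(n)] for _ in range(n)]
    return A, k, x


if __name__ == "__main__":
    A, k, x = random_instance(8, seed=42)
    print("linear map commutes with the pad:", homomorphism_holds(A, k, x))
    print("AND gate commutes for k=01, x=10:", and_gate_commutes([0, 1], [1, 0]))
```

The key holder's update k → Ak is the classical version of the slide's "operate on the state by changing the classical key"; the AND counterexample is why the slide needs fault-tolerant machinery for the non-Clifford gates of a universal set.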
MPQC with a cheating minority
• Share inputs
• Verify using RB-style machinery (a few more layers…)
• Compute
  - Reduce quantum computations to classical computations on keys
  - Use classical SFE to manipulate keys
  - UC framework allows modular design [BM]
• Distribute
• Bonus: get straight-line simulator
Basic Feasibility Results (assuming broadcast)
• Complete picture of robust MPQC (with no abort)
• Insights into coding along the way
• New tools for fault-tolerant computing
• Major factor: no cloning [picture of Dolly the sheep]
Two-party Quantum Computation
• Many ideas of MPQC can apply here
• AQECC replaced by commitment
• As before: operate on classical keys
• Need classical 2-party QC
[Figure: state → Ak(state), together with Commit(k)]
• Problem: standard ZK simulation + extraction arguments may not work in quantum world
  - Rewinding = cloning auxiliary info
  - Sequential composition is lost
• Big step: Watrous' simulator for 3-round ZK
  - Does not give knowledge extractor
• Idea: We can lie, need to read minds
  - Attach special preamble
  - Work in progress: need funny assumptions
  - Refine understanding of how we argue security
[Picture of Dolly the sheep]
Things I Did Not Talk About
• Proofs!
• Quantum Key Distribution
• Byzantine Agreement in full info model [BH]
• Randomness Extraction with Quantum Memories [AS'04, KMR'04, D'06, GIKRdW'06]
• Fault-tolerant QC
• Multiprover commitments [CST]
• …
Thanks
Co-authors: Howard Barnum (LANL), Michael Ben-Or (HUJI), Claude Crépeau (McGill), Daniel Gottesman (Perimeter/Waterloo), Avinatan Hasidim (HUJI), Alain Tapp (Montreal)
Discussions: Boaz Barak, Louis Salvail, Jon Katz, …