Cryptography In the Bounded QuantumStorage Model - PowerPoint PPT Presentation

1 / 42

About This Presentation

Title:

Cryptography In the Bounded QuantumStorage Model

Description:

Cryptography In the. Bounded Quantum-Storage Model. Christian Schaffner, BRICS ... Two-Party Crypto Primitives. Protocol for Oblivious Transfer. Security Proof ... – PowerPoint PPT presentation

Number of Views:46

Avg rating:3.0/5.0

Slides: 43

Provided by: christian93

Category:

more less

Transcript and Presenter's Notes

Title: Cryptography In the Bounded QuantumStorage Model

1
Cryptography In theBounded Quantum-Storage Model
joint work with Ivan Damgård, Serge Fehr and
Louis Salvail

Christian Schaffner, BRICS
University of Århus, Denmark
9th workshop on QIP 2006, Paris
Tuesday, January 17th 2006

2
Agenda

Two-Party Crypto Primitives
Protocol for Oblivious Transfer
Security Proof
Protocol for Bit Commitment
Practicality Issues
Open Problems

3
Classical 2-party primitives Rabin Oblivious
Transfer
Receiver
Sender
OT
b
b / ?

Alice

correct For honest Alice and Bob, Bob gets the
bit b with probability ½.
sender-private If Alice is honest, (cheating)
Bob does not get information about b with
probability bigger than ½.
receiver-private If Bob is honest, (cheating)
Alice does not learn, whether Bob received the
bit or not.

4
Classical 2-party primitivesBit Commitment
Verifier
BC
Committer
b
Cb
b
b in Cb?

correct BC allows Alice to commit to a bit b.
Later, she can open Cb to Bob.
hiding If Alice is honest, (cheating) Bob does
not get information on b from Cb.
binding If Bob is honest, (cheating) Alice
cannot open Cb to a bit b ? b.

5
Classical 2-party primitives Relations

sender-private
receiver-private

hiding
binding

OT ) BC
OT is complete for two-party cryptography

6
Known Impossibility Results

In the classical unconditionally secure model
without further assumptions

OT
)

In the unconditionally secure model with quantum
communication
Mayers97, Lo-Chau97

BC
7
Three Ways Out

Bound computing power (schemes based on
complexity assumptions)
Noisy communication CrépeauKilian88, Crépeau97,
Physical limitations

OT
?

Physical limitations
e.g. bound memory size of the players

BC
?
8
Classical Bounded-Storage ModelMaurer92

long random string in the sky which players try
to store
a memory bound applies at a specified moment
(string disappears)
protocol for OT CCM98, DHRS04 memory size of
honest players k memory of dishonest
players ltk2
Tight bound DM04
can be improved by allowing quantum communication

OT
BC
9
Bounded Quantum-Storage Model

quantum memory bound applies at a specified
moment
besides that, players are unbounded (in time and
space)
unconditional security against adversaries with
quantum memory of less then half of the
transmitted qubits
honest players do not need quantum memory at all
honest players 0 k dishonest players ltn/2 ltk2

OT
?
BC
?
10
Agenda

Two-Party Crypto Primitives
Protocol for Oblivious Transfer
Security Proof
Protocol for Bit Commitment
Practicality Issues
Open Problems

11
Quantum Notation
basis
basis
Measurements
with prob. ½ yields 0
with prob. ½ yields 1
prob. ½ 0
prob. ½ 1
12
Quantum Protocol for OT
Bob
Alice
0110
0110
Wiesner70
Example honest players
13
Quantum Protocol for OT II
Bob
Alice
0110
0011
?
?
honest players?
receiver-private?
14
Sender-privacy against dishonest Bob?
Bob
Alice
unbounded classical memory!
0110

11
15
Proof of Sender-Privacy PurificationEkert91
Bob
Alice
16
Proof of Sender-Privacy Distributions
Bob
Alice
17
Proof of Sender-Privacy Example
Bob
Alice
p
q
2-4
2-4

0000
0001
0010
0011
0100
0101
0110
0000
0001
0010
0011
0100
0101
0110

18
Proof of Obliviousness Distributions II
Bob
Alice
001
19
Proof of Sender-Privacy Goal
p
q

0001
0010
0011
0100
0101
0110
0000
x
x
0111
1000
1001
1010
0001
0010
0011
0100
0101
0110
0000
0111
1000
1001
1010
20
Privacy Amplification
Privacy Amplification against Quantum Adversaries
Renner König, TCC 2005
p

Theorem
21
Sender-Privacy Transformation
p
q

x
x
22
Sender-Privacy Uncertainty Relation
p
q

x
x
23
General Uncertainty Relation
24
Proof of Sender-Privacy Finale
p
q

x
x
25
Proof of Sender-Privacy Recap
Bob
Alice
26
Proof of Sender-Privacy Recap II
Bob
Alice
27
Proof of Sender-Privacy Recap III
Bob
Alice
p
q

x
x
001
28
Proof of Sender-Privacy Recap IV
Bob
Alice
p
q

x
x
29
Privacy Amplification is Necessary
Bob
Alice
30
Privacy Amplification is Necessary II
Bob
Alice
Bell-
31
Privacy Amplification is Necessary !
Bob
Alice
Bell-
32
Agenda

Two-Party Crypto Primitives
Protocol for Oblivious Transfer
Security Proof
Protocol for Bit Commitment
Practicality Issues
Open Problems

33
Quantum Protocol for Bit Commitment
Verifier
Committer
BC
34
Quantum Protocol for Bit Commitment II
Verifier
Committer
memory bound store lt n/2 qubits

one round, non-interactive
commit by receiving! application e.g. passive
time-stamping
unconditionally hiding
unconditionally binding
classically Memdis lt 2 Memhon
quantum Memdis lt n / 2

BC
35
Binding Property Proof Idea
Verifier
Committer
BC
?
36
Agenda

Two-Party Crypto Primitives
Protocol for Oblivious Transfer
Security Proof
Protocol for Bit Commitment
Practicality Issues
Open Problems

37
Practicality Issues

Use polarization of photons asquantum states
state-of-the-art technology
can transmit (encode, send over fibers, receive
and measure) quantum bits
cannot store them for longer than a few
milliseconds

OT
BC

Problems
imperfect sources (multi-pulse emissions)
transmission errors

38
Practicality Issues II

Our protocols can be modified to
resist attacks based on multi-photon emissions
tolerate (quantum) noise in transmission

OT
?
BC

Well within reach of current technology
unconditionally secure as long as nobody can
store large amounts of quantum bits

?
39
More Realistic Noisy Memory Models
OT
encode
?
001
noise
BC
?
Privacy Amplification
40
Open Problem Noisy Memory Models
OT
encode
?
noise
0
BC
?
1
Privacy Amplification
41
Open Problems and Next Steps