Cryptography in the Bounded Quantum-Storage Model
Joint work with Ivan Damgård, Serge Fehr and Louis Salvail
Christian Schaffner, BRICS, University of Århus, Denmark
9th Workshop on QIP 2006, Paris, Tuesday, January 17th, 2006

Agenda
- Two-Party Crypto Primitives
- Protocol for Oblivious Transfer
- Security Proof
- Protocol for Bit Commitment
- Practicality Issues
- Open Problems

Classical 2-party primitives: Rabin Oblivious Transfer
Sender Alice: b → [OT] → b/? : Receiver Bob
- correct: For honest Alice and Bob, Bob gets the bit b with probability ½.
- sender-private: If Alice is honest, (cheating) Bob does not get information about b with probability bigger than ½.
- receiver-private: If Bob is honest, (cheating) Alice does not learn whether Bob received the bit or not.

Classical 2-party primitives: Bit Commitment
Committer: b → [BC] → C_b : Verifier (later: b in C_b?)
- correct: BC allows Alice to commit to a bit b. Later, she can open C_b to Bob.
- hiding: If Alice is honest, (cheating) Bob does not get information on b from C_b.
- binding: If Bob is honest, (cheating) Alice cannot open C_b to a bit b' ≠ b.

Classical 2-party primitives: Relations
- Oblivious Transfer (b → [OT] → b/?): sender-private, receiver-private
- Bit Commitment (b → [BC] → C_b; b in C_b?): hiding, binding
- OT ⇒ BC
- OT is complete for two-party cryptography

Known Impossibility Results (diagram: OT ⇒ BC)
- In the classical unconditionally secure model without further assumptions
- In the unconditionally secure model with quantum communication [Mayers 97, Lo-Chau 97]

Three Ways Out (diagram: OT, BC)
- Bound computing power (schemes based on complexity assumptions)
- Noisy communication [Crépeau-Kilian 88, Crépeau 97, …]
- → Physical limitations, e.g. bound memory size of the players

Classical Bounded-Storage Model [Maurer 92] (diagram: OT, BC)
- long random string in the sky which players try to store
- a memory bound applies at a specified moment (string disappears)
- protocol for OT [CCM 98, DHRS 04]:
  - memory size of honest players: k
  - memory of dishonest players: < k^2
- Tight bound [DM 04]
- can be improved by allowing quantum communication

Bounded Quantum-Storage Model (diagram: OT, BC)
- quantum memory bound applies at a specified moment
- besides that, players are unbounded (in time and space)
- unconditional security against adversaries with quantum memory of less than half of the transmitted qubits
- honest players do not need quantum memory at all
- memory of honest players: 0 (classical model: k)
- memory of dishonest players: < n/2 (classical model: < k^2)

Agenda
- ✓ Two-Party Crypto Primitives
- Protocol for Oblivious Transfer
- Security Proof
- Protocol for Bit Commitment
- Practicality Issues
- Open Problems

Quantum Notation
- + basis, × basis
- Measurements: with prob. ½ yields 0, with prob. ½ yields 1
- EPR pairs: prob. ½: 0, prob. ½: 1

Quantum Protocol for OT [Wiesner 70]
(diagram: Alice, Bob; string 0110…; memory bound: store < n/2 qubits)
Example: honest players

Quantum Protocol for OT II
(diagram: Alice, Bob; strings 0110… and 0011…; memory bound: store < n/2 qubits)
honest players? receiver-private?

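A classical simulation of an honest run, added here as an example (not code from the talk). The slide's diagram did not survive, so the message flow (Alice encodes x in one random basis, Bob measures at once in a random basis, Alice later announces her basis, a hash h and b XOR h(x)), the inner-product hash family and all names are assumptions pieced together from the surrounding slides.

```python
import random

def measure(x, enc_basis, meas_basis, rng):
    # Classical model of conjugate coding: measuring in the encoding basis
    # returns the encoded bits; the other basis yields uniform random bits.
    if enc_basis == meas_basis:
        return list(x)
    return [rng.randrange(2) for _ in x]

def h(s, x):
    # Inner-product hash <s, x> mod 2: a two-universal family with 1-bit output.
    return sum(si & xi for si, xi in zip(s, x)) % 2

def rabin_ot(b, n, rng):
    # Alice: random string x and one random basis r for all n qubits (assumed).
    x = [rng.randrange(2) for _ in range(n)]
    r = rng.choice("+x")
    # Bob: measures immediately in a random basis, so he stores no qubits.
    r_bob = rng.choice("+x")
    x_bob = measure(x, r, r_bob, rng)
    # --- the memory bound applies here ---
    # Alice: announces r, the hash seed s and the masked bit e.
    s = [rng.randrange(2) for _ in range(n)]
    e = b ^ h(s, x)
    # Bob: unmasks only if his basis matched; otherwise he outputs "?" (None).
    guess = e ^ h(s, x_bob)          # what a curious Bob would compute anyway
    out = guess if r_bob == r else None
    return out, guess

def simulate(trials=2000, n=16, seed=2006):
    # Returns (fraction received, wrong outputs, guess accuracy on "?" runs).
    rng = random.Random(seed)
    received = wrong = missed = lucky = 0
    for _ in range(trials):
        b = rng.randrange(2)
        out, guess = rabin_ot(b, n, rng)
        if out is None:
            missed += 1
            lucky += (guess == b)
        else:
            received += 1
            wrong += (out != b)
    return received / trials, wrong, lucky / missed

if __name__ == "__main__":
    print(simulate())
```

The run models honest players only: a guess accuracy near ½ on the "?" runs shows that a Bob who measured in the wrong basis and kept no qubits learns nothing about b. It says nothing about an adversary who stores qubits, which is what the security proof addresses.
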
Sender-privacy against dishonest Bob?
(diagram: Alice, Bob; strings 0110… and …11…; memory bound: store < n/2 qubits)
unbounded classical memory!

Proof of Sender-Privacy: Purification [Ekert 91]
(diagram: Alice, Bob; memory bound: store < n/2 qubits)

Proof of Sender-Privacy: Distributions
(figure: Alice, Bob; distributions p and q over the strings 0000, 0001, …, 0110, …, with the value 2^-4 marked; memory bound: store < n/2 qubits)

Proof of Sender-Privacy: Example
(figure: Alice, Bob; distributions p and q over the strings 0000, 0001, …, 0110, …, with the value 2^-4 marked; memory bound: store < n/2 qubits)

Proof of Obliviousness: Distributions II
(figure: Alice, Bob; distributions p and q over the strings 0000, 0001, …, 0110, …, with the value 2^-4 and an outcome x marked; string 001…; memory bound: store < n/2 qubits)

Proof of Sender-Privacy: Goal
(figure: distributions p and q over the strings 0000, 0001, …, 1010, with an outcome x marked; string 001…)
However Bob prepares his memory and the distributions p and q, he cannot guess h(x) in both bases simultaneously ⇒ sender-private

Privacy Amplification against Quantum Adversaries [Renner König, TCC 2005]
(diagram: p ⇒ x; S; h(x) = ???)
Theorem: $d(h(X) \mid h\,\rho) \le \tfrac{1}{2}\, 2^{-\frac{1}{2}\left(H_\infty(\{X\}\rho) - H_0(\rho) - 1\right)} \le \tfrac{1}{2}\, 2^{-\frac{1}{2}\left(H_\infty(X) - n/2 - 1\right)}$

Sender-Privacy: Transformation p H n q X 2 x L µ X … p j i px x = x ) j j· z L 2 n=2 |2 ¡ n=2 X 2 p ¡ ¢ {z p ( 1)x z} x x L · negl(n) ¶ … xj i z 21
Sender-Privacy: Uncertainty Relation
(figure: distributions p and q, outcome x marked)

General Uncertainty Relation
(figure: distributions p and q)
For $L^+, L^\times \subseteq \{0,1\}^n$: $p(L^+) + q(L^\times) \le 1 + 2^{-n/2}\sqrt{|L^+|\,|L^\times|}$

Proof of Sender-Privacy: Finale
(figure: distributions p and q, outcome x marked)

Proof of Sender-Privacy: Recap
(diagram: Alice, Bob; memory bound: store < n/2 qubits)

Proof of Sender-Privacy: Recap II
(diagram: Alice, Bob; memory bound: store < n/2 qubits)

Proof of Sender-Privacy: Recap III
(figure: Alice, Bob; distributions p and q, outcome x marked; string 001…; memory bound: store < n/2 qubits)

Proof of Sender-Privacy: Recap IV
(figure: Alice, Bob; distributions p and q, outcome x marked)

Privacy Amplification is Necessary
(diagram: Alice, Bob; memory bound: store < n/2 qubits)

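Privacy Amplification is Necessary II
(diagram: Alice, Bob; memory bound: store < n/2 qubits)
Bell states in the + basis and in the × basis:
- $|\Phi^+\rangle = |00\rangle_+ + |11\rangle_+ = |00\rangle_\times + |11\rangle_\times$
- $|\Psi^+\rangle = |01\rangle_+ + |10\rangle_+ = |00\rangle_\times - |11\rangle_\times$
- $|\Phi^-\rangle = |00\rangle_+ - |11\rangle_+ = |01\rangle_\times + |10\rangle_\times$
- $|\Psi^-\rangle = |01\rangle_+ - |10\rangle_+ = |10\rangle_\times - |01\rangle_\times$
Bob: Bell measurement with outcomes $|\Phi^+\rangle, |\Psi^+\rangle, |\Phi^-\rangle, |\Psi^-\rangle$
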
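Privacy Amplification is Necessary!
(diagram: Alice, Bob; memory bound: store < n/2 qubits)
Bell states in the + basis and in the × basis:
- $|\Phi^+\rangle = |00\rangle_+ + |11\rangle_+ = |00\rangle_\times + |11\rangle_\times$
- $|\Psi^+\rangle = |01\rangle_+ + |10\rangle_+ = |00\rangle_\times - |11\rangle_\times$
- $|\Phi^-\rangle = |00\rangle_+ - |11\rangle_+ = |01\rangle_\times + |10\rangle_\times$
- $|\Psi^-\rangle = |01\rangle_+ - |10\rangle_+ = |10\rangle_\times - |01\rangle_\times$
Bob: Bell measurement, outcome $|\Psi^+\rangle$
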
Agenda
- ✓ Two-Party Crypto Primitives
- ✓ Protocol for Oblivious Transfer
- ✓ Security Proof
- Protocol for Bit Commitment
- Practicality Issues
- Open Problems

Quantum Protocol for Bit Commitment
(diagram: Verifier, Committer, BC; memory bound: store < n/2 qubits)

Quantum Protocol for Bit Commitment II
(diagram: Verifier, Committer, BC; memory bound: store < n/2 qubits)
- one round, non-interactive
- commit by receiving!
- application: e.g. passive time-stamping
- unconditionally hiding
- unconditionally binding:
  - classically: Mem_dis < 2 · Mem_hon
  - quantum: Mem_dis < n/2

Binding Property: Proof Idea
(diagram: Verifier, Committer, BC; memory bound: store < n/2 qubits)

Agenda
- ✓ Two-Party Crypto Primitives
- ✓ Protocol for Oblivious Transfer
- ✓ Security Proof
- ✓ Protocol for Bit Commitment
- Practicality Issues
- Open Problems

Practicality Issues (diagram: OT, BC)
- Use polarization of photons as quantum states
- state-of-the-art technology:
  - can transmit (encode, send over fibers, receive and measure) quantum bits
  - cannot store them for longer than a few milliseconds
- Problems:
  - imperfect sources (multi-pulse emissions)
  - transmission errors

Practicality Issues II (diagram: OT, BC)
Our protocols can be modified to
- resist attacks based on multi-photon emissions
- tolerate (quantum) noise in transmission
→ Well within reach of current technology
→ unconditionally secure as long as nobody can store large amounts of quantum bits

More Realistic: Noisy Memory Models
(diagram: OT, BC; encode, noise; string 001…; memory bound: store < n/2 qubits)
Uncertainty relation: ≥ n/2, given = log(rank(ρ)) < n/2
Privacy Amplification: $d(h(X) \mid h\,\rho) \le \tfrac{1}{2}\, 2^{-\frac{1}{2}\left(H_\infty(\{X\}\rho) - H_0(\rho) - 1\right)}$

Open Problem: Noisy Memory Models
(diagram: OT ? BC; encode, noise)
0 ? 1 = log(rank(ρ)) = n < n/2 ?
Privacy Amplification: $d(h(X) \mid h\,\rho) \le \tfrac{1}{2}\, 2^{-\frac{1}{2}\left(H_\infty(\{X\}\rho) - H_0(\rho) - 1\right)}$

Open Problems and Next Steps (diagram: OT ? BC ?)
- Noisy Memory Model
- Other flavors of OT: e.g. 1-out-of-2 Oblivious Transfer
- Better memory bounds
- Composability? What happens to the memory bound?
- Cryptographic primitives for which we can show lower bounds

Summary
Simple protocols for OT and BC that are
- efficient, non-interactive
- unconditionally secure against adversaries with bounded quantum memory
- practical:
  - honest players do not need quantum memory
  - fault-tolerant
  - work in more practical noisy memory models