Title: Quantum Public Key Cryptography with Information-Theoretic Security
1Quantum Public Key Cryptography with
Information-Theoretic Security
- Daniel Gottesman
- Perimeter Institute
2Advantages of Public Key Crypto
- High efficiency
- New protocols
- Public key encryption
- Digital signatures
- Better key distribution and management
- No danger that public key compromised
- Convert authenticated channel to secure channel
in interactive setting (QKD can do this too) - Certificate authorities
- PGP (many redistribution sites)
3Quantum Public Keys
- Consider a map f k ??fk?.
- k is the private key
- ?fk? is the public key
For some maps f, it can be impossible
(information-theoretically) to determine k, even
given many copies of ?fk?.
However, there is a limit. More copies of ?fk?
means more information about k, and even one copy
generally leaks some information about k.
4Quantum Fingerprinting
For example, we can let k be an O(2n)-bit string
and ?fk? be n qubits long using quantum
fingerprints (Buhrman, Cleve, Watrous, de Wolf
2001).
One construction Let C be a 2n, r2n, p2n
code, with max dist. (1-p)2n, and let x (k,i) be
the ith bit of the codeword encoding k. Then
?fk? 2-n/2 ?i (-1)x(k,i) ?i?,
which implies that
??fj?fk?? ? 1-2p (when i?j).
5Quantum One-Way Function
From n qubits, we can extract at most n classical
bits of information, so T copies of ?fk? can only
give at most Tn bits of information about k,
which is r2n bits long.
Thus, the function f k ??fk? is hard
(impossible, actually) to invert, even given many
copies of the output. It is a one-way function.
This is why it is safe to use ?fk? as a public
key we can give it to many people without
revealing the private key k.
6One-Time Digital Signature
Classical scheme (Lamport 1979) One-way function
f(x), private key (k0, k1), public key (f(k0),
f(k1)). To sign a bit b, send (b, kb).
Quantum scheme (Gottesman, Chuang 2001)
- Private key (k0(i), k1(i)) (i1, ..., M)
- Public key (?fk?) (for kkb(i))
- To sign b, send (b, kb(1), kb(2), ..., kb(M)).
- To verify, measure ?fk? to check k kb(i).
7Different Levels of Acceptance
Suppose s keys fail the measurement test
s ? c1M ? 1-ACC Message comes from Alice, other
recipients will agree.
c1M lt s ? c2M ? 0-ACC Message comes from Alice,
another recipient might disagree.
s gt c2M ? REJ Message might not come from Alice.
Similar to classical pseudo-signatures (Chaum and
Roijakkers 1991), which are information-theoretica
lly secure, but with complex set-up procedure.
8Quantum Public Key Encryption
- Protocol defines map k ? Uk (unitary)
- Alices private key k
- Public key (I ? Uk) (?0??0? ?1??1?)
- To encrypt a quantum state ???, teleport state
through the public key, getting Pauli matrix P.
Transmit P and 2nd register of public key. - Alice receives (P, Uk P ???). Decrypts by
performing Uk-1 then P-1.
9Notes on Quantum Public Key Encryption
- Expends one copy of the public key per encrypted
message. - When Uk runs over Pauli matrices, this is the
one-time pad, but only one copy of public key is
allowed. - For larger sets of Uk, it is impossible to learn
k completely. However, I have no security proof.
10SWAP test
BCWW also introduced a test to check if two
fingerprints are the same without knowing their
exact state
?0? ?1?
Measure ?0? ?1? vs. ?0? - ?1?
?fj?
?fj?
?fk?
?fk?
- If they are the same, result (fingerprints are
unchanged) - If they are different, often - result
Controlled-SWAP
11Distributed SWAP Test
Two problems with the straight SWAP test
- How can we do a SWAP test at a distance?
- A SWAP test against a bad key corrupts your copy.
Distributed SWAP test
key
key
key
key
Charlie
Bob
12Quantum Public Key Distribution
Alice
B
E
D
C
F can compare if the public keys received from B
and D are the same.
F
13Certificate Authorities
A certificate authority signs other peoples
public keys. Everyone has the CAs public key
already, and they trust the CA to verify the
public keys source.
Main advantage the CA only needs to be involved
in the distant past.
Can we make a certificate authority for quantum
public keys?
14No Signatures of Quantum States
There is no signature scheme for unknown quantum
states, even with computational security. Anyone
who can read the signed state can change it.
(BCGST 2002)
Let ?Sk(?)? be the signed state for ???
(purified).
To read the state, use U ?Sk(?)? ? ??? ?Rk(?)?.
But No-Cloning implies ?Rk(?)? ?Rk? does not
depend on ???.
U
To cheat ?Sk(?)?
??? ?Rk?
U-1
??? ?Rk?
?Sk(?)?
15Signing Known Quantum States
However, this argument does not apply to a state
which is known by the signer, or even if the
signer has multiple copies of ???.
Can we sign a known quantum state?
Yes, sort of we can sign the classical
description of the state.
What we really want is to sign the state
efficiently in the number of qubits. Can we do
this? Unknown.
16Signing Known Quantum States
Solutions to this problem could potentially allow
- More efficient quantum signatures sign a
fingerprint of the classical message. - Reusable quantum signatures sign a message plus
a new quantum public key. - Quantum certificate authority Provide multiple
copies of your public key to the CA, allowing him
to sign them.
17Quantum Signature Efficiency
One-time quantum signatures are very inefficient,
but if it is possible to sign known states as
suggested on the previous slide, they could
become very efficient.
- Key length to sign n-bit message O(log n)?
- Number of messages from single key exp.?
- However length of private key is still
proportional to of copies of public key.
None of this is proved.
18Capabilities of Quantum Public Keys
- High efficiency (No?)
- New protocols
- Public key encryption (Yes?)
- Digital signatures (Yes)
- Better key distribution and management
- No danger that public key compromised (Yes)
- Convert authenticated channel to secure channel
(Yes, QKD) - Certificate authorities (Yes??)
- PGP (many redistribution sites) (Yes)