Anonymous quantum communication

1
Anonymous quantum communication

• Sébastien Gambs

With Gilles Brassard (Montréal), Anne Broadbent
(Montréal), Joe Fitzsimons (Oxford), and Alain
Tapp (Montréal).
Special thanks to Anne Broadbent for the initial
version of the slides
2
Maimonides Ladder of Charity from Jewish law

• Help a person help himself
• Prevent poverty by empowering a person with a
  loan or job
• Giver and Receiver unknown to each other
• Completely anonymous Receiver not embarrassed
  Giver cannot show off
• Receiver Known, Giver Unknown
• Giver knows to whom he gives, Receiver does not
  know Giver
• Giver Does Not Know Receiver
• Receiver knows from whom he takes, Giver does not
  know Receiver
• Gives Before He is Asked
• No anonymity potential embarrassment/showing off
• Gives After He is Asked
• Gives Less Than He Should, But Cheerfully
• Gives Unwillingly

with thanks to Aram Harrow
3
Outline

• Anonymous communication
• Model
• Original protocol
• Possible extension

4
(Classical) anonymous communication
Sender
A private message was sent from an anonymous
sender to an anonymous receiver
Receiver receives a message from an anonymous
sender
Sender sends anonymously a message to Receiver
Receiver
5
Model

• Public authentic broadcast channel.

• Private channel between each pair of participants.

6
Security model

• No restriction on the number of corrupt
  participants.
• No computational assumptions.
• Drawback any participant can make the protocol
  abort.
• Same model used in Broadbent and Tapp 07.

• Remark if we had a guarantee of a majority of
  honest participants, we could use a
  general-purpose multiparty secure computation
  protocol such as
• (Rabin and Ben-Or 89) for classical
• (Ben-Or, Crépeau, Gottesman, Hassidim and Smith
  06) for quantum.

7
Classical functionalities
Broadbent and Tapp (2007)

• Multiple sender detection
• Receiver notification
• Classical anonymous communication
• Distributed logical-OR

8
Anonymous quantum communication
Sender
A private quantum message was sent from an
anonymous sender to an anonymous receiver
Receiver

• Additional concern the quantum state should
  never be destroyed.

9
Anonymous entanglement
Christandl and Wehner (2005)

• If sender and receiver anonymously share a Bell
  state, anonymous communication can be achieved
  via teleportation and the anonymous sending of
  two classical bits.

Teleportation Measurement
Sender
Teleportation Corrections
Receiver
10
Previous work Christandl and Wehner 05

• Definition of the task and first protocol to
  solve it.
• Anonymous sender and receiver.
• Honest-but-curious participants
• Participants can be curious but they are supposed
  to follow the recipe of the protocol.
• The global GHZ used to distill anonymous
  entanglement is given as an initial resource.

11
Previous work Bouda and projcar 07

• Public receiver, anonymous sender.
• Model where participants can be malicious.
• Claimed to be secure as long as success of
  protocol is known only to sender...usefulness
  seems limited.
• An attack allows malicious participants to
  correlate to success of the protocol to the
  identity of the sender and/or the receiver.
• Direct breakdown of the anonymity.
• If the receiver is corrupted, then even if he is
  the only bad guy he can attack the anonymity of
  the sender.

12
Outline main protocol

• Multiple sender detection (classical)
• Entanglement distribution
• Entanglement verification
• Receiver notification (classical)
• Anonymous entanglement generation
• Perfect anonymous entanglement
• Fail-safe teleportation

13
1. Multiple sender detection

• Collision detection is used to determine if
  exactly one participant wants to be the sender.
• If not, protocol aborts.

14
2. Entanglement distribution

• An arbitrarily chosen participant creates and
  distributes a sufficient amount of generalized
  GHZ states among the n participants
  
• Remark states may be bad and chosen
  maliciously
• Will cause the protocol to abort later.
• No cheater can use this information to find the
  identity of the sender or receiver, or to gain
  any information on the quantum message.

15
3. Entanglement verification (1)

• Each participant
• Makes n-1 pseudo-copies, each time by applying a
  control-NOT between his qubit and an ancillary
  qubit set to .
• Distributes the pseudo-copies between all other
  participants.
• Performs a measurement to determine if his system
  is in subspace spanned by
• Abort if any participant measures no.
• Resets system back to a single qubit by applying
  once again the control-NOT.

16
3. Entanglement verification (2)

• If the entanglement verification procedure
  succeeds, the state of the system is invariant
  under permutation of the honest participants
• This guarantees that no particular participant
  can be specifically targeted out of the crowd of
  honest participants.

17
4. Receiver notification

• Notification is executed the sender notifies a
  single receiver.
• If notification fails, the protocol aborts.

18
5. Anonymous entanglement generation

• All participants (except the sender and receiver)
  measure in the Hadamard basis.
• They broadcast their results (sender and receiver
  broadcast random bits).
• The state shared between sender and receiver is
• If the parity of bits is even
• If the parity of bits is odd
• The sender computes the parity for each state and
  apply phase correction when necessary to yield
• 
  

19
6. Perfect anonymous entanglement

• Quantum authentication an encoding scheme based
  on a purity-testing code that can detect any
  modification to the quantum message (Barnum,
  Crépeau, Gottesman, Smith, Tapp 02).
• The sender creates many instances of and
  uses the already established anonymous
  entanglement to teleport to the receiver an
  authenticated version of these states.
• Receiver verifies integrity of the received
  state.
• If the shared anonymous entanglement was bad,
  this fails.
• A logical-OR is executed where the receiver
  inputs 1 iff the authentication failed.
• The protocol aborts if output is 1.

20
7. Fail-safe teleportation
The quantum message should never be lost (except
if receiver is corrupt).
Teleportation Measurement
Sender
Broadcast all bits
Teleportation Corrections
Teleportation Measurement
Receiver
21
Summary of the protocol features

• The anonymity and privacy are information-theoreti
  cally secure (except with exponentially small
  probability).
• No assumption on the number of honest
  participants.
• The quantum state is never destroyed.
• Any participant can make the protocol abort.

22
How to get rid of the abort property (work in
progress)

• Problem because of the use of the generalized
  GHZ state it is always possible for any
  participant to collapse this state by directly
  measuring it
• thus preventing the generation of anonymous
  entanglement.
• Remark another globally entangled state that is
  invariant under permutation of honest
  participants could have been used instead.
• This would still guarantee the protection of the
  anonymity.

23
An idea coming from the measurement-based model

• Main idea construct by pairwise interactions a
  global entangled state that is not maximally
  entangled.
• The state is such that
• It is impossible for a particular participant to
  make it collapse entirely.
• Validity of the state can be verified by pairwise
  interactions to ascertain it is invariant under
  permutation of the honest participants.

24
Concentrating entanglement

• The anonymous entangled state produced from the
  global state is not a maximally entangled
  .
• A genuine can be obtained by the sender
  performing one-way entanglement concentration and
  sending the classical bits using classical
  anonymous communication.
• The entanglement of the global state, and the
  rate to which entanglement can be concentrate,
  may be tuned depending on our a priori knowledge
  on the maximum number of dishonest participants.

25
The end
Thank you!
26
Not so serious applications

• Anonymous P ? NP proving
• The sender (i.e. a student) has a quantum proof
  that P ? NP which he sends anonymously to the
  receiver (i.e. the professor).
• Anonymous downloading.
• Public sender, anonymous receiver.
• Sender anonymously communicate a quantum song.
• Anonymous dating
• Sender and receiver are anonymous even to each
  other.
• Anybody choose with random probability to act as
  sender or receiver.

27
Why the exponentially small probability?

• Quantum authentication can failed
• Entanglement appears good but is actually bad...
  quantum state is lost.
• Notification appears to have succeeded, but has
  failed
• Adversary can take the role of receiver and
  retrieve the quantum message.

28
Attack on protocol of Bouda and projcar 07

• A collusion can arrange for the identity of the
  sender (and/or the receiver) to be correlated
  with the success probability of the protocol.
• Knowing if the protocol succeeds reveals
  information on the identity of the sender and the
  receiver.
• This works by tweaking the global distributed
  entangled state to target specific participants.

29
Example of entanglement verification
3-participant example (supposing original state
was distributed as required )
30
Application anonymous downloading
31
Our contribution