Title: Cryptography In the Bounded Quantum-Storage Model
1 Cryptography In the Bounded Quantum-Storage Model
joint work with Ivan Damgård, Serge Fehr and Louis Salvail
- Christian Schaffner, BRICS
- University of Århus, Denmark
- 9th workshop on QIP 2006, Paris
- Tuesday, January 17th 2006
2 Agenda
- Two-Party Crypto Primitives
- Protocol for Oblivious Transfer
- Security Proof
- Protocol for Bit Commitment
- Practicality Issues
- Open Problems
3 Classical 2-party primitives: Rabin Oblivious Transfer
[Figure: Sender (Alice) inputs b into OT; Receiver obtains b / ?]
- correct: For honest Alice and Bob, Bob gets the bit b with probability ½.
- sender-private: If Alice is honest, (cheating) Bob does not get information about b with probability bigger than ½.
- receiver-private: If Bob is honest, (cheating) Alice does not learn whether Bob received the bit or not.
4 Classical 2-party primitives: Bit Commitment
[Figure: Committer commits to b via BC, giving $C_b$; on opening, the Verifier checks: b in $C_b$?]
- correct: BC allows Alice to commit to a bit b. Later, she can open $C_b$ to Bob.
- hiding: If Alice is honest, (cheating) Bob does not get information on b from $C_b$.
- binding: If Bob is honest, (cheating) Alice cannot open $C_b$ to a bit $b' \neq b$.
5 Classical 2-party primitives: Relations
[Figure: OT (sender-private, receiver-private) and BC]
- OT $\Rightarrow$ BC
- OT is complete for two-party cryptography
6 Known Impossibility Results
- In the classical unconditionally secure model without further assumptions
- In the unconditionally secure model with quantum communication [Mayers97, Lo-Chau97]
[Figure: OT $\Rightarrow$ BC]
7 Three Ways Out
- Bound computing power (schemes based on complexity assumptions)
- Noisy communication [CrépeauKilian88, Crépeau97, …]
- Physical limitations
  - e.g. bound memory size of the players
8 Classical Bounded-Storage Model [Maurer92]
- long random string in the sky which players try to store
- a memory bound applies at a specified moment (string disappears)
- protocol for OT [CCM98, DHRS04]: memory size of honest players $k$, memory of dishonest players $< k^2$
- Tight bound [DM04]
- can be improved by allowing quantum communication
9 Bounded Quantum-Storage Model
- quantum memory bound applies at a specified moment
- besides that, players are unbounded (in time and space)
- unconditional security against adversaries with quantum memory of less than half of the transmitted qubits
- honest players do not need quantum memory at all
- honest players: $0$, $k$; dishonest players: $< n/2$, $< k^2$
10 Agenda
- Two-Party Crypto Primitives
- Protocol for Oblivious Transfer
- Security Proof
- Protocol for Bit Commitment
- Practicality Issues
- Open Problems
11 Quantum Notation
[Figure: the two bases and measurements; a measurement yields 0 with prob. ½ and 1 with prob. ½]
12 Quantum Protocol for OT
[Figure: Alice and Bob, strings 0110 and 0110 [Wiesner70]; example with honest players]
13 Quantum Protocol for OT II
[Figure: Alice and Bob, strings 0110 and 0011]
- honest players?
- receiver-private?
14 Sender-privacy against dishonest Bob?
[Figure: Alice and Bob, strings 0110 and 11]
- unbounded classical memory!
15 Proof of Sender-Privacy: Purification [Ekert91]
[Figure: Alice and Bob]
16 Proof of Sender-Privacy: Distributions
[Figure: Alice and Bob]
17 Proof of Sender-Privacy: Example
[Figure: Alice and Bob; distributions p and q over the 4-bit strings, label $2^{-4}$]
18 Proof of Obliviousness: Distributions II
[Figure: Alice and Bob, string 001]
19 Proof of Sender-Privacy: Goal
[Figure: distributions p and q over the 4-bit strings, with x marked]
20 Privacy Amplification
- Privacy Amplification against Quantum Adversaries [Renner, König, TCC 2005]
[Figure: distribution p; Theorem]
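21 Sender-Privacy: Transformation
[Figure: distributions p and q, with x marked]
22 Sender-Privacy: Uncertainty Relation
[Figure: distributions p and q, with x marked]
23 General Uncertainty Relation
24 Proof of Sender-Privacy: Finale
[Figure: distributions p and q, with x marked]
25 Proof of Sender-Privacy: Recap
[Figure: Alice and Bob]
26 Proof of Sender-Privacy: Recap II
[Figure: Alice and Bob]
27 Proof of Sender-Privacy: Recap III
[Figure: Alice and Bob; distributions p and q, with x marked; string 001]
28 Proof of Sender-Privacy: Recap IV
[Figure: Alice and Bob; distributions p and q, with x marked]
29 Privacy Amplification is Necessary
[Figure: Alice and Bob]
30 Privacy Amplification is Necessary II
[Figure: Alice and Bob; label "Bell-"]
31 Privacy Amplification is Necessary !
[Figure: Alice and Bob; label "Bell-"]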
32 Agenda
- Two-Party Crypto Primitives
- Protocol for Oblivious Transfer
- Security Proof
- Protocol for Bit Commitment
- Practicality Issues
- Open Problems
33 Quantum Protocol for Bit Commitment
[Figure: Verifier and Committer, BC]
34 Quantum Protocol for Bit Commitment II
[Figure: Verifier and Committer; memory bound: store $< n/2$ qubits]
- one round, non-interactive
- commit by receiving! application e.g. passive time-stamping
- unconditionally hiding
- unconditionally binding
- classically: $\mathrm{Mem}_{dis} < \mathrm{Mem}_{hon}^2$
- quantum: $\mathrm{Mem}_{dis} < n/2$
35 Binding Property: Proof Idea
[Figure: Verifier and Committer, BC]
36 Agenda
- Two-Party Crypto Primitives
- Protocol for Oblivious Transfer
- Security Proof
- Protocol for Bit Commitment
- Practicality Issues
- Open Problems
37 Practicality Issues
- Use polarization of photons as quantum states
- state-of-the-art technology
  - can transmit (encode, send over fibers, receive and measure) quantum bits
  - cannot store them for longer than a few milliseconds
- Problems
  - imperfect sources (multi-pulse emissions)
  - transmission errors
38 Practicality Issues II
- Our protocols can be modified to
  - resist attacks based on multi-photon emissions
  - tolerate (quantum) noise in transmission
- Well within reach of current technology
- unconditionally secure as long as nobody can store large amounts of quantum bits
39 More Realistic Noisy Memory Models
[Figure: encode, noise, Privacy Amplification; string 001]
40 Open Problem: Noisy Memory Models
[Figure: encode, noise, Privacy Amplification; bits 0 and 1]
41 Open Problems and Next Steps
- Noisy Memory Model
- Other flavors of OT, e.g. 1-out-of-2 Oblivious Transfer
- Better memory bounds
- Composability? What happens to the memory bound?
- Cryptographic primitives for which we can show lower bounds
42 Summary
- Simple protocols for OT and BC that are
- efficient, non-interactive
- unconditionally secure against adversaries with bounded quantum memory
- practical
- honest players do not need quantum memory
- fault-tolerant
- work in more practical noisy memory models
43 Quantum Protocol for 1-2-OT
[Figure: Alice and Bob]
44 Questions and Comments?