Cryptography In the Bounded Quantum-Storage Model - PowerPoint PPT Presentation

About This Presentation
Title:

Cryptography In the Bounded Quantum-Storage Model

Description:

Cryptography In the Bounded Quantum-Storage Model joint work with Ivan Damg rd, Serge Fehr and Louis Salvail Christian Schaffner, BRICS University of rhus, Denmark – PowerPoint PPT presentation

Number of Views:166
Avg rating:3.0/5.0
Slides: 43
Provided by: ChristianS151
Category:

less

Transcript and Presenter's Notes

Title: Cryptography In the Bounded Quantum-Storage Model


1
Cryptography In theBounded Quantum-Storage Model
joint work with Ivan Damgård, Serge Fehr and
Louis Salvail
  • Christian Schaffner, BRICS
  • University of Århus, Denmark
  • 9th workshop on QIP 2006, Paris
  • Tuesday, January 17th 2006

2
Agenda
  • Two-Party Crypto Primitives
  • Protocol for Oblivious Transfer
  • Security Proof
  • Protocol for Bit Commitment
  • Practicality Issues
  • Open Problems

3
Classical 2-party primitives Rabin Oblivious
Transfer
Receiver
Sender
OT
b
b / ?
  • Bob

Alice
  • correct For honest Alice and Bob, Bob gets the
    bit b with probability ½.
  • sender-private If Alice is honest, (cheating)
    Bob does not get information about b with
    probability bigger than ½.
  • receiver-private If Bob is honest, (cheating)
    Alice does not learn, whether Bob received the
    bit or not.

4
Classical 2-party primitivesBit Commitment
Verifier
BC
Committer
b
Cb
b
b in Cb?
  • correct BC allows Alice to commit to a bit b.
    Later, she can open Cb to Bob.
  • hiding If Alice is honest, (cheating) Bob does
    not get information on b from Cb.
  • binding If Bob is honest, (cheating) Alice
    cannot open Cb to a bit b ? b.

5
Classical 2-party primitives Relations
  • sender-private
  • receiver-private

OT
  • hiding
  • binding

BC
  • OT ) BC
  • OT is complete for two-party cryptography

6
Known Impossibility Results
  • In the classical unconditionally secure model
    without further assumptions

OT
)
  • In the unconditionally secure model with quantum
    communication
  • Mayers97, Lo-Chau97

BC
7
Three Ways Out
  • Bound computing power (schemes based on
    complexity assumptions)
  • Noisy communication CrépeauKilian88, Crépeau97,
  • Physical limitations

OT
?
  • Physical limitations
  • e.g. bound memory size of the players

BC
?
8
Classical Bounded-Storage ModelMaurer92
  • long random string in the sky which players try
    to store
  • a memory bound applies at a specified moment
    (string disappears)
  • protocol for OT CCM98, DHRS04 memory size of
    honest players k memory of dishonest
    players ltk2
  • Tight bound DM04
  • can be improved by allowing quantum communication

OT
BC
9
Bounded Quantum-Storage Model
  • quantum memory bound applies at a specified
    moment
  • besides that, players are unbounded (in time and
    space)
  • unconditional security against adversaries with
    quantum memory of less then half of the
    transmitted qubits
  • honest players do not need quantum memory at all
  • honest players 0 k dishonest players ltn/2 ltk2

OT
?
BC
?
10
Agenda
  • Two-Party Crypto Primitives
  • Protocol for Oblivious Transfer
  • Security Proof
  • Protocol for Bit Commitment
  • Practicality Issues
  • Open Problems

11
Quantum Notation
basis
basis
Measurements
with prob. ½ yields 0
with prob. ½ yields 1
prob. ½ 0
prob. ½ 1
12
Quantum Protocol for OT
Bob
Alice
0110
0110
Wiesner70
Example honest players
13
Quantum Protocol for OT II
Bob
Alice
0110
0011
?
?
honest players?
receiver-private?
14
Sender-privacy against dishonest Bob?
Bob
Alice
unbounded classical memory!
0110

11
15
Proof of Sender-Privacy PurificationEkert91
Bob
Alice
16
Proof of Sender-Privacy Distributions
Bob
Alice
17
Proof of Sender-Privacy Example
Bob
Alice
p
q
2-4
2-4


0000
0001
0010
0011
0100
0101
0110
0000
0001
0010
0011
0100
0101
0110


18
Proof of Obliviousness Distributions II
Bob
Alice
001
19
Proof of Sender-Privacy Goal
p
q


0001
0010
0011
0100
0101
0110
0000
x
x
0111
1000
1001
1010
0001
0010
0011
0100
0101
0110
0000
0111
1000
1001
1010
20
Privacy Amplification
Privacy Amplification against Quantum Adversaries
Renner König, TCC 2005
p


Theorem
21
Sender-Privacy Transformation
p
q


x
x
22
Sender-Privacy Uncertainty Relation
p
q


x
x
23
General Uncertainty Relation
24
Proof of Sender-Privacy Finale
p
q


x
x
25
Proof of Sender-Privacy Recap
Bob
Alice
26
Proof of Sender-Privacy Recap II
Bob
Alice
27
Proof of Sender-Privacy Recap III
Bob
Alice
p
q


x
x
001
28
Proof of Sender-Privacy Recap IV
Bob
Alice
p
q


x
x
29
Privacy Amplification is Necessary
Bob
Alice
30
Privacy Amplification is Necessary II
Bob
Alice
Bell-
31
Privacy Amplification is Necessary !
Bob
Alice
Bell-
32
Agenda
  • Two-Party Crypto Primitives
  • Protocol for Oblivious Transfer
  • Security Proof
  • Protocol for Bit Commitment
  • Practicality Issues
  • Open Problems

33
Quantum Protocol for Bit Commitment
Verifier
Committer
BC
34
Quantum Protocol for Bit Commitment II
Verifier
Committer
memory bound store lt n/2 qubits
  • one round, non-interactive
  • commit by receiving! application e.g. passive
    time-stamping
  • unconditionally hiding
  • unconditionally binding
  • classically Memdis lt 2 Memhon
  • quantum Memdis lt n / 2

BC
35
Binding Property Proof Idea
Verifier
Committer
BC
?
36
Agenda
  • Two-Party Crypto Primitives
  • Protocol for Oblivious Transfer
  • Security Proof
  • Protocol for Bit Commitment
  • Practicality Issues
  • Open Problems

37
Practicality Issues
  • Use polarization of photons asquantum states
  • state-of-the-art technology
  • can transmit (encode, send over fibers, receive
    and measure) quantum bits
  • cannot store them for longer than a few
    milliseconds

OT
BC
  • Problems
  • imperfect sources (multi-pulse emissions)
  • transmission errors

38
Practicality Issues II
  • Our protocols can be modified to
  • resist attacks based on multi-photon emissions
  • tolerate (quantum) noise in transmission

OT
?
BC
  • Well within reach of current technology
  • unconditionally secure as long as nobody can
    store large amounts of quantum bits

?
39
More Realistic Noisy Memory Models
OT
encode
?
001
noise
BC
?
Privacy Amplification
40
Open Problem Noisy Memory Models
OT
encode
?
noise
0
BC
?
1
Privacy Amplification
41
Open Problems and Next Steps
  • Noisy Memory Model
  • Other flavors of OTe.g. 1-out-of-2 Oblivious
    Transfer
  • Better memory bounds
  • Composability? What happens to the memory bound?
  • Cryptographic primitives for which we can show
    lower bounds

OT
?
BC
?
42
Summary
  • Simple protocols for OT and BC that are
  • efficient, non-interactive
  • unconditionally secure against adversaries with
    bounded quantum memory
  • practical
  • honest players do not need quantum memory
  • fault-tolerant
  • work in more practical noisy memory models

OT
?
BC
?
43
Quantum Protocol for 1-2-OT
Bob
Alice
44
Questions and Comments?
OT
?
BC
?
Write a Comment
User Comments (0)
About PowerShow.com