Lecture 2: Quantum bit commitment and authentication

Similar documents
arxiv: v7 [quant-ph] 20 Mar 2017

Security Implications of Quantum Technologies

Lecture: Quantum Information

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Fang Song. Joint work with Sean Hallgren and Adam Smith. Computer Science and Engineering Penn State University

arxiv:quant-ph/ v1 10 Dec 1997

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

arxiv: v1 [quant-ph] 3 Jul 2018

EFFICIENT SIMULATION FOR QUANTUM MESSAGE AUTHENTICATION

Other Topics in Quantum Information

Optimal bounds for quantum bit commitment

Quantum information and quantum mechanics: fundamental issues. John Preskill, Caltech 23 February

An Introduction to Quantum Information and Applications

CS120, Quantum Cryptography, Fall 2016

Lecture 28: Public-key Cryptography. Public-key Cryptography

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Optimal bounds for semi-honest quantum oblivious transfer

Optimal quantum strong coin flipping

Question 1. The Chinese University of Hong Kong, Spring 2018

Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing

Solution of Exercise Sheet 7

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Lecture 1: Introduction to Public key cryptography

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Why quantum bit commitment and ideal quantum coin tossing are impossible.

Perfectly secure cipher system.

CPSC 467: Cryptography and Computer Security

Ping Pong Protocol & Auto-compensation

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Ph 219/CS 219. Exercises Due: Friday 3 November 2006

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Lecture 15 - Zero Knowledge Proofs

Classical Verification of Quantum Computations

Challenges in Quantum Information Science. Umesh V. Vazirani U. C. Berkeley

arxiv:quant-ph/ v1 6 Dec 2005

Quantum key distribution for the lazy and careless

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 6: Quantum error correction and quantum capacity

Chapter 2 : Perfectly-Secret Encryption

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

The Laws of Cryptography Zero-Knowledge Protocols

ECS 189A Final Cryptography Spring 2011

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Actively secure two-party evaluation of any quantum operation

1 Secure two-party computation

Zero-Knowledge Against Quantum Attacks

Hilbert Space, Entanglement, Quantum Gates, Bell States, Superdense Coding.

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Quantum Error Correcting Codes and Quantum Cryptography. Peter Shor M.I.T. Cambridge, MA 02139

A FRAMEWORK FOR UNCONDITIONALLY SECURE PUBLIC-KEY ENCRYPTION (WITH POSSIBLE DECRYPTION ERRORS)

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

Teleportation of Quantum States (1993; Bennett, Brassard, Crepeau, Jozsa, Peres, Wootters)

Quantum Cryptography : On the Security of the BB84 Key-Exchange Protocol

1 Indistinguishability for multiple encryptions

A. Quantum Key Distribution

Entanglement and information

Chapter 2. A Look Back. 2.1 Substitution ciphers

Quantum Setting with Applications

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Lecture 10: Zero-Knowledge Proofs

Lecture 5, CPA Secure Encryption from PRFs

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Universal Blind Quantum Computing

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Cryptography 2017 Lecture 2

Quantum one-time programs

Bit-Commitment and Coin Flipping in a Device-Independent Setting

Cyber Security in the Quantum Era

Quantum-Secure Coin-Flipping and Applications

arxiv:quant-ph/ v1 13 Mar 2007

Quantum Cryptography

10. Physics from Quantum Information. I. The Clifton-Bub-Halvorson (CBH) Theorem.

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Lecture 7: CPA Security, MACs, OWFs

CPA-Security. Definition: A private-key encryption scheme

Computer Science A Cryptography and Data Security. Claude Crépeau

arxiv: v2 [quant-ph] 10 Oct 2012

Classical Verification of Quantum Computations

Public Key Cryptography

Seminar Report On QUANTUM CRYPTOGRAPHY. Submitted by SANTHIMOL A. K. In the partial fulfillment of requirements in degree of

Lecture 3: Interactive Proofs and Zero-Knowledge

Historical cryptography. cryptography encryption main applications: military and diplomacy

Classical and Quantum Strategies for Two-Prover Bit Commitments

6.080/6.089 GITCS Apr 15, Lecture 17

Lecture Notes 20: Zero-Knowledge Proofs

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

arxiv:quant-ph/ v2 11 Jan 2006

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

An Introduction. Dr Nick Papanikolaou. Seminar on The Future of Cryptography The British Computer Society 17 September 2009

A New Approach to Practical Secure Two-Party Computation. Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank

PERFECTLY secure key agreement has been studied recently

Scribe for Lecture #5

Great Theoretical Ideas in Computer Science

Quantum Cryptography

arxiv:cs/ v2 [cs.cr] 16 Apr 2004

Oblivious Evaluation of Multivariate Polynomials. and Applications

Introduction to Quantum Cryptography

Secure Multiparty Quantum Computation with (Only) a Strict Honest Majority

arxiv:quant-ph/ v1 27 Dec 2004

Transcription:

QIC 890/891 Selected advanced topics in quantum information Spring 2013 Topic: Topics in quantum cryptography Lecture 2: Quantum bit commitment and authentication Lecturer: Gus Gutoski This lecture is the second and final lecture in the CryptoWorks21 Novice program in quantum cryptography tools. All future lectures are not part of the the CryptoWorks 21 Novice program. 1 Quantum bit commitment is impossible A protocol for bit commitment solves the following problem. Alice has a bit b that she wishes to commit to Bob, but she doesn t want Bob to learn the value of b until she chooses to reveal it at a later time. [*** picture of a safe and key ***] In other words, a protocol for bit commitment must meet the following conditions: Binding. Alice should not be able to alter the value of the bit once she has committed. Concealing. Bob should not be able to identify the bit that Alice committed until she reveals it. Applications: Bit commitment = multi-party computation, zero-knowledge proofs for NP-complete problems, coin tossing. (That is, secure protocols for these tasks can be constructed from a secure bit commitment protocol.) Example 1 (Bit commitment = coin tossing). The following protocol uses a bit commitment primitive to implement coin tossing. 1. Alice guesses a random bit b and commits this guess to Bob. 2. Bob flips a coin (selects a random bit c) and reports the result to Alice. 3. Alice reveals her guess. The output is c b. It is clear that Bob cannot cheat: if Alice is honest then the result of the coin flip is always uniformly random. In order for Alice to cheat she must be able to change the value of her bit b after she has commited to it, contradicting the binding property of bit commitment. 1.1 Bit commitment in a classical universe Unconditionally secure bit commitment is impossible. Any protocol for bit commitment requires computational assumptions such as the existence of one-way functions. There exist protocols that are unconditionally binding and computationally concealing and vice versa. Example 2 (Bit commitment from a pseudo-random generator [Nao91]). Let R be a PRG from n bits to 3n bits and suppose Alice wishes to commit a bit b. 1. Bob selects a random 3n-bit string s and sends it to Alice. 2. Alice selects a random n-bit string y and computes the 3n-bit string R(y). 3. Commit. If b = 1 then Alice sends R(y) to Bob. Otherwise, she sends R(y) s to Bob. 1

4. Reveal. Alice sends y to Bob, who can then check whether he received R(y) or R(y) s. Statistically binding. Alice cannot cheat with probability greater than 2 n even if she has unlimited computational power at her disposal. Why? Because if she wants to cheat then she needs to find y with R(y ) = R(y) s. However, R(y) s is uniformly distributed among 2 3n possible strings, whereas R(y ) is drawn from a pool of only 2 n strings. Thus, the probability that there exists some y with the desired property is vanishingly small. Computationally concealing. In order to distinguish R(y) from R(y) s Bob must distinguish true randomness (R(y) s) from pseudo-randomness (R(y)), implying that he could break the PRG. 1.2 Unconditionally secure quantum bit commitment is impossible Can unconditionally secure bit commitment be achieved with quantum information? No. Here s a sketch of the proof. By the Church of a Larger Hilbert Space, we can assume without loss of generality that Alice and Bob begin with a pure state and perform only local unitary operations, with all measurements deferred until the end of the protocol. Let A, B denote the local registers of Alice, Bob. Any protocol for bit commitment has two phases: a commit phase and a reveal phase. Suppose Alice wishes to commit bit b and let ψ b AB denote the pure state the entire system at the end of the commit phase. In a perfectly concealing protocol Bob cannot infer any information about b from his local portion B. Thus, it must be that Tr A ( ψ 0 ψ 0 ) = Tr A ( ψ 1 ψ 1 ). By the unitary equivalence of purifications, it follows that there exists a unitary U acting only on A with (U I B ) ψ 0 = ψ 1. In particular, Alice can switch back and forth between ψ 0, ψ 1 after the commit phase without Bob s knowledge or consent; the binding property does not hold. The previous argument showed that a perfectly concealing protocol cannot be binding. But what about a statistically concealing protocol? The impossibility proof sketch is the same except now we need to carry around epislons and convert between the trace norm and fidelity. As a bonus, we can compute a lower bound on the probability with which one party can cheat in any bit commitment protocol. Theorem 3. Suppose that Bob can deduce the bit b before the reveal phase with bias no larger than ε. Then Alice can convince Bob to accept the opposite bit value b after the commit phase with probability at least 1 2 ε. It follows that one party can always cheat with probability at least 17.1%. Legend. In 1993 a group of prominent researchers published a paper in the proceedings of a top-tier computer science conference [BCJL93] in which they claimed to exhibit an unconditionally secure quantum bit commitment scheme. A flaw was subsequently found in their scheme, and quantum bit commitment was proven impossible. There is some dispute over who should be credited with the discovery of this flaw and the impossibility proof. These days, credit is typically given to both Mayers [May97] and Lo and Chau [LC97] as independent discoverers. 2 Authentication of quantum messages 2.1 Review of classical authentication Let K, M, C denote finite sets of keys, messages, and ciphertexts, respectively. (Think of these as sets of bit strings.) An authentication scheme (also called a message authentication code (MAC)) consists of encoding 2

and decoding functions E : K M C D : K C M {valid, invalid} Such a scheme is said to be ε-secure if it has the following conditions: Completeness. Untampered messages are accepted with certainty: D k (E k (m)) = (m, valid) for all messages m and keys k. Soundness. Tampered messages are rejected with high probability over the choice of key k. That is, for any adversary A : C C and any distinct messages m, m we have [ Dk (A(E k (m))) = (m, valid) ] < ε Pr k K where the security parameter ε should drop exponentially in the bit length of ciphertexts. Example 4 (Wegman-Carter). Let H be a set of hash functions on M and for each h H define E h : m (m, h(m)) { (x, valid) if h(x) = y D h : (x, y) (x, invalid) otherwise If H is a universal class of hash functions then E h, D h are a secure authentication scheme with key set K = H. Observe: This scheme authenticates but does not encrypt the plaintext message is transmitted in the clear! (In case you re wondering, a set H of hash functions is called a universal class if for each pair m, m M of distinct messages it holds that [ Pr h(m) = h(m ) ] 1 h H H. In other words, sampling uniformly from H has the same effect as sampling uniformly from all possible hash functions.) 2.2 Definition of quantum authentication Getting the definition right is tricky, owing to the fact that quantum information has a continuum of pure states. For discussion of definitional issues see the original work of Barnum et al. [BCG + 02]. Let s cut to the chase with the correct definition. Let K denote a finite set of (classical) keys. Let M, C denote spaces associated with quantum systems for the message and ciphertext, respectively, and let Q be a two-dimensional space with basis states { valid, invalid }. A quantum authentication scheme consists of encoding and decoding channels for each key k K: E k : L(M) L(C) D k : L(C) L(M Q) For each pure state ψ M of the message space let Π ψ = (I M ψ ψ ) valid valid 3

denote the projection onto the subspace of M Q spanned by message states orthogonal to ψ that are nonetheless accepted by the scheme. A quantum authentication scheme is said to be ε-secure if it meets the following conditions for every ψ M: Completeness. Untampered messages are accepted with certainty: D k (E k ( ψ ψ )) = ψ ψ valid valid. Soundness. Tampered messages are rejected with high probability over the choice of key k. That is, for any adversary A : L(C) L(C) let ρ A, ψ = 1 D k (A(E k ( ψ ψ ))) K k K denote the mixed state of M Q at the end of the protocol, averaged over all choices of key k. The soundness requirement is that for all ψ, A it holds that ΠA, ψ, ρ def = Tr ( Π A, ψ ρ ) ε where the security parameter ε should drop exponentially in the number of qubits of C. There are several quantum authentication schemes out there. Here are two of the simplest: Example 5 (Clifford scheme [ABOE10]). m message qubits are authenticated into m + d cipher qubits. Keys are (m + d)-qubit Clifford circuits C. E C Append d ancilla qubits in state 0 d, then apply C. D C Apply the inverse C, then measure the d ancilla qubits to ensure they re in the 0 state. This scheme achieves security 2 d. Example 6 (Trap scheme [BGS12]). Based on any [[n, 1, d]] quantum error-correcting code C. One message qubit is authenticated into 3n cipher qubits. Keys are pairs (σ, P ) where σ is a permutation on 3n elements and P is a 3n-qubit Pauli operator. E (σ,p ) Encode the message qubit according to C. Append 2n trap qubits in state 0 n + n, then permute all 3n qubits according to σ, then encrypt all 3n qubits by applying P. D (σ,p ) Decrypt by applying P, de-permute by applying σ 1, and decode by applying C. Measure the trap qubits and the syndrome qubits of C and reject if any errors are detected. This scheme achieves security at least (2/3) d/2. 2.3 Authentication requires encryption Recall that classical authentication schemes need not encrypt the message. By contrast, notice that both of our examples of quantum authentication schemes also encrypt the message. This is no coincidence: it is impossible to authenticate a quantum state without also encrypting it. Why? Suppose toward a contradiction that we have a quantum authentication scheme that does not also encrypt. For a given message state ψ let ρ ψ denote the authentication of ψ under this scheme. Let us begin with an extreme example: suppose that there are message states 0, 1 whose ciphertexts ρ 0, ρ 1 are perfectly distinguishable. Then ρ 0, ρ 1 must have orthogonal support. For b {0, 1} let Π b denote the projection onto the support of ρ b and consider an adversary who applies the unitary Π 0 Π 1. That is, the adversary applies a 1 phase to the support of ρ 1. 4

May-06-13 4:45 PM New Section 1 Page 1 Figure 1: An adversary who can distinguish ρ 0 from ρ 1 can can apply a conditional phase to map ρ 0 + 1 to ρ 0 1, thus breaking the authentication scheme. In this figure, ψ b denotes the purification (including the secret key) of the authenticated state ρ b seen by the adversary. When we try to authenticate 0 + 1 the adversary maps ρ 0 + 1 to ρ 0 1. Thus, the decoder can be made to accept 0 1 with certainty even though the original message was 0 + 1. Our hypothesized scheme is insecure. What if ρ 0, ρ 1 are not perfectly distinguishable, but only mostly distinguishable? One can still prove a bound on the security of the scheme. Proposition 7 ([BCG + 02]). If 0, 1 are message states with ρ 0 ρ 1 Tr > 2 ε then an adversary can successfully tamper with ρ 0 + 1 with probability at least 1 ε. What if ρ 0, ρ 1 are only slightly distinguishable? One can still prove a bound on the security of the scheme. We use the well known fact that distinguishability of t copies of two states increases exponentially in t. Specifically, ρ 0 ρ 1 Tr δ = ρ 0 t ρ 1 t Tr 2 exp( tδ 2 /4). Then by Proposition 7 an adversary can change the message state 0 t + 1 t to 0 t 1 t with high probability. All this can be formalized to prove: Theorem 8 ([BCG + 02]). Any ε-secure quantum authentication scheme has the property that for any message states φ, ψ it holds that ρ φ ρ ψ Tr O(ε 1/6 ). In other words, such a scheme must also encrypt message states so as to achieve distinguishability bias O(ε 1/6 ). Why doesn t classical authentication also require encryption? The original authors said it best [BCG + 02]: 5

The difference can be understood as a complementarity feature of quantum mechanics: authenticating a message in one basis requires encrypting it in the complementary Fourier-transformed basis. This is essentially another realization of the principle that measuring data in one basis disturbs it in any complementary basis. For classical messages, therefore, encryption is not required: only one basis is relevant. In contrast, for quantum messages, we require authentication in all bases and therefore we must also require encryption in all bases. References [ABOE10] Dorit Aharonov, Michael Ben-Or, and Elad Eban. Interactive proofs for quantum computations. In Proceedings of Innovations in Computer Science, pages 453 469, 2010. arxiv:0810.5375v2 [quant-ph]. 4 [BCG + 02] Howard Barnum, Claude Crépeau, Daniel Gottesman, Adam Smith, and Alain Tapp. Authentication of quantum messages. In Proceedings of the 43rd IEEE Symposium on Foundations of Computer Science, FOCS 2002, pages 449 458, 2002. arxiv:quant-ph/0205128. 3, 5 [BCJL93] [BGS12] [LC97] [May97] Gilles Brassard, Claude Crépeau, Richard Jozsa, and Denis Langlois. A quantum bit commitment scheme provably unbreakable by both parties. In Proceedings of the 34th IEEE Symposium on Foundations of Computer Science, FOCS 1993, pages 42 52, 1993. 2 Anne Broadbent, Gus Gutoski, and Douglas Stebila. Quantum one-time programs. To appear in CRYPTO 2013. arxiv:1211.1080 [quant-ph], 2012. 4 Hoi-Kwong Lo and H. F. Chau. Is quantum bit commitment really possible? Physical Review Letters, 78:3410 3413, 1997. arxiv:quant-ph/9603004. 2 Dominic Mayers. Unconditionally secure quantum bit commitment is impossible. Physical Review Letters, 78:3414 3417, 1997. arxiv:quant-ph/9605044. 2 [Nao91] Moni Naor. Bit commitment using pseudorandomness. Journal of Cryptology, 4(2):151 158, 1991. 1 6

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback