Quantum Setting with Applications


in the Quantum Setting with Applications
Frédéric Dupuis (1), Serge Fehr (2), Philippe Lamontagne (3), Louis Salvail (3)
(1) Faculty of Informatics, Masaryk University, Brno, Czech Republic
(2) CWI, Amsterdam, The Netherlands
(3) Université de Montréal (DIRO), Montréal, Canada
January 6, 2016

Two-Party Secure Computation

Two distrustful parties Alice and Bob wish to compute a joint function f(x, y) of their respective inputs x and y.

[Figure: Alice holds x, Bob holds y; both obtain f(x, y).]

Impossible Without Assumptions

Classically, security is impossible to achieve for most functions f without assumptions. Protocols rely on assumptions:
1. Computational assumptions.
2. Cryptographic primitives.
3. Physical assumptions (e.g. parties are spatially separated).

It was long thought that quantum mechanics could be exploited (uncertainty principle, no-cloning, etc.). However, this task is also impossible quantumly [May97].

Quantum assumptions include:
1. Classical assumptions.
2. Bounded quantum storage.
3. Noisy quantum storage.

Adaptive Versus Non-Adaptive Attacks

An adversarial strategy is adaptive if the adversary has access to side-information to tailor its attack, and non-adaptive if the adversary has no access to any such information.

Having access to k bits of side-information can only increase the adversary's probability of successfully breaking a protocol by a factor $2^k$:

$P^{NA}_{\mathrm{succ}} \ge \frac{1}{2^k} P^{A}_{\mathrm{succ}} \iff P^{A}_{\mathrm{succ}} \le 2^k P^{NA}_{\mathrm{succ}}$ (A-vs-NA)

Quantum Information

When the side-information and cryptographic scheme are quantum, the situation is more complicated. Adaptivity is notoriously hard to handle when analysing quantum cryptographic schemes.
1. Entanglement is not well understood in general. Very sophisticated attacks are possible and difficult to analyze.
2. The quantum equivalent of adaptive attacks are entangled attacks: $\rho_{AB} \neq \rho_A \otimes \rho_B$.
3. Goal for a quantum A-vs-NA relation: determine how much we have to pay to unentangle $\rho_{AB}$.

Quantifying the Cost of Unentangling $\rho_{AB}$

The Loewner partial order: We say X is positive semi-definite and we write $X \ge 0$ if all eigenvalues of X are non-negative. This induces a partial order on Hermitian operators: $X \ge Y$ if $X - Y \ge 0$.

A useful property is that for any quantum operation $\mathcal{E}$ (incl. measurements), $X \ge Y \implies \mathcal{E}(X) \ge \mathcal{E}(Y)$.

We want to find the smallest h such that $\rho_{AB} \le 2^h \sigma_A \otimes \rho_B$ for some $\sigma_A$. This implies $P^{A}_{\mathrm{succ}} \le 2^h P^{NA}_{\mathrm{succ}}$.
1. $h = I_{\max}(B;A)_\rho$.
2. However, $I_{\max}(B;A)_\rho \le 2|A|$ in general.

Our result: We show how to recover (and improve) the classical A-vs-NA relation in a general quantum setting.

The Setting

[Figure: starting from $\rho_{AB}$, $\mathcal{M}$ acts on A and outputs j; $\mathcal{N}^j$ acts on B and outputs pass/fail.]

The initial state $\rho_{AB}$ can be thought of as being prepared by Alice or Bob, or the output of a previous protocol, etc.

The $\mathcal{N}^j$ are fixed and known to Alice. $P^{A}_{\mathrm{succ}}$ is Alice's probability to pass, maximized over $\mathcal{M}$; $P^{NA}_{\mathrm{succ}}$ is obtained by maximizing over j.

Main Result

Theorem. For $P^{A}_{\mathrm{succ}}$ and $P^{NA}_{\mathrm{succ}}$ previously defined,

$P^{A}_{\mathrm{succ}} \le 2^{I^{\mathrm{acc}}_{\max}(B;A)_\rho} P^{NA}_{\mathrm{succ}}$

where $I^{\mathrm{acc}}_{\max}(B;A)_\rho$ is the smallest h such that for any $\mathcal{M}_{A \to J}$,

$(\mathcal{M} \otimes \mathcal{I})(\rho_{AB}) = \rho_{JB} \le 2^h \sigma_J \otimes \rho_B$

It holds that for any $\rho_{AB}$,

$I^{\mathrm{acc}}_{\max}(B;A)_\rho \le |A|$

We thus recover the A-vs-NA relation: $P^{A}_{\mathrm{succ}} \le 2^k P^{NA}_{\mathrm{succ}}$ if A holds k qubits.
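A numeric illustration of the two quantities above (the unentangling cost from the Loewner-order slide and the accessible version in the theorem), added here as an example and not taken from the talk. It assumes a two-qubit maximally entangled state with |A| = 1, fixes σ to the maximally mixed state, and uses a single computational-basis measurement on A; all function names are hypothetical.

```python
import math

def lambda_max(m, iters=200):
    """Largest eigenvalue of a real symmetric PSD matrix (power iteration)."""
    n = len(m)
    v = [1.0 + 0.01 * i for i in range(n)]
    lam = 0.0
    for _ in range(iters):
        w = [sum(m[i][j] * v[j] for j in range(n)) for i in range(n)]
        norm = math.sqrt(sum(x * x for x in w))
        if norm == 0.0:
            return 0.0
        v = [x / norm for x in w]
        lam = sum(v[i] * sum(m[i][j] * v[j] for j in range(n)) for i in range(n))
    return lam

def unentangling_cost(rho, sigma_diag, rho_b_diag):
    """Smallest h with rho <= 2^h * (sigma (x) rho_B) in the Loewner order.

    sigma and rho_B are given as diagonals (full rank). With tau = sigma (x) rho_B,
    rho <= 2^h tau holds iff lambda_max(tau^-1/2 rho tau^-1/2) <= 2^h.
    """
    tau = [s * b for s in sigma_diag for b in rho_b_diag]
    n = len(rho)
    scaled = [[rho[i][j] / math.sqrt(tau[i] * tau[j]) for j in range(n)]
              for i in range(n)]
    return math.log2(lambda_max(scaled))

def measure_a(rho, dim_b=2):
    """Computational-basis measurement on A: (M (x) I)(rho) keeps only the
    blocks whose row and column agree on A's basis index."""
    n = len(rho)
    return [[rho[i][j] if i // dim_b == j // dim_b else 0.0 for j in range(n)]
            for i in range(n)]

# Constructed sample input: (|00> + |11>)/sqrt(2), basis index = 2*a + b.
BELL = [[0.5, 0.0, 0.0, 0.5],
        [0.0, 0.0, 0.0, 0.0],
        [0.0, 0.0, 0.0, 0.0],
        [0.5, 0.0, 0.0, 0.5]]
MIXED = [0.5, 0.5]  # maximally mixed qubit: rho_B, and the assumed sigma

if __name__ == "__main__":
    print("entangled, h =", unentangling_cost(BELL, MIXED, MIXED))
    print("after measuring A, h =", unentangling_cost(measure_a(BELL), MIXED, MIXED))
```

Before the measurement the cost is h = 2 = 2|A|; once A has been measured it drops to h = 1 = |A|, which is the gap the theorem exploits.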

Quantum Bit-Commitment

A bit-commitment scheme is defined in two phases:
1. a commit phase where the sender commits to a classical bit b, and
2. an opening phase where the sender reveals the bit b.

Bit commitment + QM are complete for two-party cryptography.

Our result allows us to prove security of bit commitment protocols that were too difficult to analyse before:
- A BC protocol based on the 1CC primitive (solving an open problem of [FKS+13]).
- First security proof of the BCJL scheme [BCJL93].

References

[BCJL93] G. Brassard, C. Crepeau, R. Jozsa, and D. Langlois. A quantum bit commitment scheme provably unbreakable by both parties. In Proceedings of the 34th Annual IEEE Symposium on the Foundation of Computer Science, pages 362-371, 1993.

[FKS+13] Serge Fehr, Jonathan Katz, Fang Song, Hong-Sheng Zhou, and Vassilis Zikas. Feasibility and completeness of cryptographic tasks in the quantum world. In Amit Sahai, editor, Theory of Cryptography, volume 7785 of Lecture Notes in Computer Science, pages 281-296. Springer Berlin Heidelberg, 2013.

[May97] Dominic Mayers. Unconditionally secure quantum bit commitment is impossible. Phys. Rev. Lett., 78:3414-3417, Apr 1997.