in the Quantum Setting with Applications
Frédéric Dupuis (Faculty of Informatics, Masaryk University, Brno, Czech Republic), Serge Fehr (CWI, Amsterdam, The Netherlands), Philippe Lamontagne and Louis Salvail (Université de Montréal (DIRO), Montréal, Canada)
January 6, 2016
Two-Party Secure Computation
Two distrustful parties Alice and Bob wish to compute a joint function f(x, y) of their respective inputs x and y.
[Figure: Alice holds x, Bob holds y; an ideal functionality F returns f(x, y) to both parties.]
Impossible Without Assumptions
Classically, security is impossible to achieve for most functions f without assumptions. Protocols rely on assumptions:
1. Computational assumptions.
2. Cryptographic primitives.
3. Physical assumptions (e.g. parties are spatially separated).
It was long thought that quantum mechanics could be exploited (uncertainty principle, no-cloning, etc.). However, this task is also impossible quantumly [May97].
Quantum assumptions include:
1. Classical assumptions.
2. Bounded quantum storage.
3. Noisy quantum storage.
Adaptive Versus Non-Adaptive Attacks
An adversarial strategy is adaptive if the adversary has access to side-information to tailor its attack, and non-adaptive if the adversary has no access to any such information.
Having access to k bits of side-information can only increase the adversary's probability of successfully breaking a protocol by a factor $2^k$:
$$P^{\mathrm{NA}}_{\mathrm{succ}} \ge \frac{1}{2^k}\, P^{\mathrm{A}}_{\mathrm{succ}} \quad\Longleftrightarrow\quad P^{\mathrm{A}}_{\mathrm{succ}} \le 2^k\, P^{\mathrm{NA}}_{\mathrm{succ}} \qquad \text{(A-vs-NA)}$$
Quantum Information
When the side-information and cryptographic scheme are quantum, the situation is more complicated. Adaptivity is notoriously hard to handle when analysing quantum cryptographic schemes.
1. Entanglement is not well understood in general. Very sophisticated attacks are possible and difficult to analyze.
2. The quantum equivalent of adaptive attacks is entangled attacks: $\rho_{AB} \neq \rho_A \otimes \rho_B$.
3. Goal for a quantum A-vs-NA relation: determine how much we have to pay to unentangle $\rho_{AB}$.
Quantifying the Cost of Unentangling $\rho_{AB}$
The Loewner partial order: we say X is positive semi-definite, and write $X \ge 0$, if all eigenvalues of X are non-negative. This induces a partial order on Hermitian operators: $X \ge Y$ if $X - Y \ge 0$.
A useful property is that for any quantum operation $\mathcal{E}$ (incl. measurements), $X \ge Y \Rightarrow \mathcal{E}(X) \ge \mathcal{E}(Y)$.
We want to find the smallest h such that $\rho_{AB} \le 2^h\, \sigma_A \otimes \rho_B$ for some $\sigma_A$. This implies $P^{\mathrm{A}}_{\mathrm{succ}} \le 2^h\, P^{\mathrm{NA}}_{\mathrm{succ}}$.
1. $h = I_{\max}(B;A)_\rho$.
2. However, $I_{\max}(B;A)_\rho \le 2|A|$ in general.
Our result: we show how to recover (and improve) the classical A-vs-NA relation in a general quantum setting.
The Setting
[Figure: Alice and Bob share $\rho_{AB}$; Alice applies a measurement M on A and sends the outcome j to Bob; Bob applies the test $N_j$ on B and outputs pass/fail.]
The initial state $\rho_{AB}$ can be thought of as being prepared by Alice or Bob, or the output of a previous protocol, etc.
The $N_j$ are fixed and known to Alice. $P^{\mathrm{A}}_{\mathrm{succ}}$ is Alice's probability to pass, maximized over M; $P^{\mathrm{NA}}_{\mathrm{succ}}$ is obtained by maximizing over j.
Main Result
Theorem. For $P^{\mathrm{A}}_{\mathrm{succ}}$ and $P^{\mathrm{NA}}_{\mathrm{succ}}$ previously defined,
$$P^{\mathrm{A}}_{\mathrm{succ}} \le 2^{\,I^{\mathrm{acc}}_{\max}(B;A)_\rho}\; P^{\mathrm{NA}}_{\mathrm{succ}},$$
where $I^{\mathrm{acc}}_{\max}(B;A)_\rho$ is the smallest h such that for any measurement $\mathcal{M}: A \to J$,
$$(\mathcal{M} \otimes \mathcal{I})(\rho_{AB}) = \rho_{JB} \le 2^h\, \sigma_J \otimes \rho_B$$
for some $\sigma_J$.
It holds that for any $\rho_{AB}$, $I^{\mathrm{acc}}_{\max}(B;A)_\rho \le |A|$. We thus recover the A-vs-NA relation: $P^{\mathrm{A}}_{\mathrm{succ}} \le 2^k\, P^{\mathrm{NA}}_{\mathrm{succ}}$ if A holds k qubits.
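As an added worked derivation (not on the original slides), here is how the Loewner-order bound from the "Quantifying the Cost" slide, together with the monotonicity property stated there, yields the A-vs-NA factor in the setting of the previous slide. Assumed notation: Alice measures A with a POVM $\{M_j\}$ and sends j; $N_j^{\mathrm{pass}}$ denotes the "pass" operator of Bob's test $N_j$.

$$P^{\mathrm{A}}_{\mathrm{succ}} = \max_{\{M_j\}} \sum_j \mathrm{Tr}\!\big[(M_j \otimes N_j^{\mathrm{pass}})\,\rho_{AB}\big], \qquad P^{\mathrm{NA}}_{\mathrm{succ}} = \max_j \mathrm{Tr}\!\big[N_j^{\mathrm{pass}}\,\rho_B\big].$$

Suppose $\rho_{AB} \le 2^h\, \sigma_A \otimes \rho_B$. For any $P \ge 0$, $X \le Y$ implies $\mathrm{Tr}[PX] \le \mathrm{Tr}[PY]$ (since $\mathrm{Tr}[P(Y-X)] \ge 0$), and $M_j \otimes N_j^{\mathrm{pass}} \ge 0$, so for any fixed $\{M_j\}$:

$$\sum_j \mathrm{Tr}\!\big[(M_j \otimes N_j^{\mathrm{pass}})\,\rho_{AB}\big]
\;\le\; 2^h \sum_j \mathrm{Tr}[M_j \sigma_A]\;\mathrm{Tr}[N_j^{\mathrm{pass}} \rho_B]
\;\le\; 2^h \Big(\sum_j \mathrm{Tr}[M_j \sigma_A]\Big)\, \max_j \mathrm{Tr}[N_j^{\mathrm{pass}} \rho_B]
\;=\; 2^h\, P^{\mathrm{NA}}_{\mathrm{succ}},$$

using $\mathrm{Tr}[(M_j \otimes N)(\sigma_A \otimes \rho_B)] = \mathrm{Tr}[M_j \sigma_A]\,\mathrm{Tr}[N \rho_B]$, $\sum_j M_j = I$ and $\mathrm{Tr}[\sigma_A] = 1$. Maximizing over $\{M_j\}$ gives $P^{\mathrm{A}}_{\mathrm{succ}} \le 2^h\, P^{\mathrm{NA}}_{\mathrm{succ}}$, and the smallest admissible h is $I_{\max}(B;A)_\rho$.

For the accessible version in the theorem above, the same chain is applied after Alice's measurement: with $\rho_{JB} = (\mathcal{M} \otimes \mathcal{I})(\rho_{AB}) \le 2^h\, \sigma_J \otimes \rho_B$,

$$\sum_j \mathrm{Tr}\!\big[(|j\rangle\langle j| \otimes N_j^{\mathrm{pass}})\,\rho_{JB}\big]
\;\le\; 2^h \sum_j \langle j|\sigma_J|j\rangle\;\mathrm{Tr}[N_j^{\mathrm{pass}} \rho_B]
\;\le\; 2^h\, P^{\mathrm{NA}}_{\mathrm{succ}},$$

since $\sum_j \langle j|\sigma_J|j\rangle = 1$. The inequality on $\rho_{JB}$ only has to hold for classical-quantum states, which is why $I^{\mathrm{acc}}_{\max}(B;A)_\rho \le |A|$ can be shown while $I_{\max}(B;A)_\rho$ is in general only bounded by $2|A|$.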
Quantum Bit-Commitment
A bit-commitment scheme is defined in two phases:
1. a commit phase where the sender commits to a classical bit b, and
2. an opening phase where the sender reveals the bit b.
Bit commitment + QM are complete for two-party cryptography.
Our result allows us to prove security of bit commitment protocols that were too difficult to analyse before:
- A BC protocol based on the 1CC primitive (solving an open problem of [FKS+13]).
- First security proof of the BCJL scheme [BCJL93].
References
[BCJL93] G. Brassard, C. Crépeau, R. Jozsa, and D. Langlois. A quantum bit commitment scheme provably unbreakable by both parties. In Proceedings of the 34th Annual IEEE Symposium on Foundations of Computer Science, pages 362–371, 1993.
[FKS+13] Serge Fehr, Jonathan Katz, Fang Song, Hong-Sheng Zhou, and Vassilis Zikas. Feasibility and completeness of cryptographic tasks in the quantum world. In Amit Sahai, editor, Theory of Cryptography, volume 7785 of Lecture Notes in Computer Science, pages 281–296. Springer Berlin Heidelberg, 2013.
[May97] Dominic Mayers. Unconditionally secure quantum bit commitment is impossible. Phys. Rev. Lett., 78:3414–3417, Apr 1997.