Cryptography with Quantum Data

Adam Smith (Weizmann → IPAM → Penn State)

IPAM Workshop on Foundations of Cryptography, November 14, 2006

2

Cryptography in a Quantum World

• Landscape changes!
  New features appear
  New difficulties arise
  Some key pieces unchanged

• Needed: Tools and language for reasoning about quantum adversaries

• The field is still very young
  Some successes...
  ... occasional mistakes
  Lots of questions!

[Image: Isaac Newton (1642-1727), captioned "quantum thinkers needed"]

3

Some Things That Change

• Unconditional key exchange [BB84, ...]
• Factoring + DL broken [Sho]
• Weak 2-party unconditional primitives
  coin flipping [ATVY, Amb]
  string commitment [BCHLW]
• Some multi-prover commitments insecure [CST]
• Some extractors fail vs quantum memory [IKW]
  But some are OK [KMR]
• Some simulators for ZK proofs fail
  but new ones can sometimes be built [Wat]
• Bounded Storage Model more powerful [DFSS]
• See survey talk on http://theory.csail.mit.edu/~asmith

4

This talk: Salient Features (a partial* list)

• Multiparty Quantum Computing
  Parties hold quantum inputs
  Want to evaluate a quantum circuit
  Generalizes classical MPC

• Two feasibility results
  Statistical MPQC, cheating minority, à la [RB'89]
  Computational MPQC for arbitrary subsets, à la [GMW'87], under a non-standard assumption

• Along the way:
  Some infeasibility results
  Authentication and Approximate Error-Correction
  ZK Proofs of Knowledge

* = incomplete and biased

5

This Talk

• Basics of quantum computing
• Multiparty Quantum Computing (MPQC)
• Codes and Authentication
• MPQC with a cheating minority
• Beyond a faulty minority: 2-party QC
  ZK for quantum adversaries

6

Quantum Information: Pure States

• "Pure states" = vectors in complex space
• "qubit" = basic unit of quantum information
  $\alpha|0\rangle + \beta|1\rangle$ : $\alpha, \beta \in \mathbb{C}$, $|\alpha|^2 + |\beta|^2 = 1$
• Register of n qubits:
  $\sum_x \alpha_x |x\rangle$ (where $x \in \{0,1\}^n$)
• NB: qubit-by-qubit description not enough
  $2n$ numbers vs $2^n$ numbers

[Figure: the qubit $\alpha|0\rangle + \beta|1\rangle$ drawn as a vector with components along the $|0\rangle$ and $|1\rangle$ axes]

7

Quantum Circuits: 2 kinds of gates

• Invertible operations on n qubits
  = $2^n \times 2^n$ unitary matrices ($U^{-1} = U^\dagger$)
  $|\psi\rangle \to U \to U|\psi\rangle$
  e.g. Hadamard $H = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$

• Projective measurements: Ask a qubit: are you 0 or 1?
  State becomes $|0\rangle$ or $|1\rangle$ (according to output)
  Destructive!

[Figure: measuring $\alpha|0\rangle + \beta|1\rangle$ yields $|0\rangle$ with probability $|\alpha|^2$ and $|1\rangle$ with probability $|\beta|^2$]

8

Information versus Disturbance

• Important principle of quantum mechanics
• Consequence: No cloning!
• Theorem: If register A of $U|\psi\rangle$ equals $|\psi\rangle$ for all inputs $|\psi\rangle$, then register B is independent of $|\psi\rangle$
• Information $\Rightarrow$ Disturbance
  Secrecy $\Leftarrow$ Resilience to errors

[Figure: $U$ applied to $|\psi\rangle$ produces the two registers A and B; picture of Dolly the cloned sheep]
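To make the definitions on the three slides above concrete, here is a small pure-state simulator. It is an added example written for this transcript, not code from the talk: a register of n qubits is stored as a Python list of 2^n complex amplitudes, gates are applied as unitaries, measurement probabilities follow the Born rule, and the last function reproduces the no-cloning argument by checking that a CNOT, which copies |0⟩ and |1⟩ perfectly, only reaches fidelity 1/2 when asked to copy |+⟩. The function names and the two-qubit product test are the example's own choices.

```python
"""Pure-state simulator for the slides' definitions (added example, not from the talk).

A register of n qubits is 2**n complex amplitudes indexed by the bit string x;
gates are unitaries; measuring gives x with probability |alpha_x|^2.  The
cloning_attempt function shows why a linear gate cannot copy a superposition.
"""
import math

# Hadamard gate, (1/sqrt 2) [[1, 1], [1, -1]]
H = [[1 / math.sqrt(2), 1 / math.sqrt(2)],
     [1 / math.sqrt(2), -1 / math.sqrt(2)]]


def ket(bits):
    """Computational basis state |bits> of len(bits) qubits (leftmost bit = qubit 0)."""
    state = [0j] * (2 ** len(bits))
    state[int(bits, 2)] = 1 + 0j
    return state


def is_unitary(u, tol=1e-9):
    """Check U^dagger U = I, i.e. U^{-1} = U^dagger, for a square matrix."""
    d = len(u)
    for i in range(d):
        for j in range(d):
            s = sum(u[k][i].conjugate() * u[k][j] for k in range(d))
            if abs(s - (1 if i == j else 0)) > tol:
                return False
    return True


def apply_1q(state, u, target, n):
    """Apply a 2x2 unitary u to qubit `target` of an n-qubit state vector."""
    out = list(state)
    shift = n - 1 - target
    for x in range(2 ** n):
        if not (x >> shift) & 1:
            x0, x1 = x, x | (1 << shift)
            a, b = state[x0], state[x1]
            out[x0] = u[0][0] * a + u[0][1] * b
            out[x1] = u[1][0] * a + u[1][1] * b
    return out


def apply_cnot(state, control, target, n):
    """CNOT: flip `target` wherever `control` is 1 (a basis permutation, so unitary)."""
    out = list(state)
    cs, ts = n - 1 - control, n - 1 - target
    for x in range(2 ** n):
        if (x >> cs) & 1:
            out[x ^ (1 << ts)] = state[x]
    return out


def probabilities(state):
    """Born rule: outcome x of a full measurement has probability |alpha_x|^2."""
    return [abs(a) ** 2 for a in state]


def fidelity(s, t):
    """|<s|t>|^2, which is 1 exactly when the two pure states coincide."""
    return abs(sum(a.conjugate() * b for a, b in zip(s, t))) ** 2


def tensor(s, t):
    """Product state |s>|t> (s on the left / higher-order qubits)."""
    return [a * b for a in s for b in t]


def is_product_2q(state, tol=1e-9):
    """True iff a 2-qubit state factors as |u>|v>.

    Writing the amplitudes as a 2x2 matrix alpha_{ab}, a product state has
    rank 1 (zero determinant); an entangled state such as (|00>+|11>)/sqrt2
    does not.  This is the "2n numbers vs 2^n numbers" point of the slide.
    """
    a00, a01, a10, a11 = state
    return abs(a00 * a11 - a01 * a10) < tol


def cloning_attempt(psi):
    """Try to copy the 1-qubit state psi with a CNOT onto a fresh |0>.

    CNOT copies |0> and |1> exactly.  Returned is the fidelity between
    CNOT(|psi>|0>) and the wanted |psi>|psi>; it is 1 for basis states and
    drops to 1/2 for |+>, whose "copy" is instead an entangled Bell pair.
    """
    cloned = apply_cnot(tensor(psi, ket("0")), 0, 1, 2)
    return fidelity(cloned, tensor(psi, psi))
```

The cloning check is the whole information-versus-disturbance slide in one line: the map is linear, so it is fixed by what it does on |0⟩ and |1⟩, and on their superposition it produces correlation with the ancilla instead of a copy.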

10

Classical Multiparty Computation

• Resource: number of honest players

[Figure: players Alice ($x_A$), Harriet ($x_H$), Charlie ($x_C$), George ($x_G$), Bob ($x_B$), Fred ($x_F$), Diane ($x_D$), Eve ($x_E$) send their inputs to a trusted classical circuit C; some of them are cheaters; the ideal-world view is produced by a simulator]

11

Quantum Multiparty Computation

• Each player sends quantum input
• Receives quantum output
• Secure against UC distinguisher
• Generalizes classical SFE
• New techniques are needed
  Players cannot keep copies of their input
  Rewinding may not be possible
  Need to operate on encoded / encrypted quantum states

[Figure: the same eight players, now sending quantum inputs to a trusted quantum circuit C, with cheaters and simulator; picture of Dolly (no cloning)]

13

Some Terminology

• With abort?
  This talk: unfair abort (based on cheaters' output)
• Perfect / statistical security
• Computational security

14

Basic Feasibility Results (assuming broadcast)

t = number of cheaters among n players; thresholds at n/6, n/4, n/3, n/2, n

Classical:
  Perfect MPC [BGW,CCD]:            t < n/3   (perfect MPC impossible for t ≥ n/3)
  Statistical MPC [RB]:             t < n/2   (statistical MPC impossible for t ≥ n/2, even w. abort)
  Computational MPC w. abort [GMW]: t < n

Quantum (Q):
  MPQC [CGS'02]:                    t < n/6
  Perfect MPQC:                     impossible for t ≥ n/4 [CGS'02-'05]
  Statistical MPQC [BCGHS'06]:      t < n/2   (statistical MPQC impossible for t ≥ n/2, even w. abort)
  Computational* MPQC w. abort [S]: t < n
16

Basic Feasibility Results (assuming broadcast)

• [CGS'02]: use error-correcting codes and fault-tolerant circuits [AB]
• 2nd real proof of quantum security
• Barrier at n/4: quantum codes [KL]
• Authentication codes [BCGST '02] give
  approximate codes [CGS '05]
  reduction to computation on keys
17

This Talk

• Basics of quantum computing
• Multiparty Quantum Computing
• Codes and Authentication
  Quantum error-correcting codes
  A spurious lower bound
  Authentication
  Approximate Codes and Secret Sharing
• MPQC with a cheating minority
• Beyond a faulty minority: 2-party QC
  ZK for quantum adversaries

18

Error Correcting Codes

• Map k qubits → n qubits: introduce redundancy
• If few qubits are corrupted or erased, the decoder recovers the input exactly
• Tricky because of no cloning: the repetition code doesn't work
• Good codes exist [CSS]. Over a large alphabet [AB99]: correct (n-1)/4 errors or (n-1)/2 erasures

[Figure: $|\psi\rangle \to E(|\psi\rangle)$ → channel → corrupted $E(|\psi\rangle)$ → decoding → $|\psi\rangle$]

19

Quantum codes cannot correct n/4 errors

• As in the classical case: correct t errors ⇔ correct 2t erasures
• Quantum codes cannot correct n/2 erasures (no cloning)
  ⇒ quantum codes cannot correct n/4 errors
  (not true of classical codes: repetition)

[Figure: the n positions split as 2t + t + t; running the decoder on each of two disjoint halves of $E(|\psi\rangle)$ would output $|\psi\rangle$ twice, i.e. clone it; picture of Dolly]

21

A spurious lower bound

Lemma: Every MPQC protocol tolerating t cheaters implies the existence of a code correcting t errors with high fidelity
  (honest players should be able to reconstruct the output)

• [CGS'02]: MPQC is impossible for t ≥ n/4
• How do we get around this?
  Authenticating quantum states [BCGST]
  Approximate QECC break the n/4 bound
  Connection to secret sharing

[Figure: the eight players running the protocol]

[Overlay stamped on the slide: the lemma only holds for perfect security; [CGS'05] marks the t ≥ n/4 impossibility claim FALSE]

22

Authenticating Quantum Messages [BCGST]

• How does Alice know it's Bob? Classical MACs
• What if he needs to send her qubits?

23

Authenticating Quantum Messages [BCGST]

• System behaves like a "channel with veto"
  Eve inputs one bit (accept/reject)
  No cloning ⇒ if Bob accepts, Eve learns nothing
  In fact, Eve learns nothing. Ever.
  Authentication ⇒ encryption

• [BCGST'02] poly-time protocols
  m qubits → $2m + 2\log(m/\epsilon)$ bits of key
  Construction on board?

[Figure: Alice sends $A_k(|\psi\rangle)$ to Bob through Eve; Bob outputs $|\psi\rangle$ or ?; Alice and Bob share the classical key k; picture of Dolly]

24

Approximate Codes [CGS'05]

• Code "correcting" (n-1)/2 errors
• Start with an (n-1)/2 erasure-correcting code
  Authenticate each piece
  Secret-share the keys
  Use classical MACs to authenticate the keys
• AQECC "correcting" (n-1)/2 errors
  If any majority of pieces is untouched,
  then the original state is recovered approximately
  Corrects twice as many errors
  No classical analogue in codes... (see also [LNCY])

[Figure: $|\psi\rangle \to E(|\psi\rangle)$ split into five pieces, each authenticated as $A_{k_i}(|\psi_i\rangle)$, plus classical shares + MAC of the authentication keys]

26

Secret Sharing and Quantum Codes

• AQECC smell like secret sharing
  Similar to Rabin – Ben-Or '89
• [CGL] Every quantum code is a SS scheme
• Lesson of AQECC: best viewed as robust SS (a.k.a. PSMT)
  Secret sharing is the right classical analogue of quantum error-correction
  "Cryptography is everything!" (S. Micali)

[Figure: $E(|\psi\rangle)$ with some positions erased still decodes to $|\psi\rangle$; the erased positions alone carry no info; picture of Dolly]
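The three slides above (approximate codes and their reading as robust secret sharing) have a fully classical counterpart, which is what this added example implements; it is written for this transcript and is not code from the talk or from the cited papers. The encoding follows the slide's recipe with classical pieces: Shamir sharing over a prime field is the erasure-correcting code, each share is authenticated with a one-time polynomial MAC, and the MAC keys are held by the other players, as in Rabin-Ben-Or '89. Reconstruction keeps a share only if more than t key-holders accept it and then interpolates. The field size, the MAC, the 7-player/3-cheater demo and the sample secret are the example's own choices.

```python
"""Robust secret sharing: the classical analogue of the approximate code on the
previous slides (added example, not from the talk or the cited papers).

Encode as on slide 24: erasure-correct (Shamir sharing), then authenticate each
piece with one-time MACs whose keys the *other* players hold, as in Rabin-Ben-Or '89.
Decode: keep a share only if more than t key-holders accept it, then interpolate.
With t < n/2 corrupted players the secret is always recovered here, because a
changed share can only be accepted by the t cheaters themselves.
"""
import random

P = 2 ** 61 - 1   # prime field for shares and MAC tags (example's choice)


def mac(key, m):
    """One-time polynomial MAC over GF(P): tag = a*m + b.  Never reuse (a, b)."""
    a, b = key
    return (a * m + b) % P


def shamir_share(secret, n, t, rng):
    """Evaluate a random degree-t polynomial with constant term `secret` at x = 1..n."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]
    return [sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
            for x in range(1, n + 1)]


def interpolate_at_zero(points):
    """Lagrange interpolation of (x, y) pairs, evaluated at x = 0."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def robust_share(secret, n, t, rng):
    """Dealer output.  Player i gets shares[i] and tags[i] (one tag per checker j);
    player j gets keys[j] (one key per share i it will later check)."""
    shares = shamir_share(secret, n, t, rng)
    keys = [[(rng.randrange(1, P), rng.randrange(P)) for _ in range(n)] for _ in range(n)]
    tags = [[mac(keys[j][i], shares[i]) for j in range(n)] for i in range(n)]
    return shares, tags, keys


def robust_reconstruct(shares, tags, keys, t):
    """Accept share i if more than t checkers verify it, then interpolate t+1 of them.

    An honest share is accepted by all n - t > t honest checkers.  A changed
    share fails every honest checker's MAC (a != 0 makes a*m + b injective in m),
    so it collects at most t votes from the colluding cheaters and is dropped.
    """
    n = len(shares)
    accepted = []
    for i in range(n):
        votes = sum(1 for j in range(n) if mac(keys[j][i], shares[i]) == tags[i][j])
        if votes > t:
            accepted.append((i + 1, shares[i]))
    if len(accepted) < t + 1:
        raise ValueError("too few authenticated shares")
    return interpolate_at_zero(accepted[: t + 1])


def demo(n=7, t=3, seed=1):
    """Share, let t colluding cheaters corrupt their shares and their keys, recover.

    Returns (secret, naive, robust): `naive` interpolates the first t+1 shares
    without checking tags (constructed to include the cheaters' shares), `robust`
    uses the authenticated reconstruction.
    """
    rng = random.Random(seed)
    secret = 0xC0FFEE                       # constructed sample secret
    shares, tags, keys = robust_share(secret, n, t, rng)
    cheaters = range(t)
    for c in cheaters:                      # cheaters change their shares ...
        shares[c] = (shares[c] + 1 + rng.randrange(P - 1)) % P
        keys[c] = [(rng.randrange(1, P), rng.randrange(P)) for _ in range(n)]  # ... and lie about keys
    for c in cheaters:                      # colluders forge each other's tags
        for j in cheaters:
            tags[c][j] = mac(keys[j][c], shares[c])
    naive = interpolate_at_zero([(i + 1, shares[i]) for i in range(t + 1)])
    robust = robust_reconstruct(shares, tags, keys, t)
    return secret, naive, robust
```

The quantum construction on slide 24 has exactly this shape with the pieces replaced by authenticated qubits $A_{k_i}(|\psi_i\rangle)$: the classical MACs on the keys play the role the tags play here, and "any majority untouched" is the same t < n/2 condition that makes the vote above decisive.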

29

MPQC with a cheating minority

• AQECC is the basic underlying code
  Need to operate on encoded states

• Two more tools
  Computing on keys
    Authenticate data using [BCGST]
    Operate on the state by changing the classical key
    Trivial example: One-Time Pad $E_k(x) = x + k$ and a matrix $A$:
      $A(E_k(x)) = E_{Ak}(Ax)$
    This performs Clifford operations
  Fault-tolerant QC [Shor, AB, BCGHS]
    Can use Clifford ops to verify a universal set of gates
    Get cheaters to perform gates, then check
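The one-time-pad identity on the slide is the whole "computing on keys" idea, so here it is worked through in bits; this is an added classical example for the transcript, not code from the talk. With $E_k(x) = x \oplus k$ and any linear map $A$ over GF(2), the ciphertext holder applies $A$ and the key holder applies $A$ to the key, and decryption yields $Ax$ without anyone seeing $x$. The block also shows the other half of the slide's point: for a non-linear gate (AND here) no key-only update exists, which is why the remaining gates need the interactive "perform, then check" step. The quantum version replaces XOR with the Pauli one-time pad and $A$ with a Clifford gate. The example's matrices (a classical shadow of CNOT and a 3-bit XOR layer) are its own choices.

```python
"""Computing on keys with a one-time pad (added classical example, not from the talk).

E_k(x) = x XOR k on bit vectors.  For any linear map A over GF(2),
A(E_k(x)) = A x XOR A k = E_{A k}(A x): the party holding the ciphertext applies
A, the key holder applies A to the key, and the plaintext is never exposed.
For a non-linear gate (AND here) no such key update exists.
"""


def xor(u, v):
    """Bitwise XOR of two equal-length bit lists."""
    return [a ^ b for a, b in zip(u, v)]


def matvec(a, x):
    """Matrix-vector product over GF(2); rows of `a` are bit lists."""
    return [sum(r & s for r, s in zip(row, x)) & 1 for row in a]


def encrypt(x, k):
    return xor(x, k)


def decrypt(c, k):
    return xor(c, k)


def all_inputs(n):
    """All 2**n bit vectors of length n, most significant bit first."""
    return [[(i >> (n - 1 - j)) & 1 for j in range(n)] for i in range(2 ** n)]


# Classical shadow of CNOT: (x1, x2) -> (x1, x1 XOR x2)   (example's choice)
CNOT = [[1, 0], [1, 1]]
# A 3-bit linear layer: (x1, x2, x3) -> (x1 XOR x2, x2 XOR x3, x3)   (example's choice)
LAYER3 = [[1, 1, 0], [0, 1, 1], [0, 0, 1]]


def apply_to_ciphertext(a, c, k):
    """Ciphertext holder computes A c; key holder computes A k.  Returns both."""
    return matvec(a, c), matvec(a, k)


def linear_commutes(a, x, k):
    """Check decrypt(A c, A k) == A x for one plaintext/key pair."""
    c = encrypt(x, k)
    c2, k2 = apply_to_ciphertext(a, c, k)
    return decrypt(c2, k2) == matvec(a, x)


def linear_commutes_everywhere(a):
    """Exhaustively verify the key-update rule for a square binary matrix."""
    n = len(a)
    return all(linear_commutes(a, x, k) for x in all_inputs(n) for k in all_inputs(n))


def and_gate(x):
    return x[0] & x[1]


def and_key_update_exists(k):
    """Is there a constant f(k) with AND(x XOR k) == AND(x) XOR f(k) for every x?

    True only for k = (0, 0): with any other pad, the AND of the ciphertext
    bits is not the AND of the plaintext bits up to a key-only correction.
    """
    return any(all(and_gate(xor(x, k)) == (and_gate(x) ^ f) for x in all_inputs(2))
               for f in (0, 1))
```

The exhaustive checks are small here because the inputs are two or three bits, but the argument they confirm is algebraic and holds for any n: linearity of $A$ is exactly what lets the key update $k \mapsto Ak$ be computed with no knowledge of $x$.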

30

MPQC with a cheating minority

• Share inputs
• Verify using RB-style machinery
  a few more layers...
• Compute
  Reduce quantum computations to classical computations on keys
  Use classical SFE to manipulate keys
  UC framework allows modular design [BM]
• Distribute
• Bonus: get a straight-line simulator

31

Basic Feasibility Results (assuming broadcast)

• Complete picture of robust MPQC (with no abort)
• Insights into coding along the way
• New tools for fault-tolerant computing
• Major factor: no cloning [picture of Dolly]

33

Two-party Quantum Computation

• Many ideas of MPQC can apply here
• AQECC replaced by commitment
• As before: operate on classical keys
• Need classical 2-party QC

[Figure: $|\psi\rangle \to A_k(|\psi\rangle)$ sent together with Commit(k)]

34

Two-party Quantum Computation

• Problem: standard ZK simulation + extraction arguments may not work in the quantum world
  Rewinding = cloning auxiliary info
  Sequential composition is lost
• Big step: Watrous' simulator for 3-round ZK
  Does not give a knowledge extractor
• Idea: We can lie, need to read minds
  Attach special preamble
  Work in progress: need funny assumptions
  Refine understanding of how we argue security

[picture of Dolly]

37

Things I Did Not Talk About

• Proofs!
• Quantum Key Distribution
• Byzantine Agreement in the full-information model [BH]
• Randomness Extraction with Quantum Memories [AS'04, KMR'04, D'06, GIKRdW'06]
• Fault-tolerant QC
• Multiprover commitments [CST]
• ...

Thanks

Co-authors: Howard Barnum (LANL), Michael Ben-Or (HUJI), Claude Crépeau (McGill), Daniel Gottesman (Perimeter/Waterloo), Avinatan Hasidim (HUJI), Alain Tapp (Montreal)

Discussions: Boaz Barak, Louis Salvail, Jon Katz, ...
