quantum-computational hybrid cryptography based on the...
TRANSCRIPT
Workshop Boolean Functions and Applications June 21, 2019
Quantum-Computational Hybrid Cryptography based on the
Boolean Hidden Matching Problem
Romain Alléaume
Relation btw quantum cryptography and boolean functions ?
Quantumbit(Qbit)óSU(2)óPointontheBlockSphere
|0>,|1>:orthogonalvectorsofSU(2)
| i = cos(✓/2) |0i+ e
i�sin(✓/2)|1iv
v
Relation btw quantum cryptography and boolean functions ?
HolevoTheorem(73):theclassicalcapacityofnqubitsisatmostnbits
Quantumbit(Qbit)óSU(2)óPointontheBlockSphere
|0>,|1>:orthogonalvectorsofSU(2)
| i = cos(✓/2) |0i+ e
i�sin(✓/2)|1iv
v
Relation btw quantum cryptography and boolean functions ?
{|0>,|1>}óF2ó1classicalbit
v
v
v
v
v
v
BB84QKDencoding:{|0>,|1>,|+>,|->}
1bitmaxcapacityZero-erroreavesdroppingImpossible
=>(…)Security
HolevoTheorem(73):theclassicalcapacityofnqubitsisatmostnbits
Quantumbit(Qbit)óSU(2)óPointontheBlockSphere
|0>,|1>:orthogonalvectorsofSU(2)
| i = cos(✓/2) |0i+ e
i�sin(✓/2)|1iv
v
‘‘Quantum’’ is a frontier for computational cryptography
“Whenelementaryquantumsystems…areusedtotransmitdigitalinformaZon,theuncertaintyprinciplegivesrisetonovelcryptographicphenomenaunachievablewithtradiZonaltransmissionmedia.”
CharlesH.Benne_etGillesBrassard(1984)
‘‘Quantum’’ is a frontier for computational cryptography
“Whenelementaryquantumsystems…areusedtotransmitdigitalinformaZon,theuncertaintyprinciplegivesrisetonovelcryptographicphenomenaunachievablewithtradiZonaltransmissionmedia.”
CharlesH.Benne_etGillesBrassard(1984)
- KeyDistribuZon:QKD(BB94,E91,GG02,DI-QKD,MDI-QKD,etc..)- RandomnessGeneraZon:QRNG,DI-QRNG- SecuremulZ-partycomputaZon:Bitcommitment,OT,BlindQCCommonpoint:realizesomeexis1ngcryptographicfunc1onali1eswithoutcomputa1onalassump1on:
ITSsecurity=Uncondi1onalSecurity
Quantum Key Distribution: large-scale deployment in view
FirstEuropeanQKDNetwork,Vienna(2008)Geneva-LausanneQKDlink(1998)
Quantum Key Distribution: large-scale deployment in view
FirstEuropeanQKDNetwork,Vienna(2008)Geneva-LausanneQKDlink(1998)
QSatelliteMicius(2016)2000kmGroundQKDNetwork(2018)
EuropeanQuantumCommunicaZonInfrastructure:deploymentplannedby2030
Challenge: fundamental rate-loss trade-off (PLOB bound)
Lines=Upperbounds
Points=Experimentalresults
Challenge: fundamental rate-loss trade-off (PLOB bound)
Lines=Upperbounds
Points=Experimentalresults
Maximum Distance depends on conditions (i.e Dmax such that R(Dmax) ~1 bit/s)
400 km lab environment low-loss fiber supra-conducting detector
240 km lab environment dark fiber avalanche photodiode
150 km field deployment dark fiber avalanche photodiode
<100 km field deployment WDM avalanche photodiode
Breaking the rate-loss fundamental barrier QuantumRepeaters
QuantumInternetAllianceproject
Breaking the rate-loss fundamental barrier QuantumRepeaters
QuantumInternetAllianceproject
Thiswork:Quantum-Computa;onalHybridCryptographyUsecomputa,onalassump,onstoboostquantumcryptographyØ Implementablewithcurrenttechnology(noquantummemory,norepeaters)Ø Changeofsecuritymodel
• RelaxuncondiZonalsecurityrequirement• Keepcorecryptographicadvantage:everlasZngsecurity
Assumption 1 : Short-term-secure encryption exists
Legitimate users can use a (computationally-secure) symmetric encryption
scheme indisguishable from a random function during a time at least τenc
Assumption 2 : Noisy Quantum Storage
Quantum memory decoheres within a time τcoh << τenc
Quantum Computational Hybrid (QCH) Security Model
Assumption 1 : Short-term-secure encryption exists
Legitimate users can use a (computationally-secure) symmetric encryption
scheme indisguishable from a random function during a time at least τenc
Assumption 2 : Noisy Quantum Storage
Quantum memory decoheres within a time τcoh << τenc
Quantum Computational Hybrid (QCH) Security Model
~min 1 Day 25 years
H1
How to design a KD protocol in the QCH model ?
Highdimensional(d>>1)quantumencodinge.gd=64(arZsZcview)
(H0,H1):parZZonintwod/2-dimensionalbooleansubspaces
H0
H1
How to design a KD protocol in the QCH model ?
Highdimensional(d>>1)quantumencodinge.gd=64(arZsZcview)
(H0,H1):parZZonintwod/2-dimensionalbooleansubspaces
High-levelideaforqcryptographicprotocol:
• Encryptandsend(H0,H1)• Encode1bitbasaqstate|φx>thatbelongstoH0orH1
Ifoneknows(H0,H1)ècandecodeb(measurement(H0,H1))Ifdoesnotknow(H0,H1)ècannotguessb(whatmeasurement?)
H0
,
Bob
Boolean Hidden Matching (BHM)
Alice
BinarymatchingM, ωMóParZZonof{1,n}inn/2pairs{(i1,j1),(i2,j2),…,(in,jn)}
guessb
x�{0,1}n
suchthatMx=ω +bn/2
cbits/qqubits
,
Bob
Boolean Hidden Matching (BHM)
Alice
BinarymatchingM, ωMóParZZonof{1,n}inn/2pairs{(i1,j1),(i2,j2),…,(in,jn)}
guessb
x�{0,1}n
suchthatMx=ω +bn/2
cbits/qqubits
ClassicalOne-waycomputaZonalcomplexityofBHMO(√n) bits
QuantumOne-waycomputaZonalcomplexityofBHMlog(n)qubits• Alicesends|ψx> =Σi=1..n(-1)
xi|i>• BobmeasuresaccordingtomatchingM:projecZonsPk(±)on|ik>±|j1>
ReferenceDmitryGavinsky,JuliaKempe,IordanisKerenidis,RanRaz,andRonaldDeWolf.Exponen,alsepara,onsforone-wayquantumcommuncomplexity,withappl.tocryptography.ACMSymposiumonTheoryofCompuZng2007.
New Q Crypto framework : Quantum Computational Timelock (QCT)
v
The;melockisaZmerdesignedtopreventtheopeningofavaultunZlitreachesapresetZme.Verystrongsecuritywhencombinedwithexternalsecuritymechanism(e.g.Sheriff)
Zme
Startopening(breaking)locks
Timelocked
PresetZme
New Q Crypto framework : Quantum Computational Timelock (QCT)
v
The;melockisaZmerdesignedtopreventtheopeningofavaultunZlitreachesapresetZme.Verystrongsecuritywhencombinedwithexternalsecuritymechanism(e.g.Sheriff)
Zme
Startopening(breaking)locks
Timelocked
PresetZme
AverageSheriffResponseTime
New Q Crypto framework : Quantum Computational Timelock (QCT)
v
The;melockisaZmerdesignedtopreventtheopeningofavaultunZlitreachesapresetZme.Verystrongsecuritywhencombinedwithexternalsecuritymechanism(e.g.Sheriff)
Zme
Startopening(breaking)locks
Timelocked
PresetZme
AverageSheriffResponseTime
ComputaZonalEncrypZon
τenc
Decoherence
τcoh
TimelockedclassicalinformaZonAlice(K)
b∈R {0,1}
x ∈ {0,1}n
DKM,ωEK (M,ω)
QChannel
bBBinarymatchingM
Bob(K)
M,ω ∈R {0,1}O(n)
Λ
EK (S)
IdealQchannel
EveX NoinformaZonaboutS
A-B
Δt > tcomp
XTimelockencrypZonelapsed
Measurement
tcoh << tcomp
NoisyQuantumStorage
tcoh
X ClassicalDecoding
SbE
Zme
Zme
t
T+Δt
QCT leads to reduction (C/Q separation) to Hidden Matching
A-E
Alice(K)
b∈R {0,1}
x ∈ {0,1}n
S = (M,ω)∈R {0,1}O(n)
|ψx >
|ψx >
y
QCommunicaZonbtwAandB
ReducestoCcommunicaZonbtwAandE
Performance of Hidden Matching - QCT protocol
Reduction to BHM:
Secure KD with O(√n) photons / ch use
è Longer reach è Higher rates
than QKD
0 50 100 150 200 250 300 350
-6
-4
-2
0
km
RateHdBL
QKD
105modes
102modes
108modes
Granted Patent EP15305017.4 WO2016110582 Romain Alléaume, Communications with everlasting security from short-term-secure encrypted communication
Implementable with coherent states, with high dimensional (n modes) encoding
Conclusion and perspectives
QCryptocanbeboostedbyephemeralcomputa;onalassump;ons
- Everlas1ngsecurityinnoisystoragemodel- Improvedperformances- ImprovedfuncZonaliZes:1toNKD;noneedtotrustBob
FutureworkandOpenques;ons
ExperimentalImplementaZon(ongoingwork,frequencyencoding)
IsabeSerscalingachievable?(e.g,ratescaleslike0(n))
èExplorealternaZveconstrucZonsandconnecZonswith:- CommunicaZoncomplexity- Locallydecodablecodes- Randomnessextractors
- Othertechniquesfromcryptographyandcoding?