Workshop Boolean Functions and Applications June 21, 2019

Quantum-Computational Hybrid Cryptography based on the

Boolean Hidden Matching Problem

Romain Alléaume

Relation btw quantum cryptography and boolean functions ?

Quantumbit(Qbit)óSU(2)óPointontheBlockSphere

|0>,|1>:orthogonalvectorsofSU(2)

| i = cos(✓/2) |0i+ e

i�sin(✓/2)|1iv

v

Relation btw quantum cryptography and boolean functions ?

HolevoTheorem(73):theclassicalcapacityofnqubitsisatmostnbits

Quantumbit(Qbit)óSU(2)óPointontheBlockSphere

|0>,|1>:orthogonalvectorsofSU(2)

| i = cos(✓/2) |0i+ e

i�sin(✓/2)|1iv

v

Relation btw quantum cryptography and boolean functions ?

{|0>,|1>}óF2ó1classicalbit

v

v

v

v

v

v

BB84QKDencoding:{|0>,|1>,|+>,|->}

1bitmaxcapacityZero-erroreavesdroppingImpossible

=>(…)Security

HolevoTheorem(73):theclassicalcapacityofnqubitsisatmostnbits

Quantumbit(Qbit)óSU(2)óPointontheBlockSphere

|0>,|1>:orthogonalvectorsofSU(2)

| i = cos(✓/2) |0i+ e

i�sin(✓/2)|1iv

v

 ‘‘Quantum’’ is a frontier for computational cryptography

“Whenelementaryquantumsystems…areusedtotransmitdigitalinformaZon,theuncertaintyprinciplegivesrisetonovelcryptographicphenomenaunachievablewithtradiZonaltransmissionmedia.”

CharlesH.Benne_etGillesBrassard(1984)

 ‘‘Quantum’’ is a frontier for computational cryptography

“Whenelementaryquantumsystems…areusedtotransmitdigitalinformaZon,theuncertaintyprinciplegivesrisetonovelcryptographicphenomenaunachievablewithtradiZonaltransmissionmedia.”

CharlesH.Benne_etGillesBrassard(1984)

- KeyDistribuZon:QKD(BB94,E91,GG02,DI-QKD,MDI-QKD,etc..)- RandomnessGeneraZon:QRNG,DI-QRNG- SecuremulZ-partycomputaZon:Bitcommitment,OT,BlindQCCommonpoint:realizesomeexis1ngcryptographicfunc1onali1eswithoutcomputa1onalassump1on:

ITSsecurity=Uncondi1onalSecurity

Quantum Key Distribution: large-scale deployment in view

FirstEuropeanQKDNetwork,Vienna(2008)Geneva-LausanneQKDlink(1998)

Quantum Key Distribution: large-scale deployment in view

FirstEuropeanQKDNetwork,Vienna(2008)Geneva-LausanneQKDlink(1998)

QSatelliteMicius(2016)2000kmGroundQKDNetwork(2018)

EuropeanQuantumCommunicaZonInfrastructure:deploymentplannedby2030

Challenge: fundamental rate-loss trade-off (PLOB bound)

Lines=Upperbounds

Points=Experimentalresults

Challenge: fundamental rate-loss trade-off (PLOB bound)

Lines=Upperbounds

Points=Experimentalresults

Maximum Distance depends on conditions (i.e Dmax such that R(Dmax) ~1 bit/s)

400 km lab environment low-loss fiber supra-conducting detector

240 km lab environment dark fiber avalanche photodiode

150 km field deployment dark fiber avalanche photodiode

<100 km field deployment WDM avalanche photodiode

Breaking the rate-loss fundamental barrier QuantumRepeaters

QuantumInternetAllianceproject

Breaking the rate-loss fundamental barrier QuantumRepeaters

QuantumInternetAllianceproject

Thiswork:Quantum-Computa;onalHybridCryptographyUsecomputa,onalassump,onstoboostquantumcryptographyØ  Implementablewithcurrenttechnology(noquantummemory,norepeaters)Ø  Changeofsecuritymodel

•  RelaxuncondiZonalsecurityrequirement•  Keepcorecryptographicadvantage:everlasZngsecurity

Assumption 1 : Short-term-secure encryption exists

Legitimate users can use a (computationally-secure) symmetric encryption

scheme indisguishable from a random function during a time at least τenc

Assumption 2 : Noisy Quantum Storage

Quantum memory decoheres within a time τcoh << τenc

Quantum Computational Hybrid (QCH) Security Model

Assumption 1 : Short-term-secure encryption exists

Legitimate users can use a (computationally-secure) symmetric encryption

scheme indisguishable from a random function during a time at least τenc

Assumption 2 : Noisy Quantum Storage

Quantum memory decoheres within a time τcoh << τenc

Quantum Computational Hybrid (QCH) Security Model

~min 1 Day 25 years

H1

How to design a KD protocol in the QCH model ?

Highdimensional(d>>1)quantumencodinge.gd=64(arZsZcview)

(H0,H1):parZZonintwod/2-dimensionalbooleansubspaces

H0

H1

How to design a KD protocol in the QCH model ?

Highdimensional(d>>1)quantumencodinge.gd=64(arZsZcview)

(H0,H1):parZZonintwod/2-dimensionalbooleansubspaces

High-levelideaforqcryptographicprotocol:

•  Encryptandsend(H0,H1)•  Encode1bitbasaqstate|φx>thatbelongstoH0orH1

Ifoneknows(H0,H1)ècandecodeb(measurement(H0,H1))Ifdoesnotknow(H0,H1)ècannotguessb(whatmeasurement?)

H0

,

Bob

Boolean Hidden Matching (BHM)

Alice

BinarymatchingM, ωMóParZZonof{1,n}inn/2pairs{(i1,j1),(i2,j2),…,(in,jn)}

guessb

x�{0,1}n

suchthatMx=ω +bn/2

cbits/qqubits

,

Bob

Boolean Hidden Matching (BHM)

Alice

BinarymatchingM, ωMóParZZonof{1,n}inn/2pairs{(i1,j1),(i2,j2),…,(in,jn)}

guessb

x�{0,1}n

suchthatMx=ω +bn/2

cbits/qqubits

ClassicalOne-waycomputaZonalcomplexityofBHMO(√n) bits

QuantumOne-waycomputaZonalcomplexityofBHMlog(n)qubits•  Alicesends|ψx> =Σi=1..n(-1)

xi|i>•  BobmeasuresaccordingtomatchingM:projecZonsPk(±)on|ik>±|j1>

ReferenceDmitryGavinsky,JuliaKempe,IordanisKerenidis,RanRaz,andRonaldDeWolf.Exponen,alsepara,onsforone-wayquantumcommuncomplexity,withappl.tocryptography.ACMSymposiumonTheoryofCompuZng2007.

New Q Crypto framework : Quantum Computational Timelock (QCT)

v

The;melockisaZmerdesignedtopreventtheopeningofavaultunZlitreachesapresetZme.Verystrongsecuritywhencombinedwithexternalsecuritymechanism(e.g.Sheriff)

Zme

Startopening(breaking)locks

Timelocked

PresetZme

New Q Crypto framework : Quantum Computational Timelock (QCT)

v

The;melockisaZmerdesignedtopreventtheopeningofavaultunZlitreachesapresetZme.Verystrongsecuritywhencombinedwithexternalsecuritymechanism(e.g.Sheriff)

Zme

Startopening(breaking)locks

Timelocked

PresetZme

AverageSheriffResponseTime

New Q Crypto framework : Quantum Computational Timelock (QCT)

v

The;melockisaZmerdesignedtopreventtheopeningofavaultunZlitreachesapresetZme.Verystrongsecuritywhencombinedwithexternalsecuritymechanism(e.g.Sheriff)

Zme

Startopening(breaking)locks

Timelocked

PresetZme

AverageSheriffResponseTime

ComputaZonalEncrypZon

τenc

Decoherence

τcoh

TimelockedclassicalinformaZonAlice(K)

b∈R {0,1}

x ∈ {0,1}n

DKM,ωEK (M,ω)

QChannel

bBBinarymatchingM

Bob(K)

M,ω ∈R {0,1}O(n)

Λ

EK (S)

IdealQchannel

EveX NoinformaZonaboutS

A-B

Δt > tcomp

XTimelockencrypZonelapsed

Measurement

tcoh << tcomp

NoisyQuantumStorage

tcoh

X ClassicalDecoding

SbE

Zme

Zme

t

T+Δt

QCT leads to reduction (C/Q separation) to Hidden Matching

A-E

Alice(K)

b∈R {0,1}

x ∈ {0,1}n

S = (M,ω)∈R {0,1}O(n)

|ψx >

|ψx >

y

QCommunicaZonbtwAandB

ReducestoCcommunicaZonbtwAandE

Performance of Hidden Matching - QCT protocol

Reduction to BHM:

Secure KD with O(√n) photons / ch use

è Longer reach è Higher rates

than QKD

0 50 100 150 200 250 300 350

-6

-4

-2

0

km

RateHdBL

QKD

105modes

102modes

108modes

Granted Patent EP15305017.4 WO2016110582 Romain Alléaume, Communications with everlasting security from short-term-secure encrypted communication

Implementable with coherent states, with high dimensional (n modes) encoding

Conclusion and perspectives

QCryptocanbeboostedbyephemeralcomputa;onalassump;ons

-  Everlas1ngsecurityinnoisystoragemodel-  Improvedperformances-  ImprovedfuncZonaliZes:1toNKD;noneedtotrustBob

FutureworkandOpenques;ons

ExperimentalImplementaZon(ongoingwork,frequencyencoding)

IsabeSerscalingachievable?(e.g,ratescaleslike0(n))

èExplorealternaZveconstrucZonsandconnecZonswith:-  CommunicaZoncomplexity-  Locallydecodablecodes-  Randomnessextractors

-  Othertechniquesfromcryptographyandcoding?