Cryptography In the Cryptography In the Bounded Quantum-Storage Bounded Quantum-Storage Model Model Ivan Damgård, Louis Salvail, Ivan Damgård, Louis Salvail, Christian Christian Schaffner Schaffner BRICS, University of Århus, DK BRICS, University of Århus, DK Serge Fehr Serge Fehr CWI, Amsterdam, NL CWI, Amsterdam, NL
Cryptography In the Bounded Quantum-Storage Model. Ivan Damgård, Louis Salvail, Christian Schaffner BRICS, University of Århus, DK Serge Fehr CWI, Amsterdam, NL. FOCS 2005 - Pittsburgh Tuesday, October 25 th 2005. Rabin Oblivious Transfer. b. b / ?. Bit Commitment. b. C b. b. - PowerPoint PPT Presentation
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Cryptography In theCryptography In theBounded Quantum-Storage Bounded Quantum-Storage
ModelModel
Ivan Damgård, Louis Salvail, Ivan Damgård, Louis Salvail, Christian SchaffnerChristian SchaffnerBRICS, University of Århus, DKBRICS, University of Århus, DK
OT OT )) BC BC OT OT is complete for two-party cryptography
3 / 18
Known Impossibility ResultsKnown Impossibility Results
OT In the classical unconditionally In the classical unconditionally
secure model without further secure model without further assumptionsassumptions
BC In the unconditionally secure model In the unconditionally secure model
with quantum communicationwith quantum communication[Mayers97, Lo-Chau97][Mayers97, Lo-Chau97]
4 / 18
Classical Bounded-Storage ModelClassical Bounded-Storage Model
OT
BC
()
()
random string which players try to random string which players try to storestore
a memory bound applies at a specified a memory bound applies at a specified momentmoment
protocol for OT [DHRS, TCC04]: protocol for OT [DHRS, TCC04]: memory size of honest players:memory size of honest players: k k memory of dishonest players:memory of dishonest players: <k<k22
Tight bound [DM, EC04]Tight bound [DM, EC04] can be can be improved improved by allowingby allowing
quantum communicationquantum communication
5 / 18
Quantum Bounded-Storage ModelQuantum Bounded-Storage Model
OT
quantum memory bound applies at a quantum memory bound applies at a specified moment. Besides that, players specified moment. Besides that, players are unbounded (in time and space)are unbounded (in time and space)
unconditional secureunconditional secure against against adversaries with quantum memory of adversaries with quantum memory of less then less then half of the transmitted qubitshalf of the transmitted qubits
honest players honest players do not needdo not need quantumquantum memory memory at allat all
Quantum Bounded-Storage ModelQuantum Bounded-Storage Model Protocol for Oblivious TransferProtocol for Oblivious Transfer Protocol for Bit CommitmentProtocol for Bit Commitment Practicality IssuesPracticality Issues
Proof of Obliviousness: ToolsProof of Obliviousness: Tools
OT
Purification techniques like in the Purification techniques like in the Shor-Preskill security proof of BB84Shor-Preskill security proof of BB84
Privacy Amplification against Quantum Privacy Amplification against Quantum Adversaries [RK, TCC05]Adversaries [RK, TCC05]
new min-entropy based uncertainty new min-entropy based uncertainty relation:relation:
For a For a nn-qubit register A in state -qubit register A in state AA, ,
let Plet P++ and P and P££ be the probabilities of measuring A be the probabilities of measuring A in the +-basis respectively in the +-basis respectively ££-basis. Then it holds-basis. Then it holds
PP++11 + P + P££
11 ·· 1 + negl(n). 1 + negl(n).
12 / 18
AgendaAgenda
Quantum Bounded Storage ModelQuantum Bounded Storage Model Protocol for Oblivious TransferProtocol for Oblivious Transfer Protocol for Bit CommitmentProtocol for Bit Commitment Practicality IssuesPracticality Issues
13 / 18
Quantum Protocol for Bit CommitmentQuantum Protocol for Bit Commitment
BC
Verifier Committer
b; x0
x0 b
b2 f ;£ g
jx i r; ::; jxni rn
x 2R f ;gn
r 2R f ;£ gn
xi x0i
ri b
memory bound: store < n/2 qubits
14 / 18
BC
Verifier Committer
b; x0
b2 f ;g
one round, non-interactive one round, non-interactive commit by receiving!commit by receiving! unconditionally hidingunconditionally hiding unconditionally binding as long as unconditionally binding as long as
MemMemcommittercommitter < n / 2 < n / 2
n
memory bound: store < n/2 qubits
Quantum Protocol for Bit Commitment IIQuantum Protocol for Bit Commitment II
) proof uses same tools as for OT !
15 / 18
AgendaAgenda
Quantum Bounded Storage ModelQuantum Bounded Storage Model Protocol for Oblivious TransferProtocol for Oblivious Transfer Protocol for Bit CommitmentProtocol for Bit Commitment Practicality IssuesPracticality Issues
16 / 18
Practicality IssuesPracticality Issues
OT
BC
With today’s technology, weWith today’s technology, we cancan transmit quantum bits encoded in transmit quantum bits encoded in
photonsphotons cannot storecannot store them for longer than a few them for longer than a few
Well within reach of Well within reach of current current
technologytechnology.. makes sense over short distances makes sense over short distances
(in contrast to QKD)(in contrast to QKD)
18 / 18
SummarySummary
OT
Protocols for OT and BC that areProtocols for OT and BC that are efficient, non-interactiveefficient, non-interactive unconditionally secureunconditionally secure against against
adversaries with bounded quantum adversaries with bounded quantum memorymemory
practical:practical: honest players do not need quantum honest players do not need quantum
memorymemory fault-tolerantfault-tolerant
BC
Thank you for Thank you for your attention!your attention!