Feasibility and Completeness of Cryptographic Tasks in the Quantum World Hong-Sheng Zhou (U. Maryland) Joint work with Jonathan Katz (U. Maryland) Fang.

Feasibility and Completeness

of

Cryptographic Tasks in the

Quantum World

Hong-Sheng Zhou (U. Maryland)

Joint work with Jonathan Katz (U. Maryland) Fang Song (Penn. State U.)Vassilis Zikas (U. Maryland)

How would classical cryptography change in a

quantum world?

• Take advantage of quantum to break protocolso Factoring and Discrete Logarithm-based protocols are no

longer secure [Shor94]

• Use quantum to build protocolso Quantum Key Distribution (QKD)[BB84]

• Use classical authenticated channel to build statistically secure channel

• Impossible in the classical setting

How would quantum change classical crypto?

• Secure Multi-Party Computation over the Interneto Allow mutually distrustful parties to carry out a crypto

task over the Interneto E.g., coin-tossing, jointly evaluating a function, playing

online poker, commitment, oblivious transfer,….o Security model: Universal Composition (UC) framework

[Canetti01, Unruh10]• Computational vs Information Theoretical

o A notable distinction: [BBCS91]• Using quantum, Oblivious Transfer(OT) can be implemented

from Commitment (COM) • Universally Composable, Statistical Security

[DFLSS09,Unruh10]• Impossible in the classical setting


Question: are there more distinctions that quantum brings about?

• Secure Multi-Party Computation over the Interneto OT is complete [Kilian88] in the sense that it can be used

to implement other crypto tasks.o Analogous to Computational Complexity, crypto tasks have

different strength: Complete vs Feasible

o The classical landscape is well studied [MPR10,MPR09,KMQ11]


Feasible

Complete

P

NP Complete

Question: How would the landscape differ in the quantum setting?

Our Contribution• Identify another distinction: OT from Cut-and-

Choose (CC)

• Application: systematical characterization of a set of tasks in quantum UC

Feasible

Complete

Computational SettingInformation Theoretical Setting

Feasible

Complete

Derive the quantum landscape

How useful is F as a trusted setup?

assuming basic secure communication is given

Feasible

Intermediate

Complete

in the classical setting

Possible “levels of power” for F• Feasible/Useless/Trivial:

access to F is equivalent to no trusted setup (e.g., secure channel)

• Intermediate: some level of power between the two extremes

• Complete:all tasks have UC-secure protocols in presence of F (e.g., OT)

How useful is F as a trusted setup?

• Adversaries with quantum powero Some feasible F becomes

infeasibleo Some complete F becomes not

complete

Feasible

Intermediate

Complete

Feasible

Intermediate

Complete

in the quantum setting

• Honest Players with quantum powero Some infeasible (including

complete) F becomes feasibleo Some incomplete (including

feasible) F becomes complete

2-party, finite, deterministic tasks• We next show how to draw the `cryptographic

complexity’ landscape in the quantum setting o for an interesting class of tasks:

2-party finite deterministic task including OT, COM, CC,….

SFEf

Input(x1) Input(x2)

Output(f2(x1,x2) )Output(f1(x1,x2) )

Reactive

2PC

Input(x’1) Input(x’2)

Output(y’2)Output(y’1)

Input(x1) Input(x2)

Output(y2)Output(y1)

Input(x’’1) Input(x’’2)

Output(y’’2)Output(y’’1)

input/output domains are in poly-size

How useful is F as a trusted setup?in the classical

setting

Feasible

COM

CCXOR

OT

Information Theoretical Setting[MPR09, KMQ11/08]

Feasible

COM

OT

CCXOR

Computational Setting[MPR10]

Feasible

COM

OT

CCXOR

What about quantum setting?

Quantum landscape[This work]

Feasible

COM

OT

CCXOR

Classical landscape[MPR10]

[Unruh10, IPS08]

[HSS11, CLOS02] + suitable computational assumption

Computational Setting

Rewinding used in the security proof

Feasible

COM

OT

CCXOR



Feasible

COM

OT

CCXOR


[Unruh10, IPS08]



This work


Feasible

COM

OT

CCXOR



Feasible

COM

OT

CCXOR


[Unruh10, IPS08]



This work


Warning: it might be the case that all tasks in the set is feasible.

Feasible

COM

CCXOR

OT

Feasible

COM

CCXOR

OT

Classical landscape[MPR09, KMQ11/08]



[Unruh10, IPS08]

[Unruh10,BBCS91]

Information Theoretical Setting

This work

Feasible

COM

OT

CCXOR



Feasible

COM

CCXOR

OT


Design OT from CC

Main Result: CCOT

OT

Input(b0,b1) Input(s)

Output(bs)Output( )

CC

Input(x1) Input(x2)

Output(x1)Output(x1x2 )

Theorem: There is a quantum protocol UC securely realizing OT in the CC-hybrid world against all statistical quantum adversaries.

COM

Commit( )Commit(x)

Open( ) Open(x)

OT from COM [BBCS91]

I0, I1

COM

i

COM

i

C

All i in [n] All i in [n]

All i in C All i in C

b0, b1 s

bs

OT from CC

I0, I1


b0, b1 s

bs

CC

iAbort if

Security Definition• Universal Composition (UC) framework

[Canetti01] (cf. DM00, PW01,…)

Z

ππ A

Protocol π UC securely realize task F if: for every real world A there is an ideal world S two worlds are indistinguishable to all environment Z

Real world

F

ZIdeal world

≈S

Quantum UC • Quantum UC [Unruh10] (cf. Unruh04,BOM04,

HSS11)

Protocol π UC securely realize task F if: for every real world A there is an ideal world S two worlds are indistinguishable to all environment Z

QUC

We only consider classical F

F

ZIdeal world

Z

ππ A

Real world

≈S

OT from CC

I0, I1


b0, b1 s

bs

CC

iAbort if

Design simulator:• Extracting (b0,b1)

when Alice is corrupted

• Extracting s when Bob is corrupted

• Statistically close communication transcript

OT from CC

I0, I1


b0, b1 s

bs

CC

iAbort if

OT

ZIdeal world

I0, I1

All i in [n]

bs

CC

i

Abort if

(b0,b1) s

bs

S

OT from CC

I0, I1


b0, b1 s

bs

CC

iAbort if

OT

ZIdeal world

(b0,b1) s

bs

I0, I1

CC

iAll i in [n]S

Summary and Open questions

Feasible

COM

OT

CCXOR


Feasible

COM

CCXOR

OT


Main Result: CCOT

Open questions: Much larger set: randomized tasks, infinite

tasks, multi-party…. Quantum tasks

Feasibility and Completeness of Cryptographic Tasks in the Quantum World Hong-Sheng Zhou (U. Maryland) Joint work with Jonathan Katz (U. Maryland) Fang.

Documents