Feasibility and Completeness of Cryptographic Tasks in the Quantum World Hong-Sheng Zhou (U. Maryland) Joint work with Jonathan Katz (U. Maryland) Fang Song (Penn. State U.) Vassilis Zikas (U. Maryland)
Feasibility and Completeness
of
Cryptographic Tasks in the
Quantum World
Hong-Sheng Zhou (U. Maryland)
Joint work with Jonathan Katz (U. Maryland) Fang Song (Penn. State U.)Vassilis Zikas (U. Maryland)
How would classical cryptography change in a
quantum world?
• Take advantage of quantum to break protocolso Factoring and Discrete Logarithm-based protocols are no
longer secure [Shor94]
• Use quantum to build protocolso Quantum Key Distribution (QKD)[BB84]
• Use classical authenticated channel to build statistically secure channel
• Impossible in the classical setting
How would quantum change classical crypto?
• Secure Multi-Party Computation over the Interneto Allow mutually distrustful parties to carry out a crypto
task over the Interneto E.g., coin-tossing, jointly evaluating a function, playing
online poker, commitment, oblivious transfer,….o Security model: Universal Composition (UC) framework
[Canetti01, Unruh10]• Computational vs Information Theoretical
o A notable distinction: [BBCS91]• Using quantum, Oblivious Transfer(OT) can be implemented
from Commitment (COM) • Universally Composable, Statistical Security
[DFLSS09,Unruh10]• Impossible in the classical setting
How would quantum change classical crypto?
Question: are there more distinctions that quantum brings about?
• Secure Multi-Party Computation over the Interneto OT is complete [Kilian88] in the sense that it can be used
to implement other crypto tasks.o Analogous to Computational Complexity, crypto tasks have
different strength: Complete vs Feasible
o The classical landscape is well studied [MPR10,MPR09,KMQ11]
How would quantum change classical crypto?
Feasible
Complete
P
NP Complete
Question: How would the landscape differ in the quantum setting?
Our Contribution• Identify another distinction: OT from Cut-and-
Choose (CC)
• Application: systematical characterization of a set of tasks in quantum UC
Feasible
Complete
Computational SettingInformation Theoretical Setting
Feasible
Complete
Derive the quantum landscape
How useful is F as a trusted setup?
assuming basic secure communication is given
Feasible
Intermediate
Complete
in the classical setting
Possible “levels of power” for F• Feasible/Useless/Trivial:
access to F is equivalent to no trusted setup (e.g., secure channel)
• Intermediate: some level of power between the two extremes
• Complete:all tasks have UC-secure protocols in presence of F (e.g., OT)
How useful is F as a trusted setup?
• Adversaries with quantum powero Some feasible F becomes
infeasibleo Some complete F becomes not
complete
Feasible
Intermediate
Complete
Feasible
Intermediate
Complete
in the quantum setting
• Honest Players with quantum powero Some infeasible (including
complete) F becomes feasibleo Some incomplete (including
feasible) F becomes complete
2-party, finite, deterministic tasks• We next show how to draw the `cryptographic
complexity’ landscape in the quantum setting o for an interesting class of tasks:
2-party finite deterministic task including OT, COM, CC,….
SFEf
Input(x1) Input(x2)
Output(f2(x1,x2) )Output(f1(x1,x2) )
Reactive
2PC
Input(x’1) Input(x’2)
Output(y’2)Output(y’1)
Input(x1) Input(x2)
Output(y2)Output(y1)
Input(x’’1) Input(x’’2)
Output(y’’2)Output(y’’1)
input/output domains are in poly-size
How useful is F as a trusted setup?in the classical
setting
Feasible
COM
CCXOR
OT
Information Theoretical Setting[MPR09, KMQ11/08]
Feasible
COM
OT
CCXOR
Computational Setting[MPR10]
Feasible
COM
OT
CCXOR
What about quantum setting?
Quantum landscape[This work]
Feasible
COM
OT
CCXOR
Classical landscape[MPR10]
[Unruh10, IPS08]
[HSS11, CLOS02] + suitable computational assumption
Computational Setting
Rewinding used in the security proof
Feasible
COM
OT
CCXOR
What about quantum setting?
Quantum landscape[This work]
Feasible
COM
OT
CCXOR
Classical landscape[MPR10]
[Unruh10, IPS08]
[HSS11, CLOS02] + suitable computational assumption
Computational Setting
This work
Rewinding used in the security proof
Feasible
COM
OT
CCXOR
What about quantum setting?
Quantum landscape[This work]
Feasible
COM
OT
CCXOR
Classical landscape[MPR10]
[Unruh10, IPS08]
[HSS11, CLOS02] + suitable computational assumption
Computational Setting
This work
Rewinding used in the security proof
Warning: it might be the case that all tasks in the set is feasible.
Feasible
COM
CCXOR
OT
Feasible
COM
CCXOR
OT
Classical landscape[MPR09, KMQ11/08]
What about quantum setting?
Quantum landscape[This work]
[Unruh10, IPS08]
[Unruh10,BBCS91]
Information Theoretical Setting
This work
Feasible
COM
OT
CCXOR
What about quantum setting?
Computational Setting
Feasible
COM
CCXOR
OT
Information Theoretical Setting
Design OT from CC
Main Result: CCOT
OT
Input(b0,b1) Input(s)
Output(bs)Output( )
CC
Input(x1) Input(x2)
Output(x1)Output(x1x2 )
Theorem: There is a quantum protocol UC securely realizing OT in the CC-hybrid world against all statistical quantum adversaries.
COM
Commit( )Commit(x)
Open( ) Open(x)
OT from COM [BBCS91]
I0, I1
COM
i
COM
i
C
All i in [n] All i in [n]
All i in C All i in C
b0, b1 s
bs
OT from CC
I0, I1
All i in [n] All i in [n]
b0, b1 s
bs
CC
iAbort if
Security Definition• Universal Composition (UC) framework
[Canetti01] (cf. DM00, PW01,…)
Z
ππ A
Protocol π UC securely realize task F if: for every real world A there is an ideal world S two worlds are indistinguishable to all environment Z
Real world
F
ZIdeal world
≈S
Quantum UC • Quantum UC [Unruh10] (cf. Unruh04,BOM04,
HSS11)
Protocol π UC securely realize task F if: for every real world A there is an ideal world S two worlds are indistinguishable to all environment Z
QUC
We only consider classical F
F
ZIdeal world
Z
ππ A
Real world
≈S
OT from CC
I0, I1
All i in [n] All i in [n]
b0, b1 s
bs
CC
iAbort if
Design simulator:• Extracting (b0,b1)
when Alice is corrupted
• Extracting s when Bob is corrupted
• Statistically close communication transcript
OT from CC
I0, I1
All i in [n] All i in [n]
b0, b1 s
bs
CC
iAbort if
OT
ZIdeal world
I0, I1
All i in [n]
bs
CC
i
Abort if
(b0,b1) s
bs
S
OT from CC
I0, I1
All i in [n] All i in [n]
b0, b1 s
bs
CC
iAbort if
OT
ZIdeal world
(b0,b1) s
bs
I0, I1
CC
iAll i in [n]S
Summary and Open questions
Feasible
COM
OT
CCXOR
Computational Setting
Feasible
COM
CCXOR
OT
Information Theoretical Setting
Main Result: CCOT
Open questions: Much larger set: randomized tasks, infinite
tasks, multi-party…. Quantum tasks