Quantum Cryptography

Τεχνίτη Νοημοσύνη και Ρομποτική

21 Νοε 2013 (πριν από 4 χρόνια και 5 μήνες)

79 εμφανίσεις

Quantum
Cryptography

Christian Schaffner

ILLC, University of Amsterdam

Centrum
Wiskunde

&
Informatica

Logic, Language and Computation

Monday, 15 October 2012

2

What will you Learn from this Talk?

Classical Cryptography

Quantum Computation &
Teleportation

Position
-
Based

Cryptography

Garden
-
Hose Model

3

Classical Cryptography

3000 years of fascinating history

until
1970:
private communication
was the only goal

4

Modern Cryptography

is
everywhere
!

is concerned with all settings where people
do not trust
each other

Modern Cryptography

Alice

Bob

symmetric
-
key cryptography:

encryption: Eve does not
learn

the message

authentication: Eve cannot
alter

the message

Eve

k = 0101 1011

c

= m

k = 0101 0100

k = 0101 1011

m = 0000 1111

m

= c

k = 0000 1111

, e.g.
one
-

Modern Cryptography

Alice

Bob

symmetric
-
key cryptography:

encryption: Eve does not
learn

the message

authentication: Eve cannot
alter

the message

public
-
key cryptography:

solves

the

key
-
exchange
problem

digital
signatures

Eve

m = 0000 1111

public key

secret key

7

Introduction to Modern Cryptography

6 ECTS
MoL

course

first lecture: Tuesday, 30 October 2012, 11:
00, B0.208

http://homepages.cwi.nl/~schaffne/course
/

be the first to solve the
crypto challenge
!

8

What to Learn from this Talk?

Classical Cryptography

Quantum Computing & Teleportation

Position
-
Based Cryptography

Garden
-
Hose Model

9

Quantum Bit:
Polarization
of
a Photon

q

u

b

i

t

a

s

u

n

i

t

v

e

c

t

o

r

i

n

C

2

10

Qubit
:
Rectilinear/Computational
Basis

11

Detecting a
Qubit

Bob

no

photons
:
0

Alice

12

Measuring a Qubit

Bob

no

photons
:
0

photons:
1

with prob. 1 yields 1

measurement
:

0/1

Alice

13

Diagonal/

Basis

with prob. ½ yields 0

with prob. ½ yields 1

Measurement:

0/1

=

14

Illustration of a Superposition

with prob. ½ yields 0

with prob. ½ yields 1

Measurement:

0/1

=

15

Illustration of a Superposition

=

=

16

Quantum
Mechanics

with prob. 1 yields 1

Measurements:

+

basis

£
basis

with prob. ½ yields 0

with prob. ½ yields 1

0/1

0/1

Quantum Information Processing (QIP)

18

No
-
Cloning Theorem

?

?

?

quantum

operations:

U

Proof: copying is a
non
-
linear operation

Quantum Key Distribution (QKD)

Alice

Bob

Eve

security

against

unrestricted

eavesdroppers
:

quantum

states

are

unknown

to

Eve,
she

cannot

copy

them

honest
players

can

check
whether

Eve
interfered

technically feasible
:
no quantum computation required
,

only quantum communication

[
Bennett Brassard 84
]

20

EPR Pairs

prob. ½ : 0

prob. ½ : 1

prob. 1 : 0

[
Einstein
Podolsky

Rosen 1935]

spukhafte

Fernwirkung
” (spooky action at a distance)

EPR pairs

do not allow to communicate

(
to relativity theory)

can provide a shared random bit

EPR magic!

21

Quantum Teleportation

[
Bennett Brassard Cr
é
peau

Jozsa

Peres
Wootters

1993]

does

teleported
state can only be recovered

once the classical information
¾

arrives

?

[
Bell]

?

?

22

What to Learn from this Talk?

Classical Cryptography

Quantum Computing & Teleportation

Position
-
Based Cryptography

Garden
-
Hose Model

23

How to Convince Someone of Your Presence at a Location

The Great Moon
Landing Hoax

http://www.unmuseum.org/moonhoax.htm

24

Prove you are at a
certain location
:

launching
-
missile command comes from within the

talking to
the correct country

pizza delivery
problem

building block
for

authentication, position
-
based key
-
exchange

can
only decipher message at specific
location

Can
the

geographical

location

of

a
player

be

used

as

cryptographic

credential

?

25

Prover

wants to convince
verifiers that she is at a
particular position

no
coalition of (fake)
provers
, i.e. not at the claimed
position, can convince verifiers

assumptions:

communication at speed of light

instantaneous computation

verifiers can coordinate

Verifier1

Verifier2

Prover

26

Position Verification: First Try

Verifier1

Verifier2

Prover

time

distance bounding [Brands
Chaum

‘93]

27

Position Verification: Second Try

Verifier1

Verifier2

Prover

position

verification

is

classically

impossible

!

[
Chandran

Goyal

Moriarty
Ostrovsky
: CRYPTO

09]

28

Equivalent Attacking Game

independent messages
m
x

and
m
y

copying

classical information

this is
impossible

quantumly

29

Position Verification: Quantum Try

[Kent Munro
Spiller

03/10
]

Let us study the attacking game

?

?

?

30

?

Attacking Game

impossible

but
possible

with entanglement!!

?

?

?

?

31

?

Entanglement attack

done if b=1

[
Bell]

?

?

32

?

Entanglement attack

the correct person can reconstruct the
qubit

in time!

the scheme is completely broken

[
Bell]

?

?

[
Bell]

33

more complicated schemes?

Different schemes
proposed by

Chandran, Fehr, Gelles, Goyal, Ostrovsky [2010]

Malaney [2010]

Kent, Munro, Spiller [2010]

Lau, Lo [2010
]

Unfortunately they can all
be

broken
!

general
no
-
go
theorem

[
Buhrman
,
Chandran
,
Fehr
,
Gelles
,
Goyal
,
Ostrovsky
, S 2010]

34

U

Most General Single
-
Round Scheme

Let us study the attacking game

35

U

Distributed Q Computation in 1 Round

using some form of
back
-
and
-
forth teleportation
,

players
succeed with probability arbitrarily close to
1

requires an
exponential amount
of EPR pairs

36

No
-
Go Theorem

Any position
-
verification protocol
can be
broken

using

an
exponential

number

of

EPR
-
pairs

Question
:

is this optimal
?

Does

there

exist

a
protocol

such
that
:

any

attack

requires many EPR
-
pairs

honest

prover

and

verifiers

efficient

37

Single
-
Qubit

Protocol:
SQP
f

[Kent Munro
Spiller

03/10
]

if f(
x,y
)=0

?

?

?

if f(
x,y
)=1

efficiently computable

38

?

Attacking Game for
SQP
f

Define
E(
SQP
f
)
:= minimum number of EPR pairs
required for attacking
SQP
f

?

?

if f(
x,y
)=0

if f(
x,y
)=1

x

y

39

What to Learn from this Talk?

Classical Cryptography

Quantum Computing & Teleportation

Position
-
Based Cryptography

Garden
-
Hose Model

http://arxiv.org/abs/
1109.2563

Buhrman
,

Fehr,

S,

Speelman

share
s

waterpipes

40

The Garden
-
Hose Model

The Garden
-
Hose Model

based on their inputs, players connect
pipes with pieces of hose

Alice also connects a
water
tap

41

if water exits @ Alice

if water exits @ Bob

Garden
-
Hose complexity of
f
:

GH
(f
)

:= minimum number
of pipes needed to compute f

42

if water exits @ Alice

if water exits @ Bob

The Garden
-
Hose Model

Demonstration: Inequality on Two Bits

43

GH
( Inequality )

demonstration: 3n

challenge: 2n + 1 (first student to email me solution wins)

world record
:
~1.448n (
using IBM’s SAT
solver)

GH( Inequality )
¸

n
[
Pietrzak

‘11]

n
-
Bit Inequality Puzzle

44

Relationship between

E(
SQP
f
)
and
GH(f)

GH(f)
¸
E(
SQP
f
)

Garden
-
Hose

Attacking Game

teleport

teleport

teleport

teleport

?

GH(f)
¸
E(
SQP
f
)

Garden
-
Hose

Attacking Game

teleport

teleport

teleport

teleport

?

y, Bob’s

telep
. keys

x, Alice’s

telep
. keys

using
x &
y,
qubit

correct water/
qubit

using
all
measurement
outcomes

48

last slide:
GH
(f)
¸

E(
SQP
f
)

The two models are
not

equivalent
:

exists
f such that
GH(f) = n
, but

E
(
SQP
f
)

log(n)

Quantum
garden
-
hose
model:

give Alice & Bob also entanglement

research question: are the models
now
equivalent
?

GH(f)
=

E(
SQP
f
)
?

49

Garden
-
Hose Complexity Theory

every f has GH(f)

2
n+1

if f
in
logspace
,
then GH(f)

polynomial

efficient f & no efficient attack
)

P

L

exist f with GH(f)
exponential

(
counting argument)

for g
2

{equality, IP, majority
}:
GH(g)
¸

n / log(n)

techniques from communication
complexity

Many open problems!

50

What
Have You Learned from
this Talk?

Classical Cryptography

Quantum Computing &
Teleportation

51

What
Have You Learned from
this Talk?

No
-
Go Theorem

Impossible
unconditionally, but attack
requires
unrealistic amounts of
resources

Garden
-
Hose Model

model of communication complexity

Position
-
Based Cryptography

52

Take on the crypto challenges!

GH( Inequality )
=

2n
+ 1
pipes

the first person to tell me (
cschaffner@
uva.nl
) the
protocol wins:

course
“Introduction to Modern Cryptography”

first lecture: Tuesday, 30 October 2012, 11:
00