Quantum Public Key Cryptography with Information-Theoretic Security

Daniel Gottesman

Perimeter Institute

Nov 21, 2013

Advantages of Public Key Crypto

• High efficiency

• New protocols

  o Public key encryption

  o Digital signatures

• Better key distribution and management

  o No danger that public key compromised

  o Convert authenticated channel to secure channel in interactive setting (QKD can do this too)

  o Certificate authorities

  o PGP (many redistribution sites)

Quantum Public Keys

Consider a map $f: k \to |f_k\rangle$.

• $k$ is the private key

• $|f_k\rangle$ is the public key

However, there is a limit. More copies of $|f_k\rangle$ means more information about $k$, and even one copy generally leaks some information about $k$.

For some maps $f$, it can be impossible (information-theoretically) to determine $k$, even given many copies of $|f_k\rangle$.

Quantum Fingerprinting

For example, we can let $k$ be an $O(2^n)$-bit string and $|f_k\rangle$ be $n$ qubits long using quantum fingerprints (Buhrman, Cleve, Watrous, de Wolf 2001).

One construction: Let $C$ be a $[2^n, r2^n, p2^n]$ code, with maximum distance $(1-p)2^n$, and let $x(k,i)$ be the $i$th bit of the codeword encoding $k$. Then

$|f_k\rangle = 2^{-n/2} \sum_i (-1)^{x(k,i)} |i\rangle$,

which implies that

$|\langle f_j | f_k \rangle| \le 1 - 2p$ (when $j \ne k$).

Quantum One-Way Function

Thus, the function $f: k \to |f_k\rangle$ is hard (impossible, actually) to invert, even given many copies of the output. It is a one-way function. This is why it is safe to use $|f_k\rangle$ as a public key: we can give it to many people without revealing the private key $k$.

From $n$ qubits, we can extract at most $n$ classical bits of information, so $T$ copies of $|f_k\rangle$ can only give at most $Tn$ bits of information about $k$, which is $r2^n$ bits long.
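The fingerprint construction and the counting argument above, as an added Python example that is not part of the original slides. The key-seeded random codeword is a constructed stand-in for the code $C$, and the sizes (n = 8, 64-bit keys, 20 sampled keys) are assumptions chosen so that it runs quickly; $p$ is measured over the sampled keys only.

```python
import math
import random

def codeword(key, n):
    """Constructed stand-in for the code C: a 2^n-bit word derived from the key.
    A real scheme needs an explicit code with proven minimum distance."""
    rng = random.Random(key)
    return [rng.getrandbits(1) for _ in range(2 ** n)]

def fingerprint(key, n):
    """Real amplitudes of |f_k> = 2^(-n/2) * sum_i (-1)^x(k,i) |i>."""
    norm = 2 ** (-n / 2)
    return [norm * (-1) ** bit for bit in codeword(key, n)]

def overlap(a, b):
    """Inner product <f_j|f_k> of two real-amplitude states."""
    return sum(x * y for x, y in zip(a, b))

def sampled_bound(keys, n):
    """Return (p, worst |<f_j|f_k>|) over all pairs of the sampled keys,
    where p*2^n <= Hamming distance <= (1-p)*2^n holds for every pair."""
    length = 2 ** n
    pairs = [(j, k) for j in keys for k in keys if j < k]
    dists = [sum(x != y for x, y in zip(codeword(j, n), codeword(k, n)))
             for j, k in pairs]
    p = min(min(dists), length - max(dists)) / length
    worst = max(abs(overlap(fingerprint(j, n), fingerprint(k, n)))
                for j, k in pairs)
    return p, worst

def leak_cap_bits(n, copies, key_bits):
    """At most n classical bits per n-qubit copy, so T copies give <= T*n bits."""
    return min(copies * n, key_bits)

if __name__ == "__main__":
    n, key_bits = 8, 64                      # constructed sizes: r = 64 / 2^8
    rng = random.Random(2001)
    keys = [rng.getrandbits(key_bits) for _ in range(20)]
    p, worst = sampled_bound(keys, n)
    print(f"p = {p:.3f}  1-2p = {1 - 2 * p:.3f}  worst overlap = {worst:.3f}")
    for copies in (1, 4, 8):
        print(copies, "copies leak at most",
              leak_cap_bits(n, copies, key_bits), "of", key_bits, "key bits")
```

The worst overlap equals $1 - 2p$ exactly, because $\langle f_j | f_k \rangle = 1 - 2d/2^n$ for codewords at Hamming distance $d$.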

One-Time Digital Signature

Classical scheme (Lamport 1979): One-way function $f(x)$, private key $(k_0, k_1)$, public key $(f(k_0), f(k_1))$. To sign a bit $b$, send $(b, k_b)$.

Quantum scheme (Gottesman, Chuang 2001):

• Private key $(k_0^{(i)}, k_1^{(i)})$ $(i = 1, \ldots, M)$

• Public key $(|f_k\rangle)$ (for $k = k_b^{(i)}$)

• To sign $b$, send $(b, k_b^{(1)}, k_b^{(2)}, \ldots, k_b^{(M)})$.

• To verify, measure $|f_k\rangle$ to check $k = k_b^{(i)}$.

Different Levels of Acceptance

Suppose $s$ keys fail the measurement test:

$s \le c_1 M$ $\Rightarrow$ 1-ACC: Message comes from Alice, other recipients will agree.

$c_1 M < s \le c_2 M$ $\Rightarrow$ 0-ACC: Message comes from Alice, another recipient might disagree.

$s > c_2 M$ $\Rightarrow$ REJ: Message might not come from Alice.

Similar to classical pseudo-signatures (Chaum and Roijakkers 1991), which are information-theoretically secure, but with complex set-up procedure.
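An added simulation (not from the slides) of the quantum scheme's verification and the three acceptance levels. It assumes that testing a revealed key $k'$ against a held copy of $|f_k\rangle$ passes with probability $|\langle f_{k'} | f_k \rangle|^2$; the key-seeded fingerprint, the 64-bit keys and the values M = 40, c1 = 0.1, c2 = 0.3 are constructed for illustration.

```python
import math
import random

def fingerprint(key, n=6):
    """Constructed stand-in for |f_k>: signs come from a key-seeded generator."""
    rng = random.Random(key)
    return [(-1) ** rng.getrandbits(1) / math.sqrt(2 ** n) for _ in range(2 ** n)]

def keygen(M, rng):
    """Private key: M pairs (k_0^(i), k_1^(i)). Public key: their fingerprints."""
    private = [(rng.getrandbits(64), rng.getrandbits(64)) for _ in range(M)]
    public = [(fingerprint(k0), fingerprint(k1)) for k0, k1 in private]
    return private, public

def sign(private, b):
    """Signature on bit b: the bit plus the M private keys k_b^(i)."""
    return b, [pair[b] for pair in private]

def count_failures(public, signature, rng):
    """Assumed measurement model: a revealed key k' passes against the held copy
    |f_k> with probability |<f_k'|f_k>|^2. Returns s, the number of failures."""
    b, revealed = signature
    s = 0
    for pair, key in zip(public, revealed):
        amp = sum(x * y for x, y in zip(fingerprint(key), pair[b]))
        s += rng.random() >= amp * amp
    return s

def verdict(s, M, c1, c2):
    """Three-level decision from the slide, given s failed tests out of M."""
    if s <= c1 * M:
        return "1-ACC"
    if s <= c2 * M:
        return "0-ACC"
    return "REJ"

if __name__ == "__main__":
    M, c1, c2 = 40, 0.1, 0.3                 # constructed parameters
    rng = random.Random(1979)
    private, public = keygen(M, rng)
    honest = count_failures(public, sign(private, 1), rng)
    guessed = (1, [rng.getrandbits(64) for _ in range(M)])   # keys not from Alice
    forged = count_failures(public, guessed, rng)
    print("honest:", honest, verdict(honest, M, c1, c2))
    print("forged:", forged, verdict(forged, M, c1, c2))
```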

Quantum Public Key Encryption

• Protocol defines map $k \to U_k$ (unitary)

• Alice’s private key $k$

• Public key $(I \otimes U_k)(|0\rangle|0\rangle + |1\rangle|1\rangle)$

• To encrypt a quantum state $|\psi\rangle$, teleport state through the public key, getting Pauli matrix $P$. Transmit $P$ and 2nd register of public key.

• Alice receives $(P, U_k P|\psi\rangle)$. Decrypts by performing $U_k^{-1}$ then $P^{-1}$.

Notes on Quantum Public Key Encryption

• Expends one copy of the public key per encrypted message.

• When $U_k$ runs over Pauli matrices, this is the one-time pad, but only one copy of public key is allowed.

• For larger sets of $U_k$, it is impossible to learn $k$ completely. However, I have no security proof.

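SWAP test

BCWW also introduced a test to check if two fingerprints are the same without knowing their exact state:

[Circuit diagram: an ancilla in $|0\rangle + |1\rangle$ controls a Controlled-SWAP on $|f_j\rangle$ and $|f_k\rangle$; the ancilla is then measured in the basis $|0\rangle + |1\rangle$ vs. $|0\rangle - |1\rangle$.]

• If they are the same, + result (fingerprints are unchanged)

• If they are different, often − result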

Distributed SWAP Test

Two problems with the straight SWAP test:

• How can we do a SWAP test at a distance?

• A SWAP test against a bad key corrupts your copy.

Distributed SWAP test:

[Diagram: Bob and Charlie, each with copies of the key; labels in the diagram: key (four times), SWAP (numbered 1, 1, 2), keep, discard.]
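The SWAP test circuit and the second problem listed above (a test against a bad key corrupts your copy), as an added state-vector simulation in Python that is not part of the original slides. The 8-bit codewords are constructed sample inputs, and the function names are hypothetical.

```python
import math

def fingerprint(bits):
    """|f_k> = 2^(-n/2) * sum_i (-1)^x(k,i) |i>, as a list of real amplitudes."""
    norm = 1 / math.sqrt(len(bits))
    return [norm * (-1) ** b for b in bits]

def swap_test(mine, other):
    """Simulate ancilla (|0>+|1>)/sqrt(2), controlled-SWAP, +/- measurement.

    Returns (probability of the + result,
             fidelity of my register with my original state after a + result).
    """
    size = len(mine)
    # Ancilla = 0 branch: registers untouched. Amplitude of |a>|b>.
    keep = [[mine[a] * other[b] for b in range(size)] for a in range(size)]
    # Ancilla = 1 branch: registers swapped, so |a>|b> carries the (b, a) amplitude.
    swapped = [[keep[b][a] for b in range(size)] for a in range(size)]
    # Projecting the ancilla on (|0>+|1>)/sqrt(2) leaves (keep + swapped) / 2.
    plus = [[(keep[a][b] + swapped[a][b]) / 2 for b in range(size)]
            for a in range(size)]
    p_plus = sum(x * x for row in plus for x in row)
    # Overlap of my register with its original state, for each state of the other.
    proj = [sum(mine[a] * plus[a][b] for a in range(size)) for b in range(size)]
    fidelity = sum(x * x for x in proj) / p_plus
    return p_plus, fidelity

def detection_probability(mine, other, rounds):
    """Chance of at least one - result in `rounds` tests, each on fresh copies."""
    p_plus, _ = swap_test(mine, other)
    return 1 - p_plus ** rounds

if __name__ == "__main__":
    # Constructed 8-bit codewords at Hamming distance 0, 2 and 4 from all-zeros.
    good = fingerprint([0] * 8)
    for label, bits in [("same key", [0] * 8),
                        ("distance 2", [0, 0, 0, 0, 0, 0, 1, 1]),
                        ("distance 4", [0, 0, 0, 0, 1, 1, 1, 1])]:
        p_plus, fid = swap_test(good, fingerprint(bits))
        print(f"{label}: P(+) = {p_plus:.3f}, my copy's fidelity after + = {fid:.3f}")
```

With overlap $\delta = \langle f_j | f_k \rangle$ the simulation reproduces $P(+) = (1 + \delta^2)/2$, and after a + result the tested copy keeps fidelity $(1 + 3\delta^2)/(2(1 + \delta^2))$ with the original, which drops to 1/2 for orthogonal fingerprints.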

Quantum Public Key Distribution

[Diagram: nodes Alice, B, C, D, E, F.]

F can compare if the public keys received from B and D are the same.

Certificate Authorities

A certificate authority signs other people’s public
keys. Everyone has the CA’s public key already,
and they trust the CA to verify the public key’s
source.

Main advantage: the CA only needs to be
involved in the distant past.

Can we make a certificate authority for quantum
public keys?

No Signatures of Quantum States

There is no signature scheme for unknown quantum states, even with computational security. Anyone who can read the signed state can change it. (BCGST 2002)

Let $|S_k(\psi)\rangle$ be the signed state for $|\psi\rangle$ (purified).

To read the state, use $U$: $|S_k(\psi)\rangle \to |\psi\rangle \otimes |R_k(\psi)\rangle$. But No-Cloning implies $|R_k(\psi)\rangle = |R_k\rangle$ does not depend on $|\psi\rangle$.

To cheat: $|S_k(\psi)\rangle \xrightarrow{U} |\psi\rangle |R_k\rangle \to |\psi'\rangle |R_k\rangle \xrightarrow{U^{-1}} |S_k(\psi')\rangle$

Signing Known Quantum States

However, this argument does not apply to a state which is known by the signer, or even if the signer has multiple copies of $|\psi\rangle$.

Can we sign a known quantum state?

Yes, sort of: we can sign the classical description of the state.

What we really want is to sign the state efficiently in the number of qubits. Can we do this? Unknown.

Signing Known Quantum States

Solutions to this problem could potentially allow:

• More efficient quantum signatures: sign a fingerprint of the classical message.

• Reusable quantum signatures: sign a message plus a new quantum public key.

• Quantum certificate authority: Provide multiple copies of your public key to the CA, allowing him to sign them.

Quantum Signature Efficiency

One-time quantum signatures are very inefficient, but if it is possible to sign known states as suggested on the previous slide, they could become very efficient.

• Key length to sign $n$-bit message: $O(\log n)$?

• Number of messages from single key: exp.?

• However: length of private key is still proportional to # of copies of public key.

None of this is proved.

Capabilities of Quantum Public Keys

• High efficiency (No?)

• New protocols

  o Public key encryption (Yes?)

  o Digital signatures (Yes)

• Better key distribution and management

  o No danger that public key compromised (Yes)

  o Convert authenticated channel to secure channel (Yes, QKD)

  o Certificate authorities (Yes??)

  o PGP (many redistribution sites) (Yes)