Quantum Cryptography

sunflowerplateAI and Robotics

Nov 21, 2013 (3 years and 11 months ago)

70 views

Quantum
Cryptography

Christian Schaffner

ILLC, University of Amsterdam

Centrum
Wiskunde

&
Informatica


Logic, Language and Computation

Monday, 15 October 2012




2

What will you Learn from this Talk?


Classical Cryptography


Quantum Computation &
Teleportation


Position
-
Based

Cryptography


Garden
-
Hose Model

3

Classical Cryptography


3000 years of fascinating history


until
1970:
private communication
was the only goal


4

Modern Cryptography


is
everywhere
!


is concerned with all settings where people
do not trust
each other

Modern Cryptography

Alice

Bob


symmetric
-
key cryptography:


encryption: Eve does not
learn

the message


authentication: Eve cannot
alter

the message

Eve

k = 0101 1011

c

= m
©

k = 0101 0100

k = 0101 1011

m = 0000 1111

m

= c
©

k = 0000 1111

, e.g.
one
-
time pad

Modern Cryptography

Alice

Bob


symmetric
-
key cryptography:


encryption: Eve does not
learn

the message


authentication: Eve cannot
alter

the message


public
-
key cryptography:


solves

the

key
-
exchange
problem


digital
signatures

Eve

m = 0000 1111

public key

secret key

7

Introduction to Modern Cryptography


6 ECTS
MoL

course


first lecture: Tuesday, 30 October 2012, 11:
00, B0.208


http://homepages.cwi.nl/~schaffne/course
/


be the first to solve the
crypto challenge
!


8

What to Learn from this Talk?


Classical Cryptography


Quantum Computing & Teleportation


Position
-
Based Cryptography


Garden
-
Hose Model

9

Quantum Bit:
Polarization
of
a Photon

q

u

b

i

t

a

s

u

n

i

t

v

e

c

t

o

r

i

n

C

2

10

Qubit
:
Rectilinear/Computational
Basis

11

Detecting a
Qubit

Bob

no

photons
:
0

Alice

12

Measuring a Qubit

Bob

no

photons
:
0

photons:
1

with prob. 1 yields 1

measurement
:

0/1

Alice

13

Diagonal/
Hadamard

Basis

with prob. ½ yields 0

with prob. ½ yields 1

Measurement:

0/1

=

14

Illustration of a Superposition

with prob. ½ yields 0

with prob. ½ yields 1

Measurement:

0/1

=

15

Illustration of a Superposition

=

=

16

Quantum
Mechanics

with prob. 1 yields 1

Measurements:

+


basis

£
basis

with prob. ½ yields 0

with prob. ½ yields 1

0/1

0/1

Quantum Information Processing (QIP)

18

No
-
Cloning Theorem

?

?

?

quantum

operations:


U


Proof: copying is a
non
-
linear operation

Quantum Key Distribution (QKD)

Alice

Bob

Eve


security

against

unrestricted

eavesdroppers
:


quantum

states

are

unknown

to

Eve,
she

cannot

copy

them


honest
players

can

check
whether

Eve
interfered


technically feasible
:
no quantum computation required
,

only quantum communication

[
Bennett Brassard 84
]

20

EPR Pairs

prob. ½ : 0

prob. ½ : 1

prob. 1 : 0

[
Einstein
Podolsky

Rosen 1935]



spukhafte

Fernwirkung
” (spooky action at a distance)


EPR pairs

do not allow to communicate

(
no contradiction
to relativity theory)


can provide a shared random bit

EPR magic!

21

Quantum Teleportation

[
Bennett Brassard Cr
é
peau

Jozsa

Peres
Wootters

1993]


does
not contradict relativity theory


teleported
state can only be recovered

once the classical information
¾

arrives

?

[
Bell]

?

?

22

What to Learn from this Talk?


Classical Cryptography


Quantum Computing & Teleportation


Position
-
Based Cryptography


Garden
-
Hose Model

23

How to Convince Someone of Your Presence at a Location

The Great Moon
Landing Hoax

http://www.unmuseum.org/moonhoax.htm

24

Basic Task: Position Verification


Prove you are at a
certain location
:


launching
-
missile command comes from within the
military headquarters


talking to
the correct country


pizza delivery
problem





building block
for
advanced cryptographic tasks:


authentication, position
-
based key
-
exchange


can
only decipher message at specific
location


Can
the

geographical

location

of

a
player

be

used

as

cryptographic

credential

?

25

Basic task: Position Verification


Prover

wants to convince
verifiers that she is at a
particular position


no
coalition of (fake)
provers
, i.e. not at the claimed
position, can convince verifiers


assumptions:



communication at speed of light


instantaneous computation


verifiers can coordinate






Verifier1

Verifier2

Prover

26

Position Verification: First Try

Verifier1

Verifier2

Prover

time


distance bounding [Brands
Chaum

‘93]


27

Position Verification: Second Try

Verifier1

Verifier2

Prover

position

verification

is

classically

impossible

!

[
Chandran

Goyal

Moriarty
Ostrovsky
: CRYPTO

09]

28

Equivalent Attacking Game


independent messages
m
x

and
m
y



copying

classical information


this is
impossible

quantumly


29

Position Verification: Quantum Try

[Kent Munro
Spiller

03/10
]


Let us study the attacking game

?

?

?

30

?

Attacking Game


impossible


but
possible

with entanglement!!


?

?

?

?

31

?

Entanglement attack


done if b=1


[
Bell]

?

?

32

?

Entanglement attack


the correct person can reconstruct the
qubit

in time!


the scheme is completely broken



[
Bell]

?

?

[
Bell]

33

more complicated schemes?


Different schemes
proposed by


Chandran, Fehr, Gelles, Goyal, Ostrovsky [2010]


Malaney [2010]


Kent, Munro, Spiller [2010]


Lau, Lo [2010
]



Unfortunately they can all
be

broken
!


general
no
-
go
theorem

[
Buhrman
,
Chandran
,
Fehr
,
Gelles
,
Goyal
,
Ostrovsky
, S 2010]

34

U


Most General Single
-
Round Scheme


Let us study the attacking game








35

U


Distributed Q Computation in 1 Round


using some form of
back
-
and
-
forth teleportation
,

players
succeed with probability arbitrarily close to
1


requires an
exponential amount
of EPR pairs

36

No
-
Go Theorem


Any position
-
verification protocol
can be
broken

using

an
exponential

number

of

EPR
-
pairs



Question
:

is this optimal
?


Does

there

exist

a
protocol

such
that
:


any

attack

requires many EPR
-
pairs


honest

prover

and

verifiers

efficient

37

Single
-
Qubit

Protocol:
SQP
f

[Kent Munro
Spiller

03/10
]

if f(
x,y
)=0

?

?

?

if f(
x,y
)=1

efficiently computable








38

?

Attacking Game for
SQP
f



Define
E(
SQP
f
)
:= minimum number of EPR pairs
required for attacking
SQP
f



?

?

if f(
x,y
)=0

if f(
x,y
)=1

x

y

39

What to Learn from this Talk?


Classical Cryptography


Quantum Computing & Teleportation


Position
-
Based Cryptography



Garden
-
Hose Model

http://arxiv.org/abs/
1109.2563

Buhrman
,

Fehr,

S,

Speelman

share
s

waterpipes


40

The Garden
-
Hose Model

The Garden
-
Hose Model


based on their inputs, players connect
pipes with pieces of hose


Alice also connects a
water
tap

41



if water exits @ Alice



if water exits @ Bob

Garden
-
Hose complexity of
f
:

GH
(f
)

:= minimum number
of pipes needed to compute f

42



if water exits @ Alice



if water exits @ Bob

The Garden
-
Hose Model

Demonstration: Inequality on Two Bits

43


GH
( Inequality )




demonstration: 3n


challenge: 2n + 1 (first student to email me solution wins)







world record
:
~1.448n (
using IBM’s SAT
solver)


GH( Inequality )
¸

n
[
Pietrzak

‘11]

n
-
Bit Inequality Puzzle

44

Relationship between

E(
SQP
f
)
and
GH(f)

GH(f)
¸
E(
SQP
f
)

Garden
-
Hose

Attacking Game

teleport

teleport

teleport

teleport

?

GH(f)
¸
E(
SQP
f
)

Garden
-
Hose

Attacking Game

teleport

teleport

teleport

teleport

?

y, Bob’s


telep
. keys

x, Alice’s


telep
. keys


using
x &
y,
can follow the water/
qubit


correct water/
qubit

using
all
measurement
outcomes


48


last slide:
GH
(f)
¸

E(
SQP
f
)


The two models are
not

equivalent
:


exists
f such that
GH(f) = n
, but

E
(
SQP
f
)


log(n)



Quantum
garden
-
hose
model:


give Alice & Bob also entanglement


research question: are the models
now
equivalent
?

GH(f)
=

E(
SQP
f
)
?

49

Garden
-
Hose Complexity Theory


every f has GH(f)


2
n+1


if f
in
logspace
,
then GH(f)


polynomial


efficient f & no efficient attack
)

P


L


exist f with GH(f)
exponential

(
counting argument)


for g
2

{equality, IP, majority
}:
GH(g)
¸

n / log(n)


techniques from communication
complexity



Many open problems!

50

What
Have You Learned from
this Talk?


Classical Cryptography




Quantum Computing &
Teleportation

51

What
Have You Learned from
this Talk?


No
-
Go Theorem


Impossible
unconditionally, but attack
requires
unrealistic amounts of
resources


Garden
-
Hose Model


model of communication complexity


Position
-
Based Cryptography


52

Take on the crypto challenges!


GH( Inequality )
=

2n
+ 1
pipes


the first person to tell me (
cschaffner@
uva.nl
) the
protocol wins:







course
“Introduction to Modern Cryptography”


first lecture: Tuesday, 30 October 2012, 11:
00