Evolving Notions of Security for Quantum Protocols Adam Smith Weizmann Institute of Science Caltech Workshop on Security of Classical and Quantum Protocols December 16, 2005

Evolving Notions of Security for Quantum Protocols Adam Smith Weizmann Institute of Science Caltech Workshop on Security of Classical and Quantum Protocols December 16, 2005 Proofs Occasionally Mistaken Usually Correct, Frequently Interesting,

3 Cryptography in a Quantum World Landscape changes!  New things are possible  New difficulties arise Needed: Tools and language for reasoning about quantum adversaries The field is still very young  Some successes…  … occasional mistakes  Lots of questions! quantum thinkers needed Isaac Newton

4 This talk Basics of quantum computing New Possibilities  E.g. quantum key distribution New Difficulties, Partial Solutions  E.g. rewinding in ZK proofs Conclusions & Questions

5 Quantum Information: Pure States “Pure states” = vectors in complex space “qubit”= Basic unit of quantum information  |0 i +  |1 i : ,  2 C, |  | 2 +|  | 2 =1 Register of n qubits:  x  x |x i (where x 2 {0,1} n ) NB: qubit-by-qubit description not enough  2 n numbers vs 2 n numbers  |0 i +  |1 i |1 i |0 i

6 Quantum Circuits: 2 kinds of gates Invertible operations on n qubits = 2 n £ 2 n unitary matrices ( U -1 = U y )  |  i  U |  i  e.g. Hadamard Projective measurements:  Ask a qubit: are you 0 or 1?  State becomes |0 i or |1 i (according to output)  Destructive!  |0 i +  |1 i |1 i |0 i w.prob. |  2 | w.prob. |  2 | 1 1 ­1 1 √2..

7 Information vs Disturbance Important principle of quantum mechanics Consequence: No copying! Theorem: If A = |  i for all inputs |  i then B is independent of |  i Information ) Disturbance Secrecy ( Resilience to errors U | i| i A B

8 This talk Basics of quantum computing New Possibilities  E.g. quantum key distribution New Difficulties, Partial Solutions  E.g. rewinding in ZK proofs Conclusions & Questions

9 New Possibilities Key Distribution w/o computational assumptions [BB84] Coin flipping with constant bias (see Andris’ talk) Public-key cryptography with limited keys (see Daniel’s talk) Non-locality games (see Ben Toner’s talk) Uncloneable encryption [G] Fast Byzantine agreement [BH05] Key re-use (see Louis Salvail’s talk) Crypto with quantum data [AMTW00,CGS02,BCGST02,…] Not a panacea: Bit commitment, OT, etc are still impossible [M,LC] (Probably) does not circumvent composability issues

10 Quantum Key Distribution [BB84] Alice and Bob want to generate a secret key AliceBob Eve quantum channel controlled by Eve classical authenticated channel visible to Eve

11 Quantum Key Distribution (simplified [E91,LC99] ) Basic tool: EPR pairs  State on two qubits Say Alice and Bob share an EPR pair  Measure each half to get shared, secret bit Goal: set up many clean, shared EPR pairs Phase I: Alice creates n EPR pairs, send halves to Bob Phase II: Alice and Bob test the pairs for tampering using classical channel |  + i = | 00 i AB + | 11 i AB |  + n i =  x |x i A |x i B AliceBob

12 Phase I Alice generates n EPR pairs Sends halves of these pairs to Bob Bob acknowledges receipt AliceBob Eve Eve’s memory |+ni|+ni “Got them.”

13 Phase II: Testing Intuition: Many symmetries U such that (U A ­ U B ) |  + n i AB = |  + n i AB. AliceBob |+ni|+ni Eve Eve’s memory “Got them.”

14 Phase II: Testing Alice picks symmetry U at random  Applies U and measures last k qubits  Sends U and results to Bob  Bob applies U and measures last k qubits ACCEPT iff measurements agree AliceBob |+ni|+ni Eve Eve’s memory U, results U U Intuition: ACCEPT ) n – k ‘good’ EPR pairs

15 Example Symmetries [E91,BCGST02] For any invertible binary matrix M 2 {0,1} n £ n : U M | x i = | Mx i Alice  picks random invertible matrix M,  applies U M  applies Hadamard with probability ½ to each qubit Exercise: This preserves |  + n i =  x |x i A |x i B

16 Analyzing Security Joint state A,B = |  n + i ) test passes w.p. 1 Joint state A,B ? |  n + i ) test passes w.p. 2 -k How can we use this?  What’s the security statement?  How can we prove it? span(|  + n i ) span(|  + n i ) ?

17 Analyzing Security We want “ n–k perfect EPR pairs or REJECT” with high probability To show closeness, look at state before test: |  i ABE =  ( AB || |  + n i ) +  ( AB ? |  + n i ) Each piece mapped close to good subspace Eve U U subspace +

18 Analyzing Security Theorem: Global state is close to subspace “ n–k perfect EPR pairs or REJECT” Are we done?  Intuitively meaningful  What’s the definition of security here? This can be used to build a simulator  Good enough to prove UC security [BM, BHLMO’05]

19 Security as Simulatability [BHLMO’05] Theorem: Global state is close to subspace “ n–k perfect EPR pairs or REJECT” Ideal protocol:  Trusted party asks Eve “Abort or run?”  Eve answers 1 bit  If “Run” then give good keys to Alice and Bob real Adv ideal Sim

20 Security as Simulatability Theorem: Global state is close to subspace “ n–k perfect EPR pairs or REJECT” Simulator:  Runs dummy execution  Output Eve’s view  If Eve aborts, send “abort”, else send “run” real Adv ideal dummy execution Strong guarantee! abort?

21 Lessons of QKD We can sometimes test for disturbance  Hence for information Security proven through simulator  Proximity to “good” subspace [LC’99,CGS’02, BHLMO‘05]  Simple form of simulator is good  All* QKD protocols have simulator! [BHLMO ‘05] Deniability and adaptivity more tricky  Some protocols but not all [B‘02]

22 This talk Basics of quantum computing New Possibilities  E.g. quantum key distribution New Difficulties, Partial Solutions  E.g. rewinding in ZK proofs Conclusions & Questions

23 New Difficulties (& Partial Solutions)  Computational Assumptions Broken Factoring and discrete logarithm in BQP [S’94] Still lots of candidate one-way functions Few candidates for public-key encryption, OT  Lattices, codes No candidates for  Trapdoor 1-Way Permutations ( though see [OTU’00] )  Non-interactive ZK for NP ( though see [K’03 ]) See workshop

24 New Difficulties (& Partial Solutions)  Computational Assumptions Broken  Definitional Paradigms May No Longer Apply UC paradigm is ok ( [BM’05] ) what else? Bit Commitment  Standard requirement: adversary cannot produce a pair: ( decommitment to 0, decommitment to 1 )  OK if commitment is perfectly binding  Claim: unconditionally-secure QBC [BCJL]  Adversary cannot decommit to both 0 and 1.  But… she can decommit to either!  Workable definitions given later (but complicated) [CDMS,DFS]

25 New Difficulties (& Partial Solutions)  Computational Assumptions Broken  Definitional Paradigms May No Longer Apply  Information-theoretic Proofs Also Get Broken Protocols based on extractors: not clear if they remain secure against bounded quantum memory  (Pairwise-independent hashing is ok [KMR] ) Multi-prover commitment schemes can be broken [CST]  Some of them can still be fixed, but require very careful proofs.  E.g: adversary can win magic square game  See Ben Toner’s talk

26 New Difficulties (& Partial Solutions)  Computational Assumptions Broken  Definitional Paradigms May No Longer Apply  Information-theoretic Proofs Also Get Broken  Basic Proof Techniques May Fail Fixing random coins  Binding in multiprover commitment schemes  Many other places Rewinding in ZK proof systems  Exception: [Watrous, 2005]

27 Rewinding and Simulation Wanted: simulator that fools quantum adversaries Some simulators do work  Key distribution  Multiparty computation [BGW88,CCD88,RB89,etc] “Rigid straight-line simulator”  Uses only one black-box run of adversary, even in proof of correctness of simulation real Adv ideal Sim Few protocols have rigid simulators!

28 Rewinding in Zero Knowledge: Graph Isomorphism ZK proof for graph ismorphism: Input G 0, G 1. Given  s.t.  (G 0 )=G 1.  à S n. b à {0,1} G0)G0) b  ¢  b Prover Verifier

29 Rewinding in Zero Knowledge: Graph Isomorphism Classical simulator: g à {0,1}  à S n. Vic Gg)Gg) b  Simulator aux If g=b, output state of Vic Else, start over! What if Vic and aux are quantum?  Need to copy to start over  First execution might destroy aux Is the protocol still deniable?

30 Simulator for Quantum Verifier [W’05] Classical simulator: aux g à {0,1}  à S n. Vic Gg)Gg) b  Simulator Output ( g=b?, state of Vic) 1.“Purify” protocol Postpone measurements, keep all outputs quantum

31 Simulator for Quantum Verifier [W’05] Classical simulator: aux g à {0,1}  à S n. Vic Gg)Gg) b  Simulator Output ( g=b?, state of Vic) 1.“Purify” protocol Postpone measurements, keep all outputs quantum

32 Simulator for Quantum Verifier [W’05] Classical simulator: 1.“Purify” protocol Postpone measurements, keep all outputs quantum 2.Measure 1 qubit: g © b  If simulation successful, output Vic’s state. Else aux g à {0,1}  à S n. Vic Gg)Gg) b  Simulator Output ( g=b?, state of Vic) Make it successful

33 Simulator for Quantum Verifier [W’05] Classical simulator: aux g à {0,1}  à S n. Vic Gg)Gg) b  Simulator Output ( g=b?, state of Vic) Measuring g © b defines two subspaces W 0, W 1.  Every verifier Vic defines two states |  0 i, |  1 i. Theorem[Watrous’05]: there is poly-time unitary U Vic s.t. U Vic |  0 i = |  1 i. W0W0 W1W1

34 Simulator for Quantum Verifier [W’05] Classical simulator: 1.“Purify” protocol Postpone measurements, keep all outputs quantum 2.Measure 1 qubit: g © b  If simulation successful, output Vic’s state. Else aux g à {0,1}  à S n. Vic Gg)Gg) b  Simulator Output ( g=b?, state of Vic) Apply U Vic Output state

35 Lessons from Watrous’ Simulation Quantum simulators are surprisingly powerful  NB: Strict poly-time simulation Refines our understanding of protocols  This simulation works for a sublcass of protocols  Simulator’s success prob. independent* of aux  In particular, Hamiltonian path and 3-coloring  Not a subclass that had appeared before (?) Use quantum tricks to defeat a quantum adversary

36 This talk Basics of quantum computing New Possibilities  E.g. quantum key distribution New Difficulties, Partial Solutions  E.g. rewinding in ZK proofs Questions to think about

37 Quantum Information Requires New Intuitions Multi-prover Interacitive Proofs [CHTW04,CST05]  Soundness proofs via impossibility of supra-luminal signaling Composability and auxiliary information  Some primitives require keys only half as long if input is unentangled with outside world Classical Secrecy Sometimes the Best Analogue  Secret sharing schemes $ Error-Correcting codes  Approximate quantum codes beat quantum Singleton bound  Secret key capacity $ quantum conditional entropy  Negative entropies have similar interpretations

38 Things I Didn’t Talk About Key re-use Deniability Bounded Quantum Memory / Processing Uncloneable encryption …

39 Interesting Open Questions Extending Watrous’ argument:  What types of rewinding for quantum adversaries?  E.g. can we get quantum proofs of knowledge for NP? Two-party quantum computation? One-way (or trapdoor) permutation candidates which are classically computable in the forward direction?  See [OUT’00] for partial version UC impossibility results? (to me)that might be Open

40 Cryptography in a Quantum World Landscape changes!  New things are possible  New difficulties arise Needed: Tools and language for reasoning about quantum adversaries The field is still very young  Some successes…  … occasional mistakes  Lots of questions! quantum thinkers needed Isaac Newton

41 Some references from the talk (a very partial list!) [AMTW00] Andris Ambainis, Michele Mosca, Alain Tapp, Ronald de Wolf: Private Quantum Channels. FOCS 2000: [BCGST02] H. Barnum, C. Crepeau, D. Gottesman, A. Smith, A. Tapp, "Authentication of Quantum Messages," Proc. 43rd IEEE Symposium on the Foundations of Computer Science, (2002), full version quant-ph/ [BCJL] Gilles Brassard, Claude Crépeau, Richard Jozsa, Denis Langlois: A Quantum Bit Commitment Scheme Provably Unbreakable by both Parties FOCS 1993: [BH05] Michael Ben-Or, Avinatan Hassidim: Fast quantum byzantine agreement. STOC 2005: [BHLMO'05] Michael Ben-Or, Michal Horodecki, Debbie W. Leung, Dominic Mayers, Jonathan Oppenheim: The Universal Composable Security of Quantum Key Distribution. TCC 2005: quant-ph/ [BM'05] Michael Ben-Or, Dominic Mayers. General Security Definition and Composability for Quantum & Classical Protocols. quant- ph/ [CDMS] Claude Crépeau, Paul Dumais, Dominic Mayers, Louis Salvail: Computational Collapse of Quantum State with Application to Oblivious Transfer. TCC 2004: [CGS02] C. Crepeau, D. Gottesman, A. Smith, "Secure Multi-Party Quantum Computation," Proc. 34th ACM Symposium on the Theory of Computing, (New York, NY, ACM Press, 2002), quant-ph/ [CHTW04] R. Cleve, P. Høyer, B. Toner, and J. Watrous, Consequences and Limits of Nonlocal Strategies, Proceedings of the 19th IEEE Annual Conference on Computational Complexity (CCC 2004), pp (2004). [CST'05] C. Crepeau, J.-R. Simard, A. Tapp. Classical and quantum strategies for two-prover bit commitments. Manuscrip, [DFS] Ivan Damgård, Serge Fehr, Louis Salvail: Zero-Knowledge Proofs and String Commitments Withstanding Quantum Attacks. CRYPTO 2004: [E91] Artur K. Ekert. Quantum cryptography based on Bell's theorem. Phys. Rev. Lett. 67, 661–663 (1991). [G] D. Gottesman, "Uncloneable Encryption," Proc. 6th International Conf. on Quantum Communication, Measurement, and Computing, eds. J. H. Shapiro and O. Hirota, pp (Princeton, NJ, Rinton Press, 2003), full version Quantum Information and Computation 3, No. 6, (2003), quant-ph/ [K'03] Hirotada Kobayashi: Non-interactive Quantum Perfect and Statistical Zero-Knowledge. ISAAC 2003: [KMR] Robert Koenig, Ueli Maurer, and Renato Renner. On the Power of Quantum Memory. IEEE Transaction on Information Theory, vol. 51, no. 7, pp , Jul 2005, eprint archive: [LC99] Hoi-Kwong Lo, H. F. Chau. Unconditional Security of Quantum Key Distribution over Arbitrarily Long Distances. Science 26 March 1999: Vol no. 5410, pp [M,LC] D. Mayers. Unconditonally secure quantum bit commitment is impossible, Phys. Rev. Lett. 78, (1997) and-- H.-K. Lo, H. F. Chau. Why Quantum Bit Commitment And Ideal Quantum Coin Tossing Are Impossible. Physica D120 (1998) quant-ph/ [OTU'00] Tatsuaki Okamoto, Keisuke Tanaka, Shigenori Uchiyama: Quantum Public-Key Cryptosystems. CRYPTO 2000: [S'94] Peter W. Shor: Algorithms for Quantum Computation: Discrete Logarithms and Factoring FOCS 1994: [W'05] J. Watrous. Zero-knowledge against quantum attacks. arXiv.org e-Print quant-ph/ , 2005.

Thank you Questions? This talk to be posted on:

Old Slides Graveyard

44 Quantum computer: model which handles data in different way from classical machines Not feasible on large scale (yet? ever?) Studied because  Promise of huge computational power  New phenomena (quantum crypto) As far as we know, we live in a quantum world Ike Newton

45 Quantum Information: Pure States “Pure states” = vectors in complex space “qubit”= Basic unit of quantum information state 2 {  |0 i +  |1 i : ,  2 C, |  | 2 +|  | 2 =1 } Register of n qubits: state 2 {  x  x |x i : x 2 {0,1} n,  x |  x | 2 =1 } NB: qubit-by-qubit description not enough “Pure states” don’t describe uncertainty pieces of larger states

46 Alternative Formalism: Density Matrices State of n qubits = 2 n £ 2 n matrix  2 C (2 n £ 2 n ) Captures all local information  same density matrix ) same measurement outcomes  can describe part of a larger system  Captures probability

47 Alternative Formalism: Density Matrices State of n qubits = 2 n £ 2 n matrix  2 C (2 n £ 2 n ) Captures all local information “Pure states” = projector matrices |w i 2 C n   w = |w i¢ |w i y rank(  w ) = 1

48 Alternative Formalism: Density Matrices State of n qubits = 2 n £ 2 n matrix  2 C (2 n £ 2 n ) Captures all local information “Pure states” = projector matrices |w i 2 C n   w = |w i¢ |w i y rank(  w ) = 1 Mixed state = convex combination of projectors   =  i p i  i  Any matrix with  =  y and tr(  )=1 Many combinations  same “mixed state”

49 Alternative Formalism: Density Matrices State of n qubits = 2 n £ 2 n matrix  2 C (2 n £ 2 n ) Captures all local information “Pure states” = projector matrices |w i 2 C n   w = |w i¢ |w i y rank(  w ) = 1 Mixed state = convex combination of projectors

50 Alternative Formalism: Density Matrices State of n qubits = 2 n £ 2 n matrix  2 C (2 n £ 2 n ) Captures all local information “Pure states” = projector matrices Mixed state = convex combination of projectors Example: Normalized identity matrix  density matrix of random state   is “completely mixed”  Behaves like random state  = I / 2 n

51 Quantum Operators Feasible invertible operations on n qubits = invertible matrices* in C (2 n £ 2 n ) “pure state”: |  i  U |  i “mixed state”:   U  U y * Any unitary matrix is feasible: U -1 = U y

52 Diagonal basis for qubits |+ i = ( |0 i + |1 i ) /  2 |– i = ( |0 i – |1 i ) /  2 Pauli matrices: bit flips in two bases  X: |0 i  |1 i |1 i  |0 i  Z: |0 i  |0 i Z:|+ i  |– i |1 i  |-1 i |– i  |+ i Pauli Matrices X = Z = |1 i |0 i |0 i + |1 i |0 i – |1 i { I, X, Z, XZ} form Pauli basis for C (2 £ 2)

53 With More Qubits With n >1 qubits:  Apply one of { I, X, Z, XZ } to each qubit Get tensor products of matrices, e.g X ­ Z ­ I ­ XZ Shorthand: u, v 2 {0,1} n : X u Z v = X u 1 Z v 1 ­  ­ X u n Z v n Example:u = ( 1, 0, 0, 1 ) v = ( 0, 1, 0, 1 ) X u Z v = X ­ Z ­ I ­ XZ

54 Pauli Tests Pauli matrix ¼ parity check “Measuring” Z ­ Z ­ Z ­ Z = learn parity © ( x )=  i x i mod 2   x  x |x i  “Measuring” X ­ Z ­ I ­ XZ : = parity with different bases in each positions 0 with prob.  © (x)= 0 |  x | 2 1 with prob.  © (x)= 1 |  x | 2 |0 i, |1 i |+ i, |– i ignore this position |  i, | i