Feasibility and Completeness of Cryptographic Tasks in the Quantum World Hong-Sheng Zhou (U. Maryland) Joint work with Jonathan Katz (U. Maryland), Fang Song (Penn. State U.), Vassilis Zikas (U. Maryland)

How would classical cryptography change in a quantum world?

How would quantum change classical crypto?
Take advantage of quantum to break protocols
o Factoring- and discrete-logarithm-based protocols are no longer secure [Shor94]
Use quantum to build protocols
o Quantum Key Distribution (QKD) [BB84]: use a classical authenticated channel to build a statistically secure channel, which is impossible in the classical setting

How would quantum change classical crypto?
Secure Multi-Party Computation over the Internet
o Allow mutually distrustful parties to carry out a crypto task over the Internet
o E.g., coin-tossing, jointly evaluating a function, playing online poker, commitment, oblivious transfer, ...
o Security model: Universal Composition (UC) framework [Canetti01, Unruh10]
o Computational vs. information-theoretic security
A notable distinction [BBCS91]: using quantum, Oblivious Transfer (OT) can be implemented from Commitment (COM) with universally composable statistical security [DFLSS09, Unruh10]; this is impossible in the classical setting
Question: are there more distinctions that quantum brings about?

How would quantum change classical crypto?
Secure Multi-Party Computation over the Internet
o OT is complete [Kilian88] in the sense that it can be used to implement any other crypto task
o Analogous to computational complexity, crypto tasks have different strengths: Feasible vs. Complete, much like P vs. NP-complete
o The classical landscape is well studied [MPR10, MPR09, KMQ11]
Question: how would the landscape differ in the quantum setting?

Our Contribution
o Identify another distinction: OT from Cut-and-Choose (CC)
o Application: systematic characterization of a set of tasks in quantum UC
[Figure: the Feasible and Complete classes, drawn for the computational setting and for the information-theoretic setting]

Derive the quantum landscape

How useful is F as a trusted setup? (in the classical setting, assuming basic secure communication is given)
Possible "levels of power" for F:
o Feasible/Useless/Trivial: access to F is equivalent to no trusted setup (e.g., secure channel)
o Intermediate: some level of power between the two extremes
o Complete: all tasks have UC-secure protocols in the presence of F (e.g., OT)
[Figure: Feasible, Intermediate, Complete]

How useful is F as a trusted setup? (in the quantum setting)
Adversaries with quantum power
o Some feasible F become infeasible
o Some complete F become not complete
Honest players with quantum power
o Some infeasible (including complete) F become feasible
o Some incomplete (including feasible) F become complete
[Figure: Feasible, Intermediate, Complete, classical setting next to quantum setting]

2-party, finite, deterministic tasks
We next show how to draw the "cryptographic complexity" landscape in the quantum setting
o for an interesting class of tasks: 2-party finite deterministic tasks, including OT, COM, CC, ...
o input/output domains are of polynomial size
[Figure: SFE f: Input(x_1), Input(x_2), Output(f_1(x_1, x_2)), Output(f_2(x_1, x_2)); Reactive 2PC: successive rounds Input(x_1), Input(x_2), Output(y_1), Output(y_2); Input(x'_1), Input(x'_2), Output(y'_1), Output(y'_2); Input(x''_1), Input(x''_2), Output(y''_1), Output(y''_2)]

How useful is F as a trusted setup? (in the classical setting)
[Figure: Information-theoretic setting [MPR09, KMQ11/08]: Feasible; COM, CC, XOR; OT. Computational setting [MPR10]: Feasible; COM, OT, CC, XOR.]

What about the quantum setting? Computational setting
[Figure: Classical landscape [MPR10] (Feasible; COM, OT, CC, XOR) next to the quantum landscape [this work] (Feasible; COM, OT, CC, XOR)]
o OT: complete, [Unruh10, IPS08]
o COM: complete, [HSS11, CLOS02] + suitable computational assumption
o CC: complete, this work
o A region of the figure is marked "Rewinding used in the security proof": the classical completeness proofs there rely on rewinding, which does not carry over to quantum adversaries
Warning: it might be the case that all tasks in that set are feasible.

What about the quantum setting? Information-theoretic setting
[Figure: Classical landscape [MPR09, KMQ11/08] (Feasible; COM, CC, XOR; OT) next to the quantum landscape [this work] (Feasible; COM, CC, XOR; OT)]
o OT: complete, [Unruh10, IPS08]
o COM: complete, [Unruh10, BBCS91]
o CC: complete, this work

What about the quantum setting?
[Figure: the two quantum landscapes side by side: Computational setting (Feasible; COM, OT, CC, XOR) and Information-theoretic setting (Feasible; COM, CC, XOR; OT)]

Design OT from CC

Main Result: CC ⇒ OT
Functionalities (figure):
o OT: Alice inputs (b_0, b_1), Bob inputs s; Bob outputs b_s, Alice outputs nothing
o CC: Alice inputs a choice bit x_1, Bob inputs x_2; Bob outputs x_1 (he learns whether he was checked), Alice outputs x_2 when x_1 = 1
o COM: the committer's Commit(x) yields Commit() to the receiver (a receipt without x); the committer's Open() later yields Open(x) to the receiver
Theorem: There is a quantum protocol that UC-securely realizes OT in the CC-hybrid world against all computationally unbounded quantum adversaries (statistical security).

OT from COM [BBCS91]
[Figure: for all i in [n], Bob commits to position i (COM_i); Alice chooses a check set C and Bob opens the commitments for all i in C; the unchecked positions are split into index sets I_0, I_1 according to Bob's choice bit s; Alice's inputs b_0, b_1 are encoded on I_0, I_1, and Bob outputs b_s]

OT from CC
[Figure: as in the OT-from-COM protocol, but for all i in [n] the commit/open of position i is replaced by a cut-and-choose instance CC_i, with an "Abort if ..." step on Alice's side; the unchecked positions are split into I_0, I_1 by Bob's choice bit s, Alice's inputs b_0, b_1 are encoded on them, and Bob outputs b_s]
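To make the protocol structure concrete, here is an added classical walk-through of an honest run of the OT-from-CC protocol (example code written for this page, not the authors' implementation). It assumes: the quantum channel is replaced by the classical statistics honest parties would observe (same basis gives the same bit, different bases give an independent random bit); the ideal OT and CC functionalities are ordinary functions; and each CC_i is used as a reconstruction of the slide's sketch, namely Bob feeds his (basis, outcome) for position i, Alice feeds a check bit, she sees the pair only when she checks, and he learns whether he was checked. The "cheating Bob" who reports outcomes without measuring is a classical stand-in that shows what the check phase catches; security against a Bob who keeps his qubits unmeasured is the quantum argument behind the theorem and is not demonstrated here.

```python
"""Classical walk-through of an honest run of OT from cut-and-choose.

Added illustration, not the authors' code.  Assumptions (see lead-in):
the BB84 channel is simulated by its honest-party statistics, ideal OT
and CC are plain functions, and the use of CC_i per position is a
reconstruction of the slide's sketch.
"""
import secrets
from itertools import product


class ProtocolAbort(Exception):
    """Raised when Alice's cut-and-choose check fails."""


def rand_bit():
    return secrets.randbits(1)


def ideal_ot(b0, b1, s):
    """Ideal OT: Alice inputs (b0, b1), Bob inputs s, Bob receives b_s."""
    return (b0, b1)[s]


def ideal_cc(x1, x2):
    """Ideal cut-and-choose (reconstructed): Alice inputs choice bit x1,
    Bob inputs x2.  Returns (Bob's output, Alice's output): Bob learns x1,
    Alice learns x2 only when x1 == 1."""
    return x1, (x2 if x1 == 1 else None)


def parity(bits, idx):
    p = 0
    for i in idx:
        p ^= bits[i]
    return p


def run_ot_from_cc(b0, b1, s, n=128, bob_cheats=False):
    """Honest run of the protocol; returns Bob's output or raises ProtocolAbort."""
    # 1. Alice prepares n BB84 "qubits": random bit x_i in random basis theta_i.
    x = [rand_bit() for _ in range(n)]
    theta = [rand_bit() for _ in range(n)]
    # 2. Bob measures in random bases.  Honest Bob gets x_i when the bases
    #    agree and a uniform bit otherwise; the cheating stand-in skips the
    #    measurement and reports uniformly random outcomes.
    theta_hat = [rand_bit() for _ in range(n)]
    if bob_cheats:
        x_hat = [rand_bit() for _ in range(n)]
    else:
        x_hat = [x[i] if theta_hat[i] == theta[i] else rand_bit() for i in range(n)]
    # 3. Cut-and-choose: one CC_i per position, Alice checks each w.p. 1/2 and
    #    aborts if a checked position with matching basis disagrees with her bit.
    unchecked = []
    for i in range(n):
        to_bob, to_alice = ideal_cc(rand_bit(), (theta_hat[i], x_hat[i]))
        if to_alice is not None:
            basis_i, outcome_i = to_alice
            if basis_i == theta[i] and outcome_i != x[i]:
                raise ProtocolAbort("inconsistent outcome at position %d" % i)
        if to_bob == 0:  # Bob learns which positions survived the check
            unchecked.append(i)
    # 4. Alice announces her bases on the unchecked positions; Bob puts the
    #    positions where the bases agree into I_s and the rest into I_{1-s}.
    I = {0: [], 1: []}
    for i in unchecked:
        I[s if theta_hat[i] == theta[i] else 1 - s].append(i)
    # 5. Alice masks each b_j with the parity of her bits on I_j.
    m = (b0 ^ parity(x, I[0]), b1 ^ parity(x, I[1]))
    # 6. Bob unmasks m_s with his outcomes, which equal Alice's bits on I_s.
    return m[s] ^ parity(x_hat, I[s])


def honest_run_matches_ideal_ot():
    """Bob's output agrees with ideal OT on all eight input combinations."""
    return all(run_ot_from_cc(b0, b1, s) == ideal_ot(b0, b1, s)
               for b0, b1, s in product((0, 1), repeat=3))


def cheating_bob_is_caught():
    """A Bob who fabricates outcomes is aborted with overwhelming probability:
    each position catches him w.p. 1/8, so (7/8)^128 survives."""
    try:
        run_ot_from_cc(0, 1, 0, bob_cheats=True)
    except ProtocolAbort:
        return True
    return False


if __name__ == "__main__":
    print("honest run correct:", honest_run_matches_ideal_ot())
    print("fabricated outcomes caught:", cheating_bob_is_caught())
```

Equal sizes for I_0 and I_1, and the privacy of b_{1-s} against a dishonest Bob, are neither enforced nor shown by this classical run; the point of the block is the data flow through CC_i and the abort, which is exactly the step that replaces commit-then-open-a-subset in the [BBCS91] construction.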

Security Definition
Universal Composition (UC) framework [Canetti01] (cf. DM00, PW01, ...)
Protocol π UC-securely realizes task F if for every real-world adversary A there is an ideal-world simulator S such that the two worlds are indistinguishable to every environment Z.
[Figure: Real world: Z interacts with the parties running π and with A; Ideal world: Z interacts with the ideal functionality F and with S; Real world ≈ Ideal world]

Quantum UC
Quantum UC [Unruh10] (cf. Unruh04, BOM04, HSS11)
Protocol π quantum-UC-securely realizes task F if for every real-world quantum adversary A there is an ideal-world simulator S such that the two worlds are indistinguishable to every quantum environment Z.
We only consider classical F.
[Figure: the same real-world / ideal-world picture as for classical UC, with Real world ≈ Ideal world]

OT from CC: proof idea
Design a simulator S:
o extracting (b_0, b_1) when Alice is corrupted
o extracting s when Bob is corrupted
o producing a communication transcript statistically close to the real one
[Figure: the OT-from-CC protocol with I_0, I_1, CC_i for all i in [n], the "Abort if ..." step, inputs b_0, b_1 and s, output b_s]

[Figures: the OT-from-CC protocol, then the ideal world for the two corruption cases above: the ideal OT with inputs (b_0, b_1) and s and output b_s, the simulator S controlling the CC_i instances for all i in [n] and the index sets I_0, I_1, and the environment Z]

Summary and Open Questions
Main Result: CC ⇒ OT
[Figure: the computational-setting landscape (Feasible; COM, OT, CC, XOR) and the information-theoretic-setting landscape (Feasible; COM, CC, XOR; OT)]
Open questions:
o Much larger sets of tasks: randomized tasks, infinite tasks, multi-party, ...
o Quantum tasks