Quantum tokens for digital signatures


1 Quantum tokens for digital signatures
IACR eprint: 2017/094. Or Sattath (Hebrew University & MIT), Shalev Ben-David (MIT). GTACS, June 2017.

2 Highlights of Quantum Cryptography
- $\mathrm{Factoring}, \mathrm{DiscreteLog} \in \mathsf{BQP}$ [Shor'94]
- Unconditionally secure quantum key distribution [BB'84]
- Quantum coin flipping and bit commitment [Mochon'07, CK'09, CK'11]
- Certified randomness
- Quantum homomorphic encryption [DSS'16]
- Outsourcing quantum computation (blind quantum computing) [RUV'13]
- The emergence of post-quantum cryptography: classical cryptography which is secure against quantum adversaries.

3 Quantum Tokens
Many crypto primitives have the form $sk \leftarrow \mathrm{KeyGen}$, then $\mathrm{Operation}_{sk}(x)$. Can we use the quantum magic for $|\text{token}\rangle \leftarrow \mathrm{TokenGen}(sk)$, then $\mathrm{Operation}_{|\text{token}\rangle}(x)$? A single signing token can be used for only a single operation: the operation "consumes" the token.

4 Goal Tokens for digital signatures: Tokenized signatures

5 Digital Signature vs. Tokenized Signatures
Digital signature. Generate two keys $pk$, $sk$. Correctness: $\mathrm{Verify}_{pk}(m, \mathrm{Sign}_{sk}(m)) = 1$. Security: for every (polynomial) adversary who knows $pk$ (but not $sk$) and generates $(m', s')$, $\Pr[\mathrm{Verify}_{pk}(m', s') = 1] \le \mathrm{negl}$.
Tokenized signature. $pk$, $sk$, and a quantum signing token $\rho_{\mathrm{sign}}$, all generated by the bank. Correctness: $\mathrm{Verify}_{pk}(m, \mathrm{Sign}_{\rho_{\mathrm{sign}}}(m)) = 1$. Security: for every adversary with $pk$ and a single $\rho_{\mathrm{sign}}$ that generates $m_1 \ne m_2$, $s_1$, $s_2$, $\Pr[\mathrm{Verify}_{pk}(m_1, s_1) = 1 \ \wedge\ \mathrm{Verify}_{pk}(m_2, s_2) = 1] \le \mathrm{negl}$. The signing token is consumed during signing.

6 Tokenized Signature Signature: Signed messages are classical strings, just like a digital signature. Verification is classical. Tokenized: the signing token is consumed during signing ⇒ only one message can be signed using a single signing token.

7 Agenda
- Aaronson & Christiano's query complexity lower bound.
- AC lower bound ⇒ quantum money.
- Extension of the lower bound ⇒ tokenized signature.
- Applications.

8 Why quantum money? Problem: Bills and coins can be forged
Solution: money which is secured by the laws of quantum mechanics (the no cloning theorem) & computational complexity

9 Public money scheme The bank can generate quantum money states.
Everyone can validate. Forgers holding the money cannot copy.

10 Quantum money from hidden subspaces [Aaronson-Christiano'12]
Let $A \subset \mathbb{Z}_2^{2n}$ be a random subspace with $\dim(A) = n$, and let $A^\perp = \{\, y \in \mathbb{Z}_2^{2n} \mid \sum_i x_i y_i = 0 \bmod 2 \ \ \forall x \in A \,\}$. The state $|A\rangle = \frac{1}{\sqrt{2^n}} \sum_{x \in A} |x\rangle$ is the quantum money state. The state $|A\rangle$ can be verified using membership oracles to $A$ and $A^\perp$.

11 Verification of AC's scheme
Validation: project onto $A$, apply $H^{\otimes 2n}$, project onto $A^\perp$, apply $H^{\otimes 2n}$.
Claim: $H^{\otimes 2n} \Pi_{A^\perp} H^{\otimes 2n} \Pi_A = |A\rangle\langle A|$.
Proof (one direction, normalization omitted): $H^{\otimes 2n} \Pi_{A^\perp} H^{\otimes 2n} \Pi_A \sum_{x \in A} |x\rangle = H^{\otimes 2n} \Pi_{A^\perp} H^{\otimes 2n} \sum_{x \in A} |x\rangle = H^{\otimes 2n} \Pi_{A^\perp} \sum_{y \in A^\perp} |y\rangle = H^{\otimes 2n} \sum_{y \in A^\perp} |y\rangle = \sum_{x \in A} |x\rangle$.

12 Security - Formal
Let $R$ be a symmetric relation on subspaces of dimension $n$: $(A, B) \in R \Leftrightarrow \dim(A \cap B) = n - 1$.
Thm [AC]: Suppose we have states $|init_A\rangle$, $|final_A\rangle$ which satisfy $\mathbb{E}_{(A,B) \in R}[\langle init_A | init_B \rangle] \ge c_1$ and $\mathbb{E}_{(A,B) \in R}[\langle final_A | final_B \rangle] \le c_2$. Then an algorithm which maps $|init_A\rangle \Rightarrow |final_A\rangle$ for all $A$ must use a number of queries that is $\Omega(c_1 - c_2)$ divided by the largest amount by which a single query can change this expected inner product.

13 The challenge
The fisherman should be able to sign at most 3 wishes. The fish could share his secret key, but then the fisherman can sign an arbitrary number of wishes. Goal: each signing token should allow signing only one (arbitrary) message. This can't be achieved classically.

14 Quantum Tokens
Many crypto primitives have the form $sk \leftarrow \mathrm{KeyGen}$, then $\mathrm{Operation}_{sk}(x)$. Can we use the "quantum magic" for $|\text{token}\rangle \leftarrow \mathrm{TokenGen}(sk)$, then $\mathrm{Operation}_{|\text{token}\rangle}(x)$? A single token can be used for only a single operation: the operation "consumes" the token.

15 Main results
- Tokens for message authentication codes: a private tokenized signature scheme.
- A plausibility argument for tokens for digital signatures: a public tokenized signature scheme. The original construction we had is broken because the underlying quantum money scheme is broken.

16 Definition: public tokenized signature scheme
$(pk, sk) \leftarrow \mathrm{keygen}(1^\kappa)$, PPT.
$|\text{token}\rangle \leftarrow \mathrm{tokengen}(sk)$, QPT (quantum polynomial time).
$\sigma \leftarrow \mathrm{sign}_{|\text{token}\rangle}(m)$, QPT.
$\mathrm{ver}_{pk} : \{0,1\}^* \times \{0,1\}^* \to \{T, F\}$, PPT.
Correctness: for all messages $m$, $\mathrm{ver}_{pk}(m, \mathrm{sign}_{|\text{token}\rangle}(m)) = T$.
Security: it is hard to create $n+1$ unique signed documents from $n$ signing tokens. For $(m_1, \sigma_1), \ldots, (m_{n+1}, \sigma_{n+1}) \leftarrow \mathrm{QAdv}(|\text{token}_1\rangle, \ldots, |\text{token}_n\rangle, pk)$: $\Pr[\forall i \ne j:\ m_i \ne m_j \ \text{and}\ \forall i:\ \mathrm{ver}_{pk}(m_i, \sigma_i) = T] \le \mathrm{negl}(\kappa)$.
Morally equivalent if the adversary is provided with a signing oracle and required to generate "fresh" signatures.

17 Definition: private tokenized signature scheme (MAC)
$sk \leftarrow \mathrm{keygen}(1^\kappa)$, PPT.
$|\text{token}\rangle \leftarrow \mathrm{tokengen}(sk)$, QPT (quantum polynomial time).
$\sigma \leftarrow \mathrm{sign}_{|\text{token}\rangle}(m)$, QPT.
$\mathrm{ver}_{sk} : \{0,1\}^* \times \{0,1\}^* \to \{T, F\}$, PPT.
Correctness: for all messages $m$, $\mathrm{ver}_{sk}(m, \mathrm{sign}_{|\text{token}\rangle}(m)) = T$.
Security: it is hard to create $n+1$ unique signed documents from $n$ signing tokens, even with oracle access to verification. For $(m_1, \sigma_1), \ldots, (m_{n+1}, \sigma_{n+1}) \leftarrow \mathrm{QAdv}^{\mathrm{ver}_{sk}}(|\text{token}_1\rangle, \ldots, |\text{token}_n\rangle)$: $\Pr[\forall i \ne j:\ m_i \ne m_j \ \text{and}\ \forall i:\ \mathrm{ver}_{sk}(m_i, \sigma_i) = T] \le \mathrm{negl}(\kappa)$.

18 Recap: Tokenized Signature
“Signature”: The message and signature are classical strings, just like a digital signature / MAC. Verification is classical. “Tokenized”: the signing token is consumed during signing ⇒ only one message can be signed using a single signing token.

19 Agenda
- Reduction to a simpler task.
- Construction of a private tokenized signature scheme.
- Plausibility argument for a public tokenized signature scheme.
- Applications.
- Open questions.
Many of the ideas & results are extensions of [Aaronson-Christiano'12] related to quantum money. Unfortunately, I will not present their results explicitly.

20 Step 1: Onetime 1-bit tokenized signature
Onetime security: hard to create 2 unique signed documents from 1 signing token. 1-bit: allows signing only 1-bit messages.
Theorem: onetime 1-bit private (public) tokenized signatures + quantum-secure collision-resistant hash ⇒ tokenized private (public) signatures.
Proof idea: known techniques related to quantum money + the hash-and-sign paradigm.
Main challenge: construct a onetime 1-bit tokenized signature scheme.

21 Quantum computation and subspaces
Let $A \preccurlyeq \mathbb{F}_2^{2n}$ be a subspace and $A^\perp = \{\, b \in \mathbb{F}_2^{2n} \mid a \cdot b = 0 \bmod 2 \ \ \forall a \in A \,\}$.
Fact 1: $\dim A + \dim A^\perp = 2n$ (rank-nullity theorem).
Fact 2: Given a basis for $A$, it is easy to generate $|A\rangle \propto \sum_{a \in A} |a\rangle$.
Fact 3: $H^{\otimes 2n} |A\rangle = |A^\perp\rangle \propto \sum_{b \in A^\perp} |b\rangle$.
Fact 4: Measuring $|A\rangle$ gives a uniform sample from $A$. Measuring $|A^\perp\rangle$ gives a uniform sample from $A^\perp$.

22 Construction: Onetime 1-bit private tokenized signature
$\mathrm{Keygen}(1^n)$: outputs a random subspace $A \preccurlyeq \mathbb{F}_2^{2n}$ with $\dim A = n$.
$\mathrm{TokenGen}(A)$: outputs the state $|A\rangle = \frac{1}{\sqrt{2^n}} \sum_{a \in A} |a\rangle$.
$\mathrm{Sign}_{|A\rangle}(m)$: if $m = 0$, measure the state. If $m = 1$, apply $H^{\otimes 2n}$ and then measure.
$\mathrm{Verify}_A(m, sig)$: if $m = 0$, check $sig \in A \setminus \{0\}$; if $m = 1$, check $sig \in A^\perp \setminus \{0\}$.

23 Security 1
Thm [Ben-David, S'16]: Let $A \preccurlyeq \mathbb{F}_2^{2n}$ with $\dim A = n$ be picked at random. Given membership oracles to $A$ and $A^\perp$, and the state $|A\rangle$, it takes $\exp(n)$ time to find both $a \in A \setminus \{0\}$ and $a^\perp \in A^\perp \setminus \{0\}$ with non-negligible probability.
$|A\rangle \Rightarrow a \in A \setminus \{0\}$ efficiently (by measuring $|A\rangle$).
$|A\rangle \Rightarrow a^\perp \in A^\perp \setminus \{0\}$ efficiently (by measuring $H^{\otimes 2n} |A\rangle = |A^\perp\rangle$).
Can't do both!
Proof technique: quantum query complexity (adversary method).
Intuition: no cloning (if cloning were possible, you could generate $|A\rangle \otimes |A\rangle$, and use one copy to get $a$ and the second copy to get $a^\perp$).

24 Security 2
Thm: Let $A \preccurlyeq \mathbb{F}_2^{2n}$ with $\dim A = n$ be picked at random. Given membership oracles to $A$ and $A^\perp$, and the state $|A\rangle$, it takes $\exp(n)$ queries to find both $a \in A \setminus \{0\}$ and $a^\perp \in A^\perp \setminus \{0\}$.
Corollary: the onetime 1-bit scheme is secure. For $(0, \sigma_0), (1, \sigma_1) \leftarrow \mathrm{QAdv}^{\mathrm{ver}_{sk}}(|A\rangle)$: $\Pr[\mathrm{ver}_{sk}(i, \sigma_i) = T \ \text{for both}\ i \in \{0, 1\}] \le \mathrm{negl}(\kappa)$.
The access to $\mathrm{ver}_{sk}$ is a membership oracle to $A$ and $A^\perp$. Forging is equivalent to finding both $a \in A \setminus \{0\}$ and $a^\perp \in A^\perp \setminus \{0\}$.
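The construction of slides 21-24, together with the hash-and-sign extension sketched on slide 20, as an added example in Python (this is not code from the paper or the talk). It replaces the quantum state $|A\rangle$ by an object that can be measured exactly once, which is the one property of the token the scheme relies on; everything else (the random subspace, $A^\perp$ by Gaussian elimination over $\mathbb{F}_2$, the membership checks, the forgery game) is classical and runs as written. SHA-256 stands in for the quantum-secure collision-resistant hash, the one-key-and-token-per-hash-bit composition is the standard Lamport-style reading of "known techniques + hash-and-sign" and is my assumption about the construction, and every name in the block (`SigningToken`, `keygen`, `reuse_forgery_probability`, ...) is the example's own.

```python
"""Classical simulation of the onetime 1-bit private tokenized signature of
slides 21-24 and of its hash-and-sign extension (slide 20).  Added example,
not code from Ben-David and Sattath.  Vectors of F_2^{2n} are ints with 2n
bits; the token |A> is modelled by an object that can be measured exactly
once.  SHA-256 stands in for the quantum-secure CRH (assumption)."""
import hashlib
from fractions import Fraction


def echelon(vectors):
    """Row-echelon basis over F_2, keyed by pivot (highest set bit)."""
    basis = {}
    for v in vectors:
        while v:
            p = v.bit_length() - 1
            if p not in basis:
                basis[p] = v
                break
            v ^= basis[p]
    return basis


def in_span(basis, v):
    """Membership oracle for span(basis)."""
    while v:
        p = v.bit_length() - 1
        if p not in basis:
            return False
        v ^= basis[p]
    return True


def orthogonal_complement(basis, dim):
    """A^perp = {b : a.b = 0 mod 2 for all a in A}: the nullspace, read off
    from the reduced row-echelon form (one vector per free column)."""
    rows = dict(basis)
    for p in sorted(rows):
        for q in rows:
            if q != p and (rows[q] >> p) & 1:
                rows[q] ^= rows[p]
    return echelon((1 << f) | sum(1 << p for p, r in rows.items() if (r >> f) & 1)
                   for f in range(dim) if f not in rows)


class SigningToken:
    """Stand-in for |A>: measurable exactly once, in the computational basis
    (outcome in A) or after H^{2n} (outcome in A^perp).  Measuring destroys
    the state, which is what 'consumes' the token."""

    def __init__(self, sk, rng):
        self._sk, self._rng, self._consumed = sk, rng, False

    def measure(self, hadamard):
        if self._consumed:
            raise RuntimeError("token already consumed")
        self._consumed = True
        n, A, Aperp = self._sk
        v = 0                                  # uniform element of the subspace
        for b in (Aperp if hadamard else A).values():
            if self._rng.getrandbits(1):
                v ^= b
        return v


def keygen(n, rng):
    """sk = random A <= F_2^{2n} with dim A = n, plus A^perp for verification."""
    while True:
        A = echelon(rng.getrandbits(2 * n) for _ in range(n))
        if len(A) == n:
            return n, A, orthogonal_complement(A, 2 * n)


def sign(token, m):
    """m=0: measure |A>.  m=1: apply H^{2n} (|A> -> |A^perp>), then measure."""
    return token.measure(hadamard=(m == 1))


def verify(sk, m, sig):
    """Nonzero vector of A (m=0) or of A^perp (m=1).  Zero is rejected, so
    correctness fails with the 2^-n probability of measuring 0."""
    n, A, Aperp = sk
    return sig != 0 and in_span(A if m == 0 else Aperp, sig)


def reuse_forgery_probability(sk):
    """Exact success probability of 'measure |A> once and present the outcome
    as the signature of both 0 and 1': it needs a nonzero vector of A ∩ A^perp,
    one of 2^k - 1 outcomes out of 2^n, k = dim(A ∩ A^perp) = 2n - dim(A + A^perp)."""
    n, A, Aperp = sk
    k = 2 * n - len(echelon(list(A.values()) + list(Aperp.values())))
    return Fraction(2 ** k - 1, 2 ** n)


# Slide 20, hash-and-sign (assumed composition): one onetime 1-bit key and
# token per bit of H(m).  Two accepted signatures on m != m' would need both a
# and a^perp from some token i where H(m) and H(m') differ, or a collision of
# H.  `bits` should be the full digest length in practice; the demo truncates.
def keygen_multi(n, bits, rng):
    return [keygen(n, rng) for _ in range(bits)]


def digest_bits(m, bits):
    h = int.from_bytes(hashlib.sha256(m).digest(), "big")
    return [(h >> i) & 1 for i in range(bits)]


def sign_multi(tokens, m):
    """Bit i of H(m) is signed with token i; every token is consumed."""
    return [sign(t, b) for t, b in zip(tokens, digest_bits(m, len(tokens)))]


def verify_multi(sks, m, sigs):
    return len(sigs) == len(sks) and all(
        verify(sk, b, s) for sk, b, s in zip(sks, digest_bits(m, len(sks)), sigs))
```

`reuse_forgery_probability` makes explicit a caveat that the slides' $A \setminus \{0\}$ and $A^\perp \setminus \{0\}$ checks handle quietly: for a random $A$ the intersection $A \cap A^\perp$ need not be $\{0\}$, so a single measurement outcome can occasionally be a valid signature for both messages; the scheme is still secure because that happens with probability $(2^k - 1)/2^n$, negligible in $n$. The semi-classical money of slides 29-32 is the same code with the branch number as the message: `sign_multi(tokens, b"7")` consumes the note, and the result verifies against message 7 and, except with negligible probability, against nothing else.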

25 Public tokenized signature?
Previous construction used for quantum money: access to membership in $A$ is given by a list of low-degree polynomials that vanish on $A$, plus "noise" polynomials: $x \in A \Leftrightarrow \Pr_i(p_i(x) = 0) \ge 2/3$ and $x \in A^\perp \Leftrightarrow \Pr_i(q_i(x) = 0) \ge 2/3$. The version without the noise polynomials was broken by Pena et al. [PFP15] using a Gröbner basis analysis. The noisy version was broken by Christiano and reported in our work (a quantum attack based on "single-copy tomography").

26 Public tokenized signature?
We can prove security if there exists quantum-secure Virtual Black Box obfuscation with quantum-dependent auxiliary input for these subspace membership functions. There is a positive result for hyperplane obfuscation [CRV'10], but it cannot be used, mainly because it is not quantum secure. The public key: $\mathrm{Obf}(1_A), \mathrm{Obf}(1_{A^\perp})$. Verification uses the obfuscated circuits to test membership. Candidate construction: indistinguishability obfuscation. Security holds if it is VBB obfuscation with the desired properties (similarly to the "best possible obfuscation" notion).

27 Applications
- Semi-classical quantum money
- Revocation of signing tokens
- Protection against two-faced behavior

28 Quantum money
Informal definition:
- Easy to generate the quantum money for the mint.
- Easy to verify (in a private scheme, for the mint; in a public scheme, for everyone).
- Hard to copy / forge.
First work in quantum information & cryptography [Wiesner'69].

29 1st Application: Classically verifiable quantum money
(Figure: the bank runs $\mathrm{Verify}_{pk}(|\$\rangle)$ on a banknote $|\$\rangle$ received over a quantum communication channel.) But what if they don't have quantum communication?

30 1st Application: Classically verifiable quantum money
(Figure: bank branches 1, 2, ..., 7. The holder of $|\$\rangle$: "I'm near branch 7, so sign the message '7'", and computes $\mathrm{Sign}(7, |\$\rangle)$.)

31 1st Application: Semi-classical quantum money
(Figure: branch 7 checks $\mathrm{Verify}_{pk}(7, \mathrm{Sign}(7, |\$\rangle))$ and accepts; the holder is left with the consumed state $|\$'\rangle$.)

32 1st Application: double spending is equivalent to forging messages
(Figure: the same signature presented at branch 2 is rejected: $\mathrm{Verify}_{pk}(2, \mathrm{Sign}(7, |\$\rangle))$ ❌.)

33 2nd application: Revocation of tokenized signatures
"You're hired. Here are your signing tokens: $\rho_{\mathrm{sign}}^1, \ldots, \rho_{\mathrm{sign}}^{10}$."

34 Revocation of tokenized signatures
"Show me all your signed messages." $(m_1, \mathrm{Sign}(m_1)), \ldots, (m_5, \mathrm{Sign}(m_5))$

35 Revocation of tokenized signatures
"Fine. Sign the messages 1-5 using your remaining signing tokens." $\mathrm{Sign}_{\rho_6}(1), \ldots, \mathrm{Sign}_{\rho_{10}}(5)$

36 Revocation of tokenized signatures
OK, You’re fired!

37 3rd application: protection against two-faced behavior
An issue that happens a lot in a distributed network. Alice is supposed to have a preference, 0 or 1. Things become complicated if she is malicious and can report 0 to Bob and 1 to Charlie. Messages can be digitally signed and compared with each other, but that is complicated. If Alice is given a single signing token, she can't sign both 0 and 1.

38 Implementation issues
Does not require a universal quantum computer: the state $|A\rangle$ can be prepared using only Clifford gates, a non-universal gate set. Signing requires a very simple depth-1 circuit. Problems shared with quantum money: coherence times are microseconds to milliseconds, so the tokens cannot function as a store of value. The tokens can be used shortly after they are generated.

39 Open questions
- Tokens for other primitives? Revocable decryption tokens?
- Quantum copy protection.
- Security proof for the public tokenized signature scheme.
- Improved running time for a distributed task (such as Byzantine agreement, etc.)?

