Download presentation
Presentation is loading. Please wait.
1
Cryptography for Quantum Computers
Sanjam Garg University of California, Berkeley
2
Outline Obfuscating Quantum Programs MPC with low-communication
Quantum Crypto Complete? (Strong Computational Assumptions) Obfuscating Quantum Programs Randomized Encodings Attribute Based Encryption Non-Interactive Key Exchange (3 or more parties) MPC with low-communication (under different assumptions) Quantum might have an advantage
3
Obfuscation Obfuscation aims to make of computer programs ``unintelligible’’ without affecting their functionality. O(P) P Alice Bob
4
Attempt 1: Virtual-Black-Box Notion
Produce as output another program O(𝐶) 𝑂(𝐶) computes the same function as 𝐶 𝑂(𝐶)at most polynomially larger than 𝐶 𝑂(𝐶) is “unintelligible” Multiple notions ``virtual black-box’’ notion: ∀𝐴 ∃𝑆 ∀𝐶 cannot do much more with 𝑂(𝐶) than running it on various inputs VBB is impossible [BGIRSVY01] 𝐴 𝑂(𝐶) ∼ 𝑃𝑃𝑇 𝑆 𝐶 ( 1 𝐶 )
5
Attempt 2: Indistinguishability Obfuscation (IO)
Def: If 𝐶 1 , 𝐶 2 compute the same function (and |𝐶 1 |=| 𝐶 2 |) then 𝑂 𝐶 1 ≈𝑂 𝐶 2 Indistinguishable even if you know 𝐶 1 , 𝐶 2 Note: Inefficient iO is always possible 𝑂(𝐶) = lexicographically 1st circuit computing the same function as 𝐶 (canonical form) Canonicalization is inefficient
6
The Power of IO * 𝑵𝑷 ⊈𝑹𝑷 IO* [GGHRW 13, Sahai-Waters 14, GGHR14…]
Functional encryption Trapdoor permutations MPC Verifiable Delegation Concurrent Zero-Knowledge IO* So if IO can replace ideal obfuscation in so many places, can we show that it implies PPAD-hardness? Deniable encryption PPAD-hardness? * 𝑵𝑷 ⊈𝑹𝑷
![The Power of IO * 𝑵𝑷 ⊈𝑹𝑷 IO* [GGHRW 13, Sahai-Waters 14, GGHR14…]](http://slideplayer.com./slide/14829767/90/images/6/The+Power+of+IO+%2A+%F0%9D%91%B5%F0%9D%91%B7+%E2%8A%88%F0%9D%91%B9%F0%9D%91%B7+IO%2A+%5BGGHRW+13%2C+Sahai-Waters+14%2C+GGHR14%E2%80%A6%5D.jpg "Functional encryption. Trapdoor permutations. MPC. Verifiable Delegation. Concurrent. Zero-Knowledge. IO* So if IO can replace ideal obfuscation in so many places, can we show that it implies PPAD-hardness Deniable encryption. PPAD-hardness * 𝑵𝑷 ⊈𝑹𝑷.")
7
Best Possible Obfuscation [GR07]
x x Indist. Obfuscation Indist. Obfuscation ≈ Best Obfuscation Padding Some circuit C Computationally Indistinguishable Some circuit C C(x) C(x)
![Best Possible Obfuscation [GR07]](http://slideplayer.com./slide/14829767/90/images/7/Best+Possible+Obfuscation+%5BGR07%5D.jpg "x. x. Indist. Obfuscation. Indist. Obfuscation. ≈ Best Obfuscation. Padding. Some circuit C. Computationally Indistinguishable. Some circuit C. C(x) C(x)")
8
Indistinguishability Obfuscation [BGIRSVY01]
Def: If 𝐶 1 , 𝐶 2 compute the same function (and |𝐶 1 |=| 𝐶 2 |) then 𝑂 𝐶 1 ≈𝑂 𝐶 2 Indistinguishable even if you know 𝐶 1 , 𝐶 2 Note: Inefficient iO is always possible 𝑂(𝐶) = lexicographically 1st circuit computing the same function as 𝐶 (canonical form) Canonicalization is inefficient Picture by [HB16]
![Indistinguishability Obfuscation [BGIRSVY01]](http://slideplayer.com./slide/14829767/90/images/8/Indistinguishability+Obfuscation+%5BBGIRSVY01%5D.jpg "Def: If 𝐶 1 , 𝐶 2 compute the same function (and |𝐶 1 |=| 𝐶 2 |) then 𝑂 𝐶 1 ≈𝑂 𝐶 2. Indistinguishable even if you know 𝐶 1 , 𝐶 2. Note: Inefficient iO is always possible. 𝑂(𝐶) = lexicographically 1st circuit computing the same function as 𝐶. (canonical form) Canonicalization is inefficient. Picture by [HB16]")
9
Obfuscation: Open Questions
Question 1: Can quantum help obfuscate classical programs? Question 2: Can we obfuscate quantum programs? Simpler tasks?
10
Randomized Encodings [IK00,IK02,AIK04]
Question 3: Can Alice encode a quantum program classically? Randomized Encodings [IK00,IK02,AIK04] Encode a “complex” computation into a “simple” one E.g. Enc is low depth but larger parallel complexity 𝑃,𝑥 𝐸𝑛𝑐(𝑃,𝑥) 𝑃(𝑥) Alice Bob Security: 𝐸𝑛𝑐(𝑃,𝑥)≈𝑆𝑖𝑚( 1 𝑃 ,𝑃 𝑥 ) If 𝐸𝑛𝑐 𝑃,𝑥 <|𝑃(𝑥)| then we can use 𝐸𝑛𝑐 to obtain obfuscation.
![Randomized Encodings [IK00,IK02,AIK04]](http://slideplayer.com./slide/14829767/90/images/10/Randomized+Encodings+%5BIK00%2CIK02%2CAIK04%5D.jpg "Question 3: Can Alice encode a quantum program classically Randomized Encodings [IK00,IK02,AIK04] Encode a complex computation into a simple one. E.g. Enc is low depth but larger parallel complexity. 𝑃,𝑥. 𝐸𝑛𝑐(𝑃,𝑥) 𝑃(𝑥) Alice Bob. Security: 𝐸𝑛𝑐(𝑃,𝑥)≈𝑆𝑖𝑚( 1 𝑃 ,𝑃 𝑥 ) If 𝐸𝑛𝑐 𝑃,𝑥 <|𝑃(𝑥)| then we can use 𝐸𝑛𝑐 to obtain obfuscation.")
11
Attribute-Based Encryption [SW05, GPSW06, … GVW13,…]
MSK OR Board AND PC Crypto PK Key Authority OR Board AND PC Crypto SK Question 4: Can an encryptor specify a quantum policy? SK’ “PC” “Crypto” “PC” “Eurocrypt”
![Attribute-Based Encryption [SW05, GPSW06, … GVW13,…]](http://slideplayer.com./slide/14829767/90/images/11/Attribute-Based+Encryption+%5BSW05%2C+GPSW06%2C+%E2%80%A6+GVW13%2C%E2%80%A6%5D.jpg " MSK. OR. Board. AND. PC. Crypto. PK. Key Authority. OR. Board. AND. PC. Crypto. SK. Question 4: Can an encryptor specify a quantum policy SK’ PC Crypto PC Eurocrypt")
12
Non-Interactive Key Exchange [DH76]
𝑃 𝐾 𝐴 𝑃 𝐾 𝐵 𝐾 𝐴𝐵 𝑆 𝐾 𝐴 𝑆 𝐾 𝐵 Alice Bob
![Non-Interactive Key Exchange [DH76]](http://slideplayer.com./slide/14829767/90/images/12/Non-Interactive+Key+Exchange+%5BDH76%5D.jpg "𝑃 𝐾 𝐴. 𝑃 𝐾 𝐵. 𝐾 𝐴𝐵. 𝑆 𝐾 𝐴. 𝑆 𝐾 𝐵. Alice Bob.")
13
Non-Interactive Key Exchange
Two Parties [DH76] 1976 2000 Three Parties [Joux00] No post-quantum NIKE is know for more than two parties.
14
Starting Point NIKE from Obfuscation [BZ14]
Primitives One way function 𝐺: 𝑠 →𝑥 Pseudorandom Function (PRF) F Shared Key: 𝐹 𝐾 𝑥 1 , 𝑥 2 , 𝑥 3 , 𝑥 4 𝑠 3 𝑠 1 𝑥 1 = 𝐺 𝑠 1 𝑥 1 , 𝑥 2 , 𝑥 3 , 𝑥 4 𝑠 2 𝑠 4 How?
![Starting Point NIKE from Obfuscation [BZ14]](http://slideplayer.com./slide/14829767/90/images/14/Starting+Point+NIKE+from+Obfuscation+%5BBZ14%5D.jpg "Primitives. One way function 𝐺: 𝑠 →𝑥. Pseudorandom Function (PRF) F. Shared Key: 𝐹 𝐾 𝑥 1 , 𝑥 2 , 𝑥 3 , 𝑥 4. 𝑠 3. 𝑠 1. 𝑥 1 = 𝐺 𝑠 1. 𝑥 1 , 𝑥 2 , 𝑥 3 , 𝑥 4. 𝑠 2. 𝑠 4. How")
15
First party sends an obfuscation that does that
𝑃 𝐾 𝑃 𝐾 𝑥 1 , 𝑥 2 ,… 𝑥 𝑛 , 𝑖, 𝑠 If 𝐺 𝑠 ≠ 𝑥 𝑖 then output ⊥ Otherwise, output 𝐹 𝐾 𝑥 1 , 𝑥 2 , … 𝑥 𝑛 Skip: Security Proof (Uses Puncturable PRFs) O( 𝑃 𝐾 ) Now the parties can generate 𝐹 𝐾 𝑥 1 , 𝑥 2 , … 𝑥 𝑛 .
16
Secure Multiparty Computation [Yao82, GMW87]
Compute 𝑓( 𝑥 1 , 𝑥 2 ,…, 𝑥 𝑛 ) 𝑥 3 𝑥 4 𝑥 2 𝑥 5 𝑥 1 However, in this talk as the title suggests we are interested in the multiparty setting. Here, there are n parties each with its own private input. They wish to compute a joint function f of their private inputs. … 𝑥 6 𝑥 𝑛 𝑓 is classical
![Secure Multiparty Computation [Yao82, GMW87]](http://slideplayer.com./slide/14829767/90/images/16/Secure+Multiparty+Computation+%5BYao82%2C+GMW87%5D.jpg "Compute 𝑓( 𝑥 1 , 𝑥 2 ,…, 𝑥 𝑛 ) 𝑥 3. 𝑥 4. 𝑥 2. 𝑥 5. 𝑥 1. However, in this talk as the title suggests we are interested in the multiparty setting. Here, there are n parties each with its own private input. They wish to compute a joint function f of their private inputs. … 𝑥 6. 𝑥 𝑛. 𝑓 is classical.")
17
Secure Multiparty Computation [Yao 86, GMW 87]
𝑥 3 𝑥 4 𝑥 2 Not learn anything about honest parties inputs apart from 𝑓( 𝑥 1 , 𝑥 2 ,…, 𝑥 𝑛 ) 𝑥 5 𝑥 1 As before, the security notion is that even if a subset of parties get corrupted where the number of corrupted parties could be as large as n-1, they do not learn anything about the honest parties input apart from what is leaked from the function’s output. Multiparty computation is a much more demanding setting and it is generally hard to design secure protocols that work in the multiparty case. … 𝑥 6 𝑥 𝑛
![Secure Multiparty Computation [Yao 86, GMW 87]](http://slideplayer.com./slide/14829767/90/images/17/Secure+Multiparty+Computation+%5BYao+86%2C+GMW+87%5D.jpg "𝑥 3. 𝑥 4. 𝑥 2. Not learn anything about honest parties inputs apart from 𝑓( 𝑥 1 , 𝑥 2 ,…, 𝑥 𝑛 ) 𝑥 5. 𝑥 1. As before, the security notion is that even if a subset of parties get corrupted where the number of corrupted parties could be as large as n-1, they do not learn anything about the honest parties input apart from what is leaked from the function’s output. Multiparty computation is a much more demanding setting and it is generally hard to design secure protocols that work in the multiparty case. … 𝑥 6. 𝑥 𝑛.")
18
Efficiency Computational Complexity Have been good understanding.
Round Complexity Communication Complexity Several problems are open here.
19
Known Results … … FHE – Independent of s [Gentry09] 𝑥 1 𝑥 2 𝑥 3 𝑥 4
𝑥 5 𝑥 6 𝑥 𝑛 … Phase 1: Compute 𝑝𝑘 and each part gets a secret shares of 𝑠𝑘 Party 𝑖 sends 𝐸𝑛𝑐 𝑝𝑘, 𝑥 𝑖 to everyone else Everyone computes 𝐸𝑛𝑐(𝐶(𝑥)) Phase 2: 𝑥 1 𝑥 2 𝑥 3 𝑥 4 𝑥 5 𝑥 6 𝑥 𝑛 … Phase 3: Parties decrypt Enc(C(x))
![Known Results … … FHE – Independent of s [Gentry09] 𝑥 1 𝑥 2 𝑥 3 𝑥 4](http://slideplayer.com./slide/14829767/90/images/19/Known+Results+%E2%80%A6+%E2%80%A6+FHE+%E2%80%93+Independent+of+s+%5BGentry09%5D+%F0%9D%91%A5+1+%F0%9D%91%A5+2+%F0%9D%91%A5+3+%F0%9D%91%A5+4.jpg "𝑥 5. 𝑥 6. 𝑥 𝑛. … Phase 1: Compute 𝑝𝑘 and each part gets a secret shares of 𝑠𝑘. Party 𝑖 sends 𝐸𝑛𝑐 𝑝𝑘, 𝑥 𝑖 to everyone else. Everyone computes 𝐸𝑛𝑐(𝐶(𝑥)) Phase 2: 𝑥 1. 𝑥 2. 𝑥 3. 𝑥 4. 𝑥 5. 𝑥 6. 𝑥 𝑛. … Phase 3: Parties decrypt Enc(C(x))")
20
Known Results FHE – Independent of s [Gentry09]
DDH – O( s log s ) [BGI16…] Information theoretic – O( s loglog s ) [Couteau18] correlated randomness model Question 5: Can quantum computers help?
![Known Results FHE – Independent of s [Gentry09]](http://slideplayer.com./slide/14829767/90/images/20/Known+Results+FHE+%E2%80%93+Independent+of+s+%5BGentry09%5D.jpg "DDH – O( s log s ) [BGI16…] Information theoretic – O( s loglog s ) [Couteau18] correlated randomness model. Question 5: Can quantum computers help")
21
Thank you! Questions?
Similar presentations
