Presentation is loading. Please wait.

Presentation is loading. Please wait.

Short course on quantum computing Andris Ambainis University of Latvia.

Published bySpencer Porter Modified over 9 years ago

Similar presentations

Presentation on theme: "Short course on quantum computing Andris Ambainis University of Latvia."— Presentation transcript:

1 Short course on quantum computing Andris Ambainis University of Latvia

2 Lecture 3 Recent results in quantum cryptography

3 Quantum cryptography Unconditional secure key distribution. Unconditional security for other tasks?

4 Setting QKD: two honest parties, connected by insecure channel. Protection from eavesdropping. Two (or more) parties, some of them might be dishonest. Honest parties need to be protected from dishonest ones.

5 Bit commitment Alice has a bit a. She wants to commit it to Bob so that Bob does not learn a, Alice cannot change it.

6 Coin flipping Alice and Bob want to flip a coin so that neither of them controls the outcome. If both honest, 0 (1) with probability 1/2. If one honest, 0 (1) with probability at most 1/2+ .

7 Oblivious transfer Alice has two bits x 0, x 1. Bob wants to learn x b so that: Alice does not learn b. Alice is guaranteed that Bob gets only one bit.

8 Secret sharing Secret m. Distribute it among n parties so that any k parties have no information about m.

9 Multiparty computation Alice has x, Bob has y. They want to compute f(x, y) so that: Alice learns nothing about y except f(x, y). Bob learns nothing about x except f(x, y). Generalizes to more than two parties.

10 Coin flipping Alice and Bob want to flip a coin so that neither of them controls the outcome. If both honest, 0 (1) with probability 1/2. If one honest, 0 (1) with probability at most 1/2+ .

11 Classical coin flipping If hard functions are available, Information-theoretically (unlimited computational power), one party can always force one outcome with probability 1.

12 Quantum coin flipping Protocol with  =1/4 [A, 2000]. Lower bound of 1/2+   1/  2 [Kitaev, 2001]. Better protocols with weaker definition [A, RS, 2002].

13 Classical coin flipping a  {0, 1}b  {0, 1} Commit (a) b Reveal (a) Result: (a+b) mod 2.

14 Why is this secure? Bob is honest, Alice cheating. Alice’s bit a does not depend on b because Alice has to commit a before seeing b. Bob picks 0/1 with probability ½. The result is a or (a+1) mod 2 with probability ½.

15 Quantum coin flipping a, x  {0, 1}b  {0, 1} b a,x Result: (a+b) mod 2.

16 General quantum states k-dimensional quantum system. Basis |1>, |2>, …, |k>. General state  1 |1>+  2 |2>+…+  k |k>, |  1 |^2+…+ |  k |^2=1 2 k dimensional system can be constructed as a tensor product of k quantum bits.

17 Measurements Measuring  1 |1>+  2 |2>+…+  k |k> in the basis |1>, |2>, …, |k> gives |i> with probability |  i | 2. Any orthogonal basis can be used.

18 Quantum coin flipping a, x  {0, 1}b  {0, 1} b a,x Result: (a+b) mod 2.

19 States

20 Security result Theorem. Alice (Bob) cannot achieve 0 (1) with probability more than 3/4.

21 Cheating Bob Bob could measure the state in basis |0>, |1>, |2>. If a=0, he gets |0> or |1> with probabilities 1/2. If a=1, |0> or |2> with probabilities 1/2. Learns a with probability 1/2, no information otherwise.

22 Mixed states If a=0, Alice sends |0>  |1> with probabilities 1/2. If a=1, Alice sends |0>  |2> with probabilities 1/2. How well can Bob distinguish these two?

23 Mixed states Probabilistic combinations of quantum states. (|0> with probability 1/2 and |1> with probability 1/2) not the same as |0>+|1>. |1> |0> |0> +|1> |0> -|1>

24 Equivalent mixed states Let  0 be |0> or |1> with probabilities 1/2. Let  1 be |0>  |1> with probabilities 1/2. Any measurement on  0 produces the same probability distribution as on  1.

25 Bra-ket notation

26 Inner product

27 Density matrix Consider the mixed state that is |  i > with probabilities p i. The density matrix is

28 Density matrix Let

29 Cheating Bob Alice sends  0,  1. How well can Bob distinguish these two?

30 Cheating Bob Theorem: The best probability with which Bob can guess i, given  i, is For matrices in our protocol, ||  0 -  1 || t =1, probability 3/4.

31 Cheating Alice. Fidelity of two density matrices. Bounds how one state can be transformed into another. Probability that Alice can convince Bob that a=0 is F( ,  0 ). Probability that Alice can convince Bob that a=1 is F( ,  1 ).

32 Quantum coin flipping a, x  {0, 1}b  {0, 1} b a,x Result: (a+b) mod 2.

33 Better bit commitment Quantum bit commitment => Quantum coin flipping. Better commitment? Bob can’t guess a at all, but Alice can’t change it?

34 Impossibility theorem Theorem [Mayers, 1996]. Perfect quantum bit commitment is impossible. If Bob’s state contains no information about Alice’s bit, Alice can change commitment perfectly. Note: there was a “provably secure” protocol before Mayers’ proof.

35 Delayed measurements Any measurement can be delayed till end of protocol. Any classical random variable can be replaced by a quantum state. E.g. 0/1 random bit can be replaced by

36 State after commitment By delayed measurement, pure state |  >. Let |  0 > be the state if Alice commits 0, |  1 > be the state if Alice commits 1. How well Bob can distinguish |  0 > and |  1 >?

37 Tracing out Imagine that Alice measures her part. Then, Bob is left with mixed state. |0> |1>

38 Distinguishability If Bob cannot access Alice’s part, distinguishing |  0 > and |  1 > is equivalent to distinguishing  0 and  1. Bob can guess commitment with probability Perfectly secure if ||  0 -  1 || t =0, i.e.  0 =  1.

39 Transformability Theorem. If  0 =  1, then there is a unitary U on Alice’s part such that U|  0 >= |  1 >. Perfectly hiding commitments are completely non-binding. Almost perfecly hiding commitments?

40 Fidelity F(  0,  1 )=max | | 2, over all |  0 >, |  1 > that give  0,  1 if Alice’s part is traced out. Any test that accepts |  0 > with certainty, accepts |  1 > with probability at least | | 2.

41 Fidelity Theorem. For any |  0 >, |  1 > Alice can transform |  0 > into a state that is accepted as |  1 > with probability F(  0,  1 ). Theorem [Ullman, 1972]

42 Trace distance vs. fidelity Theorem [Fuchs, van de Graaf, 1997] Tradeoff between Alice’s and Bob’s cheating probabilities.

43 Summary on bit commitment In any protocol, either Alice or Bob is capable of cheating with a constant success probability. Protocols in which both parties can’t cheat perfectly, exist.

44 Coin flipping Trace distance vs. fidelity gives some lower bounds for coin flipping. Based on one-round commitment [A,RS, 2001]: 3/4. Based on multi-round commitment: 9/16 [Nayak,Shor,2002]. Not based on commitment?

45 Different protocol [Salvail, 2000] Alice generate two copies of sends second qubits to Bob. Bob randomly chooses one and verifies it. Alice and Bob measure the other pair.

46 Security Theorem [Salvail, 2000] No party can achieve 0 (1) with probability more than 3/4.

47 Lower bound [Kitaev, 2002] Theorem. In any protocol, one party can force 0 (1) with probability at least 1/ . Proof. Write a semidefinite program for max probability achieved by Alice/ Bob. Look at the dual program. Combine the dual programs.

48 Weak CF Assume that Alice can achieve 0 with probability 1 and Bob can achieve 1 with probability 1. Would the protocol be useful? Yes, if Alice wants 1 and Bob wants 0. Still allowed by Kitaev’s theorem.

49 Weak CF Only interested in probability of Alice achieving 1 and Bob achieving 0. Kitaev’s lower bound allows 1/2+ . Theorem [A, Rudolph-Spekkens, 2002] There is a protocol with probability 1/  2.

50 Protocol Alice prepares Bob maps |12> Bob wins, Alice verifies Alice wins, Bob verifies

51 CF summary StrongWeak 3/4 1/  2 >0 Protocol Lower bound

52 CF open problems Better protocols/lower bounds. Coin flipping with penalty for cheating. Party caught cheating loses k coins instead of 1. Best result achievable by cheater? The tradeoff between successful cheating vs. being caught.

53 Open problems Other cryptographic primitives. Quantum zero knowledge? Multiparty computation. Composing the primitives.

Download ppt "Short course on quantum computing Andris Ambainis University of Latvia."

Similar presentations

Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.

Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.
Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.

Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.
Random non-local games Andris Ambainis, Artūrs Bačkurs, Kaspars Balodis, Dmitry Kravchenko, Juris Smotrovs, Madars Virza University of Latvia.

Random non-local games Andris Ambainis, Artūrs Bačkurs, Kaspars Balodis, Dmitry Kravchenko, Juris Smotrovs, Madars Virza University of Latvia.
Random non-local games Andris Ambainis, Artūrs Bačkurs, Kaspars Balodis, Dmitry Kravchenko, Juris Smotrovs, Madars Virza University of Latvia.

Random non-local games Andris Ambainis, Artūrs Bačkurs, Kaspars Balodis, Dmitry Kravchenko, Juris Smotrovs, Madars Virza University of Latvia.
Quantum Computing MAS 725 Hartmut Klauck NTU 5.3.2012.

Quantum Computing MAS 725 Hartmut Klauck NTU
Implementation of Practically Secure Quantum Bit Commitment Protocol Ariel Danan School of Physics Tel Aviv University September 2008.

Implementation of Practically Secure Quantum Bit Commitment Protocol Ariel Danan School of Physics Tel Aviv University September 2008.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
ITIS 6200/8200. 2 Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
Christian Schaffner CWI Amsterdam, Netherlands Position-Based Quantum Cryptography: Impossibility and Constructions Seminar Eindhoven, Netherlands Wednesday,

Christian Schaffner CWI Amsterdam, Netherlands Position-Based Quantum Cryptography: Impossibility and Constructions Seminar Eindhoven, Netherlands Wednesday,
1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.

1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
Classical capacities of bidirectional channels Charles Bennett, IBM Aram Harrow, MIT/IBM, Debbie Leung, MSRI/IBM John Smolin,

Classical capacities of bidirectional channels Charles Bennett, IBM Aram Harrow, MIT/IBM, Debbie Leung, MSRI/IBM John Smolin,
Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.

Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.
Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.

Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.
Oblivious Transfer based on the McEliece Assumptions

Oblivious Transfer based on the McEliece Assumptions
Avraham Ben-Aroya (Tel Aviv University) Oded Regev (Tel Aviv University) Ronald de Wolf (CWI, Amsterdam) A Hypercontractive Inequality for Matrix-Valued.

Avraham Ben-Aroya (Tel Aviv University) Oded Regev (Tel Aviv University) Ronald de Wolf (CWI, Amsterdam) A Hypercontractive Inequality for Matrix-Valued.
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.

Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.

Similar presentations

Ads by Google