Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Few Simple Applications to Cryptography Louis Salvail BRICS, Aarhus University.

Published byClemence Foster Modified over 9 years ago

Similar presentations

Presentation on theme: "A Few Simple Applications to Cryptography Louis Salvail BRICS, Aarhus University."— Presentation transcript:

1 A Few Simple Applications to Cryptography Louis Salvail BRICS, Aarhus University

2 102344578911 QKD: An “Application” of Non- Cloning First, a digression: Wiesner’s unforgeable quantum cash 0 0 1 1 1 1 0 0 1 1 0 1 0 1 102344578907 +x++xx+xx++x++ 10100010010110 102344578908 x++x+x++x+x+xx 10010110001110 102344578909 ++xx+xx+x+++x+ 11010111001010 102344578910 x+xxx++x+x+++x 01101010011000 102344578911 +x++xx+x+x+xx+ 00111100110101 102344578912 x+xx++x+x++x++ 10101101110100 102344578913 xx+x++x+x+++x+ 01010010011101 102344578914 +x+x+++xx+x++x 01010111101000 102344578915 x+++xx+x+x+++x 10110101010111 2nd attack: 1st attack: pick random bases, measure and store the outcome. 0 0 1 0 1 1 0 0 1 1 0 0 0 1 0 0 1 0 1 0 0 0 1 1 0 1 0 1

3 BB84 0110101001101010 0111101101111011 Quantum Channel quantum classical OK 1,3,5,6,7-----((1,0),(7,1)) OK,f Verify that not 2-many errors occured. If OK then choose f randomly from U2 class. K=f(110) Return good positions and a random sample. error-correction 0*1*101*0*1*101* 0*1*101*0*1*101* 110110 110110

4 Hardware This is how a QKD set-up looked like a few years ago. photodetector: photon source And now:

5 Purified BB84 This EPR pair is a singlet: 1101110011011100 1101010011010100

6 Encrypting Qubits Suppose we want to encrypt a qubit under a classical secret-key K, such that: The cipher state alone does not reveal any information on the state of the qubit. Using K, the qubit can be perfectly reconstructed from the cipher state.

7 Encryption/Decryptio n We suppose that encryption is performed by a family of unitary transforms {U K } K indexed by secret-key K. The simplest form is that upon qubit |φ>, the cipher state is generated as: |e K (φ)> = U K |φ>. Decryption is performed by running U K backward (its complex conjugate transposed).

8 Privacy Privacy means that given only the cipher state |e K (φ)>, no information can be extracted about the state |φ>. This can be captured by enforcing that the quantum state produced by an encryption under a uniform and random choice for K is independent of |φ>. This would mean that an eavesdropper ignorant of K always sees the same state. No measurement can therefore distinguish the encryptions of any 2 states.

9 The State Available to the Eavesdropper As we have seen, the state available to the adversary when |φ> is encrypted is the mixed state corresponding to the encryption of |φ> over all keys: An encryption scheme is therefore said to be private if:

10 Back to Teleportation (x,z) with prob. 1/4:(0,0) with prob. 1/4:(0,1)with prob. 1/4:(1,0) with prob. 1/4:(1,1)

11 Encryption/Decryptio n Suppose Alice and Bob share K ∈ {0,1}×{0,1}: If K=(0,0) If K=(0,1) If K=(1,0) If K=(1,1) Since XX=ZZ=-YY=I, Bob decrypts by applying the same transform indicated by K:

12 In General It can be shown that 2 classical bits are necessary in order to encrypt with perfect privacy (and with perfect decryption) an arbitrary qubit. If the possible states of the qubit are restricted to some special sets then 1 classical could be sufficient. For the encryption of qubits with only statistical privacy and almost perfect descryption, a single classical bit per qubit is asymptotically sufficient.

13 First Special Case Suppose the possible states of the qubit are { |0>, |1> }. The situation is now classical and the one-time-pad (one bit per qubit) provides perfect privacy. Notice that the encryption of these 2 states using X with probability 1/2 is exactly the same as the one-time-pad.

14 Second Special Case Suppose the qubit to encrypt is of the form |φ> = a|0> + b|1> where a, b are real numbers. Now, observe that: So, only complex amplitude states require 2 bits of key.

15 Committing a Qubit Teleportation also allows to see how one can commit on a qubit given only a classical commitment scheme. Suppose the scheme allows for committing on a pair of classical bits. Encrypt |φ> using a random key K. classical commitment of K

16 Encrypting Classical Messages in Quantum States Consider the symmetric encryption of classical messages in quantum states. We’ll get a simple encryption scheme that resists “better” to known plaintext attacks than any classical scheme. It is based upon what is called an uncertainty relations.

17 Hadamard Transform Remember that: Let’s define the following 2 Von Neumann measurements on n qubits (computational & diagonal basis): Associated to |φ>, we can define the 2 probability distributions for the outcomes of M + and M x when applied to |φ>:

18 Uncertainty Relation The following uncertainty relation has been shown by Maassen and Uffink. We shall denote by H(p φ ) and H(q φ ) the Shannon entropy for distributions p φ (x) and q φ (x) respectively. Theorem: For any n-qubit state |φ>, it is the case that H(p φ ) + H(q φ ) ≥ n.

19 An equivalent uncertainty relation Suppose that a source S sends a quantum state chosen as follows: Pick x in {0,1} n at random, With prob. 1/2 send |x>, With prob. 1/2 send H ⊗ n |x>. Theorem: Let X be the random variable describing the choice made by S above. Let Y be the random variable for the outcome of an arbitrary measurement applied to the state sent by S. Then, for any outcome y: H(X|Y=y) ≥ n/2.

20 Encryption Scheme The key K=(p,h) where p ∈ {0,1} n and h ∈ {0,1}. The encryption of message m is done the following way: c := m ⊕ p If h=0 then send |c> Else send H ⊗ n |c>. Notice that the scheme is private since the message m is one-time-padded. This is a (n,n+1)-encryption scheme: it encrypts n-bit messages using n+1 bit of keys. This is called the H n -cipher

21 Known Plaintext Attacks In a known plaintext attack, the adversary gets the ciphertext(cipherstate), the plaintext and wants to extract as much information as possible on the secret-key. Theorem: Any classical (n,n+1)-cipher is such that H(K| c,m) ≤1. Theorem: The (n,n+1)-quantum cipher H n is such that H((p,h) | (H ⊗ n ) h | |m ⊕ p>,m)≥ n/2. Proof sketch: Given m and the situation is equivalent to distinguishing among {|p>,H ⊗ n |p>} p ∈ {0,1} n. We have seen that the entropy on p is at least n/2. In addition, it can be shown that the extra bit of key h is perfectly hidden. It follows that: H((p,h) | View) ≥ n/2+1.

22 Secure Evaluation of an AND gate AND x ∈ {0,1}y ∈ {0,1} ab a ⊕ b = xy Theorem: Even with shared randomness, Alice and Bob cannot implement the AND gate without communication such that with probability better 3/4 Alice and Bob end up with a correct output for all possible inputs.

23 Quantum Crypto-AND gate xy B1(0) B1(1) A0(0) A0(1) A1(0) A1(1) B0(0) B0(1 ) The interpretation: Given x, Alice measures her half EPR-pair in basis {Ax(0),Ax(1)}, Given y, Bob measures his half EPR-pair in basis {By(0),By(1)}.

24 Why it Works Let p(x,y) be the error-probability when Alice inputs x and Bob inputs y:

25 Conclusion With shared-EPR pairs, Alice and Bob can end up with an additive sharing for the AND of their bits without communication and with probability cos 2 (π/8)≈0.85. This is significantly better than what is achievable by any classical strategy using shared randomness. Quantum entanglement is therefore more than classical shared randomness!! This was originally shown by Bell using a different method called the Bell inequalities.

Download ppt "A Few Simple Applications to Cryptography Louis Salvail BRICS, Aarhus University."

Similar presentations

Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.

Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.
Quantum Computation and Quantum Information – Lecture 2

Quantum Computation and Quantum Information – Lecture 2
Random non-local games Andris Ambainis, Artūrs Bačkurs, Kaspars Balodis, Dmitry Kravchenko, Juris Smotrovs, Madars Virza University of Latvia.

Random non-local games Andris Ambainis, Artūrs Bačkurs, Kaspars Balodis, Dmitry Kravchenko, Juris Smotrovs, Madars Virza University of Latvia.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Quantum Computing MAS 725 Hartmut Klauck NTU 5.3.2012.

Quantum Computing MAS 725 Hartmut Klauck NTU
Intro to Quantum Cryptography Algorithms Andrew Hamel EECS 598 Quantum Computing FALL 2001.

Intro to Quantum Cryptography Algorithms Andrew Hamel EECS 598 Quantum Computing FALL 2001.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Quantum data locking, enigma machines and entropic uncertainty relations Saikat Guha, Patrick Hayden, Hari Krovi, Seth Lloyd, Cosmo Lupo, Jeffrey H. Shapiro,

Quantum data locking, enigma machines and entropic uncertainty relations Saikat Guha, Patrick Hayden, Hari Krovi, Seth Lloyd, Cosmo Lupo, Jeffrey H. Shapiro,
1 quantum teleportation David Riethmiller 28 May 2007.

1 quantum teleportation David Riethmiller 28 May 2007.
Sheng Xiao, Weibo Gong and Don Towsley,2010 Infocom.

Sheng Xiao, Weibo Gong and Don Towsley,2010 Infocom.
1 Introduction to Quantum Information Processing QIC 710 / CS 667 / PH 767 / CO 681 / AM 871 Richard Cleve DC 2117 / RAC 2211 Lecture.

1 Introduction to Quantum Information Processing QIC 710 / CS 667 / PH 767 / CO 681 / AM 871 Richard Cleve DC 2117 / RAC 2211 Lecture.
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
Quantum information as high-dimensional geometry Patrick Hayden McGill University Perspectives in High Dimensions, Cleveland, August 2010.

Quantum information as high-dimensional geometry Patrick Hayden McGill University Perspectives in High Dimensions, Cleveland, August 2010.
Short course on quantum computing Andris Ambainis University of Latvia.

Short course on quantum computing Andris Ambainis University of Latvia.
Quantum Computing MAS 725 Hartmut Klauck NTU 12.3.2012.

Quantum Computing MAS 725 Hartmut Klauck NTU
Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.

Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Ref. Cryptography: theory and practice Douglas R. Stinson

Ref. Cryptography: theory and practice Douglas R. Stinson
Superdense coding. How much classical information in n qubits? Observe that 2 n  1 complex numbers apparently needed to describe an arbitrary n -qubit.

Superdense coding. How much classical information in n qubits? Observe that 2 n  1 complex numbers apparently needed to describe an arbitrary n -qubit.
Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.

Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.

Similar presentations

Ads by Google