actively secure two party evaluation of any quantum
play

Actively secure two-party evaluation of any quantum operation Fr - PowerPoint PPT Presentation

Actively secure two-party evaluation of any quantum operation Fr ed eric Dupuis ETH Z urich Joint work with Louis Salvail (Universit e de Montr eal) Jesper Buus Nielsen (Aarhus Universitet) August 23, 2012 Fr ed eric


  1. Actively secure two-party evaluation of any quantum operation Fr´ ed´ eric Dupuis ETH Z¨ urich Joint work with Louis Salvail (Universit´ e de Montr´ eal) Jesper Buus Nielsen (Aarhus Universitet) August 23, 2012 Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operationAugust 23, 2012 1 / 21

  2. Outline Introduction: Task to be solved Security definition “Baby version” (semi-honest adversaries) Semi-honest Ñ active adversaries (Very high-level) description of our protocol Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operationAugust 23, 2012 2 / 21

  3. Introduction Alice and Bob want to execute a quantum circuit F : A A F B B For example: H R ‘ ‚ R ‚ X ‘ ‚ ‘ P ‘ Z ‚ P Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operationAugust 23, 2012 3 / 21

  4. Introduction They want a protocol A A B B that imitates a black box: A A F B B Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operationAugust 23, 2012 4 / 21

  5. Impossibility in the bare model Problem: This is impossible to achieve only by communication (quantum or classical). Why? Because it’s impossible classically. We will assume that Alice and Bob can do classical two-party computation for free. Hallgren, Smith and Song (2011) have shown that classical ideal functionalities can be replaced by computationally secure protocols if the computational assumptions hold against quantum adversaries. What we show: Classical two-party computation ñ quantum two-party computation Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operationAugust 23, 2012 5 / 21

  6. Previous work Quantum multiparty computation: Cr´ epeau, Gottesman, Smith 2002: At most n { 6 cheaters. Ben-Or, Cr´ epeau, Gottesman, Hassidim, Smith 2008: Strict honest majority. Us, CRYPTO2010: Two-party computation, but against “specious” (semi-honest) adversaries. Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operationAugust 23, 2012 6 / 21

  7. Brief detour: Security definition We define security via simulation Problem: Player who goes last has an unavoidable advantage: He can prevent the other from getting his output. Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operationAugust 23, 2012 7 / 21

  8. Security definition: Dishonest Alice Real protocol: Alice input output Bob Simulation with ideal functionality: Simulator 0/1 output input Ideal func. Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operationAugust 23, 2012 8 / 21

  9. Security definition: Dishonest Bob Real protocol: Alice input output Bob Simulation with ideal functionality: 1 input output Ideal func. Simulator Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operationAugust 23, 2012 9 / 21

  10. Baby version: semi-honest adversaries First, represent F as a sequence of the following gates: | 0 y X Y Z ˆ ˙ ˆ ˙ ˆ ˙ ´ i ˆ ˙ 0 1 0 1 0 1 ´ 1 1 0 i 0 0 0 ‚ H P R ‘ ˆ ˙ ˆ ˙ ˆ 1 ˙ 1 1 1 0 0 ¨ ˛ 1 0 0 0 1 ? e iπ { 4 ´ 1 i 2 1 0 0 0 1 0 0 ˚ ‹ ˚ ‹ 0 0 0 1 ˝ ‚ 0 0 1 0 Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 10 / 21

  11. Baby version: semi-honest adversaries Suppose the adversaries are semi-honest [us, CRYPTO’10]. Then the protocol is as follows: Encrypt all the inputs with a quantum one-time pad. For each gate in the circuit, execute a subprotocol that performs the gates and updates the keys. All the gates can be done without communication except: Non-local CNOT: Need classical communication R -gate (non-Clifford): Need one oblivious transfer. Use a perfect SWAP gate to exchange the keys at the end. Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 11 / 21

  12. From semi-honest to full security We need a way to force a dishonest adversaries to follow the protocol Solution: Instead of just encrypting, we authenticate all the inputs and ancillas. We check the authentication at every step to ensure compliance with the protocol. Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 12 / 21

  13. Authenticating quantum states Auth p k q Test p k q | ψ y Attack Pass/Fail Reference should be equivalent to Auth p k q Destroy? Test p k q | ψ y Pass/Fail Reference Attack Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 13 / 21

  14. Clifford-based QAS: the Clifford group [Aharonov, Ben-Or, Eban 2008] Pauli group: any tensor product of ✶ , X, Y, Z . Clifford group: U is Clifford if for any Pauli P , UPU ˚ is also Pauli. Need O p n 2 q bits to identify a Clifford operator. Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 14 / 21

  15. Clifford-based QAS To authenticate | ψ y , do the following: | ψ y Clifford | 0 y n . (Key) . . qubits | 0 y To check, undo the Clifford and measure the ancillas. If we don’t get all | 0 y ’s, declare an error. Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 15 / 21

  16. Swaddling: double authentication | ψ y | 0 y K a n Alice . . . . . . qubits | 0 y . . . . . . K b Bob | 0 y n . . . . . . qubits | 0 y Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 16 / 21

  17. Our protocol Swaddle all the inputs and commit to the keys. Generate extra | 0 y and ensure that they are correct. For each gate, run a classical protocol that tells Alice and Bob how to execute the gates and update the keys. Verify the authentication whenever necessary. Open commitments (i.e. reveal all keys). Problem gate: the R -gate, the only non-Clifford gate in our set. Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 17 / 21

  18. The R gate We can reduce the R gate to Clifford operations by the following trick: | ψ y ‘ M ‚ | M y e iπ { 4 XP ˚ R | ψ y 1 2 p | 0 y ` e iπ { 4 | 1 yq (“magic state”). where | M y “ ? Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 18 / 21

  19. The R gate We need to generate a supply of | M y states at the beginning. Have one player generate a large number of them, and the other player tests a random sample of them and aborts if any errors are found. This ensures a low error rate. We then use a distillation protocol by Bravyi and Kitaev to distill a smaller number of good | M y states. Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 19 / 21

  20. Conclusion Classical two-party computation ñ Quantum two-party computation Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 20 / 21

  21. Thank you Thank you! Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 21 / 21

Recommend


More recommend