Alexandru Cojocaru Elham Kashefi Lo Colisson Petros Wallden - PowerPoint PPT Presentation

Malicious 4-states QFactory Required Assumptions 2 preimages for any This function is hard element in 𝐽𝑛 𝑔 to invert. 𝑙 Without the trapdoor 𝑢 𝑙 , except if you have the hard to find 𝑦 ≠ 𝑦’ trapdoor 𝑢 𝑙 associated such that 𝑔 𝑙 (𝑦) = 𝑔 𝑙 (𝑦′) to the index function 𝑙 Has the same domain as 𝑕 𝑙 ℎ 𝑚 𝑦 1 ⊕ ℎ 𝑚 (𝑦 2 ) = ℎ 𝑚 (𝑦 2 − 𝑦 1 ) and outputs a single bit. 𝑕 𝑙 : 𝐸 → 𝑆 injective, homomorphic, quantum-safe, trapdoor one-way; ℎ 𝑚 𝑔 𝑙 ∶ 𝐸 × 0, 1 → 𝑆 When 𝑦 is sampled 𝑙 𝑦, 𝑑 = ቊ 𝑕 𝑙 𝑦 , 𝑗𝑔 𝑑 = 0 uniformly at random, 𝑔 𝑕 𝑙 𝑦 ⋆ 𝑕 𝑙 𝑦 0 = 𝑕 𝑙 𝑦 + 𝑦 0 , 𝑗𝑔 𝑑 = 1 it is hard to distinguish ℎ 𝑚 𝑦 from a random bit. where 𝑦 0 is chosen by the Client at random from the domain of 𝑕 𝑙

Malicious 4-states QFactory Protocol 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚

Malicious 4-states QFactory Protocol 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚

Malicious 4-states QFactory Protocol 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol 0 𝑜 ⟩ 0 𝑛 ⟩ 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol 0 𝑜 ⟩ 0 𝑛 ⟩ → σ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑦 |0 𝑛 ⟩ 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol 0 𝑜 ⟩ 0 𝑛 ⟩ → σ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑦 |0 𝑛 ⟩ → σ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑦 |𝑔 𝑦 ⟩ 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol 0 𝑜 ⟩ 0 𝑛 ⟩ → σ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑦 |0 𝑛 ⟩ → σ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑦 𝑔 𝑦 = σ 𝑧∈𝐽𝑛 𝑔 𝑙 ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol 0 𝑜 ⟩ 0 𝑛 ⟩ → 𝑦 |0 𝑛 ⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ ෍ ෍ 𝑦 𝑔 𝑦 = ෍ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑧∈𝐽𝑛 𝑔 𝑙 𝑦 = (𝑨, 0) 𝑦’ = (𝑨′, 1) 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol 0 𝑜 ⟩ 0 𝑛 ⟩ → 𝑦 |0 𝑛 ⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) ෍ ෍ 𝑦 𝑔 𝑦 = ෍ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑧∈𝐽𝑛 𝑔 𝑙 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩ ෍ 𝑦 𝑔 𝑦 = ෍ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑧∈𝐽𝑛 𝑔 𝑙 ෪ 𝑉 ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩ 𝑨 𝑑 0 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩ ⇒ |𝑷𝒗𝒖𝒒𝒗𝒖⟩ ෍ 𝑦 𝑔 𝑦 = ෍ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑧∈𝐽𝑛 𝑔 𝑙 ෪ 𝑉 ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩ 𝑨 𝑑 0 𝐷ℎ𝑝𝑝𝑡𝑓 𝑙, 𝑢 𝑙 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩ ⇒ |𝑷𝒗𝒖𝒒𝒗𝒖⟩ ෍ 𝑦 𝑔 𝑦 = ෍ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑧∈𝐽𝑛 𝑔 𝑙 ෪ 𝑉 ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩ 𝑨 𝑑 0 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝐷ℎ𝑝𝑝𝑡𝑓 𝑙, 𝑢 𝑙 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩ ⇒ |𝑷𝒗𝒖𝒒𝒗𝒖⟩ ෍ 𝑦 𝑔 𝑦 = ෍ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑧∈𝐽𝑛 𝑔 𝑙 ෪ 𝑉 ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩ 𝑨 𝑑 0 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝐷ℎ𝑝𝑝𝑡𝑓 𝑙, 𝑢 𝑙 𝑉 ℎ 𝑚 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼 𝐶 1 𝑌 𝐶 2 |0⟩ 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐶 1 = ℎ 𝑨 ⊕ ℎ 𝑨’ 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙 𝐶 2 = σ 𝑦 𝑗 ⊕ 𝑦 𝑗 ′ ⋅ 𝑐 𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶 1 ⊕ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶 1 ] 𝑦 = 𝑨, 0 𝑦 ′ = (𝑨 ′ , 1)

Malicious 4-states QFactory Protocol ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩ ⇒ |𝑷𝒗𝒖𝒒𝒗𝒖⟩ ෍ 𝑦 𝑔 𝑦 = ෍ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑧∈𝐽𝑛 𝑔 𝑙 ෪ 𝑉 ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩ 𝑨 𝑑 0 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝐷ℎ𝑝𝑝𝑡𝑓 𝑙, 𝑢 𝑙 𝑉 ℎ 𝑚 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼 𝐶 1 𝑌 𝐶 2 |0⟩ 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐶 1 = ℎ 𝑨 ⊕ ℎ 𝑨’ 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙 𝐶 2 = σ 𝑦 𝑗 ⊕ 𝑦 𝑗 ′ ⋅ 𝑐 𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶 1 ⊕ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶 1 ] 𝑦 = 𝑨, 0 𝑦 ′ = (𝑨 ′ , 1) 𝑸𝒔𝒑𝒆𝒗𝒅𝒇𝒕 |𝑷𝒗𝒖𝒒𝒗𝒖⟩

Malicious 4-states QFactory Protocol ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩ ⇒ |𝑷𝒗𝒖𝒒𝒗𝒖⟩ ෍ 𝑦 𝑔 𝑦 = ෍ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑧∈𝐽𝑛 𝑔 𝑙 ෪ 𝑉 ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩ 𝑨 𝑑 0 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝐷ℎ𝑝𝑝𝑡𝑓 𝑙, 𝑢 𝑙 𝑉 ℎ 𝑚 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼 𝐶 1 𝑌 𝐶 2 |0⟩ 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐶 1 = ℎ 𝑨 ⊕ ℎ 𝑨’ 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙 𝐶 2 = σ 𝑦 𝑗 ⊕ 𝑦 𝑗 ′ ⋅ 𝑐 𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶 1 ⊕ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶 1 ] 𝑦 = 𝑨, 0 𝑦 ′ = (𝑨 ′ , 1) 𝑸𝒔𝒑𝒆𝒗𝒅𝒇𝒕 |𝑷𝒗𝒖𝒒𝒗𝒖⟩ 𝑧, 𝑐

Malicious 4-states QFactory Protocol ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩ ⇒ |𝑷𝒗𝒖𝒒𝒗𝒖⟩ ෍ 𝑦 𝑔 𝑦 = ෍ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑧∈𝐽𝑛 𝑔 𝑙 ෪ 𝑉 ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩ 𝑨 𝑑 0 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝐷ℎ𝑝𝑝𝑡𝑓 𝑙, 𝑢 𝑙 𝑉 ℎ 𝑚 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼 𝐶 1 𝑌 𝐶 2 |0⟩ 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐶 1 = ℎ 𝑨 ⊕ ℎ 𝑨’ 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙 𝐶 2 = σ 𝑦 𝑗 ⊕ 𝑦 𝑗 ′ ⋅ 𝑐 𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶 1 ⊕ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶 1 ] 𝑦 = 𝑨, 0 𝑦 ′ = (𝑨 ′ , 1) 𝑸𝒔𝒑𝒆𝒗𝒅𝒇𝒕 |𝑷𝒗𝒖𝒒𝒗𝒖⟩ 𝑧, 𝑐 (𝑦, 𝑦’) = 𝐽𝑜𝑤(𝑢 𝑙 , 𝑧) 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝐶 1 , 𝐶 2

Malicious 4-states QFactory Protocol ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩ ⇒ |𝑷𝒗𝒖𝒒𝒗𝒖⟩ ෍ 𝑦 𝑔 𝑦 = ෍ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑧∈𝐽𝑛 𝑔 𝑙 ෪ 𝑉 ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩ 𝑨 𝑑 0 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝐷ℎ𝑝𝑝𝑡𝑓 𝑙, 𝑢 𝑙 𝑉 ℎ 𝑚 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼 𝐶 1 𝑌 𝐶 2 |0⟩ 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐶 1 = ℎ 𝑨 ⊕ ℎ 𝑨’ 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙 𝐶 2 = σ 𝑦 𝑗 ⊕ 𝑦 𝑗 ′ ⋅ 𝑐 𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶 1 ⊕ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶 1 ] 𝑦 = 𝑨, 0 𝑦 ′ = (𝑨 ′ , 1) 𝑸𝒔𝒑𝒆𝒗𝒅𝒇𝒕 |𝑷𝒗𝒖𝒒𝒗𝒖⟩ 𝑧, 𝑐 (𝑦, 𝑦’) = 𝐽𝑜𝑤(𝑢 𝑙 , 𝑧) 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝐶 1 , 𝐶 2 𝑯𝒇𝒖𝒕 𝑷𝒗𝒖𝒒𝒗𝒖

Security (in the quantum malicious setting) ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼 𝐶 1 𝑌 𝐶 2 |0⟩ ▪ 𝐶 1 = the basis bit of 𝑃𝑣𝑢𝑞𝑣𝑢 ▪ If 𝐶 1 = 0 then 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩, |1⟩} and if 𝐶 1 = 1 then 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|+⟩, |−⟩} Server cannot do better than a random guess: • Blindness of the basis 𝐶 1 of |𝑃𝑣𝑢𝑞𝑣𝑢⟩ • 𝐶 1 is a hard-core predicate (wrt the function g); against malicious adversaries. Theorem : No matter what Bob does, • he cannot determine 𝐶 1 .

Security (in the quantum malicious setting) ➢ 𝐶 1 is a hard-core predicate ⟹ basis -bli lindness ss ➢ The basis-blindness is the “maximum” security: ➢ Even after an honest run we can at most guarantee basis blindness, but not full blindness about the output state: ➢ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 3 ➢ Then the Adversary can determine 𝐶 2 with probability at least 4 : ➢ Makes a random guess ෪ 𝐶 1 and then measures 𝑃𝑣𝑢𝑞𝑣𝑢 in the ෪ 𝐶 1 basis, obtaining measurement outcome ෪ 𝐶 2 : if ෪ 𝐶 1 = 𝐶 1 then ෪ 𝐶 2 = 𝐶 2 with probability 1 , otherwise 1 𝐶 2 = 𝐶 2 with probability ෪ 2 ; ➢ Basis-blindness is proven to be sufficient for many secure computation protocols, e.g. blind quantum computation (UBQC protocol); ➢ Basis-blindness is required for classical verification of QFactory; ⟹ classical verification of quantum computations

Security (in the quantum malicious setting) Recall: 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼 𝐶 1 𝑌 𝐶 2 |0⟩ 𝐶 1 = ℎ 𝑨 ⊕ ℎ 𝑨’ 𝐶 2 = σ 𝑦 𝑗 ⊕ 𝑦 𝑗 ′ ⋅ 𝑐 𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶 1 ⊕ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶 1 ]

Security (in the quantum malicious setting) Recall: 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝐶 1 = the basis bit of 𝑃𝑣𝑢𝑞𝑣𝑢 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼 𝐶 1 𝑌 𝐶 2 |0⟩ ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩, |1⟩} ⇔ 𝐶 1 = 0 ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|+⟩, |−⟩} ⇔ 𝐶 1 = 1 𝐶 1 = ℎ 𝑨 ⊕ ℎ 𝑨’ ⇒ 𝐼𝑗𝑒𝑗𝑜𝑕 the basis equivalent to hiding 𝐶 2 = σ 𝑦 𝑗 ⊕ 𝑦 𝑗 ′ ⋅ 𝑐 𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶 1 ⊕ 𝐶 1 = ℎ 𝑨 ⊕ ℎ 𝑨’ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶 1 ]

Security (in the quantum malicious setting) Recall: 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝐶 1 = the basis bit of 𝑃𝑣𝑢𝑞𝑣𝑢 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼 𝐶 1 𝑌 𝐶 2 |0⟩ ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩, |1⟩} ⇔ 𝐶 1 = 0 ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|+⟩, |−⟩} ⇔ 𝐶 1 = 1 𝐶 1 = ℎ 𝑨 ⊕ ℎ 𝑨’ ⇒ 𝐼𝑗𝑒𝑗𝑜𝑕 the basis equivalent to hiding 𝐶 2 = σ 𝑦 𝑗 ⊕ 𝑦 𝑗 ′ ⋅ 𝑐 𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶 1 ⊕ 𝐶 1 = ℎ 𝑨 ⊕ ℎ 𝑨’ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶 1 ] Using the definition of 𝑔 : • ℎ𝑝𝑛𝑝𝑛𝑝𝑠𝑞ℎ𝑗𝑑 𝑕 𝑨 + 𝑑 ⋅ 𝑨 0 𝑔 𝑨, 𝑑 = 𝑕 𝑨 + 𝑑 ⋅ 𝑕 𝑨 0 =

Security (in the quantum malicious setting) Recall: 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝐶 1 = the basis bit of 𝑃𝑣𝑢𝑞𝑣𝑢 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼 𝐶 1 𝑌 𝐶 2 |0⟩ ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩, |1⟩} ⇔ 𝐶 1 = 0 ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|+⟩, |−⟩} ⇔ 𝐶 1 = 1 𝐶 1 = ℎ 𝑨 ⊕ ℎ 𝑨’ ⇒ 𝐼𝑗𝑒𝑗𝑜𝑕 the basis equivalent to hiding 𝐶 2 = σ 𝑦 𝑗 ⊕ 𝑦 𝑗 ′ ⋅ 𝑐 𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶 1 ⊕ 𝐶 1 = ℎ 𝑨 ⊕ ℎ 𝑨’ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶 1 ] Using the definition of 𝑔 : • ℎ𝑝𝑛𝑝𝑛𝑝𝑠𝑞ℎ𝑗𝑑 𝑕 𝑨 + 𝑑 ⋅ 𝑨 0 𝑔 𝑨, 𝑑 = 𝑕 𝑨 + 𝑑 ⋅ 𝑕 𝑨 0 = • 𝑕 is injective , the 2 preimages of 𝑔 are: 𝑦 = 𝑨, 0 𝑏𝑜𝑒 𝑦’ = 𝑨 + 𝑨 0 , 1 ⇒ 𝑨’ = 𝑨 + 𝑨 0

Security (in the quantum malicious setting) Recall: 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝐶 1 = the basis bit of 𝑃𝑣𝑢𝑞𝑣𝑢 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼 𝐶 1 𝑌 𝐶 2 |0⟩ ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩, |1⟩} ⇔ 𝐶 1 = 0 ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|+⟩, |−⟩} ⇔ 𝐶 1 = 1 𝐶 1 = ℎ 𝑨 ⊕ ℎ 𝑨’ ⇒ 𝐼𝑗𝑒𝑗𝑜𝑕 the basis equivalent to hiding 𝐶 2 = σ 𝑦 𝑗 ⊕ 𝑦 𝑗 ′ ⋅ 𝑐 𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶 1 ⊕ 𝐶 1 = ℎ 𝑨 ⊕ ℎ 𝑨’ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶 1 ] Using the definition of 𝑔 : • ℎ𝑝𝑛𝑝𝑛𝑝𝑠𝑞ℎ𝑗𝑑 𝑕 𝑨 + 𝑑 ⋅ 𝑨 0 𝑔 𝑨, 𝑑 = 𝑕 𝑨 + 𝑑 ⋅ 𝑕 𝑨 0 = • 𝑕 is injective , the 2 preimages of 𝑔 are: 𝑦 = 𝑨, 0 𝑏𝑜𝑒 𝑦’ = 𝑨 + 𝑨 0 , 1 ⇒ 𝑨’ = 𝑨 + 𝑨 0 ℎ is homomorphic: • 𝐶 1 = ℎ 𝑨 ⊕ ℎ 𝑨 ′ = ℎ 𝑨 ′ − 𝑨 = ℎ(𝑨 0 )

Security (in the quantum malicious setting) Recall: 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝐶 1 = the basis bit of 𝑃𝑣𝑢𝑞𝑣𝑢 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼 𝐶 1 𝑌 𝐶 2 |0⟩ ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩, |1⟩} ⇔ 𝐶 1 = 0 ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|+⟩, |−⟩} ⇔ 𝐶 1 = 1 𝐶 1 = ℎ 𝑨 ⊕ ℎ 𝑨’ ⇒ 𝐼𝑗𝑒𝑗𝑜𝑕 the basis equivalent to hiding 𝐶 2 = σ 𝑦 𝑗 ⊕ 𝑦 𝑗 ′ ⋅ 𝑐 𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶 1 ⊕ 𝐶 1 = ℎ 𝑨 ⊕ ℎ 𝑨’ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶 1 ] Using the definition of 𝑔 : • ℎ𝑝𝑛𝑝𝑛𝑝𝑠𝑞ℎ𝑗𝑑 𝑕 𝑨 + 𝑑 ⋅ 𝑨 0 𝑔 𝑨, 𝑑 = 𝑕 𝑨 + 𝑑 ⋅ 𝑕 𝑨 0 = • 𝑕 is injective , the 2 preimages of 𝑔 are: 𝑦 = 𝑨, 0 𝑏𝑜𝑒 𝑦’ = 𝑨 + 𝑨 0 , 1 ⇒ 𝑨’ = 𝑨 + 𝑨 0 ℎ is homomorphic: • 𝐶 1 = ℎ 𝑨 ⊕ ℎ 𝑨 ′ = ℎ 𝑨 ′ − 𝑨 = ℎ(𝑨 0 ) • ℎ is hardcore predicate: 𝐶 1 = ℎ 𝑨 0 𝑗𝑡 ℎ𝑗𝑒𝑒𝑓𝑜

Security (in the quantum malicious setting) Overview  The client picks at random 𝑨 0 and then sends 𝐿 ′ = 𝐿, 𝑕 𝐿 𝑨 0 to the Server (as the public description of 𝑔 )  As the basis of the output qubit is 𝐶 1 = ℎ(𝑨 0 ) , then the basis is basically fixed by the Client at the very beginning of the protocol.  The output basis depends only on the Client’s random choice of 𝑨 0 and is independent of the Server’s communication.  Then, no matter how the Server deviates and no matter what are the messages (𝑧, 𝑐) sent by Server, to prove that the basis 𝐶 1 = ℎ(𝑨 0 ) is completely hidden from the Server, is sufficient to use that ℎ is a hardcore predicate.

Extensions of QFactory

Malicious 8-states QFactory  To use Malicious 4-states QFactory for applications where communication consists of |+ 𝜄 ⟩ , with 𝜄 ∈ {0, 𝜌 4 , … , 7𝜌 4 } , we provide a gadget that achieves such a state from 2 outputs of Malicious 4-states QFactory.

Malicious 8-states QFactory  To use Malicious 4-states QFactory for applications where communication consists of |+ 𝜄 ⟩ , with 𝜄 ∈ {0, 𝜌 4 , … , 7𝜌 4 } , we provide a gadget that achieves such a state from 2 outputs of Malicious 4-states QFactory. 𝜌 𝜌 𝑝𝑣𝑢 = 𝑆 𝑀 1 𝜌 + 𝑀 2 2 + 𝑀 3 + 4 𝑀 3 = 𝐶 1 ′ ⊕ [ 𝐶 2 ⊕ 𝑡 2 ⋅ 𝐶 1 ] 𝑀 2 = 𝐶 1 ′ ⊕ 𝐶 2 ⊕ [𝐶 1 ⋅ (𝑡 1 ⊕ 𝑡 2 )] 𝑀 1 = 𝐶 2

Malicious 8-states QFactory To use Malicious 4-states QFactory for applications where communication consists of  |+ 𝜄 ⟩ , with 𝜄 ∈ {0, 𝜌 4 , … , 7𝜌 4 } , we provide a gadget that achieves such a state from 2 outputs of Malicious 4-states QFactory. 𝜌 𝜌 𝑝𝑣𝑢 = 𝑆 𝑀 1 𝜌 + 𝑀 2 2 + 𝑀 3 + 4 𝑀 3 = 𝐶 1 ′ ⊕ [ 𝐶 2 ⊕ 𝑡 2 ⋅ 𝐶 1 ] 𝑀 2 = 𝐶 1 ′ ⊕ 𝐶 2 ⊕ [𝐶 1 ⋅ (𝑡 1 ⊕ 𝑡 2 )] 𝑀 1 = 𝐶 2 No information about the bases ( 𝑀 2 , 𝑀 3 ) of the new output state |𝑝𝑣𝑢⟩ is leaked:  We prove the basis blindness of the output of the gadget by a reduction to the  basis-blindness of 1 of the 2 outputs of Malicious 4-states QFactory; If you could determine 𝑀 2 and 𝑀 3 , then you would determine 𝐶 1 or 𝐶 1 ′ .

Blind Measurements  Perform a measurement on a first qubit of an arbitrary state |𝜔⟩ in such a way that the adversary is oblivious whether he is performing a measurement in 1 out of 2 possible basis (e.g. 𝑌 or 𝑎 basis).  Useful for classical verification of quantum computations (Mahadev FOCS18);

Blind Measurements  Perform a measurement on a first qubit of an arbitrary state |𝜔⟩ in such a way that the adversary is oblivious whether he is performing a measurement in 1 out of 2 possible basis (e.g. 𝑌 or 𝑎 basis).  Useful for classical verification of quantum computations (Mahadev FOCS18);  Achieved using the following gadget:

Blind Measurements  Perform a measurement on an arbitrary state |𝜔⟩ in such a way that the adversary is oblivious whether he is performing a measurement in 1 out of 2 possible basis (e.g. 𝑌 or 𝑎 basis).  Useful for classical verification of quantum computations (Mahadev FOCS18);  Achieved using the following gadget:  No information about the basis of the measurement is leaked;  We prove the measurement blindness of the output of the gadget by a reduction to the basis-blindness of Malicious 4-states QFactory;

Classical verification of quantum computations  Basis-blindness is not sufficient for verifiable blind quantum computation;  To achieve verification, we combine Basis Blindness and Self-Testing ;

Alexandru Cojocaru Elham Kashefi Lo Colisson Petros Wallden - PowerPoint PPT Presentation

Alexandru Cojocaru Elham Kashefi Lo Colisson Petros Wallden Overview Part 1: Classical Delegation of Quantum Computations UBQC Protocol Part 2: Honest-But-Curious QFactory Functionality Protocol description

QCrypt 2018: On the possibility of classical client blind quantum computing Alexandru Cojocaru,

Rigidity of quantum steering and 1sDI verifiable quantum computation [arXiv:1512.07401]

Verification of Quantum Computing Elham Kashefi Paris Centre for Quantum Computing Laboratoire

Entrapping Nature Elham Kashefi University of Edinburgh UK Networked Quantum Information

Approximating a tensor as a sum of rank-one components Petros Drineas Petros Drineas Rensselaer

Int nter ergene enerationa nal Mo Mobi bility Aroun Ar und d the e World Ancona, May 27

Modern Update Approaches for Embedded Linux Petros Angelatos April 2016 About me Petros

A Comprehensive Analysis Of Quantum E-voting Protocols M. Arapinis, N. Lamprou, E. Kashefi, A.

Coq Manual (Section 4.4.5) G.C. Alexandru Jochem Raat May 26, 2020 G.C. Alexandru, Jochem Raat

Why is modal logic decidable Petros Potikas NTUA 9/5/2017 Petros Potikas (NTUA) Modal logic

Background Why a Redfish Green500 Benchmarker is useful: Data centers consume a huge amount

Differential Detection Schemes for M -ary DPSK Elham Torabi Wireless Communications Course

Requirement Models for Co-Design Calotoiu Alexandru Dagstuhl Seminar| 23.10.2017 23.10.17 |

Next Generation Testing Cdric Beust, Google Alexandru Popescu, InfoQ Alexandru Popescu, InfoQ

Classification of Rare Recipes Requires Linguistic Features as Special Ingredients Elham

Pelh elham am Me Memo morial rial Sch Schoo ool A P Present entation tion to the SAU

Robotium Prepared by: David Miguel Elham Shahrour Hema Lakshmi Nesreen

Automated Reasoning Petros Papapanagiotou October 4, 2013 1 / 26 Extra Lecture Program

Gradient-based Sparse Approximation for Computed Tomography Elham Sakhaee , Manuel Arreola and

Elham Torabi EECE 565 - Term Paper - April 2006 Department of Electrical & Computer

Learning Splines for Sparse Tomographic Reconstruction Elham Sakhaee and and Alireza Entezari

Petros Papapanagiotou Automated Reasoning Lecture 9 What have you done so far? Done To Go 2

In uncomplicated, left-sided acute diverticulitis, observation did not differ from antibiotics

Spline-based Sparse Tomographic Reconstruction with Besov Priors Elham Sakhaee and and Alireza

Alexandru Cojocaru Elham Kashefi Lo Colisson Petros Wallden - PowerPoint PPT Presentation

Alexandru Cojocaru Elham Kashefi Lo Colisson Petros Wallden Overview Part 1: Classical Delegation of Quantum Computations UBQC Protocol Part 2: Honest-But-Curious QFactory Functionality Protocol description

QCrypt 2018: On the possibility of classical client blind quantum computing Alexandru Cojocaru,

Rigidity of quantum steering and 1sDI verifiable quantum computation [arXiv:1512.07401]

Verification of Quantum Computing Elham Kashefi Paris Centre for Quantum Computing Laboratoire

Entrapping Nature Elham Kashefi University of Edinburgh UK Networked Quantum Information

Approximating a tensor as a sum of rank-one components Petros Drineas Petros Drineas Rensselaer

Int nter ergene enerationa nal Mo Mobi bility Aroun Ar und d the e World Ancona, May 27

Modern Update Approaches for Embedded Linux Petros Angelatos April 2016 About me Petros

A Comprehensive Analysis Of Quantum E-voting Protocols M. Arapinis, N. Lamprou, E. Kashefi, A.

Coq Manual (Section 4.4.5) G.C. Alexandru Jochem Raat May 26, 2020 G.C. Alexandru, Jochem Raat

Why is modal logic decidable Petros Potikas NTUA 9/5/2017 Petros Potikas (NTUA) Modal logic

Background Why a Redfish Green500 Benchmarker is useful: Data centers consume a huge amount

Differential Detection Schemes for M -ary DPSK Elham Torabi Wireless Communications Course

Requirement Models for Co-Design Calotoiu Alexandru Dagstuhl Seminar| 23.10.2017 23.10.17 |

Next Generation Testing Cdric Beust, Google Alexandru Popescu, InfoQ Alexandru Popescu, InfoQ

Classification of Rare Recipes Requires Linguistic Features as Special Ingredients Elham

Pelh elham am Me Memo morial rial Sch Schoo ool A P Present entation tion to the SAU

Robotium Prepared by: David Miguel Elham Shahrour Hema Lakshmi Nesreen

Automated Reasoning Petros Papapanagiotou October 4, 2013 1 / 26 Extra Lecture Program

Gradient-based Sparse Approximation for Computed Tomography Elham Sakhaee , Manuel Arreola and

Elham Torabi EECE 565 - Term Paper - April 2006 Department of Electrical &amp; Computer

Learning Splines for Sparse Tomographic Reconstruction Elham Sakhaee and and Alireza Entezari

Petros Papapanagiotou Automated Reasoning Lecture 9 What have you done so far? Done To Go 2

In uncomplicated, left-sided acute diverticulitis, observation did not differ from antibiotics

Spline-based Sparse Tomographic Reconstruction with Besov Priors Elham Sakhaee and and Alireza

Elham Torabi EECE 565 - Term Paper - April 2006 Department of Electrical & Computer