Overview Part 1: Malicious QFactory Functionality Required - PowerPoint PPT Presentation

Overview  Part 1: Malicious QFactory  Functionality  Required assumptions  Protocol description  Security  Protocol Extensions (e.g. verification)  Part 2: Functions implementation  QHBC QFactory functions  Malicious QFactory functions

II. Classical delegation of secret qubits against Malicious Adversaries or Malicious 4-states QFactory

Malicious 4-states QFactory functionality $ {|0⟩, |1⟩, |+⟩, |−⟩} |𝑃𝑣𝑢𝑞𝑣𝑢⟩ ՚ 𝑃𝑣𝑢𝑞𝑣𝑢 |𝑃𝑣𝑢𝑞𝑣𝑢⟩

Motivation There exist protocols for most of these applications where quantum communication only consists of the qubits 0 , 1 , + , −

Motivation There exist protocols for most of these applications where quantum communication only consists of the qubits 0 , 1 , + , − Functionality of Malicious 4- states QFactory ⇒ classical delegation of quantum computation (against malicious adversaries)

Motivation There exist protocols for most of these applications where quantum communication only consists of the qubits 0 , 1 , + , − Functionality of Malicious 4- states QFactory ⇒ classical delegation of quantum computation (against malicious adversaries) as long as the basis of qubits is hidden from any adversary

Malicious 4-states QFactory Required Assumptions 2 preimages for any This function is hard element in 𝐽𝑛 𝑔 to invert. 𝑙 Without the trapdoor 𝑢 𝑙 , except if you have the hard to find 𝑦 ≠ 𝑦’ trapdoor 𝑢 𝑙 associated such that 𝑔 𝑙 (𝑦) = 𝑔 𝑙 (𝑦′) to the index function 𝑙

Malicious 4-states QFactory Required Assumptions 2 preimages for any This function is hard element in 𝐽𝑛 𝑔 to invert. 𝑙 Without the trapdoor 𝑢 𝑙 , except if you have the hard to find 𝑦 ≠ 𝑦’ trapdoor 𝑢 𝑙 associated such that 𝑔 𝑙 (𝑦) = 𝑔 𝑙 (𝑦′) to the index function 𝑙 𝑕 𝑙 : 𝐸 → 𝑆 injective, homomorphic, quantum-safe, trapdoor one-way; 𝑔 𝑙 ∶ 𝐸 × 0, 1 → 𝑆 𝑙 𝑦, 𝑑 = ቊ 𝑕 𝑙 𝑦 , 𝑗𝑔 𝑑 = 0 𝑔 𝑕 𝑙 𝑦 ⋆ 𝑕 𝑙 𝑦 0 = 𝑕 𝑙 𝑦 + 𝑦 0 , 𝑗𝑔 𝑑 = 1 where 𝑦 0 is chosen by the Client at random from the domain of 𝑕 𝑙

Malicious 4-states QFactory Required Assumptions 2 preimages for any This function is hard element in 𝐽𝑛 𝑔 to invert. 𝑙 Without the trapdoor 𝑢 𝑙 , except if you have the hard to find 𝑦 ≠ 𝑦’ trapdoor 𝑢 𝑙 associated such that 𝑔 𝑙 (𝑦) = 𝑔 𝑙 (𝑦′) to the index function 𝑙 Has the same domain as 𝑕 𝑙 ℎ 𝑚 𝑦 1 ⊕ ℎ 𝑚 (𝑦 2 ) = ℎ 𝑚 (𝑦 2 − 𝑦 1 ) and outputs a single bit. 𝑕 𝑙 : 𝐸 → 𝑆 injective, homomorphic, quantum-safe, trapdoor one-way; ℎ 𝑚 𝑔 𝑙 ∶ 𝐸 × 0, 1 → 𝑆 When 𝑦 is sampled 𝑙 𝑦, 𝑑 = ቊ 𝑕 𝑙 𝑦 , 𝑗𝑔 𝑑 = 0 uniformly at random, 𝑔 𝑕 𝑙 𝑦 ⋆ 𝑕 𝑙 𝑦 0 = 𝑕 𝑙 𝑦 + 𝑦 0 , 𝑗𝑔 𝑑 = 1 it is hard to distinguish ℎ 𝑚 𝑦 from a random bit. where 𝑦 0 is chosen by the Client at random from the domain of 𝑕 𝑙

Malicious 4-states QFactory Protocol 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚

Malicious 4-states QFactory Protocol 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚

Malicious 4-states QFactory Protocol 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol 0 𝑜 ⟩ 0 𝑛 ⟩ 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol 0 𝑜 ⟩ 0 𝑛 ⟩ → σ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑦 |0 𝑛 ⟩ 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol 0 𝑜 ⟩ 0 𝑛 ⟩ → σ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑦 |0 𝑛 ⟩ → σ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑦 |𝑔 𝑦 ⟩ 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol 0 𝑜 ⟩ 0 𝑛 ⟩ → σ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑦 |0 𝑛 ⟩ → σ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑦 𝑔 𝑦 = σ 𝑧∈𝐽𝑛 𝑔 𝑙 ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol 0 𝑜 ⟩ 0 𝑛 ⟩ → 𝑦 |0 𝑛 ⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ ෍ ෍ 𝑦 𝑔 𝑦 = ෍ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑧∈𝐽𝑛 𝑔 𝑙 𝑦 = (𝑨, 0) 𝑦’ = (𝑨′, 1) 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol 0 𝑜 ⟩ 0 𝑛 ⟩ → 𝑦 |0 𝑛 ⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) ෍ ෍ 𝑦 𝑔 𝑦 = ෍ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑧∈𝐽𝑛 𝑔 𝑙 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩ ෍ 𝑦 𝑔 𝑦 = ෍ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑧∈𝐽𝑛 𝑔 𝑙 ෪ 𝑉 ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩ 𝑨 𝑑 0 𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢 𝑙 ) 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩ ⇒ |𝑷𝒗𝒖𝒒𝒗𝒖⟩ ෍ 𝑦 𝑔 𝑦 = ෍ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑧∈𝐽𝑛 𝑔 𝑙 ෪ 𝑉 ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩ 𝑨 𝑑 0 𝐷ℎ𝑝𝑝𝑡𝑓 𝑙, 𝑢 𝑙 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩ ⇒ |𝑷𝒗𝒖𝒒𝒗𝒖⟩ ෍ 𝑦 𝑔 𝑦 = ෍ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑧∈𝐽𝑛 𝑔 𝑙 ෪ 𝑉 ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩ 𝑨 𝑑 0 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝐷ℎ𝑝𝑝𝑡𝑓 𝑙, 𝑢 𝑙 𝑉 ℎ 𝑚 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙

Malicious 4-states QFactory Protocol ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦 ′ ⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩ ⇒ |𝑷𝒗𝒖𝒒𝒗𝒖⟩ ෍ 𝑦 𝑔 𝑦 = ෍ 𝑦∈𝐸𝑝𝑛 𝑔 𝑙 𝑧∈𝐽𝑛 𝑔 𝑙 ෪ 𝑉 ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩ 𝑨 𝑑 0 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝐷ℎ𝑝𝑝𝑡𝑓 𝑙, 𝑢 𝑙 𝑉 ℎ 𝑚 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼 𝐶 1 𝑌 𝐶 2 |0⟩ 𝑙, 𝑚 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚 𝐶 1 = ℎ 𝑨 ⊕ ℎ 𝑨’ 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢 𝑉 𝑔 𝑙 𝐶 2 = σ 𝑦 𝑗 ⊕ 𝑦 𝑗 ′ ⋅ 𝑐 𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶 1 ⊕ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶 1 ] 𝑦 = 𝑨, 0 𝑦 ′ = (𝑨 ′ , 1)