Actively secure two-party evaluation of any quantum operation Fr - - PowerPoint PPT Presentation

actively secure two party evaluation of any quantum
SMART_READER_LITE
LIVE PREVIEW

Actively secure two-party evaluation of any quantum operation Fr - - PowerPoint PPT Presentation

Mar 04, 2024 397 likes •628 views

Actively secure two-party evaluation of any quantum operation Fr ed eric Dupuis ETH Z urich Joint work with Louis Salvail (Universit e de Montr eal) Jesper Buus Nielsen (Aarhus Universitet) August 23, 2012 Fr ed eric

slide-1
SLIDE 1

Actively secure two-party evaluation of any quantum operation

Fr´ ed´ eric Dupuis ETH Z¨ urich Joint work with Louis Salvail (Universit´ e de Montr´ eal) Jesper Buus Nielsen (Aarhus Universitet) August 23, 2012

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operationAugust 23, 2012 1 / 21

slide-2
SLIDE 2

Outline

Introduction: Task to be solved Security definition “Baby version” (semi-honest adversaries) Semi-honest Ñ active adversaries (Very high-level) description of our protocol

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operationAugust 23, 2012 2 / 21

slide-3
SLIDE 3

Introduction

Alice and Bob want to execute a quantum circuit F:

F

A B A B For example:

R ‚ ‘ H ‘ ‚ Z X ‚ ‘ P ‚ ‘ R P

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operationAugust 23, 2012 3 / 21

slide-4
SLIDE 4

Introduction

They want a protocol A A B B that imitates a black box: A A B B

F

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operationAugust 23, 2012 4 / 21

slide-5
SLIDE 5

Impossibility in the bare model

Problem: This is impossible to achieve only by communication (quantum or classical). Why? Because it’s impossible classically. We will assume that Alice and Bob can do classical two-party computation for free. Hallgren, Smith and Song (2011) have shown that classical ideal functionalities can be replaced by computationally secure protocols if the computational assumptions hold against quantum adversaries. What we show: Classical two-party computation ñ quantum two-party computation

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operationAugust 23, 2012 5 / 21

slide-6
SLIDE 6

Previous work

Quantum multiparty computation:

Cr´ epeau, Gottesman, Smith 2002: At most n{6 cheaters. Ben-Or, Cr´ epeau, Gottesman, Hassidim, Smith 2008: Strict honest majority.

Us, CRYPTO2010: Two-party computation, but against “specious” (semi-honest) adversaries.

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operationAugust 23, 2012 6 / 21

slide-7
SLIDE 7

Brief detour: Security definition

We define security via simulation Problem: Player who goes last has an unavoidable advantage: He can prevent the other from getting his

  • utput.

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operationAugust 23, 2012 7 / 21

slide-8
SLIDE 8

Security definition: Dishonest Alice

Real protocol: Alice Bob input

  • utput

Simulation with ideal functionality: Simulator input

  • utput

Ideal func. 0/1

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operationAugust 23, 2012 8 / 21

slide-9
SLIDE 9

Security definition: Dishonest Bob

Real protocol: Alice Bob input

  • utput

Simulation with ideal functionality: Simulator input

  • utput

Ideal func. 1

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operationAugust 23, 2012 9 / 21

slide-10
SLIDE 10

Baby version: semi-honest adversaries

First, represent F as a sequence of the following gates: |0y

ˆ 1 ˙

X

ˆ 1 1 ˙

Y

ˆ ´i i ˙

Z

ˆ 1 ´1 ˙

H

1 ? 2

ˆ 1 1 1 ´1 ˙

P

ˆ 1 i ˙

R

ˆ1 eiπ{4 ˙

‘ ‚

¨ ˚ ˚ ˝ 1 1 1 1 ˛ ‹ ‹ ‚

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 10 / 21

slide-11
SLIDE 11

Baby version: semi-honest adversaries

Suppose the adversaries are semi-honest [us, CRYPTO’10]. Then the protocol is as follows: Encrypt all the inputs with a quantum one-time pad. For each gate in the circuit, execute a subprotocol that performs the gates and updates the keys. All the gates can be done without communication except:

Non-local CNOT: Need classical communication R-gate (non-Clifford): Need one oblivious transfer.

Use a perfect SWAP gate to exchange the keys at the end.

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 11 / 21

slide-12
SLIDE 12

From semi-honest to full security

We need a way to force a dishonest adversaries to follow the protocol Solution: Instead of just encrypting, we authenticate all the inputs and ancillas. We check the authentication at every step to ensure compliance with the protocol.

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 12 / 21

slide-13
SLIDE 13

Authenticating quantum states

|ψy Reference Attack Authpkq Testpkq Pass/Fail should be equivalent to |ψy Reference Attack Destroy? Authpkq Testpkq Pass/Fail

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 13 / 21

slide-14
SLIDE 14

Clifford-based QAS: the Clifford group

[Aharonov, Ben-Or, Eban 2008] Pauli group: any tensor product of ✶, X, Y, Z. Clifford group: U is Clifford if for any Pauli P, UPU ˚ is also Pauli. Need Opn2q bits to identify a Clifford operator.

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 14 / 21

slide-15
SLIDE 15

Clifford-based QAS

To authenticate |ψy, do the following:

|ψy |0y . . . |0y Clifford (Key) n qubits

To check, undo the Clifford and measure the ancillas. If we don’t get all |0y’s, declare an error.

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 15 / 21

slide-16
SLIDE 16

Swaddling: double authentication Ka Kb

|ψy |0y |0y . . . n qubits . . . . . . |0y |0y . . . . . . . . . n qubits Alice Bob

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 16 / 21

slide-17
SLIDE 17

Our protocol

Swaddle all the inputs and commit to the keys. Generate extra |0y and ensure that they are correct. For each gate, run a classical protocol that tells Alice and Bob how to execute the gates and update the keys. Verify the authentication whenever necessary. Open commitments (i.e. reveal all keys). Problem gate: the R-gate, the only non-Clifford gate in our set.

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 17 / 21

slide-18
SLIDE 18

The R gate

We can reduce the R gate to Clifford operations by the following trick: eiπ{4XP ˚ |My R|ψy M |ψy ‚ ‘ where |My “

1 ? 2p|0y ` eiπ{4|1yq (“magic state”).

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 18 / 21

slide-19
SLIDE 19

The R gate

We need to generate a supply of |My states at the beginning. Have one player generate a large number of them, and the

  • ther player tests a random sample of them and aborts if

any errors are found. This ensures a low error rate. We then use a distillation protocol by Bravyi and Kitaev to distill a smaller number of good |My states.

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 19 / 21

slide-20
SLIDE 20

Conclusion

Classical two-party computation ñ Quantum two-party computation

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 20 / 21

slide-21
SLIDE 21

Thank you

Thank you!

Fr´ ed´ eric Dupuis Actively secure two-party evaluation of any quantum operation August 23, 2012 21 / 21