Alexandru Cojocaru Elham Kashefi Lo Colisson Petros Wallden - - PowerPoint PPT Presentation
Alexandru Cojocaru Elham Kashefi Lo Colisson Petros Wallden Overview Part 1: Classical Delegation of Quantum Computations UBQC Protocol Part 2: Honest-But-Curious QFactory Functionality Protocol description
Alexandru Cojocaru Elham Kashefi Léo Colisson Petros Wallden
Part 1: Classical Delegation of Quantum Computations
UBQC Protocol
Part 2: Honest-But-Curious QFactory
Functionality
Protocol description
Security
Part 3: Malicious QFactory
Functionality
Required assumptions
Protocol description
Security
Protocol Extensions (e.g. verification)
Part 4: Functions implementation
QHBC QFactory functions
Malicious QFactory functions
Adam can instruct the preparation of random qubits at Bob The classical description of the qubits is (computationally) unknown to Bob but known to Adam Unique feature that no quantum communication is required This enables Adam to perform a class of quantum communication protocols with only a public classical channel between him and Bob.
Adam classical party Bob quantum party
Classical delegation of quantum computations
𝑂 𝑞, 𝑟 𝑥ℎ𝑓𝑠𝑓 𝑂 = 𝑞 ∙ 𝑟
Classical blind delegation of quantum computations
𝑂 𝑞, 𝑟 𝑥ℎ𝑓𝑠𝑓 𝑂 = 𝑞 ∙ 𝑟
Universal Blind Quantum Computing (Kashefi et al), Quantum Fully Homomorphic Encryption (Broadbent et al ‘15, Dulek et al ‘16), etc.
|+𝜄⟩, 𝜄 ∈ {0,
𝜌 4 , … , 7𝜌 4 }
Simulating the Quantum Channel
Required Assumptions:
Chooses
Chooses
Chooses
{ }
Chooses
{ } Computes the circuit
Chooses
{ } Computes the circuit
0 ⊗𝑜 0 ⊗𝑛
Chooses
{ } Computes the circuit
0 ⊗𝑜 0 ⊗𝑛 ⇒ σ𝑦∈𝐸𝑝𝑛(𝑔𝑙) 𝑦 ⊗ |0⟩
Chooses
{ } Computes the circuit
0 ⊗𝑜 0 ⊗𝑛 ⇒ σ𝑦∈𝐸𝑝𝑛(𝑔𝑙) 𝑦 ⊗ |0⟩ ⇒ σ𝑦∈𝐸𝑝𝑛(𝑔𝑙) 𝑦 ⊗ |𝑔
𝑙 𝑦 ⟩
Chooses
{ } Computes the circuit
0 ⊗𝑜 0 ⊗𝑛 ⇒ σ𝑦∈𝐸𝑝𝑛(𝑔𝑙) 𝑦 ⊗ |0⟩ ⇒ σ𝑦∈𝐸𝑝𝑛(𝑔𝑙) 𝑦 ⊗ |𝑔
𝑙 𝑦 ⟩ = σ𝑧∈𝐽𝑛(𝑔𝑙)( 𝑦 + 𝑦′ ) ⊗ |𝑧⟩
Chooses
{ } Computes the circuit
0 ⊗𝑜 0 ⊗𝑛 ⇒ σ𝑦∈𝐸𝑝𝑛(𝑔𝑙) 𝑦 ⊗ |0⟩ ⇒ σ𝑦∈𝐸𝑝𝑛(𝑔𝑙) 𝑦 ⊗ |𝑔
𝑙 𝑦 ⟩ = σ𝑧∈𝐽𝑛(𝑔𝑙)( 𝑦 + 𝑦′ ) ⊗ |𝑧⟩ ⇒
𝑦 + 𝑦′ ⊗ 𝑧
Chooses
{ } Computes the circuit
0 ⊗𝑜 0 ⊗𝑛 ⇒ σ𝑦∈𝐸𝑝𝑛(𝑔𝑙) 𝑦 ⊗ |0⟩ ⇒ σ𝑦∈𝐸𝑝𝑛(𝑔𝑙) 𝑦 ⊗ |𝑔
𝑙 𝑦 ⟩ = σ𝑧∈𝐽𝑛(𝑔𝑙)( 𝑦 + 𝑦′ ) ⊗ |𝑧⟩ ⇒
𝑦 + 𝑦′ ⊗ 𝑧 ⇒ (⊗𝑗|𝑐𝑗⟩) ⊗ |+𝜄⟩ ⊗ |𝑧⟩
Chooses
{ } Computes the circuit
0 ⊗𝑜 0 ⊗𝑛 ⇒ σ𝑦∈𝐸𝑝𝑛(𝑔𝑙) 𝑦 ⊗ |0⟩ ⇒ σ𝑦∈𝐸𝑝𝑛(𝑔𝑙) 𝑦 ⊗ |𝑔
𝑙 𝑦 ⟩ = σ𝑧∈𝐽𝑛(𝑔𝑙)( 𝑦 + 𝑦′ ) ⊗ |𝑧⟩ ⇒
𝑦 + 𝑦′ ⊗ 𝑧 ⇒ (⊗𝑗|𝑐𝑗⟩) ⊗ |+𝜄⟩ ⊗ |𝑧⟩
Chooses
{ } Computes the circuit { }
0 ⊗𝑜 0 ⊗𝑛 ⇒ σ𝑦∈𝐸𝑝𝑛(𝑔𝑙) 𝑦 ⊗ |0⟩ ⇒ σ𝑦∈𝐸𝑝𝑛(𝑔𝑙) 𝑦 ⊗ |𝑔
𝑙 𝑦 ⟩ = σ𝑧∈𝐽𝑛(𝑔𝑙)( 𝑦 + 𝑦′ ) ⊗ |𝑧⟩ ⇒
𝑦 + 𝑦′ ⊗ 𝑧 ⇒ (⊗𝑗|𝑐𝑗⟩) ⊗ |+𝜄⟩ ⊗ |𝑧⟩
Chooses
{ } Computes the circuit { }
0 ⊗𝑜 0 ⊗𝑛 ⇒ σ𝑦∈𝐸𝑝𝑛(𝑔𝑙) 𝑦 ⊗ |0⟩ ⇒ σ𝑦∈𝐸𝑝𝑛(𝑔𝑙) 𝑦 ⊗ |𝑔
𝑙 𝑦 ⟩ = σ𝑧∈𝐽𝑛(𝑔𝑙)( 𝑦 + 𝑦′ ) ⊗ |𝑧⟩ ⇒
𝑦 + 𝑦′ ⊗ 𝑧 ⇒ (⊗𝑗|𝑐𝑗⟩) ⊗ |+𝜄⟩ ⊗ |𝑧⟩
Chooses
{ } Computes the circuit { }
0 ⊗𝑜 0 ⊗𝑛 ⇒ σ𝑦∈𝐸𝑝𝑛(𝑔𝑙) 𝑦 ⊗ |0⟩ ⇒ σ𝑦∈𝐸𝑝𝑛(𝑔𝑙) 𝑦 ⊗ |𝑔
𝑙 𝑦 ⟩ = σ𝑧∈𝐽𝑛(𝑔𝑙)( 𝑦 + 𝑦′ ) ⊗ |𝑧⟩ ⇒
𝑦 + 𝑦′ ⊗ 𝑧 ⇒ (⊗𝑗|𝑐𝑗⟩) ⊗ |+𝜄⟩ ⊗ |𝑧⟩
Chooses
{ } Computes the circuit { }
0 ⊗𝑜 0 ⊗𝑛 ⇒ σ𝑦∈𝐸𝑝𝑛(𝑔𝑙) 𝑦 ⊗ |0⟩ ⇒ σ𝑦∈𝐸𝑝𝑛(𝑔𝑙) 𝑦 ⊗ |𝑔
𝑙 𝑦 ⟩ = σ𝑧∈𝐽𝑛(𝑔𝑙)( 𝑦 + 𝑦′ ) ⊗ |𝑧⟩ ⇒
𝑦 + 𝑦′ ⊗ 𝑧 ⇒ (⊗𝑗|𝑐𝑗⟩) ⊗ |+𝜄⟩ ⊗ |𝑧⟩
Level of Security:
Information Theoretic: Secure against unbounded adversaries; Computational: Secure against Quantum Adversaries with polynomially bounded
computational resources (QPT);
Types of Adversaries
Honest-But-Curious: Adversary follows the protocol, but can keep records and try
to learn from these;
Malicious: Adversary can deviate in any step of the protocol in any way;
Security (in the quantum honest but curious setting)
𝐻𝑀 predicate
θ function Collision resistance
|𝑃𝑣𝑢𝑞𝑣𝑢⟩ ՚
$ {|0⟩, |1⟩, |+⟩, |−⟩}
|𝑃𝑣𝑢𝑞𝑣𝑢⟩ 𝑃𝑣𝑢𝑞𝑣𝑢
There exist protocols for most of these applications where quantum communication
the qubits 0 , 1 , + , −
There exist protocols for most of these applications where quantum communication
the qubits 0 , 1 , + , − Functionality of Malicious 4- states QFactory ⇒ classical delegation of quantum computation (against malicious adversaries)
There exist protocols for most of these applications where quantum communication
the qubits 0 , 1 , + , − Functionality of Malicious 4- states QFactory ⇒ classical delegation of quantum computation (against malicious adversaries) as long as the basis of qubits is hidden from any adversary
except if you have the trapdoor 𝑢𝑙 associated to the index function 𝑙 This function is hard to invert. 2 preimages for any element in 𝐽𝑛 𝑔
𝑙
Without the trapdoor 𝑢𝑙, hard to find 𝑦 ≠ 𝑦’ such that 𝑔
𝑙(𝑦) = 𝑔 𝑙(𝑦′)
𝑙: 𝐸 → 𝑆 injective, homomorphic, quantum-safe, trapdoor one-way;
This function is hard to invert. 2 preimages for any element in 𝐽𝑛 𝑔
𝑙
Without the trapdoor 𝑢𝑙, hard to find 𝑦 ≠ 𝑦’ such that 𝑔
𝑙(𝑦) = 𝑔 𝑙(𝑦′)
𝑔
𝑙 𝑦, 𝑑 = ቊ𝑙 𝑦 ,
𝑗𝑔 𝑑 = 0 𝑙 𝑦 ⋆ 𝑙 𝑦0 = 𝑙 𝑦 + 𝑦0 , 𝑗𝑔 𝑑 = 1 𝑔
𝑙 ∶ 𝐸 × 0, 1 → 𝑆
except if you have the trapdoor 𝑢𝑙 associated to the index function 𝑙
where 𝑦0 is chosen by the Client at random from the domain of 𝑙
𝑙: 𝐸 → 𝑆 injective, homomorphic, quantum-safe, trapdoor one-way;
ℎ𝑚
Has the same domain as 𝑙 and outputs a single bit.
ℎ𝑚 𝑦1 ⊕ ℎ𝑚(𝑦2) = ℎ𝑚(𝑦2 − 𝑦1)
When 𝑦 is sampled uniformly at random, it is hard to distinguish ℎ𝑚 𝑦 from a random bit.
This function is hard to invert. 2 preimages for any element in 𝐽𝑛 𝑔
𝑙
Without the trapdoor 𝑢𝑙, hard to find 𝑦 ≠ 𝑦’ such that 𝑔
𝑙(𝑦) = 𝑔 𝑙(𝑦′)
𝑔
𝑙 𝑦, 𝑑 = ቊ𝑙 𝑦 ,
𝑗𝑔 𝑑 = 0 𝑙 𝑦 ⋆ 𝑙 𝑦0 = 𝑙 𝑦 + 𝑦0 , 𝑗𝑔 𝑑 = 1 𝑔
𝑙 ∶ 𝐸 × 0, 1 → 𝑆
except if you have the trapdoor 𝑢𝑙 associated to the index function 𝑙
where 𝑦0 is chosen by the Client at random from the domain of 𝑙
𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢𝑙) 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚
𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢𝑙) 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚
𝑙, 𝑚
𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢𝑙) 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚
𝑙, 𝑚
𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢
𝑉ℎ𝑚 𝑉
𝑔𝑙
𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢𝑙) 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚
𝑙, 𝑚
𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢
0𝑜⟩ 0𝑛⟩
𝑉ℎ𝑚 𝑉
𝑔𝑙
𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢𝑙) 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚
𝑙, 𝑚
𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢
0𝑜⟩ 0𝑛⟩ → σ𝑦∈𝐸𝑝𝑛 𝑔𝑙 𝑦 |0𝑛⟩
𝑉ℎ𝑚 𝑉
𝑔𝑙
𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢𝑙) 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚
𝑙, 𝑚
𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢
0𝑜⟩ 0𝑛⟩ → σ𝑦∈𝐸𝑝𝑛 𝑔𝑙 𝑦 |0𝑛⟩ → σ𝑦∈𝐸𝑝𝑛 𝑔𝑙 𝑦 |𝑔 𝑦 ⟩
𝑉ℎ𝑚 𝑉
𝑔𝑙
𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢𝑙) 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚
𝑙, 𝑚
𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢
0𝑜⟩ 0𝑛⟩ → σ𝑦∈𝐸𝑝𝑛 𝑔𝑙 𝑦 |0𝑛⟩ → σ𝑦∈𝐸𝑝𝑛 𝑔𝑙 𝑦 𝑔 𝑦 = σ𝑧∈𝐽𝑛 𝑔𝑙 ( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩
𝑉ℎ𝑚 𝑉
𝑔𝑙
𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢𝑙) 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚
𝑙, 𝑚
𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢
0𝑜⟩ 0𝑛⟩ →
𝑦∈𝐸𝑝𝑛 𝑔𝑙
𝑦 |0𝑛⟩ →
𝑦∈𝐸𝑝𝑛 𝑔𝑙
𝑦 𝑔 𝑦 =
𝑧∈𝐽𝑛 𝑔𝑙
( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩
𝑦 = (𝑨, 0) 𝑦’ = (𝑨′, 1)
𝑉ℎ𝑚 𝑉
𝑔𝑙
𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢𝑙) 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚
𝑙, 𝑚
𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢
0𝑜⟩ 0𝑛⟩ →
𝑦∈𝐸𝑝𝑛 𝑔𝑙
𝑦 |0𝑛⟩ →
𝑦∈𝐸𝑝𝑛 𝑔𝑙
𝑦 𝑔 𝑦 =
𝑧∈𝐽𝑛 𝑔𝑙
( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩)
𝑉ℎ𝑚 𝑉
𝑔𝑙
𝐷ℎ𝑝𝑝𝑡𝑓 (𝑙, 𝑢𝑙) 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚
𝑙, 𝑚
𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢
𝑦∈𝐸𝑝𝑛 𝑔𝑙
𝑦 𝑔 𝑦 =
𝑧∈𝐽𝑛 𝑔𝑙
( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩
𝑨 𝑑 0
෪ 𝑉ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩
𝑉ℎ𝑚 𝑉
𝑔𝑙
𝐷ℎ𝑝𝑝𝑡𝑓 𝑙, 𝑢𝑙 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚
𝑙, 𝑚
𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢
𝑦∈𝐸𝑝𝑛 𝑔𝑙
𝑦 𝑔 𝑦 =
𝑧∈𝐽𝑛 𝑔𝑙
( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩ ⇒ |𝑷𝒗𝒖𝒒𝒗𝒖⟩
𝑨 𝑑 0
෪ 𝑉ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩
𝑉ℎ𝑚 𝑉
𝑔𝑙
𝐷ℎ𝑝𝑝𝑡𝑓 𝑙, 𝑢𝑙 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚
𝑙, 𝑚
𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢
𝑦∈𝐸𝑝𝑛 𝑔𝑙
𝑦 𝑔 𝑦 =
𝑧∈𝐽𝑛 𝑔𝑙
( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩ ⇒ |𝑷𝒗𝒖𝒒𝒗𝒖⟩
𝑨 𝑑 0
෪ 𝑉ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩
𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩}
𝑉ℎ𝑚 𝑉
𝑔𝑙
𝐷ℎ𝑝𝑝𝑡𝑓 𝑙, 𝑢𝑙 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚
𝑙, 𝑚
𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢
𝑦∈𝐸𝑝𝑛 𝑔𝑙
𝑦 𝑔 𝑦 =
𝑧∈𝐽𝑛 𝑔𝑙
( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩ ⇒ |𝑷𝒗𝒖𝒒𝒗𝒖⟩
𝑨 𝑑 0
෪ 𝑉ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩
𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼𝐶1𝑌𝐶2|0⟩ 𝐶1 = ℎ 𝑨 ⊕ ℎ 𝑨’
𝐶2 = σ 𝑦𝑗 ⊕ 𝑦𝑗′ ⋅ 𝑐𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶1 ⊕ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶1 ]
𝑦 = 𝑨, 0 𝑦′ = (𝑨′, 1)
𝑉ℎ𝑚 𝑉
𝑔𝑙
𝐷ℎ𝑝𝑝𝑡𝑓 𝑙, 𝑢𝑙 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚
𝑙, 𝑚
𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢
𝑦∈𝐸𝑝𝑛 𝑔𝑙
𝑦 𝑔 𝑦 =
𝑧∈𝐽𝑛 𝑔𝑙
( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩ ⇒ |𝑷𝒗𝒖𝒒𝒗𝒖⟩
𝑨 𝑑 0
෪ 𝑉ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩
𝑸𝒔𝒑𝒆𝒗𝒅𝒇𝒕 |𝑷𝒗𝒖𝒒𝒗𝒖⟩
𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼𝐶1𝑌𝐶2|0⟩ 𝐶1 = ℎ 𝑨 ⊕ ℎ 𝑨’
𝐶2 = σ 𝑦𝑗 ⊕ 𝑦𝑗′ ⋅ 𝑐𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶1 ⊕ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶1 ]
𝑦 = 𝑨, 0 𝑦′ = (𝑨′, 1)
𝑉ℎ𝑚 𝑉
𝑔𝑙
𝐷ℎ𝑝𝑝𝑡𝑓 𝑙, 𝑢𝑙 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚
𝑙, 𝑚
𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢
𝑦∈𝐸𝑝𝑛 𝑔𝑙
𝑦 𝑔 𝑦 =
𝑧∈𝐽𝑛 𝑔𝑙
( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩ ⇒ |𝑷𝒗𝒖𝒒𝒗𝒖⟩
𝑨 𝑑 0
෪ 𝑉ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩
𝑧, 𝑐 𝑸𝒔𝒑𝒆𝒗𝒅𝒇𝒕 |𝑷𝒗𝒖𝒒𝒗𝒖⟩
𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼𝐶1𝑌𝐶2|0⟩ 𝐶1 = ℎ 𝑨 ⊕ ℎ 𝑨’
𝐶2 = σ 𝑦𝑗 ⊕ 𝑦𝑗′ ⋅ 𝑐𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶1 ⊕ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶1 ]
𝑦 = 𝑨, 0 𝑦′ = (𝑨′, 1)
𝑉ℎ𝑚 𝑉
𝑔𝑙
𝐷ℎ𝑝𝑝𝑡𝑓 𝑙, 𝑢𝑙 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚
𝑙, 𝑚
𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢
𝑦∈𝐸𝑝𝑛 𝑔𝑙
𝑦 𝑔 𝑦 =
𝑧∈𝐽𝑛 𝑔𝑙
( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩ ⇒ |𝑷𝒗𝒖𝒒𝒗𝒖⟩
𝑨 𝑑 0
෪ 𝑉ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩
𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼𝐶1𝑌𝐶2|0⟩ 𝐶1 = ℎ 𝑨 ⊕ ℎ 𝑨’
𝐶2 = σ 𝑦𝑗 ⊕ 𝑦𝑗′ ⋅ 𝑐𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶1 ⊕ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶1 ]
𝑧, 𝑐
(𝑦, 𝑦’) = 𝐽𝑜𝑤(𝑢𝑙, 𝑧) 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝐶1, 𝐶2
𝑸𝒔𝒑𝒆𝒗𝒅𝒇𝒕 |𝑷𝒗𝒖𝒒𝒗𝒖⟩ 𝑦 = 𝑨, 0 𝑦′ = (𝑨′, 1)
𝑉ℎ𝑚 𝑉
𝑔𝑙
𝐷ℎ𝑝𝑝𝑡𝑓 𝑙, 𝑢𝑙 𝐷ℎ𝑝𝑝𝑡𝑓 𝑚
𝑙, 𝑚
𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝑢ℎ𝑓 𝑑𝑗𝑠𝑑𝑣𝑗𝑢
𝑦∈𝐸𝑝𝑛 𝑔𝑙
𝑦 𝑔 𝑦 =
𝑧∈𝐽𝑛 𝑔𝑙
( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ → ( 𝑦 + |𝑦′⟩) ⊗ |𝑧⟩ = (|𝑨⟩|0⟩ + |𝑨′⟩|1⟩) ⊗ |𝑧⟩ → (|𝑨⟩|0⟩|0⟩ + |𝑨′⟩|1⟩|0⟩) → |𝑨⟩|0⟩|ℎ(𝑨)⟩ + |𝑨′⟩|1⟩|ℎ(𝑨′)⟩ ⇒ |𝑷𝒗𝒖𝒒𝒗𝒖⟩
𝑨 𝑑 0
෪ 𝑉ℎ |𝑨⟩ |𝑑⟩ |ℎ(𝑨) ⟩
𝑧, 𝑐
(𝑦, 𝑦’) = 𝐽𝑜𝑤(𝑢𝑙, 𝑧) 𝐷𝑝𝑛𝑞𝑣𝑢𝑓 𝐶1, 𝐶2
𝑸𝒔𝒑𝒆𝒗𝒅𝒇𝒕 |𝑷𝒗𝒖𝒒𝒗𝒖⟩ 𝑯𝒇𝒖𝒕 𝑷𝒗𝒖𝒒𝒗𝒖
𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼𝐶1𝑌𝐶2|0⟩ 𝐶1 = ℎ 𝑨 ⊕ ℎ 𝑨’
𝐶2 = σ 𝑦𝑗 ⊕ 𝑦𝑗′ ⋅ 𝑐𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶1 ⊕ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶1 ]
𝑦 = 𝑨, 0 𝑦′ = (𝑨′, 1)
𝑉ℎ𝑚 𝑉
𝑔𝑙
▪ 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼𝐶1𝑌𝐶2|0⟩ ▪ 𝐶1 = the basis bit of 𝑃𝑣𝑢𝑞𝑣𝑢 ▪ If 𝐶1 = 0 then 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩, |1⟩} and if 𝐶1 = 1 then 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|+⟩, |−⟩}
against malicious adversaries.
he cannot determine 𝐶1.
𝐶1 is a hard-core predicate (wrt the function g);
➢ 𝐶1 is a hard-core predicate ⟹ basis-bli lindness ss ➢ The basis-blindness is the “maximum” security: ➢ Even after an honest run we can at most guarantee basis blindness, but not full blindness about the output state: ➢ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} ➢ Then the Adversary can determine 𝐶2 with probability at least
3 4:
➢ Makes a random guess ෪ 𝐶1 and then measures 𝑃𝑣𝑢𝑞𝑣𝑢 in the ෪ 𝐶1 basis, obtaining measurement outcome ෪ 𝐶2 : if ෪ 𝐶1 = 𝐶1 then ෪ 𝐶2 = 𝐶2 with probability 1, otherwise ෪ 𝐶2 = 𝐶2 with probability
1 2 ;
➢ Basis-blindness is proven to be sufficient for many secure computation protocols, e.g. blind quantum computation (UBQC protocol); ➢ Basis-blindness is required for classical verification of QFactory; ⟹ classical verification of quantum computations
Recall:
𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼𝐶1𝑌𝐶2|0⟩ 𝐶1 = ℎ 𝑨 ⊕ ℎ 𝑨’
𝐶2 = σ 𝑦𝑗 ⊕ 𝑦𝑗′ ⋅ 𝑐𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶1 ⊕ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶1 ]
𝐶1 = the basis bit of 𝑃𝑣𝑢𝑞𝑣𝑢 ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩, |1⟩} ⇔ 𝐶1 = 0 ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|+⟩, |−⟩} ⇔ 𝐶1 = 1
⇒ 𝐼𝑗𝑒𝑗𝑜 the basis equivalent to hiding 𝐶1 = ℎ 𝑨 ⊕ ℎ 𝑨’
Recall:
𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼𝐶1𝑌𝐶2|0⟩ 𝐶1 = ℎ 𝑨 ⊕ ℎ 𝑨’
𝐶2 = σ 𝑦𝑗 ⊕ 𝑦𝑗′ ⋅ 𝑐𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶1 ⊕ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶1 ]
𝐶1 = the basis bit of 𝑃𝑣𝑢𝑞𝑣𝑢 ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩, |1⟩} ⇔ 𝐶1 = 0 ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|+⟩, |−⟩} ⇔ 𝐶1 = 1
⇒ 𝐼𝑗𝑒𝑗𝑜 the basis equivalent to hiding 𝐶1 = ℎ 𝑨 ⊕ ℎ 𝑨’
Recall:
𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼𝐶1𝑌𝐶2|0⟩ 𝐶1 = ℎ 𝑨 ⊕ ℎ 𝑨’
𝐶2 = σ 𝑦𝑗 ⊕ 𝑦𝑗′ ⋅ 𝑐𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶1 ⊕ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶1 ]
𝑔 𝑨, 𝑑 = 𝑨 + 𝑑 ⋅ 𝑨0 =
ℎ𝑝𝑛𝑝𝑛𝑝𝑠𝑞ℎ𝑗𝑑 𝑨 + 𝑑 ⋅ 𝑨0
𝐶1 = the basis bit of 𝑃𝑣𝑢𝑞𝑣𝑢 ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩, |1⟩} ⇔ 𝐶1 = 0 ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|+⟩, |−⟩} ⇔ 𝐶1 = 1
⇒ 𝐼𝑗𝑒𝑗𝑜 the basis equivalent to hiding 𝐶1 = ℎ 𝑨 ⊕ ℎ 𝑨’
Recall:
𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼𝐶1𝑌𝐶2|0⟩ 𝐶1 = ℎ 𝑨 ⊕ ℎ 𝑨’
𝐶2 = σ 𝑦𝑗 ⊕ 𝑦𝑗′ ⋅ 𝑐𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶1 ⊕ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶1 ]
𝑔 𝑨, 𝑑 = 𝑨 + 𝑑 ⋅ 𝑨0 =
ℎ𝑝𝑛𝑝𝑛𝑝𝑠𝑞ℎ𝑗𝑑 𝑨 + 𝑑 ⋅ 𝑨0
𝑦 = 𝑨, 0 𝑏𝑜𝑒 𝑦’ = 𝑨 + 𝑨0, 1 ⇒ 𝑨’ = 𝑨 + 𝑨0
𝐶1 = the basis bit of 𝑃𝑣𝑢𝑞𝑣𝑢 ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩, |1⟩} ⇔ 𝐶1 = 0 ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|+⟩, |−⟩} ⇔ 𝐶1 = 1
⇒ 𝐼𝑗𝑒𝑗𝑜 the basis equivalent to hiding 𝐶1 = ℎ 𝑨 ⊕ ℎ 𝑨’
Recall:
𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼𝐶1𝑌𝐶2|0⟩ 𝐶1 = ℎ 𝑨 ⊕ ℎ 𝑨’
𝐶2 = σ 𝑦𝑗 ⊕ 𝑦𝑗′ ⋅ 𝑐𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶1 ⊕ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶1 ]
𝑔 𝑨, 𝑑 = 𝑨 + 𝑑 ⋅ 𝑨0 =
ℎ𝑝𝑛𝑝𝑛𝑝𝑠𝑞ℎ𝑗𝑑 𝑨 + 𝑑 ⋅ 𝑨0
𝑦 = 𝑨, 0 𝑏𝑜𝑒 𝑦’ = 𝑨 + 𝑨0, 1 ⇒ 𝑨’ = 𝑨 + 𝑨0
𝐶1 = ℎ 𝑨 ⊕ ℎ 𝑨′ = ℎ 𝑨′ − 𝑨 = ℎ(𝑨0)
Recall:
𝑔 𝑨, 𝑑 = 𝑨 + 𝑑 ⋅ 𝑨0 =
ℎ𝑝𝑛𝑝𝑛𝑝𝑠𝑞ℎ𝑗𝑑 𝑨 + 𝑑 ⋅ 𝑨0
𝑦 = 𝑨, 0 𝑏𝑜𝑒 𝑦’ = 𝑨 + 𝑨0, 1 ⇒ 𝑨’ = 𝑨 + 𝑨0
𝐶1 = ℎ 𝑨 ⊕ ℎ 𝑨′ = ℎ 𝑨′ − 𝑨 = ℎ(𝑨0)
𝐶1 = ℎ 𝑨0 𝑗𝑡 ℎ𝑗𝑒𝑒𝑓𝑜
𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩ , |1⟩ , |+⟩ , |−⟩} 𝑃𝑣𝑢𝑞𝑣𝑢 = 𝐼𝐶1𝑌𝐶2|0⟩ 𝐶1 = ℎ 𝑨 ⊕ ℎ 𝑨’
𝐶2 = σ 𝑦𝑗 ⊕ 𝑦𝑗′ ⋅ 𝑐𝑗 𝑛𝑝𝑒 2 ⋅ 𝐶1 ⊕ [ℎ 𝑨 ⋅ 1 ⊕ 𝐶1 ]
𝐶1 = the basis bit of 𝑃𝑣𝑢𝑞𝑣𝑢 ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|0⟩, |1⟩} ⇔ 𝐶1 = 0 ▪ 𝑃𝑣𝑢𝑞𝑣𝑢 ∈ {|+⟩, |−⟩} ⇔ 𝐶1 = 1
⇒ 𝐼𝑗𝑒𝑗𝑜 the basis equivalent to hiding 𝐶1 = ℎ 𝑨 ⊕ ℎ 𝑨’
The client picks at random 𝑨0 and then sends 𝐿′ = 𝐿, 𝐿 𝑨0
to the Server (as the public description of 𝑔)
As the basis of the output qubit is 𝐶1 = ℎ(𝑨0), then the basis is basically fixed
by the Client at the very beginning of the protocol.
The output basis depends only on the Client’s random choice of 𝑨0 and is
independent of the Server’s communication.
Then, no matter how the Server deviates and no matter what are the
messages (𝑧, 𝑐) sent by Server, to prove that the basis 𝐶1 = ℎ(𝑨0) is completely hidden from the Server, is sufficient to use that ℎ is a hardcore predicate.
Overview
To use Malicious 4-states QFactory for applications where communication consists
4 , … , 7𝜌 4 }, we provide a gadget that achieves such a state from
2 outputs of Malicious 4-states QFactory.
To use Malicious 4-states QFactory for applications where communication consists
4 , … , 7𝜌 4 }, we provide a gadget that achieves such a state from
2 outputs of Malicious 4-states QFactory.
𝑝𝑣𝑢 = 𝑆 𝑀1𝜌 + 𝑀2 𝜌 2 + 𝑀3 𝜌 4 + 𝑀3 = 𝐶1 𝑀2 = 𝐶1
′ ⊕ [ 𝐶2 ⊕ 𝑡2 ⋅ 𝐶1]
𝑀1 = 𝐶2
′ ⊕ 𝐶2 ⊕ [𝐶1 ⋅ (𝑡1 ⊕ 𝑡2)]
To use Malicious 4-states QFactory for applications where communication consists of |+𝜄⟩, with 𝜄 ∈ {0, 𝜌
4 , … , 7𝜌 4 }, we provide a gadget that achieves such a state from 2
No information about the bases (𝑀2, 𝑀3) of the new output state |𝑝𝑣𝑢⟩ is leaked:
We prove the basis blindness of the output of the gadget by a reduction to the basis-blindness of 1 of the 2 outputs of Malicious 4-states QFactory; If you could determine 𝑀2 and 𝑀3, then you would determine 𝐶1 or 𝐶1′. 𝑝𝑣𝑢 = 𝑆 𝑀1𝜌 + 𝑀2 𝜌 2 + 𝑀3 𝜌 4 + 𝑀3 = 𝐶1 𝑀2 = 𝐶1
′ ⊕ [ 𝐶2 ⊕ 𝑡2 ⋅ 𝐶1]
𝑀1 = 𝐶2
′ ⊕ 𝐶2 ⊕ [𝐶1 ⋅ (𝑡1 ⊕ 𝑡2)]
Perform a measurement on a first qubit of an arbitrary state |𝜔⟩ in such a way
that the adversary is oblivious whether he is performing a measurement in 1
Useful for classical verification of quantum computations (Mahadev FOCS18);
Perform a measurement on a first qubit of an arbitrary state |𝜔⟩ in such a way
that the adversary is oblivious whether he is performing a measurement in 1
Useful for classical verification of quantum computations (Mahadev FOCS18);
Achieved using the following gadget:
Perform a measurement on an arbitrary state |𝜔⟩ in such a way that the
adversary is oblivious whether he is performing a measurement in 1 out of 2 possible basis (e.g. 𝑌 or 𝑎 basis).
Useful for classical verification of quantum computations (Mahadev FOCS18);
Achieved using the following gadget: No information about the basis of the measurement is leaked;
We prove the measurement blindness of the output of the gadget by a reduction to
the basis-blindness of Malicious 4-states QFactory;
Basis-blindness is not sufficient for verifiable blind quantum computation; To achieve verification, we combine Basis Blindness and Self-Testing;
Basis-blindness is not sufficient for verifiable blind quantum computation; To achieve verification, we combine Basis Blindness and Self-Testing; Self-Testing
Given measurement statistics, classical parties are certain that some untrusted
quantum states, that 2 non-communicating quantum parties share, are the states that the classical parties believe to have;
In our case, we replace the non-communication property with the basis-blindness
condition;
{ 0 , 1 , + , − }
8 states hidden bases Self-Testing
|+𝜄⟩, 𝜄 ∈ {0,
𝜌 4 , … , 7𝜌 4 }
4 states hidden bases
Verification Protocol
1.
We repeat Malicious 8-states QFactory multiple times – independent runs;
Verification Protocol
1.
We repeat Malicious 8-states QFactory multiple times – independent runs;
2.
The Client chooses and announces a random fraction of the output qubits of these runs to use them for a test;
Verification Protocol
1.
We repeat Malicious 8-states QFactory multiple times – independent runs;
2.
The Client chooses and announces a random fraction of the output qubits of these runs to use them for a test;
3.
The Server is instructed by the Client to measure the test qubits in random angles and sends the measurement results to the Client;
Verification Protocol
1.
We repeat Malicious 8-states QFactory multiple times – independent runs;
2.
The Client chooses and announces a random fraction of the output qubits of these runs to use them for a test;
3.
The Server is instructed by the Client to measure the test qubits in random angles and sends the measurement results to the Client;
4.
With the measurement results, the Client knowing the basis of the test qubits and the measurement angles, he can check their statistics;
Verification Protocol
1.
We repeat Malicious 8-states QFactory multiple times – independent runs;
2.
The Client chooses and announces a random fraction of the output qubits of these runs to use them for a test;
3.
The Server is instructed by the Client to measure the test qubits in random angles and sends the measurement results to the Client;
4.
With the measurement results, the Client knowing the basis of the test qubits and the measurement angles, he can check their statistics;
5.
Since the Server does not know the basis bits of these test states, he is unlikely to succeed in guessing the correct statistics unless he is honest.
Required Assumptions:
We propose 2 generic constructions, using:
A) A bijective, quantum-safe, trapdoor one-way function 𝑙: 𝐸 → 𝑆
We propose 2 generic constructions, using:
A) A bijective, quantum-safe, trapdoor one-way function 𝑙: 𝐸 → 𝑆 B) An injective, homomorphic, quantum-safe, trapdoor one-way function 𝑙: 𝐸 → 𝑆 where 𝑦0 is chosen by the Client at random from the domain of 𝑙
Learning With Errors
LWE problem (Regev, 2005, Gödel Prize 2018):
Given 𝑡 ∈ ℤ𝑟
𝑜, the task is to distinguish between a set of polynomially many “noisy” random
linear combinations of the elements of 𝑡 and a set of polynomially many random numbers from ℤ𝑟.
Decisional LWE:
|
Pr
𝑡՚ℤ𝑟
𝑜
𝐵՚ℤ𝑟
𝑜×𝑛
𝑓՚𝜓𝑛
[ 𝐵, 𝑡𝑈𝐵 + 𝑓𝑈 = 1] − Pr
𝐵՚ℤ𝑟
𝑜×𝑛
𝑐՚ℤ𝑟
𝑛
[ 𝐵, 𝑐 = 1] | = 𝑜𝑓𝑚(𝑜), for any QPT adversary
Search LWE:
Pr
𝑡՚ℤ𝑟
𝑜
𝐵՚ℤ𝑟
𝑜×𝑛
𝑓՚𝜓𝑛
[ 𝐵, 𝑡𝑈𝐵 + 𝑓𝑈 = 𝑡] = 𝑜𝑓𝑚(𝑜) , for any QPT adversary
Learning With Errors
LWE problem (Regev, 2005, Gödel Prize 2018):
Given 𝑡 ∈ ℤ𝑟
𝑜, the task is to distinguish between a set of polynomially many “noisy” random
linear combinations of the elements of 𝑡 and a set of polynomially many random numbers from ℤ𝑟.
Decisional LWE:
|
Pr
𝑡՚ℤ𝑟
𝑜
𝐵՚ℤ𝑟
𝑜×𝑛
𝑓՚𝜓𝑛
[ 𝐵, 𝑡𝑈𝐵 + 𝑓𝑈 = 1] − Pr
𝐵՚ℤ𝑟
𝑜×𝑛
𝑐՚ℤ𝑟
𝑛
[ 𝐵, 𝑐 = 1] | = 𝑜𝑓𝑚(𝑜), for any QPT adversary
Search LWE:
Pr
𝑡՚ℤ𝑟
𝑜
𝐵՚ℤ𝑟
𝑜×𝑛
𝑓՚𝜓𝑛
[ 𝐵, 𝑡𝑈𝐵 + 𝑓𝑈 = 𝑡] = 𝑜𝑓𝑚(𝑜) , for any QPT adversary
Regev (2005) and Peikert (2009) have proven quantum and classical reductions from average case LWE to problems as approximating the length of the shortest vector or the shortest independent vectors problem in the worst case - conjectured to be hard for quantum computers.
Learning With Errors
LWE problem (Regev, 2005, Gödel Prize 2018):
Given 𝑡 ∈ ℤ𝑟
𝑜, the task is to distinguish between a set of polynomially many “noisy” random
linear combinations of the elements of 𝑡 and a set of polynomially many random numbers from ℤ𝑟.
Decisional LWE:
|
Pr
𝑡՚ℤ𝑟
𝑜
𝐵՚ℤ𝑟
𝑜×𝑛
𝑓՚𝜓𝑛
[ 𝐵, 𝑡𝑈𝐵 + 𝑓𝑈 = 1] − Pr
𝐵՚ℤ𝑟
𝑜×𝑛
𝑐՚ℤ𝑟
𝑛
[ 𝐵, 𝑐 = 1] | = 𝑜𝑓𝑚(𝑜), for any QPT adversary
Search LWE:
Pr
𝑡՚ℤ𝑟
𝑜
𝐵՚ℤ𝑟
𝑜×𝑛
𝑓՚𝜓𝑛
[ 𝐵, 𝑡𝑈𝐵 + 𝑓𝑈 = 𝑡] = 𝑜𝑓𝑚(𝑜) , for any QPT adversary
Regev and Peikert have proven quantum and classical reductions from average case LWE to problems as approximating the length of the shortest vector (SVP) or the shortest independent vectors problem (SIVP) in the worst case - conjectured to be hard for quantum computers.
How do we choose 𝑛 ?
Injective, homomorphic, quantum-safe, trapdoor one-way function
Construction based on the Micciancio and Peikert trapdoor function (Eurocrypt ‘12) – derived from the Learning With Errors problem: 𝐿 ∶ ℤq
n × 𝜓𝑛 → ℤq m
𝐿 𝑡, 𝑓 = 𝐿𝑡 + 𝑓 𝑛𝑝𝑒 𝑟 𝑥ℎ𝑓𝑠𝑓 𝐿 ՚ ℤq
𝑛×𝑜 and 𝑓𝑗 ∈ 𝜓 𝑗𝑔 𝑓𝑗 ≤ 𝜈 = 𝑟 4
𝐿(𝑡, 𝑓) + 𝐿(𝑡0, 𝑓0) 𝑛𝑝𝑒 𝑟 = (𝐿𝑡 + 𝑓 + 𝐿𝑡0 + 𝑓0) 𝑛𝑝𝑒 𝑟 = 𝐿
𝑡 + 𝑡0 𝑛𝑝𝑒 𝑟, 𝑓 + 𝑓0
𝐿(𝑡, 𝑓) + 𝐿(𝑡0, 𝑓0) 𝑛𝑝𝑒 𝑟 = (𝐿𝑡 + 𝑓 + 𝐿𝑡0 + 𝑓0) 𝑛𝑝𝑒 𝑟 = 𝐿
𝑡 + 𝑡0 𝑛𝑝𝑒 𝑟, 𝑓 + 𝑓0
Issue: domain of 𝐿 imposes that each component of 𝑓 + 𝑓0 must be bounded by 𝜈 ! Otherwise, we will just have 1 preimage;
𝐿(𝑡, 𝑓) + 𝐿(𝑡0, 𝑓0) 𝑛𝑝𝑒 𝑟 = (𝐿𝑡 + 𝑓 + 𝐿𝑡0 + 𝑓0) 𝑛𝑝𝑒 𝑟 = 𝐿
𝑡 + 𝑡0 𝑛𝑝𝑒 𝑟, 𝑓 + 𝑓0
Issue: domain of 𝐿 imposes that each component of 𝑓 + 𝑓0 must be bounded by 𝜈 ! Otherwise, we will just have 1 preimage; To solve this:
We are sampling 𝑓0 from a smaller set, such that when added with a random input 𝑓, the total
noise 𝑓 + 𝑓0 is bounded by 𝜈 with high probability;
We showed that if 𝑓0 is sampled such that it is bounded by 𝜈’ =
𝜈 𝑛, then 𝑓 + 𝑓0 lies in the domain
𝑔 is 2-regular with constant probability
However, what we must show is that when 𝑓0 is restricted to this smaller domain 𝐿(𝑡0, 𝑓0) is still
hard to invert.
𝐿(𝑡, 𝑓) + 𝐿(𝑡0, 𝑓0) 𝑛𝑝𝑒 𝑟 = (𝐿𝑡 + 𝑓 + 𝐿𝑡0 + 𝑓0) 𝑛𝑝𝑒 𝑟 = 𝐿
𝑡 + 𝑡0 𝑛𝑝𝑒 𝑟, 𝑓 + 𝑓0
Issue: domain of 𝐿 imposes that each component of 𝑓 + 𝑓0 must be bounded by 𝜈 ! Otherwise, we will just have 1 preimage; To solve this:
We are sampling 𝑓0 from a smaller set, such that when added with a random input 𝑓, the total
noise 𝑓 + 𝑓0 is bounded by 𝜈 with high probability;
We showed that if 𝑓0 is sampled such that it is bounded by 𝜈’ =
𝜈 𝑛, then 𝑓 + 𝑓0 lies in the domain
𝑔 is 2-regular with constant probability
However, what we must show is that when 𝑓0 is restricted to this smaller domain 𝐿(𝑡0, 𝑓0) is still
hard to invert.
Finally, we show there exists an explicit choice of parameters such that both and the
restriction of to the domain of 𝑓0 are one-way functions and such that all the other properties of are preserved.
𝑙: 𝐸 → 𝑆 injective, homomorphic, quantum-safe, trapdoor one-way;
ℎ𝑚
Has the same domain as 𝑙 and outputs a single bit.
ℎ𝑚 𝑦1 ⊕ ℎ𝑚(𝑦2) = ℎ𝑚(𝑦2 − 𝑦1)
When 𝑦 is sampled uniformly at random, it is hard to distinguish ℎ𝑚 𝑦 from a random bit.
This function is hard to invert. 2 preimages for any element in 𝐽𝑛 𝑔
𝑙
Without the trapdoor 𝑢𝑙, hard to find 𝑦 ≠ 𝑦’ such that 𝑔
𝑙(𝑦) = 𝑔 𝑙(𝑦′)
𝑔
𝑙 𝑦, 𝑑 = ቊ𝑙 𝑦 ,
𝑗𝑔 𝑑 = 0 𝑙 𝑦 ⋆ 𝑙 𝑦0 = 𝑙 𝑦 + 𝑦0 , 𝑗𝑔 𝑑 = 1 𝑔
𝑙 ∶ 𝐸 × 0, 1 → 𝑆
except if you have the trapdoor 𝑢𝑙 associated to the index function 𝑙
“QHBC” functions:
ത 𝐿 ∶ ℤq
n × 𝜓𝑛 → ℤq m
ҧ 𝑔
𝐿′ ∶ ℤq n × 𝜓𝑛 × 0, 1 → ℤq m
𝐿 ՚
$ ℤq 𝑛×𝑜
𝐿′ = 𝐿, ത 𝐿 𝑡0, 𝑓0 ത 𝐿 𝑡, 𝑓 = 𝐿𝑡 + 𝑓 𝑛𝑝𝑒 𝑟 ҧ 𝑔𝐿′ 𝑡, 𝑓, 𝑑 = ത 𝐿 𝑡, 𝑓 + 𝑑 ⋅ ത 𝐿 𝑡0, 𝑓0
“QHBC” functions:
ҧ 𝐿 ∶ ℤq
n × 𝜓𝑛 → ℤq m
ҧ 𝑔
𝐿′ ∶ ℤq n × 𝜓𝑛 × 0, 1 → ℤq m
𝐿 ՚
$ ℤq 𝑛×𝑜
𝐿′ = 𝐿, ҧ 𝐿 𝑡0, 𝑓0 ҧ 𝐿 𝑡, 𝑓 = 𝐿𝑡 + 𝑓 𝑛𝑝𝑒 𝑟 ҧ 𝑔𝐿′ 𝑡, 𝑓, 𝑑 = ҧ 𝐿 𝑡, 𝑓 + 𝑑 ⋅ ҧ 𝐿 𝑡0, 𝑓0
“Malicious” functions:
𝐿 ∶ ℤq
n × 𝜓𝑛 × 0, 1 → ℤq m
𝑔
𝐿′ ∶ ℤq n × 𝜓𝑛 × 0, 1 × 0, 1 → ℤq m
𝐿 𝑡, 𝑓, 𝑒 = ҧ 𝐿 𝑡, 𝑓 + 𝑒 ⋅ 𝑤 𝑛𝑝𝑒 𝑟 𝑔𝐿′ 𝑡, 𝑓, 𝑒, 𝑑 = 𝐿 𝑡, 𝑓, 𝑒 + 𝑑 ⋅ 𝐿 𝑡0, 𝑓0, 𝑒0
where 𝑤 =
𝑟 2
… ∈ ℤm.
𝐿 ∶ ℤq
n × 𝜓𝑛 × 0, 1 → ℤq m
𝐿 𝑡, 𝑓, 𝑒 = ത
𝐿 𝑡, 𝑓 + 𝑒 ⋅ 𝑤 𝑛𝑝𝑒 𝑟 = 𝐿𝑡 + 𝑓 + 𝑒 ⋅
𝑟 2 … 𝑛𝑝𝑒 𝑟
𝐿 ∶ ℤq
n × 𝜓𝑛 × 0, 1 → ℤq m
𝐿 𝑡, 𝑓, 𝑒 = ത
𝐿 𝑡, 𝑓 + 𝑒 ⋅ 𝑤 𝑛𝑝𝑒 𝑟 = 𝐿𝑡 + 𝑓 + 𝑒 ⋅
𝑟 2 … 𝑛𝑝𝑒 𝑟
ℎ ∶ ℤq
n × 𝜓𝑛 × 0, 1 → {0, 1}
ℎ 𝑡, 𝑓, 𝑒 = 𝑒
𝐿 ∶ ℤq
n × 𝜓𝑛 × 0, 1 → ℤq m
𝐿 𝑡, 𝑓, 𝑒 = ത
𝐿 𝑡, 𝑓 + 𝑒 ⋅ 𝑤 𝑛𝑝𝑒 𝑟 = 𝐿𝑡 + 𝑓 + 𝑒 ⋅
𝑟 2 … 𝑛𝑝𝑒 𝑟
ℎ ∶ ℤq
n × 𝜓𝑛 × 0, 1 → {0, 1}
ℎ 𝑡, 𝑓, 𝑒 = 𝑒
➢
𝐿 𝑡1, 𝑓1, 𝑒1 + 𝐿 𝑡2, 𝑓2, 𝑒2 = ҧ 𝐿 𝑡1, 𝑓1 + 𝑒1 ⋅ 𝑤 + ҧ 𝐿 𝑡2, 𝑓2 + 𝑒2 ⋅ 𝑤 𝑛𝑝𝑒 𝑟 = ҧ 𝐿 𝑡1 + 𝑡2 𝑛𝑝𝑒 𝑟 , 𝑓1 + 𝑓2 + 𝑒1 + 𝑒2 ⋅ 𝑤 𝑛𝑝𝑒 𝑟 =
ҧ 𝐿 𝑡1 + 𝑡2 𝑛𝑝𝑒 𝑟 , 𝑓1 + 𝑓2, 𝑒1 ⊕ 𝑒2
Properties of
𝐿 ∶ ℤq
n × 𝜓𝑛 × 0, 1 → ℤq m
𝐿 𝑡, 𝑓, 𝑒 = ത
𝐿 𝑡, 𝑓 + 𝑒 ⋅ 𝑤 𝑛𝑝𝑒 𝑟 = 𝐿𝑡 + 𝑓 + 𝑒 ⋅
𝑟 2 … 𝑛𝑝𝑒 𝑟
ℎ ∶ ℤq
n × 𝜓𝑛 × 0, 1 → {0, 1}
ℎ 𝑡, 𝑓, 𝑒 = 𝑒
➢
𝐿 𝑡1, 𝑓1, 𝑒1 + 𝐿 𝑡2, 𝑓2, 𝑒2 = ҧ 𝐿 𝑡1, 𝑓1 + 𝑒1 ⋅ 𝑤 + ҧ 𝐿 𝑡2, 𝑓2 + 𝑒2 ⋅ 𝑤 𝑛𝑝𝑒 𝑟 = ҧ 𝐿 𝑡1 + 𝑡2 𝑛𝑝𝑒 𝑟 , 𝑓1 + 𝑓2 + 𝑒1 + 𝑒2 ⋅ 𝑤 𝑛𝑝𝑒 𝑟 =
ҧ 𝐿 𝑡1 + 𝑡2 𝑛𝑝𝑒 𝑟 , 𝑓1 + 𝑓2, 𝑒1 ⊕ 𝑒2
➢
𝑆𝑓𝑒𝑣𝑑𝑢𝑗𝑝𝑜 𝑢𝑝 𝑢ℎ𝑓 𝑝𝑜𝑓 − 𝑥𝑏𝑧𝑜𝑓𝑡𝑡 𝑝𝑔 ҧ 𝐿: 𝑈𝑝 𝑗𝑜𝑤𝑓𝑠𝑢 𝑧 = ҧ 𝐿(𝑡, 𝑓) : 𝑒 ՚
$
0, 1 𝑧′ ՚ 𝑧 + 𝑒 ⋅ 𝑤 𝑡′, 𝑓′, 𝑒′ ՚ 𝐵𝐿 𝑧′ 𝑠𝑓𝑢𝑣𝑠𝑜 (𝑡′, 𝑓′)
Properties of
𝐿 ∶ ℤq
n × 𝜓𝑛 × 0, 1 → ℤq m
𝐿 𝑡, 𝑓, 𝑒 = ҧ 𝐿 𝑡, 𝑓 + 𝑒 ⋅ 𝑤 𝑛𝑝𝑒 𝑟 = 𝐿𝑡 + 𝑓 + 𝑒 ⋅ 𝑟 2 … 𝑛𝑝𝑒 𝑟
➢ 𝑇𝑣𝑞𝑞𝑝𝑡𝑓 ∃ 𝑡1, 𝑓1, 𝑒1 , 𝑡2, 𝑓2, 𝑒2 𝑡. 𝑢. 𝐿 𝑡1, 𝑓1, 𝑒1 = 𝐿 𝑡2, 𝑓2, 𝑒2 ➢ ത
𝐿 𝑡1, 𝑓1 − ത 𝐿 𝑡2, 𝑓2 + 𝑒1 − 𝑒2 ⋅ 𝑤 = 0 𝑛𝑝𝑒 𝑟
➢ 𝐽𝑔 𝑒1 = 𝑒2 𝑢ℎ𝑓𝑜 ത
𝐿 𝑡1, 𝑓1 = ത 𝐿 𝑡2, 𝑓2 ⇒ 𝑡1 = 𝑡2 , 𝑓1 = 𝑓2
Properties of
𝐿 ∶ ℤq
n × 𝜓𝑛 × 0, 1 → ℤq m
𝐿 𝑡, 𝑓, 𝑒 = ҧ 𝐿 𝑡, 𝑓 + 𝑒 ⋅ 𝑤 𝑛𝑝𝑒 𝑟 = 𝐿𝑡 + 𝑓 + 𝑒 ⋅ 𝑟 2 … 𝑛𝑝𝑒 𝑟
➢ 𝑇𝑣𝑞𝑞𝑝𝑡𝑓 ∃ 𝑡1, 𝑓1, 𝑒1 , 𝑡2, 𝑓2, 𝑒2 𝑡. 𝑢. 𝐿 𝑡1, 𝑓1, 𝑒1 = 𝐿 𝑡2, 𝑓2, 𝑒2 ➢
ҧ 𝐿 𝑡1, 𝑓1 − ҧ 𝐿 𝑡2, 𝑓2 + 𝑒1 − 𝑒2 ⋅ 𝑤 = 0 𝑛𝑝𝑒 𝑟
➢ 𝐽𝑔 𝑒1 = 𝑒2 𝑢ℎ𝑓𝑜
ҧ 𝐿 𝑡1, 𝑓1 = ҧ 𝐿 𝑡2, 𝑓2 ⇒ 𝑡1 = 𝑡2 , 𝑓1 = 𝑓2
➢ 𝐽𝑔 𝑒1 ≠ 𝑒2 ⇒
ҧ 𝐿 𝑡1, 𝑓1 − ҧ 𝐿 𝑡2, 𝑓2 = 𝑤 ⟺ 𝐿 𝑡1 − 𝑡2 + 𝑓1 − 𝑓2 =
𝑟 2
… 𝑛𝑝𝑒 𝑟 ∗
➢ 𝐿 =
𝐿1 ഥ 𝐿 , 𝑓1 − 𝑓2 = 𝑓 = 𝑓′ ҧ 𝑓
∗
ቐ 𝐿
1, 𝑡1 − 𝑡2 + 𝑓′ = 𝑟 2
(1) ഥ 𝐿 𝑡1 − 𝑡2 + ҧ 𝑓 = 0 (2)
➢ 𝐶𝑣𝑢
ҧ ഥ
𝐿 𝑗𝑡 𝑏𝑚𝑡𝑝 𝑗𝑜𝑘𝑓𝑑𝑢𝑗𝑤𝑓 ( ҧ
𝑗𝑡 𝑗𝑜𝑘𝑓𝑑𝑢𝑗𝑤𝑓 ∀ 𝑛 = Ω 𝑜 )
2 𝑡1 = 𝑡2 1 𝑓′ = 𝑟
2 . 𝐶𝑣𝑢 𝑓′ = 𝑓1,1 − 𝑓2,1 ≤ 𝑓1,1| + |𝑓2,1 < 𝑟 2 . 𝐷𝑝𝑜𝑢𝑠𝑏𝑒𝑗𝑑𝑢𝑗𝑝𝑜
Properties of
𝐿 ∶ ℤq
n × 𝜓𝑛 × 0, 1 → ℤq m
𝐿 𝑡, 𝑓, 𝑒 = ത
𝐿 𝑡, 𝑓 + 𝑒 ⋅ 𝑤 𝑛𝑝𝑒 𝑟 = 𝐿𝑡 + 𝑓 + 𝑒 ⋅
𝑟 2 … 𝑛𝑝𝑒 𝑟
ℎ ∶ ℤq
n × 𝜓𝑛 × 0, 1 → {0, 1}
ℎ 𝑡, 𝑓, 𝑒 = 𝑒
1.
𝐼𝑝𝑛𝑝𝑛𝑝𝑠𝑞ℎ𝑗𝑑 ℎ 𝑦1 ⊕ ℎ(𝑦2) = ℎ(𝑦2 − 𝑦1)
➢
ℎ 𝑡1, 𝑓1, 𝑒1 ⊕ ℎ 𝑡2, 𝑓2, 𝑒2 = 𝑒1 ⊕ 𝑒2 = ℎ(𝑡2 − 𝑡1 𝑛𝑝𝑒 𝑟, 𝑓2 − 𝑓1, 𝑒2 ⊕ 𝑒1)
Properties of ℎ
𝐿 ∶ ℤq
n × 𝜓𝑛 × 0, 1 → ℤq m
𝐿 𝑡, 𝑓, 𝑒 = ത
𝐿 𝑡, 𝑓 + 𝑒 ⋅ 𝑤 𝑛𝑝𝑒 𝑟 = 𝐿𝑡 + 𝑓 + 𝑒 ⋅
𝑟 2 … 𝑛𝑝𝑒 𝑟
ℎ ∶ ℤq
n × 𝜓𝑛 × 0, 1 → {0, 1}
ℎ 𝑡, 𝑓, 𝑒 = 𝑒
1.
𝐼𝑝𝑛𝑝𝑛𝑝𝑠𝑞ℎ𝑗𝑑 ℎ 𝑦1 ⊕ ℎ(𝑦2) = ℎ(𝑦2 − 𝑦1)
➢
ℎ 𝑡1, 𝑓1, 𝑒1 ⊕ ℎ 𝑡2, 𝑓2, 𝑒2 = 𝑒1 ⊕ 𝑒2 = ℎ(𝑡2 − 𝑡1 𝑛𝑝𝑒 𝑟, 𝑓2 − 𝑓1, 𝑒2 ⊕ 𝑒1)
2.
𝐼𝑏𝑠𝑒𝑑𝑝𝑠𝑓 𝑞𝑠𝑓𝑒𝑗𝑑𝑏𝑢𝑓 (𝑥𝑠𝑢 ):
➢
𝐻𝑗𝑤𝑓𝑜 (𝐿, 𝐿 𝑡, 𝑓, 𝑒 ) 𝑗𝑡 ℎ𝑏𝑠𝑒 𝑢𝑝 𝑣𝑓𝑡𝑡 𝑒
➢
𝐼𝑏𝑠𝑒 𝑢𝑝 𝑒𝑗𝑡𝑢𝑗𝑜𝑣𝑗𝑡ℎ: 𝐸1 = 𝐿, 𝐿𝑡 + 𝑓 𝑏𝑜𝑒 𝐸2 = {𝐿, 𝐿𝑡 + 𝑓 + 𝑤}
➢
𝐺𝑠𝑝𝑛 𝑒𝑓𝑑𝑗𝑡𝑗𝑝𝑜𝑏𝑚 𝑀𝑋𝐹: 𝐸1 ≈
𝑑
𝐿, 𝑣 , 𝑣 ՚
𝑣 ℤq m
➢
𝑤 𝑗𝑡 𝑏 𝑔𝑗𝑦𝑓𝑒 𝑤𝑓𝑑𝑢𝑝𝑠: 𝐸2 ≈
𝑑
𝐿, 𝑣 ≈
𝑑 𝐸1
Properties of ℎ
QFactory: simulates quantum channel from classical channel;
Solve blind delegated quantum computations using quantum client → classical client;
Protocol is secure in the malicious setting;
Several extensions of the protocol can be achieved, including classical verification
QFactory: simulates quantum channel from classical channel;
Solve blind delegated quantum computations using quantum client → classical client;
Protocol is secure in the malicious setting;
Several extensions of the protocol can be achieved, including classical verification
Next:
Improve the efficiency of the QFactory protocol, by looking at other post-quantum solutions;
Prove the security of the QFactory module in the composable setting;
Explore new possible applications (e.g. multiparty quantum computation).
1) “On the possibility of classical client blind quantum computing” (AC, Colisson, Kashefi, Wallden)
https://arxiv.org/abs/1802.08759, QCrypt ‘18.
2) “QFactory: classically-instructed remote secret qubits preparation”(AC, Colisson, Kashefi, Wallden)
https://arxiv.org/abs/1904.06303