Quantum Coin Flipping and Bit Commitment
optimal bounds, device independence, implementations
Iordanis Kerenidis
CNRS - Univ Paris Diderot
CQT – NU Singapore

Outline of the Talk
Optimal bounds for cryptographic primitives
Coin Flipping Protocol
Bit commitment Protocol
Bit commitment lower bound
Device independent coin flipping and bit commitment
Implementations
Future directions

Strong Coin Flipping
Strong coin flipping protocol with bias SCF
Alice and Bob are far from each other and don't trust each other
They want to flip a coin c
They want to make sure that the outcome of c is random

Weak Coin Flipping
Weak coin flipping protocol with bias WCF
Same setting as Strong Coin Flipping but Alice and Bob flip a coin to choose a winner (game)
c = 0 : Alice wins
c = 1 : Bob wins

Bit Commitment
Two phases: a commit phase and a decommit phase
During the commit phase, Alice wants to commit to a bit x. Bob should have no/little information about x
When Alice reveals x, Alice cannot lie
Quantum equivalent: Cheating Alice cannot reveal the two values for x (a little weaker)
Cheating probability for Alice
Cheating probability for Bob
Cheating probability of the protocol:

Security Conditions
What can we achieve classically?
Computational Security
Cheating players are computationally bounded (hardness of factoring, Discrete Logarithm)
We can achieve any
Information Theoretic Security
Cheating players have unlimited power
We can achieve nothing, i.e.
How about quantum protocols?

Quantum Strong Coin Flipping
Perfect coin flipping is impossible, i.e. [Lo-Chau, Mayers 96]
Better than classical protocols exist (classically always )
[Aharonov, Ta-Shma, Vazirani, Yao STOC ’00]
What is the best possible bias?
[Ambainis STOC ’01]
[Kitaev ’03] ,

Quantum Weak Coin Flipping
Perfect coin flipping is impossible, i.e.
BUT, almost perfect weak coin flipping exists
[Mochon STOC ’04, Mochon ’05, Mochon ’07]
Weak coin flipping is resolved.

Quantum Bit Commitment
Reduction from coin flipping. We can reduce Bit Commitment to Strong Coin Flipping (i.e. Bit Commitment is harder)
Kitaev’s Bound
Ambainis’ protocol
Same gap as for Quantum Strong Coin Flipping

Our results
[Chailloux, K FOCS 2009, FOCS 2011] Optimal Bounds for Quantum Strong Coin Flipping and Quantum Bit Commitment
Lower Bound Strong Coin Flipping Bit Commitment Weak Coin Flipping Upper Bound

Strong Coin Flip: A first attempt
Assume a perfect weak coin flipping protocol WCF (we have almost perfect by Mochon)
Protocol 1
Alice and Bob perform WCF
The winner flips a random coin c.
Analysis
Alice and Bob are honest: c is uniformly random.
Alice is dishonest: If she wins the WCF then she chooses the value she wants, otherwise c is random
Cheating player succeeds with prob. 1/2 even when he loses WCF

From Weak to Strong Coin Flipping
First Protocol
Perform WCF
Winner outputs a random value c
New Protocol
Perform WCF(z)
If A wins Output
If B wins Output w.p. p Output w.p. 1-p

Unbalanced Weak Coin Flipping
Weak coin flipping (z) protocol with bias
The 0(1) outcome corresponds to Alice (Bob) winning WCF(z)
Proposition
Assume . Then, we construct with and
Cheating probabilities of the protocol

Our Protocol Analysis
A and B honest
Perform WCF(z)
B is dishonest
A is dishonest If A wins
c is uniformly random Output If B wins
Output w.p. p Output w.p. 1-p

Putting it all together
We constructed a strong coin flip protocol with
We match Kitaev’s lower bound
The cheating probabilities are equal for
All the quantum part lies in the WCF protocol

Quantum Bit Commitment
Again we use Mochon’s construction as a Black Box
Apart from this, the construction is more quantum
The resulting protocol will have the following bounds for the cheating probabilities:
We will later show that this protocol is optimal

The ¾ protocol
Commit phase: Alice wants to commit to a bit x
Alice creates the state and sends half to Bob.
This means that Alice sends to Bob the state
Decommit phase: Alice reveals x
Alice sends the second part of . Bob checks that Alice did not cheat.
Bob can guess x with probability ¾
Alice can cheat with probability ¾ by sending

Weak Coin Flipping as a quantum subroutine
Used classically
Used quantumly
WCF
WCF
We can take care of the garbage
Honest case
For cheating Alice (simplified)
For cheating Bob (simplified)

Extending this protocol
Commit phase: Alice wants to commit to a bit x
Alice and Bob perform weak coin with bias
Conditioned on Alice losing, Alice sends
Conditioned on Alice winning, Alice sends
Analysis
Bob can learn x with probability
Alice sends with probability at most 1/2
But! Optimal strategy, Alice sends w.p. 2/3
Alice can only win with probability
Symmetrize
[State diagram; recoverable terms: LL + WW, then LL xx + WW 22]

Bit Commitment: lower bound
We consider any QBC protocol
Commit phase
Decommit phase
Accept or reject

Proof of the lower bound (Alice)
Cheating Alice
Commit phase
By Uhlmann’s theorem
What is the optimal ?
We can have at least

Proof of the lower bound (Bob)
Cheating Bob
Commit phase
Bob wants to guess x after but knows only
This gives where is the trace distance between and

Recap of the bounds
For any QBC protocol
Main technical part
From there
;

Optimal bounds
[Chailloux, K FOCS 2009, FOCS 2011] Optimal Bounds for Quantum Strong Coin Flipping and Quantum Bit Commitment
Lower Bound Strong Coin Flipping Bit Commitment Weak Coin Flipping Upper Bound

Device independence
Perform cryptographic primitives without trusting the device
Practical issues: quantum hacking
If the device works (or is slightly faulty): the protocol succeeds
If the device is faulty: abort the protocol without leaking information
Because physical apparatus do not fit exactly the model
Noise, errors, dark counts, multiplication of photons and more physical stuff
Basic Idea: Use non-locality

Device independent QKD
[Diagram: Eve, Alice, Bob]
Possible to do
Alice and Bob cooperate to verify that they have some non-locality
Use this to perform quantum key distribution

Device independent coin flipping
Alice and Bob cannot cooperate
A cheating player can create the quantum device of the honest player. No way to check non-locality
[Silman, Chailloux, Aharon, Kerenidis, Pironio, Massar PRL 2011]
We construct Device Independent CF and BC
Cheating probability of (for CF) and (for BC)

Device independent bit commitment
[Diagram: GHZ boxes, inputs sA, sB, sC, outputs rA, rB, rC]
Commit Phase: Alice inputs sA = x. Picks a ∈R {0,1} and sends c = rA ⊕ (sA ⋅ a)
Reveal Phase: Alice sends sA, rA. Bob checks if c = rA or c = rA ⊕ sA
Bob inputs sB, sC s.t. sB ⊕ sC = 1 ⊕ sA and checks the GHZ Test
Remark: The boxes are used once (no need for independence of the boxes etc.)

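An added sketch (not from the talk or the cited paper) of the commit and reveal message flow above, in Python. The three boxes are replaced by a classical stand-in that samples outputs with GHZ correlations, and the GHZ test predicate rA ⊕ rB ⊕ rC = sA·sB·sC ⊕ 1 is an assumption, since the slide does not spell it out; the names GHZBoxes, commit, verify and run are hypothetical.

```python
import random

def ghz_ok(s, r):
    # Assumed GHZ test (not given on the slide): for inputs with
    # sA^sB^sC == 1 the outputs satisfy rA^rB^rC == (sA&sB&sC)^1.
    return (r[0] ^ r[1] ^ r[2]) == ((s[0] & s[1] & s[2]) ^ 1)

class GHZBoxes:
    """Classical stand-in for the three boxes (modelling assumption)."""
    def __init__(self, rng):
        self.rng = rng
    def alice(self, sA):
        # Alice's output is a uniform bit, fixed at commit time.
        self.sA, self.rA = sA, self.rng.randrange(2)
        return self.rA
    def bob(self, sB, sC):
        rB = self.rng.randrange(2)
        if self.sA ^ sB ^ sC == 1:
            # Valid input triple: outputs are perfectly correlated.
            rC = self.rA ^ rB ^ (self.sA & sB & sC) ^ 1
        else:
            # Inputs outside the GHZ promise: no correlation.
            rC = self.rng.randrange(2)
        return rB, rC

def commit(boxes, x, rng):
    # Commit phase: sA = x, random a, c = rA xor (sA * a).
    rA = boxes.alice(x)
    a = rng.randrange(2)
    return rA ^ (x & a), rA  # c goes to Bob, rA stays with Alice

def verify(boxes, c, sA, rA, rng):
    # Reveal phase, Bob's side: check c, then run the GHZ test.
    if c not in (rA, rA ^ sA):
        return False
    sB = rng.randrange(2)
    sC = sB ^ 1 ^ sA  # enforces sB xor sC = 1 xor sA
    rB, rC = boxes.bob(sB, sC)
    return ghz_ok((sA, sB, sC), (rA, rB, rC))

def run(x, seed, flip_rA=False, flip_sA=False):
    # One protocol run; the flip_* flags alter what Alice opens.
    rng = random.Random(seed)
    boxes = GHZBoxes(rng)
    c, rA = commit(boxes, x, rng)
    return verify(boxes, c, x ^ flip_sA, rA ^ flip_rA, rng)
```

In this model an honest opening is always accepted, an opening with a wrong rA is always rejected, and an opening that flips the committed bit is rejected in part of the runs; the model says nothing about the optimal cheating probability.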
Implementa2on of Coin Flipping
The imperfect uncondi2onal security can be built ON TOP of computa2onal security and noisy storage security!
Protocols that take into account Channel noise, System transmission efficiency, losses, Multi-photon pulses, Detectors’ dark counts and finite quantum efficiency etc.
[Pappa, Chailloux, Diamanti, Kerenidis PRA 2011]
[Table: Parameter / Value; Detector constant loss [dB], Absorption coefficient [dB/km] β 0.2, Detection efficiency η 0.2, Dark counts (per slot), Signal error rate]
[Figure: Cheating Probability vs. Honest Abort Probability; curves for 1 km, 10 km, 20 km, 25 km and classical]

Implementation of Coin Flipping
Clavis 2 system (originally QKD system) [in progress]

Conclusions
Optimal bounds for Coin Flipping and Bit commitment
Oblivious Transfer, Zero Knowledge, etc. ?
Device independent coin flipping and bit commitment
Optimal bounds? Oblivious Transfer?
Combining primitives in larger protocols
Multiparty protocols: secret sharing, leader election, etc.
More general quantum primitives. Resource Theories
Quantum Mechanics vs. Cryptography

Thank you