Feasibility and Completeness of Cryptographic Tasks in the Quantum World
Hong-Sheng Zhou (U. Maryland)
Joint work with
Jonathan Katz (U. Maryland)
Fang Song (Penn. State U.)
Vassilis Zikas (U. Maryland)
How would classical cryptography change in a quantum world?
How would quantum change classical crypto?
• Take advantage of quantum to break protocols
  o Factoring and Discrete Logarithm-based protocols are no longer secure [Shor94]
• Use quantum to build protocols
  o Quantum Key Distribution (QKD) [BB84]
    • Use classical authenticated channel to build statistically secure channel
    • Impossible in the classical setting
How would quantum change classical crypto?
• Secure Multi-Party Computation over the Internet
  o Allow mutually distrustful parties to carry out a crypto task over the Internet
  o E.g., coin-tossing, jointly evaluating a function, playing online poker, commitment, oblivious transfer, …
  o Security model: Universal Composition (UC) framework [Canetti01, Unruh10]
• Computational vs Information Theoretical
  o A notable distinction: [BBCS91]
    • Using quantum, Oblivious Transfer (OT) can be implemented from Commitment (COM)
    • Universally Composable, Statistical Security [DFLSS09, Unruh10]
    • Impossible in the classical setting
Question: are there more distinctions that quantum brings about?
How would quantum change classical crypto?
• Secure Multi-Party Computation over the Internet
  o OT is complete [Kilian88] in the sense that it can be used to implement other crypto tasks.
  o Analogous to Computational Complexity, crypto tasks have different strengths: Complete vs Feasible
    [Figure: Complete and Feasible, shown by analogy with NP Complete and P]
  o The classical landscape is well studied [MPR10, MPR09, KMQ11]
Question: How would the landscape differ in the quantum setting?
Our Contribution
• Identify another distinction: OT from Cut-and-Choose (CC)
• Application: systematic characterization of a set of tasks in quantum UC
[Figure: Complete / Feasible landscapes for the Information Theoretical Setting and the Computational Setting. Caption: Derive the quantum landscape]
How useful is F as a trusted setup? (in the classical setting)
Assuming basic secure communication is given
Possible “levels of power” for F
• Feasible/Useless/Trivial: access to F is equivalent to no trusted setup (e.g., secure channel)
• Intermediate: some level of power between the two extremes
• Complete: all tasks have UC-secure protocols in presence of F (e.g., OT)
[Figure: the three levels Complete, Intermediate and Feasible]
How useful is F as a trusted setup? (in the quantum setting)
• Adversaries with quantum power
  o Some feasible F become infeasible
  o Some complete F become not complete
• Honest players with quantum power
  o Some infeasible (including complete) F become feasible
  o Some incomplete (including feasible) F become complete
[Figure: two copies of the Complete / Intermediate / Feasible levels]
2-party, finite, deterministic tasks
• We next show how to draw the ‘cryptographic complexity’ landscape in the quantum setting
  o for an interesting class of tasks: 2-party finite deterministic tasks, including OT, COM, CC, … (input/output domains are poly-size)
[Figure: SFEf takes Input(x1) and Input(x2) and returns Output(f1(x1,x2)) and Output(f2(x1,x2)). Reactive 2PC takes Input(x1), Input(x2) and returns Output(y1), Output(y2), then Input(x’1), Input(x’2) with Output(y’1), Output(y’2), then Input(x’’1), Input(x’’2) with Output(y’’1), Output(y’’2).]
How useful is F as a trusted setup? (in the classical setting)
[Figure: classical landscape of OT, COM, XOR, CC and Feasible. Panels: Information Theoretical Setting [MPR09, KMQ11/08]; Computational Setting [MPR10]]
What about quantum setting?
Computational Setting
[Figure: Classical landscape [MPR10] beside Quantum landscape [This work], each showing OT, COM, XOR, CC and Feasible. Annotations: OT [Unruh10, IPS08]; COM [HSS11, CLOS02] + suitable computational assumption; Rewinding used in the security proof; This work]
Warning: it might be the case that all tasks in the set are feasible.
What about quantum setting?
Information Theoretical Setting
[Figure: Classical landscape [MPR09, KMQ11/08] beside Quantum landscape [This work], each showing OT, COM, XOR, CC and Feasible. Annotations: OT [Unruh10, IPS08]; OT [Unruh10, BBCS91]; This work]
What about quantum setting?
[Figure: landscapes of OT, COM, XOR, CC and Feasible for the Information Theoretical Setting and the Computational Setting]
Design OT from CC
Main Result: CC → OT
Theorem: There is a quantum protocol UC-securely realizing OT in the CC-hybrid world against all statistical quantum adversaries.
[Figure: the ideal functionalities, labels as extracted. OT: Input(b0,b1), Input(s), Output(bs), Output( ). COM: Commit(x), Commit( ), Open( ), Open(x). CC: Input(x1), Input(x2), Output(x1x2 ), Output(x1).]
OT from COM [BBCS91]
[Figure: protocol diagram. Inputs b0, b1 and s; steps labelled “All i in [n]”, COM, C, “All i in C”, I0, I1; output bs.]
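A classical simulation of the OT-from-COM flow in the diagram above, added here as an illustration and not taken from the slides or from [BBCS91]. Assumptions: qubits are replaced by a same-basis/random-outcome rule, COM is an ideal commitment, SHA-256 stands in for the masking hash, and all function and parameter names are hypothetical.

```python
import hashlib
import random

# Added illustration, not code from the slides. Qubits are modelled classically
# and COM is an ideal commitment (a list Bob cannot change after committing).

def measure(bit, prep_basis, meas_basis, rng):
    # BB84 stand-in: the same basis reproduces the bit, the other basis gives
    # a uniformly random outcome.
    return bit if prep_basis == meas_basis else rng.randrange(2)

def pad(bits, idx):
    # One-bit mask over an index set; SHA-256 is an assumed stand-in for the
    # hash function used to derive the mask.
    return hashlib.sha256(bytes(bits[i] for i in idx)).digest()[0] & 1

def ot_from_com(b0, b1, s, n=256, seed=1, bob_measures=True):
    rng = random.Random(seed)
    # All i in [n]: Alice encodes bit x[i] in basis theta[i] and sends it.
    x = [rng.randrange(2) for _ in range(n)]
    theta = [rng.randrange(2) for _ in range(n)]
    # All i in [n]: Bob measures in basis theta_b[i], commits to (basis, outcome).
    theta_b = [rng.randrange(2) for _ in range(n)]
    if bob_measures:
        y = [measure(x[i], theta[i], theta_b[i], rng) for i in range(n)]
    else:
        y = [rng.randrange(2) for _ in range(n)]  # Bob has not measured: guesses
    committed = list(zip(theta_b, y))
    # C: Alice picks a random test set; Bob opens commitment i for all i in C.
    C = set(rng.sample(range(n), n // 2))
    for i in C:
        basis, outcome = committed[i]
        if basis == theta[i] and outcome != x[i]:
            return None  # abort: an opened outcome contradicts Alice's bit
    # Alice reveals theta on the rest; Bob puts matching-basis indices in I_s.
    rest = [i for i in range(n) if i not in C]
    match = [i for i in rest if theta_b[i] == theta[i]]
    other = [i for i in rest if theta_b[i] != theta[i]]
    I = (match, other) if s == 0 else (other, match)
    # I0, I1: Alice masks b0 with her bits on I0 and b1 with her bits on I1.
    masked = (b0 ^ pad(x, I[0]), b1 ^ pad(x, I[1]))
    # bs: Bob removes the mask using his own outcomes on I_s.
    return masked[s] ^ pad(y, I[s])
```

With bob_measures=False the opened test positions contradict Alice's bits, so the run aborts instead of delivering an output.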
OT from CC
[Figure: protocol diagram. Inputs b0, b1 and s; steps labelled “All i in [n]”, CCi, “Abort if”, I0, I1; output bs.]
Security Definition
• Universal Composition (UC) framework [Canetti01] (cf. DM00, PW01, …)
[Figure: Real world (protocol π, adversary A, environment Z) ≈ Ideal world (task F, simulator S, environment Z)]
Protocol π UC-securely realizes task F if:
for every real-world A
there is an ideal-world S
such that the two worlds are indistinguishable to every environment Z
We only consider classical F
Quantum UC
• Quantum UC [Unruh10] (cf. Unruh04, BOM04, HSS11)
[Figure: Real world (protocol π, adversary A, environment Z) ≈ Ideal world (task F, simulator S, environment Z), with the relation labelled QUC]
Protocol π UC-securely realizes task F if:
for every real-world A
there is an ideal-world S
such that the two worlds are indistinguishable to every environment Z
OT from CC
[Figure: protocol diagram. Inputs b0, b1 and s; steps labelled “All i in [n]”, CCi, “Abort if”, I0, I1; output bs.]
Design simulator:
• Extracting (b0,b1) when Alice is corrupted
• Extracting s when Bob is corrupted
• Statistically close communication transcript
OT from CC
[Figures: two diagrams placing the OT from CC protocol next to the Ideal world, in which the simulator S sits between OT and the environment Z. Labels: (b0,b1), s, bs, “All i in [n]”, C, i, “Abort if”, I0, I1.]
Summary and Open questions
Main Result: CC → OT
[Figure: landscapes of OT, COM, XOR, CC and Feasible for the Information Theoretical Setting and the Computational Setting]
Open questions:
• Much larger set: randomized tasks, infinite tasks, multi-party, …
• Quantum tasks