6 research outputs found
Delegating Quantum Computation in the Quantum Random Oracle Model
A delegation scheme allows a computationally weak client to use a server's
resources to help it evaluate a complex circuit without leaking any information
about the input (other than its length) to the server. In this paper, we
consider delegation schemes for quantum circuits, where we try to minimize the
quantum operations needed by the client. We construct a new scheme for
delegating a large circuit family, which we call "C+P circuits". "C+P" circuits
are the circuits composed of Toffoli gates and diagonal gates. Our scheme is
non-interactive, requires very little quantum computation from the client
(proportional to input length but independent of the circuit size), and can be
proved secure in the quantum random oracle model, without relying on additional
assumptions, such as the existence of fully homomorphic encryption. In practice
the random oracle can be replaced by an appropriate hash function or block
cipher, for example, SHA-3, AES.
This protocol allows a client to delegate the most expensive part of some
quantum algorithms, for example, Shor's algorithm. The previous protocols that
are powerful enough to delegate Shor's algorithm require either many rounds of
interactions or the existence of FHE. The protocol requires asymptotically
fewer quantum gates on the client side compared to running Shor's algorithm
locally.
To hide the inputs, our scheme uses an encoding that maps one input qubit to
multiple qubits. We then provide a novel generalization of classical garbled
circuits ("reversible garbled circuits") to allow the computation of Toffoli
circuits on this encoding. We also give a technique that can support the
computation of phase gates on this encoding.
To prove the security of this protocol, we study key dependent message(KDM)
security in the quantum random oracle model. KDM security was not previously
studied in quantum settings.Comment: 41 pages, 1 figures. Update to be consistent with the proceeding
versio
Quantum Garbled Circuits
We present a garbling scheme for quantum circuits, thus achieving a
decomposable randomized encoding scheme for quantum computation. Specifically,
we show how to compute an encoding of a given quantum circuit and quantum
input, from which it is possible to derive the output of the computation and
nothing else. In the classical setting, garbled circuits (and randomized
encodings in general) are a versatile cryptographic tool with many applications
such as secure multiparty computation, delegated computation, depth-reduction
of cryptographic primitives, complexity lower-bounds, and more. However, a
quantum analogue for garbling general circuits was not known prior to this
work. We hope that our quantum randomized encoding scheme can similarly be
useful for applications in quantum computing and cryptography.
To illustrate the usefulness of quantum randomized encoding, we use it to
design a conceptually-simple zero-knowledge (ZK) proof system for the
complexity class . Our protocol has the so-called format
with a single-bit challenge, and allows the inputs to be delayed to the last
round. The only previously-known ZK -protocol for is due
to Broadbent and Grilo (FOCS 2020), which does not have the aforementioned
properties.Comment: 66 pages. Updated the erroneous claim from v1 about the complexity of
information-theoretic QRE as matching the classical case. Added an
application of QRE to zero-knowledge for QM
KDM Security for the Fujisaki-Okamoto Transformations in the QROM
Key dependent message (KDM) security is a security notion that guarantees confidentiality of communication even if secret keys are encrypted.
KDM security has found a number of applications in practical situations such as hard-disk encryption systems, anonymous credentials, and bootstrapping of fully homomorphic encryptions. Recently, it also found an application in quantum delegation protocols as shown by Zhang (TCC 2019).
In this work, we investigate the KDM security of existing practical public-key encryption (PKE) schemes proposed in the quantum random oracle model (QROM).
Concretely, we study a PKE scheme whose KEM is constructed by using Fujisaki-Okamoto (FO) transformations in the QROM.
FO transformations are applied to IND-CPA secure PKE schemes and yield IND-CCA secure key encapsulation mechanisms (KEM).
Then, we show the following results.
- We can reduce the KDM-CPA security in the QROM of a PKE scheme whose KEM is derived from any of the FO transformations proposed by Hofheinz et al. (TCC 2017) to the IND-CPA security of the underlying PKE scheme, without square root security loss.
For this result, we use one-time-pad (OTP) as DEM to convert KEM into PKE.
- We can reduce the KDM-CCA security in the QROM of a PKE scheme whose KEM is derived from a single variant of the FO transformation proposed by Hofheinz et al. (TCC 2017) to the IND-CPA security of the underlying PKE scheme, without square root security loss. For this result, we use OTP-then-MAC construction as DEM to convert KEM into PKE. Also, we require a mild injectivity assumption for the underlying IND-CPA secure PKE scheme.
In order to avoid square root security loss, we use a double-sided one-way to hiding (O2H) lemma proposed by Kuchta et al. (EUROCRYPT 2020).
In the context of KDM security, there is a technical hurdle for using double-sided O2H lemma due to the circularity issue.
Our main technical contribution is to overcome the hurdle
Succinct Blind Quantum Computation Using a Random Oracle
In the universal blind quantum computation problem, a client wants to make
use of a single quantum server to evaluate where is an
arbitrary quantum circuit while keeping secret. The client's goal is to use
as few resources as possible. This problem, first raised by Broadbent,
Fitzsimons and Kashefi [FOCS09, arXiv:0807.4154], has become fundamental to the
study of quantum cryptography, not only because of its own importance, but also
because it provides a testbed for new techniques that can be later applied to
related problems (for example, quantum computation verification). Known
protocols on this problem are mainly either information-theoretically (IT)
secure or based on trapdoor assumptions (public key encryptions).
In this paper we study how the availability of symmetric-key primitives,
modeled by a random oracle, changes the complexity of universal blind quantum
computation. We give a new universal blind quantum computation protocol.
Similar to previous works on IT-secure protocols (for example, BFK [FOCS09,
arXiv:0807.4154]), our protocol can be divided into two phases. In the first
phase the client prepares some quantum gadgets with relatively simple quantum
gates and sends them to the server, and in the second phase the client is
entirely classical -- it does not even need quantum storage. Crucially, the
protocol's first phase is succinct, that is, its complexity is independent of
the circuit size. Given the security parameter , its complexity is only
a fixed polynomial of , and can be used to evaluate any circuit (or
several circuits) of size up to a subexponential of . In contrast,
known schemes either require the client to perform quantum computations that
scale with the size of the circuit [FOCS09, arXiv:0807.4154], or require
trapdoor assumptions [Mahadev, FOCS18, arXiv:1708.02130].Comment: 231 pages, 8 figures, 1 table. Add a separate section for extended
technical overview; several readability improvement
Succinct Blind Quantum Computation Using a Random Oracle
In the universal blind quantum computation problem, a client wants to make
use of a single quantum server to evaluate where is an
arbitrary quantum circuit while keeping secret. The client\u27s goal is to use
as few resources as possible. This problem, first raised by Broadbent,
Fitzsimons and Kashefi [FOCS09, arXiv:0807.4154], has become fundamental to the
study of quantum cryptography, not only because of its own importance, but also
because it provides a testbed for new techniques that can be later applied to
related problems (for example, quantum computation verification). Known
protocols on this problem are mainly either information-theoretically (IT)
secure or based on trapdoor assumptions (public key encryptions).
In this paper we study how the availability of symmetric-key primitives,
modeled by a random oracle, changes the complexity of universal blind quantum
computation. We give a new universal blind quantum computation protocol.
Similar to previous works on IT-secure protocols (for example, BFK [FOCS09,
arXiv:0807.4154]), our protocol can be divided into two phases. In the first
phase the client prepares some quantum gadgets with relatively simple quantum
gates and sends them to the server, and in the second phase the client is
entirely classical -- it does not even need quantum storage. Crucially, the
protocol\u27s first phase is succinct, that is, its complexity is independent of
the circuit size. Given the security parameter , its complexity is only
a fixed polynomial of , and can be used to evaluate any circuit (or
several circuits) of size up to a subexponential of . In contrast,
known schemes either require the client to perform quantum computations that
scale with the size of the circuit [FOCS09, arXiv:0807.4154], or require
trapdoor assumptions [Mahadev, FOCS18, arXiv:1708.02130]
Delegation of quantum computation using a random oracle
Quantum computers can make use of quantum mechanics to achieve surprising speed-ups relative to classical computers, for important computational problems. Quantum computers are gradually coming into reality, but the current implementations are big, require advanced facilities and could only be used as a cloud service in the foreseeable future. If we want to run quantum computations on secret data, we require protocols for performing computations on a remote quantum server without leaking information to the server about the data being processed.
In the quantum computation delegation problem, a client with limited quantum computing resources wishes to evaluate a secret quantum circuit C with the help of a more powerful remote server. The protocol is deemed secure if the server learns nothing about either the circuit or the input state even if the server acts maliciously. This problem, first raised in (Childs05), has become fundamental to the study of quantum cryptography, because of its practical importance, and because it provides a testbed for new techniques that can be later applied to related problems (for example, quantum computation verification [FK12]). Prior to our work, known protocols for this problem were either proven secure against all possible attackers, without any complexity-theoretic assumptions, but highly inefficient for the client; or efficient but proven secure only based on strong cryptographic assumptions. This second category of protocols is only secure if there exist public-key encryption schemes that are secure against quantum attacks and that have special additional properties. Very few candidates for such schemes are known, and their security remains poorly understood.
We seek to understand how efficient quantum delegation schemes can be designed based on weaker or different complexity assumptions. We study how the availability of symmetric-key primitives, modeled by a random oracle, changes the complexity of quantum computation delegation. In contrast with public-key primitives, there are many candidates for symmetric-key schemes secure against quantum attacks. We aim for protocols that require as little quantum computing as possible for the client. Specifically, we ask that the client only needs to run a quantum circuit of size independent of the circuit being evaluated. Known unconditionally-secure protocols all require the client to evaluate quantum circuits of size at least linear in the original circuit size.
In this thesis, we construct two new quantum computation delegation protocols. The first protocol is for the delegation of a large special circuit family, which we call "C+P circuits". This scheme is non-interactive, and can be used to delegate a very important quantum algorithm---Shor's algorithm (Shor,97) for integer factorization and discrete logarithms. Our second protocol requires interaction---one quantum message from the client to the server, and many rounds of classical computation---but supports arbitrary quantum computation (instead of a specific circuit family), and is thus much more general than the first protocol in both theory and practice. Both protocols are proved secure in the quantum random oracle model. The protocols can be instantiated in practice with a symmetric-key cipher such as AES