The Impossibility Of Secure Two-Party Classical Computation
We present attacks that show that unconditionally secure two-party classical
computation is impossible for many classes of function. Our analysis applies to
both quantum and relativistic protocols. We illustrate our results by showing
the impossibility of oblivious transfer.
Comment: 10 pages
Quantum Cryptography Beyond Quantum Key Distribution
Quantum cryptography is the art and science of exploiting quantum mechanical
effects in order to perform cryptographic tasks. While the most well-known
example of this discipline is quantum key distribution (QKD), there exist many
other applications such as quantum money, randomness generation, secure two-
and multi-party computation and delegated quantum computation. Quantum
cryptography also studies the limitations and challenges resulting from quantum
adversaries---including the impossibility of quantum bit commitment, the
difficulty of quantum rewinding and the definition of quantum security models
for classical primitives. In this review article, aimed primarily at
cryptographers unfamiliar with the quantum world, we survey the area of
theoretical quantum cryptography, with an emphasis on the constructions and
limitations beyond the realm of QKD.
Comment: 45 pages, over 245 references
Secure Two-Party Quantum Computation Over Classical Channels
Secure two-party computation considers the problem of two parties computing a joint function of their private inputs without revealing anything beyond the output of the computation. In this work, we take the first steps towards understanding the setting where: 1) the two parties (Alice and Bob) can communicate only via a classical channel, 2) the input of Bob is quantum, and 3) the input of Alice is classical. Our first result indicates that in this setting it is in general impossible to realize a two-party quantum functionality with black-box simulation in the case of malicious quantum adversaries. In particular, we show that the existence of a secure quantum computing protocol that relies only on classical channels would contradict the quantum no-cloning argument.
We circumvent this impossibility following three different approaches. The first is by considering a weaker security notion called one-sided simulation security. This notion protects the input of one party (the quantum Bob) in the standard simulation-based sense and protects the privacy of the other party's input (the classical Alice). We show how to realize a protocol that satisfies this notion relying on the learning with errors assumption. The second way to circumvent the impossibility result, while at the same time providing standard simulation-based security also against a malicious Bob, is by assuming that the quantum input has an efficient classical representation.
Finally, we focus our attention on the class of zero-knowledge functionalities and provide a compiler that takes as input a classical proof of quantum knowledge (PoQK) protocol for a QMA relation R (a classical PoQK is a PoQK that can be verified by a classical verifier) and outputs a zero-knowledge PoQK for R that can be verified by classical parties. The direct implication of our result is that Mahadev's protocol for classical verification of quantum computations (FOCS'18) can be turned into a zero-knowledge proof of quantum knowledge with classical verifiers. To the best of our knowledge, we are the first to instantiate such a primitive.
Insecurity of Quantum Secure Computations
It had been widely claimed that quantum mechanics can protect private
information during public decision in for example the so-called two-party
secure computation. If this were the case, quantum smart-cards could prevent
fake teller machines from learning the PIN (Personal Identification Number)
from the customers' input. Although such optimism has been challenged by the
recent surprising discovery of the insecurity of the so-called quantum bit
commitment, the security of quantum two-party computation itself remains
unaddressed. Here I answer this question directly by showing that all
``one-sided'' two-party computations (which allow only one of the two parties
to learn the result) are necessarily insecure. As corollaries to my results,
quantum one-way oblivious password identification and the so-called quantum
one-out-of-two oblivious transfer are impossible. I also construct a class of
functions that cannot be computed securely in any ``two-sided'' two-party
computation. Nevertheless, quantum cryptography remains useful in key
distribution and can still provide partial security in ``quantum money''
proposed by Wiesner.
Comment: The discussion on the insecurity of even non-ideal protocols has been
greatly extended. Other technical points are also clarified. Version accepted
for publication in Phys. Rev.
Complete Insecurity of Quantum Protocols for Classical Two-Party Computation
A fundamental task in modern cryptography is the joint computation of a
function which has two inputs, one from Alice and one from Bob, such that
neither of the two can learn more about the other's input than what is implied
by the value of the function. In this Letter, we show that any quantum protocol
for the computation of a classical deterministic function that outputs the
result to both parties (two-sided computation) and that is secure against a
cheating Bob can be completely broken by a cheating Alice. Whereas it is known
that quantum protocols for this task cannot be completely secure, our result
implies that security for one party implies complete insecurity for the other.
Our findings stand in stark contrast to recent protocols for weak coin tossing,
and highlight the limits of cryptography within quantum mechanics. We remark
that our conclusions remain valid, even if security is only required to be
approximate and if the function that is computed for Bob is different from that
of Alice.
Comment: v2: 6 pages, 1 figure, text identical to PRL-version (but reasonably
formatted)
On the Efficiency of Classical and Quantum Secure Function Evaluation
We provide bounds on the efficiency of secure one-sided output two-party
computation of arbitrary finite functions from trusted distributed randomness
in the statistical case. From these results we derive bounds on the efficiency
of protocols that use different variants of OT as a black-box. When applied to
implementations of OT, these bounds generalize most known results to the
statistical case. Our results hold in particular for transformations between a
finite number of primitives and for any error. In the second part we study the
efficiency of quantum protocols implementing OT. While most classical lower
bounds for perfectly secure reductions of OT to distributed randomness still
hold in the quantum setting, we present a statistically secure protocol that
violates these bounds by an arbitrarily large factor. We then prove a weaker
lower bound that does hold in the statistical quantum setting and implies that
even quantum protocols cannot extend OT. Finally, we present two lower bounds
for reductions of OT to commitments and a protocol based on string commitments
that is optimal with respect to both of these bounds.
Secure two-party quantum evaluation of unitaries against specious adversaries
We describe how any two-party quantum computation, specified by a unitary
which simultaneously acts on the registers of both parties, can be privately
implemented against a quantum version of classical semi-honest adversaries that
we call specious. Our construction requires two ideal functionalities to
guarantee privacy: a private SWAP between registers held by the two parties and
a classical private AND-box equivalent to oblivious transfer. If the unitary to
be evaluated is in the Clifford group then only one call to SWAP is required
for privacy. On the other hand, any unitary not in the Clifford group requires one
call to an AND-box per R-gate in the circuit. Since SWAP is itself in the
Clifford group, this functionality is universal for the private evaluation of
any unitary in that group. SWAP can be built from a classical bit commitment
scheme or an AND-box but an AND-box cannot be constructed from SWAP. It follows
that unitaries in the Clifford group are to some extent the easy ones. We also
show that SWAP cannot be implemented privately in the bare model.
Variable Bias Coin Tossing
Alice is a charismatic quantum cryptographer who believes her parties are
unmissable; Bob is a (relatively) glamorous string theorist who believes he is
an indispensable guest. To prevent possibly traumatic collisions of
self-perception and reality, their social code requires that decisions about
invitation or acceptance be made via a cryptographically secure variable bias
coin toss (VBCT). This generates a shared random bit by the toss of a coin
whose bias is secretly chosen, within a stipulated range, by one of the
parties; the other party learns only the random bit. Thus one party can
secretly influence the outcome, while both can save face by blaming any
negative decisions on bad luck.
We describe here some cryptographic VBCT protocols whose security is
guaranteed by quantum theory and the impossibility of superluminal signalling,
setting our results in the context of a general discussion of secure two-party
computation. We also briefly discuss other cryptographic applications of VBCT.
Comment: 14 pages, minor correction