TQC 2009 (Waterloo, 11-13 May)
Statistically-Hiding Quantum Bit Commitment from Approximable-Preimage-Size Quantum One-Way Function
Takeshi Koshiba and Takanori Odaira, Saitama University

1. Bit Commitment

Bit Commitment
[Diagram: Alice (Sender) and Bob (Receiver) run a Commit Phase followed by a Reveal Phase.]

Commit Phase
[Diagram: Alice (Sender) holds the bit b; Bob (Receiver) ends up with C(b).]
① Commit b to Bob.
② Exchange messages.
③ Get some ciphertext C(b).

Reveal Phase
[Diagram: Alice (Sender) holds the bit b; Bob (Receiver) holds C(b) and produces an output.]
① Send some information i and confide b.
② Decode C(b) by using i and get some output.
③ Judge whether the output is equal to b or not. Bob returns “accept” if and only if they are equal.

Application of Bit Commitment
Example...
• Coin-tossing protocol over a network.
• Building blocks of zero-knowledge proof (resp. zero-knowledge argument) systems.
● Reducing the communication rounds of bit commitment ➔ Reducing those of zero-knowledge proof systems.
● Existence of non-interactive bit commitment ➔ Possibility of non-interactive zero-knowledge proof systems.

Security Property
Hiding property: (Cheating) Bob cannot learn the committed bit b during the commit phase.
Binding property: (Cheating) Alice cannot commit to her bit b and then maliciously reveal the opposite bit as her committed bit in such a way that Bob accepts.

Possibility / Impossibility
In the classical case, it has been shown that ...
Statistically Hiding + Statistically Binding: Impossible!
Thus...
Statistically Hiding + Computationally Binding
or
Computationally Hiding + Statistically Binding
This case is more desirable for actual application, since we can assume that the reveal phase protocol can be done in limited time.

Classical Construction
Naor, Ostrovsky, Venkatesan & Yung (NOVY scheme) [J.Crypt. '98]
• Statistically (perfectly)-hiding
• Base: One-way permutation
Haitner, Horvitz, Katz, Koo, Morselli & Shaltiel [EUROCRYPT '05]
• Statistically-hiding
• Base: Regular or approximable-preimage-size (APS) one-way function
Haitner & Reingold [STOC '07]
• Statistically-hiding
• Base: One-way function

In the Quantum World
BB84 Quantum Key Distribution: Unconditional Security!
Is unconditionally secure quantum bit commitment possible...?
Mayers [Phys.Rev.Lett. '97] and Lo & Chau [Phys.Rev.Lett. '97] showed that “the unconditionally secure QBC is impossible”.

Quantum Construction
● Bit String Commitment
  Kent [Phys.Rev.Lett. '03]
● Cheat-Sensitive Commitment
  Aharonov, Ta-Shma, Vazirani & Yao [STOC '00]
  Hardy & Kent [Phys.Rev.Lett. '04]
● Computational Theoretic (Focus on this case)
  Dumais, Mayers & Salvail (DMS scheme) [EUROCRYPT '00]
  • Statistically (perfectly)-hiding
  • Non-interactive protocol
  • Base: Quantum one-way permutation
  Impossible in the classical case.

Reducing Complexity Assumption
DMS scheme: Perfectly-hiding & Non-interactive
Base: Quantum one-way permutation
but...
We have not found any candidate for this. Thus, reducing the complexity assumption has been required.

Computational Theoretical Bit Commitment
                 One-way permutation   APS one-way function   One-way function
Classical case   NOVY98                HHKKMS05               HR07
Quantum case     DMS00                 Our scheme             ?
[Arrows in the figure: Reducing complexity assumption]

2. Preliminaries

Notations
Quantum basis: BB84 states $\{|0\rangle_+, |1\rangle_+\}$ and $\{|0\rangle_\times, |1\rangle_\times\}$.
In our scheme, the quantum basis depends on the bit which Alice commits in the commit phase.
Trace distance: for density matrices $\sigma$ and $\rho$,
$\delta(\sigma,\rho) \stackrel{\mathrm{def}}{=} \|\sigma-\rho\| = \mathrm{Tr}\sqrt{(\sigma-\rho)^\dagger(\sigma-\rho)}$

Quantum One-Way Function
Quantum One-Way Function:
• Computable efficiently.
• Difficult to invert.
And special cases of quantum one-way functions...
Regular:
• Each image of the function has the same number of pre-images.
Approximable Pre-image Size (APS, for short):
• The pre-image size is computable efficiently.

Leftover Hash Lemma
• H : universal hash family.
• X : distribution of the input of H, s.t. $H_\infty(X) = \lambda$.
• c : output length of H, where $c = \lambda - 2\log(1/\varepsilon)$.
Then
$\mathrm{SD}((H, H(X)), (H, U_c)) \le \varepsilon/2$,
where $U_c$ is the uniform distribution over $\{0,1\}^c$.

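General Protocol of Non-Interactive QBC (1) : Commit Phase
[Diagram: $H_{all}$ is made up of $H_{keep}$ and $H_{open}$ (Alice's Hilbert space $H_A$) and $H_{commit}$ (Bob's Hilbert space $H_B$). Given the bit w, Alice applies her quantum circuit $C_w$ to $|0\rangle$ and obtains $|\Psi_w\rangle$; Bob holds $\rho(w)$.]
$\rho(w) = \mathrm{tr}_A(|\Psi_w\rangle\langle\Psi_w|)$
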
General Protocol of Non-Interactive QBC (2) : Reveal Phase
[Diagram: $H_{all}$ is made up of $H_{keep}$ and $H_{open}$ (Alice's Hilbert space $H_A$) and $H_{commit}$ (Bob's Hilbert space $H_B$). Alice sends the bit w and $H_{open}$ to Bob, who holds $\rho(w)$.]
Bob performs a measurement, fixed by the protocol in view of w, and obtains w'.
Check: w' = w or not?

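General Strategy of Cheating Alice's Attack in Non-Interactive QBC
[Diagram: $H_{all}$ is made up of $H_{extra}$, $H_A$ and $H_{commit}$; $H_{open}$ and $H_{commit}$ are marked on the state. Cheating Alice's quantum circuits D and U act as $|0\rangle \xrightarrow{D} |\Psi\rangle \xrightarrow{U} |\Psi'\rangle$.]
D: generates the malicious state $|\Psi\rangle$.
U: maximizes the success probability of revealing bit 1.
$|\Psi\rangle$: highest probability to reveal 0 with success.
$|\Psi'\rangle$: highest probability to reveal 1 with success.
If she wants to reveal 0, she will only send it.
If she wants to reveal 1, she will send it after executing the circuit U.
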
Security Property
Computationally-binding: No adversary Alice can maliciously reveal a bit w with non-negligible probability.
Statistically-hiding: The trace distance $\delta(\rho(0),\rho(1))$ is negligible.
$\rho(0)$: density matrix when Alice commits a bit 0
$\rho(1)$: density matrix when Alice commits a bit 1

3. Our Scheme

Our Scheme
Base: Regular quantum one-way function or APS quantum one-way function
These include 1-to-1 QOW functions as a special case, and they are MORE LIKELY TO EXIST. We can find some candidates for this.
Statistically-hiding and computationally-binding
Non-interactive protocol

Protocol (1) : Commit Phase
$f = \{ f_n : \{0,1\}^n \to \{0,1\}^{\ell(n)} \}$ : function family.
Common input: security parameter n and the description of f.
[Diagram: Alice (Sender) holds the bit w; Bob (Receiver) receives $|f_n(x)\rangle_{\theta(w)}$.]
① Alice chooses $x \in \{0,1\}^n$ uniformly and computes $f_n(x)$.
② Alice sends the quantum state $|f_n(x)\rangle_{\theta(w)} \in H_{commit}$.
The basis of this state depends on w.

Protocol (2) : Reveal Phase
[Diagram: Alice (Sender) holds the bit w; Bob (Receiver) holds $|f_n(x)\rangle_{\theta(w)}$ and obtains y'.]
① Alice announces w and x.
② Bob measures $|f_n(x)\rangle_{\theta(w)}$ with some measurement (which also depends on w) and obtains the classical output $y' \in \mathrm{range}(f_n)$.
③ Bob accepts if and only if $y' = f_n(x)$.

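Added example (not part of the original slides): a state-vector simulation of the commit and reveal phases above for a toy f_n. It assumes θ(0) is the + (computational) basis, θ(1) is the × (Hadamard) basis, and that Bob measures in basis θ(w); the function f and the sizes are constructed for illustration, and f is not one-way.

```python
import math
import random

L = 3  # l(n): number of qubits sent to Bob (toy size, assumption)
N = 4  # n: input length of the toy function (assumption)

def f(x):
    """Toy stand-in for f_n (regular 2-to-1, NOT one-way); constructed for this example."""
    return (5 * x + 3) % (1 << L)

def hadamard(state):
    """Apply a Hadamard gate to every qubit of an amplitude list (Walsh-Hadamard transform)."""
    s = list(state)
    h = 1
    while h < len(s):
        for i in range(0, len(s), 2 * h):
            for j in range(i, i + h):
                a, b = s[j], s[j + h]
                s[j], s[j + h] = (a + b) / math.sqrt(2), (a - b) / math.sqrt(2)
        h *= 2
    return s

def commit(w, x):
    """Alice: prepare |f(x)> in basis theta(w): '+' for w = 0, 'x' for w = 1."""
    basis_state = [0.0] * (1 << L)
    basis_state[f(x)] = 1.0
    return basis_state if w == 0 else hadamard(basis_state)

def accept_probability(state, w_claimed, x_claimed):
    """Bob: measure in basis theta(w_claimed); he accepts iff the outcome equals f(x_claimed)."""
    rotated = state if w_claimed == 0 else hadamard(state)
    return rotated[f(x_claimed)] ** 2

def run(w, seed=0):
    """Return Bob's acceptance probability for an honest opening and for the other bit."""
    x = random.Random(seed).randrange(1 << N)
    state = commit(w, x)
    honest = accept_probability(state, w, x)
    other_bit = accept_probability(state, 1 - w, x)  # same x, other bit announced
    return honest, other_bit
```

An honest opening is accepted with probability 1, while announcing the other bit with the same x is accepted only with probability 2^-ℓ, because Bob then measures in the conjugate basis. This covers only that one naive opening, not the general cheating strategy analysed in the proof of Theorem 1.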
Security Property
Theorem 1. If $f = \{ f_n : \{0,1\}^n \to \{0,1\}^{\ell(n)} \}$ is a quantum one-way function family, then our scheme is computationally binding.
Theorem 2. If f is a family of almost-onto functions, then our scheme is statistically hiding.
If the statistical distance $\mathrm{SD}(f_n(U_n), U_{\ell(n)})$ is negligible, then f is almost-onto.

Compare with DMS Scheme
In [DMS00]: QOW permutation
The security property of the DMS scheme was proved because the scheme is based on it.
In our paper: QOW permutation = onto property (for hiding) + quantum one-wayness (for binding)
We observed that these can be discussed separately. From this observation...
We can replace QOWP with a more general one.

Construct Base Function
[Diagram: Original function (regular QOWF or APS QOWF) → Universal Hash → Base function (almost-onto QOWF).]
We use this as f in our scheme.

4. Security Analysis

Computational Binding (Proof of Theorem 1)
Perfect adversary Alice's strategy: she succeeds in revealing a bit $w \in \{0,1\}$ with probability 1.
Initial state $|0\rangle \xrightarrow{D} |\Psi_0\rangle$ (committed 0) $\xrightarrow{U} |\Psi_1\rangle$ (committed 1)
We show that if there exists such an adversary against the binding property, then the base one-way function will be broken. In other words, such an Alice constructs an inverter of the base function f whose success probability is 1.

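Computational Binding (Proof of Theorem 1)
Alice generates the malicious states $|\Psi_0\rangle$ and $|\Psi_1\rangle$:
$|\Psi_0\rangle = \sum_{x\in\{0,1\}^n} |\alpha_{n,0}\rangle\,|x\rangle\,|f_n(x)\rangle_+ = D|0\rangle$
$|\Psi_1\rangle = \sum_{x\in\{0,1\}^n} |\alpha_{n,1}\rangle\,|x\rangle\,|f_n(x)\rangle_\times = U|\Psi_0\rangle$
Systems: $|\alpha_{n,0}\rangle$: $H_{extra}$; $|x\rangle$: $H_{open}$; $|f_n(x)\rangle$: $H_{commit}$; $|u\rangle$: $H_{input}$.
u: input of the inverter, where $u \in \mathrm{range}(f_n)$. Encoded to the state $|u\rangle$.
$P^\times_{u,c}$: projection operator acting in $H_{commit}$.
The state
$|\Phi_{n,0}(u)\rangle = P^\times_{u,c}|\Psi_0\rangle = 2^{-\ell(n)/2}\sum_{x\in\{0,1\}^n} (-1)^{u\cdot f_n(x)}\,|\alpha_{n,0}\rangle\,|x\rangle\,|u\rangle_\times$
plays an important role for the inverter.
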
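Computational Binding (Proof of Theorem 1)
Inverter construction from the perfect adversary Alice:
input $|u\rangle|0\rangle \xrightarrow{D} |u\rangle|\Psi_0\rangle \xrightarrow{W} |u\rangle|\Phi_{n,0}(u)\rangle \xrightarrow{U} U|u\rangle|\Phi_{n,0}(u)\rangle$
$U|\Phi_{n,0}(u)\rangle = \sum_z |\alpha_{1,z}\rangle\,|z\rangle\,|u\rangle_\times$ for all $z \in f_n^{-1}(u)$
Measuring $H_{open}$, Alice obtains $z \in f_n^{-1}(u)$. Thus, Alice can invert f.
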
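Computational Binding (verify $|u\rangle|\Psi_0\rangle \xrightarrow{W} |u\rangle|\Phi_{n,0}(u)\rangle$)
Action of the circuit W:
$|u\rangle|\Psi_0\rangle = |u\rangle \sum_{x\in\{0,1\}^n} |\alpha_{n,0}\rangle\,|x\rangle\,|f_n(x)\rangle_+$
Hadamard gate and C-Not gate:
$|u\rangle \sum_{x\in\{0,1\}^n} (-1)^{u\cdot f_n(x)}\,|\alpha_{n,0}\rangle\,|x\rangle\,|f_n(x)\rangle_+$
The circuit which computes f efficiently:
$|u\rangle \sum_{x\in\{0,1\}^n} (-1)^{u\cdot f_n(x)}\,|\alpha_{n,0}\rangle\,|x\rangle\,|f_n(x)\oplus f_n(x)\rangle_+$
C-Not gate. Finally, Hadamard gate:
$|u\rangle\, 2^{-\ell(n)/2} \sum_{x\in\{0,1\}^n} (-1)^{u\cdot f_n(x)}\,|\alpha_{n,0}\rangle\,|x\rangle\,|u\rangle_\times = |u\rangle|\Phi_{n,0}(u)\rangle$
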
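Computational Binding (verify $U|\Phi_{n,0}(u)\rangle = \sum_z |\alpha_{1,z}\rangle\,|z\rangle\,|u\rangle_\times$)
$U|u\rangle|\Phi_{n,0}(u)\rangle = U|u\rangle P^\times_{u,c}|\Psi_0\rangle = |u\rangle P^\times_{u,c}U|\Psi_0\rangle$ (since U is restricted to act in $H_{extra} \otimes H_{open}$)
$= |u\rangle P^\times_{u,c}|\Psi_1\rangle = |u\rangle P^\times_{u,c} \sum_{x\in\{0,1\}^n} |\alpha_{n,1}\rangle\,|x\rangle\,|f_n(x)\rangle_\times$
$= |u\rangle \sum_z |\alpha_{n,z}\rangle\,|z\rangle\,|u\rangle_\times$ for all $z \in f_n^{-1}(u)$
Systems: $|\alpha_{n,0}\rangle$: $H_{extra}$; $|x\rangle$: $H_{open}$; $|f_n(x)\rangle$: $H_{commit}$; $|u\rangle$: $H_{input}$.
This completes the proof of Theorem 1.
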
Statistical Hiding (Proof of Theorem 2)
For all $x \in \{0,1\}^n$, we can write the density matrices $\rho(0)$ and $\rho(1)$ (the density matrix when Alice commits a bit 0, resp. a bit 1) as follows:
$\rho(0) = \sum_x 2^{-n}\,|f_n(x)\rangle_+\langle f_n(x)|$
$\rho(1) = \sum_x 2^{-n}\,|f_n(x)\rangle_\times\langle f_n(x)|$
For all $y \in \{0,1\}^{\ell(n)}$ (range of f), let
$\sigma_0 = \sum_y 2^{-\ell(n)}\,|y\rangle_+\langle y|$
$\sigma_1 = \sum_y 2^{-\ell(n)}\,|y\rangle_\times\langle y|$
Let $\varepsilon$ be some negligible function.

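Statistical Hiding (Proof of Theorem 2)
Then $\sigma_0 = \sigma_1$, since they are both the identity matrices of the same dimension.
Since $\delta(\rho(0),\sigma_0) < \varepsilon$ and $\delta(\rho(1),\sigma_1) < \varepsilon$ (by the Leftover Hash Lemma), by the triangle inequality we have $\delta(\rho(0),\rho(1)) < 2\varepsilon$. Still negligible.
[Diagram: $\rho_B(0)$ and $\sigma_0$ are within $\delta < \varepsilon$; $\sigma_0 = \sigma_1$; $\sigma_1$ and $\rho_B(1)$ are within $\delta < \varepsilon$; hence $\rho_B(0)$ and $\rho_B(1)$ are within $\delta < 2\varepsilon$.]
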
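Added example (not from the slides): an exact check, on toy parameters, of the Leftover Hash Lemma bound and of the triangle-inequality step above, using a regular function followed by a universal hash as in the "Construct Base Function" slide. The functions g and h, the form f(A, x) = (A, h_A(g(x))) of the base function and all sizes are assumptions made for illustration; g is not one-way.

```python
from collections import Counter
from itertools import product

N, K, M = 6, 2, 6      # toy sizes: g maps N bits to M bits, every image has 2^K preimages
LAM = N - K            # min-entropy of g(U_n) for a regular g
C = 2                  # hash output length c = LAM - 2*log2(1/EPS)
EPS = 2 ** (-(LAM - C) / 2)

def g(x):
    """Toy regular function (NOT one-way); constructed for this example."""
    return (37 * (x >> K) + 11) % (1 << M)

def h(rows, y):
    """Universal hash h_A(y) = A*y over GF(2); rows holds the C rows of A as M-bit ints."""
    out = 0
    for r in rows:
        out = (out << 1) | (bin(r & y).count("1") & 1)
    return out

def sd_from_uniform():
    """Exact SD((H, H(g(U_n))), (H, U_c)), averaging over every matrix A."""
    keys = list(product(range(1 << M), repeat=C))
    total = 0.0
    for rows in keys:
        counts = Counter(h(rows, g(x)) for x in range(1 << N))
        total += 0.5 * sum(abs(counts[z] / (1 << N) - 2 ** -C) for z in range(1 << C))
    return total / len(keys)

def hiding_bounds():
    """Return (SD, delta(rho(w), sigma_w), bound on delta(rho(0), rho(1)))."""
    sd = sd_from_uniform()
    # Assumed base function: f(A, x) = (A, h_A(g(x))). rho(0) is diagonal in the '+'
    # basis with the distribution of f on its diagonal, and sigma_0 = sigma_1 is the
    # uniform diagonal, so with the slides' delta (no 1/2 factor) the distance is 2*SD.
    # rho(1) is rho(0) conjugated by Hadamard gates, which leaves that distance unchanged.
    d_single = 2 * sd
    return sd, d_single, 2 * d_single  # triangle inequality through sigma_0 = sigma_1
```

With these sizes ε = 1/2, so the lemma guarantees SD ≤ 1/4; the enumeration covers all 4096 hash matrices and takes on the order of a second.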
Concluding (1)
Statistically-Hiding Quantum Bit Commitment
● From APS quantum one-way function
  ➔ It possibly is an answer to the open problem of [DMS'00]. Since our complexity assumption is more likely to hold than the existence of a quantum one-way permutation, the existence of statistically-hiding QBC becomes more plausible.
● Non-interactivity
  ➔ For actual applications (e.g. zero-knowledge proofs), it is more desirable that the communication complexity is small. So this is an important and interesting property.

Concluding (2)
Open Problem: Is Non-Interactive & Statistically-Hiding QBC from any QOWF possible?
● Required properties
  ➔ Almost-onto for statistically-hiding and quantum one-wayness for computationally-binding. Thus, if we have a general construction of almost-onto quantum one-way functions, we might solve this problem.
● Possible way
  ➔ Construction of universal one-way hash functions from any OWF in Rompel [STOC '90].
  ➔ Statistical zero-knowledge argument from any OWF in Nguyen, Ong & Vadhan [FOCS '06].