-
Quantum advantage from soft decoders
Authors:
André Chailloux,
Jean-Pierre Tillich
Abstract:
In recent years, Regev's reduction has been used as a quantum algorithmic tool for providing a quantum advantage for variants of the decoding problem. Following this line of work, the authors of [JSW+24] have recently come up with a quantum algorithm called Decoded Quantum Interferometry that is able to solve in polynomial time several optimization problems. They study in particular the Optimal Polynomial Interpolation (OPI) problem, which can be seen as a decoding problem on Reed-Solomon codes. In this work, we provide strong improvements for some instantiations of the OPI problem. The most notable improvements are for the $ISIS_{\infty}$ problem (originating from lattice-based cryptography) on Reed-Solomon codes, but we also study different constraints for OPI. Our results provide natural and convincing decoding problems for which we believe to have a quantum advantage. Our proof techniques involve the use of a soft decoder for Reed-Solomon codes, namely the decoding algorithm of Koetter and Vardy [KV03]. In order to be able to use this decoder in the setting of Regev's reduction, we provide a novel generic reduction from a syndrome decoding problem to a coset sampling problem, giving a powerful and simple-to-use theorem which generalizes previous work and is of independent interest. We also provide an extensive study of OPI using the Koetter and Vardy algorithm.
Submitted 19 November, 2024;
originally announced November 2024.
-
The Quantum Decoding Problem
Authors:
André Chailloux,
Jean-Pierre Tillich
Abstract:
One of the founding results of lattice-based cryptography is a quantum reduction from the Short Integer Solution problem to the Learning with Errors problem introduced by Regev. It has recently been pointed out by Chen, Liu and Zhandry that this reduction can be made more powerful by replacing the Learning with Errors problem with a quantum equivalent, where the errors are given in quantum superposition. In the context of codes, this can be adapted to a reduction from finding short codewords to a quantum decoding problem for random linear codes.
We therefore consider in this paper the quantum decoding problem, where we are given a superposition of noisy versions of a codeword and we want to recover the corresponding codeword. When we measure the superposition, we get back the usual classical decoding problem, for which the best known algorithms in the constant-rate and constant-error-rate regime are exponential in the code length. However, we show here that when the noise rate is small enough, the quantum decoding problem can be solved in quantum polynomial time. Moreover, we also show that the problem can in principle be solved quantumly (albeit not efficiently) for noise rates for which the associated classical decoding problem cannot be solved at all for information-theoretic reasons.
We then revisit Regev's reduction in the context of codes. We show that using our algorithms for the quantum decoding problem in Regev's reduction matches the best known quantum algorithms for the short codeword problem. This shows in some sense the tightness of Regev's reduction when considering the quantum decoding problem and also paves the way for new quantum algorithms for the short codeword problem.
Submitted 31 October, 2023;
originally announced October 2023.
-
Finding many Collisions via Reusable Quantum Walks
Authors:
Xavier Bonnetain,
André Chailloux,
André Schrottenloher,
Yixin Shen
Abstract:
Given a random function $f$ with domain $[2^n]$ and codomain $[2^m]$, with $m \geq n$, a collision of $f$ is a pair of distinct inputs with the same image. Collision finding is a ubiquitous problem in cryptanalysis, and it has been well studied using both classical and quantum algorithms. Indeed, the quantum query complexity of the problem is well known to be $\Theta(2^{m/3})$, and matching algorithms are known for any value of $m$. The situation becomes different when one is looking for multiple collision pairs. Here, for $2^k$ collisions, a query lower bound of $\Theta(2^{(2k+m)/3})$ was shown by Liu and Zhandry (EUROCRYPT 2019). A matching algorithm is known, but only for relatively small values of $m$, when many collisions exist. In this paper, we improve the algorithms for this problem and, in particular, extend the range of admissible parameters where the lower bound is met. Our new method relies on a chained quantum walk algorithm, which might be of independent interest. It allows one to extract multiple solutions of an MNRS-style quantum walk without having to recompute it entirely: after finding and outputting a solution, the current state is reused as the initial state of another walk. As an application, we improve the quantum sieving algorithms for the shortest vector problem (SVP), with a complexity of $2^{0.2563d + o(d)}$ instead of the previous $2^{0.2570d + o(d)}$.
Submitted 27 May, 2022;
originally announced May 2022.
-
Relativistic zero-knowledge protocol for NP over the internet unconditionally secure against quantum adversaries
Authors:
André Chailloux,
Yann Barsamian
Abstract:
Relativistic cryptography is a proposal for achieving unconditional security that exploits the fact that no information carrier can travel faster than the speed of light. It is based on space-time constraints but doesn't require quantum hardware. Nevertheless, it was unclear whether this proposal is realistic or not. Recently, Alikhani et al. [ABC+21] performed an implementation of a relativistic zero-knowledge protocol for NP. Their implemented scheme shows the feasibility of relativistic cryptography, but it is only secure against classical adversaries. In this work, we present a new relativistic protocol for NP which is secure against quantum adversaries and which is efficient enough that it can be implemented on everyday laptops and internet connections. We use Stern's zero-knowledge scheme for the Syndrome Decoding problem, which was used before in post-quantum cryptography. The main technical contribution is a generalization of the consecutive measurement framework of [CL17] to prove the security of our scheme against quantum adversaries, and we perform an implementation that demonstrates the feasibility and efficiency of our proposed scheme.
Submitted 2 December, 2021;
originally announced December 2021.
-
Lattice sieving via quantum random walks
Authors:
André Chailloux,
Johanna Loyer
Abstract:
Lattice-based cryptography is one of the leading proposals for post-quantum cryptography. The Shortest Vector Problem (SVP) is arguably the most important problem for the cryptanalysis of lattice-based cryptography, and many lattice-based schemes have security claims based on its hardness. The best quantum algorithm for the SVP is due to Laarhoven [Laa16 PhD] and runs in (heuristic) time $2^{0.2653d + o(d)}$. In this article, we present an improvement over Laarhoven's result and give an algorithm that has a (heuristic) running time of $2^{0.2570 d + o(d)}$, where $d$ is the lattice dimension. We also present time-memory trade-offs where we quantify the amount of quantum memory and quantum random access memory of our algorithm. The core idea is to replace Grover's algorithm, used in [Laa16 PhD] in a key part of the sieving algorithm, by a quantum random walk in which we add a layer of locality-sensitive filtering.
Submitted 12 May, 2021;
originally announced May 2021.
-
Breaking simple quantum position verification protocols with little entanglement
Authors:
Andrea Olivo,
Ulysse Chabaud,
André Chailloux,
Frédéric Grosshans
Abstract:
Instantaneous nonlocal quantum computation (INQC) evades apparent quantum and relativistic constraints and allows attacks on generic quantum position verification (QPV) protocols (aiming at securely certifying the location of a distant prover) at an exponential entanglement cost. We consider adversaries sharing maximally entangled pairs of qudits and find low-dimensional INQC attacks against the simple practical family of QPV protocols based on single photons polarized at an angle $\theta$. We find exact attacks against some rational angles, including some sitting outside of the Clifford hierarchy (e.g. $\pi/6$), and show that no $\theta$ tolerates errors higher than $\simeq 5\cdot 10^{-3}$ against adversaries holding two ebits per protocol qubit.
Submitted 30 July, 2020;
originally announced July 2020.
-
Tight quantum security of the Fiat-Shamir transform for commit-and-open identification schemes with applications to post-quantum signature schemes
Authors:
André Chailloux
Abstract:
Applying the Fiat-Shamir transform on identification schemes is one of the main ways of constructing signature schemes. While the classical security of this transformation is well understood, it is only very recently that generic results for the quantum case have been proposed [DFMS19,LZ19]. These results are asymptotic and therefore can't be used to derive the concrete security of these signature schemes without a significant loss in parameters.
In this paper, we show that if we start from a commit-and-open identification scheme, where the prover first commits to several strings and then, as a second message, opens a subset of them depending on the verifier's message, then there is a tight quantum reduction for the Fiat-Shamir transform to special soundness notions. Our work applies to most 3-round schemes of this form and can be used immediately to derive the concrete quantum security of signature schemes.
We apply our techniques to several identification schemes that lead to signature schemes such as Stern's identification scheme based on coding problems, the [KTX08] identification scheme based on lattice problems, the [SSH11] identification schemes based on multivariate problems, closely related to the NIST candidate MQDSS, and the PICNIC scheme based on multiparty computing problems, which is also a NIST candidate.
Submitted 16 March, 2021; v1 submitted 12 June, 2019;
originally announced June 2019.
-
A note on the quantum query complexity of permutation symmetric functions
Authors:
André Chailloux
Abstract:
It is known since the work of [AA14] that for any permutation symmetric function $f$, the quantum query complexity is at most polynomially smaller than the classical randomized query complexity, more precisely that $R(f) = \widetilde{O}\left(Q^7(f)\right)$. In this paper, we improve this result and show that $R(f) = {O}\left(Q^3(f)\right)$ for a more general class of symmetric functions. Our proof is constructive and relies largely on the quantum hardness of distinguishing a random permutation from a random function with small range from Zhandry [Zha15].
Submitted 3 October, 2018;
originally announced October 2018.
-
A tight security reduction in the quantum random oracle model for code-based signature schemes
Authors:
André Chailloux,
Thomas Debris-Alazard
Abstract:
Quantum-secure signature schemes have received a lot of attention recently, in particular because of the NIST call to standardize quantum-safe cryptography. However, only a few signature schemes have concrete quantum security, because of technical difficulties associated with the Quantum Random Oracle Model (QROM). In this paper, we show that code-based signature schemes based on the full domain hash paradigm can behave very well in the QROM, i.e., we can have tight security reductions. We also study quantum algorithms related to the underlying code-based assumption. Finally, we apply our reduction to a concrete example: the SURF signature scheme. We provide parameters for 128 bits of quantum security in the QROM and show that the obtained parameters are competitive compared to other similar quantum-secure signature schemes.
Submitted 20 September, 2017;
originally announced September 2017.
-
The information cost of quantum memoryless protocols
Authors:
André Chailloux,
Iordanis Kerenidis,
Mathieu Laurière
Abstract:
We consider memoryless quantum communication protocols, where the two parties do not possess any memory besides their classical input and they take turns performing unitary operations on a pure quantum state that they exchange between them. Most known quantum protocols are of this type, and a deep connection between memoryless protocols and Bell inequality violations has recently been explored by Buhrman et al. We study the information cost of memoryless quantum protocols by looking at a canonical problem: bounded-round quantum communication protocols for the one-bit AND function. We prove directly a tight lower bound of $\Theta(\log(k) / k)$ for the information cost of AND for $k$-round memoryless quantum protocols and for the input distribution needed for the Disjointness function. It is not clear if memoryless protocols allow for a reduction between AND and Disjointness, due to the absence of private workspaces. We enhance the model by allowing the players to keep in their private classical workspace, apart from their input, also some classical private coins. Surprisingly, we show that every quantum protocol can be transformed into an equivalent quantum protocol with private coins that is perfectly private, i.e. the players only learn the value of the function and nothing more. Last, we consider the model where the players are allowed to use one-shot coins, i.e. private coins that can be used only once during the protocol. While in the classical case private coins and one-shot coins are equivalent, in the quantum case we prove that they are not. More precisely, we show that every quantum memoryless protocol with one-bit inputs that uses one-shot coins can be transformed into a memoryless quantum protocol without private coins and without increasing its information cost too much. Hence, while private coins always allow for private quantum protocols, one-shot coins do not.
Submitted 9 March, 2017; v1 submitted 3 March, 2017;
originally announced March 2017.
-
Relativistic (or $2$-prover $1$-round) zero-knowledge protocol for $\mathsf{NP}$ secure against quantum adversaries
Authors:
André Chailloux,
Anthony Leverrier
Abstract:
In this paper, we show that the zero-knowledge construction for Hamiltonian cycle remains secure against quantum adversaries in the relativistic setting. Our main technical contribution is a tool for studying the action of consecutive measurements on a quantum state which in turn gives upper bounds on the value of some entangled games. This allows us to prove the security of our protocol against quantum adversaries. We also prove security bounds for the (single-round) relativistic string commitment and bit commitment in parallel against quantum adversaries. As an additional consequence of our result, we answer an open question from [Unr12] and show tight bounds on the quantum knowledge error of some $\Sigma$-protocols.
Submitted 22 May, 2017; v1 submitted 22 December, 2016;
originally announced December 2016.
-
Experimental Verification of Multipartite Entanglement in Quantum Networks
Authors:
W. McCutcheon,
A. Pappa,
B. A. Bell,
A. McMillan,
A. Chailloux,
T. Lawson,
M. Mafu,
D. Markham,
E. Diamanti,
I. Kerenidis,
J. G. Rarity,
M. S. Tame
Abstract:
Multipartite entangled states are a fundamental resource for a wide range of quantum information processing tasks. In particular, in quantum networks it is essential for the parties involved to be able to verify if entanglement is present before they carry out a given distributed task. Here we design and experimentally demonstrate a protocol that allows any party in a network to check if a source is distributing a genuinely multipartite entangled state, even in the presence of untrusted parties. The protocol remains secure against dishonest behaviour of the source and other parties, including the use of system imperfections to their advantage. We demonstrate the verification protocol in a three- and four-party setting using polarization-entangled photons, highlighting its potential for realistic photonic quantum communication and networking applications.
Submitted 15 November, 2016;
originally announced November 2016.
-
Recursive cheating strategies for the relativistic $F_Q$ bit commitment protocol
Authors:
Rémi Bricout,
André Chailloux
Abstract:
In this paper, we study relativistic bit commitment, which uses timing and location constraints to achieve information-theoretic security. We consider the $F_Q$ multi-round bit commitment scheme introduced by Lunghi et al. [LKB+15]. This protocol was shown secure against classical adversaries as long as the number of rounds $m$ is small compared to $\sqrt{Q}$, where $Q$ is the size of the field used in the protocol [CCL15,FF16].
In this work, we study classical attacks on this scheme. We use classical strategies for the $CHSH_Q$ game described in [BS15] to derive cheating strategies for this protocol. In particular, our cheating strategy shows that if $Q$ is an even power of any prime, then the protocol is not secure when the number of rounds $m$ is of the order of $\sqrt{Q}$. For those values of $Q$, this means that the upper bound of [CCL15,FF16] is essentially optimal.
Submitted 12 August, 2016;
originally announced August 2016.
-
Robust Relativistic Bit Commitment
Authors:
Kaushik Chakraborty,
André Chailloux,
Anthony Leverrier
Abstract:
Relativistic cryptography exploits the fact that no information can travel faster than the speed of light in order to obtain security guarantees that cannot be achieved from the laws of quantum mechanics alone. Recently, Lunghi et al. [Phys. Rev. Lett. 2015] presented a bit commitment scheme where each party uses two agents that exchange classical information in a synchronized fashion, and that is both hiding and binding. A caveat is that the commitment time is intrinsically limited by the spatial configuration of the players, and increasing this time requires the agents to exchange messages during the whole duration of the protocol. While such a solution remains computationally attractive, its practicality is severely limited in realistic settings, since all communication must remain perfectly synchronized at all times.
In this work, we introduce a robust protocol for relativistic bit commitment that tolerates failures of the classical communication network. This is done by adding a third agent to both parties. Our scheme provides a quadratic improvement in terms of expected sustain time compared to the original protocol, while retaining the same level of security.
Submitted 11 August, 2016;
originally announced August 2016.
-
Arbitrarily long relativistic bit commitment
Authors:
Kaushik Chakraborty,
André Chailloux,
Anthony Leverrier
Abstract:
We consider the recent relativistic bit commitment protocol introduced by Lunghi et al. [Phys. Rev. Lett. 2015] and present a new security analysis against classical attacks. In particular, while the initial complexity of the protocol scaled double-exponentially with the commitment time, our analysis shows that the correct dependence is only linear. This has dramatic implications in terms of implementation: in particular, the commitment time can easily be made arbitrarily long, by only requiring both parties to communicate classically and perform efficient classical computation.
Submitted 1 July, 2015;
originally announced July 2015.
-
Parallel Repetition of Free Entangled Games: Simplification and Improvements
Authors:
André Chailloux,
Giannicola Scarpa
Abstract:
In a two-player game, two cooperating but non-communicating players, Alice and Bob, receive inputs taken from a probability distribution. Each of them produces an output, and they win the game if they satisfy some predicate on their inputs/outputs. The entangled value $\omega^*(G)$ of a game $G$ is the maximum probability that Alice and Bob can win the game if they are allowed to share an entangled state prior to receiving their inputs.
The $n$-fold parallel repetition $G^n$ of $G$ consists of $n$ instances of $G$ where Alice and Bob receive all the inputs at the same time and must produce all the outputs at the same time. They win $G^n$ if they win each instance of $G$. Recently, there has been a series of works showing parallel repetition with exponential decay for projection games [DSV13], games on the uniform distribution [CS14] and free games, i.e. games on a product distribution [JPY13].
This article is meant to be a follow-up of [CS14], where we improve and simplify several parts of our previous paper. Our main result is that for any free game $G$ with value $\omega^*(G)=1-\varepsilon$, we have $\omega^*(G^n) \le (1 - \varepsilon^2)^{\Omega(\frac{n}{\log(l)})}$, where $l$ is the size of the output set of the game. This result improves on both the results in [JPY13] and [CS14]. The framework we use can also be extended to free projection games. We show that for a free projection game $G$ with value $\omega^*(G)=1-\varepsilon$, we have $\omega^*(G^n) \le (1 - \varepsilon)^{\Omega(n)}$.
Submitted 1 March, 2015; v1 submitted 16 October, 2014;
originally announced October 2014.
-
Optimal bounds for parity-oblivious random access codes
Authors:
André Chailloux,
Iordanis Kerenidis,
Srijita Kundu,
Jamie Sikora
Abstract:
Random access coding is an information task that has been extensively studied and has found many applications in quantum information. In this scenario, Alice receives an $n$-bit string $x$ and wishes to encode $x$ into a quantum state $\rho_x$, such that Bob, when receiving the state $\rho_x$, can choose any bit $i \in [n]$ and recover the input bit $x_i$ with high probability. Here we study two variants: parity-oblivious random access codes, where we impose the cryptographic property that Bob cannot infer any information about the parity of any subset of bits of the input apart from the single bits $x_i$; and even-parity-oblivious random access codes, where Bob cannot infer any information about the parity of any even-size subset of bits of the input.
In this paper, we provide the optimal bounds for parity-oblivious quantum random access codes and show that they are asymptotically better than the optimal classical ones. Our results provide a large non-contextuality inequality violation and resolve the main open problem in a work of Spekkens, Buzacott, Keehn, Toner, and Pryde (2009). Second, we provide the optimal bounds for even-parity-oblivious random access codes by proving their equivalence to a non-local game and by providing tight bounds for the success probability of the non-local game via semidefinite programming. In the case of even-parity-oblivious random access codes, the cryptographic property holds also in the device-independent model.
Submitted 22 March, 2016; v1 submitted 21 April, 2014;
originally announced April 2014.
-
Graph-theoretical Bounds on the Entangled Value of Non-local Games
Authors:
André Chailloux,
Laura Mančinska,
Giannicola Scarpa,
Simone Severini
Abstract:
We introduce a novel technique to give bounds to the entangled value of non-local games. The technique is based on a class of graphs used by Cabello, Severini and Winter in 2010. The upper bound uses the famous Lovász theta number and is efficiently computable; the lower one is based on the quantum independence number, which is a quantity used in the study of entanglement-assisted channel capacities and graph homomorphism games.
Submitted 27 February, 2015; v1 submitted 14 April, 2014;
originally announced April 2014.
-
A simpler proof of existence of quantum weak coin flipping with arbitrarily small bias
Authors:
Dorit Aharonov,
André Chailloux,
Maor Ganz,
Iordanis Kerenidis,
Loïck Magnin
Abstract:
Mochon's proof [Moc07] of existence of quantum weak coin flipping with arbitrarily small bias is a fundamental result in quantum cryptography, but at the same time one of the least understood. Though used several times as a black box in important follow-up results [Gan09, CK09, AS10, CK11, KZ13], the result has not been peer-reviewed, its novel techniques (and in particular Kitaev's point game formalism) have not been applied anywhere else, and an explicit protocol is missing. We believe that truly understanding the existence proof and the novel techniques it relies on would constitute a major step in quantum information theory, leading to deeper understanding of entanglement and of quantum protocols in general. In this work, we make a first step in this direction. We simplify parts of Mochon's construction considerably, making about 20 pages of analysis in the original proof superfluous, clarifying some other parts of the proof on the way, and presenting the proof in a way which is conceptually easier to grasp. We believe the resulting proof of existence is easier to understand, more readable, and certainly verifiable. Moreover, we analyze the resources needed to achieve a bias $\varepsilon$ and show that the number of qubits is $O(\log 1/\varepsilon)$, while the number of rounds is $(1/\varepsilon)^{O(1/\varepsilon)}$. A true understanding of the proof, including Kitaev's point game techniques and their applicability, as well as completing the task of constructing an explicit (and also simpler and more efficient) protocol, are left to future work.
Submitted 28 February, 2014;
originally announced February 2014.
-
Parallel Repetition of Entangled Games with Exponential Decay via the Superposed Information Cost
Authors:
André Chailloux,
Giannicola Scarpa
Abstract:
In a two-player game, two cooperating but non-communicating players, Alice and Bob, receive inputs taken from a probability distribution. Each of them produces an output and they win the game if they satisfy some predicate on their inputs/outputs. The entangled value $ω^*(G)$ of a game $G$ is the maximum probability that Alice and Bob can win the game if they are allowed to share an entangled state prior to receiving their inputs.
The $n$-fold parallel repetition $G^n$ of $G$ consists of $n$ instances of $G$ where the players receive all the inputs at the same time and produce all the outputs at the same time. They win $G^n$ if they win each instance of $G$.
In this paper we show that for any game $G$ such that $ω^*(G) = 1 - \varepsilon < 1$, $ω^*(G^n)$ decreases exponentially in $n$. First, for any game $G$ on the uniform distribution, we show that $ω^*(G^n) = (1 - \varepsilon^2)^{Ω\left(\frac{n}{\log(|I||O|)} - |\log(\varepsilon)|\right)}$, where $|I|$ and $|O|$ are the sizes of the input and output sets. From this result, we show that for any entangled game $G$, $ω^*(G^n) \le (1 - \varepsilon^2)^{Ω(\frac{n}{Q\log(|I||O|)} - \frac{|\log(\varepsilon)|}{Q})}$ where $p$ is the input distribution of $G$ and $Q= \frac{|I|^2 \max_{xy} p_{xy}^2 }{\min_{xy} p_{xy} }$. This implies parallel repetition with exponential decay as long as $\min_{xy} \{p_{xy}\} \neq 0$ for general games. To prove this parallel repetition, we introduce the concept of \emph{Superposed Information Cost} for entangled games which is inspired from the information cost used in communication complexity.
Submitted 2 October, 2014; v1 submitted 29 October, 2013;
originally announced October 2013.
-
Optimal bounds for semi-honest quantum oblivious transfer
Authors:
André Chailloux,
Gus Gutoski,
Jamie Sikora
Abstract:
Oblivious transfer is a fundamental cryptographic primitive in which Bob transfers one of two bits to Alice in such a way that Bob cannot know which of the two bits Alice has learned. We present an optimal security bound for quantum oblivious transfer protocols under a natural and demanding definition of what it means for Alice to cheat. Our lower bound is a smooth tradeoff between the probability B with which Bob can guess Alice's bit choice and the probability A with which Alice can guess both of Bob's bits given that she learns one of the bits with certainty. We prove that 2B + A is greater than or equal to 2 in any quantum protocol for oblivious transfer, from which it follows that one of the two parties must be able to cheat with probability at least 2/3. We prove that this bound is optimal by exhibiting a family of protocols whose cheating probabilities can be made arbitrarily close to any point on the tradeoff curve.
Submitted 30 August, 2016; v1 submitted 11 October, 2013;
originally announced October 2013.
-
Experimental plug&play quantum coin flipping
Authors:
Anna Pappa,
Paul Jouguet,
Thomas Lawson,
André Chailloux,
Matthieu Legré,
Patrick Trinkler,
Iordanis Kerenidis,
Eleni Diamanti
Abstract:
Performing complex cryptographic tasks will be an essential element in future quantum communication networks. These tasks are based on a handful of fundamental primitives, such as coin flipping, where two distrustful parties wish to agree on a randomly generated bit. Although it is known that quantum versions of these primitives can offer information-theoretic security advantages with respect to classical protocols, a demonstration of such an advantage in a practical communication scenario has remained elusive. Here, we experimentally implement a quantum coin flipping protocol that performs strictly better than classically possible over a distance suitable for communication over metropolitan area optical networks. The implementation is based on a practical plug&play system, designed for quantum key distribution. We also show how to combine our protocol with coin flipping protocols that are almost perfectly secure against bounded adversaries, hence enhancing them with a level of information-theoretic security. Our results offer a powerful toolbox for future secure quantum communications.
Submitted 24 April, 2014; v1 submitted 14 June, 2013;
originally announced June 2013.
-
Strong connections between quantum encodings, non-locality and quantum cryptography
Authors:
André Chailloux,
Iordanis Kerenidis,
Jamie Sikora
Abstract:
Encoding information in quantum systems can offer surprising advantages but at the same time there are limitations that arise from the fact that measuring an observable may disturb the state of the quantum system. In our work, we provide an in-depth analysis of a simple question: What happens when we perform two measurements sequentially on the same quantum system? This question touches upon some fundamental properties of quantum mechanics, namely the uncertainty principle and the complementarity of quantum measurements. Our results have interesting consequences, for example they can provide a simple proof of the optimal quantum strategy in the famous Clauser-Horne-Shimony-Holt game. Moreover, we show that the way information is encoded in quantum systems can provide a different perspective in understanding other fundamental aspects of quantum information, like non-locality and quantum cryptography. We prove some strong equivalences between these notions and provide a number of applications in all areas.
Submitted 2 April, 2014; v1 submitted 3 April, 2013;
originally announced April 2013.
-
Multipartite entanglement verification resistant against dishonest parties
Authors:
Anna Pappa,
André Chailloux,
Stephanie Wehner,
Eleni Diamanti,
Iordanis Kerenidis
Abstract:
Future quantum information networks will likely consist of quantum and classical agents, who have the ability to communicate in a variety of ways with trusted and untrusted parties and securely delegate computational tasks to untrusted large-scale quantum computing servers. Multipartite quantum entanglement is a fundamental resource for such a network and hence it is imperative to study the possibility of verifying a multipartite entanglement source in a way that is efficient and provides strong guarantees even in the presence of multiple dishonest parties. In this work, we show how an agent of a quantum network can perform a distributed verification of a multipartite entangled source with minimal resources, which is, nevertheless, resistant against any number of dishonest parties. Moreover, we provide a tight tradeoff between the level of security and the distance between the state produced by the source and the ideal maximally entangled state. Last, by adding the resource of a trusted common random source, we can further provide security guarantees for all honest parties in the quantum network simultaneously.
Submitted 6 November, 2012; v1 submitted 21 December, 2011;
originally announced December 2011.
-
The Complexity of the Separable Hamiltonian Problem
Authors:
André Chailloux,
Or Sattath
Abstract:
In this paper, we study variants of the canonical Local-Hamiltonian problem where, in addition, the witness is promised to be separable. We define two variants of the Local-Hamiltonian problem. The input for the Separable-Local-Hamiltonian problem is the same as for the Local-Hamiltonian problem, i.e. a local Hamiltonian and two energies a and b, but the question is somewhat different: the answer is YES if there is a separable quantum state with energy at most a, and the answer is NO if all separable quantum states have energy at least b. The Separable-Sparse-Hamiltonian problem is defined similarly, but the Hamiltonian is not necessarily local, but rather sparse. We show that the Separable-Sparse-Hamiltonian problem is QMA(2)-Complete, while Separable-Local-Hamiltonian is in QMA. This should be compared to the Local-Hamiltonian and Sparse-Hamiltonian problems, which are both QMA-Complete. To the best of our knowledge, Separable-Sparse-Hamiltonian is the first non-trivial problem shown to be QMA(2)-Complete.
Submitted 22 November, 2011;
originally announced November 2011.
-
Practical Quantum Coin Flipping
Authors:
Anna Pappa,
André Chailloux,
Eleni Diamanti,
Iordanis Kerenidis
Abstract:
In this article we show for the first time that quantum coin flipping with security guarantees that are strictly better than any classical protocol is possible to implement with current technology. Our protocol takes into account all aspects of an experimental implementation like losses, multi-photon pulses emitted by practical photon sources, channel noise, detector dark counts and finite quantum efficiency. We calculate the abort probability when both players are honest, as well as the probability of one player forcing his desired outcome. For channel length up to 21 km, we achieve a cheating probability that is better than in any classical protocol. Our protocol is easy to implement using attenuated laser pulses, with no need for entangled photons or any other specific resources.
Submitted 30 July, 2011; v1 submitted 6 June, 2011;
originally announced June 2011.
-
Optimal bounds for quantum bit commitment
Authors:
André Chailloux,
Iordanis Kerenidis
Abstract:
Bit commitment is a fundamental cryptographic primitive with numerous applications. Quantum information allows for bit commitment schemes in the information theoretic setting where no dishonest party can perfectly cheat. The previously best-known quantum protocol by Ambainis achieved a cheating probability of at most 3/4 [Amb01]. On the other hand, Kitaev showed that no quantum protocol can have cheating probability less than $1/\sqrt{2}$ [Kit03] (his lower bound on coin flipping can be easily extended to bit commitment). Closing this gap has since been an important and open question.
In this paper, we provide the optimal bound for quantum bit commitment. We first show a lower bound of approximately 0.739, improving Kitaev's lower bound. We then present an optimal quantum bit commitment protocol which has cheating probability arbitrarily close to 0.739. More precisely, we show how to use any weak coin flipping protocol with cheating probability 1/2 + eps in order to achieve a quantum bit commitment protocol with cheating probability 0.739 + O(eps). We then use the optimal quantum weak coin flipping protocol described by Mochon[Moc07]. To stress the fact that our protocol uses quantum effects beyond the weak coin flip, we show that any classical bit commitment protocol with access to perfect weak (or strong) coin flipping has cheating probability at least 3/4.
Submitted 8 February, 2011;
originally announced February 2011.
-
Fully Distrustful Quantum Cryptography
Authors:
J. Silman,
A. Chailloux,
N. Aharon,
I. Kerenidis,
S. Pironio,
S. Massar
Abstract:
In the distrustful quantum cryptography model the different parties have conflicting interests and do not trust one another. Nevertheless, they trust the quantum devices in their labs. The aim of the device-independent approach to cryptography is to do away with the necessity of making this assumption, and, consequently, significantly increase security. In this paper we enquire whether the scope of the device-independent approach can be extended to the distrustful cryptography model, thereby rendering it 'fully' distrustful. We answer this question in the affirmative by presenting a device-independent (imperfect) bit-commitment protocol, which we then use to construct a device-independent coin flipping protocol.
Submitted 27 January, 2011; v1 submitted 26 January, 2011;
originally announced January 2011.
-
Quantum Commitments from Complexity Assumptions
Authors:
André Chailloux,
Iordanis Kerenidis,
Bill Rosgen
Abstract:
Bit commitment schemes are at the basis of modern cryptography. Since information-theoretic security is impossible both in the classical and the quantum regime, we need to look at computationally secure commitment schemes. In this paper, we study worst-case complexity assumptions that imply quantum bit-commitment schemes. First, we show that QSZK not included in QMA implies a computationally hiding and statistically binding auxiliary-input quantum commitment scheme. Additionally, we give auxiliary-input commitment schemes using quantum advice that depend on the much weaker assumption that QIP is not included in QMA (which is weaker than PSPACE not included in PP). Finally, we find a quantum oracle relative to which honest-verifier QSZK is not contained in QCMA, the class of languages that can be verified using a classical proof in quantum polynomial time.
Submitted 25 July, 2011; v1 submitted 13 October, 2010;
originally announced October 2010.
-
Improved Loss-Tolerant Quantum Coin Flipping
Authors:
André Chailloux
Abstract:
In this paper, we present a loss-tolerant quantum strong coin flipping protocol with bias 0.359. This is an improvement over Berlin et al.'s protocol [BBBG08], which achieves a bias of 0.4. To achieve this, we extend Berlin et al.'s protocol by adding an encryption step that hides some information from Bob until he confirms that he successfully measured. We also show using numerical analysis that we cannot improve this bias by considering a k-fold repetition of Berlin et al.'s protocol for k > 2.
Submitted 11 March, 2011; v1 submitted 31 August, 2010;
originally announced September 2010.
-
Lower Bounds for Quantum Oblivious Transfer
Authors:
André Chailloux,
Iordanis Kerenidis,
Jamie Sikora
Abstract:
Oblivious transfer is a fundamental primitive in cryptography. While perfect information theoretic security is impossible, quantum oblivious transfer protocols can limit the dishonest players' cheating. Finding the optimal security parameters in such protocols is an important open question. In this paper we show that every 1-out-of-2 oblivious transfer protocol allows a dishonest party to cheat with probability bounded below by a constant strictly larger than 1/2. Alice's cheating is defined as her probability of guessing Bob's index, and Bob's cheating is defined as his probability of guessing both input bits of Alice. In our proof, we relate these cheating probabilities to the cheating probabilities of a coin flipping protocol and conclude by using Kitaev's coin flipping lower bound. Then, we present an oblivious transfer protocol with two messages and cheating probabilities at most 3/4. Last, we extend Kitaev's semidefinite programming formulation to more general primitives, where the security is against a dishonest player trying to force the outcome of the other player, and prove optimal lower and upper bounds for them.
Submitted 23 March, 2013; v1 submitted 12 July, 2010;
originally announced July 2010.
-
Optimal quantum strong coin flipping
Authors:
André Chailloux,
Iordanis Kerenidis
Abstract:
Coin flipping is a fundamental cryptographic primitive that enables two distrustful and far apart parties to create a uniformly random bit [Blu81]. Quantum information allows for protocols in the information theoretic setting where no dishonest party can perfectly cheat. The previously best-known quantum protocol by Ambainis achieved a cheating probability of at most 3/4 [Amb01]. On the other hand, Kitaev showed that no quantum protocol can have cheating probability less than $1/\sqrt{2}$ [Kit03]. Closing this gap has been one of the important open questions in quantum cryptography.
In this paper, we resolve this question by presenting a quantum strong coin flipping protocol with cheating probability arbitrarily close to $1/\sqrt{2}$. More precisely, we show how to use any weak coin flipping protocol with cheating probability $1/2+ε$ in order to achieve a strong coin flipping protocol with cheating probability $1/\sqrt{2}+O(ε)$. The optimal quantum strong coin flipping protocol follows from our construction and the optimal quantum weak coin flipping protocol described by Mochon [Moc07].
Submitted 9 April, 2009;
originally announced April 2009.
-
The role of help in Classical and Quantum Zero-Knowledge
Authors:
André Chailloux,
Iordanis Kerenidis
Abstract:
We study the role of help in Non-Interactive Zero-Knowledge protocols and its relation to the standard interactive model. In the classical case, we show that help and interaction are equivalent, answering an open question of Ben-Or and Gutfreund. This implies a new complete problem for the class SZK, the Image Intersection Density. For this problem, we also prove a polarization lemma which is stronger than the previously known one.
In the quantum setting, we define the notion of quantum help and show in a more direct way that help and interaction are again equivalent. Moreover, we define quantum Non-Interactive Zero-Knowledge with classical help and prove that it is equal to the class of languages that have classical honest-Verifier Zero Knowledge protocols secure against quantum Verifiers. Last, we provide new complete problems for all these quantum classes.
Similar results were independently discovered by Dragos Florin Ciocan and Salil Vadhan.
Submitted 29 November, 2007; v1 submitted 27 November, 2007;
originally announced November 2007.
-
Increasing the power of the verifier in Quantum Zero Knowledge
Authors:
André Chailloux,
Iordanis Kerenidis
Abstract:
In quantum zero knowledge, the assumption was made that the verifier is only using unitary operations. Under this assumption, many nice properties have been shown about quantum zero knowledge, including the fact that Honest-Verifier Quantum Statistical Zero Knowledge (HVQSZK) is equal to Cheating-Verifier Quantum Statistical Zero Knowledge (QSZK) (see [Wat02,Wat06]).
In this paper, we study what happens when we allow an honest verifier to flip some coins in addition to using unitary operations. Flipping a coin is a non-unitary operation but doesn't seem at first to enhance the cheating possibilities of the verifier since a classical honest verifier can flip coins. In this setting, we show an unexpected result: any classical Interactive Proof has an Honest-Verifier Quantum Statistical Zero Knowledge proof with coins. Note that in the classical case, honest verifier SZK is no more powerful than SZK and hence it is not believed to contain even NP. On the other hand, in the case of cheating verifiers, we show that Quantum Statistical Zero Knowledge where the verifier applies any non-unitary operation is equal to Quantum Zero-Knowledge where the verifier uses only unitaries.
One can think of our results in two complementary ways. If we would like to use the honest verifier model as a means to study the general model by taking advantage of their equivalence, then it is imperative to use the unitary definition without coins, since with the general one this equivalence is most probably not true. On the other hand, if we would like to use quantum zero knowledge protocols in a cryptographic scenario where the honest-but-curious model is sufficient, then adding the unitary constraint severely decreases the power of quantum zero knowledge protocols.
Submitted 27 October, 2008; v1 submitted 26 November, 2007;
originally announced November 2007.