
Research on Quantum Computational Complexity at the ERATO QCI Project, JST

Hiroshi IMAI, ERATO QCI Project, JST / Dept. of Computer Science, Univ. of Tokyo

21st Century COE Security Program and RDI, Chuo University, 2003 International Symposium on Next Generation Cryptography and Related Mathematics

Complexity Theory vs. Cryptography

• Most current cryptosystems are computationally secure: their security rests on assumptions from computational complexity theory.

• This talk: quantum computational complexity / cryptography
  – Quantum states ⇔ information
  – Let's start with various complexity classes

[Figure: Classical computational complexity classes, drawn as nested regions]
  – NEXP: nondeterministic exponential time
  – EXP: exponential time
  – PSPACE: polynomial space
  – NP: nondeterministic polynomial time (intractable)
  – P: polynomial time (tractable)

[Figure: Probabilistic complexity classes added to the classical diagram]
  – PP: probabilistic polynomial time
  – BPP: bounded-error probabilistic polynomial time
  – RP, co-RP: randomized polynomial time
  – ZPP: zero-error probabilistic polynomial time
  – Before 2002 the positions of integer factoring and PRIMES were marked "???" between P and NP ∩ co-NP; in 2002 PRIMES was shown to be in P (next talk by Prof. Agrawal). Integer factoring remains open.

[Figure: Quantum computing added to the diagram]
  – BQP: bounded-error quantum polynomial time
  – Integer factoring is in BQP (Shor 1994)

[Figure: Interactive proof systems, the mathematical model of cryptographic protocols]
  – NEXP = MIP (multi-prover interactive proof)
  – PSPACE = IP = IP_poly = AM_poly (interactive proof)
  – AM = AM_c = AM_2 = IP_2 for c ≥ 2, MA = AM_1 (Arthur-Merlin games), as labelled on the slide

[Figure: Quantum complexity classes in the same nested layout]
  – NEXP = MIP = QMIP (quantum multi-prover interactive proof)
  – QIP (quantum interactive proof)
  – PSPACE = BQPSPACE = PrQPSPACE = (N)PSPACE = IP
  – PrQP = PP
  – NQP = co-C=P
  – QMA and its variants AQMA, RQMA, EQMA; NP (= EMA)
  – BQP, together with BPP, NP, co-NP, RP, co-RP, ZPP and P from the classical diagram

Quantum Computing/Cryptography

• Quantum computing & information
  – exponential speed-up by quantum superposition
  – information transmission by quantum entanglement
• Impacts:
  – A quantum computer destroys current IT security (cryptosystems)
  – P. Shor: integer factoring is easy for a quantum computer ⇒ collapse of public-key cryptosystems built on it (RSA, etc.)
  – Quantum cryptography (possible next-generation cryptography)
  – secure by quantum principle (physical law): BB84, B92, etc.

Quantum Cryptography

• Aims at unconditionally secure cryptoprotocols
  – Attempts to overcome the limit of computationally secure protocols
  – Unconditional security by quantum power
    • Measurement ⇒ state reduction
    • This enables us to detect the existence of an eavesdropper

• From computational complexity assumptions to physical principles

Existing Research on Quantum Cryptography

• Quantum key distribution: BB84, B92, etc.
  – unconditionally secure key distribution by quantum law
  • Quantum law allows detection of the eavesdropper
  – unconditionally secure encryption with the distributed key (one-time pad)
• Quantum bit commitment
  – Impossibility theorem? (Mayers; Lo and Chau 1997)
• Quantum coin flipping
  – Impossibility theorem??
• Almost no other cryptoprotocols by quantum cryptography

Quantum Crypto

[Figure: BB84 between the sender (Alice) and the receiver (Bob), with an eavesdropper (Eve)]
  – Alice sends single photons. For each photon she selects one of two bases and sends a 0 or 1 in it.
  – + basis: horizontal = 0, vertical = 1. × basis: 45° = 0, 135° = 1.
  – Bob has a + receiver and a × receiver and selects one of them per photon. A photon read by the receiver of the sent basis is received correctly; a photon read by the other receiver gives no information (the quantum effect: measurement reduces the state).
  – Eve's receiver differs from the sent basis with probability ½, in which case she learns nothing about that bit; both receivers cannot be used at once.
  – Verification through classical communication: Alice and Bob compare bases, and the eavesdropper is detected through the errors she introduces (uncertainty principle).

Need for quantum research to develop other protocols
• Digital signature
• Secret sharing
• Authentication
• E-voting, E-money, E-…
• …
• Multi-party protocol
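The BB84 exchange described on the slide, as an added example that is not part of the talk: a toy simulation in which a photon is a (basis, bit) pair, a wrong-basis measurement returns a random bit, and Eve performs an intercept-resend attack. The abort threshold on the quantum bit error rate (QBER) and the photon count are assumptions chosen for the demo; in a real run Alice and Bob would compare a random sample of the sifted key over an authenticated classical channel rather than all of it.

```python
import random

# Added example (not from the talk): a toy simulation of BB84 with an
# intercept-resend eavesdropper. A photon is modelled as a (basis, bit) pair;
# measuring it in the matching basis returns the bit, measuring it in the
# other basis returns a uniformly random bit (state reduction), which is the
# "no information" case on the slide.

BASES = ("+", "x")        # "+": horizontal = 0 / vertical = 1; "x": 45 deg = 0 / 135 deg = 1
QBER_THRESHOLD = 0.11     # assumed abort threshold for this demo, not a value from the talk


def measure(photon, basis, rng):
    """Measure photon=(basis, bit) in `basis`; a wrong-basis measurement is a coin flip."""
    sent_basis, bit = photon
    if sent_basis == basis:
        return bit
    return rng.randrange(2)


def bb84(n, eve_present, rng, threshold=QBER_THRESHOLD):
    """Run one BB84 exchange of n photons.

    Returns (sifted_key_length, qber, eavesdropper_detected). Alice's and Bob's
    bits are compared here only to compute the error rate of the sifted key.
    """
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.choice(BASES) for _ in range(n)]
    photons = list(zip(alice_bases, alice_bits))

    if eve_present:
        # Eve picks a basis at random per photon (wrong with probability 1/2),
        # measures, and re-sends a photon carrying what she saw in her basis.
        eve_bases = [rng.choice(BASES) for _ in range(n)]
        photons = [(b, measure(p, b, rng)) for p, b in zip(photons, eve_bases)]

    bob_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bits = [measure(p, b, rng) for p, b in zip(photons, bob_bases)]

    # Sifting over the classical channel: Alice and Bob announce bases (not bits)
    # and keep only the positions where they agree.
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
              if ab == bb]
    errors = sum(1 for a, b in sifted if a != b)
    qber = errors / len(sifted) if sifted else 0.0
    return len(sifted), qber, qber > threshold


def run_demo(seed, eve_present, n=4000):
    """Seeded wrapper so a run is reproducible: returns (sifted_len, qber, detected)."""
    return bb84(n, eve_present, random.Random(seed))


if __name__ == "__main__":
    for eve in (False, True):
        sifted_len, qber, detected = run_demo(seed=1, eve_present=eve)
        print(f"Eve present: {eve!s:5}  sifted bits: {sifted_len}  "
              f"QBER: {qber:.3f}  eavesdropper detected: {detected}")
```

Without Eve the sifted key is error-free, since Bob measured every kept photon in the basis Alice used. With intercept-resend Eve guesses the wrong basis on half the photons, and on those Bob's bit is a coin flip, so about one quarter of the sifted bits disagree, far above the threshold.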

Computationally Secure Multi-party Protocol

[Figure: layers from which computationally secure multi-party protocols are built, top to bottom]
  – Multi-party protocol
  – Oblivious transfer, coin flipping, zero-knowledge proof for any NP problem
  – Bit commitment
  – One-way function with trapdoor

Non-Interactive Quantum Statistical and Perfect Zero-Knowledge Proofs

Hirotada Kobayashi

Quantum Computation and Information (QCI) Project ERATO (Exploratory Research for Advanced Technology) JST (Japan Science and Technology Corporation)

Concerning this part, cf. quant-ph/0207158. Title: Non-Interactive Quantum Statistical and Perfect Zero-Knowledge. Author: Hirotada Kobayashi.

Interactive Proof Systems [Babai 1985; Goldwasser, Micali, and Rackoff 1985]
• Two players: prover, verifier
  – Prover tries to convince the verifier of her assertion.
  – Verifier must check the validity of the prover's assertion, probabilistically and efficiently.
    probabilistically ⇒ with bounded error
    efficiently ⇒ in time polynomial in the input length

[Figure: Peggy (Prover) ⇄ Victor (Verifier), interactive communication]

Example: Graph Non-Isomorphism

Graph Non-Isomorphism Problem (GNI)

INPUT: Two graphs G1, G2 on n vertices

QUESTION: For all permutations π ∈ Sn of the vertices, π(G1) ≠ G2?

◎ Protocol of verifier V:
1. Choose an index i ∈ {1,2} of the graphs and a permutation π ∈ Sn at random. Send the graph π(Gi) to the prover P and ask which of the two is isomorphic to π(Gi).
2. Receive an index j from P. Accept iff i = j.

If G1 and G2 are non-isomorphic, an (unbounded) prover can always tell which one π(Gi) came from, so V accepts with certainty; if they are isomorphic, π(G1) and π(G2) have the same distribution, so any prover's j equals i with probability exactly ½ per round, and repetition drives the soundness error down.

[Figure: two example pairs of 4-vertex graphs (vertices 1–4), one pair labelled isomorphic, the other non-isomorphic]
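The verifier's protocol above, as an added simulation that is not part of the talk. The graphs are constructed for this demo (the slide's own drawings are not recoverable from the page); the prover is an unbounded one that brute-forces isomorphism over Sn, which is the best strategy available to any prover, and the acceptance rates illustrate completeness 1 for a non-isomorphic pair and soundness error ½ per round for an isomorphic pair.

```python
import itertools
import random

# Added example (not from the talk): a simulation of the graph non-isomorphism
# interactive proof on the slide. A graph on n vertices {0, ..., n-1} is a
# frozenset of edges (u, v) with u < v. The example graphs below are constructed
# for this demo.


def graph(edges):
    """Normalise an edge list into a frozenset of sorted pairs."""
    return frozenset(tuple(sorted(e)) for e in edges)


def relabel(g, perm):
    """pi(G): apply the vertex permutation perm (perm[v] is the new name of v)."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in g)


def isomorphic(g1, g2, n):
    """Brute force over all of Sn; fine for the tiny graphs used here (n! permutations)."""
    return any(relabel(g1, p) == g2 for p in itertools.permutations(range(n)))


def honest_prover(g1, g2, n, h):
    """An unbounded prover: answer 1 if h is isomorphic to G1, otherwise 2.

    When G1 and G2 are isomorphic, h is isomorphic to both, so this answer is
    right only when the verifier happened to choose i = 1.
    """
    return 1 if isomorphic(g1, h, n) else 2


def verifier_round(g1, g2, n, prover, rng):
    """One round of the slide's protocol: accept iff the prover's j equals the verifier's i."""
    i = rng.choice((1, 2))
    perm = list(range(n))
    rng.shuffle(perm)                       # pi in Sn, uniformly at random
    h = relabel(g1 if i == 1 else g2, perm)
    j = prover(g1, g2, n, h)
    return i == j


def acceptance_rate(g1, g2, n, rounds, trials, seed):
    """Fraction of `trials` protocol runs (each `rounds` sequential rounds) that V accepts."""
    rng = random.Random(seed)
    accepted = sum(
        all(verifier_round(g1, g2, n, honest_prover, rng) for _ in range(rounds))
        for _ in range(trials)
    )
    return accepted / trials


# Constructed inputs on 4 vertices: a path and a star (non-isomorphic, since the
# degree sequences differ), and the same path with its vertices renamed (isomorphic).
PATH = graph([(0, 1), (1, 2), (2, 3)])
STAR = graph([(0, 1), (0, 2), (0, 3)])
PATH_RELABELLED = graph([(0, 2), (1, 2), (1, 3)])


if __name__ == "__main__":
    print("non-isomorphic, 10 rounds:", acceptance_rate(PATH, STAR, 4, 10, 100, 0))
    print("isomorphic, 1 round:     ", acceptance_rate(PATH, PATH_RELABELLED, 4, 1, 2000, 0))
    print("isomorphic, 10 rounds:   ", acceptance_rate(PATH, PATH_RELABELLED, 4, 10, 200, 0))
```

The non-isomorphic pair is accepted in every run; the isomorphic pair is accepted in about half of the single-round runs and almost never after ten rounds, because the verifier's accept-iff-i=j check gives a cheating prover no more than a coin-flip chance per round.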

Summary

• Non-interactive quantum zero-knowledge proofs
  – NIQSZK, NIQPZK
  – Necessity of shared randomness or shared entanglement
  – NIQPZK of perfect completeness with shared EPR pairs
• Complete problem for NIQPZK(1, b)
  – NIQPZK proofs for the graph non-automorphism problem
  – Complete problem for BQP