Cryptography from Pseudorandom Quantum States
Prabhanjan Ananth �UC Santa Barbara
Luowen Qian�Boston University
Henry Yuen�Columbia
Cryptography: dazzling possibilities
Encryption
Bit commitment
Coin Flipping
Program Obfuscation
Digital Signatures
Secure Multiparty Computation
Homomorphic�Encryption
Zero-Knowledge
Cryptography: dazzling possibilities
Encryption
Bit commitment
Coin Flipping
Program Obfuscation
Digital Signatures
Secure Multiparty Computation
Homomorphic�Encryption
Zero-Knowledge
Amazing possibilities rely on�hardness assumptions: some computational task is difficult for all resource-limited adversaries.
The Zoo of Assumptions
One-way functions
Pseudorandom Generators
Hardness of�factoring
LPN
Hardness of lattice problems
DDH
Trapdoor�One-way functions
RSA
SXDH
LWE
SVP
DCR
rand(t)
The Zoo of Assumptions
One-way functions
Pseudorandom Generators
Hardness of�factoring
LPN
Hardness of lattice problems
DDH
Trapdoor�One-way functions
RSA
SXDH
LWE
SVP
DCR
rand(t)
OWFs: (provably) minimal crypto assumption. �Necessary assumption for cryptography.
…at least, for classical protocols.
Cryptography in a quantum world
Quantum Key Distribution
BB84 protocol: unconditionally-�secure key distribution, using quantum communication.
Classical key distribution requires assumptions stronger than OWFs.
Shor’s Algorithm
Quantum computers can factor integers in poly time.��Security of RSA assumes hardness of factoring.
(More) Recent �Developments
Public-key Quantum Money
Quantum Copy Protection
Device-Independent Protocols
Secure Multiparty Computation � based only on OWFs� + quantum communication
Cryptography in a quantum world
Quantum Key Distribution
BB84 protocol: unconditionally-�secure key distribution, using quantum communication.
Classical key distribution requires assumptions stronger than OWFs.
Shor’s Algorithm
Quantum computers can factor integers in poly time.��Security of RSA assumes hardness of factoring.
Public-key Quantum Money
Quantum Copy Protection
Device-Independent Protocols
Secure Multiparty Computation � based only on OWFs
+ quantum communication
What are the minimal assumptions needed for cryptography in the quantum world?
(More) Recent �Developments
This talk
We show that “Crypto 101” tasks, such as�
can be performed using pseudorandom quantum states (PRS), rather than one-way functions.
PRS can provide an �alternative foundation for security of cryptographic tasks.
Pseudorandom Quantum States
A quantum analogue of pseudorandom generators
Pseudorandom Generator
Deterministic�poly-time function
Pseudorandom State Generator
Quantum�poly-time algorithm
Haar-random quantum states
Pseudorandom quantum states
Pseudorandom quantum states
Pseudorandom quantum states
A candidate PRS generator
Pseudorandom quantum states
Pseudorandom states are efficient imitators of Haar-random states.
2018: Zhengfeng Ji, Yi-Kai Liu, Fang Song defined PRS as quantum analogue of PRGs.
Construction: PRS generators can be constructed from one-way functions (OWFs).
Cryptographic applications: Private-key quantum money schemes.
2021: William Kretschmer showed OWFs cannot be constructed from PRS �in generic, black-box way.
In quantum crypto, PRS may be more fundamental than OWFs!
Pseudorandom quantum states
Pseudorandom states are efficient imitators of Haar-random states.
2018: Zhengfeng Ji, Yi-Kai Liu, Fang Song defined PRS as quantum analogue of PRGs.
Construction: PRS generators can be constructed from one-way functions (OWFs).
Cryptographic applications: Private-key quantum money schemes.
2021: William Kretschmer showed OWFs cannot be constructed from PRS �in generic, black-box way.
In quantum crypto, PRS may be more fundamental than OWFs!
What cryptography can be built from pseudorandom quantum states?
PRG vs PRS
Pseudorandom Generator
Pseudorandom State Generator
Extremely useful in classical cryptography.
Unclear how to use PRS for crypto.
Equivalent to OWFs.
OWFs do not generically imply PRS.
Unclear how to stretch output length of PRS generator.
Truncating output of PRG still yields PRG.
PRS are highly entangled, so cannot be truncated.
Can copy outputs of PRG.
Cannot copy PRS.
Pseudorandom states are brittle!
Pseudorandom function-like states
We introduce a new notion: pseudorandom function-like states (PRFS).
Designed to be more flexible and less brittle than PRS.
PRFS is quantum analogue of a pseudorandom function (PRF) in
classical cryptography -- hence the name function-like.
Pseudorandom function-like states
Pseudorandom function-like states
Easy direction: PRFS generators implies the existence of PRS generators.
Harder direction: Using OWFs, can build PRFS generators using Ji, Liu, Song’s construction.
Not obvious how to construct PRFS using PRS as a black box.
The famous Goldreich-Goldwasser-Micali construction that builds classical pseudorandom functions (PRF) from PRGs requires copying outputs. ��GGM seems incompatible with PRS!
Applications of PRFS
PRFS
Pseudo one-time pad
Bit commitment
Message authentication codes*
Secure�multiparty computation
PRS
Symmetric-key encryption*
Work of �Bartusek-Coladangelo-Khurana-Ma ‘21
We construct PRFS from PRS under a certain parameter range.
Look Ma -- no one-way functions!
Also (concurrently) obtained from PRS by Morimae-Yamakawa ’21.
Encryption from PRFS
(Private-key)
Private-key �Encryption
= shared random key
Looks completely random �to me…
adversary
One-time Pad
Looks completely random �to me…
unbounded adversary
Pseudo�One-time Pad
Still looks completely random �to me…
poly-time adversary
Pseudo�One-time Pad
Still looks completely random �to me…
poly-time adversary
Using PRG, can imitate one-time pad with shorter key (assuming poly-time adversary).
Pseudo�One-time Pad
Still looks completely random �to me…
poly-time adversary
Natural idea: replace PRG with PRS gen? �Doesn’t work: e.g., no obvious way to decode.
Quantum Pseudo�One-time Pad
Still looks completely random �to me…
= PRFS generator with
poly-time adversary
Quantum Pseudo�One-time Pad
poly-time adversary
Commitments from PRFS
Commitment schemes
Protocol executed between two mistrustful parties (committer, receiver). �Cryptographic equivalent of putting a message in sealed envelope that is opened later.
Committer
Receiver
…
Commitment schemes
Protocol executed between two mistrustful parties (committer, receiver). �Cryptographic equivalent of putting a message in sealed envelope that is opened later.
Committer
Receiver
…
Commitment schemes
Example use: bids in auction can be confidentially submitted using a�commitment scheme, and only opened when everyone has submitted their bids.
Commitment schemes are fundamental building block in cryptography. They can be used to construct:
Commitment schemes can be built from PRGs.
Naor Commitment Scheme
Committer
Receiver
Commitment Phase:
Opening Phase:
Committer
Receiver
QNaor Commitment Scheme
Committer
Receiver
Commitment Phase:
Opening Phase:
Committer
Receiver
= PRFS generator with
QNaor Commitment Scheme
Committer
Receiver
Commitment Phase:
Opening Phase:
Committer
Receiver
= PRFS generator with
PRFS from PRS
Open question: construct PRFS from PRS in a black box way.
Corollary: This Theorem is enough to build the PRFS needed for the previous applications (pseudo one-time pad, encryption).
Summary
Open Questions
Thank You!