The present invention relates generally to the field of secure computing using quantum communications and more particularly to the computation of a logical AND between multiple participants connected to a communication network.
Generally speaking, the invention relates to the field of secure multi-party computation, which is a branch of cryptography whose objective is to allow participants to obtain the result of a common function without any of them being able to know the inputs of the other participants.
This type of problem seems to have been raised in the 1970s in the article by A. Shamir, R. Rivest, and L. Adleman, “Mental Poker”, Technical Report LCS/TR-125, Massachusetts Institute of Technology, April 1979. In the 1980s, the problem was applied to the theoretical problem of billionaires which consisted of determining the richest person in a set of billionaires without any of them disclosing their fortune to anyone. A notable example is the article by Andrew C. Yao, “Protocols for secure computations” which presents the problem and a protocol to solve it.
Other applications of secure multi-party computation include auction or voting mechanisms, statistics on medical data, etc. In these applications, generally speaking, one wants to achieve a result based on all the input data while keeping it private, that is secret from other parties. In the case of medical data, for example, it may be interesting to construct statistical or aggregate data, but for legal reasons, individual data cannot be accessible to anyone. Similarly, in auction systems, for example in a wholesale market for agricultural products, the issue is to determine which party has won the auction but without the different parties having to reveal their bids.
While there is theoretical work on secure multi-party computation, very few industrial developments exist. Indeed, privacy protection is a relatively new concern: the first large-scale implementation dates back to 2009, and the first practical solutions are necessarily coming to market with some delay.
Furthermore, existing proposals generally induce an additional cost in terms of computation time which makes them prohibitive for practical uses.
Another drawback of existing proposals is their high level of technicality, linked to cryptographic techniques, which makes them difficult to integrate into existing products and systems.
The purpose of the invention is to at least improve the situation by providing an efficient, secure multi-party computation method making use of a quantum communication channel.
More particularly, the invention concerns the sub-problem of a distributed computation of a logical AND, as this computation allows any multi-party logic functions to be carried out.
To this end, the present invention proposes a method for calculating a logical AND between two chosen bits, xi, xj held by a first and a second participant, Ci, Cj respectively, connected to each other and to a server by at least one quantum communication channel Lq and one conventional communication channel Lc, comprising
a first phase using said quantum communication channel and comprising
According to preferred embodiments, the invention comprises one or several of the following features which may be used separately or in partial combination with each other or in total combination with each other:
Another aspect of the invention relates to a device for calculating a logical AND between two chosen bits, xi, xj held by a first and a second participant, Ci, Cj respectively, connected to each other and to a server by at least one quantum communication channel and one conventional communication channel, comprising means for implementing the previously described method.
According to preferred embodiments, the invention comprises one or several of the following features which may be used separately or in partial combination with each other or in total combination with each other:
The use of quantum communication allows an excellent level of security for a modest computational overhead. The security is perpetual because it does not rely on the solving of computational problems. Thus, it is not possible to record the communication to break the protocol later, in the future. The computational overhead for an AND is not very large: a few qubit exchanges.
As discussed in the introduction, one of the purposes of the invention is to enable secure multi-party computation between a set of participants.
According to one embodiment, these participants can be organized in a chain as shown in
The N participants C1, C2, C3 . . . CN can communicate with their immediate neighbors only and through at least two communication channels: a quantum communication channel Lq and a classical, or conventional, communication channel Lc.
This conventional communication channel Lc can be secured. The security can be achieved for example through the quantum communication channel which allows the exchange of encryption keys with unconditional security. It can be of different types, depending on the embodiments. Typically, it can be a digital communication channel compliant with the TCP/IP protocol stack. It can be a wired channel (Ethernet, etc.) or wireless (WiFi, cellular, etc).
According to another embodiment, the conventional communication channel Lc can be of the “broadcast” type. Thus, all participants receive data from all participants. However, the security obtained by exchanging encryption keys can be peer-to-peer, so that the conventional “physical” communication channel Lc supports a set of peer-to-peer “logical” communication channels, connecting each of the participants to its neighbors.
In practice, the participants can be of various types: they can be computers connected to a communication network, or virtual machines deployed on a server or on a server farm, etc.
The quantum communication channel Lq can be implemented in different ways as well.
According to one embodiment, the quantum communication channel Lq is provided to allow the transmission of light signals enabling the transport of quantum bits, generally called “qubits”. It is typically an optical fiber.
Quantum bits can be encoded with photons according to their degree of freedom. “Photon degree of freedom” refers to a physical property described by quantum mechanics and usable for quantum communications. Examples of photon degrees of freedom are phase, phase difference, frequency, polarization or temporal location. In this description, we use the formalism that represents a quantum state as a vector |α> in a d-dimensional Hilbert vector space. The concept of Hilbert vector space extends the methods of linear algebra by generalizing the notions of Euclidean space (like the Euclidean plane or the usual space of dimension 3) and Hermitian space to spaces of any dimension (finite or infinite). A vector |α> of a d-dimensional Hilbert vector space can be described via a basis of the d-dimensional Hilbert vector space.
A first participant C1 is intended to emit the photons, which will be transmitted from one to the next along the chain.
According to a chain embodiment, as shown in
According to a ring embodiment, as shown in
The first participant C1 can be called the “sender”. In practice, it can be implemented in different ways. For example, it may comprise a laser capable of generating photons and an initial modulator capable of modulating a degree of freedom of a generated photon.
According to one embodiment, a modulation is carried out on the time interval for which a photon is to be generated, the overall energy of which corresponds to a photon energy quantum.
According to another embodiment, the phase difference is used as a degree of freedom to encode the qubits. In this case, the sender C1 generates the photons by modulating them according to two peaks, each in a half-interval of the interval corresponding to the photon to be generated. The total energy of this modulation being, by configuration, equal to the energy quantum of a photon, each photon thus generated is in a superposition over these two half-intervals.
The laser can be provided with a wavelength of 1550 nm which corresponds to the minimum attenuation in optical fibers commonly used in telecommunications.
The N-2 participants besides the endpoint participants C1, CN are modulators. They are not designed to emit photons but only to modulate an electromagnetic field in which the photons pass in order to modify one of their degrees of freedom.
According to one embodiment (
The receiving participant, C1, CN, may comprise a single photon detector. Different mechanisms exist in the prior art. For example, there are detectors based on avalanche photodiodes (APDs).
It is possible to set up bidirectional communication channels, so that quantum bits (or qubits) can be transmitted in both directions of the chain. In such a case, the sender C1 can also be a receiver, that is it can have measuring means (single photon detector).
Depending on the type of degree of freedom, different types of modulators and detectors can be used by the participants C1, C2, C3 . . . CN.
When the degree of freedom of photons to encode quantum bits is the phase, the modulators can be phase modulators. For example, the LN53S-FC or LN65S-FC model marketed by Thorlabs can be used.
When the degree of freedom of photons to encode quantum bits is photon polarization, the modulators can be polarization modulators. For example, a model from the PSC-LN series of products marketed by iXblue Photonics can be used.
When the degree of freedom of the photons to encode the quantum bits is the temporal location of the photons, the modulators may each comprise a number d of delay lines and a number 2d of splitter plates, where d represents the dimension of the Hilbert vector space of representation of the quantum states. The superposition of temporal locations to be realized to create an incompatible base can be obtained by programming the splitter plates.
The same principle can be used for detection by the receiver CN. This can have only one single photon detector, downstream of a similar device allowing to separate the beams and to delay the beams differently so that after recombination of the beams, the instant of the detection of the photon makes it possible to determine the temporal location of that photon.
This architecture can be used for secure multi-party computation between participants.
It is known that any computation on binary data can be reduced to a combination of universal logical operators. These universal logical operators are “NAND” (for “Not And”) and “NOR” (for “Not Or”).
Carrying out a logical “NOT” operator does not pose any particular problem of security since it is a local operator. On the other hand, the logical operators AND and OR can involve several participants and thus imply a security problem: the result of the operation must be obtained without any of the participants knowing the value held by the other participants.
It is more common to use the “NOT AND” operator. Thus, the invention addresses the particular sub-problem of computing a logical AND between multiple participants. More specifically, it deals with the computation of a logical AND between two participants, it being understood that switching to more than two participants amounts to combining several “AND” operators.
In the following we will denote xi Λ xj the logical “and” operation between the bits xi and xj.
The invention thus aims to calculate a logical AND between bits xi and xj held by two participants, Ci and Cj respectively, where 1<i<N and 1<j<N and, of course, i≠j, with the constraints that
We will call these two bits xi and xj, “chosen bits”.
Notably, the method according to the invention involves a third party, called server in the following. This server may know the final result xi Λ xj but must not know the value of xi nor the value of xj. This server also has the function of creating and emitting a photon in a given state, and can therefore be implemented, at least partially, by the sender C1.
According to a first embodiment based on a ring architecture (
According to a second embodiment based on a chain architecture (
Even more implementations are possible. In the following, for simplicity, we will assign the reference C1 to the server.
In a very general way, this computation is based on a correlation, known as “magic”, between three binary variables α, β, γ each determined, respectively, by the two participants Ci, Cj and the server C1 and corresponding to a logical “and” between two bits b1, b2 held by the participants so that α+β+γ=b1 Λ b2. Furthermore, the marginal distributions of the three variables α, β, γ must satisfy the uniformity criterion: when viewed individually, each bit can equiprobably take the value 0 or 1. In the following, we will call these three variables “correlation variables”.
A first phase consists of establishing a magic correlation corresponding to the logical “and” between two random bits and using the quantum communication channel Lq and quantum computation. At the end of this first phase, we therefore determine the three variables α, β, γ forming the magic correlation.
A second phase is to use this magic correlation (α, β, γ) to compute the logical “and” between the two chosen bits xi, xj, that is, the final result sought, using a conventional secure communication channel, Lc.
In the first phase, participants Ci and Cj will apply quantum gates, U and V, to input qubits in order to generate output qubits.
The quantum gate V transforms the state (or qubit) of a photon into an orthogonal state, in any orthonormal basis. The quantum gate U corresponds to a square root of the transformation performed by the quantum gate V.
On the Bloch sphere, these operations are therefore equivalent to saying that the whole quantum part is defined to within one rotation.
The qubit is generated by the server C1, in a first state, in an orthonormal basis.
According to an embodiment, this first state is denoted |+>. This notation is, however, arbitrary, since it is sufficient, according to the invention, to have any two orthogonal states, but it allows for clearer description.
In the following, we will denote as |0> and |1> two orthogonal states (that is perfectly distinguishable) among the quantum degrees of freedom of the emitted photon in this orthonormal basis.
We denote as |+> and |−> two states formed by the superposition of these two orthogonal qubits. We can write:
We can also write
The gate V is a Pauli-Z gate which is equivalent to a rotation around the Z-axis of the Bloch sphere by π radians. It can be represented by the Pauli-Z matrix:
In other words, such a gate V transforms the state |+> into the state |−>, and, reciprocally, the state |−> into the state |+>.
As said before, the gate U is a square root of the gate V. According to one embodiment, it may be a rotation about the Z axis of the Bloch sphere by π/2 radians. In other words, by applying the U gate twice, we obtain the equivalent of a V gate.
In an embodiment encoding phase difference information, the qubit |+> may correspond to a photon in uniform superposition over these two half-intervals. In this case, the rotations U and V correspond to a phase shift of the 2nd half-interval of π/2 and π, respectively.
In all the cases described above and in general, the implementations are carried out by applying an appropriate modulation.
Also of interest is the paper by Marco Clementi, Anna Pappa, Andreas Eckstein, Ian Walmsley, Elham Kashefi, et al, “Classical multiparty computation using quantum resources” in Physical Review A, American Physical Society, 2017, 96 (6), pp. 062317. (10.1103/PhysRevA.96.062317). (hal-02164423). In this paper, the states |+> and |−> are implemented using vertical and horizontal polarizations. The rotations U and V are implemented with half-wave plates.
In this example, it is assumed that two participants Ci and Cj have, at a given time, two bits, respectively xi and xj whose logical “and” is to be calculated.
In a step S1, each participant Ci, Cj determines, for example randomly, a value for its respective correlation variable α, β intended to form a magic correlation. Each participant also determines the value of two other bits, p and q respectively, also at random. These 4 random bits α, β, p, q can be determined in this preliminary step S1 or later, before these bits are needed in the computations required by the subsequent steps of the protocol.
In a step S2, the server C1 prepares and sends a photon in a superposition state of orthogonal states in a given orthonormal basis.
According to one embodiment, the server C1 prepares and transmits a |+> state which is a uniform superposition of two |0> and |1> states, to the first participant Ci. According to another embodiment, the server C1 prepares and sends a |−> state. As said above, the initial state itself does not matter, it is only important that the transformation V transforms this state into an orthogonal state.
Note that the two participants are interchangeable, since the logical “and” is a commutative operation. Therefore, the terms “first” and “second” participants are only used to distinguish them, for the clarity of the description, without establishing any order or hierarchy between them.
In a step S3, the first participant Ci receives this state of the photon and applies to it a first quantum transformation formed by the succession of two quantum gates, one performing a rotation of angle π around the Z-axis and the other a rotation of angle π/2 around the Z-axis, this transformation depending on the two random bits determined by this first participant, that is α and p.
More precisely, this first transformation can be written V^α U^p.
This notation T^e means that if the exponent e is equal to 1, we apply the transformation T and if it is equal to 0, we do not apply it.
The first participant Ci can then send the qubit resulting from this transformation in the quantum communication channel Lq to the second participant Cj.
In a step S4, the second participant Cj performs a similar transformation but based on the two random bits at its disposal: β and q. This second transformation can be written V^β U^q. The qubit resulting from this transformation can then be sent in the quantum communication channel Lq to the server C1.
In a step S5, the server C1 performs a third transformation which can be written as (U*)^(p+q), where U* is the inverse transformation of U.
According to the invention, the value p+q is transmitted to the server C1, without communicating the individual values of p and q.
According to a preferred mode of implementation of the invention, the protocol is secured by secretly sharing a bit r between the two participants Ci and Cj in order to encode the communication of bits p and q to the server C1. Accordingly, during step S1 (which can be extended to this step S4),
Other secure methods can be used to transmit the value of t1+t2 to the server C1, as will be seen later.
The sign “+” indicates binary addition. Since we are only interested in a single bit, this operation is equivalent to an “exclusive or”.
The server C1 can then calculate the third transformation (U*)^(t1+t2).
After this transformation, the state of the qubit is: (U*)^(t1+t2) · V^β U^q V^α U^p |+>
This expression can be simplified, depending on the different values that the random bits p and q can take (due to the commutativity of the gates U, V and U*), into:
Here we can recall that the gate V amounts to swapping the |+> and |−> states, so that the number of swaps depends on the value of the correlation values α and β.
We can therefore write the following truth table:
The server C1 then measures the received qubit in the {|+>, |−>} basis, and determines the value of its correlation variable γ as follows:
From this, we can notice that γ=α+β+(pΛq).
In other words, α+β+γ=pΛq
This expression is that of a magic correlation between the three correlation variables α, β, γ, the binary sum of which is used to calculate the logical “and” of the two bits p and q.
Once this correlation is established, it allows us to calculate, in a second phase, the logical “and” for other bits, and in particular the chosen bits xi, xj.
It is noteworthy that this first phase is independent of the chosen bits xi, xj.
According to one embodiment, the first steps S1, S2, S3, S4, S5 constituting a first phase, can be carried out upstream of the moment when the participants Ci and Cj have the respective bits xi, xj whose logical “and” is to be calculated. In other words, this first phase can be precomputed, so as to reduce the computations to be performed between the moment when the bits xi and xj are known and the result is made available, xi Λ xj.
This type of implementation allows significant gains in performance and security.
In a step S6, the participants Ci, Cj exchange a value depending on the sum between the random bit, respectively p, q, and the chosen bit, respectively xi, xj.
For example,
In a step S7, both participants Ci, Cj and the server C1 each separately provide a value, a, b, c, respectively, such that a+b+c=xi Λ xj.
More precisely,
The values of u1 and u2 are random and are shared among the participants beforehand. This sharing can be done through the conventional secure communication channel Lc.
It may then be verified that a+b+c=xi Λ xj, which is the desired result.
Indeed,
Identical terms cancel each other out since they are binary additions on a single bit (without a carry), thus equivalent to an exclusive “or”. Therefore, this expression can be simplified, effectively, into a+b+c=xi Λ xj.
One can thus obtain, by this simple binary sum of independent terms, the value of the logical “and” between the bits xi and xj chosen respectively by the first participant Ci, and the second participant Cj without their value being known by another entity than the one that chose it. Thus, the desired property of secure multi-party computation is ensured.
Moreover, in the case where the first phase (quantum) is carried out in advance, the phase of effective computation of this “logical and” (second phase) is very effective since it only involves a double exchange between the two participants (step S6), bit additions and the provision of the values a, b, c which can simply be summed to obtain the result.
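The two phases described above (steps S1 to S5 on the quantum channel, then S6 and S7 on the classical channel), simulated end to end with a single-qubit state vector; this is an added example, not the patent's own implementation. It assumes, where the page leaves the formulas implicit, that γ is 0 for outcome |+> and 1 for |−>, that the shared bit r masks p and q as t1 = p+r and t2 = q+r, and one concrete decomposition into shares a, b, c (including how u1, u2 enter them) that satisfies a+b+c = xi Λ xj.

```python
import random

# Single-qubit states as amplitude pairs in the {|0>, |1>} basis, and the
# diagonal gates used by the protocol: V = Pauli-Z (rotation by pi about the
# Z-axis), U = sqrt(V) (rotation by pi/2 about the Z-axis), U_DAG = U*.
PLUS = (1 / 2 ** 0.5, 1 / 2 ** 0.5)     # |+>
MINUS = (1 / 2 ** 0.5, -1 / 2 ** 0.5)   # |->
V = (1, -1)
U = (1, 1j)
U_DAG = (1, -1j)

def apply(gate, state, e):
    """T^e notation: apply the diagonal gate only if the exponent bit e is 1."""
    if e:
        return (gate[0] * state[0], gate[1] * state[1])
    return state

def measure_pm(state):
    """Measure in the {|+>, |->} basis: 0 for |+>, 1 for |-> (assumed mapping
    of the outcome to gamma; the page's table for this step is not shown)."""
    p_plus = abs(PLUS[0] * state[0] + PLUS[1] * state[1]) ** 2
    return 0 if random.random() < p_plus else 1

def phase1(alpha, p, beta, q):
    """Steps S2-S5 on the quantum channel Lq; returns the server's bit gamma."""
    qubit = PLUS                                   # S2: C1 emits |+>
    qubit = apply(V, apply(U, qubit, p), alpha)    # S3: Ci applies V^alpha U^p
    qubit = apply(V, apply(U, qubit, q), beta)     # S4: Cj applies V^beta U^q
    # p+q reaches C1 without p or q individually: a bit r shared by Ci and Cj
    # masks each of them (assumed encoding t1 = p+r, t2 = q+r, so t1+t2 = p+q).
    r = random.randint(0, 1)
    t1, t2 = p ^ r, q ^ r
    qubit = apply(U_DAG, qubit, t1 ^ t2)           # S5: C1 applies (U*)^(t1+t2)
    return measure_pm(qubit)                       # gamma = alpha+beta+(p AND q)

def phase2(xi, p, alpha, xj, q, beta, gamma):
    """Steps S6-S7 on the classical channel Lc; returns the shares a, b, c."""
    d1, d2 = xi ^ p, xj ^ q                        # S6: values exchanged
    # Random masks u1, u2 shared beforehand over Lc (assumed: u1 between Ci
    # and C1, u2 between Cj and C1); they cancel in the sum a + b + c.
    u1, u2 = random.randint(0, 1), random.randint(0, 1)
    # xi.xj = (d1+p)(d2+q) = d1.d2 + p.d2 + d1.q + p.q, and p.q = alpha+beta+gamma.
    a = (d1 & d2) ^ (p & d2) ^ alpha ^ u1          # S7: Ci's share
    b = (d1 & q) ^ beta ^ u2                       # S7: Cj's share
    c = gamma ^ u1 ^ u2                            # S7: C1's share
    return a, b, c

def secure_and(xi, xj):
    """Whole protocol for one AND; each party draws its own random bits (S1)."""
    alpha, p = random.randint(0, 1), random.randint(0, 1)   # Ci
    beta, q = random.randint(0, 1), random.randint(0, 1)    # Cj
    gamma = phase1(alpha, p, beta, q)              # precomputable first phase
    a, b, c = phase2(xi, p, alpha, xj, q, beta, gamma)
    return a ^ b ^ c

if __name__ == "__main__":
    for xi in (0, 1):
        for xj in (0, 1):
            assert all(secure_and(xi, xj) == (xi & xj) for _ in range(100))
    print("a + b + c = xi AND xj holds for every input")
```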
According to one embodiment of the invention, the security of the method can be enhanced in various ways.
The conventional communication channel Lc can be secured by conventional or quantum means.
As previously described, a bit r can be shared secretly between the participants and the server. This bit can be shared using a quantum key distribution, for example.
Quantum key security mechanisms are known per se, and there are various commercial devices to perform this step. Among others, mention may be made of the devices “Cerberis3 QKD System” marketed by ID Quantique, “QKD System” marketed by Toshiba, or “Quantum Key Distribution (QKD)” from Quintessence Labs.
Another example is the patent application FR1909839 entitled “Method for secure transmission of quantum state sequences between multiple online participants over a quantum communication channel”.
Also, a different bit, r1, r2, r3 can be shared between each pair of the set constituted by the participants and the server. Thus, the first participant Ci and the server C1 exchange a first bit r1; the second participant Cj and the server C1 exchange a second bit r2, and the first and second participants exchange a third bit r3.
During the initialization phase S1, it is then possible to have:
The computation of a binary logical “and” can be applied to solve any computational problem distributed between the two participants Ci, Cj.
In the case of an application to an auction mechanism, it is assumed that each of the participants Ci, Cj holds a number of n bits, respectively xi, xj, representing a bid value: xi, xj ∈ {0,1}^n
For two binary inputs a, b, we define the function f(a,b)=1+aΛ(1+b). This function takes the value 1 if b≥a, and 0 otherwise.
This function can be calculated, for one bit, according to the method previously described. Indeed, noting that 1+b is a logical NOT, this function is calculated as f(a,b)=NOT(a and (NOT b))
It is then possible to determine the winner between two bids in the auction by performing a bit-by-bit comparison of the two values xi, xj starting from the most significant bit, and using this comparison function f for each bit.
If f returns 0 for one bit, then xi>xj and Ci carries the bid over Cj; otherwise xj≥xi and the bid is either carried by Cj or both participants have made the same bid.
By doing this computation in both directions, that is also by swapping xi and xj for the second computation, it can be determined in all situations which of the participants won the auction.
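The bit-by-bit auction comparison built from f(a,b) = 1 + a Λ (1 + b), scanning from the most significant bit and evaluating f in both directions at each position; this is an added example, not code from the patent. The AND oracle `and_fn` stands for the secure two-party AND (here the plain local AND so the block runs on its own), and the winner rule for the two-direction scan is an assumption consistent with the text.

```python
def f(a, b, and_fn=lambda u, v: u & v):
    """f(a, b) = NOT(a AND NOT b), computed mod 2: 1 if b >= a, else 0."""
    return 1 ^ and_fn(a, 1 ^ b)

def bits_msb_first(x, n):
    """The n bits of x, most significant bit first."""
    return [(x >> k) & 1 for k in range(n - 1, -1, -1)]

def compare_bids(xi, xj, n, and_fn=lambda u, v: u & v):
    """Return 'Ci', 'Cj' or 'tie' for two n-bit bids.

    At each bit position, from the MSB down, f is evaluated in both
    directions (xi against xj, then xj against xi).  The first position
    where one direction yields 0 is the first differing bit and decides
    the auction; if no position yields 0, both bids are equal.
    """
    for a, b in zip(bits_msb_first(xi, n), bits_msb_first(xj, n)):
        if f(a, b, and_fn) == 0:      # a = 1, b = 0: xi > xj at this bit
            return "Ci"
        if f(b, a, and_fn) == 0:      # b = 1, a = 0: xj > xi at this bit
            return "Cj"
    return "tie"

if __name__ == "__main__":
    # Constructed sample bids, 3 bits each.
    print(compare_bids(5, 3, 3), compare_bids(2, 5, 3), compare_bids(4, 4, 3))
```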
| Number | Date | Country | Kind |
|---|---|---|---|
| 2004295 | Apr 2020 | FR | national |
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/FR2021/050662 | 4/15/2021 | WO | |