Nothing Special   »   [go: up one dir, main page]
Skip to main content
Springer Nature Link
Log in

Cryptography with Certified Deletion

  • Conference paper
  • First Online:
Advances in Cryptology – CRYPTO 2023 (CRYPTO 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14085))

Included in the following conference series:

Abstract

We propose a unifying framework that yields an array of cryptographic primitives with certified deletion. These primitives enable a party in possession of a quantum ciphertext to generate a classical certificate that the encrypted plaintext has been information-theoretically deleted, and cannot be recovered even given unbounded computational resources.

  • For \(X \in \{\textsf{public}\text {-}\textsf{key},\mathsf {attribute\text {-}based},\mathsf {fully\text {-}homomorphic},\textsf{witness},\textsf{timed}\text {-}\textsf{release}\}\), our compiler converts any (post-quantum) X encryption to X encryption with certified deletion. In addition, we compile statistically-binding commitments to statistically-binding commitments with certified everlasting hiding. As a corollary, we also obtain statistically-sound zero-knowledge proofs for QMA with certified everlasting zero-knowledge assuming statistically-binding commitments.

  • We also obtain a strong form of everlasting security for two-party and multi-party computation in the dishonest majority setting. While simultaneously achieving everlasting security against all parties in this setting is known to be impossible, we introduce everlasting security transfer (EST). This enables any one party (or a subset of parties) to dynamically and certifiably information-theoretically delete other participants’ data after protocol execution. We construct general-purpose secure computation with EST assuming statistically-binding commitments, which can be based on one-way functions or pseudorandom quantum states.

We obtain our results by developing a novel proof technique to argue that a bit b has been information-theoretically deleted from an adversary’s view once they output a valid deletion certificate, despite having been previously information-theoretically determined by the ciphertext they held in their view. This technique may be of independent interest.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 99.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 129.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    In contrast, in the one-time pad encryption setting as considered by [11], the original encrypted message is already information-theoretically hidden from the adversary, so to obtain any interesting notion of certified deletion, one must explicitly consider leaking the secret key.

  2. 2.

    Subsequent to the original posting of our paper on arXiv, an update to [39] was posted with somewhat different results. We provide a comparison between our work and the updated version of [39] in Sect. 1.3.

  3. 3.

    In order to fully capture all of our applications, we actually allow \(\mathcal{Z}_\lambda \) to operate on all inputs, including the BB84 states. See Sect. 3 for the precise details.

  4. 4.

    It may seem counter-intuitive that the certified deletion guarantees provided by our theorem hold even when instantiating \(\mathcal{Z}_\lambda \) with general semantically secure schemes, such as a fully-homomorphic encryption scheme. In particular, what if an adversary evaluated the FHE to recover a classical encryption of b, and then reversed their computation and finally produced a valid deletion certificate? This may seem to contradict everlasting security, since a classical ciphertext could be used to recover b given unbounded time. However, this attack is actually not feasible. After performing FHE evaluation coherently, the adversary would obtain a register holding a superposition over classical ciphertexts encrypting b, but with different random coins. Measuring this superposition to obtain a single classical ciphertext would collapse the state, and prevent the adversary from reversing their computation to eventually produce a valid deletion certificate. Indeed, our Theorem rules out this (and all other) efficient attacks.

  5. 5.

    We discuss comparisons with a recently updated version of [39] in Sect. 1.3.

  6. 6.

    One might be concerned that extending this argument to multi-bit messages may eventually reduce the advantage by too much, since the entire message must be guessed. However, it actually suffices to prove Theorem 1 for single bit messages and then use a bit-by-bit hybrid argument to obtain security for any polynomial-length message.

  7. 7.

    It suffices to require that the relative Hamming weight of each u is \(< 1/2\).

  8. 8.

    This proof strategy is inspired by the techniques of [8], who show a similar claim using a seeded extractor.

  9. 9.

    If we had tried to rely on generic properties of a seeded randomness extractor, as done in [11], we would still have had to deal with the fact the adversary’s view includes an encryption of the seed, which is required to be uniform and independent of the source of entropy. Even if the challenger’s state can be shown to produce a sufficient amount of min-entropy when measured in the standard basis, we cannot immediately claim that this source of entropy is perfectly independent of the seed of the extractor. Similar issues with using seeded randomness extraction in a related context are discussed by [41] in their work on revocable timed-release encryption.

  10. 10.

    In this notion, the adversary is an eavesdropper who sits between a ciphertext generator Alice and a ciphertext receiver Bob (using a symmetric-key encryption scheme), who attempts to learn some information about the ciphertext. The guarantee is that, either the eavesdropper gains information-theoretically no information about the underlying plaintext, or Bob can detect that the ciphertext was tampered with. While this is peripherally related to our setting, [22] does not consider public-key encryption, and moreover Bob’s detection procedure is quantum.

  11. 11.

    The term “ideal committment” can sometimes refer to the commitment ideal funtionality, but in this work we use the term ideal commitment to refer to a real-world protocol that can be shown to securely implement the commitment ideal functionality.

  12. 12.

    Technically, we require that for any \(\{\mathcal{A}_\lambda \}_{\lambda \in {\mathbb N}} \in \mathscr {A}\), every adversary \(\mathcal{B}\) with time and space complexity that is linear in \(\lambda \) more than that of \(\mathcal{A}_\lambda \), is also in \(\mathscr {A}\).

  13. 13.

    One might expect that the everlasting security definition described above already captures this property, since whether the certificate accepts or rejects is included in the output of the experiment. However, this experiment does not include the output of the adversary in the case that the certificate is rejected. So we still need to capture the fact that the joint distribution of the final adversarial state and the bit indicating whether the verification passes semantically hides b.

References

  1. California Consumer Privacy Act (CCPA)

  2. Agarwal, A., Bartusek, J., Khurana, D., Kumar, N.: A new framework for quantum oblivious transfer. CoRR abs/2209.04520 (2022). https://doi.org/10.48550/arXiv.2209.04520

  3. Ananth, P., Qian, L., Yuen, H.: Cryptography from pseudorandom quantum states. To appear in CRYPTO (2022). https://ia.cr/2021/1663

  4. Bartusek, J., Coladangelo, A., Khurana, D., Ma, F.: One-way functions imply secure computation in a quantum world. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 467–496. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_17

    Chapter  Google Scholar 

  5. Bartusek, J., Khurana, D.: Cryptography with certified deletion. Cryptology ePrint Archive, Paper 2022/1178 (2022). https://eprint.iacr.org/2022/1178

  6. Bennett, C.H., Brassard, G.: Quantum cryptography: public key distribution and coin tossing. In: Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing, pp. 175–179 (1984)

    Google Scholar 

  7. Biehl, I., Meyer, B., Wetzel, S.: Ensuring the integrity of agent-based computations by short proofs. In: Rothermel, K., Hohl, F. (eds.) MA 1998. LNCS, vol. 1477, pp. 183–194. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0057658

    Chapter  Google Scholar 

  8. Bouman, N.J., Fehr, S.: Sampling in a quantum population, and applications. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 724–741. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_39

    Chapter  Google Scholar 

  9. Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) lwe. In: 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, pp. 97–106 (2011). https://doi.org/10.1109/FOCS.2011.12

  10. Brassard, G., Crépeau, C., Jozsa, R., Langlois, D.: A quantum bit commitment scheme provably unbreakable by both parties. In: 34th FOCS, pp. 362–371. IEEE Computer Society Press (1993). https://doi.org/10.1109/SFCS.1993.366851

  11. Broadbent, A., Islam, R.: Quantum encryption with certified deletion. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12552, pp. 92–122. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64381-2_4

    Chapter  Google Scholar 

  12. Coiteux-Roy, X., Wolf, S.: Proving erasure. In: IEEE International Symposium on Information Theory, ISIT 2019, Paris, France, 7–12 July 2019, pp. 832–836 (2019). https://doi.org/10.1109/ISIT.2019.8849661

  13. Crépeau, C., Kilian, J.: Achieving oblivious transfer using weakened security assumptions (extended abstract). In: 29th FOCS, pp. 42–52. IEEE Computer Society Press (1988). https://doi.org/10.1109/SFCS.1988.21920

  14. Crépeau, C., van de Graaf, J., Tapp, A.: Committed oblivious transfer and private multi-party computation. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 110–123. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-44750-4_9

    Chapter  Google Scholar 

  15. Damgård, I., Fehr, S., Lunemann, C., Salvail, L., Schaffner, C.: Improving the security of quantum protocols via commit-and-open. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 408–427. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_24

    Chapter  Google Scholar 

  16. Dulek, Y., Grilo, A.B., Jeffery, S., Majenz, C., Schaffner, C.: Secure multi-party quantum computation with a dishonest majority. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 729–758. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_25

    Chapter  Google Scholar 

  17. European Commission: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) (2016). https://eur-lex.europa.eu/eli/reg/2016/679/oj

  18. Fu, H., Miller, C.A.: Local randomness: examples and application. Phys. Rev. A 97, 032324 (2018). https://doi.org/10.1103/PhysRevA.97.032324

  19. Garg, S., Goldwasser, S., Vasudevan, P.N.: Formalizing data deletion in the context of the right to be forgotten. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 373–402. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_13

    Chapter  Google Scholar 

  20. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing, STOC 2009, pp. 169–178. Association for Computing Machinery, New York (2009). https://doi.org/10.1145/1536414.1536440

  21. Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5

    Chapter  Google Scholar 

  22. Gottesman, D.: Uncloneable encryption. Quant. Inf. Comput. 3, 581–602 (2003)

    MathSciNet  Google Scholar 

  23. Grilo, A.B., Lin, H., Song, F., Vaikuntanathan, V.: Oblivious transfer is in MiniQCrypt. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 531–561. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_18

    Chapter  Google Scholar 

  24. Heisenberg, W.: Über den anschaulichen Inhalt der quantentheoretischen Kinematik und Mechanik. Zeitschrift fur Physik 43(3–4), 172–198 (1927). https://doi.org/10.1007/BF01397280

    Article  Google Scholar 

  25. Hiroka, T., Morimae, T., Nishimaki, R., Yamakawa, T.: Quantum encryption with certified deletion, revisited: public key, attribute-based, and classical communication. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090, pp. 606–636. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_21

    Chapter  Google Scholar 

  26. Hiroka, T., Morimae, T., Nishimaki, R., Yamakawa, T.: Certified everlasting functional encryption. Cryptology ePrint Archive, Paper 2022/969 (2022). https://eprint.iacr.org/2022/969, https://eprint.iacr.org/2022/969

  27. Hiroka, T., Morimae, T., Nishimaki, R., Yamakawa, T.: Certified everlasting zero-knowledge proof for QMA. CRYPTO (2022). https://ia.cr/2021/1315

  28. Kalai, Y.T., Raz, R.: Probabilistically checkable arguments. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 143–159. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_9

    Chapter  Google Scholar 

  29. Katz, J., Thiruvengadam, A., Zhou, H.-S.: Feasibility and infeasibility of adaptively secure fully homomorphic encryption. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 14–31. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_2

    Chapter  Google Scholar 

  30. Khurana, D., Mughees, M.H.: On statistical security in two-party computation. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12551, pp. 532–561. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_19

    Chapter  Google Scholar 

  31. Kilian, J.: Founding cryptography on oblivious transfer. In: 20th ACM STOC, pp. 20–31. ACM Press (1988). https://doi.org/10.1145/62212.62215

  32. Kundu, S., Tan, E.Y.Z.: Composably secure device-independent encryption with certified deletion (2020). https://doi.org/10.48550/ARXIV.2011.12704, https://arxiv.org/abs/2011.12704

  33. Lo, H.K.: Insecurity of quantum secure computations. Phys. Rev. A 56, 1154–1162 (1997). https://doi.org/10.1103/PhysRevA.56.1154, https://link.aps.org/doi/10.1103/PhysRevA.56.1154

  34. Lo, H.K., Chau, H.F.: Is quantum bit commitment really possible? Phys. Rev. Lett. 78(17), 3410 (1997)

    Article  Google Scholar 

  35. Mayers, D.: Unconditionally secure quantum bit commitment is impossible. Phys. Rev. Lett. 78(17), 3414 (1997)

    Article  Google Scholar 

  36. Mayers, D., Salvail, L.: Quantum oblivious transfer is secure against all individual measurements. In: Proceedings Workshop on Physics and Computation. PhysComp 1994, pp. 69–77. IEEE (1994)

    Google Scholar 

  37. Morimae, T., Yamakawa, T.: Quantum commitments and signatures without one-way functions. To appear in CRYPTO (2022). https://ia.cr/2021/1691

  38. Naor, M.: Bit commitment using pseudo-randomness. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 128–136. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_13

    Chapter  Google Scholar 

  39. Poremba, A.: Quantum proofs of deletion for learning with errors. Cryptology ePrint Archive, Report 2022/295 (2022). https://ia.cr/2022/295

  40. Unruh, D.: Everlasting multi-party computation. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 380–397. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_22

    Chapter  Google Scholar 

  41. Unruh, D.: Revocable quantum timed-release encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 129–146. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_8

    Chapter  Google Scholar 

  42. Watrous, J.: Zero-knowledge against quantum attacks. In: Kleinberg, J.M. (ed.) 38th ACM STOC, pp. 296–305. ACM Press (2006). https://doi.org/10.1145/1132516.1132560

  43. Wiesner, S.: Conjugate coding. SIGACT News 15, 78–88 (1983)

    Article  Google Scholar 

  44. Winter, A.J.: Coding theorem and strong converse for quantum channels. IEEE Trans. Inf. Theory 45(7), 2481–2485 (1999). https://doi.org/10.1109/18.796385, https://doi.org/10.1109/18.796385

  45. Yao, A.C.C.: Protocols for secure computations (extended abstract). In: 23rd FOCS, pp. 160–164. IEEE Computer Society Press (1982). https://doi.org/10.1109/SFCS.1982.38

  46. Yao, A.C.C.: Security of quantum protocols against coherent measurements. In: 27th ACM STOC, pp. 67–75. ACM Press (1995). https://doi.org/10.1145/225058.225085

Download references

Acknowledgments

We thank Bhaskar Roberts and Alex Poremba for comments on an earlier draft, and for noting that quantum fully-homomorphic encryption is not necessary for our FHE with certified deletion scheme, classical fully-homomorphic encryption suffices.

D.K. was supported in part by DARPA, NSF 2112890 and NSF 2247727. This material is based on work supported by DARPA under Contract No. HR001120C0024. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or DARPA.

Author information

Authors and Affiliations

  1. UC Berkeley, Berkeley, USA

    James Bartusek

  2. UIUC, Champaign, USA

    Dakshita Khurana

Authors
  1. James Bartusek
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Dakshita Khurana
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Dakshita Khurana .

Editor information

Editors and Affiliations

  1. Rambus Inc., San Jose, CA, USA

    Helena Handschuh

  2. Brown University, Providence, RI, USA

    Anna Lysyanskaya

Rights and permissions

Reprints and permissions

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Bartusek, J., Khurana, D. (2023). Cryptography with Certified Deletion. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14085. Springer, Cham. https://doi.org/10.1007/978-3-031-38554-4_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-38554-4_7

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38553-7

  • Online ISBN: 978-3-031-38554-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation