Collusion-Resistant Quantum Secure Key Leasing Beyond Decryption
Fuyuki Kitagawa, Ryo Nishimaki, Nikhil Pappu
TL;DR
The paper develops a unified framework for collusion-resistant secure key leasing (SKL) in the quantum setting, extending beyond decryption to PRFs and signatures. It introduces multi-level traitor tracing (MLTT) and shows how to compile MLTT schemes into SKL for a broad class of primitives, achieving bounded collusion-resistance for PRF-SKL from LWE and unbounded collusion-resistance for DS-SKL from SIS under OWFs. A key technical innovation is the use of two-superposition quantum states to enable robust, parallelizable tracing and deletion properties, together with a verification-oracle resilience mechanism via tokenized MACs. The results significantly advance SKL by enabling collusion-resistant leasing under standard cryptographic assumptions and providing practical constructions with verification-query resilience, broadening the applicability of quantum-secure SKL to more primitives and real-world scenarios.
Abstract
Secure key leasing (SKL) enables the holder of a secret key for a cryptographic function to temporarily lease the key using quantum information. Later, the recipient can produce a deletion certificate, which proves that they no longer have access to the secret key. The security guarantee ensures that even a malicious recipient cannot continue to evaluate the function, after producing a valid deletion certificate. Most prior work considers an adversarial recipient that obtains a single leased key, which is insufficient for many applications. In the more realistic collusion-resistant setting, security must hold even when polynomially many keys are leased (and subsequently deleted). However, achieving collusion-resistant SKL from standard assumptions remains poorly understood, especially for functionalities beyond decryption. We improve upon this situation by introducing new pathways for constructing collusion-resistant SKL. Our main contributions are as follows:
- A generalization of quantum-secure collusion-resistant traitor tracing called multi-level traitor tracing (MLTT), and a compiler that transforms an MLTT scheme for a primitive X into a collusion-resistant SKL scheme for primitive X.
- The first bounded collusion-resistant SKL scheme for PRFs, assuming LWE.
- A compiler that upgrades any single-key secure SKL scheme for digital signatures into one with unbounded collusion-resistance, assuming OWFs.
- A compiler that upgrades collusion-resistant SKL schemes with classical certificates to ones having verification-query resilience, assuming OWFs.
