Cryptography with Certified Deletion

We propose a new, unifying framework that yields an array of cryptographic primitives with {\em certified deletion}. These primitives enable a party in possession of a quantum ciphertext to generate a classical certificate that the encrypted plaintext has been information-theoretically deleted, and cannot be recovered even given unbounded computational resources. For $X \in \{\mathsf{public}\text{-}\mathsf{key},\mathsf{attribute\text{-}based},\mathsf{fully\text{-}homomorphic},\mathsf{witness},\mathsf{timed}\text{-}\mathsf{release}\}$, our compiler yields post-quantum $X$ encryption with certified deletion, assuming post-quantum $X$ encryption. Assuming the existence of statistically-binding commitments, our compiler yields statistically-binding commitments with certified everlasting hiding as well as statistically-sound zero-knowledge proofs for QMA with certified everlasting zero-knowledge. We also introduce and construct information-theoretic secret sharing with certified deletion. Next, we take the notion of certified deletion a step further, and explore its implications in the context of mistrustful two-(and multi-)party cryptography. Here, there is a strong impossibility result by Unruh (Crypto 2013) building on Lo, Chau, and Mayers (Physical Review Letters) showing that everlasting security against \emph{every} party is impossible to achieve, even with quantum communication, and even if parties are computationally bounded during the protocol. Nevertheless, we introduce the notion of \emph{Everlasting Security Transfer}, enabling participants to dynamically request that \emph{any} party (or parties) information-theoretically delete their data, even \emph{after} the protocol execution completes. We show how to construct secure two-party and multi-party computation satisfying this notion of security, assuming only statistically-binding commitments.