
Randomness Extraction and Privacy Amplification with quantum eavesdroppers

Randomness Extraction and Privacy Amplification with quantum eavesdroppers. Thomas Vidick, UC Berkeley. Based on joint work with Christopher Portmann, Anindya De, and Renato Renner. Outline: Privacy amplification and randomness extraction; A one-bit extractor; Trevisan’s construction.


Presentation Transcript


  1. Randomness Extraction and Privacy Amplification with quantum eavesdroppers. Thomas Vidick, UC Berkeley. Based on joint work with Christopher Portmann, Anindya De, and Renato Renner

  2. Outline • Privacy amplification and randomness extraction • A one-bit extractor • Trevisan’s construction

  3. Quantum Key Distribution (Figure labels: quantum channel, classical channel, Eve.) Two phases: • Quantum communication • Classical communication • Parameter estimation: bound Eve’s knowledge • Error correction: A, B compute identical n-bit strings • Privacy amplification: A, B share identical private m-bit strings Final shared string to be used in subsequent protocol: require universally composable security: Goals: Security (bound Eve’s knowledge) + Efficiency (bitrate)

  4. Privacy amplification [BBR’88] • Goal: given Eve’s (bounded) knowledge about , appears close to uniform: • minimize communication + complexity of applying • Additional rand. necessary: no deterministic process will work • Alice chooses random function from family, tells Bob (Figure labels: F, classical communication, Eve, bits.)

  5. Examples • Output single position: • Output random XOR: (Repeat the above for different positions/XORs.) • Random function, • Apply random 2-universal hash function All are “strong randomness extractors!” (Figure labels: F, classical communication, bits.)

  6. Aside: randomness extraction (1) • Fundamental concept from TCS [NZ’96] • Weak randomness is “readily” available • Many applications require “perfect” randomness • Can we convert one to the other? • Randomized algorithms • Crypto • Modeling (Figure: public source X with distribution PX(x); ideal uniform source with distribution PU(x); Ext? between them.)

  7. Aside: randomness extraction (2) • Obvious restriction: • Still, even extracting one bit is impossible in this setting! • No single function will work for every distribution • Need extra randomness to get started: seed • extractor: such that for every X with is -close to • Strong extractor: is -close to for • Goals: short seed, large output, efficient construction. (Figure: Ext? applied to a source with distribution PX(x) plus a seed with distribution PY(x), compared with PU(x).)

  8. Extractors for privacy amplification • A,B share X. Classical eavesdropper holds E • Suppose . Then ) large for most • If is strong extractor then Ext(,) -close to uniform • Security of strong extractor = requirement for privacy ampl. [Lu02]! • Quantum eavesdropper: no such • Can still define, and [KRS’09] • [Renner’05] appropriate measure of extractable randomness • Usual definition of strong extractor no longer sufficient (Figure labels: F, classical communication, bits.)

  9. Example: the perfect matching extractor [GKKRW’07] Ext: $\{0,1\}^n \times \{0,1\}^{2\log n} \to \{0,1\}^{n/2}$ X: n-bit string Y: perfect matching chosen among $n^2$ (Figure: bits $x_1, x_2, x_3, x_4, \dots, x_{n-1}, x_n$ fed into Ext; output is uniformly random.) • Classical adversary: cannot do better than birthday paradox • → need ≈ √n bits of information about x • Quantum adversary: • on seeing x, store • when matching revealed, measure in → only need ≈ log n qubits!

  10. Summary of known constructions

  11. Outline • Privacy amplification and randomness extraction • A one-bit extractor • Trevisan’s construction

  12. A one-bit extractor • , seed , • Classical security proof • Given random Y, Eve can distinguish from uniform: she can predict a random k-XOR with advantage • Query Eve on every Y: recover string which agrees with k-XOR encoding of X in fraction of positions • List of all k-XORs is list-decodable encoding of X; narrows X down to list of possibilities • Extractor is secure as long as • Proof based on reconstruction argument: recover X from Eve’s information impossible as long as large enough

  13. Quantum eavesdroppers • … cannot be repeated! • Unclear how to recover X from Eve’s state • Same problem arises in analysis of RAC • Thm [DV10, J11]: is strong extractor for any • [BRdW’07] proved weaker result in bounded storage model • Proof follows from [KT’06] • Argument constructive, based on Pretty-Good Measurement: Given seed y, Eve has to distinguish from PGM is almost-optimal. By linearity, equiv. to: measure using , get , output • Reduces Eve to being classical

  14. Outline • Privacy amplification and randomness extraction • A one-bit extractor • Trevisan’s construction

  15. Trevisan’s construction (1) • How do we extract more bits? • Repeating m times works, but uses a lot of seed! • Idea: make more efficient use of the seed • Combinatorial design: subsets with small pairwise intersections. • Partition seed into overlapping sets, so bits can be re-used (Use to compute -th output.) • Ex [HR03]: for prime , where ranges over polynomials of degree get subsets of of size small pairwise intersection • Design can be pre-computed and stored (Figure: the seed y shown as a bit string.)

  16. Trevisan’s construction (2) • Introduced in [T99]; breakthrough construction building on work on pseudo-random generators • Fix a design and one-bit extractor • Polyvalent: use any design; many possible one-bit extractors • Can focus on efficiency or optimality • Near-optimal in all parameters (seed & output length, efficiency) (Figure: input x combined with the seed y, shown as a bit string.)
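The construction on slides 15 and 16, as an added example that is not from the talk: a design splits one seed into overlapping sub-seeds, and each output bit is the k-XOR one-bit extractor of slide 12 applied to one sub-seed. It assumes the standard polynomial design over F_p (sets {(a, q(a))} for polynomials q of degree at most d), since the slide's own parameters are not legible here; the function names and the values p = 13, d = 1, k = 3, m = 40 are hypothetical.

```python
from itertools import combinations, product

def poly_design(p, d, m):
    """First m sets S_q = {a*p + q(a) : a in F_p}, q a polynomial of degree <= d.

    Each set has p elements of [p*p]; two distinct polynomials of degree <= d
    agree on at most d points, so two sets overlap in at most d positions.
    """
    if not (0 <= d < p and m <= p ** (d + 1)):
        raise ValueError("need d < p and m <= p^(d+1)")
    sets = []
    for coeffs in product(range(p), repeat=d + 1):
        if len(sets) == m:
            break
        sets.append([a * p + sum(c * pow(a, e, p) for e, c in enumerate(coeffs)) % p
                     for a in range(p)])
    return sets

def max_overlap(design):
    """Largest pairwise intersection; this is what bounds seed re-use."""
    return max(len(set(s) & set(t)) for s, t in combinations(design, 2))

def k_xor_bit(x, sub_seed, k):
    """One-bit extractor: sub_seed names k positions of x, output is their XOR."""
    b = (len(x) - 1).bit_length()      # seed bits per position (len(x) a power of 2)
    if len(sub_seed) < k * b:
        raise ValueError("sub-seed too short for k positions")
    out = 0
    for j in range(k):
        pos = int("".join(map(str, sub_seed[j * b:(j + 1) * b])), 2)
        out ^= x[pos % len(x)]
    return out

def trevisan(x, seed, m, p, d, k):
    """i-th output bit = one-bit extractor applied to x and the seed bits in S_i."""
    if len(seed) != p * p:
        raise ValueError("seed must have p*p bits")
    return [k_xor_bit(x, [seed[i] for i in s], k) for s in poly_design(p, d, m)]

if __name__ == "__main__":
    import secrets
    P, D, K, M = 13, 1, 3, 40          # hypothetical parameters
    x = [secrets.randbits(1) for _ in range(16)]      # constructed 16-bit source
    seed = [secrets.randbits(1) for _ in range(P * P)]
    print("output:", trevisan(x, seed, M, P, D, K))
    print("seed bits:", P * P, "vs independent sub-seeds:", M * P,
          "| max overlap:", max_overlap(poly_design(P, D, M)))
```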

  17. Some parameters • Input length , seed length , output length , min-entropy • Construction based on k-XOR • , seed • Extracts bits from entropy • Locally computable • Optimal seed length • Extract bits from entropy • Optimal output length • Seed , extracts from any • Can also extract from weakly uniform seed • All constructions “efficient” (polynomial)

  18. Overview of security proof (Figure labels: x: n bits; y: t bits; log n bits.) • By contradiction: assume eavesdropper E can distinguish output from uniform with success ɛ. • First step: using E, construct an eavesdropper E’ such that • E’ has access to the same side information as E • E’ has some additional classical information over m bits • E’ breaks the one-bit extractor with success prob. ½+ɛ/m. Based on hybrid argument + properties of comb. design • Second step: such an E’ cannot exist! • We already know is secure against quantum eavesdroppers

  19. Summary • Privacy amplification is an important step in QKD • Well-understood classically, but quantum eavesdropper is a challenge • Some constructions proved to carry over • 2-universal hashing most often used: efficient (matrix multiplication), extracts most key. • All previous const. require as many “fresh” random bits as length of key • Trevisan’s construction has many advantages • Efficient (local XOR computation) • Extracts longest possible key, only polylog random bits required • Proof of security based on reconstruction argument + [KT’06]

  20. Open problems • Can we do even better? Extract many bits with a logarithmic seed? • Trevisan’s extractor only extracts , for any • Classical constructions exist, but based on different ideas. • Could all reasonable extractors be secure against quantum eavesdroppers? • Hidden matching is not, but really bad extractor • Could still have generic proof with small loss in parameters • How much information is there in a quantum state? • Similar questions asked in comm. compl., but in worst-case

  21. Thank you!
