Presentation is loading. Please wait.

Presentation is loading. Please wait.

Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1.

Published byXavier Decourcy Modified over 10 years ago

Similar presentations

Presentation on theme: "Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1."— Presentation transcript:

1 Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1

2 Privacy amplification [BB] Alice and Bob share information that is partially secret towards an eavesdropper Eve. Their goal is to extract a shorter string that is completely secret. They may use a short, public random string.

3 More formally: Alice and Bob share x {0,1} n. x has a-priori distribution X that has a lot of entropy. H (X) k a Pr[X=a] 2 -k Eve holds a random variable W on {0,1} b that holds partial information about x. 3

4 A (k,b, ) extractor - classical case E:{0,1} n {0,1} t {0,1} m is a (k,b, ) extractor, if: For every X with H (X) k, and, For every W=W(X) distributed on {0,1} b |U t E(X, U t ) W(X) – U t U m W(X) | Sample: x X, y {0,1} t Output: y,E(x,y),W(x) Sample: x X, y {0,1} t,u {0,1} m Output: y,u,W(x) 4

5 In the classical world The problem can be solved almost optimally using extractors. Solutions give: t=O(log(n/ )) m= (k-b) 5

6 A (k,b, ) extractor - quantum case E:{0,1} n {0,1} t {0,1} m is a (k,b, ) extractor against quantum storage, if: For every X with H (X) k, and, For every = (X) on b qubits |U t E(X, U t ) (X) – U t U m (X) | tr Sample: x X, y {0,1} t Output: y,E(x,y), (x) Sample: x X, y {0,1} t,u {0,1} m Output: y,u, (x) 6

7 In the quantum world Some extractors fail. [GKKRWJ] show an extractor against b bits that fails against polylog(b) qubits. Some extractors work. Konig, Maurer,Renner 04 Fehr, Schaffner 08 Konig Terhal 08 7

8 Previous extractors - quantum case TechniqueSeed lengthAuthor Pair-wise independence, Collisionst= (n)Konig, Maurer, Renner Almost pair-wise independencet= (m)Variation on KMR Z 2 n Fourier transformt= (b)Fehr, Schaffner Any one-output extractor is goodt= (m)Konig Terhal Any extractor is good with error 2 b t= (b)Konig Terhal Several methodst=O(log(n))Classical E : {0,1} n {0,1} t {0,1} m 8

9 Our result A (k,b, ) extractor E:{0,1} n {0,1} t {0,1} m against quantum storage, with: Optimal t=O(log n) when m=n (1) Trevisan: m=(k-b) (1) Optimal: (k-b) 9

10 The basic paradigm Reconstruction algorithms Reconstruction Extraction in the classical world [Trevisan] Reconstruction with few queries Extraction against quantum storage. 10

11 Distinguisher A test is a function T : {0,1} m {0,1} A test T -distinguishes D 1 from D 2 if | Pr x D1 [T(x)=1] – Pr x D2 [T(x)=1] | 11

12 Reconstruction algorithms A function E:{0,1} n {0,1} t {0,1} m has a reconstruction algorithm R if For every x {0,1} n, and every T that distinguishes U t E(x,U t ) from U t+m There exists a string adv=adv(x) of a bits, s.t. R T (adv(x))=x 12

13 Reconstruction Extraction [Tre] Suppose E has reconstruction with a advice bits, Suppose E is not a (k,b, ) extractor. Then, there exist: X with H (X) k, Eve storing b bits of information, -distinguishing E from uniform. B={x| Eve -dist W(x) U t E(x, U t ) from W(x) U t+m } |B| ε|X| 13

14 For every x B The test T: Gets advice W(x). Applies Eve( W(x), y, w). -distinguishes U t E(x, U t ) from U t+m. The reconstruction algorithm: Makes oracle calls to T. Gets additional a bits of advice adv(x). Reconstructs x. Thus x B can be reconstructed using a+b bits. 14

15 Reconstruction Extraction [Tre] |B| 2 a+b and 2 k |X| |B|/. Thus, ka+b+log(1/ ). 15

16 Extractor against quantum storage Suppose E has reconstruction with q queries. Suppose E is not a (k,b, ) extractor. Then, there exist: X with H (X) k, Eve storing b qubits of information, B={x| Eve -dist (x) U t E(x, U t ) from (x) U t+m } |B| ε|X| 16

17 For every x B The test T: Gets advice (x). Applies Eve( (x), y, w). -distinguishes U t E(x, U t ) from U t+m. The reconstruction algorithm: Makes oracle calls to T. Gets additional a bits of advice adv(x). Reconstructs x. Thus x B can be reconstructed using a+qb bits For the classical advice adv(x) For q queries to Eve 17

18 Extractor against quantum storage |B| 2 a+qb. Thus, 2 k |X| 2 a+qb /. ka+qb+log(1/ ). 18

19 Conclusions so far A function E:{0,1} n {0,1} t {0,1} m that has a reconstruction algorithm with A short classical advice adv(x), and, A few queries to the distinguisher Yields a good extractor against quantum storage. 19

20 An extractor with reconstruction The NW generator List decoding Trevisans extractor The quantum case Trevisans work 20

21 The NW Generator NW:{0,1} n {0,1} t {0,1} m has reconstruction that is correct on average. Given a distinguisher T, and The right advice adv(x) R T (adv(x),i) = x i For most i [n] 21 The NW generator uses a single query

22 List decoding 22

23 Trevisans extractor Uses: NW and its reconstruction algorithm, A code C : {0,1} n {0,1} N that is (L=poly(n),p=1/2- ) list-decodable. T(x,y)= NW( C(x), y) 23

24 Reconstruction for Trevisans ext. T(x,y)= NW( C(x), y) Find a word w {0,1} N that is 1/2+ close to C(x) using the NW reconstruction algorithm. Apply list decoding. Get a List L of all code words close to w, x L. The advice tells us which is x. Works well, but requires N queries. 24

25 The way around NW generator – learns a single bit of C(x), with one query, on average over i [N] 25 Learn the whole of x, with poly(n) queries. Trevisan: List decoding Learn a single bit of x, with polylog(n) queries, for any i [n] of our choice. Us: Local list decoding

26 Two questions 1.How do we achieve that? Answer: using local list decoding. 2. Does this suffice for the analysis? Answer: Yes, using lower bounds on random access codes. 26

27 The new extractor Uses: NW generator and its reconstruction algorithm, A code C : {0,1} n {0,1} N that is (L=poly(n),p=1/2+ ) locally list-decodable with q=polylog(n) queries. E(x,y)= NW( C(x), y) 27

28 The Analysis Suppose E(x,y)= NW( C(x), y) is not a (k,b, ) ext, violated with X and = (X). For any x B Advice: a+qb qubits We can learn any bit of x, with succ. prob. 2/3. |B| 2 (a+qb) log n. 2 k |X| 2 (a+qb) log n /. k(a+qb) log n+log(1/ ). 28 a RAC for B using a+qb qubits

29 Random access code for X RAC : X density matrix over m qubits such that for every x X: For all i [n], one can recover x i from RAC(x) with success probability at least 2/3. For most i [n], one can recover x i from RAC(x). Average-case RAC Worst-case RAC 29

30 RAC for X Arbitrary XX={0,1} n (n) Worst case RAC 0 (n) Average case RAC 30

31 Summary For the construction, we use: Trevisan extractor, with Local, list-decodable error correcting codes For the analysis, we use: Reconstruction algorithms together with Random access codes 31

32 Local decoding A code C:{0,1} n {0,1} N has (q,, ) a local Decoding algorithm D, if For every x {0,1} n, y {0,1} N, d(y,C(x)) N For every i [n] Pr [ D y (i)=x i ] 1- and D makes at most q queries to y. 32

33 Challenge 1.Find an extractor that Works against quantum storage With optimal parameters. 2. Generalize the construction to Eve that holds more qubits but has few information about X.

34 List decoding A code C:{0,1} n {0,1} N is (L,p) list-decodable, if for every w {0,1} N there are at most L codewords that are p-close to w. |{i | y i =w i }| pN 34

35 Unique decoding 35

Download ppt "Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1."

Similar presentations

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST
Advanced Piloting Cruise Plot.

Advanced Piloting Cruise Plot.
Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.

Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.
1 Vorlesung Informatik 2 Algorithmen und Datenstrukturen (Parallel Algorithms) Robin Pomplun.

1 Vorlesung Informatik 2 Algorithmen und Datenstrukturen (Parallel Algorithms) Robin Pomplun.
Topological Subsystem Codes with Local Gauge Group Generators Martin Suchara in collaboration with: Sergey Bravyi and Barbara Terhal December 08, 2010.

Topological Subsystem Codes with Local Gauge Group Generators Martin Suchara in collaboration with: Sergey Bravyi and Barbara Terhal December 08, 2010.
© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.

© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Chapter 1 The Study of Body Function Image PowerPoint

Chapter 1 The Study of Body Function Image PowerPoint
Milan Vojnović Microsoft Research Cambridge Collaborators: E. Perron and D. Vasudevan 1 Consensus – with Limited Processing and Signalling.

Milan Vojnović Microsoft Research Cambridge Collaborators: E. Perron and D. Vasudevan 1 Consensus – with Limited Processing and Signalling.
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Author: Julia Richards and R. Scott Hawley

Author: Julia Richards and R. Scott Hawley
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.

Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
UNITED NATIONS Shipment Details Report – January 2006.

UNITED NATIONS Shipment Details Report – January 2006.
Document #07-2I RXQ.11.4.1 Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) (mod 7/25 & clean-up 8/20) Customer Supplier.

Document #07-2I RXQ Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) (mod 7/25 & clean-up 8/20) Customer Supplier.
1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.

1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Title Subtitle.

Title Subtitle.
Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×

Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×

Similar presentations

Ads by Google