Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Tight High-Order Entropic Quantum Uncertainty Relation with Applications Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Renato Renner (ETH Zürich,

Similar presentations


Presentation on theme: "A Tight High-Order Entropic Quantum Uncertainty Relation with Applications Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Renato Renner (ETH Zürich,"— Presentation transcript:

1 A Tight High-Order Entropic Quantum Uncertainty Relation with Applications Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Renato Renner (ETH Zürich, CH) Ivan Damgård, Louis Salvail (University of Århus, DK) QIP 2008, Delhi, India Thursday, December 20 th 2007

2 Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Ivan Damgård, Louis Salvail (University of Århus, DK) Secure Identification and QKD in the Bounded-Quantum-Storage Model QIP 2008, Delhi, India Thursday, December 20 th 2007

3 3 / 42 ~1970: Birth of Quantum Cryptography …

4 4 / Oblivious Transfer S C S 0 ; S 1 C 2 f 0 ; 1 g complete for 2-party computation impossible in the plain (quantum) model possible in the Bounded-Quantum-Storage Model OT

5 5 / 42 (Randomized) 1-2 Oblivious Transfer R an d OT S C S 0 ; S 1 C 2 f 0 ; 1 g complete for 2-party computation impossible in the plain (quantum) model possible in the Bounded-Quantum-Storage Model

6 6 / 42 Outline Motivation and Notation Quantum Uncertainty Relations Secure Identification Man-In-The-Middle Attacks Conclusion

7 7 / 42 Quantum Mechanics Notation Measurements: + basis £ basis j 0 i + j 1 i + j 1 i £ j 0 i £ EPR pairs:

8 8 / 42 ge t X ' Quantum 1-2 OT Protocol j X i £ S 0 ; S 1 F 1 2 R F 1 F 0 2 R F 0 £ ; F 0 ; F 1 S 1 = ? S 0 C = 0 £ 0 = + n Correctness Receiver-Security against Dishonest Alice £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n

9 9 / 42 Sender-Security? j X i £ S 0 ; S 1 F 1 2 R F 1 F 0 2 R F 0 £ ; F 0 ; F 1 ge t ½ £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n Sender-Security: one of the strings looks completely random to dishonest Bob # qu b i t s < n = 4

10 10 / 42 ge t Entanglement-Based Protocol S 0 ; S 1 F 1 2 R F 1 F 0 2 R F 0 £ ; F 0 ; F 1 ½ epr ­ n # qu b i t s < n = 4 Sender-Security: One of the strings looks completely random to dishonest Bob £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n ? ? ? ? ?

11 11 / 42 ge t Entanglement-Based Protocol j X i £ S 0 ; S 1 F 1 2 R F 1 F 0 2 R F 0 £ ; F 0 ; F 1 ½ # qu b i t s < n = 4 Sender-Security: One of the strings looks completely random to dishonest Bob £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n

12 12 / 42 Sender-Security: One of the strings looks completely random to dishonest Bob £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n ? ? ? ? ? Let Bob Act First F 1 2 R F 1 F 0 2 R F 0 ½ £ ; F 0 ; F 1 ge t epr ­ n / /... # qu b i t s < n = 4 S 0 ; S 1

13 13 / 42 Sender-Security: One of the strings looks completely random to dishonest Bob Privacy Amplification: ge t £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n ? ? ? ? ? Sender-Security  Uncertainty Relation F 1 2 R F 1 F 0 2 R F 0 ½ £ ; F 0 ; F 1 epr ­ n / /... # qu b i t s < n = 4 [ R enner K Ä on i g 05, R enner 06 ] H 1 ( X j £ ) ¸ ? S 0 ; S 1 H 1 ( X j £ ) |{z} ¸ ? > # qu b i t s |{z} < n = 4

14 14 / 42 Outline Motivation and Notation Quantum Uncertainty Relations Secure Identification Man-In-The-Middle Attacks Conclusion

15 15 / 42 Entropic Uncertainty Relation for One Qubit

16 16 / 42 I ngenera l : H ( ¢ ) ¸ H 1 ( ¢ ) ) H " 1 ( X n j £ ) n ! 1 ¼ n ¢ H ( X i j £ i ) ¸ n = 2 £ 2 R s t a t e f + ; £ g n ½... Quantum Uncertainty Relation needed / / H 1 ( X j £ ) ¸ ? X i i n d epen d en t H ( X i j £ i ) ¸ 1 2 excep t w i t h pro b · " X i : = X 1 ::: X i

17 17 / 42 £ 2 R s t a t e f + ; £ g n ½... Main Result / / H 1 ( X j £ ) ¸ ? X i d epen d en t H ( X i j £ i ) ¸ 1 2 Q uan t um U ncer t a i n t y R e l a t i on: L e t X = ( X 1 ;:::; X n ) b e t h eou t come. T h en, H " 1 ( X j £ ) & n = 2 w i t h "neg l i g i bl e i nn. H ( X i j £ i ; X i ¡ 1 = x i ¡ 1 ; £ i ¡ 1 = µ i ¡ 1 ) ¸ 1 2

18 18 / 42 Main Technical Lemma Z 1 ;:::; Z n ( d epen d en t ) ran d omvar i a bl es T h en, H " 1 ( Z ) & n ¢ h w i t h "neg l i g i bl e i nn w i t h H ( Z i j Z i ¡ 1 = z i ¡ 1 ) ¸ h. P roo f : ² i n f orma t i on t h eory ² genera l i ze d C h erno ®b oun d ( A zuma i nequa li t y )

19 19 / 42 conjugate coding / BB84: £ 2 R s t a t e f + ; £ g n ½... classical technical lemma: instantiate it for various quantum codings: High-Order Entropic Uncertainty Relations H ( Z i j Z i ¡ 1 = z ) ¸ h ) H " 1 ( Z n ) & h n / / H " 1 ( X j £ ) & n = 2

20 20 / 42 conjugate coding / BB84: three bases / six-state: … classical technical lemma: instantiate it for various quantum codings: High-Order Entropic Uncertainty Relations / / / / £ 2 R s t a t e f + ; £ ; ª g n ½... H " 1 ( X j £ ) & n = 2 H " 1 ( X j £ ) & 2 3 n H ( Z i j Z i ¡ 1 = z ) ¸ h ) H " 1 ( Z n ) & h n

21 21 / 42 Outline Motivation and Notation Quantum Uncertainty Relation Secure Identification Man-In-The-Middle Attacks Conclusion

22 22 / 42 Why Secure Identification? I’m Alice my PIN is IMAB52 I want $25 Alright Alice, here you go.

23 23 / 42 Why Secure Identification? I’m Alice my PIN is IMAB52 I want $25 Sorry, I’m out of order Alice: IMAB52

24 24 / 42 Why Secure Identification? Alice: IMAB52 I’m Alice my PIN is IMAB52 I want $25,000,000 Alright Alice, here you go.

25 25 / 42 Secure Evaluation of the Equality PIN-based identification scheme should be a secure evaluation of the equality function A dishonest player can exclude only one possible password = ? W A W B W A ? = W B W A ? = W B

26 26 / 42 ge t X ' Recall: Quantum 1-2 OT Protocol j X i £ S 0 ; S 1 F 1 2 R F 1 F 0 2 R F 0 £ ; F 0 ; F 1 S 1 = ? S 0 C = 0 £ 0 = + n £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n

27 27 / 42 C ( 0 ) X ' C ( 1 ) X ' £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n Quantum 1-m OT Protocol j X i £ W 2 W C ( W ) C o d e C : W ! f + ; £ g n

28 28 / 42 C ( 0 ) X ' C ( 1 ) X ' £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n Quantum 1-m OT Protocol j X i £ S 0 W 2 W C ( W ) C o d e C : W ! f + ; £ g n S 0 £ ; F 0

29 29 / 42 C ( 0 ) X ' C ( 1 ) X ' £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n Quantum 1-m OT Protocol j X i £ S 0 W 2 W C ( W ) S 1 £ ; F 0 ; F 1 ;::: S 0 ; S 1 ;::: C o d e C : W ! f + ; £ g n £ ; F 0 ; F 1 ;:::

30 30 / 42 C ( 0 ) X ' C ( 1 ) X ' £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n Quantum 1-m OT Protocol j X i £ S 0 W 2 W C ( W ) S 1 S 0 ; S 1 ;::: C o d e C : W ! f + ; £ g n £ ; F 0 ; F 1 ;::: £ ; F 0 ; F 1 ;:::

31 31 / 42 Idea correct dishonest Bob can learn at most one S W and compare it with (the random) S W. He can at most exclude his W. Dishonest Alice learns nothing about W by the OT  but can e.g. set all S i = 0, then send S W = 0 R an d 1 -m OT S 0 ; S 1 ;:::; S m ¡ 1 W 2 f 0 ; 1 ;:::; m ¡ 1 g W 2 f 0 ; 1 ;:::; m ¡ 1 g WS W S W S W ? = S W W 2 f 0 ; 1 ;:::; m ¡ 1 g W 2 f 0 ; 1 ;:::; m ¡ 1 g W 2 f 0 ; 1 ;:::; m ¡ 1 g

32 32 / 42 T W : = g ( W ) © S W Dishonest Alice learns nothing about W by the OT with high probability: all T i are different Alice has to guess the right T W Dishonest Alice S W g g 2 R G : W ! f 0 ; 1 g ` T W ? = g ( W ) © S W strongly universal R an d 1 -m OT W 2 f 0 ; 1 ;:::; m ¡ 1 g WS 0 ; S 1 ;:::; S m ¡ 1 W = ? ) S W ? = S W

33 33 / 42 Properties of the Basic Scheme efficient: n qubits, 3 classical messages, honest players do not require quantum memory provably secure against:  unbounded dishonest user Alice  dishonest server Bob with quantum memory < n/11  both have unbounded computing power and classical memory can be extended to tolerate noise, therefore implementable with current technology OT P i n W P i n W

34 34 / 42 Outline Motivation and Notation Quantum Uncertainty Relation Secure Identification Man-In-The-Middle Attacks Conclusion

35 35 / 42 Dishonest Alice or Bob can only exclude one possible PIN W Eve learns nothing about W ? Extension: Man-in-the-Middle Attack P i n WP i n W  nontrivial K ey KK ey K

36 36 / 42 Dishonest Alice or Bob can only exclude one possible PIN W, even given key K Eve learns nothing about W and only negligible information about key K Extension: Man-in-the-Middle Attack P i n WP i n W K ey KK ey K

37 37 / 42 Application: QKD au t h K ( ¢ ) = ( K 0 ; SK ) = ( K 0 ; SK ) au t h K 0 ( ¢ ) K ey KK ey K

38 38 / 42 Problem: Eve interferes with communication au t h K ( ¢ ) = ( K 0 ; SK ) = ( K 0 ; SK ) au t h K 0 ( ¢ ) honest players run out of authentication key secure QKD no longer possible K ey KK ey K

39 39 / 42 Solution: QKD based on Secure Identification au t h K ( ¢ ) P i n WP i n W = ? = ? K and W remain secure, can be re-used over and over again, even if scheme is disrupted Losing key K does not compromise security (if loss is noticed) BUT: security holds only against a quantum-memory bounded eavesdropper K ey KK ey K

40 40 / 42 High-order entropic quantum uncertainty relations : Bounded-Quantum-Storage Model:  Oblivious Transfer: Non-interactive, practical protocols for 1-2 OT and Bit Commitment secure according to strong security definitions.  Secure PIN-based Identification: dito non-trivial extension to handle man-in-the-middle attacks Conclusion H " 1 ( X j £ ) ¸ 2 3 n H " 1 ( X j £ ) ¸ n = 2,

41 41 / 42 High-order entropic quantum uncertainty relations: Quantum Key Distribution: ( assuming quantum-memory bounded Eve)  security proofs: for higher error rates (=longer distances)  robustness: Eve cannot make parties run out of authentication key Conclusion H " 1 ( X j £ ) ¸ 2 3 n H " 1 ( X j £ ) ¸ n = 2,

42 42 / 42 Thanks to you! Follow-up work [Wehner, Terhal, S]: a step closer to reality: Cryptography from Noisy Photonic Storage see poster and

43 43 / 42 name d e ¯ n i t i on H 0 ( Z ) l og ¯ ¯ f z j P Z ( z ) > 0 g ¯ ¯ n H ( Z ) ¡ P z P Z ( z ) l og ( P Z ( z )) ¼ n H 1 ( Z ) ¡ l og ( max z P Z ( z )) n = 2 Entropies H 1 · H · H 0 … ¼ 2 ¡ n |{z} 2 n ¡ 1 2 ¡ n 2 Z P Z Z ran d omvar i a bl eover f 0 ; 1 g n l ower b oun d on H 6 ) l ower b oun d on H 1

44 44 / 42 … ¼ 2 ¡ n |{z} 2 n ¡ 1 2 ¡ n 2 Z P Z Smooth Min-Entropy  " f or" = 2 ¡ n 2 Z ran d omvar i a bl eover f 0 ; 1 g n

45 45 / 42 Smooth Min-Entropy [ R enner W o lf 05 ] Z i : = Z 1 ;:::; Z i Z ran d omvar i a bl eover f 0 ; 1 g n H " 1 ( Z ) : = max P r [ E ] ¸ 1 ¡ " H 1 ( Z E ) Z i : = Z 1 ;:::; Z i

46 46 / 42 £ 2 R s t a t e f + ; £ g n ½... Proof of Quantum Uncertainty Relation Z i : = ( X i ; £ i ) MU : ½ 1 -qu b i t s t a t e: H ( X 0 j £ 0 ) ¸ 1 2 / / T h m: H ( Z i j Z i ¡ 1 = z ) ¸ h ) H " 1 ( Z n ) & h n Q uan t um U ncer t a i n t y R e l a t i on: L e t X = ( X 1 ;:::; X n ) b e t h eou t come. T h en, H " 1 ( X j £ ) & n = 2 w i t h "neg l i g i bl e i nn. H ( Z i j Z i ¡ 1 = z ) = H ( X i j £ i ; Z i ¡ 1 = z ) + H ( £ i j Z i ¡ 1 = z ) ¸ = : h : H " 1 ( X j £ ) ¼ H " 1 ( Z n ) ¡ H 0 ( £ ) & n = 2 + n ¡ n :

47 47 / 42 Tight? MU : ½ 1 -qu b i t s t a t e: H ( X 0 j £ 0 ) ¸ 1 2 H ( X j £ ) = 1 2 ¡ H ( X j £ = + ) |{z} = 0 + H ( X j £ = £ ) |{z} = 1 ¢ = 1 2 : £ 2 R s t a t e f + ; £ g n ½... / / Q uan t um U ncer t a i n t y R e l a t i on: L e t X = ( X 1 ;:::; X n ) b e t h eou t come. T h en, H " 1 ( X j £ ) & n = 2 w i t h "neg l i g i bl e i nn. F or t h epures t a t e j 0 i ­ n, t h e X are i n d epen d en t an d we k now t h a t H " 1 ( X j £ ) n ! 1 ¼ H ( X j £ ) = n = 2.

48 48 / 42 £ 2 R s t a t e f + ; £ g n ½... £ 2 R s t a t e f + n ; £ n g ½ Comparison to Previous Bound / / P rev i ous: T h ereex i s t saneven t E w i t h P r [ E ] & 1 2 suc h t h a t H 1 ( X j E ; £ ) ¸ n = 2 : N ew: H " 1 ( X j £ ) & n = 2 w i t h neg l i g i bl e" 8 µ 2 f + ; £ g n 9 even t E µ w i t h 2 ¡ n P µ P r [ E µ ] ¼ 1 an d H 1 ( X j E µ ; £ = µ ) & n = 2 :

49 49 / 42 Bounded-Quantum-Storage Model: Non-interactive, practical protocols for 1-2 OT and BC secure according new composable security definitions. Quantum Key Distribution: Security proofs in realistic setting of a quantum-memory bounded eavesdropper. Tolerate higher error rates than against unbounded adversaries. Composition of certain Quantum Ciphers: key-uncertainty adds up in terms of min-entropy. Contributions II: Applications

50 50 / 42 two-way post processing QKD with more bases in higher-dimensional (non-binary) systems using less randomness: avoid sifting stage Open Questions


Download ppt "A Tight High-Order Entropic Quantum Uncertainty Relation with Applications Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Renato Renner (ETH Zürich,"

Similar presentations


Ads by Google