Presentation is loading. Please wait.

Presentation is loading. Please wait.

The question Can we generate provable random numbers? 10110111101101000010010001111101001001001001111010100 …. ?

Published byAudrey Goodman Modified over 8 years ago

Similar presentations

Presentation on theme: "The question Can we generate provable random numbers? 10110111101101000010010001111101001001001001111010100 …. ?"— Presentation transcript:

1

2 The question Can we generate provable random numbers? 10110111101101000010010001111101001001001001111010100 …. ?

3 Why it matters Security of protocols like RSA breaks down if randomness is bad. P,Q (primes) P,Q [Lenstra+ 12, Heninger+ 12]

4 Existing solutions “[We assume] that the developer understands the behavior of the entropy source and has made a good-faith effort to produce a consistent source of entropy.” Can we generate randomness without assuming good faith?

5 Quantum random number generation Untrusted-device randomness expansion Untrusted-device randomness amplification Semi-device-independent random number generation. Contextuality-based randomness expansion. Randomness extraction.

6 Quantum random number generation Untrusted-device randomness expansion Untrusted-device randomness amplification Semi-device-independent random number generation. Randomness extraction 0 0 1 1 1 0 1 1 Small uniform seed + untrusted device -> uniform randomness 101011110110001001101100 1111011001101111011111111 10100001010001001111110 10101010111010101010 …. Only assumption: Non-communication.

7

8 Timeline 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Colbeck Colbeck proposed a protocol based on repeating a nonlocal game. 00…00… 11…11… 0101 1111 Us

9 Timeline 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Us Colbeck Pironio+: analysis & experiment. I started working in quantum information. 00…00… 11…11… 0101 1111 Pironio+ started

10 Timeline 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Us Colbeck Pironio+: analysis & experiment. I started working in quantum information. 00…00… 11…11… 0101 1111 Pironio+ started 001…001… 110…110… 000000 101101 Quantum information can be locked – accessible only to entangled adversaries. [E.g., DiVincenzo+ 04] The challenge of the entangled adversary

11 Timeline 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Us Colbeck Pironio+: analysis & experiment. I started working in quantum information. 00…00… 11…11… 0101 1111 Pironio+ started

12 Timeline 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Us Colbeck Pironio+, Fehr+, Coudron+ proved security against unentangled adversary. Methods: Classical statistical arguments (e.g., Azuma’s inequality). 00…00… 11…11… 0101 1111 Pironio+ Fehr+ Coudron+ started

13 Timeline 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Us Colbeck Vazirani-Vidick proved full security against an entangled adversary (no error tolerance). Method: Insecurity implies communication paradox. 00…00… 11…11… 0101 1111 Pironio+ started Pironio+ Fehr+ Vazirani+ Coudron+

14 Timeline 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Us Colbeck We proved full security, with error-tolerance >1.4%. Method: Constraints on X |-> Tr [ X 1+  ] for adversary-output states. 00…00… 11…11… 0101 1111 Pironio+ started Pironio+ Fehr+ Vazirani+ Coudron+ Miller+

15 Timeline 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Us Colbeck Coudron+ and Chung+ proved unbounded rate of expansion. Pironio+ started Pironio+ Fehr+ Vazirani+ Coudron+ Chung+ 11011 1010010001011101010001011101101010001111111010100010 …. Miller+ 00…00… 11…11… 0101 1111

16 Timeline 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Us Colbeck Coudron+ and Chung+ proved unbounded rate of expansion. Our current paper: Covers all nonlocal games, maximal noise tolerance. 00…00… 11…11… 0101 1111 Pironio+ started Pironio+ Fehr+ Vazirani+ Coudron+ Miller+ Coudron+ Chung+

17

18 Randomness Expansion 11011 1010010001011101010001011101101010001111111010100010 …. [Several authors]: Security proof against an unentangled adversary. Small resources, high rate Not fully secure Let G = nonlocal game, a = fixed input. 1.Run the device N times. During “game rounds,” play G. Otherwise, just input a. 2.If the average score during game rounds was < C, abort. 3.Otherwise, apply randomness extractor. 0010000000000100000000 0010000010000100000100 11011101 01110111 Game rounds occur with probability  The spot-checking protocol (Coudron-Vidick-Yuen 2013, Vazirani-Vidick 2012)

19 Randomness Expansion 11011 1010010001011101010001011101101010001111111010100010 …. [Several authors]: Security proof against an unentangled adversary. Small resources, high rate Not fully secure Let G = nonlocal game, a = fixed input. 1.Run the device N times. During “game rounds,” play G. Otherwise, just input a. 2.If the average score during game rounds was < C, abort. 3.Otherwise, apply randomness extractor. 0010000000000100000000 0010000010000100000100 11011101 01110111 Game rounds occur with probability  The spot-checking protocol (Coudron-Vidick-Yuen 2013, Vazirani-Vidick 2012) Let W G,a = optimal score among devices that are deterministic on a. Thm (CVY 13): The protocol is secure against an unentangled adversary if C > W G,a. Thm (MS 15): The protocol is secure against any adversary if C > W G,a. Best possible!

20 Randomness Expansion 11011 1010010001011101010001011101101010001111111010100010 …. [Several authors]: Security proof against an unentangled adversary. noise threshold vs. # of random bits per round How much randomness (MS 15) W G,a WGWG

21

22 Randomness Expansion [Several authors]: Security proof against an unentangled adversary. A Mathematical Preliminary Consider the function f(X) = Tr [ |X| 1+  ]. - If X is a density operator, f measures how deterministic X is. (Smaller = more random.) - f is “almost” a norm on Hermitian operators.

23 Randomness Expansion [Several authors]: Security proof against an unentangled adversary. The function Tr [ |X| 1+  ] is uniformly convex. [Ball+ 94] 11011 1010010001011101010001011101101010001111111010100010 …. S T (S+T)/2 Gap is  A Mathematical Preliminary

24 Randomness Expansion [Several authors]: Security proof against an unentangled adversary. Consequence [MS 15]: Suppose  ’ is the result of a binary measurement. The more disturbance caused by a measurement, the more randomness it adds. Call this the ( 1+  uncertainty principle. 11011 1010010001011101010001011101101010001111111010100010 …. ’’  U  U * Gap = increase in randomness. A Mathematical Preliminary

25 Randomness Expansion 11011 1010010001011101010001011101101010001111111010100010 …. [Several authors]: Security proof against an unentangled adversary. Small resources, high rate Not fully secure Let G = nonlocal game, a = fixed input. 1.Run the device N times. During “game rounds,” play G. Otherwise, just input a. 2.If the average score during game rounds was < C, abort. 3.Otherwise, apply randomness extractor. 0010000000000100000000 0010000010000100000100 11011101 01110111 How do we prove security for this protocol?

26 Randomness Expansion 11011 1010010001011101010001011101101010001111111010100010 …. [Several authors]: Security proof against an unentangled adversary. Small resources, high rate Not fully secure Let G = nonlocal game, a = fixed input. 1.Run the device N times. During “game rounds,” play G. Otherwise, just input a. 2.If the average score during game rounds was < C, abort. 3.Otherwise, apply randomness extractor. 0010000000000100000000 0010000010000100000100 11011101 01110111 How do we prove security for this protocol? A starting point: Suppose  is a function such that any device satisfies H ( output | input = a) >=  (P ( win )) Prop (easy): In the non-adversarial IID case, the protocol produces at least  ( C) N extractable bits.  “simple rate curve”

27 Randomness Expansion 11011 1010010001011101010001011101101010001111111010100010 …. [Several authors]: Security proof against an unentangled adversary. What about non-IID? Compare: * von Neumann entropy (H) * Renyi entropy (H 1   H 1  proves extractable bits in the non-IID case! But it’s hard to relate to the winning probability. 1 1+  ?!! P ( win )

28 Randomness Expansion 11011 1010010001011101010001011101101010001111111010100010 …. [Several authors]: Security proof against an unentangled adversary. What about non-IID? Compare: * von Neumann entropy (H) * Renyi entropy (H 1   H 1  proves extractable bits in the non-IID case! But it’s hard to relate to the winning probability. Def: the (1+  )-winning probability of a device is where  = adversary’s state. 1 1+  P ( win ) P 1  (win )

29 Randomness Expansion 11011 1010010001011101010001011101101010001111111010100010 …. [Several authors]: Security proof against an unentangled adversary. What about non-IID? Def:  is a strong rate curve for the game G on input a if for all devices D, H 1  (output on input a | adversary ) is greater than or equal to   (P 1  (win )) + O dev.-ind. (  Thm [MS 15]: If  is a strong rate curve, then the spot-checking protocol produces N  (C) extractable bits. (N = # of rounds, C = noise threshold.) 1 1+  P ( win ) P 1  (win )

30 Randomness Expansion 11011 1010010001011101010001011101101010001111111010100010 …. [Several authors]: Security proof against an unentangled adversary. How do we prove strong rate curves? Want: High P 1  (win ) implies high H 1 . Create a new device by pre-measuring w/ input a. If this brings the score down significantly, then a significant amount of state disturbance has occurred. ( 1+  uncertainty principle says that randomness was generated! So if P 1+  (win) is significantly larger than W G,a, we have randomness. Pre-apply the measurement for input a. P 1+  (win) <= W G,a P 1+  (win) vs.

31 Randomness Expansion 11011 1010010001011101010001011101101010001111111010100010 …. [Several authors]: Security proof against an unentangled adversary. The universal rate curves W G,a WGWG Thm: For any (G,a) the function is a strong rate curve. Noise tolerance for CHSH game: 10.3%!

32

33 Randomness Expansion [Several authors]: Security proof against an unentangled adversary. Device-independent Quantum Key Distribution Our proof can be adapted to give another proof of DI-QKD. 1. Do step 1 of the spot-checking protocol. Communicate to check score. 11011 1010010001011101010001011101101010001111111010100010 …. 010011101… 110110000…

34 Randomness Expansion [Several authors]: Security proof against an unentangled adversary. Device-independent Quantum Key Distribution Our proof can be adapted to give another proof of DI-QKD. 1. Do step 1 of the spot-checking protocol. Communicate to check score. 2. Have Alice make an optimal guess at Bob’s bits using her bits. 11011 1010010001011101010001011101101010001111111010100010 …. 010011101… 011011100…

35 Randomness Expansion [Several authors]: Security proof against an unentangled adversary. Device-independent Quantum Key Distribution Our proof can be adapted to give another proof of DI-QKD. 1. Do step 1 of the spot-checking protocol. Communicate to check score. 2. Have Alice make an optimal guess at Bob’s bits using her bits. 3. Perform information reconciliation. 11011 1010010001011101010001011101101010001111111010100010 …. 010011101…

36 Randomness Expansion [Several authors]: Security proof against an unentangled adversary. Device-independent Quantum Key Distribution Our proof can be adapted to give another proof of DI-QKD. 1. Do step 1 of the spot-checking protocol. Communicate to check score. 2. Have Alice make an optimal guess at Bob’s bits using her bits. 3. Perform information reconciliation. 4. Perform randomness extraction. This works if step 1 generates more entropy than is lost at step 3. 11011 1010010001011101010001011101101010001111111010100010 …. 111011100…

37

38 Randomness Expansion 11011 1010010001011101010001011101101010001111111010100010 …. [Several authors]: Security proof against an unentangled adversary. Prove the best possible rate curves W G,a WGWG We have two families of rate curves, neither optimal. What are the best rate curves? Can we match the classical- adversary rate curves?

39 Randomness Expansion 11011 1010010001011101010001011101101010001111111010100010 …. [Several authors]: Security proof against an unentangled adversary. Parallel randomness expansion Give inputs to the boxes all at once. Can we still verify randomness? 011010 110101110 111011010 001000100 001001101 01101011 111101 010100101 101010111 101011111 010101010 00100000 0010010 101110101 000000001 101111011 010111010 010010 010111 10101000 111110000 010101010 010101101 01100000

40 Randomness Expansion [Several authors]: Security proof against an unentangled adversary.

41

Download ppt "The question Can we generate provable random numbers? 10110111101101000010010001111101001001001001111010100 …. ?"

Similar presentations

Ulams Game and Universal Communications Using Feedback Ofer Shayevitz June 2006.

Ulams Game and Universal Communications Using Feedback Ofer Shayevitz June 2006.
Robust device independent randomness amplification with few devices F.G.S.L Brandao 1, R. Ramanathan 2 A. Grudka 3, K. 4, M. 5,P. 6 Horodeccy 1 Department.

Robust device independent randomness amplification with few devices F.G.S.L Brandao 1, R. Ramanathan 2 A. Grudka 3, K. 4, M. 5,P. 6 Horodeccy 1 Department.
The Contest between Simplicity and Efficiency in Asynchronous Byzantine Agreement Allison Lewko The University of Texas at Austin TexPoint fonts used in.

The Contest between Simplicity and Efficiency in Asynchronous Byzantine Agreement Allison Lewko The University of Texas at Austin TexPoint fonts used in.
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
Tony Short University of Cambridge (with Sabri Al-Safi – PRA 84, 042323 (2011))

Tony Short University of Cambridge (with Sabri Al-Safi – PRA 84, (2011))
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:

Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
I NFORMATION CAUSALITY AND ITS TESTS FOR QUANTUM COMMUNICATIONS I- Ching Yu Host : Prof. Chi-Yee Cheung Collaborators: Prof. Feng-Li Lin (NTNU) Prof. Li-Yi.

I NFORMATION CAUSALITY AND ITS TESTS FOR QUANTUM COMMUNICATIONS I- Ching Yu Host : Prof. Chi-Yee Cheung Collaborators: Prof. Feng-Li Lin (NTNU) Prof. Li-Yi.
Robust Randomness Expansion Upper and Lower Bounds Matthew Coudron, Thomas Vidick, Henry Yuen arXiv:1305.6626.

Robust Randomness Expansion Upper and Lower Bounds Matthew Coudron, Thomas Vidick, Henry Yuen arXiv:
Gillat Kol (IAS) joint work with Ran Raz (Weizmann + IAS) Interactive Channel Capacity.

Gillat Kol (IAS) joint work with Ran Raz (Weizmann + IAS) Interactive Channel Capacity.
Quantum Cryptography ( EECS 598 Presentation) by Amit Marathe.

Quantum Cryptography ( EECS 598 Presentation) by Amit Marathe.
The Unique Games Conjecture with Entangled Provers is False Julia Kempe Tel Aviv University Oded Regev Tel Aviv University Ben Toner CWI, Amsterdam.

The Unique Games Conjecture with Entangled Provers is False Julia Kempe Tel Aviv University Oded Regev Tel Aviv University Ben Toner CWI, Amsterdam.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
Online Scheduling with Known Arrival Times Nicholas G Hall (Ohio State University) Marc E Posner (Ohio State University) Chris N Potts (University of Southampton)

Online Scheduling with Known Arrival Times Nicholas G Hall (Ohio State University) Marc E Posner (Ohio State University) Chris N Potts (University of Southampton)
Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.

Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.
Derandomized parallel repetition theorems for free games Ronen Shaltiel, University of Haifa.

Derandomized parallel repetition theorems for free games Ronen Shaltiel, University of Haifa.
Short course on quantum computing Andris Ambainis University of Latvia.

Short course on quantum computing Andris Ambainis University of Latvia.
Some Limits on Non-Local Randomness Expansion Matt Coudron and Henry Yuen 6.845 12/12/12 God does not play dice. --Albert Einstein Einstein, stop telling.

Some Limits on Non-Local Randomness Expansion Matt Coudron and Henry Yuen /12/12 God does not play dice. --Albert Einstein Einstein, stop telling.
Outline 1.Introduction 2.The Framework of Untrusted-Device Extraction. 3.Our results 4.Proof Techniques: Miller-Shi 5.Proof Techniques: Chung-Shi-Wu 6.Further.

Outline 1.Introduction 2.The Framework of Untrusted-Device Extraction. 3.Our results 4.Proof Techniques: Miller-Shi 5.Proof Techniques: Chung-Shi-Wu 6.Further.
Computability and Complexity 20-1 Computability and Complexity Andrei Bulatov Random Sources.

Computability and Complexity 20-1 Computability and Complexity Andrei Bulatov Random Sources.

Similar presentations

Ads by Google