What are the minimal assumptions needed for infinite randomness expansion? Henry Yuen (MIT) Stellenbosch, South Africa 27 October 2015.


1 What are the minimal assumptions needed for infinite randomness expansion? Henry Yuen (MIT) Stellenbosch, South Africa 27 October 2015

2 Certified randomness expansion is an answer to the following question: How do we know we have seen randomness?

3 Like all non-trivial epistemological questions, the answer must rely on some underlying assumptions. “I think, therefore I am (… but that’s about it)”

4 Certified randomness expansion is an answer to the following question: How do we know we have seen randomness? Goal : derive the most interesting answers to this, while minimizing our assumptions.

5 The hierarchy of randomness expansion (result: assumptions)
Nothing: ?
Exponential expansion: ?
Strong security against eavesdroppers: ?
Infinite randomness expansion: ?

6 0 1 1 0 1 1 1 0..

7 1 0 1 0 0 1 0 1..

8 1 1 1 1..

9 0 0 0 0..

10 0 0 0 0.. Cannot a priori certify whether outputs are random or not. Need additional assumptions!

11 1101001 If we assume:
- Initial seed randomness
- Boxes are not able to communicate.
Then randomness certification becomes possible.

12 1101001 Clauser-Horne-Shimony-Holt game:
1. Experimenter chooses random bits x, y
2. Sends x to 1st box and y to 2nd box simultaneously
3. 1st box answers with bit a, 2nd box answers with bit b
4. Experimenter checks if a + b = x ∧ y
Optimal deterministic success probability: 75%
Suppose boxes win CHSH with > 75% chance. Conclusion: a, b must be random!

13 Spooky action at a distance. Boxes with success probability > 75% exist in a world governed by (at least) QM. Optimal quantum strategy: ≈ 85.4%
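The 75% and 85.4% figures quoted on slides 12 and 13 can be checked directly. The following is an added example, not part of the talk: it enumerates all 16 deterministic strategies, evaluates the standard optimal quantum strategy on the state (|00> + |11>)/sqrt(2), and confirms that box 1's output distribution does not depend on y (no signaling). The measurement angles and all function names are assumptions of this example; the slides give only the resulting values.

```python
import itertools
import math

def chsh_win(a, b, x, y):
    """CHSH win condition from the slide: a + b = x AND y (addition mod 2)."""
    return (a ^ b) == (x & y)

def best_deterministic():
    """Best success probability over all 16 deterministic strategies a=f(x), b=g(y)."""
    best = 0.0
    for f in itertools.product((0, 1), repeat=2):      # f[x] is box 1's answer
        for g in itertools.product((0, 1), repeat=2):  # g[y] is box 2's answer
            wins = sum(chsh_win(f[x], g[y], x, y) for x in (0, 1) for y in (0, 1))
            best = max(best, wins / 4)
    return best

def basis(theta, outcome):
    """Real measurement vector for `outcome` in the basis rotated by theta."""
    if outcome == 0:
        return (math.cos(theta), math.sin(theta))
    return (-math.sin(theta), math.cos(theta))

# Standard optimal angles (assumed here; not stated on the slides).
BOX1 = {0: 0.0, 1: math.pi / 4}
BOX2 = {0: math.pi / 8, 1: -math.pi / 8}

def joint(a, b, x, y):
    """Born rule on (|00> + |11>)/sqrt(2): P(a,b|x,y) = (v_a . w_b)^2 / 2."""
    v, w = basis(BOX1[x], a), basis(BOX2[y], b)
    return (v[0] * w[0] + v[1] * w[1]) ** 2 / 2

def quantum_win():
    """Success probability when x, y are uniformly random."""
    return sum(joint(a, b, x, y)
               for x, y, a, b in itertools.product((0, 1), repeat=4)
               if chsh_win(a, b, x, y)) / 4

def box1_marginal(a, x, y):
    """P(a | x, y); no signaling means this cannot depend on y."""
    return joint(a, 0, x, y) + joint(a, 1, x, y)

if __name__ == "__main__":
    print("best deterministic:", best_deterministic())
    print("quantum strategy:  ", round(quantum_win(), 4))
    print("P(a=0 | x=0, y):   ", [round(box1_marginal(0, 0, y), 4) for y in (0, 1)])
```

Each box's output bit is uniform on its own for every input pair, yet the pair wins more often than any deterministic assignment can, which is the gap the certification argument relies on.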

14 1101001 Expanding randomness
1. Use m-bit seed to generate CHSH inputs (x_1, y_1), …, (x_N, y_N), with N >> m.
2. Play CHSH N times, getting outputs (a_1, b_1), …, (a_N, b_N).
3. Accept if boxes win ≥ 85% of games.
4. Post-process outputs using randomness extractor to produce (z_1, …, z_N').
Theorem: If Pr[boxes pass] > , then (z_1, …, z_N') is ε-close to uniform on N' bits.
[Figure: input strings x_1, x_2, …, x_N and y_1, y_2, …, y_N, and the boxes' output bits]

15 1101001 Theorem: If Pr[boxes pass] > , then (z_1, …, z_N') is ε-close to uniform on N' bits.
Roger Colbeck, PhD thesis, 2009: Obtained N = (m). Linear expansion
Pironio, Acin, Massar, et al., Nature 2010: Obtained N = (m^2). Quadratic expansion
Vazirani, Vidick, STOC 2012: Obtained N = exp((m^(1/3))). Exponential expansion
Assumptions:
- Seed randomness
- Boxes cannot communicate

16 The hierarchy of randomness expansion (result: assumptions)
Nothing: No assumptions
Exponential expansion: 1. Initial randomness 2. No signaling

17 Security against eavesdroppers

18 Device-independent paradigm: can certify randomness even if RNG devices are adversarial! Next goal: Certify randomness that is secure against eavesdroppers.

19 Security against eavesdroppers Possible if we assume quantum mechanics! Assume there is an underlying quantum state, and outcome probabilities are described by local measurements on the state.

20 Security against eavesdroppers Possible if we assume quantum mechanics! [Vazirani, Vidick STOC 2012]: Exponential randomness expansion with quantum security. [Miller, Shi STOC 2014]: Simpler, robust protocol, and with much stronger parameters.

21 Security against eavesdroppers Key enabler of quantum security: “monogamy of entanglement” Basic idea: Optimal quantum strategy for CHSH Outputs are independent of the rest of the universe! Assumption:

22 Strong security against eavesdroppers Outputs are secure even when inputs are prepared by adversary! Assumption: [Coudron, Y. STOC 2014]: Gave a strong randomness expansion protocol. [Chung, Shi, Wu QIP 2014]: Equivalence Lemma shows all secure expansion protocols are automatically strongly secure! Note: not possible with classical randomness extractors!

23 Strong security against eavesdroppers Assumptions:
1. Initial seed is uncorrelated with boxes
2. Boxes and adversary are mutually non-signaling
3. Boxes and adversary obey quantum mechanics. Do we really need this?

24 Strong security against eavesdroppers Can we only assume non-signaling? Not known yet. It’s plausible that this is impossible: there are limitations on, e.g. privacy amplification in the non-signaling model [Arnon-Friedman, Hanggi, Ta-Shma]

25 The hierarchy of randomness expansion (result: assumptions)
Nothing: No assumptions
Exponential expansion: 1. Initial randomness 2. No signaling
Strong security against eavesdroppers: 1. Initial randomness 2. No signaling 3. Quantum mechanics

26 Infinite randomness expansion

27 The infinite randomness expansion question: Is there a protocol P involving a fixed number of boxes, using m ≥ m_0 bits of seed, that can certify N bits of (approximately) uniform randomness, for any N?

28 P = e.g. Vazirani-Vidick or Miller-Shi exponential expansion protocol. [Figure: an m-bit seed fed through a chain of P's; output lengths 2^m, 2^(2^m), 2^(2^(2^m)), …]

29 Can we do it non-adaptively? [Figure labels: P, m-bit seed, N-bit output] Unlikely. [Coudron-Vidick-Y. 2013]: For a wide class of protocols, there is a limit f(m) = exp(exp(m)) in the amount of certifiable randomness! Limitation applies to all non-adaptive protocols we know of! Idea: if seed is too small, after too many rounds, the input patterns become predictable and the players can recycle answers, producing no additional randomness.

30 Adaptive protocols, take #1. P = randomness expansion protocol. [Figure labels: P, m-bit seed, f(m)-bit output]

31 Adaptive protocols, take #1. P = randomness expansion protocol. [Figure labels: P, f(m)-bit seed, f(f(m))-bit output, …ad infinitum] Unclear this works. The boxes in P could memorize their outputs and take advantage of that in the next iteration!

32 Adaptive protocols, take #2. P = randomness expansion protocol. [Figure labels: P, m-bit seed, f(m)-bit output; P, f(f(m))-bit output]

33 Adaptive protocols, take #2. P = randomness expansion protocol. [Figure labels: P blocks with f(f(m))-bit output and f(f(f(m)))-bit output] This output is secure against 1st because of strong security!

34 Adaptive protocols, take #2. P = randomness expansion protocol. [Figure labels: P blocks with f(f(f(m)))-bit output] After i iterations, conditioned on not aborting, the output of this protocol is f^(i)(m) bits that is ε_1 + ε_2 + ε_3 + … ≤ ε close to uniform in statistical distance. Number of boxes: 4 … [Coudron-Y, Miller-Shi, Chung-Shi-Wu 2014] Infinite randomness expansion is possible!

35 m_0 [Gross, Aaronson 2014]: Using the Miller-Shi expansion protocol,

36 m_0 715,000 bits of uniform seed are sufficient to “jump start” infinite randomness expansion, to get output within distance ε = 10^-6 to uniform. [arxiv:1410.8019]

37 Revisiting the non-signaling assumption. Adaptivity means we can’t rely on spatial separation to enforce non-signaling. By triangle inequality, distance from P1 → P2 is less than P1 → Experimenter → P2. So if the protocol is adaptive, P1 could signal to P2, in principle!

38 Revisiting the non-signaling assumption. This was also a problem for “non-adaptive” randomness expansion, because the experimenter wanted to use the randomness for e.g., cryptography. Maybe we should just assume Faraday cages suffice for enforcing non-signaling…

39 Revisiting the non-signaling assumption. This was also a problem for “non-adaptive” randomness expansion, because the experimenter wanted to use the randomness for e.g., cryptography. Maybe we should just assume Faraday cages suffice for enforcing non-signaling… I’m not ready to call it quits just yet…

40 Crazy Idea No. 1 Let’s assume General Relativity! Can we manipulate the geometry of space and time to control the propagation of information? – i.e. can we simulate “secure lines of communication”?

41 Crazy Idea No. 1 PP

44 Crazy Idea No. 2 Use ideas from relativistic bit commitment? Commit phase

45 Crazy Idea No. 2 Use ideas from relativistic bit commitment? Sustain phase

46 Crazy Idea No. 2 Use ideas from relativistic bit commitment? Open phase

47 The hierarchy of randomness expansion (result: assumptions)
Nothing: No assumptions
Exponential expansion: 1. Initial randomness 2. No signaling
Strong security against eavesdroppers: 1. Initial randomness 2. No signaling 3. Quantum mechanics
Infinite randomness expansion: 1. Initial randomness 2. (Enforced) No signaling 3. Quantum mechanics

48 The hierarchy of randomness expansion (result: assumptions)
Nothing: No assumptions
Exponential expansion: 1. Initial randomness 2. No signaling
Strong security against eavesdroppers: 1. Initial randomness 2. No signaling 3. Quantum mechanics
Infinite randomness expansion: 1. Initial randomness 2. General relativity? 3. Quantum mechanics

49 Open questions Can we prove non-signaling security of randomness expansion protocols? Can we replace “enforced no-signaling” with assuming General Relativity, or use some scheme like sustained relativistic bit commitment? Minimum requirements on initial seed randomness?

50 Open questions Can we prove non-signaling security of randomness expansion protocols? Can we replace “enforced no-signaling” with assuming General Relativity, or use some scheme like sustained relativistic bit commitment? Minimum requirements on initial seed randomness? Thanks!