A Tight High-Order Entropic Quantum Uncertainty Relation with Applications Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Renato Renner (ETH Zürich,

Slides:



Advertisements
Similar presentations
Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.
Advertisements

1 A B C
Scenario: EOT/EOT-R/COT Resident admitted March 10th Admitted for PT and OT following knee replacement for patient with CHF, COPD, shortness of breath.
Angstrom Care 培苗社 Quadratic Equation II
AP STUDY SESSION 2.
1
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Processes and Operating Systems
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
David Burdett May 11, 2004 Package Binding for WS CDL.
1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.
Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×
Local Customization Chapter 2. Local Customization 2-2 Objectives Customization Considerations Types of Data Elements Location for Locally Defined Data.
Process a Customer Chapter 2. Process a Customer 2-2 Objectives Understand what defines a Customer Learn how to check for an existing Customer Learn how.
Custom Statutory Programs Chapter 3. Customary Statutory Programs and Titles 3-2 Objectives Add Local Statutory Programs Create Customer Application For.
CALENDAR.
1 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt BlendsDigraphsShort.
1 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt RhymesMapsMathInsects.
PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.
Chapter 7 Sampling and Sampling Distributions
1 Click here to End Presentation Software: Installation and Updates Internet Download CD release NACIS Updates.
Break Time Remaining 10:00.
This module: Telling the time
Turing Machines.
Table 12.1: Cash Flows to a Cash and Carry Trading Strategy.
PP Test Review Sections 6-1 to 6-6
1 The Blue Café by Chris Rea My world is miles of endless roads.
Bright Futures Guidelines Priorities and Screening Tables
EIS Bridge Tool and Staging Tables September 1, 2009 Instructor: Way Poteat Slide: 1.
Bellwork Do the following problem on a ½ sheet of paper and turn in.
CS 6143 COMPUTER ARCHITECTURE II SPRING 2014 ACM Principles and Practice of Parallel Programming, PPoPP, 2006 Panel Presentations Parallel Processing is.
Operating Systems Operating Systems - Winter 2010 Chapter 3 – Input/Output Vrije Universiteit Amsterdam.
Exarte Bezoek aan de Mediacampus Bachelor in de grafische en digitale media April 2014.
Copyright © 2012, Elsevier Inc. All rights Reserved. 1 Chapter 7 Modeling Structure with Blocks.
1 RA III - Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Buenos Aires, Argentina, 25 – 27 October 2006 Status of observing programmes in RA.
Basel-ICU-Journal Challenge18/20/ Basel-ICU-Journal Challenge8/20/2014.
1..
Adding Up In Chunks.
MaK_Full ahead loaded 1 Alarm Page Directory (F11)
1 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt Synthetic.
Artificial Intelligence
Subtraction: Adding UP
: 3 00.
5 minutes.
1 hi at no doifpi me be go we of at be do go hi if me no of pi we Inorder Traversal Inorder traversal. n Visit the left subtree. n Visit the node. n Visit.
Prof.ir. Klaas H.J. Robers, 14 July Graduation: a process organised by YOU.
1 Let’s Recapitulate. 2 Regular Languages DFAs NFAs Regular Expressions Regular Grammars.
Speak Up for Safety Dr. Susan Strauss Harassment & Bullying Consultant November 9, 2012.
Essential Cell Biology
Converting a Fraction to %
Clock will move after 1 minute
PSSA Preparation.
Essential Cell Biology
Immunobiology: The Immune System in Health & Disease Sixth Edition
Physics for Scientists & Engineers, 3rd Edition
Energy Generation in Mitochondria and Chlorplasts
30.1 Chapter 30 Cryptography Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Select a time to count down from the clock above
Murach’s OS/390 and z/OS JCLChapter 16, Slide 1 © 2002, Mike Murach & Associates, Inc.
Distributed Computing 9. Sorting - a lower bound on bit complexity Shmuel Zaks ©
1 Decidability continued…. 2 Theorem: For a recursively enumerable language it is undecidable to determine whether is finite Proof: We will reduce the.
A Tight High-Order Entropic Quantum Uncertainty Relation with Applications Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Renato Renner (University.
Christian Schaffner CWI Amsterdam, Netherlands Quantum Cryptography beyond Key Distribution Workshop on Post-Quantum Security Models Paris, France Tuesday,
Cryptography In the Bounded Quantum-Storage Model Christian Schaffner, BRICS University of Århus, Denmark ECRYPT Autumn School, Bertinoro Wednesday, October.
Cryptography In the Bounded Quantum-Storage Model Christian Schaffner, BRICS University of Århus, Denmark 9 th workshop on QIP 2006, Paris Tuesday, January.
Christian Schaffner CWI Amsterdam, Netherlands Quantum Cryptography beyond Key Distribution Tropical QKD Waterloo, ON, Canada Wednesday, 16 June 2010.
Cryptography In the Bounded Quantum-Storage Model
Presentation transcript:

A Tight High-Order Entropic Quantum Uncertainty Relation with Applications Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Renato Renner (ETH Zürich, CH) Ivan Damgård, Louis Salvail (University of Århus, DK) QIP 2008, Delhi, India Thursday, December 20 th 2007

Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Ivan Damgård, Louis Salvail (University of Århus, DK) Secure Identification and QKD in the Bounded-Quantum-Storage Model QIP 2008, Delhi, India Thursday, December 20 th 2007

3 / 42 ~1970: Birth of Quantum Cryptography …

4 / Oblivious Transfer S C S 0 ; S 1 C 2 f 0 ; 1 g complete for 2-party computation impossible in the plain (quantum) model possible in the Bounded-Quantum-Storage Model OT

5 / 42 (Randomized) 1-2 Oblivious Transfer R an d OT S C S 0 ; S 1 C 2 f 0 ; 1 g complete for 2-party computation impossible in the plain (quantum) model possible in the Bounded-Quantum-Storage Model

6 / 42 Outline Motivation and Notation Quantum Uncertainty Relations Secure Identification Man-In-The-Middle Attacks Conclusion

7 / 42 Quantum Mechanics Notation Measurements: + basis £ basis j 0 i + j 1 i + j 1 i £ j 0 i £ EPR pairs:

8 / 42 ge t X ' Quantum 1-2 OT Protocol j X i £ S 0 ; S 1 F 1 2 R F 1 F 0 2 R F 0 £ ; F 0 ; F 1 S 1 = ? S 0 C = 0 £ 0 = + n Correctness Receiver-Security against Dishonest Alice £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n

9 / 42 Sender-Security? j X i £ S 0 ; S 1 F 1 2 R F 1 F 0 2 R F 0 £ ; F 0 ; F 1 ge t ½ £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n Sender-Security: one of the strings looks completely random to dishonest Bob # qu b i t s < n = 4

10 / 42 ge t Entanglement-Based Protocol S 0 ; S 1 F 1 2 R F 1 F 0 2 R F 0 £ ; F 0 ; F 1 ½ epr ­ n # qu b i t s < n = 4 Sender-Security: One of the strings looks completely random to dishonest Bob £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n ? ? ? ? ?

11 / 42 ge t Entanglement-Based Protocol j X i £ S 0 ; S 1 F 1 2 R F 1 F 0 2 R F 0 £ ; F 0 ; F 1 ½ # qu b i t s < n = 4 Sender-Security: One of the strings looks completely random to dishonest Bob £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n

12 / 42 Sender-Security: One of the strings looks completely random to dishonest Bob £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n ? ? ? ? ? Let Bob Act First F 1 2 R F 1 F 0 2 R F 0 ½ £ ; F 0 ; F 1 ge t epr ­ n / /... # qu b i t s < n = 4 S 0 ; S 1

13 / 42 Sender-Security: One of the strings looks completely random to dishonest Bob Privacy Amplification: ge t £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n ? ? ? ? ? Sender-Security  Uncertainty Relation F 1 2 R F 1 F 0 2 R F 0 ½ £ ; F 0 ; F 1 epr ­ n / /... # qu b i t s < n = 4 [ R enner K Ä on i g 05, R enner 06 ] H 1 ( X j £ ) ¸ ? S 0 ; S 1 H 1 ( X j £ ) |{z} ¸ ? > # qu b i t s |{z} < n = 4

14 / 42 Outline Motivation and Notation Quantum Uncertainty Relations Secure Identification Man-In-The-Middle Attacks Conclusion

15 / 42 Entropic Uncertainty Relation for One Qubit

16 / 42 I ngenera l : H ( ¢ ) ¸ H 1 ( ¢ ) ) H " 1 ( X n j £ ) n ! 1 ¼ n ¢ H ( X i j £ i ) ¸ n = 2 £ 2 R s t a t e f + ; £ g n ½... Quantum Uncertainty Relation needed / / H 1 ( X j £ ) ¸ ? X i i n d epen d en t H ( X i j £ i ) ¸ 1 2 excep t w i t h pro b · " X i : = X 1 ::: X i

17 / 42 £ 2 R s t a t e f + ; £ g n ½... Main Result / / H 1 ( X j £ ) ¸ ? X i d epen d en t H ( X i j £ i ) ¸ 1 2 Q uan t um U ncer t a i n t y R e l a t i on: L e t X = ( X 1 ;:::; X n ) b e t h eou t come. T h en, H " 1 ( X j £ ) & n = 2 w i t h "neg l i g i bl e i nn. H ( X i j £ i ; X i ¡ 1 = x i ¡ 1 ; £ i ¡ 1 = µ i ¡ 1 ) ¸ 1 2

18 / 42 Main Technical Lemma Z 1 ;:::; Z n ( d epen d en t ) ran d omvar i a bl es T h en, H " 1 ( Z ) & n ¢ h w i t h "neg l i g i bl e i nn w i t h H ( Z i j Z i ¡ 1 = z i ¡ 1 ) ¸ h. P roo f : ² i n f orma t i on t h eory ² genera l i ze d C h erno ®b oun d ( A zuma i nequa li t y )

19 / 42 conjugate coding / BB84: £ 2 R s t a t e f + ; £ g n ½... classical technical lemma: instantiate it for various quantum codings: High-Order Entropic Uncertainty Relations H ( Z i j Z i ¡ 1 = z ) ¸ h ) H " 1 ( Z n ) & h n / / H " 1 ( X j £ ) & n = 2

20 / 42 conjugate coding / BB84: three bases / six-state: … classical technical lemma: instantiate it for various quantum codings: High-Order Entropic Uncertainty Relations / / / / £ 2 R s t a t e f + ; £ ; ª g n ½... H " 1 ( X j £ ) & n = 2 H " 1 ( X j £ ) & 2 3 n H ( Z i j Z i ¡ 1 = z ) ¸ h ) H " 1 ( Z n ) & h n

21 / 42 Outline Motivation and Notation Quantum Uncertainty Relation Secure Identification Man-In-The-Middle Attacks Conclusion

22 / 42 Why Secure Identification? I’m Alice my PIN is IMAB52 I want $25 Alright Alice, here you go.

23 / 42 Why Secure Identification? I’m Alice my PIN is IMAB52 I want $25 Sorry, I’m out of order Alice: IMAB52

24 / 42 Why Secure Identification? Alice: IMAB52 I’m Alice my PIN is IMAB52 I want $25,000,000 Alright Alice, here you go.

25 / 42 Secure Evaluation of the Equality PIN-based identification scheme should be a secure evaluation of the equality function A dishonest player can exclude only one possible password = ? W A W B W A ? = W B W A ? = W B

26 / 42 ge t X ' Recall: Quantum 1-2 OT Protocol j X i £ S 0 ; S 1 F 1 2 R F 1 F 0 2 R F 0 £ ; F 0 ; F 1 S 1 = ? S 0 C = 0 £ 0 = + n £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n

27 / 42 C ( 0 ) X ' C ( 1 ) X ' £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n Quantum 1-m OT Protocol j X i £ W 2 W C ( W ) C o d e C : W ! f + ; £ g n

28 / 42 C ( 0 ) X ' C ( 1 ) X ' £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n Quantum 1-m OT Protocol j X i £ S 0 W 2 W C ( W ) C o d e C : W ! f + ; £ g n S 0 £ ; F 0

29 / 42 C ( 0 ) X ' C ( 1 ) X ' £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n Quantum 1-m OT Protocol j X i £ S 0 W 2 W C ( W ) S 1 £ ; F 0 ; F 1 ;::: S 0 ; S 1 ;::: C o d e C : W ! f + ; £ g n £ ; F 0 ; F 1 ;:::

30 / 42 C ( 0 ) X ' C ( 1 ) X ' £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n Quantum 1-m OT Protocol j X i £ S 0 W 2 W C ( W ) S 1 S 0 ; S 1 ;::: C o d e C : W ! f + ; £ g n £ ; F 0 ; F 1 ;::: £ ; F 0 ; F 1 ;:::

31 / 42 Idea correct dishonest Bob can learn at most one S W and compare it with (the random) S W. He can at most exclude his W. Dishonest Alice learns nothing about W by the OT  but can e.g. set all S i = 0, then send S W = 0 R an d 1 -m OT S 0 ; S 1 ;:::; S m ¡ 1 W 2 f 0 ; 1 ;:::; m ¡ 1 g W 2 f 0 ; 1 ;:::; m ¡ 1 g WS W S W S W ? = S W W 2 f 0 ; 1 ;:::; m ¡ 1 g W 2 f 0 ; 1 ;:::; m ¡ 1 g W 2 f 0 ; 1 ;:::; m ¡ 1 g

32 / 42 T W : = g ( W ) © S W Dishonest Alice learns nothing about W by the OT with high probability: all T i are different Alice has to guess the right T W Dishonest Alice S W g g 2 R G : W ! f 0 ; 1 g ` T W ? = g ( W ) © S W strongly universal R an d 1 -m OT W 2 f 0 ; 1 ;:::; m ¡ 1 g WS 0 ; S 1 ;:::; S m ¡ 1 W = ? ) S W ? = S W

33 / 42 Properties of the Basic Scheme efficient: n qubits, 3 classical messages, honest players do not require quantum memory provably secure against:  unbounded dishonest user Alice  dishonest server Bob with quantum memory < n/11  both have unbounded computing power and classical memory can be extended to tolerate noise, therefore implementable with current technology OT P i n W P i n W

34 / 42 Outline Motivation and Notation Quantum Uncertainty Relation Secure Identification Man-In-The-Middle Attacks Conclusion

35 / 42 Dishonest Alice or Bob can only exclude one possible PIN W Eve learns nothing about W ? Extension: Man-in-the-Middle Attack P i n WP i n W  nontrivial K ey KK ey K

36 / 42 Dishonest Alice or Bob can only exclude one possible PIN W, even given key K Eve learns nothing about W and only negligible information about key K Extension: Man-in-the-Middle Attack P i n WP i n W K ey KK ey K

37 / 42 Application: QKD au t h K ( ¢ ) = ( K 0 ; SK ) = ( K 0 ; SK ) au t h K 0 ( ¢ ) K ey KK ey K

38 / 42 Problem: Eve interferes with communication au t h K ( ¢ ) = ( K 0 ; SK ) = ( K 0 ; SK ) au t h K 0 ( ¢ ) honest players run out of authentication key secure QKD no longer possible K ey KK ey K

39 / 42 Solution: QKD based on Secure Identification au t h K ( ¢ ) P i n WP i n W = ? = ? K and W remain secure, can be re-used over and over again, even if scheme is disrupted Losing key K does not compromise security (if loss is noticed) BUT: security holds only against a quantum-memory bounded eavesdropper K ey KK ey K

40 / 42 High-order entropic quantum uncertainty relations : Bounded-Quantum-Storage Model:  Oblivious Transfer: Non-interactive, practical protocols for 1-2 OT and Bit Commitment secure according to strong security definitions.  Secure PIN-based Identification: dito non-trivial extension to handle man-in-the-middle attacks Conclusion H " 1 ( X j £ ) ¸ 2 3 n H " 1 ( X j £ ) ¸ n = 2,

41 / 42 High-order entropic quantum uncertainty relations: Quantum Key Distribution: ( assuming quantum-memory bounded Eve)  security proofs: for higher error rates (=longer distances)  robustness: Eve cannot make parties run out of authentication key Conclusion H " 1 ( X j £ ) ¸ 2 3 n H " 1 ( X j £ ) ¸ n = 2,

42 / 42 Thanks to you! Follow-up work [Wehner, Terhal, S]: a step closer to reality: Cryptography from Noisy Photonic Storage see poster and

43 / 42 name d e ¯ n i t i on H 0 ( Z ) l og ¯ ¯ f z j P Z ( z ) > 0 g ¯ ¯ n H ( Z ) ¡ P z P Z ( z ) l og ( P Z ( z )) ¼ n H 1 ( Z ) ¡ l og ( max z P Z ( z )) n = 2 Entropies H 1 · H · H 0 … ¼ 2 ¡ n |{z} 2 n ¡ 1 2 ¡ n 2 Z P Z Z ran d omvar i a bl eover f 0 ; 1 g n l ower b oun d on H 6 ) l ower b oun d on H 1

44 / 42 … ¼ 2 ¡ n |{z} 2 n ¡ 1 2 ¡ n 2 Z P Z Smooth Min-Entropy  " f or" = 2 ¡ n 2 Z ran d omvar i a bl eover f 0 ; 1 g n

45 / 42 Smooth Min-Entropy [ R enner W o lf 05 ] Z i : = Z 1 ;:::; Z i Z ran d omvar i a bl eover f 0 ; 1 g n H " 1 ( Z ) : = max P r [ E ] ¸ 1 ¡ " H 1 ( Z E ) Z i : = Z 1 ;:::; Z i

46 / 42 £ 2 R s t a t e f + ; £ g n ½... Proof of Quantum Uncertainty Relation Z i : = ( X i ; £ i ) MU : ½ 1 -qu b i t s t a t e: H ( X 0 j £ 0 ) ¸ 1 2 / / T h m: H ( Z i j Z i ¡ 1 = z ) ¸ h ) H " 1 ( Z n ) & h n Q uan t um U ncer t a i n t y R e l a t i on: L e t X = ( X 1 ;:::; X n ) b e t h eou t come. T h en, H " 1 ( X j £ ) & n = 2 w i t h "neg l i g i bl e i nn. H ( Z i j Z i ¡ 1 = z ) = H ( X i j £ i ; Z i ¡ 1 = z ) + H ( £ i j Z i ¡ 1 = z ) ¸ = : h : H " 1 ( X j £ ) ¼ H " 1 ( Z n ) ¡ H 0 ( £ ) & n = 2 + n ¡ n :

47 / 42 Tight? MU : ½ 1 -qu b i t s t a t e: H ( X 0 j £ 0 ) ¸ 1 2 H ( X j £ ) = 1 2 ¡ H ( X j £ = + ) |{z} = 0 + H ( X j £ = £ ) |{z} = 1 ¢ = 1 2 : £ 2 R s t a t e f + ; £ g n ½... / / Q uan t um U ncer t a i n t y R e l a t i on: L e t X = ( X 1 ;:::; X n ) b e t h eou t come. T h en, H " 1 ( X j £ ) & n = 2 w i t h "neg l i g i bl e i nn. F or t h epures t a t e j 0 i ­ n, t h e X are i n d epen d en t an d we k now t h a t H " 1 ( X j £ ) n ! 1 ¼ H ( X j £ ) = n = 2.

48 / 42 £ 2 R s t a t e f + ; £ g n ½... £ 2 R s t a t e f + n ; £ n g ½ Comparison to Previous Bound / / P rev i ous: T h ereex i s t saneven t E w i t h P r [ E ] & 1 2 suc h t h a t H 1 ( X j E ; £ ) ¸ n = 2 : N ew: H " 1 ( X j £ ) & n = 2 w i t h neg l i g i bl e" 8 µ 2 f + ; £ g n 9 even t E µ w i t h 2 ¡ n P µ P r [ E µ ] ¼ 1 an d H 1 ( X j E µ ; £ = µ ) & n = 2 :

49 / 42 Bounded-Quantum-Storage Model: Non-interactive, practical protocols for 1-2 OT and BC secure according new composable security definitions. Quantum Key Distribution: Security proofs in realistic setting of a quantum-memory bounded eavesdropper. Tolerate higher error rates than against unbounded adversaries. Composition of certain Quantum Ciphers: key-uncertainty adds up in terms of min-entropy. Contributions II: Applications

50 / 42 two-way post processing QKD with more bases in higher-dimensional (non-binary) systems using less randomness: avoid sifting stage Open Questions

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.