New Results of Quantum-proof Randomness Extractors Xiaodi Wu (MIT) 1 st Trustworthy Quantum Information Workshop Ann Arbor, USA 1 based on work w/ Kai-Min.

Presentation transcript:

New Results of Quantum-proof Randomness Extractors. Xiaodi Wu (MIT). 1st Trustworthy Quantum Information Workshop, Ann Arbor, USA. Based on work w/ Kai-Min Chung and Xin Li, arXiv: and work w/ Kai-Min Chung, in preparation

Randomness Extractor: Seeded [SV84, Vaz85, VV85, CG85, Vaz87, CW89, Zuc90, Zuc91, …]. A deterministic function converts indep. weak random sources with entropy to almost-uniform randomness. [Diagram labels: seed U_d; source X; Z]

Randomness Extractor: Multi-source [CG85, BIK04, Raz, Rao, Bourgain, Li, ……]. A deterministic function converts indep. weak random sources with entropy to almost-uniform randomness. [Diagram labels: weak random sources X_1, X_t; Z]

Applications beyond randomness
Classical TCS
– Cryptography, Derandomization [Sis88, NZ93, …], Distributed algorithms [WZ95], Data structures [Ta02], Hardness of Approximation [Zuc93, …]
Quantum Information
– Privacy amplification (QKD) [BB84, BBR…], device-independent crypto [VV12, MS14, CSW14, B+, …]
– Bounded-storage model [DFSS08, …]

This talk:
Q. Seeded Extractors with Optimal Parameters: (Chung, W, in preparation)
* a new construction optimal w/ inverse poly rate source
* new techniques for quantum-proof condensers
Q. Side Info Model for Multi-source Extraction: (Chung, Li, W, arXiv: )
* a proposal naturally unifying and extending existing models
* q. multi-source extractors w/ matching paras to classical

Q. Seeded Extractors with Optimal Parameters: (Chung, W, in preparation)
* a new construction optimal w/ inverse poly rate source
* new techniques for quantum-proof condensers

Quantum Side Info: seeded extraction 7

Seeded Extractors against Side Info [R05, KMR05, KT08, DV10, T11, DPVR11]. [Diagram labels: seed U_d; source X; Seeded Randomness Extractor; Z; adversary] classical-secure: for classical side-info. marginal-secure: for no side-info.

What do we want? Trevisan [T, DV, DPVR]: m=k 0.98, d=O(log(n)). Left-over hashing [KMR, TSSR]: m~=k
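Added example (not from the slides): the no-side-info ("marginal") guarantee behind the left-over hashing entry above, checked exhaustively for a toy seeded extractor built from Toeplitz hashing. The sizes n=8, m=3, the 64-element flat source and all function names are constructed for illustration, and the code does not model classical or quantum side information.

```python
from math import log2, sqrt

N, M = 8, 3                # constructed toy sizes: n-bit source, m-bit output
SEED_BITS = N + M - 1      # a Toeplitz matrix is fixed by its N + M - 1 diagonals
# Constructed flat source with min-entropy k = 6: 64 distinct 8-bit strings.
SOURCE = [(37 * i + 11) % 256 for i in range(64)]

def toeplitz_rows(seed):
    """Rows (as bit masks) of the M x N Toeplitz matrix over GF(2);
    entry (i, j) is seed bit number i - j + N - 1."""
    return [sum(((seed >> (i - j + N - 1)) & 1) << j for j in range(N))
            for i in range(M)]

def apply_rows(rows, x):
    """Matrix-vector product over GF(2), packed into an M-bit integer."""
    return sum((bin(r & x).count("1") & 1) << i for i, r in enumerate(rows))

def ext(x, seed):
    """Seeded extractor Ext(x, seed) = T_seed * x."""
    return apply_rows(toeplitz_rows(seed), x)

def seed_distance(source, seed):
    """Statistical distance of Ext(X, seed) from uniform for one fixed
    seed, with X flat (uniform) on `source`."""
    rows = toeplitz_rows(seed)
    counts = [0] * (1 << M)
    for x in source:
        counts[apply_rows(rows, x)] += 1
    return 0.5 * sum(abs(c / len(source) - 2 ** -M) for c in counts)

def joint_distance(source):
    """Distance of (seed, Ext(X, seed)) from uniform, which equals the
    average of seed_distance over all seeds."""
    n_seeds = 1 << SEED_BITS
    return sum(seed_distance(source, s) for s in range(n_seeds)) / n_seeds

def lhl_bound(source):
    """Leftover hash lemma bound (1/2) * sqrt(2^(m - k)) for a flat
    source of size 2^k and a 2-universal hash family."""
    return 0.5 * sqrt(2 ** (M - log2(len(source))))

if __name__ == "__main__":
    print("average over seeds:", joint_distance(SOURCE))
    print("LHL bound:         ", lhl_bound(SOURCE))
    print("all-zero seed only:", seed_distance(SOURCE, 0))
```

The guarantee holds on average over the seed: a single bad seed (here the all-zero one) can map the whole source to one output.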

10 What GUV requires? GUV: Very Good Condenser Block Extraction & Composition Partial Progress: Cond. Inv. poly Extends to quantum setting Q. Extractor: (new even classically) Remark: inverse-poly rate sources are good for most applications! Our Contribution:

Our strategy. Refer to Chung’s talk for technique limitations. Resort to extractor paradigm [NZ, SZ, Zuc] before Trevisan, based on block-sampling & block-extraction. Our Observation: – A) this paradigm extends to the quantum setting – B) A new condenser/extractor in this paradigm. (n,k) source. Sampling a subset: Hope: min-entropy rate remains. Non-trivial to prove classically (e.g., Zuc97, Vad03). The quantum version by Koenig & Renner 11. However, this does not condense! Block-Sampling!

Block Sampling & Extraction [NZ, SZ, Zuc]. (n,k) source. Block-Sampling (one by one): Structure Entropy while keeping the rate. Block-Extraction (one by one). Competing Parameters: 1) able to sample 2) able to extract => optimal paras for const entropy-rate sources [Zuc]. Exp. increase Seed length. Our Contribution: this construction is also quantum-proof. Observation: well, it does not need to be able to sample & extract at the same time! When it fails to sample, it condenses! A win-win argument!

Condenser: 1/poly rate -> const rate (Win-Win argument). (n,k) Sampling (if success -> extraction, otherwise condensing) E_1 E_2 Sample again on a shorter input …… E_3 C_0 length k …… const Rounds (C_0, E_1, E_2, …) -> const rate source. Quantum: 1) sampling [KR] 2) remaining analysis & comp.

Summary: 14 Zuckerman’s Extractor Win-Win Condenser

Q. Side Info Model for Multi-source Extraction: (Chung, Li, W, arXiv: )
* a proposal naturally unifying and extending existing models
* q. multi-source extractors w/ matching paras to classical

Multi-source Extractors [BIW04]. [Diagram labels: sources X_1, X_t; Multi-source Extractor; Z]

Side Info. of multiple sources? Want: a general definition of entropy & sufficient entropy => extractability. Restriction on E is necessary! [Diagram label: adversary]

Simple Models. Independent Adversary (IA): each source leaks own side information. However, IA fails to consider the entanglement/correlation. Bounded Storage Adv (BS): allow entangle; one-round leaking [KK12]. May break independence; non-trivial even for classical side info. [Diagram labels: sources X_1, X_2; Two-source Extractor; Z; adversary; A_1, A_2; E_1, E_2]

Kasher & Kempe: The [DEOR04] extractor works with comparable parameters in both IA & BS models, although side info breaks independence.
ISSUEs: No unified model & No unified entropy measure. Technique-wise very specific to the [DEOR04] extractor.
Our Contribution: A Unified & Generalized Model: General Entangled (GE) model. Take the one-round leaking model [KK12] + right entropy measure. Prove most existing two-/multi-source extractors are GE-secure, e.g., Raz, Bourgain, Li, BRSW, Rao, ….
Remarks on the model:
1. Could refer to a practical scenario of generating side-info: when parties are far apart from each other & leaking procedure is short!
2. Unclear about extension to multiple rounds. Could fall into the previous counter-example.

Entropy measure: problematic [KK12]

Contribution I: General Entangled (GE) Model. [Diagram labels: adversary; X_1, X_2, X_t; A_1, A_2, A_t; E_1, E_2, E_t]

General Entangled (GE) Model 22

General Entangled (GE) Model 23

GE-secure Multi-source Extractors. [Diagram labels: sources X_1, X_t; Multi-source Extractor; Z; adversary]

Contribution II: GE-secure extractors. Existing Two-source Extractors (e.g., Raz, Bourgain, existential ones) are GE-secure. Any Multi-source Extractors (e.g., Li, BRSW, Rao) can be upgraded to be GE-secure. Both w/ matching parameters. GE - Strong OA Security Equivalence! Obtain Strong OA Security: XOR, +1 source, block-source. Omitted!

One-sided Adversary (OA) Model. Only get side info from a single source – at adversary’s choice (without seeing the sources). Weaker than IA & GE. OA-sources & OA-secure extractors defined similarly. [Diagram labels: adversary; X_1, X_i, X_t; A_i; E_i]

Strong OA-GE Security Equivalence 27 M OA IA BS GE classical side-info no side-info strong ext.

Strong OA-GE Security Equivalence. [Diagram labels: adversary; X_1, X_2, X_t; A_1, A_2, A_t; E_1, E_2, E_t; Apply Ext S; Leaking on X_S]

Proof: simulation b/c Apply OA Ext, Leaking on X_S COMMUTE (strong). Leaking on X_t, Leaking on X_S, Apply Ext; Leaking on X_t, Apply Ext, Leaking on X_S = Apply OA security w/ sufficient entropy

Summary 30 M OA IA BS GE strong ext.

Conclusions:
Q. Seeded Extractor optimal w/ inv. poly rate sources
Q. Multi-source: side info model & extractors
Open Questions:
Better Q. Extractor/Condenser? Optimal Parameters for any source?
Alternative/General Side Info Model allowing extraction?

Thanks! Questions? 32

Obtain Strong OA-security (I): +1 source. [Diagram labels: X_1, X_t, Y, X_{t+1}, Z] LIFT: marginal uniform + seeded quantum extractor -> quantum-proof uniform


Entropy measure: problematic [KK12]. [Diagram labels: X_1, X_2, adversary]