Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Tight High-Order Entropic Quantum Uncertainty Relation with Applications Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Renato Renner (ETH Zürich,

Published byKaia Claypoole Modified over 9 years ago

Similar presentations

Presentation on theme: "A Tight High-Order Entropic Quantum Uncertainty Relation with Applications Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Renato Renner (ETH Zürich,"— Presentation transcript:

1 A Tight High-Order Entropic Quantum Uncertainty Relation with Applications Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Renato Renner (ETH Zürich, CH) Ivan Damgård, Louis Salvail (University of Århus, DK) QIP 2008, Delhi, India Thursday, December 20 th 2007

2 Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Ivan Damgård, Louis Salvail (University of Århus, DK) Secure Identification and QKD in the Bounded-Quantum-Storage Model QIP 2008, Delhi, India Thursday, December 20 th 2007

3 3 / 42 ~1970: Birth of Quantum Cryptography …

4 4 / 42 1-2 Oblivious Transfer S C S 0 ; S 1 C 2 f 0 ; 1 g complete for 2-party computation impossible in the plain (quantum) model possible in the Bounded-Quantum-Storage Model 1 - 2 OT

5 5 / 42 (Randomized) 1-2 Oblivious Transfer R an d 1 - 2 OT S C S 0 ; S 1 C 2 f 0 ; 1 g complete for 2-party computation impossible in the plain (quantum) model possible in the Bounded-Quantum-Storage Model

6 6 / 42 Outline Motivation and Notation Quantum Uncertainty Relations Secure Identification Man-In-The-Middle Attacks Conclusion

7 7 / 42 Quantum Mechanics Notation Measurements: + basis £ basis j 0 i + j 1 i + j 1 i £ j 0 i £ EPR pairs:

8 8 / 42 ge t X ' 0 0 1 1 0 Quantum 1-2 OT Protocol j X i £ S 0 ; S 1 F 1 2 R F 1 F 0 2 R F 0 £ ; F 0 ; F 1 S 1 = ? S 0 C = 0 £ 0 = + n Correctness Receiver-Security against Dishonest Alice £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n 0 1 1 1 0

9 9 / 42 Sender-Security? j X i £ S 0 ; S 1 F 1 2 R F 1 F 0 2 R F 0 £ ; F 0 ; F 1 ge t ½ £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n 0 1 1 1 0 Sender-Security: one of the strings looks completely random to dishonest Bob # qu b i t s < n = 4

10 10 / 42 ge t Entanglement-Based Protocol S 0 ; S 1 F 1 2 R F 1 F 0 2 R F 0 £ ; F 0 ; F 1 ½ epr ­ n # qu b i t s < n = 4 Sender-Security: One of the strings looks completely random to dishonest Bob £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n ? ? ? ? ?

11 11 / 42 ge t Entanglement-Based Protocol j X i £ S 0 ; S 1 F 1 2 R F 1 F 0 2 R F 0 £ ; F 0 ; F 1 ½ # qu b i t s < n = 4 Sender-Security: One of the strings looks completely random to dishonest Bob £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n 0 1 1 1 0

12 12 / 42 Sender-Security: One of the strings looks completely random to dishonest Bob £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n ? ? ? ? ? Let Bob Act First F 1 2 R F 1 F 0 2 R F 0 ½ £ ; F 0 ; F 1 ge t epr ­ n / /... # qu b i t s < n = 4 S 0 ; S 1

13 13 / 42 Sender-Security: One of the strings looks completely random to dishonest Bob Privacy Amplification: ge t £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n ? ? ? ? ? Sender-Security  Uncertainty Relation F 1 2 R F 1 F 0 2 R F 0 ½ £ ; F 0 ; F 1 epr ­ n / /... # qu b i t s < n = 4 [ R enner K Ä on i g 05, R enner 06 ] H 1 ( X j £ ) ¸ ? S 0 ; S 1 H 1 ( X j £ ) |{z} ¸ ? > # qu b i t s |{z} < n = 4

14 14 / 42 Outline Motivation and Notation Quantum Uncertainty Relations Secure Identification Man-In-The-Middle Attacks Conclusion

15 15 / 42 Entropic Uncertainty Relation for One Qubit

16 16 / 42 I ngenera l : H ( ¢ ) ¸ H 1 ( ¢ ) ) H " 1 ( X n j £ ) n ! 1 ¼ n ¢ H ( X i j £ i ) ¸ n = 2 £ 2 R s t a t e f + ; £ g n ½... Quantum Uncertainty Relation needed / / H 1 ( X j £ ) ¸ ? X i i n d epen d en t H ( X i j £ i ) ¸ 1 2 excep t w i t h pro b · " X i : = X 1 ::: X i

17 17 / 42 £ 2 R s t a t e f + ; £ g n ½... Main Result / / H 1 ( X j £ ) ¸ ? X i d epen d en t H ( X i j £ i ) ¸ 1 2 Q uan t um U ncer t a i n t y R e l a t i on: L e t X = ( X 1 ;:::; X n ) b e t h eou t come. T h en, H " 1 ( X j £ ) & n = 2 w i t h "neg l i g i bl e i nn. H ( X i j £ i ; X i ¡ 1 = x i ¡ 1 ; £ i ¡ 1 = µ i ¡ 1 ) ¸ 1 2

18 18 / 42 Main Technical Lemma Z 1 ;:::; Z n ( d epen d en t ) ran d omvar i a bl es T h en, H " 1 ( Z ) & n ¢ h w i t h "neg l i g i bl e i nn w i t h H ( Z i j Z i ¡ 1 = z i ¡ 1 ) ¸ h. P roo f : ² i n f orma t i on t h eory ² genera l i ze d C h erno ®b oun d ( A zuma i nequa li t y )

19 19 / 42 conjugate coding / BB84: £ 2 R s t a t e f + ; £ g n ½... classical technical lemma: instantiate it for various quantum codings: High-Order Entropic Uncertainty Relations H ( Z i j Z i ¡ 1 = z ) ¸ h ) H " 1 ( Z n ) & h n / / H " 1 ( X j £ ) & n = 2

20 20 / 42 conjugate coding / BB84: three bases / six-state: … classical technical lemma: instantiate it for various quantum codings: High-Order Entropic Uncertainty Relations / / / / £ 2 R s t a t e f + ; £ ; ª g n ½... H " 1 ( X j £ ) & n = 2 H " 1 ( X j £ ) & 2 3 n H ( Z i j Z i ¡ 1 = z ) ¸ h ) H " 1 ( Z n ) & h n

21 21 / 42 Outline Motivation and Notation Quantum Uncertainty Relation Secure Identification Man-In-The-Middle Attacks Conclusion

22 22 / 42 Why Secure Identification? I’m Alice my PIN is IMAB52 I want $25 Alright Alice, here you go.

23 23 / 42 Why Secure Identification? I’m Alice my PIN is IMAB52 I want $25 Sorry, I’m out of order Alice: IMAB52

24 24 / 42 Why Secure Identification? Alice: IMAB52 I’m Alice my PIN is IMAB52 I want $25,000,000 Alright Alice, here you go.

25 25 / 42 Secure Evaluation of the Equality PIN-based identification scheme should be a secure evaluation of the equality function A dishonest player can exclude only one possible password = ? W A W B W A ? = W B W A ? = W B

26 26 / 42 ge t X ' 0 0 1 1 0 Recall: Quantum 1-2 OT Protocol j X i £ S 0 ; S 1 F 1 2 R F 1 F 0 2 R F 0 £ ; F 0 ; F 1 S 1 = ? S 0 C = 0 £ 0 = + n £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n 0 1 1 1 0

27 27 / 42 C ( 0 ) X ' C ( 1 ) X ' 00 01 11 10 00 00 10 11 01 00 £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n 0 1 1 1 0 0 1 1 1 0 Quantum 1-m OT Protocol j X i £ W 2 W C ( W ) C o d e C : W ! f + ; £ g n

28 28 / 42 C ( 0 ) X ' C ( 1 ) X ' 00 01 11 10 00 00 10 11 01 00 £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n 0 1 1 1 0 0 1 1 1 0 Quantum 1-m OT Protocol j X i £ S 0 W 2 W C ( W ) C o d e C : W ! f + ; £ g n S 0 £ ; F 0

29 29 / 42 C ( 0 ) X ' C ( 1 ) X ' 00 01 11 10 00 00 10 11 01 00 £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n 0 1 1 1 0 0 1 1 1 0 Quantum 1-m OT Protocol j X i £ S 0 W 2 W C ( W ) S 1 £ ; F 0 ; F 1 ;::: S 0 ; S 1 ;::: C o d e C : W ! f + ; £ g n £ ; F 0 ; F 1 ;:::

30 30 / 42 C ( 0 ) X ' C ( 1 ) X ' 00 01 11 10 00 00 10 11 01 00 £ 2 R X 2 R sen d f + ; £ g n f 0 ; 1 g n 0 1 1 1 0 0 1 1 1 0 Quantum 1-m OT Protocol j X i £ S 0 W 2 W C ( W ) S 1 S 0 ; S 1 ;::: C o d e C : W ! f + ; £ g n £ ; F 0 ; F 1 ;::: £ ; F 0 ; F 1 ;:::

31 31 / 42 Idea correct dishonest Bob can learn at most one S W and compare it with (the random) S W. He can at most exclude his W. Dishonest Alice learns nothing about W by the OT  but can e.g. set all S i = 0, then send S W = 0 R an d 1 -m OT S 0 ; S 1 ;:::; S m ¡ 1 W 2 f 0 ; 1 ;:::; m ¡ 1 g W 2 f 0 ; 1 ;:::; m ¡ 1 g WS W S W S W ? = S W W 2 f 0 ; 1 ;:::; m ¡ 1 g W 2 f 0 ; 1 ;:::; m ¡ 1 g W 2 f 0 ; 1 ;:::; m ¡ 1 g

32 32 / 42 T W : = g ( W ) © S W Dishonest Alice learns nothing about W by the OT with high probability: all T i are different Alice has to guess the right T W Dishonest Alice S W g g 2 R G : W ! f 0 ; 1 g ` T W ? = g ( W ) © S W strongly universal R an d 1 -m OT W 2 f 0 ; 1 ;:::; m ¡ 1 g WS 0 ; S 1 ;:::; S m ¡ 1 W = ? ) S W ? = S W

33 33 / 42 Properties of the Basic Scheme efficient: n qubits, 3 classical messages, honest players do not require quantum memory provably secure against:  unbounded dishonest user Alice  dishonest server Bob with quantum memory < n/11  both have unbounded computing power and classical memory can be extended to tolerate noise, therefore implementable with current technology OT P i n W P i n W

34 34 / 42 Outline Motivation and Notation Quantum Uncertainty Relation Secure Identification Man-In-The-Middle Attacks Conclusion

35 35 / 42 Dishonest Alice or Bob can only exclude one possible PIN W Eve learns nothing about W ? Extension: Man-in-the-Middle Attack P i n WP i n W  nontrivial K ey KK ey K

36 36 / 42 Dishonest Alice or Bob can only exclude one possible PIN W, even given key K Eve learns nothing about W and only negligible information about key K Extension: Man-in-the-Middle Attack P i n WP i n W K ey KK ey K

37 37 / 42 Application: QKD au t h K ( ¢ ) = ( K 0 ; SK ) = ( K 0 ; SK ) au t h K 0 ( ¢ ) K ey KK ey K

38 38 / 42 Problem: Eve interferes with communication au t h K ( ¢ ) = ( K 0 ; SK ) = ( K 0 ; SK ) au t h K 0 ( ¢ ) honest players run out of authentication key secure QKD no longer possible K ey KK ey K

39 39 / 42 Solution: QKD based on Secure Identification au t h K ( ¢ ) P i n WP i n W = ? = ? K and W remain secure, can be re-used over and over again, even if scheme is disrupted Losing key K does not compromise security (if loss is noticed) BUT: security holds only against a quantum-memory bounded eavesdropper K ey KK ey K

40 40 / 42 High-order entropic quantum uncertainty relations : Bounded-Quantum-Storage Model:  Oblivious Transfer: Non-interactive, practical protocols for 1-2 OT and Bit Commitment secure according to strong security definitions.  Secure PIN-based Identification: dito non-trivial extension to handle man-in-the-middle attacks Conclusion H " 1 ( X j £ ) ¸ 2 3 n H " 1 ( X j £ ) ¸ n = 2,

41 41 / 42 High-order entropic quantum uncertainty relations: Quantum Key Distribution: ( assuming quantum-memory bounded Eve)  security proofs: for higher error rates (=longer distances)  robustness: Eve cannot make parties run out of authentication key Conclusion H " 1 ( X j £ ) ¸ 2 3 n H " 1 ( X j £ ) ¸ n = 2,

42 42 / 42 Thanks to you! Follow-up work [Wehner, Terhal, S]: a step closer to reality: Cryptography from Noisy Photonic Storage see poster and http://arxiv.org/0711.2895

43 43 / 42 name d e ¯ n i t i on H 0 ( Z ) l og ¯ ¯ f z j P Z ( z ) > 0 g ¯ ¯ n H ( Z ) ¡ P z P Z ( z ) l og ( P Z ( z )) ¼ n H 1 ( Z ) ¡ l og ( max z P Z ( z )) n = 2 Entropies H 1 · H · H 0 … ¼ 2 ¡ n |{z} 2 n ¡ 1 2 ¡ n 2 Z P Z Z ran d omvar i a bl eover f 0 ; 1 g n l ower b oun d on H 6 ) l ower b oun d on H 1

44 44 / 42 … ¼ 2 ¡ n |{z} 2 n ¡ 1 2 ¡ n 2 Z P Z Smooth Min-Entropy  " f or" = 2 ¡ n 2 Z ran d omvar i a bl eover f 0 ; 1 g n

45 45 / 42 Smooth Min-Entropy [ R enner W o lf 05 ] Z i : = Z 1 ;:::; Z i Z ran d omvar i a bl eover f 0 ; 1 g n H " 1 ( Z ) : = max P r [ E ] ¸ 1 ¡ " H 1 ( Z E ) Z i : = Z 1 ;:::; Z i

46 46 / 42 £ 2 R s t a t e f + ; £ g n ½... Proof of Quantum Uncertainty Relation Z i : = ( X i ; £ i ) MU : ½ 1 -qu b i t s t a t e: H ( X 0 j £ 0 ) ¸ 1 2 / / T h m: H ( Z i j Z i ¡ 1 = z ) ¸ h ) H " 1 ( Z n ) & h n Q uan t um U ncer t a i n t y R e l a t i on: L e t X = ( X 1 ;:::; X n ) b e t h eou t come. T h en, H " 1 ( X j £ ) & n = 2 w i t h "neg l i g i bl e i nn. H ( Z i j Z i ¡ 1 = z ) = H ( X i j £ i ; Z i ¡ 1 = z ) + H ( £ i j Z i ¡ 1 = z ) ¸ 1 2 + 1 = : h : H " 1 ( X j £ ) ¼ H " 1 ( Z n ) ¡ H 0 ( £ ) & n = 2 + n ¡ n :

47 47 / 42 Tight? MU : ½ 1 -qu b i t s t a t e: H ( X 0 j £ 0 ) ¸ 1 2 H ( X j £ ) = 1 2 ¡ H ( X j £ = + ) |{z} = 0 + H ( X j £ = £ ) |{z} = 1 ¢ = 1 2 : £ 2 R s t a t e f + ; £ g n ½... / / Q uan t um U ncer t a i n t y R e l a t i on: L e t X = ( X 1 ;:::; X n ) b e t h eou t come. T h en, H " 1 ( X j £ ) & n = 2 w i t h "neg l i g i bl e i nn. F or t h epures t a t e j 0 i ­ n, t h e X are i n d epen d en t an d we k now t h a t H " 1 ( X j £ ) n ! 1 ¼ H ( X j £ ) = n = 2.

48 48 / 42 £ 2 R s t a t e f + ; £ g n ½... £ 2 R s t a t e f + n ; £ n g ½ Comparison to Previous Bound / / P rev i ous: T h ereex i s t saneven t E w i t h P r [ E ] & 1 2 suc h t h a t H 1 ( X j E ; £ ) ¸ n = 2 : N ew: H " 1 ( X j £ ) & n = 2 w i t h neg l i g i bl e" 8 µ 2 f + ; £ g n 9 even t E µ w i t h 2 ¡ n P µ P r [ E µ ] ¼ 1 an d H 1 ( X j E µ ; £ = µ ) & n = 2 :

49 49 / 42 Bounded-Quantum-Storage Model: Non-interactive, practical protocols for 1-2 OT and BC secure according new composable security definitions. Quantum Key Distribution: Security proofs in realistic setting of a quantum-memory bounded eavesdropper. Tolerate higher error rates than against unbounded adversaries. Composition of certain Quantum Ciphers: key-uncertainty adds up in terms of min-entropy. Contributions II: Applications

50 50 / 42 two-way post processing QKD with more bases in higher-dimensional (non-binary) systems using less randomness: avoid sifting stage Open Questions

Download ppt "A Tight High-Order Entropic Quantum Uncertainty Relation with Applications Serge Fehr, Christian Schaffner (CWI Amsterdam, NL) Renato Renner (ETH Zürich,"

Similar presentations

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.
1 A B C 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52.

1 A B C
Scenario: EOT/EOT-R/COT Resident admitted March 10th Admitted for PT and OT following knee replacement for patient with CHF, COPD, shortness of breath.

Scenario: EOT/EOT-R/COT Resident admitted March 10th Admitted for PT and OT following knee replacement for patient with CHF, COPD, shortness of breath.
Angstrom Care 培苗社 Quadratic Equation II

Angstrom Care 培苗社 Quadratic Equation II
AP STUDY SESSION 2.

AP STUDY SESSION 2.
1

1
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Processes and Operating Systems

Processes and Operating Systems
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.

Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
David Burdett May 11, 2004 Package Binding for WS CDL.

David Burdett May 11, 2004 Package Binding for WS CDL.
1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.

1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.
Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×

Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×
Local Customization Chapter 2. Local Customization 2-2 Objectives Customization Considerations Types of Data Elements Location for Locally Defined Data.

Local Customization Chapter 2. Local Customization 2-2 Objectives Customization Considerations Types of Data Elements Location for Locally Defined Data.
Process a Customer Chapter 2. Process a Customer 2-2 Objectives Understand what defines a Customer Learn how to check for an existing Customer Learn how.

Process a Customer Chapter 2. Process a Customer 2-2 Objectives Understand what defines a Customer Learn how to check for an existing Customer Learn how.
Custom Statutory Programs Chapter 3. Customary Statutory Programs and Titles 3-2 Objectives Add Local Statutory Programs Create Customer Application For.

Custom Statutory Programs Chapter 3. Customary Statutory Programs and Titles 3-2 Objectives Add Local Statutory Programs Create Customer Application For.
CALENDAR.

CALENDAR.
1 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt BlendsDigraphsShort.

1 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt BlendsDigraphsShort.
1 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt RhymesMapsMathInsects.

1 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt RhymesMapsMathInsects.
PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.

PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.

Similar presentations

Ads by Google