Post on 01-Apr-2015
A Tight High-Order Entropic Quantum Uncertainty Relationwith Applications Serge Fehr, Christian Schaffner (CWI Amsterdam, NL)
Renato Renner (ETH Zürich, CH)
Ivan Damgård, Louis Salvail (University of Århus, DK)
QIP 2008, Delhi, India
Thursday, December 20th 2007
Serge Fehr, Christian Schaffner (CWI Amsterdam, NL)
Ivan Damgård, Louis Salvail (University of Århus, DK)
Secure Identification and QKD in the Bounded-Quantum-Storage Model
QIP 2008, Delhi, India
Thursday, December 20th 2007
3 / 42
~1970: Birth of Quantum Cryptography
…
4 / 42
1-2 Oblivious Transfer
SC
S0;S1C 2 f0;1g
complete for 2-party computation impossible in the plain (quantum) model possible in the Bounded-Quantum-Storage Model
1-2OT
5 / 42
(Randomized) 1-2 Oblivious Transfer
Rand1-2OT SC
S0;S1C 2 f0;1g
complete for 2-party computation impossible in the plain (quantum) model possible in the Bounded-Quantum-Storage Model
6 / 42
Outline
Motivation and Notation
Quantum Uncertainty Relations
Secure Identification
Man-In-The-Middle Attacks
Conclusion
7 / 42
Quantum Mechanics Notation
Measurements:
+ basis
£ basis
j0i+ j1i+
j1i£j0i£
EPR pairs:
8 / 42
get X'
0
0
1
1
0
Quantum 1-2 OT ProtocoljX i£
S0;S1
F1 2R F 1F0 2R F 0
£ ;F0;F1
S1 = ?S0
C = 0£ 0= +n
Correctness
Receiver-Security against Dishonest Alice
£ 2R X 2R sendf+;£gn f0;1gn
0
1
1
1
0
9 / 42
Sender-Security?jX i£
S0;S1
F1 2R F 1F0 2R F 0
£ ;F0;F1
get
½
£ 2R X 2R sendf+;£gn f0;1gn
0
1
1
1
0
Sender-Security: one of the strings looks completely random to dishonest Bob
# qubits < n=4
10 / 42
get
Entanglement-Based Protocol
S0;S1
F1 2R F 1F0 2R F 0
£ ;F0;F1
½
epr n
# qubits < n=4
Sender-Security: One of the strings looks completely random to dishonest Bob
£ 2R X 2R sendf+;£gn f0;1gn
?
?
?
?
?
11 / 42
get
Entanglement-Based ProtocoljX i£
S0;S1
F1 2R F 1F0 2R F 0
£ ;F0;F1
½
# qubits < n=4
Sender-Security: One of the strings looks completely random to dishonest Bob
£ 2R X 2R sendf+;£gn f0;1gn
0
1
1
1
0
12 / 42
Sender-Security: One of the strings looks completely random to dishonest Bob
£ 2R X 2R sendf+;£gn f0;1gn
?
?
?
?
?
Let Bob Act First
F1 2R F 1F0 2R F 0
½
£ ;F0;F1
getepr n
//...
# qubits < n=4
S0;S1
13 / 42
Sender-Security: One of the strings looks completely random to dishonest Bob
Privacy Amplification:
get£ 2R X 2R send
f+;£gn f0;1gn
?
?
?
?
?
Sender-Security Uncertainty Relation
F1 2R F 1F0 2R F 0
½
£ ;F0;F1
epr n
//...
# qubits < n=4
[Renner KÄonig 05, Renner 06]
H1 (X j £ ) ¸ ?S0;S1
H1 (X j £)| {z }
¸ ?
> # qubits| {z }
<n=4
14 / 42
Outline
Motivation and Notation
Quantum Uncertainty Relations
Secure Identification
Man-In-The-Middle Attacks
Conclusion
15 / 42
M aassen U±nk 88: Let ½i be a 1-qubit state.£ i 2R f+;£g, X i the outcome of measuring ½i in basis £ i . Then,
H(X i j £ i ) = 12
¡H(X i j £ i = +) + H(X i j £ i = £)| {z }
¸ 1
¢¸ 1
2:
Entropic Uncertainty Relation for One Qubit
16 / 42
In general: H(¢) ¸ H1 (¢)
) H"1 (X n j £ )
n! 1¼ n ¢H(X i j £ i ) ¸ n=2
£ 2R statef+;£gn ½
...
Quantum Uncertainty Relation needed
//
H1 (X j £) ¸ ?
X i independent
H(X i j £ i ) ¸ 12
M aassen U±nk 88: Let ½i be a 1-qubit state.£ i 2R f+;£g, X i the outcome of measuring ½i in basis £ i . Then,
H(X i j £ i ) = 12
¡H(X i j £ i = +) + H(X i j £ i = £)| {z }
¸ 1
¢¸ 1
2:
except with prob · "
X i := X 1 : : :X i
17 / 42
£ 2R statef+;£gn ½
...
Main Result
//
H1 (X j £) ¸ ?
X i dependent
H(X i j £ i ) ¸ 12
Quantum Uncertainty R elation: LetX = (X 1; : : : ;X n) be the outcome. Then,
H"1 (X j £ ) & n=2
with " negligible in n.
H(X i j £ i ;X i ¡ 1 = xi ¡ 1;£ i ¡ 1 = µi ¡ 1) ¸ 12
M aassen U±nk 88: Let ½i be a 1-qubit state.£ i 2R f+;£g, X i the outcome of measuring ½i in basis £ i . Then,
H(X i j £ i ) = 12
¡H(X i j £ i = +) + H(X i j £ i = £)| {z }
¸ 1
¢¸ 1
2:
18 / 42
Main Technical Lemma
Z1; : : : ;Zn (dependent) random variables
Then, H"1 (Z) & n ¢h with " negligible in n
with H(Zi j Z i ¡ 1 = zi ¡ 1) ¸ h.
P roof:
² information theory
² generalized Cherno®bound (A zuma inequality)
19 / 42
conjugate coding / BB84:£ 2R state
f+;£gn ½
...
classical technical lemma:
instantiate it for various quantum codings:
High-Order Entropic Uncertainty Relations
H(Zi j Z i ¡ 1 = z) ¸ h ) H"1 (Zn) & hn
//
H"1 (X j £) & n=2
20 / 42
conjugate coding / BB84:
three bases / six-state:
…
classical technical lemma:
instantiate it for various quantum codings:
High-Order Entropic Uncertainty Relations
//
//
£ 2R statef+;£;ª gn ½
...
H"1 (X j £) & n=2
H"1 (X j £) & 2
3n
H(Zi j Z i ¡ 1 = z) ¸ h ) H"1 (Zn) & hn
21 / 42
Outline
Motivation and Notation
Quantum Uncertainty Relation
Secure Identification
Man-In-The-Middle Attacks
Conclusion
22 / 42
Why Secure Identification?
I’m Alice my PIN is IMAB52
I want $25
Alright Alice, here you go.
23 / 42
Why Secure Identification?
I’m Alice my PIN is IMAB52
I want $25
Sorry, I’m out of order
Alice: IMAB52
24 / 42
Why Secure Identification?Alice: IMAB52
I’m Alice my PIN is IMAB52I want $25,000,000
Alright Alice, here you go.
25 / 42
Secure Evaluation of the Equality
PIN-based identification scheme should be a secure evaluation of the equality function
A dishonest player can exclude only one possible password
=?WA WB
WA?= WBWA
?= WB
26 / 42
get X'
0
0
1
1
0
Recall: Quantum 1-2 OT ProtocoljX i£
S0;S1
F1 2R F 1F0 2R F 0
£ ;F0;F1
S1 = ?S0
C = 0£ 0= +n
£ 2R X 2R sendf+;£gn f0;1gn
0
1
1
1
0
27 / 42
C(0) X' C(1) X '
0 0
0 1
1 1
1 0
0 0
0 0
1 0
1 1
0 1
0 0
£ 2R X 2R sendf+;£gn f0;1gn
0
1
1
1
0
0
1
1
1
0
Quantum 1-m OT ProtocoljX i£
W 2 W
C(W)
Code C:W ! f+;£gn
28 / 42
C(0) X' C(1) X '
0 0
0 1
1 1
1 0
0 0
0 0
1 0
1 1
0 1
0 0
£ 2R X 2R sendf+;£gn f0;1gn
0
1
1
1
0
0
1
1
1
0
Quantum 1-m OT ProtocoljX i£
S0
W 2 W
C(W)
Code C:W ! f+;£gn
S0
£ ;F0
29 / 42
C(0) X' C(1) X '
0 0
0 1
1 1
1 0
0 0
0 0
1 0
1 1
0 1
0 0
£ 2R X 2R sendf+;£gn f0;1gn
0
1
1
1
0
0
1
1
1
0
Quantum 1-m OT ProtocoljX i£
S0
W 2 W
C(W)
S1
£ ;F0;F1; : : :
S0;S1; : : :
Code C:W ! f+;£gn
£ ;F0;F1; : : :
31 / 42
Idea
correct
dishonest Bob can learn at most one SW and compare it with
(the random) SW . He can at most exclude his W.
Dishonest Alice learns nothing about W by the OT
but can e.g. set all Si = 0 , then send SW = 0
Rand1-mOTS0;S1; : : : ;Sm¡ 1
W 2 f0;1;: : : ;m¡ 1gW 2 f0;1;: : : ;m¡ 1g
W
SW
SWSW
?= SW
W 2 f0;1;: : : ;m¡ 1gW 2 f0;1;: : : ;m¡ 1gW 2 f0;1;: : : ;m¡ 1g
32 / 42
TW := g(W) ©SW
Dishonest Alice learns nothing about W by the OT
with high probability: all Ti are different
Alice has to guess the right TW
Dishonest Alice
SW
g g 2R G : W ! f0;1g̀
TW?= g(W) ©SW
strongly universal
Rand1-mOT
W 2 f0;1;: : : ;m¡ 1g
W
S0;S1; : : : ;Sm¡ 1
W = ?
)
SW?= SW
33 / 42
Properties of the Basic Scheme
efficient: n qubits, 3 classical messages, honest players do not require quantum memory
provably secure against: unbounded dishonest user Alice dishonest server Bob with quantum memory < n/11 both have unbounded computing power and
classical memory can be extended to tolerate noise, therefore
implementable with current technology
OTPin WPin W
34 / 42
Outline
Motivation and Notation
Quantum Uncertainty Relation
Secure Identification
Man-In-The-Middle Attacks
Conclusion
35 / 42
Dishonest Alice or Bob can only exclude one possible PIN W
Eve learns nothing about W ?
Extension: Man-in-the-Middle AttackPin W Pin W
nontrivialKeyK KeyK
36 / 42
Dishonest Alice or Bob can only exclude one possible PIN W, even given key K
Eve learns nothing about W and
only negligible information about key K
Extension: Man-in-the-Middle Attack Pin W Pin W
KeyK KeyK
37 / 42
Application: QKD
authK (¢)
= (K 0;SK ) = (K 0;SK )
authK 0(¢)
KeyK KeyK
38 / 42
Problem: Eve interferes with communication
authK (¢)
= (K 0;SK ) = (K 0;SK )
authK 0(¢) honest players run out of authentication key secure QKD no longer possible
KeyK KeyK
39 / 42
Solution: QKD based on Secure Identification
authK (¢)
Pin W Pin W
=? =? K and W remain secure, can be re-used over and over again,
even if scheme is disrupted Losing key K does not compromise security
(if loss is noticed) BUT: security holds only against a
quantum-memory bounded eavesdropper
KeyK KeyK
40 / 42
High-order entropic quantum uncertainty relations :
Bounded-Quantum-Storage Model:
Oblivious Transfer: Non-interactive, practical protocols for 1-2 OT and Bit Commitment secure according to strong security definitions.
Secure PIN-based Identification: ditonon-trivial extension to handle man-in-the-middle attacks
Conclusion
H"1 (X j £) ¸ 2
3nH"1 (X j £) ¸ n=2,
41 / 42
High-order entropic quantum uncertainty relations:
Quantum Key Distribution: (assuming quantum-memory bounded Eve)
security proofs: for higher error rates (=longer distances)
robustness: Eve cannot make parties run out of authentication key
Conclusion
H"1 (X j £) ¸ 2
3nH"1 (X j £) ¸ n=2,
42 / 42
Thanks to
you!
Follow-up work
[Wehner, Terhal, S]: a step closer to reality:Cryptography from Noisy Photonic Storage
see poster and http://arxiv.org/0711.2895