Transcript of the slide deck at web.eecs.umich.edu/~shiyy/random/QRandom.pdf
Randomness: between faith and reality
Yaoyun Shi University of Michigan
joint works with Carl Miller (arXiv:1402.0489&1411.6608), Kai-Min Chung and Xiaodi Wu (arXiv:1402.4797)
Randomness is a faith
Randomness is a faith
“[We assume] that the developer understands the behavior of the entropy source and has made a good faith effort to produce a consistent source of entropy.”
Randomness is impossible to test directly
• All randomness tests can be easily fooled
• A test program is a Boolean function TEST()
• Fix an input x such that TEST(x) = ACCEPT
• Always outputting x passes the test
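To make the slide's argument concrete, here is an added Python example (not code from the talk): a TEST() built from two simplified statistical checks in the style of the NIST monobit and runs tests, a fixed input that it accepts, and a "generator" that simply replays that input. The checks, the fixed string and the generators are all constructed for the illustration.

```python
import math
import random
from typing import Callable, Iterator

# Two simplified statistical checks in the spirit of the NIST monobit and runs tests
# (constructed for this illustration, not a certified implementation).

def monobit_ok(bits: str, z_max: float = 3.0) -> bool:
    """Accept if the number of ones is within z_max standard deviations of n/2."""
    n = len(bits)
    z = abs(2 * bits.count("1") - n) / math.sqrt(n)
    return z <= z_max

def runs_ok(bits: str, z_max: float = 3.0) -> bool:
    """Accept if the number of runs is within z_max standard deviations of the fair-coin
    expectation (n + 1) / 2; for a fair coin the run count has variance (n - 1) / 4."""
    n = len(bits)
    runs = 1 + sum(1 for i in range(1, n) if bits[i] != bits[i - 1])
    z = abs(runs - (n + 1) / 2) / math.sqrt((n - 1) / 4)
    return z <= z_max

def TEST(bits: str) -> bool:
    """The slide's Boolean test function: True means ACCEPT."""
    return monobit_ok(bits) and runs_ok(bits)

# "Fix an input x such that TEST(x) = ACCEPT": a visibly patterned 64-bit string with
# exactly 32 ones and 32 runs, so both checks score right at their expectation.
FIXED_INPUT = "0011" * 16

def always_x() -> Iterator[str]:
    """An 'RNG' that emits FIXED_INPUT forever; it passes TEST every single time."""
    while True:
        yield FIXED_INPUT

def honest_generator(seed: int = 0, n: int = 64) -> Iterator[str]:
    """A generator that is actually random (a seeded PRNG stands in for an entropy source)."""
    rng = random.Random(seed)
    while True:
        yield "".join(rng.choice("01") for _ in range(n))

def acceptance_rate(generator: Iterator[str], test: Callable[[str], bool], trials: int) -> float:
    """Fraction of `trials` outputs from `generator` that `test` accepts."""
    return sum(1 for _ in range(trials) if test(next(generator))) / trials
```

The constant generator and the genuinely random one both score an acceptance rate of about 1, so the test cannot distinguish them; the test does reject the all-zero and strictly alternating strings, which is all a statistical test can ever do.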
Randomness may not exist at all
• Could the world be deterministic?
• Possible even when quantum theory is correct (but not complete)
• We’d never know
Randomness = Secrecy?
• Perfect secrecy / random?
• Almost perfect secrecy / random?
Randomness is indispensable in reality
• Random Number Generators (RNGs) provide the mother secret for cryptography
• RNGs are in all computers/smart phones
• Hardware generator: Intel’s on-chip generator RdRand/RdSeed
• Software generator: Linux’s /dev/random
• 100 T bits/day worldwide?
• Each computer process uses randomness in starting: Address space layout randomization
• We trust that they are doing their jobs
Blind faith is dangerous
• Lack of entropy causes weak cryptographic keys [Heninger+, Lenstra+]
• Backdoors may be in government standards for RNGs [Snowden]
• Hardware may be maliciously modified
• [Becker+’13]: Changing the dopant-level in Intel’s RNG can essentially remove the output randomness
How much blind faith is necessary for ensuring true randomness?
Necessary blind faith: Randomness exists
• Min-entropy source: Weakest form of randomness?
• An (n, k)-source consists of n bits which the adversary can guess correctly with probability no more than 2^-k
• A Santha-Vazirani source is an (n, cn)-source for a constant c, thus highly random
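The two definitions above, worked through in an added Python example (not from the slides): min-entropy as the adversary's best guessing probability, the (n, k)-source check, and a constructed Santha-Vazirani source whose entropy rate c = log2(2/(1+2δ)) follows from the per-bit bias δ. The particular SV construction (bias direction chosen by the parity of the prefix) is an assumption made for the example.

```python
import math
from itertools import product

def bitstrings(n):
    """All n-bit strings, as Python strings."""
    return ["".join(b) for b in product("01", repeat=n)]

def min_entropy(dist):
    """H_min(X) = -log2 max_x Pr[X = x]; 2^-H_min is the adversary's best guessing probability."""
    return -math.log2(max(dist.values()))

def is_nk_source(dist, n, k):
    """An (n, k)-source: n-bit strings, and no single string has probability above 2^-k."""
    return all(len(x) == n for x in dist) and max(dist.values()) <= 2.0 ** -k + 1e-12

def uniform_on(strings):
    return {x: 1.0 / len(strings) for x in strings}

def santha_vazirani_source(n, delta):
    """Constructed SV source: bit i is 1 with probability 1/2 + delta when the prefix has even
    parity and 1/2 - delta otherwise, so every conditional bias stays within delta of 1/2."""
    dist = {}
    for x in bitstrings(n):
        p = 1.0
        for i, bit in enumerate(x):
            parity = x[:i].count("1") % 2
            p_one = 0.5 + delta if parity == 0 else 0.5 - delta
            p *= p_one if bit == "1" else 1.0 - p_one
        dist[x] = p
    return dist

def sv_entropy_rate(delta):
    """c such that an SV source with bias delta is an (n, c*n)-source: each bit contributes
    at least -log2(1/2 + delta) bits of min-entropy, i.e. c = log2(2 / (1 + 2*delta))."""
    return math.log2(2.0 / (1.0 + 2.0 * delta))
```

With δ = 0.25 the most likely 6-bit string has probability 0.75^6, so the source is a (6, 6·log2(4/3))-source, about 2.49 bits of min-entropy; a source whose last three bits are fixed is a (6, 3)-source but not a (6, 4)-source.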
Faith required by classical approach
• Randomness extractors [since 1980’s]: transform input weak sources to output true randomness
• Requires two independent sources
• Single-source extraction is impossible
[Diagram: weak randomness sources → deterministic extractor → true randomness]
Independence is impossible to test
• Uniform (x, x) is maximally correlated
• but is a convex combination of independent distributions
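Two claims from the preceding slides, "single-source extraction is impossible" and "uniform (x, x) is a convex combination of independent distributions", checked by brute force in an added Python example (not code from the talk). For any candidate extractor f the code builds the uniform distribution on f's larger preimage: an (n, n-1)-source on which f is constant. It then writes the perfectly correlated pair (X, X) as the mixture (1/2^n) Σ_x δ_x ⊗ δ_x of product distributions. The three candidate functions are constructed for the example.

```python
import math
from fractions import Fraction
from itertools import product

def bitstrings(n):
    return ["".join(b) for b in product("01", repeat=n)]

def min_entropy_bits(dist):
    return -math.log2(max(dist.values()))

def fooling_source(f, n):
    """For ANY f: {0,1}^n -> {0,1}, return an (n, n-1)-source on which f is constant: the uniform
    distribution on the larger preimage f^{-1}(b). It has >= 2^(n-1) points, hence min-entropy
    >= n-1, yet f's output on it is the fixed bit b. This is why deterministic single-source
    extraction is impossible."""
    preimages = {0: [], 1: []}
    for x in bitstrings(n):
        preimages[f(x)].append(x)
    b = 0 if len(preimages[0]) >= len(preimages[1]) else 1
    support = preimages[b]
    return {x: Fraction(1, len(support)) for x in support}, b

def output_distribution(f, dist):
    out = {0: Fraction(0), 1: Fraction(0)}
    for x, p in dist.items():
        out[f(x)] += p
    return out

# Constructed candidate extractors to defeat
parity = lambda x: x.count("1") % 2
majority = lambda x: int(2 * x.count("1") > len(x))
mixed = lambda x: ((int(x, 2) * 0x9E + 0x37) >> 3) & 1  # an arbitrary-looking Boolean function

def diagonal_joint(n):
    """Uniform (X, X): Y is a copy of X, the most correlated pair possible."""
    return {(x, x): Fraction(1, 2 ** n) for x in bitstrings(n)}

def product_distribution(p, q):
    return {(x, y): p[x] * q[y] for x in p for y in q}

def is_product(joint):
    """True iff Pr[X=x, Y=y] = Pr[X=x] * Pr[Y=y] for every pair, i.e. X and Y are independent."""
    px, py = {}, {}
    for (x, y), w in joint.items():
        px[x] = px.get(x, 0) + w
        py[y] = py.get(y, 0) + w
    return all(joint.get((x, y), 0) == px[x] * py[y] for x in px for y in py)

def decompose_diagonal(n):
    """Uniform (X, X) as the convex combination (1/2^n) * sum_x (delta_x x delta_x); every
    component is a point mass and therefore a product (independent) distribution."""
    return [(Fraction(1, 2 ** n), product_distribution({x: Fraction(1)}, {x: Fraction(1)}))
            for x in bitstrings(n)]

def mixture(components):
    total = {}
    for weight, dist in components:
        for key, w in dist.items():
            total[key] = total.get(key, 0) + weight * w
    return total
```

A test that sees only samples cannot tell the mixture from the independent components it is built from, which is the sense in which independence, like randomness itself, is not directly testable.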
Put faith in quantum theory
• Randomness is postulated in quantum theory
• Measuring |0>+|1> state yields a perfect coin
• Thus faith in both the correctness and the completeness of quantum theory implies the existence of unlimited perfect randomness
• Correctness: consistent with experiments
• Completeness: adversary has no better than quantum strategy to cheat
Knowing that it exists does not mean knowing that you have it
We cannot verify quantum states and quantum operations directly
Is the faith in the device necessary?
Imperfect and completely untrusted quantum devices
• Mayers-Yao’98: what if the quantum device is imperfect?
• Trusting a certain “self-testing” procedure
• Completely untrusted devices [Barrett-Hardy-Kent’05, Colbeck’06, Colbeck-Renner’12]
• This talk focuses on quantum devices
• Entanglement among the device components and the adversary
[Diagram: the device components and the adversary share entanglement]
Faith in the user
• Can interact with the device classically
• Can restrict communications among the device components and the adversary
• Necessary for all cryptography
Results [Miller-Shi’14,’15, Chung-Shi-Wu’14]
• Start with a single (n, k)-source
• Arbitrary output length
• Failure chance “close” to best possible (≥ 2^-k)
• Failure: reject on honest device or accept and output is not random enough
• Full quantum security
• Robust: device error can approach maximum (for CHSH, .751 suffices)
[Diagram: a deterministic (n, k)-source feeds the protocol, which interacts with the device while an adversary looks on; output of arbitrary length, error = exp(−k^c)]
Step 1: reduction of seedless extraction to seeded extraction [CSW’14]
• Seeded: input is uniform; seedless: input is weak
• From weak source create “somewhere” randomness
• Most blocks are (almost) uniform
• Decoupling: each seeded extraction transforms uniform-to-device input to globally uniform output
[Figure 2: input X is fed to Ext once per seed value (00···0, 10···0, …, 11···1); each output S_i (≅ uniform to the device) goes into its own instance of PExt_seed, which produces Z_i (≅ uniform to the adversary). Output Z if no more than an η fraction of the PExt_seed instances reject.]
Figure 2: Our Physical Randomness Extractor PExt with parameters Ext, PExt_seed, and η. Ext is a quantum-proof strong extractor [30] and PExt_seed a seeded PRE whose input length equals the output length of Ext. For each distinct seed value i of Ext, run an instance of Ext with that seed value and X as the source. Use the output S_i as the input to a separate instance of PExt_seed. Output the XOR of the Z_i's, or abort if a ≥ η fraction of PExt_seed aborted.
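The "somewhere randomness" idea of Step 1 made concrete in an added Python example (not the paper's code): a one-bit inner-product extractor is run under every seed against a constructed (8, 5)-source, and the per-seed bias shows that most seeds already give an almost-uniform block, with the fraction of bad seeds bounded exactly by Parseval plus Markov. The η abort rule of Figure 2 is included as a small combiner; that the XOR is taken over the non-aborting blocks is an assumption made here.

```python
N = 8   # source length n
K = 5   # min-entropy k: the constructed source is uniform on 2^5 = 32 distinct 8-bit values
SUPPORT = [(i * 37 + 11) % 256 for i in range(2 ** K)]  # 37 is odd, so the 32 values are distinct

def ext_inner_product(x: int, s: int) -> int:
    """One-bit strong extractor Ext(x, s) = <x, s> mod 2; {x -> <x, s>} is a universal hash family."""
    return bin(x & s).count("1") & 1

def bias(support, s: int) -> float:
    """|Pr[Ext(X, s) = 0] - 1/2| for X uniform on `support`; bias 0 means the block is uniform."""
    zeros = sum(1 for x in support if ext_inner_product(x, s) == 0)
    return abs(zeros / len(support) - 0.5)

def per_seed_biases(support, n: int):
    return [bias(support, s) for s in range(2 ** n)]

def mean_squared_bias(support, n: int) -> float:
    """Averaged over all seeds this equals exactly 2^-k / 4 (Parseval over the Boolean cube):
    the sum over s of (sum over x in S of (-1)^<x,s>)^2 is 2^n * |S|."""
    b = per_seed_biases(support, n)
    return sum(v * v for v in b) / len(b)

def bad_seed_fraction(support, n: int, eps: float) -> float:
    """Fraction of seeds whose block deviates from uniform by more than eps."""
    b = per_seed_biases(support, n)
    return sum(1 for v in b if v > eps) / len(b)

def markov_bound(k: int, eps: float) -> float:
    """By Markov on the squared bias, at most (2^-k / 4) / eps^2 of the seeds are bad."""
    return 2.0 ** -k / (4 * eps * eps)

def pext_combine(block_outputs, eta: float):
    """Combining rule of Figure 2 as assumed here: one entry per seed, either the int bit-string
    produced by that PExt_seed instance or None if it aborted. Abort (return None) when at least
    an eta fraction aborted; otherwise return the XOR of the outputs that were produced."""
    aborted = sum(1 for z in block_outputs if z is None)
    if aborted / len(block_outputs) >= eta:
        return None
    result = 0
    for z in block_outputs:
        if z is not None:
            result ^= z
    return result
```

For k = 5 and ε = 0.25 the bound says at most 12.5% of the 256 seeds are bad; the all-zero seed is always one of them (its block is the constant 0), which is exactly the kind of block the η rule is there to tolerate.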
Step 2: seeded extraction (randomness expansion introduced by Colbeck’06)
[MS’14,’15]
• Faith: globally uniform input
• Matches Vazirani-Vidick’12: 2 components, exponential expansion, quantum security (classical/restricted security by [Pironio+’10, Pironio-Massar’13, Fehr+’13, Coudron+’13])
• Cryptographic security: failure prob. is negligible
• Robustness
• Can be used for QKD (first robust QKD proved by Vazirani-Vidick’13)
• Other properties: Unit-size quantum memory, flexible building block, new proof technique
[Diagram: a uniform k-bit seed drives a deterministic protocol for ∼N rounds against the device, with an adversary; output N = exp(k^s) bits; error: exp(−log^t N) for any t, s < μ, where μ ∈ [.5, 1] is a universal constant]
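The CHSH game that underlies both the robustness figure on the Results slide (classical strategies win at most 3/4 of the time, which is why a device error threshold just above .75 is the most one could hope for) and the seeded expansion of Step 2, as an added Python example that is not the authors' protocol. It enumerates every deterministic strategy, simulates the honest Bell-state strategy with the standard measurement angles, and runs a toy spot-checking expansion round loop in which a Python PRNG stands in for the user's uniform seed and for the honest device's quantum sampling. The accept rule (CHSH win rate on test rounds at least a threshold) is a simplification assumed here; the block shows the mechanism, not a security proof.

```python
import math
import random
from itertools import product

# CHSH game: inputs x, y in {0,1}; outputs a, b; the round is won iff a XOR b == x AND y.

def classical_max_win() -> float:
    """Best winning probability over all deterministic strategies with uniform inputs."""
    best = 0.0
    for a0, a1, b0, b1 in product((0, 1), repeat=4):  # Alice's answers to x, Bob's to y
        wins = sum(1 for x, y in product((0, 1), repeat=2)
                   if ((a0, a1)[x] ^ (b0, b1)[y]) == (x & y))
        best = max(best, wins / 4)
    return best  # 0.75; shared randomness is a mixture of these and cannot do better

# Honest device (assumed): Bell state (|00> + |11>)/sqrt(2), Alice measures at 0 or pi/4,
# Bob at pi/8 or -pi/8, the standard optimal CHSH measurements.
ALICE_ANGLES = (0.0, math.pi / 4)
BOB_ANGLES = (math.pi / 8, -math.pi / 8)
BELL = [1 / math.sqrt(2), 0.0, 0.0, 1 / math.sqrt(2)]  # amplitudes of |00>, |01>, |10>, |11>

def basis_vector(theta: float, outcome: int):
    """Real single-qubit measurement vector: angle theta for outcome 0, theta + pi/2 for outcome 1."""
    t = theta + outcome * math.pi / 2
    return (math.cos(t), math.sin(t))

def outcome_probabilities(x: int, y: int):
    """Joint distribution of (a, b) from projecting BELL onto the product measurement vectors."""
    probs = {}
    for a, b in product((0, 1), repeat=2):
        u = basis_vector(ALICE_ANGLES[x], a)
        v = basis_vector(BOB_ANGLES[y], b)
        amp = sum(BELL[2 * i + j] * u[i] * v[j] for i in (0, 1) for j in (0, 1))
        probs[(a, b)] = amp * amp
    return probs

def quantum_win() -> float:
    """Winning probability of the honest strategy: cos^2(pi/8), about 0.854."""
    return sum(p for x, y in product((0, 1), repeat=2)
               for (a, b), p in outcome_probabilities(x, y).items()
               if (a ^ b) == (x & y)) / 4

class QuantumDevice:
    """Samples outcomes from the honest strategy; the PRNG stands in for quantum randomness."""
    def __init__(self, seed: int = 1):
        self.rng = random.Random(seed)
    def play(self, x: int, y: int):
        outcomes, weights = zip(*outcome_probabilities(x, y).items())
        return self.rng.choices(outcomes, weights)[0]

class DeterministicDevice:
    """A device with no randomness at all: it always answers (0, 0) and wins only when x*y == 0."""
    def play(self, x: int, y: int):
        return (0, 0)

def expansion_protocol(device, rounds: int, test_fraction: float, threshold: float, seed: int = 7):
    """Toy spot-checking expansion (assumed simplification, not the Miller-Shi protocol).
    `seed` models the user's short uniform input. Test rounds play CHSH with uniform inputs;
    generation rounds use the fixed inputs (0, 0) and keep Alice's outcome as an output bit.
    Accept iff the win rate on test rounds reaches `threshold`."""
    user = random.Random(seed)
    wins = tests = 0
    output = []
    for _ in range(rounds):
        if user.random() < test_fraction:
            x, y = user.randrange(2), user.randrange(2)
            a, b = device.play(x, y)
            tests += 1
            wins += (a ^ b) == (x & y)
        else:
            a, _ = device.play(0, 0)
            output.append(a)
    accepted = tests > 0 and wins / tests >= threshold
    return accepted, output
```

With 10,000 rounds, half of them test rounds and a threshold of 0.80, the honest device wins about 85% of the test rounds and is accepted, while the deterministic device wins about 75% and is rejected; its generation-round output would have been all zeros, which is precisely what the test rounds rule out without ever inspecting the device.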
Step 3: Unbounded expansion [MS-CSW’14]
• Any two expansion protocols can cross-feed securely for unbounded expansion
• First proved for a specific construction by Coudron-Yuen’14
Key insights: many pieces fit together
• Equivalence Lemma
• Strong self-testing
• Forcing trust
• Schatten-norm uncertainty principle
• Amortizing randomness generation
• Quantifying randomness
Equivalence Lemma [CSW’14]
• Secure under global uniform input if and only if secure under uniform-to-device input
• Enables decoupling and unbounded expansion
[Diagram: X globally uniform (independent of the adversary) ≡ X uniform to the device]
EL enables generating private randomness from public randomness
• NIST’s Randomness Beacon project: broadcasting public randomness
• Can be used for Miller-Shi input
• Faith: NIST randomness is uniform to your device
Have we minimized faith?
• Chung-Shi-Wu is not cryptographically secure (Miller-Shi is)
• Too many device components are used
• Open problem: minimal faith for cryptographic randomness
• Possible? Single weak source, 2 device components, cryptographic level of security, robustness
• Weakening faith on physics: Non-signaling security?
Conclusions
• Faith is necessary to be assured of true randomness
• All current RNGs are “trusted” solutions: you must have faith in them
• Unlimited true randomness can be obtained on faith in
• A weak source, quantum theory, restriction of communication
• Cryptographic randomness can be obtained on faith in
• A short seed, quantum theory, restriction of communication
• Such an RNG delivers assured randomness and is trustworthy
• Assurance: you know that you are getting it
• Trustworthiness: the hardware proves its integrity to you
1st International Workshop on Trustworthy Quantum Information, June 28 – July 2, 2015, University of Michigan, Ann Arbor, Michigan, USA. Registration: tyqi.org