Device Independent Randomness Extraction for Arbitrarily Weak Min-Entropy Source

Size: px

Start display at page:

Download "Device Independent Randomness Extraction for Arbitrarily Weak Min-Entropy Source"

Jacob Riley
5 years ago
Views:

1 Device Independent Randomness Extraction for Arbitrarily Weak Min-Entropy Source Jan Bouda, Marcin Paw lowski, Matej Pivoluska, Martin Plesch J. B., M. P. 3 DI Extraction from min-entropy sources / 20

2 Outline Motivation and Related Work. Ingredients. Our Protocol. J. B., M. P. 3 DI Extraction from min-entropy sources / 20

3 Importance of Randomness Randomness is useful in: Gambling. Simulation and Computation. Cryptography. J. B., M. P. 3 DI Extraction from min-entropy sources / 20

4 Importance of Randomness Randomness is useful in: Gambling. Simulation and Computation. Cryptography. Impact of imperfect randomness can be devastating: Attacks on RSA [Lenstra et. al. (2012)] Attacks on QKD[Bouda et. al. (2012), Huber and Paw lowski (2013)] J. B., M. P. 3 DI Extraction from min-entropy sources / 20

5 Randomness Production + Testing Pseudorandomness Classical Hardware Quantum Hardware Seed Initialization function Transformation function State PRNG Random bits J. B., M. P. 3 DI Extraction from min-entropy sources / 20

6 Randomness Production + Testing Pseudorandomness Classical Hardware Quantum Hardware J. B., M. P. 3 DI Extraction from min-entropy sources / 20

7 Randomness Production + Testing Pseudorandomness Classical Hardware Quantum Hardware J. B., M. P.3 DI Extraction from min-entropy sources / 20

8 Randomness Production + Testing Pseudorandomness Classical Hardware Quantum Hardware Statistical tests vs. Unpredictability Official certification J. B., M. P. 3 DI Extraction from min-entropy sources / 20

9 Device Independent Approach Challenge Untrusted Device Response Passed? Randomness Yes Challenges have to be random. Similarity to randomness extraction. J. B., M. P. 3 DI Extraction from min-entropy sources / 20

10 Randomness Extraction Randomness extraction is a procedure to transform imperfect randomness into (close to) perfect randomness. J. B., M. P. 3 DI Extraction from min-entropy sources / 20

11 Randomness Extraction Randomness extraction is a procedure to transform imperfect randomness into (close to) perfect randomness. Classical Extraction Additional Independent Randomness Imperfect Randomness Classical Extractor Uniform Randomness J. B., M. P. 3 DI Extraction from min-entropy sources / 20

12 Randomness Extraction Randomness extraction is a procedure to transform imperfect randomness into (close to) perfect randomness. Classical Extraction Additional Independent Randomness Quantum Extraction Additional Independent Randomness Imperfect Randomness Classical Extractor Imperfect Randomness Quantum Extractor Uniform Randomness Uniform Randomness J. B., M. P. 3 DI Extraction from min-entropy sources / 20

13 Related work Santha-Vazirani sources Colbeck and Renner (2012). Gallego et. al. (2013). Brandão et. al. (2013). Min-Entropy sources Chung, Shi, Wu (2014). This presentation. J. B., M. P. 3 DI Extraction from min-entropy sources / 20

14 Quantum Device - GHZ test Quantum Extractor Quantum Device Quantum Device. Quantum Device x y z A B C a b c J. B., M. P. 3 DI Extraction from min-entropy sources / 20

15 Quantum Device - GHZ test Quantum Extractor Quantum Device Quantum Device. Quantum Device x y z A B C a b c Input xyz {111, 001, 010, 100}. Test if a b c = x y z. Classical strategies succeed with probability at most 3/4. Quantum strategy succeeds with probability 1 and produces perfect random bits. J. B., M. P. 3 DI Extraction from min-entropy sources / 20

16 GHZ devices - rigidity (MP bound) Let inputs into D i be uniform. If D i wins GHZ game with probability p > f (ɛ) then bias of a m is at most ɛ. Function f (ɛ) obtained by SDP. 1 0,98 0,96 0,94 f( ) 0,92 0,9 0,88 0,86 0 0,05 0,1 0,15 0,2 0,25 0,3 0,35 0,4 0,45 0,5 J. B., M. P. 3 DI Extraction from min-entropy sources / 20

17 Weak Source of Randomness - Definition Source of randomness {X i } i N is (n, k) block source if X i is random variable with n bit output. It holds that x 1,, x i 1 {0, 1} n, e I(E), H (X i X i 1 = x i 1,, X 1 = x 1, E = e) k. H is min-entropy. J. B., M. P. 3 DI Extraction from min-entropy sources / 20

18 Weak Source of Randomness - Definition Source of randomness {X i } i N is (n, k) block source if Notes: X i is random variable with n bit output. It holds that H is min-entropy. x 1,, x i 1 {0, 1} n, e I(E), H (X i X i 1 = x i 1,, X 1 = x 1, E = e) k. Classically cannot be extracted. For n = 1 Santha Vazirani (SV) source is recovered. For n > 1 cannot be transformed into SV source existing protocols do not work. J. B., M. P. 3 DI Extraction from min-entropy sources / 20

19 Set of Hashing Functions {0, 1} n h h 2 Let h i : {0, 1} n {0, 1} 2. Let H = {h i } m i=1. For each subset S of {0, 1} n of size 4 there exists h i, such that h i (S) = {00, 01, 10, 11}. There is a construction of H with size polynomial in n. J. B., M. P. 3 DI Extraction from min-entropy sources / 20

20 One Round of Protocol 1 We obtain the (weakly) random n bit string r i from an (n, 2) block source. 2 Into each device D i we input the 3 bit string inputs X i, Y i and Z i derived from h i (r i ) and obtain the outputs A i, B i and C i. 3 We verify whether for each device D i the condition Z i Y i Z i = A i B i C i holds. If this is not true, we abort the protocol. 4 We define the output bit of the protocol as b i = m j=1 A j. J. B., M. P. 3 DI Extraction from min-entropy sources / 20

21 Protocol Scheme (n, 2) r i R X i D 1 D 2 D 3 D m A 1 A 2 A 3 Am b i J. B., M. P. 3 DI Extraction from min-entropy sources / 20

22 Single Round Analysis - The Flat Sources (n, 2) flat source 4 elements of {0, 1} n with probability 1 4, others with probability 0. J. B., M. P. 3 DI Extraction from min-entropy sources / 20

23 Single Round Analysis - The Flat Sources Uniform Input (n, 2) flat source 4 elements of {0, 1} n with probability 1 4, others with probability 0. D 1 D 2 D 3 D m A 1 A 2 A 3 Am b i J. B., M. P. 3 DI Extraction from min-entropy sources / 20

24 Single Round Analysis - The Non-Flat Sources = ( ) ( ) Any (n, 2) distribution d can be expressed as a convex combination of at most N = 2 n (n, 2) flat distributions d i. J. B., M. P. 3 DI Extraction from min-entropy sources / 20

25 Single Round Analysis - The Non-Flat Sources II = D 1 D 2 D 3 D m A 1 A 2 A 3 Am b i D 1 D 2 D 3 D m A 1 A 2 A 3 Am b i J. B., M. P. 3 DI Extraction from min-entropy sources / 20

26 Multiple Rounds Repeat the protocol l times. Output b = If b has bias greater than ɛ, each of b i has bias at least ɛ. To achieve bias ɛ adversary has to risk l times - success f (ɛ) l. For target parameters ɛ, δ set l > log δ/ log f (ɛ) l j=1 b j. r 1 r 2 r i D1 1 D2 1 D3 1 Dm 1 D1 2 D2 2 D3 2 Dm 2 D1 i D2 i D3 i Dm i A 1 1 A 1 2 A 1 3 A 1 m A 2 1 A 2 2 A 2 3 A 2 m A i 1 A i 2 A i 3 A i m b 1 b 2 b i r j r k r l D j 1 D j 2 D j 3 Dm j D1 k D2 k D3 k Dm k D1 l D2 l D3 l Dm l A j 1 A j 2 A j 3 A j m A k 1 A k 2 A k 3 A k m A l 1 A l 2 A l 3 A l m b j b k b l J. B., M. P. 3 DI Extraction from min-entropy sources / 20

27 Robustness - Imperfect Honest Devices 1 f (ɛ) 2m Let us allow µ = fraction of all the ml devices to fail the test. Then honest but faulty devices with failure probability µ/2 pass the protocol with high probability. r 1 r 2 r i D1 1 D2 1 D3 1 Dm 1 D1 2 D2 2 D3 2 Dm 2 D1 i D2 i D3 i Dm i A 1 1 A 1 2 A 1 3 A 1 m A 2 1 A 2 2 A 2 3 A 2 m A i 1 A i 2 A i 3 A i m b 1 b 2 b i r j r k r l D j 1 D j 2 D j 3 Dm j D1 k D2 k D3 k Dm k D1 l D2 l D3 l Dm l A j 1 A j 2 A j 3 A j m A k 1 A k 2 A k 3 A k m A l 1 A l 2 A l 3 A l m b j b k b l J. B., M. P. 3 DI Extraction from min-entropy sources / 20

28 Malicious Devices Adversary needs to cheat for devices with uniform input. By increasing number of rounds we can make sure that (a lot) less errors are allowed than the number of devices adversary needs to cheat. r 1 r 2 r i D1 1 D2 1 D3 1 Dm 1 D1 2 D2 2 D3 2 Dm 2 D1 i D2 i D3 i Dm i A 1 1 A 1 2 A 1 3 A 1 m A 2 1 A 2 2 A 2 3 A 2 m A i 1 A i 2 A i 3 A i m b 1 b 2 b i r j r k r l D j 1 D j 2 D j 3 Dm j D1 k D2 k D3 k Dm k D1 l D2 l D3 l Dm l A j 1 A j 2 A j 3 A j m A k 1 A k 2 A k 3 A k m A l 1 A l 2 A l 3 A l m b j b k b l J. B., M. P. 3 DI Extraction from min-entropy sources / 20

29 Conclusion Protocol uses arbitrary block source. Protocol produces single bit biased at most ɛ with probability 1 δ for arbitrary ɛ, δ. Number of devices used scales polynomially with the length of the block. J. B., M. P. 3 DI Extraction from min-entropy sources / 20

30 Conclusion Protocol uses arbitrary block source. Protocol produces single bit biased at most ɛ with probability 1 δ for arbitrary ɛ, δ. Number of devices used scales polynomially with the length of the block. THANK YOU! J. B., M. P. 3 DI Extraction from min-entropy sources / 20

Tutorial: Device-independent random number generation. Roger Colbeck University of York

Tutorial: Device-independent random number generation Roger Colbeck University of York Outline Brief motivation of random number generation Discuss what we mean by a random number Discuss some ways of