Untrusted quantum devices. Yaoyun Shi University of Michigan updated Feb. 1, 2014
|
|
- Dennis Gibbs
- 6 years ago
- Views:
Transcription
1 Untrusted quantum devices Yaoyun Shi University of Michigan updated Feb. 1, 2014
2 Quantum power is incredible!
3 Quantum power is incredible!
4 Quantum power is incredible! Spooky action at a distance
5 Quantum power is incredible! simulating quantum physics Spooky action at a distance
6 Quantum power is incredible! simulating quantum physics Spooky action at a distance super-fast factoring
7 Quantum power is incredible! simulating quantum physics super-fast factoring Spooky action at a distance Unbreakable codes
8 Quantum power is incredible! simulating quantum physics super-fast factoring Spooky action at a distance Unbreakable codes Bla..bla..bla..
9
10
11 Do you believe in half-dead halfalive cats?
12 Do you believe in half-dead halfalive cats?! Quantum Poems, No. 4 by Smita Krishnaswamy A group of physicist perform a hoax about a cat half-alive half-dead in a box The equations so well worked out And observations to tout Only mathematicians fall for such jokes!!
13 Quantum power is incredible!
14 Quantum power is incredible! We are classical beings
15 Quantum power is incredible! We are classical beings
16 Quantum power is incredible! We are classical beings It s THE CAT!
17 Quantum power is incredible! We are classical beings It s THE CAT! Technological challenges
18 Quantum power is incredible! We are classical beings It s THE CAT! Technological challenges
19 Quantum power is incredible! We are classical beings It s THE CAT! Technological challenges
20 Quantum power is incredible! We are classical beings It s THE CAT! Technological challenges Entanglement experiments still have Loopholes
21 Quantum power is incredible! We are classical beings It s THE CAT! Technological challenges Entanglement experiments still have Loopholes Security concerns
22 Quantum power is incredible! We are classical beings It s THE CAT! Technological challenges Entanglement experiments still have Loopholes Security concerns
23 Quantum power is incredible! We are classical beings It s THE CAT! Technological challenges Entanglement experiments still have Loopholes Security concerns Certified by???
24
25 Can we still reap the quantum benefits without trusting the device?
26 Can we still reap the quantum benefits without trusting the device?
27 Can we still reap the quantum benefits without trusting the device? Untrusted-device quantum computation
28 Can we still reap the quantum benefits without trusting the device? Untrusted-device quantum computation Untrusted-device randomness extraction
29 Can we still reap the quantum benefits without trusting the device? Untrusted-device quantum computation Untrusted-device randomness extraction Untrusted-device key distribution
30
31 Foundation: Classical Test of a Quantum Duck
32 Foundation: Classical Test of a Quantum Duck
33 Foundation: Classical Test of a Quantum Duck Interrogate the device classically, check if behaving like the ideal q. device
34 Foundation: Classical Test of a Quantum Duck Interrogate the device classically, check if behaving like the ideal q. device Self-testing: if behaving exactly as ideal, then must be ideal
35 Foundation: Classical Test of a Quantum Duck Interrogate the device classically, check if behaving like the ideal q. device Self-testing: if behaving exactly as ideal, then must be ideal Robust Self-testing: if behaving close to ideal, then must be close to the ideal
36
37 Strategy: mixing work and play (test)
38 Strategy: mixing work and play (test)
39 Strategy: mixing work and play (test) The device can t tell if it s work or test
40 Strategy: mixing work and play (test) The device can t tell if it s work or test If trying to avoid work, will fail the test
41 Strategy: mixing work and play (test) The device can t tell if it s work or test If trying to avoid work, will fail the test Two guarantees
42 Strategy: mixing work and play (test) The device can t tell if it s work or test If trying to avoid work, will fail the test Two guarantees Completeness. On honest device (thus job well-done), accept w.h.p.
43 Strategy: mixing work and play (test) The device can t tell if it s work or test If trying to avoid work, will fail the test Two guarantees Completeness. On honest device (thus job well-done), accept w.h.p. Soundness. On any device, almost always reject or accept a welldone job
44 Strategy: mixing work and play (test) The device can t tell if it s work or test If trying to avoid work, will fail the test Two guarantees Completeness. On honest device (thus job well-done), accept w.h.p. Soundness. On any device, almost always reject or accept a welldone job Reject a malicious device w.h.p.
45 How could self-testing be possible? Do you love me, daughters? Dear father, we do! Impossible if no additional constraints on the device
46 Additional constraint: Spatial separation Communication impossible A B
47 Additional constraint: Spatial separation Communication impossible A B Device has multiple-parts
48 Additional constraint: Spatial separation Communication impossible A B Device has multiple-parts Spatially separated so that no communications allowed among parts within the testing time
49 The CHSH game x y A B a b
50 The CHSH game x y A B a b Each part receives a bit, outputs a bit
51 The CHSH game x y A B a b Each part receives a bit, outputs a bit Input bits are uniformly random
52 The CHSH game x y A B a b Each part receives a bit, outputs a bit Input bits are uniformly random Device wins if a b=x y
53 Classical strategies x y A B a b
54 Classical strategies x y A B a b
55 Classical strategies x y A B a b Each applies a deterministic function on his/her input
56 Classical strategies x y A B a b Each applies a deterministic function on his/her input Best classical winning prob: 3/4
57 Classical strategies x y A B a b Each applies a deterministic function on his/her input Best classical winning prob: 3/4 Bell-type inequality
58 Classical strategies x y A B a b Each applies a deterministic function on his/her input Best classical winning prob: 3/4 both output 0 on all inputs achieves 3/4 Bell-type inequality
59 Quantum strategies x y A B a b
60 Quantum strategies x y A B a b
61 Quantum strategies x y A B a b Share entanglement before game starts
62 Quantum strategies x y A B a b Share entanglement before game starts Each applies a local measurement chosen by the input
63 Quantum strategies x y A B a b Share entanglement before game starts Each applies a local measurement chosen by the input Best quantum winning prob: cos 2 ᴨ/8
64 Quantum strategies x y A B a b Share entanglement before game starts Each applies a local measurement chosen by the input Best quantum winning prob: cos 2 ᴨ/8 Achievable
65 Quantum strategies x y A B a b Share entanglement before game starts Each applies a local measurement chosen by the input Best quantum winning prob: cos 2 ᴨ/8 Achievable Tsirelsen-type inequality
66 CHSH is a strong self-test x y A B a b
67 CHSH is a strong self-test x y A B a b
68 CHSH is a strong self-test x y A B a b Self-test [Popescu,Rorhlick 1999]: Any q. strategy achieving cos 2 ᴨ/8 must be the ideal protocol (up to local isometry)
69 CHSH is a strong self-test x y A B a b Self-test [Popescu,Rorhlick 1999]: Any q. strategy achieving cos 2 ᴨ/8 must be the ideal protocol (up to local isometry) Robust self-test [McKague et al., Miller-S, Reichardt et al. 2012],: Any q. strategy achieving close to cos 2 ᴨ/8 must be close to ideal
70 CHSH is a strong self-test x y A B a b Self-test [Popescu,Rorhlick 1999]: Any q. strategy achieving cos 2 ᴨ/8 must be the ideal protocol (up to local isometry) Robust self-test [McKague et al., Miller-S, Reichardt et al. 2012],: Any q. strategy achieving close to cos 2 ᴨ/8 must be close to ideal Strong (robust) self-test [Miller-S, Reichardt et al. 2012]: ϵ-close in prob implies O( ϵ)-close to ideal (strongest possible)
71 Many other robust self-tests x y z A B C a b c
72 Many other robust self-tests x y z A B C a b c
73 Many other robust self-tests x y z A B C a b c GHZ-game: classical 3/4 vs quantum 1
74 Many other robust self-tests x y z A B C a b c GHZ-game: classical 3/4 vs quantum 1 Binary XOR games: input/output binary, XOR of output bits determines game outcome
75 Many other robust self-tests x y z A B C a b c GHZ-game: classical 3/4 vs quantum 1 Binary XOR games: input/output binary, XOR of output bits determines game outcome All strong delft-testing binary XOR games characterized in [Miller, Shi 2012]
76 Self-testing sequential CHSH [Reichardt, Unger, Vazirani 2012] x1 y1 A B a1 x2 a2 x3 A A B B b1 y2 b2 y3 time Theorem [RUV12] If an average game wins with very close to quantum optimal, a random block of significant length is close to ideal tensor a3 xn b3 yn strategy. A B an bn
77 Self-testing graph states [McKague 2013]
78 Self-testing graph states [McKague 2013] Graph states
79 Self-testing graph states [McKague 2013] Graph states Each vertex corresponds to a qubit
80 Self-testing graph states [McKague 2013] Graph states Each vertex corresponds to a qubit May be highly entangled
81 Self-testing graph states [McKague 2013] Graph states Each vertex corresponds to a qubit May be highly entangled Robust self-testing
82 Self-testing graph states [McKague 2013] Graph states Each vertex corresponds to a qubit May be highly entangled Robust self-testing translated error depends on vertex number linearly.
83 Toward untrusted-device quantum computation random bits deterministic Quantum resource restricted q. operations Randomized algorithm Quantum algorithm
84 Toward untrusted-device quantum computation random bits deterministic Quantum resource restricted q. operations Randomized algorithm Quantum algorithm Randomized algorithm = deterministic algorithm + random bits
85 Toward untrusted-device quantum computation random bits deterministic Quantum resource restricted q. operations Randomized algorithm Quantum algorithm Randomized algorithm = deterministic algorithm + random bits Quantum algorithm = quantum resources + restricted operations
86 Computation by Teleportation [Gottesman and Chuang 1999] EPR pairs Bell-measurements + single-qubit operations Quantum algorithm
87 UD quantum computation by Self-testing sequential CHSH [Reichardt, Unger, Vazirani 2012] B A Randomized classical Verifier
88 UD quantum computation by Self-testing sequential CHSH [Reichardt, Unger, Vazirani 2012] B A Mix sequential CHSH test with work for teleportation-based computation Randomized classical Verifier
89 UD quantum computation by Self-testing sequential CHSH [Reichardt, Unger, Vazirani 2012] B A Mix sequential CHSH test with work for teleportation-based computation Not following instruction risks failing the test Randomized classical Verifier
90 UD quantum computation by Self-testing sequential CHSH [Reichardt, Unger, Vazirani 2012] B Randomized classical Verifier A Mix sequential CHSH test with work for teleportation-based computation Not following instruction risks failing the test Honest device starts with EPR pairs, applies instructed measurements and single-qubit operations
91 UD quantum computation by Self-testing graph state [McKague 2013] Randomized classical Verifier
92 UD quantum computation by Self-testing graph state [McKague 2013] Each vertex is a device component Randomized classical Verifier
93 UD quantum computation by Self-testing graph state [McKague 2013] Each vertex is a device component No communications among them Randomized classical Verifier
94 UD quantum computation by Self-testing graph state [McKague 2013] Each vertex is a device component No communications among them A single message to and from each component Randomized classical Verifier
95 UD quantum computation by Self-testing graph state [McKague 2013] Each vertex is a device component No communications among them A single message to and from each component Mix test with work Randomized classical Verifier
96 UD quantum computation by Self-testing graph state [McKague 2013] Each vertex is a device component No communications among them A single message to and from each component Mix test with work Honest device stores the Randomized classical Verifier graph state, applies instructed measurements
97 Randomness is vital
98 Digital security Randomness is vital
99 Digital security Randomness is vital
100 Randomness is vital Digital security Randomized algorithms
101 Randomness is vital Digital security Randomized algorithms Scientific simulations
102 Randomness is vital Digital security Randomized algorithms Scientific simulations Gambling
103 Wish list for randomness
104 High quality Wish list for randomness
105 High quality Wish list for randomness
106 Wish list for randomness High quality close to uniform
107 Wish list for randomness High quality close to uniform secure
108 Wish list for randomness High quality close to uniform secure Crypto secure
109 Wish list for randomness High quality close to uniform secure Crypto secure Large quantity
110 Wish list for randomness High quality close to uniform secure Crypto secure Large quantity 1 trillion bits/day?
111 Wish list for randomness High quality close to uniform secure Crypto secure Large quantity 1 trillion bits/day? Minimum assumptions
112 Wish list for randomness High quality close to uniform secure Crypto secure Large quantity 1 trillion bits/day? Minimum assumptions least amount of trust
113 Widely used: Linux s random number generator system boot time current process id Deterministic Deterministic stretch On-chip circuit user input
114 The perils of the lack of randomness and blinded trust
115 The perils of the lack of randomness and blinded trust The lack of initial randomness has led to a large number of broken keys
116 The perils of the lack of randomness and blinded trust The lack of initial randomness has led to a large number of broken keys Backdoors built-in chips and standards
117 The perils of the lack of randomness and blinded trust The lack of initial randomness has led to a large number of broken keys Backdoors built-in chips and standards Security based on unproved computational assumptions
118 The perils of the lack of randomness and blinded trust The lack of initial randomness has led to a large number of broken keys Backdoors built-in chips and standards Security based on unproved computational assumptions vulnerable to advances in algorithms and technology
119
120 How can we be sure it s random?
121 How can we be sure it s random? How could fundamentally unpredictable events possible?
122
123 We can t be sure
124 We can t be sure without believing
125 We can t be sure without believing first of all its existence
126 How can we generate a large number of provably unconditional secure random bits with minimal assumptions?
127 Classical theory is inadequate: Independence requirement for minentropy sources Min-entropy source Min-entropy source Must be independent! deterministic
128 Classical theory is inadequate: Independence requirement for minentropy sources Min-entropy source Min-entropy source Must be independent! deterministic Classical theory of Randomness Extraction
129 Classical theory is inadequate: Independence requirement for minentropy sources Min-entropy source Min-entropy source Must be independent! deterministic Classical theory of Randomness Extraction Models weak source as min-entropy string
130 Classical theory is inadequate: Independence requirement for minentropy sources Min-entropy source Min-entropy source Must be independent! deterministic Classical theory of Randomness Extraction Models weak source as min-entropy string Min-entropy=k: adversary can t predict with > 2 -k prob
131 Classical theory is inadequate: Independence requirement for minentropy sources Min-entropy source Min-entropy source Must be independent! deterministic Classical theory of Randomness Extraction Models weak source as min-entropy string Min-entropy=k: adversary can t predict with > 2 -k prob Possible only when having 2 or more independent sources!
132 Classical theory is inadequate: Independence requirement for minentropy sources Min-entropy source Min-entropy source Must be independent! deterministic Classical theory of Randomness Extraction Models weak source as min-entropy string Min-entropy=k: adversary can t predict with > 2 -k prob Possible only when having 2 or more independent sources! How to be sure of independence? Impossible!
133 Can we get around the independence requirement?
134 Trusting quantum device solves almost all the problems
135 Trusting quantum device solves almost all the problems Postulates of quantum mechanics promise true randomness
136 Trusting quantum device solves almost all the problems Postulates of quantum mechanics promise true randomness Measuring the +> state gives 0/1 with equal prob
137 Trusting quantum device solves almost all the problems Postulates of quantum mechanics promise true randomness Measuring the +> state gives 0/1 with equal prob Commercial products available
138 Trusting quantum device solves almost all the problems Postulates of quantum mechanics promise true randomness Measuring the +> state gives 0/1 with equal prob Commercial products available Problem: Should we trust
139 Trusting quantum device solves almost all the problems Postulates of quantum mechanics promise true randomness Measuring the +> state gives 0/1 with equal prob Commercial products available Problem: Should we trust the device not malicious?
140 Trusting quantum device solves almost all the problems Postulates of quantum mechanics promise true randomness Measuring the +> state gives 0/1 with equal prob Commercial products available Problem: Should we trust the device not malicious? the device working properly?
141 Trusting quantum device solves almost all the problems Postulates of quantum mechanics promise true randomness Measuring the +> state gives 0/1 with equal prob Commercial products available Problem: Should we trust the device not malicious? the device working properly? trust the device maker and the certifying agency?
142 Randomness from untrusted quantum device
143 Randomness from untrusted quantum device Randomness Amplification [Colbeck and Renner 2012]
144 Randomness from untrusted quantum device Randomness Amplification [Colbeck and Renner 2012] SV-source untrusted q. devices one near perfect random bit
145 Randomness from untrusted quantum device Randomness Amplification [Colbeck and Renner 2012] SV-source untrusted q. devices one near perfect random bit SV source: each bit of constant bias conditioned on previous bits
146 Randomness from untrusted quantum device Randomness Amplification [Colbeck and Renner 2012] Randomness Expansion [Colbeck 2006; Colbeck and Kent 2011] SV-source untrusted q. devices one near perfect random bit SV source: each bit of constant bias conditioned on previous bits
147 Randomness from untrusted quantum device Randomness Amplification [Colbeck and Renner 2012] Randomness Expansion [Colbeck 2006; Colbeck and Kent 2011] SV-source untrusted q. devices one near perfect random bit SV source: each bit of constant bias conditioned on previous bits Perfect randomness untrusted q. devices more near perfect randomness
148 Framework for extracting untrusted quantum device [Chung, Shi, Wu 2014] Adversary Device A Device B deterministic min-entropy source almost perfect randomness
149 Framework for extracting untrusted quantum device [Chung, Shi, Wu 2014] Adversary Adversary: all powerful Device A Device B deterministic min-entropy source almost perfect randomness
150 Framework for extracting untrusted quantum device [Chung, Shi, Wu 2014] Adversary Adversary: all powerful prepares/may entangle with device Device A Device B deterministic min-entropy source almost perfect randomness
151 Framework for extracting untrusted quantum device [Chung, Shi, Wu 2014] Device Adversary Device Adversary: all powerful prepares/may entangle with device can t talk to/change device after protocol starts A B deterministic min-entropy source almost perfect randomness
152 Framework for extracting untrusted quantum device [Chung, Shi, Wu 2014] Device Adversary Device Adversary: all powerful prepares/may entangle with device can t talk to/change device after protocol starts Device: multi-component A B deterministic min-entropy source almost perfect randomness
153 Framework for extracting untrusted quantum device [Chung, Shi, Wu 2014] Device A Adversary Device B Adversary: all powerful prepares/may entangle with device can t talk to/change device after protocol starts Device: multi-component User: deterministic deterministic min-entropy source almost perfect randomness
154 Framework for extracting untrusted quantum device [Chung, Shi, Wu 2014] Device A Adversary Device B Adversary: all powerful prepares/may entangle with device can t talk to/change device after protocol starts Device: multi-component User: deterministic can restrict communication among device components deterministic min-entropy source almost perfect randomness
155 Framework for extracting untrusted quantum device [Chung, Shi, Wu 2014] Device A Adversary deterministic Device B Adversary: all powerful prepares/may entangle with device can t talk to/change device after protocol starts Device: multi-component User: deterministic can restrict communication among device components Min-entropy source min-entropy source almost perfect randomness
156 Framework for extracting untrusted quantum device [Chung, Shi, Wu 2014] Device A min-entropy source Adversary deterministic Device B almost perfect randomness Adversary: all powerful prepares/may entangle with device can t talk to/change device after protocol starts Device: multi-component User: deterministic can restrict communication among device components Min-entropy source necessary; otherwise Adversary can cheat
157 Amplification and expansion seen in the framework Adversary Device A Device B deterministic min-entropy source almost perfect randomness
158 Amplification and expansion seen in the framework Adversary Randomness Amplification: seedless extraction with an SV source Device A Device B deterministic min-entropy source almost perfect randomness
159 Amplification and expansion seen in the framework Adversary Randomness Amplification: seedless extraction with an SV source Device A Device B SV untrusted one bit deterministic min-entropy source almost perfect randomness
160 Amplification and expansion seen in the framework Adversary Randomness Amplification: seedless extraction with an SV source Device A deterministic Device B SV untrusted one bit Randomness Expansion: seeded extraction (classical source perfectly random) min-entropy source almost perfect randomness
161 Amplification and expansion seen in the framework Adversary Randomness Amplification: seedless extraction with an SV source Device A deterministic Device B SV untrusted one bit Randomness Expansion: seeded extraction (classical source perfectly random) min-entropy source almost perfect randomness Perfect untrusted more
162 Amplification and expansion seen in the framework Randomness to be extracted is in the device Adversary Randomness Amplification: seedless extraction with an SV source Device A deterministic Device B SV untrusted one bit Randomness Expansion: seeded extraction (classical source perfectly random) min-entropy source almost perfect randomness Perfect untrusted more
163 Amplification and expansion seen in the framework Randomness to be extracted is in the device Adversary Randomness Amplification: seedless extraction with an SV source Device A Used to unlock he randomness deterministic Device B SV untrusted one bit Randomness Expansion: seeded extraction (classical source perfectly random) min-entropy source almost perfect randomness Perfect untrusted more
164 Goals: basic list Adversary Device A Device B deterministic min-entropy source almost perfect randomness
165 Goals: basic list Adversary 1. Security: quantum Device A Device B deterministic min-entropy source almost perfect randomness
166 Goals: basic list Adversary 1. Security: quantum 2. Quality: negligible errors Device A Device B deterministic min-entropy source almost perfect randomness
167 Goals: basic list Adversary 1. Security: quantum 2. Quality: negligible errors Completeness error Device A Device B deterministic min-entropy source almost perfect randomness
168 Goals: basic list Device Adversary Device 1. Security: quantum 2. Quality: negligible errors Completeness error Soundness error, A B deterministic min-entropy source almost perfect randomness
169 Goals: basic list Device Adversary Device 1. Security: quantum 2. Quality: negligible errors Completeness error Soundness error, Cryptographic security A B deterministic min-entropy source almost perfect randomness
170 Goals: basic list Device A Adversary Device B 1. Security: quantum 2. Quality: negligible errors Completeness error Soundness error, Cryptographic security 3. Output length: extract full device capacity deterministic min-entropy source almost perfect randomness
171 Goals: basic list Device A Adversary deterministic Device B 1. Security: quantum 2. Quality: negligible errors Completeness error Soundness error, Cryptographic security 3. Output length: extract full device capacity 4. Classical source: arbitrary min-entropy source min-entropy source almost perfect randomness
172 Goals: Premium list critical for realization Adversary Device A Device B deterministic min-entropy source almost perfect randomness
173 Goals: Premium list critical for realization Adversary 5. Robustness: tolerate a constant-level device imprecision Device A Device B deterministic min-entropy source almost perfect randomness
174 Goals: Premium list critical for realization Device Adversary Device 5. Robustness: tolerate a constant-level device imprecision Model noise by deviation from ideal A B deterministic min-entropy source almost perfect randomness
175 Goals: Premium list critical for realization Device A Adversary Device B 5. Robustness: tolerate a constant-level device imprecision Model noise by deviation from ideal 6. Efficiency deterministic min-entropy source almost perfect randomness
176 Goals: Premium list critical for realization Device A Adversary Device B 5. Robustness: tolerate a constant-level device imprecision Model noise by deviation from ideal 6. Efficiency Minimize device number deterministic min-entropy source almost perfect randomness
177 Goals: Premium list critical for realization Device A Adversary Device B 5. Robustness: tolerate a constant-level device imprecision Model noise by deviation from ideal 6. Efficiency Minimize device number Computationally efficient deterministic min-entropy source almost perfect randomness
178 Goals: Premium list critical for realization Device A min-entropy source Adversary deterministic Device B almost perfect randomness 5. Robustness: tolerate a constant-level device imprecision Model noise by deviation from ideal 6. Efficiency Minimize device number Computationally efficient 7. Quantum memory: the smaller needed the better
179 Seeded extraction of Vazirani- Vidick [2012] and subsequent works N rounds of CHSH deterministic k uniform bits exp(k c )-bits exp(-k c ) error
180 Seeded extraction of Vazirani- Vidick [2012] and subsequent works N rounds of CHSH 1 device (2 components), play N sequential CHSH deterministic k uniform bits exp(k c )-bits exp(-k c ) error
181 Seeded extraction of Vazirani- Vidick [2012] and subsequent works N rounds of CHSH 1 device (2 components), play N sequential CHSH choose a small number of games for testing; others for generating deterministic k uniform bits exp(k c )-bits exp(-k c ) error
182 Seeded extraction of Vazirani- Vidick [2012] and subsequent works N rounds of CHSH 1 device (2 components), play N sequential CHSH choose a small number of games for testing; others for generating Test round: use random input Generating round: use constant deterministic k uniform bits exp(k c )-bits exp(-k c ) error
183 Seeded extraction of Vazirani- Vidick [2012] and subsequent works k uniform bits N rounds of CHSH deterministic exp(k c )-bits exp(-k c ) error 1 device (2 components), play N sequential CHSH choose a small number of games for testing; others for generating Test round: use random input Generating round: use constant Abort when losing too much in test rounds
184 Self-testing and generating random numbers x y A B a b
185 Self-testing and generating random numbers x y A B a b Optimal quantum strategy: a is uniform (to adversary)
186 Self-testing and generating random numbers x y A B a b Optimal quantum strategy: a is uniform (to adversary) by strong self-testing: close to optimal implies close to uniform
187 Intuition for why it should work
188 Intuition for why it should work A B A 0 0 B Te s t ing Generating
189 Intuition for why it should work A B A 0 0 B Te s t ing Generating Mix work and test: cheating on input 0 risks failing test
190 Intuition for why it should work A B A 0 0 B Te s t ing Generating Mix work and test: cheating on input 0 risks failing test Winning ratio of testing rounds good estimate for that of generating rounds
191 Intuition for why it should work A B A 0 0 B Te s t ing Mix work and test: cheating on input 0 risks failing test Winning ratio of testing rounds good estimate for that of generating rounds Generating Strong self-testing ensures randomness if many rounds strategy close to optimal
192 Intuition for why it should work A B A 0 0 B Te s t ing Mix work and test: cheating on input 0 risks failing test Winning ratio of testing rounds good estimate for that of generating rounds Generating Strong self-testing ensures randomness if many rounds strategy close to optimal Actual proof is very difficult
193 Intuition for why it should work A B really? A 0 0 B Te s t ing Mix work and test: cheating on input 0 risks failing test Winning ratio of testing rounds good estimate for that of generating rounds Generating Strong self-testing ensures randomness if many rounds strategy close to optimal Actual proof is very difficult
194 Seeded extraction of Miller-Shi [2014] N rounds of CHSH deterministic k uniform bits exp(k c )-bits exp(-k c ) error
195 Seeded extraction of Miller-Shi [2014] N rounds of CHSH Cryptographic security: errors = negligible in running time deterministic k uniform bits exp(k c )-bits exp(-k c ) error
196 Seeded extraction of Miller-Shi [2014] N rounds of CHSH Cryptographic security: errors = negligible in running time Robustness: OPT - constant winning prob. suffices deterministic k uniform bits exp(k c )-bits exp(-k c ) error
197 Seeded extraction of Miller-Shi [2014] N rounds of CHSH Cryptographic security: errors = negligible in running time Robustness: OPT - constant winning prob. suffices Constant size q. memory: allow inbetween-rounds communications deterministic k uniform bits exp(k c )-bits exp(-k c ) error
198 Seeded extraction of Miller-Shi [2014] N rounds of CHSH Cryptographic security: errors = negligible in running time Robustness: OPT - constant winning prob. suffices Constant size q. memory: allow inbetween-rounds communications Any strong self-test can be used (including CHSH and GHZ) deterministic k uniform bits exp(k c )-bits exp(-k c ) error
199 Seeded extraction of Miller-Shi [2014] N rounds of CHSH deterministic Cryptographic security: errors = negligible in running time Robustness: OPT - constant winning prob. suffices Constant size q. memory: allow inbetween-rounds communications Any strong self-test can be used (including CHSH and GHZ) Translates to QKD: exponential expansion at the same time k uniform bits exp(k c )-bits exp(-k c ) error
200 Seeded extraction of Miller-Shi [2014] k uniform bits N rounds of CHSH deterministic exp(k c )-bits exp(-k c ) error Cryptographic security: errors = negligible in running time Robustness: OPT - constant winning prob. suffices Constant size q. memory: allow inbetween-rounds communications Any strong self-test can be used (including CHSH and GHZ) Translates to QKD: exponential expansion at the same time Composed for unbounded expansion
201 Seeded extraction of Miller-Shi [2014] k uniform bits N rounds of CHSH deterministic Cryptographic security: errors = negligible in running time Robustness: OPT - constant winning prob. suffices Constant size q. memory: allow inbetween-rounds communications Any strong self-test can be used (including CHSH and GHZ) Translates to QKD: exponential expansion at the same time Composed for unbounded expansion exp(k c )-bits Proof quite involved exp(-k c ) error
202 Quantum-proof seeded extractors for min-entropy source [De et al. 2012] min-entropy source deterministic short seed near uniform
203 Quantum-proof seeded extractors for min-entropy source [De et al. 2012] min-entropy source deterministic short seed! Trevisan s Extractors still work against quantum adversaries near uniform
204 Quantum Somewhere Randomness [Chung, Shi, Wu 2014] Adversary Min-entropy Source X X X seed=0 0 X seed=1 0 seed=1 1 Ext Ext Ext y0 0 y1 0 y1 1
205 Quantum Somewhere Randomness [Chung, Shi, Wu 2014] Adversary Min-entropy Source X X X seed=0 0 X seed=1 0 seed=1 1 Ext Ext Ext y0 0 y1 0 y1 1 The average of y s is close to uniform to Adversary
206 Quantum Somewhere Randomness [Chung, Shi, Wu 2014] Adversary Min-entropy Source X X X seed=0 0 X seed=1 0 seed=1 1 Ext Ext Ext y0 0 y1 0 y1 1 The average of y s is close to uniform to Adversary A y in an unknown location is close to uniform to Adversary
207 Randomness Decoupling [Chung, Shi, Wu 2014] Adversary D X Y
208 Randomness Decoupling [Chung, Shi, Wu 2014] If: X uniformly random to Device Adversary D X Y
209 Randomness Decoupling [Chung, Shi, Wu 2014] Adversary If: X uniformly random to Device could be known completely to Adversary D X Y
210 Randomness Decoupling [Chung, Shi, Wu 2014] Adversary If: X uniformly random to Device could be known completely to Adversary Then: Y is close to uniform to all except Device D X Y
211 Randomness Decoupling [Chung, Shi, Wu 2014] X Adversary D Y If: X uniformly random to Device could be known completely to Adversary Then: Y is close to uniform to all except Device In particular Y is random to Adversary, even conditioned on X
212 Randomness Decoupling [Chung, Shi, Wu 2014] X Adversary D Y If: X uniformly random to Device could be known completely to Adversary Then: Y is close to uniform to all except Device In particular Y is random to Adversary, even conditioned on X Turn local randomness to global randomness
213 Seedless extraction of Chung-Shi-Wu [2014] Min-entropy Source X X X seed=0 0 X seed=1 0 seed=1 1 Ext Ext Ext G 1 0 Y 1 0 G 0 0 Y 0 0 G 1 1 Y 1 1 ^ Accept/Abort G Output Y
214 Seedless extraction of Chung-Shi-Wu [2014] X Min-entropy Source X X Input: arbitrary min-entropy source seed=0 0 X seed=1 0 seed=1 1 Ext Ext Ext G 1 0 Y 1 0 G 0 0 Y 0 0 G 1 1 Y 1 1 ^ Accept/Abort G Output Y
215 Seedless extraction of Chung-Shi-Wu [2014] Ext X seed=0 0 Min-entropy Source X X seed=1 0 Ext X Ext seed=1 1 Input: arbitrary min-entropy source Delicate composition of quantumproof extractors for min-entropy source and Randomness Decoupling G 1 0 Y 1 0 G 0 0 Y 0 0 G 1 1 Y 1 1 ^ Accept/Abort G Output Y
216 Seedless extraction of Chung-Shi-Wu [2014] Ext X seed=0 0 Min-entropy Source X seed=1 0 Ext ^ G 1 0 X Y 1 0 Ext G 0 0 Y 0 0 G 1 1 Y 1 1 X seed=1 1 Input: arbitrary min-entropy source Delicate composition of quantumproof extractors for min-entropy source and Randomness Decoupling First create quantum somewhere randomness, then transformed to global randomness through Randomness Decoupling Accept/Abort G Output Y
217 Seedless extraction of Chung-Shi-Wu [2014] Ext X seed=0 0 Min-entropy Source X seed=1 0 Ext ^ G 1 0 X Y 1 0 X random to device Ext G 0 0 Y 0 0 G 1 1 Y 1 1 seed=1 1 Input: arbitrary min-entropy source Delicate composition of quantumproof extractors for min-entropy source and Randomness Decoupling First create quantum somewhere randomness, then transformed to global randomness through Randomness Decoupling Accept/Abort G Output Y
218 Seedless extraction of Chung-Shi-Wu [2014] Ext X seed=0 0 Min-entropy Source X seed=1 0 Ext ^ G 1 0 X Y 1 0 X random to device Ext random to all G 0 0 Y 0 0 G 1 1 Y 1 1 seed=1 1 Input: arbitrary min-entropy source Delicate composition of quantumproof extractors for min-entropy source and Randomness Decoupling First create quantum somewhere randomness, then transformed to global randomness through Randomness Decoupling Accept/Abort G Output Y
219 Seedless extraction of Chung-Shi-Wu [2014] Ext X seed=0 0 Min-entropy Source X seed=1 0 Ext ^ G 1 0 Accept/Abort G X Y 1 0 X Output Y random to device Ext random to all G 0 0 Y 0 0 G 1 1 Y 1 1 seed=1 1 Input: arbitrary min-entropy source Delicate composition of quantumproof extractors for min-entropy source and Randomness Decoupling First create quantum somewhere randomness, then transformed to global randomness through Randomness Decoupling XORed with others still globally random
220 global-uniform Equivalence Lemma uniform to device [Chung, Shi, Wu 2014] Adversary Adversary X X Equivalent X Y X Y P works for global-uniform input if and only if P works for uniform-to-device input
221 global-uniform Equivalence Lemma uniform to device [Chung, Shi, Wu 2014] Adversary Adversary X X Equivalent X Y X Y P works for global-uniform input if and only if P works for uniform-to-device input Copying X to Adversary commutes with P: b/c no interaction between Adversary and Device
222 global-uniform Equivalence Lemma uniform to device [Chung, Shi, Wu 2014] Adversary Adversary X X Equivalent X Y X Y P works for global-uniform input if and only if P works for uniform-to-device input Copying X to Adversary commutes with P: b/c no interaction between Adversary and Device Uniform-to-device = Apply commuting operation on global-uniform
223 Implication of E.L: Instantiation of seedless extraction Min-entropy Source X X X seed=0 0 X seed=1 0 seed=1 1 Ext Ext Ext G 1 0 Y 1 0 G 0 0 Y 0 0 G 1 1 Y 1 1 ^ Accept/Abort G Output Y
224 Implication of E.L: Instantiation of seedless extraction X Min-entropy Source X X X needs only to have minentropy against Devices seed=0 0 X seed=1 0 seed=1 1 Ext Ext Ext G 1 0 Y 1 0 G 0 0 Y 0 0 G 1 1 Y 1 1 ^ Accept/Abort G Output Y
225 Implication of E.L: Instantiation of seedless extraction Ext X seed=0 0 Min-entropy Source X X seed=1 0 Ext X Ext seed=1 1 X needs only to have minentropy against Devices П can be any untrusted device expansion or KD protocol G 1 0 Y 1 0 G 0 0 Y 0 0 G 1 1 Y 1 1 ^ Accept/Abort G Output Y
226 Ext Implication of E.L: Instantiation of seedless extraction X seed=0 0 Min-entropy Source X seed=1 0 Ext ^ G 1 0 X Y 1 0 Ext G 0 0 Y 0 0 G 1 1 Y 1 1 X seed=1 1 X needs only to have minentropy against Devices П can be any untrusted device expansion or KD protocol Vazirani-Vidick for expansion (not robust) Accept/Abort G Output Y
227 Ext Implication of E.L: Instantiation of seedless extraction X seed=0 0 Min-entropy Source X seed=1 0 Ext ^ G 1 0 X Y 1 0 Ext G 0 0 Y 0 0 G 1 1 Y 1 1 X seed=1 1 X needs only to have minentropy against Devices П can be any untrusted device expansion or KD protocol Vazirani-Vidick for expansion (not robust) Miller-Shi (robust) Accept/Abort G Output Y
228 Ext Implication of E.L: Instantiation of seedless extraction X seed=0 0 Min-entropy Source X seed=1 0 Ext ^ G 1 0 X Y 1 0 Ext G 0 0 Y 0 0 G 1 1 Y 1 1 X seed=1 1 X needs only to have minentropy against Devices П can be any untrusted device expansion or KD protocol Vazirani-Vidick for expansion (not robust) Miller-Shi (robust) Vazirani-Vidick for KD (robust) Accept/Abort G Output Y
229 Unbounded Expansion
230 Unbounded Expansion!! Straightforward by sequential composition To get N bits need only O(log* N) applications of an exp expanding protocol Seed length independent of N Classically seed length >=log N Multiple-Device extraction Not surprising in our view since randomness comes from device
231 Unbounded Expansion X2,X4, X2N X1,X3,X5, X2N+1! X0 D0! Y0,Y2,Y4, Y2N Straightforward by sequential composition To get N bits need only O(log* N) applications of an exp expanding protocol Seed length independent of N Classically seed length >=log N Multiple-Device extraction Not surprising in our view since randomness comes from device D1 Y1,Y3,Y5, Y2N-1 Y2N+1
232 Unbounded Expansion X2,X4, X2N X1,X3,X5, X2N+1! X0 D0! Y0,Y2,Y4, Y2N Straightforward by sequential composition To get N bits need only O(log* N) applications of an exp expanding protocol Seed length independent of N Classically seed length >=log N Multiple-Device extraction Not surprising in our view since randomness comes from device!! D1 Y1,Y3,Y5, Y2N-1 Y2N+1 Reduce log*n to a constant? Crossfeeding composition problem: the output of D0 when used by D1 is not globaluniform [Fehr-Gelles-Schaffner 13] Constant-number-device Unbounded (non-robust) expansion first claimed by Coudron-Yuen [2013] Use sequential rigidity of CHSH [RUV] to transform device-uniform input to adversary-uniform output
233 Implication of E.L.: Unbounded Expansion using 2 devices and any sub-protocol
234 Implication of E.L.: Unbounded Expansion using 2 devices and any sub-protocol X2,X4, X2N X1,X3,X5, X2N+1 X0 Y2N+1 D0 Y0,Y2,Y4, Y2N D1 Y1,Y3,Y5, Y2N-1
235 Implication of E.L.: Unbounded Expansion using 2 devices and any sub-protocol X2,X4, X2N X1,X3,X5, X2N+1 X0 Y2N+1 D0 D1! Y0,Y2,Y4, Y2N Y1,Y3,Y5, Y2N-1! Each output is random to the other device, ensuring next output is globally random by E.L. Any expansion protocol can be used: Vazirani-Vidick (not robust) Miller-Shi (robust)
236 Put together MS and CSW many devices Adversary 2 devices k min-entropy CSW Θ(k)-bit local randomness MS for unbounded expansion N-bit exp(-k c )- close to uniform
237 Put together MS and CSW many devices Adversary 2 devices k min-entropy CSW Robust unbounded expansion from an arbitrary min-entropy source Θ(k)-bit local randomness MS for unbounded expansion N-bit exp(-k c )- close to uniform
238 Put together MS and CSW many devices Adversary 2 devices k min-entropy CSW Robust unbounded expansion from an arbitrary min-entropy source Θ(k)-bit local randomness MS for unbounded expansion Based on an arbitrary strong self-test N-bit exp(-k c )- close to uniform
239 Untrusted Device Key Distribution [Vazirani, Vidick 2013], [Miller, Shi 2014] Adversary public channel Alice X Bob Y Y
240 Untrusted Device Key Distribution [Vazirani, Vidick 2013], [Miller, Shi 2014] Adversary public channel Alice X Bob Coordinate through public channel Y Y
241 Untrusted Device Key Distribution [Vazirani, Vidick 2013], [Miller, Shi 2014] Adversary public channel Alice X Bob Coordinate through public channel Not a problem by Equivalence Lemma Y Y
242 Untrusted Device Key Distribution [Vazirani, Vidick 2013], [Miller, Shi 2014] Adversary public channel Alice X Bob Coordinate through public channel Not a problem by Equivalence Lemma Leakage due to classical post-processing Y Y
243 Untrusted Device Key Distribution [Vazirani, Vidick 2013], [Miller, Shi 2014] Adversary public channel Alice X Bob Coordinate through public channel Not a problem by Equivalence Lemma Leakage due to classical post-processing Miller-Shi Y Y
244 Untrusted Device Key Distribution [Vazirani, Vidick 2013], [Miller, Shi 2014] Adversary public channel Alice X Bob Coordinate through public channel Not a problem by Equivalence Lemma Leakage due to classical post-processing Miller-Shi expansion at the same time Y Y
245 Untrusted Device Key Distribution [Vazirani, Vidick 2013], [Miller, Shi 2014] Adversary public channel Alice X Bob Coordinate through public channel Not a problem by Equivalence Lemma Leakage due to classical post-processing Miller-Shi expansion at the same time Any strong self-test Y Y
246
247 Conclusions
248 Conclusions
249 Conclusions We may not want to trust quantum devices
250 Conclusions We may not want to trust quantum devices Yet we can still make them work their magic
251 Conclusions We may not want to trust quantum devices Yet we can still make them work their magic Many fundamental questions remain open
252 Open Problems on robust self-testing x y x1 y1 A a B b a1 x2 A B b1 y2 a2 x3 a3 xn an A A A B B B b2 y3 b3 yn bn time
253 Open Problems on robust self-testing x y x1 y1 A a B b a1 x2 A B b1 y2 A B Characterize all (robust) selftesting non-local games a2 x3 b2 y3 time A B a3 xn b3 yn A B an bn
254 Open Problems on robust self-testing x y x1 y1 A a B b a1 x2 A B b1 y2 A B Characterize all (robust) selftesting non-local games going beyond binary XOR games and graph states a2 x3 a3 xn A B b2 y3 b3 yn time A B an bn
255 Open Problems on robust self-testing x y x1 y1 A a B b a1 x2 A B b1 y2 A B Characterize all (robust) selftesting non-local games going beyond binary XOR games and graph states Characterize all sequentially self-testing games a2 x3 a3 xn an A A B B b2 y3 b3 yn bn time
256 Open Problems on untrusted device q. computation B A Randomized classical Verifier
257 Open Problems on untrusted device q. computation B A Robustness Randomized classical Verifier
258 Open Problems on untrusted device q. computation B A Robustness Quantum memory Randomized classical Verifier
259 Open Problems on untrusted device q. computation B A Robustness Quantum memory Broader class of games Randomized classical Verifier
260 Perfect Untrusted-Device Extractor?
261 Perfect Untrusted-Device Extractor? Is there a untrusted device protocol achieving the following simultaneously?
262 Perfect Untrusted-Device Extractor? Is there a untrusted device protocol achieving the following simultaneously? Classical source: arbitrary min-entropy source
263 Perfect Untrusted-Device Extractor? Is there a untrusted device protocol achieving the following simultaneously? Classical source: arbitrary min-entropy source Device (honest):
264 Perfect Untrusted-Device Extractor? Is there a untrusted device protocol achieving the following simultaneously? Classical source: arbitrary min-entropy source Device (honest): Single (multi-part) device
265 Perfect Untrusted-Device Extractor? Is there a untrusted device protocol achieving the following simultaneously? Classical source: arbitrary min-entropy source Device (honest): Single (multi-part) device Robust
266 Perfect Untrusted-Device Extractor? Is there a untrusted device protocol achieving the following simultaneously? Classical source: arbitrary min-entropy source Device (honest): Single (multi-part) device Robust Constant quantum memory
267 Perfect Untrusted-Device Extractor? Is there a untrusted device protocol achieving the following simultaneously? Classical source: arbitrary min-entropy source Device (honest): Single (multi-part) device Robust Constant quantum memory Output:
268 Perfect Untrusted-Device Extractor? Is there a untrusted device protocol achieving the following simultaneously? Classical source: arbitrary min-entropy source Device (honest): Single (multi-part) device Robust Constant quantum memory Output: Exponential expanding (or even more?)
269 Perfect Untrusted-Device Extractor? Is there a untrusted device protocol achieving the following simultaneously? Classical source: arbitrary min-entropy source Device (honest): Single (multi-part) device Robust Constant quantum memory Output: Exponential expanding (or even more?) Quantum crypto security
270 Other open problems in untrusted-device extractors
271 Other open problems in untrusted-device extractors Parameter limits and tradeoffs in seeded extraction
272 Other open problems in untrusted-device extractors Parameter limits and tradeoffs in seeded extraction output length in terms of entanglement
273 Other open problems in untrusted-device extractors Parameter limits and tradeoffs in seeded extraction output length in terms of entanglement maximum output length for a fixed number of devices
274 Other open problems in untrusted-device extractors Parameter limits and tradeoffs in seeded extraction output length in terms of entanglement maximum output length for a fixed number of devices Security proof based only on non-signaling (local changes will not affect other systems local behavior)
275 Physical Extractors: a new paradigm for randomness extraction Min-entropy sources deterministic physical sources Near uniform bits Allow physical sources Base security of the validity of physical theory Any different systems?
Robust protocols for securely expanding randomness and distributing keys using untrusted quantum devices
Robust protocols for securely expanding randomness and distributing keys using untrusted quantum devices Carl A. Miller and Yaoyun Shi Department of Electrical Engineering and Computer Science University
More informationRobust protocols for securely expanding randomness and distributing keys using untrusted quantum devices
Robust protocols for securely expanding randomness and distributing keys using untrusted quantum devices Carl A. Miller and Yaoyun Shi Department of Electrical Engineering and Computer Science University
More informationTrustworthy Quantum Information. Yaoyun Shi University of Michigan
Trustworthy Quantum Information Yaoyun Shi University of Michigan QI 2.0 QI 2.0 Some hairy questions QI 1.0: using trusted q. device QI 2.0: using untrusted q. device The device(s) prove to you their trustworthiness
More informationDevice Independent Randomness Extraction for Arbitrarily Weak Min-Entropy Source
Device Independent Randomness Extraction for Arbitrarily Weak Min-Entropy Source Jan Bouda, Marcin Paw lowski, Matej Pivoluska, Martin Plesch 6.6.2014 J. B., M. P. 3 DI Extraction from min-entropy sources
More informationEntropy Accumulation in Device-independent Protocols
Entropy Accumulation in Device-independent Protocols QIP17 Seattle January 19, 2017 arxiv: 1607.01796 & 1607.01797 Rotem Arnon-Friedman, Frédéric Dupuis, Omar Fawzi, Renato Renner, & Thomas Vidick Outline
More informationPhysical Randomness Extractors: Generating Random Numbers with Minimal Assumptions
Physical Randomness Extractors: Generating Random Numbers with Minimal Assumptions Kai-Min Chung Yaoyun Shi Xiaodi Wu Abstract How to generate provably true randomness with minimal assumptions? This question
More informationUniversal security for randomness expansion
Universal security for randomness expansion Carl A. Miller and Yaoyun Shi Department of Electrical Engineering and Computer Science University of Michigan, Ann Arbor, MI 48109, USA carlmi,shiyy@umich.edu
More informationTutorial: Device-independent random number generation. Roger Colbeck University of York
Tutorial: Device-independent random number generation Roger Colbeck University of York Outline Brief motivation of random number generation Discuss what we mean by a random number Discuss some ways of
More informationXXXX Robust Protocols for Securely Expanding Randomness and Distributing Keys Using Untrusted Quantum Devices
XXXX Robust Protocols for Securely Expanding Randomness and Distributing Keys Using Untrusted Quantum Devices CARL A. MILLER, University of Michigan YAOYUN SHI, University of Michigan Randomness is a vital
More informationDevice-independent Quantum Key Distribution and Randomness Generation. Stefano Pironio Université Libre de Bruxelles
Device-independent Quantum Key Distribution and Randomness Generation Stefano Pironio Université Libre de Bruxelles Tropical QKD, Waterloo, June 14-17, 2010 Device-independent security proofs establish
More informationChallenges in Quantum Information Science. Umesh V. Vazirani U. C. Berkeley
Challenges in Quantum Information Science Umesh V. Vazirani U. C. Berkeley 1 st quantum revolution - Understanding physical world: periodic table, chemical reactions electronic wavefunctions underlying
More informationRandomness in nonlocal games between mistrustful players
Randomness in nonlocal games between mistrustful players Carl A. Miller and Yaoyun Shi* Source paper: Forcing classical behavior for quantum players by C. Miller and Y. Shi (2016), attached. One of the
More informationQuantum Cryptography
Quantum Cryptography Christian Schaffner Research Center for Quantum Software Institute for Logic, Language and Computation (ILLC) University of Amsterdam Centrum Wiskunde & Informatica Winter 17 QuantumDay@Portland
More informationQuantum Supremacy and its Applications
Quantum Supremacy and its Applications HELLO HILBERT SPACE Scott Aaronson (University of Texas, Austin) Simons Institute, Berkeley, June 12, 2018 Based on joint work with Lijie Chen (CCC 2017, arxiv: 1612.05903)
More informationSome limits on non-local randomness expansion
Some limits on non-local randomness expansion Matt Coudron and Henry Yuen December 12, 2012 1 Introduction God does not play dice. Albert Einstein Einstein, stop telling God what to do. Niels Bohr One
More informationQuantum Supremacy and its Applications
Quantum Supremacy and its Applications HELLO HILBERT SPACE Scott Aaronson (University of Texas at Austin) USC, October 11, 2018 Based on joint work with Lijie Chen (CCC 2017, arxiv:1612.05903) and on forthcoming
More informationBit-Commitment and Coin Flipping in a Device-Independent Setting
Bit-Commitment and Coin Flipping in a Device-Independent Setting J. Silman Université Libre de Bruxelles Joint work with: A. Chailloux & I. Kerenidis (LIAFA), N. Aharon (TAU), S. Pironio & S. Massar (ULB).
More informationClassical Verification of Quantum Computations
Classical Verification of Quantum Computations Urmila Mahadev UC Berkeley September 12, 2018 Classical versus Quantum Computers Can a classical computer verify a quantum computation? Classical output (decision
More informationQuantum Information Transfer and Processing Miloslav Dušek
Quantum Information Transfer and Processing Miloslav Dušek Department of Optics, Faculty of Science Palacký University, Olomouc Quantum theory Quantum theory At the beginning of 20 th century about the
More informationMore Randomness From Noisy Sources
More Randomness From Noisy Sources Jean-Daniel Bancal and Valerio Scarani,2 Centre for Quantum Technologies, National University of Singapore 3 Science Drive 2, Singapore 7543 2 Department of Physics,
More informationQuantum Technology: Challenges and Opportunities for Cyber Security. Yaoyun Shi University of Michigan
Quantum Technology: Challenges and Opportunities for Cyber Security Yaoyun Shi University of Michigan The Alien Monsters Are Coming! Written by Yaoyun Shi Illustrated by Oriana Shi Ultimatum to Earthlings
More informationRound-Efficient Multi-party Computation with a Dishonest Majority
Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party
More informationQuantum Key Distribution. The Starting Point
Quantum Key Distribution Norbert Lütkenhaus The Starting Point Quantum Mechanics allows Quantum Key Distribution, which can create an unlimited amount of secret key using -a quantum channel -an authenticated
More informationZero-Knowledge Against Quantum Attacks
Zero-Knowledge Against Quantum Attacks John Watrous Department of Computer Science University of Calgary January 16, 2006 John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP
More informationAn Introduction to Quantum Information and Applications
An Introduction to Quantum Information and Applications Iordanis Kerenidis CNRS LIAFA-Univ Paris-Diderot Quantum information and computation Quantum information and computation How is information encoded
More informationCryptography in a quantum world
T School of Informatics, University of Edinburgh 25th October 2016 E H U N I V E R S I T Y O H F R G E D I N B U Outline What is quantum computation Why should we care if quantum computers are constructed?
More informationTutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction
Tutorial on Quantum Computing Vwani P. Roychowdhury Lecture 1: Introduction 1 & ) &! # Fundamentals Qubits A single qubit is a two state system, such as a two level atom we denote two orthogonal states
More informationUnconditionally secure deviceindependent
Unconditionally secure deviceindependent quantum key distribution with only two devices Roger Colbeck (ETH Zurich) Based on joint work with Jon Barrett and Adrian Kent Physical Review A 86, 062326 (2012)
More informationFree randomness can be amplified
Free randomness can be amplified Colbeck and Renner June 18, 2013 arxiv Abstract Are there fundamentally random processes in nature? Theoretical predictions, confirmed experimentally, such as the violation
More informationOverlapping qubits. Parallel self-testing of (tilted) EPR pairs via copies of (tilted) CHSH. The parallel-repeated magic square game is rigid
Rui Chao USC Ben W. Reichardt USC Overlapping qubits Chris Sutherland USC Thomas Vidick Caltech arxiv 1701.01062 Parallel self-testing of (tilted) EPR pairs via copies of (tilted) CHSH Andrea W. Coladangelo
More informationDevice-Independent Quantum Information Processing
Device-Independent Quantum Information Processing Antonio Acín ICREA Professor at ICFO-Institut de Ciencies Fotoniques, Barcelona Chist-Era kick-off seminar, March 2012, Warsaw, Poland Quantum Information
More informationSecure Identification and QKD in the Bounded-Quantum-Storage Model
Secure Identification and QKD in the Bounded-Quantum-Storage Model Ivan B. Damgård 1, Serge Fehr 2, Louis Salvail 1, and Christian Schaffner 2 1 BRICS, FICS, Aarhus University, Denmark {ivan salvail}@brics.dk
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationClassical Verification of Quantum Computations
2018 IEEE 59th Annual Symposium on Foundations of Computer Science Classical Verification of Quantum Computations Urmila Mahadev Department of Computer Science, UC Berkeley mahadev@berkeley.edu Abstract
More informationarxiv: v1 [quant-ph] 21 Aug 2013
Robust Device Independent Randomness Amplification arxiv:308.4635v [quant-ph] Aug 03 Ravishankar Ramanathan,, Fernando G. S. L. Brandão, 3 Andrzej Grudka, 4 Karol Horodecki,, 5 Michał Horodecki,, and Paweł
More informationA semi-device-independent framework based on natural physical assumptions
AQIS 2017 4-8 September 2017 A semi-device-independent framework based on natural physical assumptions and its application to random number generation T. Van Himbeeck, E. Woodhead, N. Cerf, R. García-Patrón,
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationExplicit bounds on the entangled value of multiplayer XOR games. Joint work with Thomas Vidick (MIT)
Explicit bounds on the entangled value of multiplayer XOR games Jop Briët Joint work with Thomas Vidick (MIT) Waterloo, 2012 Entanglement and nonlocal correlations [Bell64] Measurements on entangled quantum
More information5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes
5th March 2004 Unconditional Security of Quantum Key Distribution With Practical Devices Hermen Jan Hupkes The setting Alice wants to send a message to Bob. Channel is dangerous and vulnerable to attack.
More informationDevice-Independent Quantum Information Processing (DIQIP)
Device-Independent Quantum Information Processing (DIQIP) Maciej Demianowicz ICFO-Institut de Ciencies Fotoniques, Barcelona (Spain) Coordinator of the project: Antonio Acín (ICFO, ICREA professor) meeting,
More informationIntroduction to Quantum Key Distribution
Fakultät für Physik Ludwig-Maximilians-Universität München January 2010 Overview Introduction Security Proof Introduction What is information? A mathematical concept describing knowledge. Basic unit is
More informationLecture 20: Bell inequalities and nonlocality
CPSC 59/69: Quantum Computation John Watrous, University of Calgary Lecture 0: Bell inequalities and nonlocality April 4, 006 So far in the course we have considered uses for quantum information in the
More informationQuantum Cryptography. Chris1an Schaffner. Research Center for Quantum So8ware
Quantum Cryptography Chris1an Schaffner Research Center for Quantum So8ware Ins1tute for Logic, Language and Computa1on (ILLC) University of Amsterdam Centrum Wiskunde & Informa1ca Physics@FOM, Veldhoven
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationEntanglement and information
Ph95a lecture notes for 0/29/0 Entanglement and information Lately we ve spent a lot of time examining properties of entangled states such as ab è 2 0 a b è Ý a 0 b è. We have learned that they exhibit
More informationSecurity of Quantum Key Distribution with Imperfect Devices
Security of Quantum Key Distribution with Imperfect Devices Hoi-Kwong Lo Dept. of Electrical & Comp. Engineering (ECE); & Dept. of Physics University of Toronto Email:hklo@comm.utoronto.ca URL: http://www.comm.utoronto.ca/~hklo
More informationCyber Security in the Quantum Era
T Computer Security Guest Lecture University of Edinburgh 27th November 2017 E H U N I V E R S I T Y O H F R G E D I N B U Outline Quantum Computers: Is it a threat to Cyber Security? Why should we act
More informationPhysics is becoming too difficult for physicists. David Hilbert (mathematician)
Physics is becoming too difficult for physicists. David Hilbert (mathematician) Simple Harmonic Oscillator Credit: R. Nave (HyperPhysics) Particle 2 X 2-Particle wave functions 2 Particles, each moving
More informationUnconditional Security of the Bennett 1992 quantum key-distribution protocol over a lossy and noisy channel
Unconditional Security of the Bennett 1992 quantum key-distribution protocol over a lossy and noisy channel Kiyoshi Tamaki *Perimeter Institute for Theoretical Physics Collaboration with Masato Koashi
More informationWhat are we talking about when we talk about post-quantum cryptography?
PQC Asia Forum Seoul, 2016 What are we talking about when we talk about post-quantum cryptography? Fang Song Portland State University PQC Asia Forum Seoul, 2016 A personal view on postquantum cryptography
More informationQuantum Pseudo-Telepathy
Quantum Pseudo-Telepathy Michail Lampis mlambis@softlab.ntua.gr NTUA Quantum Pseudo-Telepathy p.1/24 Introduction In Multi-Party computations we are interested in measuring communication complexity. Communication
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationDirect product theorem for discrepancy
Direct product theorem for discrepancy Troy Lee Rutgers University Adi Shraibman Weizmann Institute of Science Robert Špalek Google Direct product theorems: Why is Google interested? Direct product theorems:
More informationCS/Ph120 Homework 8 Solutions
CS/Ph0 Homework 8 Solutions December, 06 Problem : Thinking adversarially. Solution: (Due to De Huang) Attack to portocol : Assume that Eve has a quantum machine that can store arbitrary amount of quantum
More informationEntanglement. arnoldzwicky.org. Presented by: Joseph Chapman. Created by: Gina Lorenz with adapted PHYS403 content from Paul Kwiat, Brad Christensen
Entanglement arnoldzwicky.org Presented by: Joseph Chapman. Created by: Gina Lorenz with adapted PHYS403 content from Paul Kwiat, Brad Christensen PHYS403, July 26, 2017 Entanglement A quantum object can
More informationFully device independent quantum key distribution
Fully device independent quantum key distribution Umesh Vazirani Thomas Vidick Abstract We give the first device-independent proof of security of a protocol for quantum key distribution that guarantees
More informationQuantum Error Correcting Codes and Quantum Cryptography. Peter Shor M.I.T. Cambridge, MA 02139
Quantum Error Correcting Codes and Quantum Cryptography Peter Shor M.I.T. Cambridge, MA 02139 1 We start out with two processes which are fundamentally quantum: superdense coding and teleportation. Superdense
More informationNonlocal Quantum XOR Games for Large Number of Players
onlocal Quantum XOR Games for Large umber of Players Andris Ambainis, Dmitry Kravchenko, ikolajs ahimovs, Alexander Rivosh Faculty of Computing, University of Latvia Abstract onlocal games are used to
More informationLecture 15: Privacy Amplification against Active Attackers
Randomness in Cryptography April 25, 2013 Lecture 15: Privacy Amplification against Active Attackers Lecturer: Yevgeniy Dodis Scribe: Travis Mayberry 1 Last Time Previously we showed that we could construct
More informationPractical Quantum Coin Flipping
Practical Quantum Coin Flipping Anna Pappa, 1, André Chaillloux, 2, Eleni Diamanti, 1, and Iordanis Kerenidis 2, 1 LTCI, CNRS - Télécom ParisTech, Paris, France 2 LIAFA, CNRS - Université Paris 7, Paris,
More informationPractical quantum-key. key- distribution post-processing
Practical quantum-key key- distribution post-processing processing Xiongfeng Ma 马雄峰 IQC, University of Waterloo Chi-Hang Fred Fung, Jean-Christian Boileau, Hoi Fung Chau arxiv:0904.1994 Hoi-Kwong Lo, Norbert
More informationDevice-independent quantum information. Valerio Scarani Centre for Quantum Technologies National University of Singapore
Device-independent quantum information Valerio Scarani Centre for Quantum Technologies National University of Singapore Looking for post-doc Commitment to fairness: in case of otherwise equally competent
More informationQuantum Cryptography. Areas for Discussion. Quantum Cryptography. Photons. Photons. Photons. MSc Distributed Systems and Security
Areas for Discussion Joseph Spring Department of Computer Science MSc Distributed Systems and Security Introduction Photons Quantum Key Distribution Protocols BB84 A 4 state QKD Protocol B9 A state QKD
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationNotes on Complexity Theory Last updated: November, Lecture 10
Notes on Complexity Theory Last updated: November, 2015 Lecture 10 Notes by Jonathan Katz, lightly edited by Dov Gordon. 1 Randomized Time Complexity 1.1 How Large is BPP? We know that P ZPP = RP corp
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationStream Computation and Arthur- Merlin Communication
Stream Computation and Arthur- Merlin Communication Justin Thaler, Yahoo! Labs Joint Work with: Amit Chakrabarti, Dartmouth Graham Cormode, University of Warwick Andrew McGregor, Umass Amherst Suresh Venkatasubramanian,
More informationLecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics
0368.4162: Introduction to Cryptography Ran Canetti Lecture 11 12th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics Introduction to cryptographic protocols Commitments 1 Cryptographic
More information: Cryptography and Game Theory Ran Canetti and Alon Rosen. Lecture 8
0368.4170: Cryptography and Game Theory Ran Canetti and Alon Rosen Lecture 8 December 9, 2009 Scribe: Naama Ben-Aroya Last Week 2 player zero-sum games (min-max) Mixed NE (existence, complexity) ɛ-ne Correlated
More informationBeginnings... Computers might as well be made of green cheese. It is no longer safe to assume this! The first axiom I learnt in Computer Science:
Beginnings... The first axiom I learnt in Computer Science: Computers might as well be made of green cheese It is no longer safe to assume this! (Department of Computer Science, Quantum Universitycomputation:
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationHigh Fidelity to Low Weight. Daniel Gottesman Perimeter Institute
High Fidelity to Low Weight Daniel Gottesman Perimeter Institute A Word From Our Sponsor... Quant-ph/0212066, Security of quantum key distribution with imperfect devices, D.G., H.-K. Lo, N. Lutkenhaus,
More informationVerification of quantum computation
Verification of quantum computation THOMAS VIDICK CALIFORNIA INSTITUTE OF TECHNOLOGY Slides: http://users.cms.caltech.edu/~vidick/verification.{ppsx,pdf} 1. Problem formulation 2. Overview of existing
More informationQuantum Communication
Quantum Communication Harry Buhrman CWI & University of Amsterdam Physics and Computing Computing is physical Miniaturization quantum effects Quantum Computers ) Enables continuing miniaturization ) Fundamentally
More informationCut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings
Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings Yehuda Lindell Bar-Ilan University, Israel Technion Cryptoday 2014 Yehuda Lindell Online/Offline and Batch Yao 30/12/2014
More informationPrivacy Amplification in the Isolated Qubits Model
Privacy Amplification in the Isolated Qubits Model Yi-Kai Liu Applied and Computational Mathematics Division National Institute of Standards and Technology Gaithersburg, MD, USA yi-kai.liu@nist.gov Abstract.
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationA Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness
A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness Gilad Asharov Yehuda Lindell Tal Rabin February 25, 2013 Abstract It is well known that it is impossible
More information1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds
1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More information10. Physics from Quantum Information. I. The Clifton-Bub-Halvorson (CBH) Theorem.
10. Physics from Quantum Information. I. The Clifton-Bub-Halvorson (CBH) Theorem. Clifton, Bub, Halvorson (2003) Motivation: Can quantum physics be reduced to information-theoretic principles? CBH Theorem:
More informationLecture 11 September 30, 2015
PHYS 7895: Quantum Information Theory Fall 015 Lecture 11 September 30, 015 Prof. Mark M. Wilde Scribe: Mark M. Wilde This document is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike
More informationLecture 3: Randomness in Computation
Great Ideas in Theoretical Computer Science Summer 2013 Lecture 3: Randomness in Computation Lecturer: Kurt Mehlhorn & He Sun Randomness is one of basic resources and appears everywhere. In computer science,
More informationTHE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY
THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical
More informationLecture 38: Secure Multi-party Computation MPC
Lecture 38: Secure Multi-party Computation Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party
More informationCryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1
Cryptography CS 555 Topic 25: Quantum Crpytography CS555 Topic 25 1 Outline and Readings Outline: What is Identity Based Encryption Quantum cryptography Readings: CS555 Topic 25 2 Identity Based Encryption
More informationTransmitting and Hiding Quantum Information
2018/12/20 @ 4th KIAS WORKSHOP on Quantum Information and Thermodynamics Transmitting and Hiding Quantum Information Seung-Woo Lee Quantum Universe Center Korea Institute for Advanced Study (KIAS) Contents
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More information6.896 Quantum Complexity Theory November 4th, Lecture 18
6.896 Quantum Complexity Theory November 4th, 2008 Lecturer: Scott Aaronson Lecture 18 1 Last Time: Quantum Interactive Proofs 1.1 IP = PSPACE QIP = QIP(3) EXP The first result is interesting, because
More informationExperimentally Generated Random Numbers Certified by the Impossibility of Superluminal Signaling
Experimentally Generated Random Numbers Certified by the Impossibility of Superluminal Signaling Peter Bierhorst, Lynden K. Shalm, Alan Mink, Stephen Jordan, Yi-Kai Liu, Scott Glancy, Bradley Christensen,
More information1 Recap: Interactive Proofs
Theoretical Foundations of Cryptography Lecture 16 Georgia Tech, Spring 2010 Zero-Knowledge Proofs 1 Recap: Interactive Proofs Instructor: Chris Peikert Scribe: Alessio Guerrieri Definition 1.1. An interactive
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 10 Lecture date: 14 and 16 of March, 2005 Scribe: Ruzan Shahinian, Tim Hu 1 Oblivious Transfer 1.1 Rabin Oblivious Transfer
More informationThe Future. Currently state of the art chips have gates of length 35 nanometers.
Quantum Computing Moore s Law The Future Currently state of the art chips have gates of length 35 nanometers. The Future Currently state of the art chips have gates of length 35 nanometers. When gate lengths
More informationAdriaan van Wijngaarden
Adriaan van Wijngaarden From his Wikipedia article: His education was in mechanical engineering, for which he received a degree from Delft University of Technology in 1939. He then studied for a doctorate
More information6.896 Quantum Complexity Theory 30 October Lecture 17
6.896 Quantum Complexity Theory 30 October 2008 Lecturer: Scott Aaronson Lecture 17 Last time, on America s Most Wanted Complexity Classes: 1. QMA vs. QCMA; QMA(2). 2. IP: Class of languages L {0, 1} for
More informationInaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions
Columbia University - Crypto Reading Group Apr 27, 2011 Inaccessible Entropy and its Applications Igor Carboni Oliveira We summarize the constructions of PRGs from OWFs discussed so far and introduce the
More informationSharing and verifying quantum informa3on with differing degrees of trust
Sharing and verifying quantum informa3on with differing degrees of trust Damian Markham Paris Centre for Quantum Compu3ng pcqc.fr Basics Measurements Random State ϕ Projector P r for result Proabibity
More informationQuantum Communication. Serge Massar Université Libre de Bruxelles
Quantum Communication Serge Massar Université Libre de Bruxelles Plan Why Quantum Communication? Prepare and Measure schemes QKD Using Entanglement Teleportation Communication Complexity And now what?
More informationQuantum Information Theory and Cryptography
Quantum Information Theory and Cryptography John Smolin, IBM Research IPAM Information Theory A Mathematical Theory of Communication, C.E. Shannon, 1948 Lies at the intersection of Electrical Engineering,
More information