Unconditionally secure deviceindependent

Similar documents
Tutorial: Device-independent random number generation. Roger Colbeck University of York

Entropy Accumulation in Device-independent Protocols

Cryptography in a quantum world

Bit-Commitment and Coin Flipping in a Device-Independent Setting

Trustworthiness of detectors in quantum key distribution with untrusted detectors

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Quantum key distribution for the lazy and careless

Practical Quantum Coin Flipping

High Fidelity to Low Weight. Daniel Gottesman Perimeter Institute

Unconditional Security of the Bennett 1992 quantum key-distribution protocol over a lossy and noisy channel

Security of Quantum Key Distribution with Imperfect Devices

5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes

Introduction to Quantum Key Distribution

Device-independent Quantum Key Distribution and Randomness Generation. Stefano Pironio Université Libre de Bruxelles

Quantum Error Correcting Codes and Quantum Cryptography. Peter Shor M.I.T. Cambridge, MA 02139

Introduction to Quantum Cryptography

An Introduction. Dr Nick Papanikolaou. Seminar on The Future of Cryptography The British Computer Society 17 September 2009

Ping Pong Protocol & Auto-compensation

Entanglement and information

Device-independent quantum information. Valerio Scarani Centre for Quantum Technologies National University of Singapore

Practical Quantum Coin Flipping

Security Implications of Quantum Technologies

Quantum Key Distribution. The Starting Point

Device Independent Randomness Extraction for Arbitrarily Weak Min-Entropy Source

Quantum Information Transfer and Processing Miloslav Dušek

A Genetic Algorithm to Analyze the Security of Quantum Cryptographic Protocols

CPSC 467b: Cryptography and Computer Security

arxiv: v7 [quant-ph] 20 Mar 2017

PERFECTLY secure key agreement has been studied recently

Practical quantum-key. key- distribution post-processing

An Introduction to Quantum Information and Applications

Secret-Key Agreement over Unauthenticated Public Channels Part I: Definitions and a Completeness Result

Secure Quantum Signatures Using Insecure Quantum Channels

arxiv:quant-ph/ v1 13 Mar 2007

High rate quantum cryptography with untrusted relay: Theory and experiment

+ = OTP + QKD = QC. ψ = a. OTP One-Time Pad QKD Quantum Key Distribution QC Quantum Cryptography. θ = 135 o state 1

Other Topics in Quantum Information

Fully device independent quantum key distribution

Untrusted quantum devices. Yaoyun Shi University of Michigan updated Feb. 1, 2014

Lecture 3,4: Multiparty Computation

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Quantum Cryptography

Quantum Cryptography. Areas for Discussion. Quantum Cryptography. Photons. Photons. Photons. MSc Distributed Systems and Security

Challenges in Quantum Information Science. Umesh V. Vazirani U. C. Berkeley

1 Secure two-party computation

10 - February, 2010 Jordan Myronuk

Device-Independent Quantum Information Processing (DIQIP)

Asymptotic Analysis of a Three State Quantum Cryptographic Protocol

Cryptography and Security Final Exam

A semi-device-independent framework based on natural physical assumptions

Randomness in nonlocal games between mistrustful players

Lecture 15: Privacy Amplification against Active Attackers

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

An Introduction to Quantum Information. By Aditya Jain. Under the Guidance of Dr. Guruprasad Kar PAMU, ISI Kolkata

Introduction to Cryptography Lecture 13

Secure Multi-Party Computation. Lecture 17 GMW & BGW Protocols

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

More Randomness From Noisy Sources

arxiv: v2 [quant-ph] 22 Sep 2008

Advanced Cryptography Quantum Algorithms Christophe Petit

John Preskill, Caltech Biedenharn Lecture 2 8 September The security of quantum cryptography

9. Distance measures. 9.1 Classical information measures. Head Tail. How similar/close are two probability distributions? Trace distance.

Device-Independent Quantum Information Processing

Universal Single Server Blind Quantum Computation Revisited

Quantum Cryptography. Marshall Roth March 9, 2007

arxiv: v1 [quant-ph] 21 Aug 2013

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Robust protocols for securely expanding randomness and distributing keys using untrusted quantum devices

Asymmetric Communication Complexity and Data Structure Lower Bounds

Lecture: Quantum Information

Quantum Technologies for Cryptography

Lecture 14, Thurs March 2: Nonlocal Games

Error-Tolerant Combiners for Oblivious Primitives

Ph 219/CS 219. Exercises Due: Friday 3 November 2006

Quantum Cryptography

Free randomness can be amplified

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Gravitational Attacks on Relativistic Quantum Cryptography

Trustworthy Quantum Information. Yaoyun Shi University of Michigan

Attacks against a Simplified Experimentally Feasible Semiquantum Key Distribution Protocol

Error Reconciliation in QKD. Distribution

Edinburgh Research Explorer

arxiv:quant-ph/ v1 13 Jan 2003

Applications of Quantum Key Distribution (QKD)

Realization of B92 QKD protocol using id3100 Clavis 2 system

A. Quantum Key Distribution

Lecture 1: Introduction to Public key cryptography

Quantum key distribution with 2-bit quantum codes

Quantum Communication. Serge Massar Université Libre de Bruxelles

arxiv: v1 [quant-ph] 3 Jul 2018

On Achieving the Best of Both Worlds in Secure Multiparty Computation

Fundamental Security Issues in Continuous Variable Quantum Key Distribution

Lecture 22: RSA Encryption. RSA Encryption

Quantum Noise. Michael A. Nielsen. University of Queensland

Cryptography and Security Final Exam

Security of Device-Independent Quantum Key Distribution Protocols

Optimal quantum strong coin flipping

arxiv: v2 [quant-ph] 2 Apr 2014

Fundamental rate-loss tradeoff for optical quantum key distribution

University of Bristol - Explore Bristol Research. Peer reviewed version. Link to published version (if available): /PhysRevA.93.

Transcription:

Unconditionally secure deviceindependent quantum key distribution with only two devices Roger Colbeck (ETH Zurich) Based on joint work with Jon Barrett and Adrian Kent Physical Review A 86, 062326 (2012)

Outline Motivation for device-independence Brief History Recent developments Main result Remaining problems and open questions

Two sides of cryptography Theoretical Start with clean, welldefined assumptions and try to prove security based on these. Practical Try to build devices that satisfy the theoretical assumptions as closely as possible.

Two sides of cryptography Theoretical Start with clean, welldefined assumptions and try to prove security based on these. Practical Try to build devices that satisfy the theoretical assumptions as closely as possible. e.g. have a device that emits single photons in a state of my choice and can perform arbitrary measurements with arbitrarily high fidelity.

Two sides of cryptography Theoretical Start with clean, welldefined assumptions and try to prove security based on these. e.g. have a device that emits single photons in a state of my choice and can perform arbitrary measurements with arbitrarily high fidelity. Practical Try to build devices that satisfy the theoretical assumptions as closely as possible. You must be joking What we can do is this

Two sides of cryptography Theoretical Start with clean, welldefined assumptions and try to prove security based on these. Hmm ok, I have to change my assumptions and work on my proof Practical Try to build devices that satisfy the theoretical assumptions as closely as possible. You must be joking What we can do is this

Things can go wrong Motivation E.g. Alice s device may start sending multiple states If the protocol doesn t check this, then it is quickly rendered insecure Attacks exploiting the difference between real devices and how they are modelled are relevant in practice e.g. Gerhardt et al. N. Comms 2 (2011)

Motivation Basing a proof on weaker assumptions makes it easier for a particular implementation to come closer to satisfying the assumptions. Motivates device-independence, in which one tries to prove security without making any assumptions about the workings of quantum devices. Idea first introduced in [Mayers-Yao FOCS 98] and significantly developed in [AGM PRL 97, 120405 (2006), Scarani et al. PRA 74, 042339 (2006), ]

Device-independence No trust at all in any quantum devices used for the protocol. With device-independence, it wouldn t matter if an adversary tampered with or substituted my devices: we would still have security. Clean, well-defined assumption Tests the devices during the protocol (if critical faults have developed, the protocol aborts)

Device-independence assumptions

Limitations of prior works Various protocols have been proven unconditionally secure with no trust on the devices, for example: BHK, PRL 95, 010503 (2005) Masanes et al., quant-ph/0606049 HR, arxiv:1009.1833 MPA, N. Comms. 2, 238 (2011) All have the weakness that the security proofs apply only with many separated devices

Recent developments 3 recent works show that this limitation can be removed (all at QIP13). Each uses a different technique to achieve security with only two devices.

Recent developments 3 recent works show that this limitation can be removed (all at QIP13). Each uses a different technique to achieve security with only two devices. X1 X2 Y1 Y2 A1 A2 Old proofs B1 B2

Recent developments 3 recent works show that this limitation can be removed (all at QIP13). Each uses a different technique to achieve security with only two devices. X1 X2 X3 Y1 Y2 Y3 A1 A2 A3 New proofs B1 B2 B3

Our technique In the spirit of minimizing assumptions, our protocol is secure against a non-signalling (not necessarily quantum) adversary. Design the protocol in such a way that the optimal eavesdropping attack is i.i.d. Exploit a set of super-strong quantum correlations Correlations are monogamous in nonsignalling sense.

Our technique Non-signalling monogamy: X Y A B P XY AB is the distribution from particular measurements on a maximally entangled state

Our technique Non-signalling monogamy: X Y Z A P XY AB is the distribution from particular measurements on a maximally entangled state B C P XYZ ABC non-signalling Uniform distribution on X P XZ ABC = P X P Z ABC

Our technique Non-signalling monogamy: X Y Z A P XY AB is the distribution from particular measurements on a maximally entangled state B C P XYZ ABC non-signalling Uniform distribution on X P XZ ABC = P X P Z ABC

Our technique On each round, Alice randomly decides whether to test the devices (high probability) or to generate key (low probability). test device, with setting B

Our technique On each round, Alice randomly decides whether to test the devices (high probability) or to generate key (low probability). I got outcome Y1 X1 Y1 Pass/fail A1 B1

Our technique If the test passes, the whole protocol repeats. We can strengthen Eve by giving the devices back to her before repeating the protocol Eventually, Alice will randomly choose to generate key, in which case, Alice and Bob both make measurements and take their outcomes to be key bits (Note that our protocol does not need privacy amplification).

Drawbacks of our protocol Inefficient and has low tolerance to noise (in contrast to previous talk) Although it allows device reuse within the same protocol, devices cannot be reused in future protocols If the same (untrusted) devices are reused in future protocols, this can compromise previously generated keys [BCK PRL 110, 010503 (2013)]

Device-reuse problem Consider a malicious device with memory and using it to generate a secure key X 1 X 2 X 3 Y 1 Y 2 Y 3 Public communication A 1 A 2 A 3 B 1 B 2 B 3 S = f(x 1, X 2, ) S = g(y 1, Y 2, )

Device-reuse problem Reuse it to generate second key X 1 X 2 X 3 Y 1 Y 2 Y 3 Public communication A 1 A 2 A 3 B 1 B 2 B 3 S = f (X 1, X 2, ) S = g (Y 1, Y 2, )

Device-reuse problem Device with memory can re-output previous bits via a pre-agreed strategy e.g. X 2 = X 15 X 1 X 2 X 3 Y 1 Y 2 Y 3 X 2 A 1 A 2 A 3 B 1 B 2 B 3 S = f (X 1, X 2, ) S = g (Y 1, Y 2, )

Device-reuse problem If a malicious device with memory is used to generate a secure key, it can leak data relevant to the first key and potentially compromise it This problem is present in all existing protocols

Open questions Prove security of a protocol that solves the problem of reusing untrusted devices in multiple protocols Need for new security notion Universal device-reuse (reuse of untrusted devices in an arbitrary future application) is not possible However, we think restricted device reuse is possible (reuse the devices only in certain ways) Are there efficient and noise tolerant protocols secure against non-signalling adversaries?

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback