Device Independent Randomness Extraction for Arbitrarily Weak Min-Entropy Source Jan Bouda, Marcin Paw lowski, Matej Pivoluska, Martin Plesch 6.6.2014 J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 1 / 20
Outline Motivation and Related Work. Ingredients. Our Protocol. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 2 / 20
Importance of Randomness Randomness is useful in: Gambling. Simulation and Computation. Cryptography. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 3 / 20
Importance of Randomness Randomness is useful in: Gambling. Simulation and Computation. Cryptography. Impact of imperfect randomness can be devastating: Attacks on RSA [Lenstra et. al. (2012)] Attacks on QKD[Bouda et. al. (2012), Huber and Paw lowski (2013)] J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 3 / 20
Randomness Production + Testing Pseudorandomness Classical Hardware Quantum Hardware Seed Initialization function Transformation function State PRNG Random bits J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 4 / 20
Randomness Production + Testing Pseudorandomness Classical Hardware Quantum Hardware J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 4 / 20
Randomness Production + Testing Pseudorandomness Classical Hardware Quantum Hardware J. B., M. P.3 DI Extraction from min-entropy sources 6.6.2014 4 / 20
Randomness Production + Testing Pseudorandomness Classical Hardware Quantum Hardware Statistical tests vs. Unpredictability Official certification J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 4 / 20
Device Independent Approach Challenge Untrusted Device Response Passed? Randomness Yes Challenges have to be random. Similarity to randomness extraction. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 5 / 20
Randomness Extraction Randomness extraction is a procedure to transform imperfect randomness into (close to) perfect randomness. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 6 / 20
Randomness Extraction Randomness extraction is a procedure to transform imperfect randomness into (close to) perfect randomness. Classical Extraction Additional Independent Randomness Imperfect Randomness Classical Extractor Uniform Randomness J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 6 / 20
Randomness Extraction Randomness extraction is a procedure to transform imperfect randomness into (close to) perfect randomness. Classical Extraction Additional Independent Randomness Quantum Extraction Additional Independent Randomness Imperfect Randomness Classical Extractor Imperfect Randomness Quantum Extractor Uniform Randomness Uniform Randomness J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 6 / 20
Related work Santha-Vazirani sources Colbeck and Renner (2012). Gallego et. al. (2013). Brandão et. al. (2013). Min-Entropy sources Chung, Shi, Wu (2014). This presentation. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 7 / 20
Quantum Device - GHZ test Quantum Extractor Quantum Device Quantum Device. Quantum Device x y z A B C a b c J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 8 / 20
Quantum Device - GHZ test Quantum Extractor Quantum Device Quantum Device. Quantum Device x y z A B C a b c Input xyz {111, 001, 010, 100}. Test if a b c = x y z. Classical strategies succeed with probability at most 3/4. Quantum strategy succeeds with probability 1 and produces perfect random bits. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 8 / 20
GHZ devices - rigidity (MP bound) Let inputs into D i be uniform. If D i wins GHZ game with probability p > f (ɛ) then bias of a m is at most ɛ. Function f (ɛ) obtained by SDP. 1 0,98 0,96 0,94 f( ) 0,92 0,9 0,88 0,86 0 0,05 0,1 0,15 0,2 0,25 0,3 0,35 0,4 0,45 0,5 J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 9 / 20
Weak Source of Randomness - Definition Source of randomness {X i } i N is (n, k) block source if X i is random variable with n bit output. It holds that x 1,, x i 1 {0, 1} n, e I(E), H (X i X i 1 = x i 1,, X 1 = x 1, E = e) k. H is min-entropy. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 10 / 20
Weak Source of Randomness - Definition Source of randomness {X i } i N is (n, k) block source if Notes: X i is random variable with n bit output. It holds that H is min-entropy. x 1,, x i 1 {0, 1} n, e I(E), H (X i X i 1 = x i 1,, X 1 = x 1, E = e) k. Classically cannot be extracted. For n = 1 Santha Vazirani (SV) source is recovered. For n > 1 cannot be transformed into SV source existing protocols do not work. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 10 / 20
Set of Hashing Functions {0, 1} n 00 01 h 1 11 10 h 2 Let h i : {0, 1} n {0, 1} 2. Let H = {h i } m i=1. For each subset S of {0, 1} n of size 4 there exists h i, such that h i (S) = {00, 01, 10, 11}. There is a construction of H with size polynomial in n. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 11 / 20
One Round of Protocol 1 We obtain the (weakly) random n bit string r i from an (n, 2) block source. 2 Into each device D i we input the 3 bit string inputs X i, Y i and Z i derived from h i (r i ) and obtain the outputs A i, B i and C i. 3 We verify whether for each device D i the condition Z i Y i Z i = A i B i C i holds. If this is not true, we abort the protocol. 4 We define the output bit of the protocol as b i = m j=1 A j. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 12 / 20
Protocol Scheme (n, 2) r i R X i D 1 D 2 D 3 D m A 1 A 2 A 3 Am b i J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 13 / 20
Single Round Analysis - The Flat Sources 1 0.5 0 010 001 000 011 100 101 110 111 (n, 2) flat source 4 elements of {0, 1} n with probability 1 4, others with probability 0. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 14 / 20
Single Round Analysis - The Flat Sources 1 0.5 0 010 001 000 011 100 101 110 111 Uniform Input (n, 2) flat source 4 elements of {0, 1} n with probability 1 4, others with probability 0. D 1 D 2 D 3 D m A 1 A 2 A 3 Am b i J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 14 / 20
Single Round Analysis - The Non-Flat Sources 1 0.5 0 010 001 000 011 100 101 110 111 = 1 1 0.5 2 ( )+ 0 010 001 000 011 100 101 110 111 1 1 0.5 2( ) 0 010 001 000 011 100 101 110 111 Any (n, 2) distribution d can be expressed as a convex combination of at most N = 2 n (n, 2) flat distributions d i. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 15 / 20
Single Round Analysis - The Non-Flat Sources II = 1 2 + 1 2 D 1 D 2 D 3 D m A 1 A 2 A 3 Am b i D 1 D 2 D 3 D m A 1 A 2 A 3 Am b i J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 16 / 20
Multiple Rounds Repeat the protocol l times. Output b = If b has bias greater than ɛ, each of b i has bias at least ɛ. To achieve bias ɛ adversary has to risk l times - success f (ɛ) l. For target parameters ɛ, δ set l > log δ/ log f (ɛ) l j=1 b j. r 1 r 2 r i D1 1 D2 1 D3 1 Dm 1 D1 2 D2 2 D3 2 Dm 2 D1 i D2 i D3 i Dm i A 1 1 A 1 2 A 1 3 A 1 m A 2 1 A 2 2 A 2 3 A 2 m A i 1 A i 2 A i 3 A i m b 1 b 2 b i r j r k r l D j 1 D j 2 D j 3 Dm j D1 k D2 k D3 k Dm k D1 l D2 l D3 l Dm l A j 1 A j 2 A j 3 A j m A k 1 A k 2 A k 3 A k m A l 1 A l 2 A l 3 A l m b j b k b l J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 17 / 20
Robustness - Imperfect Honest Devices 1 f (ɛ) 2m Let us allow µ = fraction of all the ml devices to fail the test. Then honest but faulty devices with failure probability µ/2 pass the protocol with high probability. r 1 r 2 r i D1 1 D2 1 D3 1 Dm 1 D1 2 D2 2 D3 2 Dm 2 D1 i D2 i D3 i Dm i A 1 1 A 1 2 A 1 3 A 1 m A 2 1 A 2 2 A 2 3 A 2 m A i 1 A i 2 A i 3 A i m b 1 b 2 b i r j r k r l D j 1 D j 2 D j 3 Dm j D1 k D2 k D3 k Dm k D1 l D2 l D3 l Dm l A j 1 A j 2 A j 3 A j m A k 1 A k 2 A k 3 A k m A l 1 A l 2 A l 3 A l m b j b k b l J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 18 / 20
Malicious Devices Adversary needs to cheat for devices with uniform input. By increasing number of rounds we can make sure that (a lot) less errors are allowed than the number of devices adversary needs to cheat. r 1 r 2 r i D1 1 D2 1 D3 1 Dm 1 D1 2 D2 2 D3 2 Dm 2 D1 i D2 i D3 i Dm i A 1 1 A 1 2 A 1 3 A 1 m A 2 1 A 2 2 A 2 3 A 2 m A i 1 A i 2 A i 3 A i m b 1 b 2 b i r j r k r l D j 1 D j 2 D j 3 Dm j D1 k D2 k D3 k Dm k D1 l D2 l D3 l Dm l A j 1 A j 2 A j 3 A j m A k 1 A k 2 A k 3 A k m A l 1 A l 2 A l 3 A l m b j b k b l J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 19 / 20
Conclusion Protocol uses arbitrary block source. Protocol produces single bit biased at most ɛ with probability 1 δ for arbitrary ɛ, δ. Number of devices used scales polynomially with the length of the block. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 20 / 20
Conclusion Protocol uses arbitrary block source. Protocol produces single bit biased at most ɛ with probability 1 δ for arbitrary ɛ, δ. Number of devices used scales polynomially with the length of the block. THANK YOU! J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 20 / 20