Device Independent Randomness Extraction for Arbitrarily Weak Min-Entropy Source

Similar documents
Tutorial: Device-independent random number generation. Roger Colbeck University of York

Untrusted quantum devices. Yaoyun Shi University of Michigan updated Feb. 1, 2014

Robust protocols for securely expanding randomness and distributing keys using untrusted quantum devices

Robust protocols for securely expanding randomness and distributing keys using untrusted quantum devices

Universal security for randomness expansion

More Randomness From Noisy Sources

XXXX Robust Protocols for Securely Expanding Randomness and Distributing Keys Using Untrusted Quantum Devices

Entropy Accumulation in Device-independent Protocols

Unconditionally secure deviceindependent

arxiv: v1 [quant-ph] 21 Aug 2013

Trustworthy Quantum Information. Yaoyun Shi University of Michigan

Inaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions

Notes on Zero Knowledge

Physical Randomness Extractors: Generating Random Numbers with Minimal Assumptions

Secret Sharing CPT, Version 3

CS/Ph120 Homework 8 Solutions

A semi-device-independent framework based on natural physical assumptions

Kolmogorov-Loveland Randomness and Stochasticity

Bit-Commitment and Coin Flipping in a Device-Independent Setting

Lecture 09: Next-bit Unpredictability. Lecture 09: Next-bit Unpredictability

Free randomness can be amplified

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Random number generators

How many rounds can Random Selection handle?

: Cryptography and Game Theory Ran Canetti and Alon Rosen. Lecture 8

On the (Im)Possibility of Tamper-Resilient Cryptography: Using Fourier Analysis in Computer Viruses

Pseudo-Random Generators

Pseudo-Random Generators

Contents. ID Quantique SA Tel: Chemin de la Marbrerie 3 Fax : Carouge

Topics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers

On the power of non-adaptive quantum chosen-ciphertext attacks

CPSC 467b: Cryptography and Computer Security

Randomness in nonlocal games between mistrustful players

Lecture Notes 20: Zero-Knowledge Proofs

Extractors and the Leftover Hash Lemma

Introduction to Quantum Key Distribution

Device-independent Quantum Key Distribution and Randomness Generation. Stefano Pironio Université Libre de Bruxelles

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Quantum Technology: Challenges and Opportunities for Cyber Security. Yaoyun Shi University of Michigan

Extending Oblivious Transfers Efficiently

Non-Malleable Extractors with Short Seeds and Applications to Privacy Amplification

Multichannel liar games with a fixed number of lies

Quantum Simultaneous Contract Signing

Yuval Ishai Technion

Randomness and non-uniformity

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

CPSC 467: Cryptography and Computer Security

Cryptographical Security in the Quantum Random Oracle Model

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Lecture Hardness of Set Cover

Quantum Supremacy and its Applications

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

Authentication. Chapter Message Authentication

Deterministic Extractors - Lecture Notes

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Known and Chosen Key Differential Distinguishers for Block Ciphers

The Entropy Bogeyman. Ed Morris and Khai Van November 5, 2015 International Crypto Module Conference

Introduction to Cryptography Lecture 13

Lecture 15: Privacy Amplification against Active Attackers

BU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/

Lecture 3: Randomness in Computation

CPSC 467b: Cryptography and Computer Security

Simple extractors via crypto pseudo-random generators

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

arxiv: v3 [quant-ph] 1 Mar 2018

1 Number Theory Basics

On the (Im)possibility of Cryptography with Imperfect Randomness

An Identification Scheme Based on KEA1 Assumption

Quantum information and quantum mechanics: fundamental issues. John Preskill, Caltech 23 February

Yale University Department of Computer Science

Quantum to Classical Randomness Extractors

Quantum Supremacy and its Applications

Unconditionally Secure and Universally Composable Commitments from Physical Assumptions

Device-Independent Quantum Information Processing

Notes for Lecture 25

Katz, Lindell Introduction to Modern Cryptrography

MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer

Lecture 10 - MAC s continued, hash & MAC

New Imperfect Random Source with Applications to Coin-Flipping

From Secure MPC to Efficient Zero-Knowledge

ECS 189A Final Cryptography Spring 2011

Practical quantum-key. key- distribution post-processing

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Attribute-based Encryption & Delegation of Computation

Some limits on non-local randomness expansion

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Attacks on hash functions: Cat 5 storm or a drizzle?

CMSC 858K Introduction to Secure Computation October 18, Lecture 19

More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries

Lecture 15 - Zero Knowledge Proofs

Information Security

Benny Pinkas Bar Ilan University

1 Cryptographic hash functions

PAPER An Identification Scheme with Tight Reduction

Round-Efficient Multi-party Computation with a Dishonest Majority

Provable Security in Symmetric Key Cryptography

Transcription:

Device Independent Randomness Extraction for Arbitrarily Weak Min-Entropy Source Jan Bouda, Marcin Paw lowski, Matej Pivoluska, Martin Plesch 6.6.2014 J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 1 / 20

Outline Motivation and Related Work. Ingredients. Our Protocol. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 2 / 20

Importance of Randomness Randomness is useful in: Gambling. Simulation and Computation. Cryptography. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 3 / 20

Importance of Randomness Randomness is useful in: Gambling. Simulation and Computation. Cryptography. Impact of imperfect randomness can be devastating: Attacks on RSA [Lenstra et. al. (2012)] Attacks on QKD[Bouda et. al. (2012), Huber and Paw lowski (2013)] J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 3 / 20

Randomness Production + Testing Pseudorandomness Classical Hardware Quantum Hardware Seed Initialization function Transformation function State PRNG Random bits J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 4 / 20

Randomness Production + Testing Pseudorandomness Classical Hardware Quantum Hardware J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 4 / 20

Randomness Production + Testing Pseudorandomness Classical Hardware Quantum Hardware J. B., M. P.3 DI Extraction from min-entropy sources 6.6.2014 4 / 20

Randomness Production + Testing Pseudorandomness Classical Hardware Quantum Hardware Statistical tests vs. Unpredictability Official certification J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 4 / 20

Device Independent Approach Challenge Untrusted Device Response Passed? Randomness Yes Challenges have to be random. Similarity to randomness extraction. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 5 / 20

Randomness Extraction Randomness extraction is a procedure to transform imperfect randomness into (close to) perfect randomness. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 6 / 20

Randomness Extraction Randomness extraction is a procedure to transform imperfect randomness into (close to) perfect randomness. Classical Extraction Additional Independent Randomness Imperfect Randomness Classical Extractor Uniform Randomness J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 6 / 20

Randomness Extraction Randomness extraction is a procedure to transform imperfect randomness into (close to) perfect randomness. Classical Extraction Additional Independent Randomness Quantum Extraction Additional Independent Randomness Imperfect Randomness Classical Extractor Imperfect Randomness Quantum Extractor Uniform Randomness Uniform Randomness J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 6 / 20

Related work Santha-Vazirani sources Colbeck and Renner (2012). Gallego et. al. (2013). Brandão et. al. (2013). Min-Entropy sources Chung, Shi, Wu (2014). This presentation. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 7 / 20

Quantum Device - GHZ test Quantum Extractor Quantum Device Quantum Device. Quantum Device x y z A B C a b c J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 8 / 20

Quantum Device - GHZ test Quantum Extractor Quantum Device Quantum Device. Quantum Device x y z A B C a b c Input xyz {111, 001, 010, 100}. Test if a b c = x y z. Classical strategies succeed with probability at most 3/4. Quantum strategy succeeds with probability 1 and produces perfect random bits. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 8 / 20

GHZ devices - rigidity (MP bound) Let inputs into D i be uniform. If D i wins GHZ game with probability p > f (ɛ) then bias of a m is at most ɛ. Function f (ɛ) obtained by SDP. 1 0,98 0,96 0,94 f( ) 0,92 0,9 0,88 0,86 0 0,05 0,1 0,15 0,2 0,25 0,3 0,35 0,4 0,45 0,5 J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 9 / 20

Weak Source of Randomness - Definition Source of randomness {X i } i N is (n, k) block source if X i is random variable with n bit output. It holds that x 1,, x i 1 {0, 1} n, e I(E), H (X i X i 1 = x i 1,, X 1 = x 1, E = e) k. H is min-entropy. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 10 / 20

Weak Source of Randomness - Definition Source of randomness {X i } i N is (n, k) block source if Notes: X i is random variable with n bit output. It holds that H is min-entropy. x 1,, x i 1 {0, 1} n, e I(E), H (X i X i 1 = x i 1,, X 1 = x 1, E = e) k. Classically cannot be extracted. For n = 1 Santha Vazirani (SV) source is recovered. For n > 1 cannot be transformed into SV source existing protocols do not work. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 10 / 20

Set of Hashing Functions {0, 1} n 00 01 h 1 11 10 h 2 Let h i : {0, 1} n {0, 1} 2. Let H = {h i } m i=1. For each subset S of {0, 1} n of size 4 there exists h i, such that h i (S) = {00, 01, 10, 11}. There is a construction of H with size polynomial in n. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 11 / 20

One Round of Protocol 1 We obtain the (weakly) random n bit string r i from an (n, 2) block source. 2 Into each device D i we input the 3 bit string inputs X i, Y i and Z i derived from h i (r i ) and obtain the outputs A i, B i and C i. 3 We verify whether for each device D i the condition Z i Y i Z i = A i B i C i holds. If this is not true, we abort the protocol. 4 We define the output bit of the protocol as b i = m j=1 A j. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 12 / 20

Protocol Scheme (n, 2) r i R X i D 1 D 2 D 3 D m A 1 A 2 A 3 Am b i J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 13 / 20

Single Round Analysis - The Flat Sources 1 0.5 0 010 001 000 011 100 101 110 111 (n, 2) flat source 4 elements of {0, 1} n with probability 1 4, others with probability 0. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 14 / 20

Single Round Analysis - The Flat Sources 1 0.5 0 010 001 000 011 100 101 110 111 Uniform Input (n, 2) flat source 4 elements of {0, 1} n with probability 1 4, others with probability 0. D 1 D 2 D 3 D m A 1 A 2 A 3 Am b i J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 14 / 20

Single Round Analysis - The Non-Flat Sources 1 0.5 0 010 001 000 011 100 101 110 111 = 1 1 0.5 2 ( )+ 0 010 001 000 011 100 101 110 111 1 1 0.5 2( ) 0 010 001 000 011 100 101 110 111 Any (n, 2) distribution d can be expressed as a convex combination of at most N = 2 n (n, 2) flat distributions d i. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 15 / 20

Single Round Analysis - The Non-Flat Sources II = 1 2 + 1 2 D 1 D 2 D 3 D m A 1 A 2 A 3 Am b i D 1 D 2 D 3 D m A 1 A 2 A 3 Am b i J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 16 / 20

Multiple Rounds Repeat the protocol l times. Output b = If b has bias greater than ɛ, each of b i has bias at least ɛ. To achieve bias ɛ adversary has to risk l times - success f (ɛ) l. For target parameters ɛ, δ set l > log δ/ log f (ɛ) l j=1 b j. r 1 r 2 r i D1 1 D2 1 D3 1 Dm 1 D1 2 D2 2 D3 2 Dm 2 D1 i D2 i D3 i Dm i A 1 1 A 1 2 A 1 3 A 1 m A 2 1 A 2 2 A 2 3 A 2 m A i 1 A i 2 A i 3 A i m b 1 b 2 b i r j r k r l D j 1 D j 2 D j 3 Dm j D1 k D2 k D3 k Dm k D1 l D2 l D3 l Dm l A j 1 A j 2 A j 3 A j m A k 1 A k 2 A k 3 A k m A l 1 A l 2 A l 3 A l m b j b k b l J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 17 / 20

Robustness - Imperfect Honest Devices 1 f (ɛ) 2m Let us allow µ = fraction of all the ml devices to fail the test. Then honest but faulty devices with failure probability µ/2 pass the protocol with high probability. r 1 r 2 r i D1 1 D2 1 D3 1 Dm 1 D1 2 D2 2 D3 2 Dm 2 D1 i D2 i D3 i Dm i A 1 1 A 1 2 A 1 3 A 1 m A 2 1 A 2 2 A 2 3 A 2 m A i 1 A i 2 A i 3 A i m b 1 b 2 b i r j r k r l D j 1 D j 2 D j 3 Dm j D1 k D2 k D3 k Dm k D1 l D2 l D3 l Dm l A j 1 A j 2 A j 3 A j m A k 1 A k 2 A k 3 A k m A l 1 A l 2 A l 3 A l m b j b k b l J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 18 / 20

Malicious Devices Adversary needs to cheat for devices with uniform input. By increasing number of rounds we can make sure that (a lot) less errors are allowed than the number of devices adversary needs to cheat. r 1 r 2 r i D1 1 D2 1 D3 1 Dm 1 D1 2 D2 2 D3 2 Dm 2 D1 i D2 i D3 i Dm i A 1 1 A 1 2 A 1 3 A 1 m A 2 1 A 2 2 A 2 3 A 2 m A i 1 A i 2 A i 3 A i m b 1 b 2 b i r j r k r l D j 1 D j 2 D j 3 Dm j D1 k D2 k D3 k Dm k D1 l D2 l D3 l Dm l A j 1 A j 2 A j 3 A j m A k 1 A k 2 A k 3 A k m A l 1 A l 2 A l 3 A l m b j b k b l J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 19 / 20

Conclusion Protocol uses arbitrary block source. Protocol produces single bit biased at most ɛ with probability 1 δ for arbitrary ɛ, δ. Number of devices used scales polynomially with the length of the block. J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 20 / 20

Conclusion Protocol uses arbitrary block source. Protocol produces single bit biased at most ɛ with probability 1 δ for arbitrary ɛ, δ. Number of devices used scales polynomially with the length of the block. THANK YOU! J. B., M. P. 3 DI Extraction from min-entropy sources 6.6.2014 20 / 20

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback