Entropic security using conditional min-entropy

Frédéric Dupuis and Simon Pierre Desrosiers

March 4, 2007

1 Preliminary

We will use the usual bra and ket notation for pure states, where a unit-length complex vector is written $|\psi\rangle = \sum_i \alpha_i |i\rangle$, where the $|i\rangle$ form a basis for the space in which the vector $|\psi\rangle$ is embedded and $\sum_i \alpha_i^* \alpha_i = 1$.¹ A quantum state is axiomatically defined as a non-negative complex operator of trace equal to 1. By the spectral decomposition theorem, $\rho = \sum_i \gamma_i |r_i\rangle\langle r_i|$, where the $|r_i\rangle$ form a basis for the space in which the quantum state lives and the $\gamma_i$ are non-negative real numbers that sum up to one. This can be interpreted as saying that $\rho$ is a source that will output the state $|r_i\rangle$ with probability $\gamma_i$ if it is sampled in the basis $\{|r_i\rangle\}$. By sampled, we mean the measurement of $\rho$ in the eigenbasis of $\rho$. A special case of a basis is the computational basis, that is, the set $\{|i\rangle\}$, where $|i\rangle = [a_1, a_2, \ldots, a_d]^T$ and for all $j \neq i$ we have that $a_j = 0$ and $a_i = 1$.

If we take two quantum states, $\sigma^A$ and $\tau^B$, and put them side by side, the result is a state $\rho^{AB}$ which is equal to $\sigma^A \otimes \tau^B$. The operator $\otimes$ is the tensor operator, which is defined for any two matrices $X$ and $Y$ as

$$X \otimes Y = \begin{pmatrix} X_{1,1} Y & \cdots & X_{1,n} Y \\ \vdots & \ddots & \vdots \\ X_{m,1} Y & \cdots & X_{m,n} Y \end{pmatrix}.$$

Note that the tensor product is not commutative in general. The partial trace is a kind of inverse to the tensor product operation. For any bipartite state $\rho^{AB}$, we have that $\rho^A = \mathrm{Tr}_A(\rho^{AB})$; the normal interpretation for such an operator is that if a physical state $\rho^{AB}$ lives in the space AB but one only has access to the space A to measure the state, then the statistics obtained can be explained using $\rho^B$.

¹ For a thorough introduction to quantum information theory, see [4]. We will present here only what is necessary to follow the proofs. To gain physical comprehension, the reader should refer to the provided reference.

2 Definitions

Entropic security, as introduced by Russell and Wang [6] and generalised by Dodis and Smith in [3], uses the definition of classical min-entropy to quantify the adversary's knowledge of the sender's message space. Let $M$ be a random variable that represents the message space and let $M$ take value $m$ with probability $p_m$, where $\sum_m p_m = 1$. Then the min-entropy of $M$, written $H_\infty(M)$, is defined to be $-\log(\max_m p_m)$.

Simon Pierre Desrosiers introduced in [2] quantum versions of these security definitions for the case where the eavesdropper and the sender are not entangled. Then, the adversary's knowledge is represented by the quantum min-entropy of the adversary on the sender's state. The message space in this case is considered to be a valid interpretation $\{(p_i, \sigma_i)\}$ of a state $\rho^A = \sum_j \gamma_j |j\rangle\langle j| = \sum_i p_i \sigma_i$, and $H_\infty(\rho^A) = -\log \max_j \gamma_j$, where $\sum_j \gamma_j |j\rangle\langle j|$ is the spectral decomposition of $\rho^A$.

In this paper, we will show that we can fully generalise these security definitions to a quantum setting. This time the only restriction on the adversary will be quantified by the following definition, introduced by Renato Renner (see [5]) in his proof that the BB84 scheme is secure in the most general setting! We shall make no other assumption on the sender-eavesdropper system than the eavesdropper's conditional min-entropy.

Definition 1 (Conditional min-entropy). For any valid state $\rho^{AE}$ shared between the eavesdropper and the sender, we define the conditional min-entropy of $\rho^{AE}$ relative to $\rho^E = \mathrm{Tr}_A(\rho^{AE})$ as $H_\infty(\rho^{AE} | \rho^E) = -\log \lambda$, where $\lambda$ is the minimum real number such that the Hermitian operator $\lambda I^A \otimes \rho^E - \rho^{AE}$ is non-negative.

Observe that the last operator is defined using the identity matrix on the A space and not the perfectly mixed state. We will also use the notation $H_\infty(A|E)$ for $H_\infty(\rho^{AE} | \rho^E)$. One can prove a few properties about conditional min-entropy which will be handy later on. First, this lemma:

Lemma 1. Let the joint state of the sender and the adversary be $\rho^{AB} = \rho^A \otimes \rho^B$; then $H_\infty(AB|B) = H_\infty(\rho^A)$.

Proof. The structure of $\rho^{AB}$ lets us write this equality: $\lambda I \otimes \rho^B - \rho^{AB} = (\lambda I - \rho^A) \otimes \rho^B$. We know that $\rho^B$ is positive, since it is a valid density operator; hence if we want this quantity to be positive, we need $\lambda I - \rho^A$ to be positive. This implies, since $I$ commutes with everything, that $\lambda = \gamma_{\max}$, where $\gamma_{\max}$ is the largest eigenvalue of $\rho^A$.

We can conclude from this lemma that if the sender and the adversary are not correlated, then the standard results of [2] can be used. But there is a case which is still more general and yet implies no quantum correlation (i.e. entanglement). We say a state $\rho^{AB}$ is separable if it can be written as $\rho^{AB} = \sum_i \sigma_i^A \otimes \tau_i^B$. In this case, Lemma 3.1.8 of Renato Renner's Ph.D. thesis [5] lets us conclude something interesting. This lemma tells us that ??? blablabla confused, mixed up, need help.
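Definition 1 and Lemma 1 can be checked numerically. The Python below is an added example, not code from the paper: it reads Definition 1 as H = -log2(λ) with λ the least real number for which λ·(I_A ⊗ ρ^E) − ρ^AE is non-negative, assumes real density matrices with full-rank ρ^E, and finds λ by bisection with a Cholesky positivity test. All function names and sample states are constructed for illustration, and beyond Lemma 1's product state it also evaluates a Bell pair, where the conditional min-entropy is negative.

```python
import math

def kron(x, y):
    """Tensor product X (x) Y of two square matrices (lists of rows)."""
    m = len(y)
    size = len(x) * m
    return [[x[i // m][j // m] * y[i % m][j % m] for j in range(size)]
            for i in range(size)]

def trace_out_a(rho, d_a, d_e):
    """rho^E = Tr_A(rho^AE), with rows/columns indexed as a * d_e + e."""
    return [[sum(rho[a * d_e + e][a * d_e + f] for a in range(d_a))
             for f in range(d_e)] for e in range(d_e)]

def is_pos_def(mat, eps=1e-12):
    """Cholesky test: True iff the real symmetric matrix is positive definite."""
    n = len(mat)
    low = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = mat[i][j] - sum(low[i][k] * low[j][k] for k in range(j))
            if i == j:
                if s <= eps:
                    return False
                low[i][i] = math.sqrt(s)
            else:
                low[i][j] = s / low[j][j]
    return True

def cond_min_entropy(rho, d_a, d_e, iters=60):
    """-log2 of the least lam with lam * (I_A (x) rho^E) - rho^AE >= 0.

    Assumes a real density matrix with full-rank rho^E, so the operator is
    positive definite for every lam above the minimum and bisection applies.
    """
    rho_e = trace_out_a(rho, d_a, d_e)
    ident = [[float(i == j) for j in range(d_a)] for i in range(d_a)]
    bound = kron(ident, rho_e)
    n = d_a * d_e

    def feasible(lam):
        return is_pos_def([[lam * bound[i][j] - rho[i][j] for j in range(n)]
                           for i in range(n)])

    lo, hi = 0.0, 1.0
    while not feasible(hi):            # grow the bracket until hi is feasible
        lo, hi = hi, 2.0 * hi
        if hi > 2.0 ** 40:
            raise ValueError("rho^E looks singular; no finite lam found")
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        lo, hi = (lo, mid) if feasible(mid) else (mid, hi)
    return -math.log2(hi)

# Constructed sample states (not from the paper).
RHO_A = [[0.7, 0.2], [0.2, 0.3]]
RHO_B = [[0.6, 0.1], [0.1, 0.4]]
PRODUCT = kron(RHO_A, RHO_B)             # Lemma 1 case: rho^A (x) rho^B
BELL = [[0.5, 0, 0, 0.5], [0, 0, 0, 0], [0, 0, 0, 0], [0.5, 0, 0, 0.5]]
UNIFORM_BIT = [[0.5, 0.0], [0.0, 0.5]]
BELL_PLUS_BIT = kron(UNIFORM_BIT, BELL)  # A = (uniform bit, Bell half), E = other half

if __name__ == "__main__":
    gamma_max = (1 + math.sqrt(0.32)) / 2   # largest eigenvalue of RHO_A
    print("product  :", cond_min_entropy(PRODUCT, 2, 2), -math.log2(gamma_max))
    print("Bell pair:", cond_min_entropy(BELL, 2, 2))
    print("Bell+bit :", cond_min_entropy(BELL_PLUS_BIT, 4, 2))
```

The product state reproduces Lemma 1 (the result depends only on the largest eigenvalue of ρ^A), while the Bell pair shows how entanglement with the eavesdropper drives the quantity below zero and a uniform classical bit on the sender's side raises it by one.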

Lemma 2. For any bipartite state over we have H A E) t = Tr A [ρ ] t ρ E.

Proof. H A E) t ρ t I ρ E Tr A [ρ ] t [ Tr A ρ I ρ E)] Tr A [ρ ] t ρ E

Both [3] and [2] presented security definitions equivalent in their respective models to the following two security definitions.

Definition 2 (Entropic Security). An encryption system E is (t, ε)-entropically secure if for all states ρ such that H min ρ ρ E ) t, all interpretations {p j, σj )} and all adversaries A, there exists an A such that for all functions f, we have Pr[σ i )) = fσi )] Pr[A σi E ) = fσi )] ε. (1)

Definition 3 (Entropic Indistinguishability). An encryption system E is (t, ɛ)-indistinguishable if for all states ρ such that H ρ ρ E ) t we have that: Eρ ) I ρ E < ɛ. (2) 1

3 Equivalence between the two security definitions

Theorem 1. t 1, ε/)-indistinguishability implies (t, ε)-entropic security for all functions.

Proof. Suppose there exists an adversary B, a state ρ such that H min ρ ρ E ) t, an interpretation { p j, σj ) } for ρ and a function f such that Pr[BEσi )) fσi )] Pr[B ρ E ) fσi )] > ε (3) for all adversaries B. Then we know that there exists another adversary and a predicate h such that t, ε/)-entropic security is violated. Let's call this adversary A and let us define the sets E 0 and E 1 as follows: E 0 = { i hσ i ) = 0 } (4) E 1 = { i hσ i ) = 1 }. (5)

Let r 0 = p i, i E 0 r 1 = p i, i E 1 τ0 = 1 p i σi r 0 i E 0 ) and ) τ1 = 1 p i σi. r 1 i E 1

Note that ρ = r 0 τ 0 + r 1 τ 1. Now, define the following states: τ 0 = r 0 τ 0 + r 1 I τ E 1 (6) τ 1 = r 1 τ 1 + r 0 I τ E 0, (7) where, as usual, τ E i = Tr A [τ i ].

Lemma 3. H min τ 0 τ E 0 ) t 1, and H min τ 1 τ E 1 ) t 1.

Proof. First, it is clear that τ E 0 = τ E 1 = ρ E. We then have First observe that max ψ ψ τ 0 ψ ψ I ρ E ψ r 0 max ψ max ψ ψ τ0 ψ ψ τ0 + r1 ψ I ρ E max ψ ψ ψ τ0 ψ ψ I ρ E ψ + r ψ I d 1 max A τ1 E ψ ψ ψ I ρ E ψ. 1 ψ ψ I ρ E 1 t. ψ r 0 r 0 τ

Second, using theorem 3.1.1 from Renato Renner's thesis and the previous observation, we get max ψ ψ I τ1 E ψ ψ τ1 ψ ψ I ρ E max ψ ψ ψ I ρ E ψ 1 t. r 1

Combining these two results, we obtain max ψ ψ τ 0 ψ ψ I ρ E ψ t = t 1). Of course, an identical calculation yields the same result for τ 1.

To finish the proof, we need to show that A can distinguish E τ 0 ) from E τ 1 ). Assume that A can distinguish Eτ0 ) from Eτ1 ) in a r 0, r 1 mixture with probability η. Now assume that we feed it Eτ0 ) with probability 1/ and Eτ1 ) with probability 1/. Observe that this is exactly as if we gave it an r 0, r 1 mixture of Eτ0 ) and Eτ1 ) with probability 1/ and an r 1, r 0 mixture I of τ0 E and I τ1 E with probability 1/. Let's call the optimal probability of distinguishing these last two states α. We then have that the probability of distinguishing E τ 0 ) from E τ 1 ) using A is at least 1 η + 1 1 α) = 1 + 1 η α). But we know that η α = Pr[τ i )) = i] max Pr[A τ E A i ) = i] > ε/. Hence, the probability of distinguishing E τ 0 ) from E τ 1 ) is at least 1/ + ε/4, which implies that E τ 0 ) E τ 1 ) > ε and therefore that there exists a state ω with H A E) t such that Eω ) I ω E > ε/.

Theorem 2. (t, ε)-entropic security implies t 1, 6ε)-indistinguishability as long as t n A 1.

Proof. We will prove the contrapositive. Let ρ be a state such that H min ρ ρ E ) t 1 and Eρ ) I ρ E > 6ε. Consider the following state ρ = 1 3 ρ + I ρ E. 3 We can easily show that H min ρ ρ E ) = H min ρ ρ E ) t: ψ ρ ψ ψ I ρ E ψ = 1 ψ ρ ψ 3 ψ I ρ E ψ + ψ I ρ E ψ 3 ψ I ρ E ψ 1 3 t 1) + 1 1 3 = 3 t + 1 ) ) t + t 3 = t.

Since Eρ ) I ρ E > 6ε, we know that there exists an adversary that can distinguish Eρ ) from I ρ E with probability at least 1 + 3 ε. Let's call this adversary A, and let's assume that it gives the right answer with probability η 1 when it is given Eρ ) and with probability η when it is given I ρ E. We then have 1 η 1 + η ) > 1 + 3 ε. Let I 0 and I 1 be two states such that I 0 +I 1 )/ = I ρ E and I 0 I ρ E I1, I ρ E, Tr A I 0 ) = Tr A I 1 ) = ρ E. It is clear that ρ = 1 3 ρ + 1 3 I 0 + 1 3 I 1. (8) Now, let's define a function h such that hρ ) = 0, hi 0 ) = 1, and hi 1 ) =. We will show that A violates entropic security on ρ, the interpretation given in (8) and the function h. First of all, it is clear that by having access only to Eve's system, no adversary can guess the value of h with a probability greater than 1/3. Let us now determine what A can do by having access to the encrypted version of ρ. When 0, we have: Pr[σ i )) = hσ i )] = 1 3 η 1 + η 3 = 1 3 η 1 + η ) > 1 1 + 3ε) 3 = 1 3 + ε. We then finally get Pr[σ i)) = hσ i )] 1 3 > ε which violates entropic security.

4 Two encryption schemes

We shall first show a technical lemma which will be useful as an intermediate step for both encryption schemes.

Lemma 4. For any valid bipartite state ρ, where Tr A [ρ ] = ρ E we have [ ) ] [ Tr A ρ IA ρ E = Tr A ρ ] 1 ρ E, where is the dimension of the A space.

Proof. By definition we have [ Tr A ρ I ) ] ρ E = Tr A [ρ ] [ )] I Tr A ρ ρ E + 1 ρ E. (9) Let us concentrate on the middle term of the right-hand side. By the spectral decomposition theorem, there exist bases r i and j such that ρ E = i λ i r i r i and I ρ E = λ i i,j j j r i r i. So [ )] I Tr A ρ ρ E = Tr A ρ λ i j j r i r i d i,j A λ i = Tr A ρ j j r i r i d i A j = λ i [ Tr A ρ I A r i r i )] d i A = 1 λ i ρ E r i r i = ρe. Plugging this result in equation (9), we get the Lemma. i

4.1 A scheme based on delta-biased space

We shall show that if HA E) t, then the Ambainis-Smith scheme, introduced in [1], is ε-secure using n A t + log n A + log 1 ε ) bits of key. To prove this, we first need to prove a few technical lemmas.

Lemma 5. Tr A ρ Tr A ρ.

Proof. Since the square root operator is concave and a density operator is a convex combination of operators, we can conclude that for all projectors P we have that P ρ P P ρ P. Hence, Tr A ρ = i I) ρ i I) i I)ρ i I) 1 = i I)ρ E i I) A 1 i I)ρ i I) = Tr A ρ

Lemma 6. For every Hermitian matrix M on H A H E, Tr A [M ] = 1 Tr A [X u Z v I)M] Tr A [X u Z v I)M]

Proof. We can easily show that u,v Tr A [M ] = ij Tr A [ i j A I E )M] Tr A [ i j A I E )M] Let's define a column vector of matrices W such that W m = Tr A [ i j A I E )M] where i = m and j = m mod n A. We now have Tr A [M ] = W W = W F F W, where F is a unitary matrix on vectors of dimension d A. In particular, we can choose F to be the unitary transformation i j 1 da X i Z j. This matrix exists since the Pauli matrices form an orthonormal basis for BH A ), as do the i j. Now, let's define W = F W. We then have W m = 1 da Tr A [X i Z j I E )M] and the statement immediately follows from the fact that Tr A [M ] = W F F W = W W.

0 n A 0 n A 0 n A 0 n A 0 n A 0 0 n A This works fine on a normal line. But there are only 4 font sizes in math mode. So in the last case, the size for n and for A is the same. By adding negative spaces, we get something that looks fairly good, like n A n A.

Lemma 7. Tr A [Eρ ) I ρ E ) ] δ Tr A [ρ ].

Proof. Tr A [Eρ ) I ρ E ) ] = Tr A [Eρ ) ] 1 ρ E by Lemma 4 = 1 = 1 u,v Tr A [X u Z v I)Eρ )] Tr A [X u Z v I)Eρ )] 1 ρ E uv 0 n A 0 n E δ uv 0 n A 0 n E δ uv = δ Tr A [ρ ]. Tr A [X u Z v I)Eρ )] Tr A [X u Z v I)Eρ )] Tr A [X u Z v I)ρ ] Tr A [X u Z v I)ρ ] Tr A [X u Z v I)ρ ] Tr A [X u Z v I)ρ ]

Lemma 8. Eρ ) I ρ E δ da t.

Proof. Eρ ) I ρ E = Tr[Tr A[ Eρ ) I ρ d E ) ]] A Tr[ Tr A [Eρ ) I ρ d E ) ]] A Tr[ δ Tr A [ρ ]] = δ Tr[ Tr A [ρ ]]. Using Lemma 2 we continue as follows: Eρ ) I ρ E δ Tr[ t ρ E ] = δ t Tr[ρ E ] = δ t.

We are now ready to prove the main theorem:

Theorem 3. If H A E) t, then the Ambainis-Smith scheme is ε-secure using n A t+ log n A + log 1 ε ) bits of key, where n A = log.

Proof. If we choose δ ε/ n A t)/, we obtain Eρ ) I ρ E ε with na t + log n A + log 1 ε ) bits of key.

4.2 A scheme based on XOR-universal permutations

Definition 4. Let H n = {h i } i I be a family of permutations over n bit strings. Consider the event A = h i x) h i y). We say the family H n is strongly-xor-universal if for all x, y and all a 0 we have Pr i I [A = a] 1 n.

The family proposed in [3] naturally possesses this property. Notice that the probability of seeing A = a = 0 can be much larger than 1/ n : in fact it is equal to the collision probability of the input.

Proposition 1. Let H n be a strongly-xor-family of permutations. Consider the super-operator E k ρ) = i, X a Z b I E )ρ Z b X a I E ), where i is chosen at random uniformly over n bit strings and a b = h i k), where k is the secret key (a b denotes the concatenation of the strings a and b). Then E is a quantum cipher.

Theorem 4. The cipher of Proposition 1 is (t, ɛ)-indistinguishable for all states ρ such that H ρ ρ E ) t as long as H K) + H ρ ρ E ) n A + log1/ɛ).

We will need the following lemma to complete the proof.

Lemma 9. For a cipher as defined in Proposition 1, we have Tr A [ Eρ ) ] 1 I 1 [ K Tr A ρ ] + 1 ρ E

Proof. The adversary's view can be written this way: ρ = Eρ) = E k,i [ i i X a Z b ρz b X a ], we have dropped the I E and the to simplify notation. Note that is the dimension of the input to E, but the output dimension is I. We are interested in the following quantity Tr Eρ) ). First note that Tr i i j j ) = δ ij, the Dirac function, and Tr A B) = Tr A) Tr B), for any operators A and B. So Tr A Eρ) ) = 1 I Tr A Ek,k,i[X a Z b ρz b X a X c Z d ρz d X c ] ) (10) = 1 I Tr A Ek,k,i[Z d X c X a Z b ρz b X a X c Z d ρ] ) (11) = 1 I Tr A = 1 I Tr A = 1 I Tr A Ek,k,i[ 1) d c 1) d a X c X a Z d Z b ρz b X a X c Z d ρ] ) (12) Ek,k,i[ 1) d c ) 1) d a ) X c X a Z d Z b ρz b Z d X a X c ρ] ) (13) Eef,i [X e Z f ρz f X e ρ] ) (14) where a b = h i k) and c d = h i k ) and where k and k are independent instances of the key. Also e f = a c) b d) = a b) c d).

By Definition 4, we know that the probability of seeing any string e f, different from zero, is bounded above by 1/ n. Let us divide Equation (14) into two terms, one for e f = 0 and the other for all the e f 0. Let us introduce the following notations: ρ ef instead of X e Z f ρz f X e and p ef for the probability that e f is observed. Thus, we can rewrite everything like this: Tr A Eρ) ) = 1 I Tr ρ A K + e,f where e f 0 ). p ef ρ ef ρ. (15)

Observe two things: for all e f 0 we know that p ef 1/ n and 1 ef ρ n ef = I A / ρ E. Quantum mechanics also tells us that Tr ρσ) is the expectation of the observed eigenvalue if one measures the observable ρ on the state σ. A specific case is Tr I n ρ ) = 1/ n, since all eigenvalues of the perfectly mixed state are equal to 1/ n, the average cannot be different from this number.

Let A be the positive operator e,f p ef ρ ef. From the previous observations, we can conclude e f 0 that there exists a positive operator B such that A + B = I A / ρ E, i.e. B = e,f 1 p n ef )ρ ef and p 0 0 = 0. Therefore Tr A A + B)ρ) 1 ρ E, thus Tr A Aρ) + Tr A Bρ) 1 ρ E and finally Tr A Aρ) 1 ρ E. So we can rewrite Equation (15) this way: Tr A Eρ ) ) 1 I Tr A ) ) ρ + 1 ρ E. (16) K Which is equivalent to the lemma statement.

² X a Z b = X a 1Z b 1 X an Z bn if a = a 1... a n and b = b 1... b n.

Corollary 1. For a cipher as defined in Proposition 1, we have [ Tr A Eρ ) I ) ] ρ E 1 I K Tr Aρ ).

Proof. This is easily proved by using Lemma 4 which says in our case: [ ) ] [ Tr A Eρ ) IA ρ E = Tr A Eρ ) ] 1 I 1 ρ E, Using the result of the previous lemma (Lemma 9), we get the result.

And finally we can prove Theorem 4.

Proof. Well, trivially, we have Eρ ) I ρ E = Tr[Tr A[ Eρ ) I ρ d E ) ]] A Tr[ I Tr A [Eρ ) I ρ d E ) ]] A Tr[ K Tr A[ρ ]] = K Tr[ Tr A [ρ ]].

Using Lemma 2 we continue as follows: Eρ ) I ρ E = = K Tr[ t ρ E ] t Tr[ρ E ] K t. K Now, by hypothesis, we have H K) + H ρ ρ E ) n A + log1/ɛ), which can be transformed into log log K ) t log ɛ. Getting rid of the logs gives us t K ɛ. This in turn implies that Eρ ) I ρ E t ɛ, K which is the desired result.

If one factors out log K in the last equation, we get n A t+ log 1 ɛ ) log K ). So, as long as the key length is larger than n A t+ log 1/ɛ), the scheme of Proposition 1 is a (t, ɛ)-indistinguishable scheme.

5 Minimum requirement for the key length

We can generalize the proof for the lower bound on the key length found in [3] to the quantum world and the conditional min-entropy definition.

Theorem 5. Any quantum encryption scheme which is (t, ɛ)-entropically secure for inputs of length n requires a key of length at least n t 1.

Proof. Let ψ be a Bell state on n t qubits. So, by definition, assuming the dimension of the A space is equal to that of the E space, we have that Tr A ψ ) = IE d E, where d E = n t)/. Let the input to the cipher be the state Tr ) B ψ U n+t, where U n+t is simply a uniform classical random variable over n + t)/ bits. So ρ = ψ ψ U A n+t.

Computing the conditional min-entropy is easy: H ρ ρ E ) = n t)/ + n + t)/ = t. We also know that for such a state, E A I E ) ψ U A n+t ) is statistically indistinguishable from I A Tr ) A ψ. It is well known that such a channel requires at least n t)/ 1 bits of key (the minus one comes from the statistical relaxation to the security, where entanglement is present).

Sadly, the proof of [3] for schemes using public coins, as 1, cannot be similarly generalised.

References

[1] Andris Ambainis and Adam Smith. Small pseudo-random families of matrices: Derandomizing approximate quantum encryption. In Klaus Jansen, Sanjeev Khanna, José D. P. Rolim, and Dana Ron, editors, APPROX-RANDOM, volume 3122 of Lecture Notes in Computer Science, pages 249–260. Springer, 2004.

[2] Simon Pierre Desrosiers. Entropic security in quantum cryptography. quant-ph, 2007.

[3] Yevgeniy Dodis and Adam Smith. Entropic security and the encryption of high entropy messages. Cryptology ePrint Archive, Report 2004/219, 2004. http://eprint.iacr.org/.

[4] M. A. Nielsen and Isaac L. Chuang. Quantum computation and quantum information. Cambridge University Press, New York, NY, USA, 2000.

[5] Renato Renner. Security of Quantum Key Distribution. PhD thesis, Swiss Federal Institute of Technology, 2005.

[6] Alexander Russell and Hong Wang. How to fool an unbounded adversary with a short key. In EUROCRYPT '02: Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, pages 133–148, London, UK, 2002. Springer-Verlag.