Entropic security using conditional min-entropy

Frédéric Dupuis and Simon Pierre Desrosiers

March 4, 2007

1 Preliminary

We will use the usual bra and ket notation for pure states, where a unit-length complex vector is written $\psi = \sum_i \alpha_i |i\rangle$; the $|i\rangle$ form a basis for the space in which the vector $\psi$ is embedded and $\sum_i \alpha_i^* \alpha_i = 1$. A quantum state is axiomatically defined as a non-negative complex operator of trace equal to 1. By the spectral decomposition theorem $\rho = \sum_i \gamma_i |r_i\rangle\langle r_i|$, where the $|r_i\rangle$ form a basis for the space in which the quantum state lives and the $\gamma_i$ are non-negative real numbers that sum to one. This can be interpreted as saying that $\rho$ is a source that outputs the state $|r_i\rangle$ with probability $\gamma_i$ when it is sampled in the basis $\{|r_i\rangle\}$. By sampled, we mean the measurement of $\rho$ in its own eigenbasis. A special case of a basis is the computational basis, that is the set $\{|i\rangle\}$ where $|i\rangle = [a_1, a_2, \ldots, a_d]^T$ with $a_i = 1$ and $a_j = 0$ for all $j \neq i$.

If we take two quantum states, $\sigma_A$ and $\tau_B$, and put them side by side, the result is a state $\rho_{AB}$ equal to $\sigma_A \otimes \tau_B$. The operator $\otimes$ is the tensor product, defined for any two matrices $X$ and $Y$ as
$$X \otimes Y = \begin{pmatrix} X_{1,1} Y & \cdots & X_{1,n} Y \\ \vdots & \ddots & \vdots \\ X_{m,1} Y & \cdots & X_{m,n} Y \end{pmatrix}$$
Note that the tensor product is not commutative in general. The partial trace is a kind of inverse of the tensor product operation. For any bipartite state $\rho_{AB}$ we have $\rho_B = \mathrm{Tr}_A(\rho_{AB})$; the usual interpretation of this operator is that if a physical state $\rho_{AB}$ lives in the space $AB$ but one only has access to the space $B$ to measure the state, then the statistics obtained can be explained using $\rho_B$.

1 For a thorough introduction to quantum information theory, see [4]. We present here only what is necessary to follow the proofs. To gain physical comprehension, the reader should refer to the provided reference.
2 Definitions

Entropic security, as introduced by Russell and Wang [6] and generalised by Dodis and Smith in [3], uses the definition of classical min-entropy to quantify the adversary's knowledge of the sender's message space. Let $M$ be a random variable representing the message space and let $M$ take value $m$ with probability $p_m$, where $\sum_m p_m = 1$. Then the min-entropy of $M$, written $H(M)$, is defined to be $-\log(\max_m p_m)$.

Simon Pierre Desrosiers introduced in [2] quantum versions of these security definitions for the case where the eavesdropper and the sender are not entangled. The adversary's knowledge is then represented by the quantum min-entropy of the adversary on the sender's state. The message space in this case is taken to be a valid interpretation $\{(p_i, \sigma_i)\}$ of a state $\rho_A = \sum_j \gamma_j |j\rangle\langle j| = \sum_i p_i \sigma_i$, where $H(\rho_A) = -\log \max_j \gamma_j$ and $\sum_j \gamma_j |j\rangle\langle j|$ is the spectral decomposition of $\rho_A$.

In this paper, we show that these security definitions fully generalise to a quantum setting. This time the only restriction on the adversary is quantified by the following definition, introduced by Renato Renner (see [5]) in his proof that the BB84 scheme is secure in the most general setting. We make no other assumption on the sender-eavesdropper system than a bound on the eavesdropper's conditional min-entropy.

Definition 1 (Conditional min-entropy). For any valid state $\rho_{AE}$ shared between the eavesdropper and the sender, we define the conditional min-entropy of $\rho_{AE}$ relative to $\rho_E = \mathrm{Tr}_A(\rho_{AE})$ as $H(\rho_{AE} | \rho_E) = -\log \lambda$, where $\lambda$ is the minimum real number such that the Hermitian operator $\lambda I_A \otimes \rho_E - \rho_{AE}$ is non-negative.

Observe that the last operator is defined using the identity matrix on the A space and not the perfectly mixed state. We will also use the notation $H(A|E)$ for $H(\rho_{AE} | \rho_E)$. One can prove a few properties of conditional min-entropy which will be handy later on. First, this lemma:
Lemma 1. Let the joint state of the sender and the adversary be $\rho_{AB} = \rho_A \otimes \rho_B$; then $H(AB|B) = H(\rho_A)$.

Proof. The structure of $\rho_{AB}$ lets us write the equality $\lambda I \otimes \rho_B - \rho_{AB} = (\lambda I - \rho_A) \otimes \rho_B$. We know that $\rho_B$ is positive, since it is a valid density operator; hence if we want this quantity to be positive, we need $\lambda I - \rho_A$ to be positive. This implies, since $I$ commutes with everything, that $\lambda = \gamma_{\max}$, where $\gamma_{\max}$ is the largest eigenvalue of $\rho_A$.

We can conclude from this lemma that if the sender and the adversary are not correlated, then the standard results of [2] can be used. But there is a case which is still more general and yet implies no quantum correlation (i.e. entanglement). We say a state $\rho_{AB}$ is separable if it can be written as $\rho_{AB} = \sum_i \sigma^A_i \otimes \tau^B_i$. In this case, Lemma 3.1.8 of Renato Renner's Ph.D. thesis [5] lets us conclude something interesting. This lemma tells us that??? blah blah, confused, mixed up, need help.
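As an added example (not part of the paper), the following Python computes the conditional min-entropy of Definition 1 numerically for real density matrices: λ is found by bisection with a Cholesky-style positivity test of λ·(I_A ⊗ ρ_E) − ρ_AE, and the constructed inputs check Lemma 1 on a product state and the negative value that the Bell state of Theorem 5 takes. All function names and sample states are our own assumptions.

```python
# Added example: H(A|E) = -log2(lambda) per Definition 1, in pure Python.
import math

def kron(a, b):
    """Tensor product of two square matrices given as nested lists."""
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]

def partial_trace_a(rho, d_a, d_e):
    """Tr_A of a (d_a*d_e) x (d_a*d_e) matrix; row/col index = a*d_e + e."""
    return [[sum(rho[a * d_e + i][a * d_e + j] for a in range(d_a))
             for j in range(d_e)] for i in range(d_e)]

def is_psd(m, tol=1e-9):
    """Cholesky-style test: is the real symmetric matrix m positive semidefinite?"""
    n = len(m)
    l = [[0.0] * n for _ in range(n)]
    for j in range(n):
        d = m[j][j] - sum(l[j][k] ** 2 for k in range(j))
        if d < -tol:
            return False
        if d <= tol:  # zero pivot: the rest of this column must vanish too
            for i in range(j + 1, n):
                if abs(m[i][j] - sum(l[i][k] * l[j][k] for k in range(j))) > tol:
                    return False
            continue
        l[j][j] = math.sqrt(d)
        for i in range(j + 1, n):
            l[i][j] = (m[i][j] - sum(l[i][k] * l[j][k] for k in range(j))) / l[j][j]
    return True

def cond_min_entropy(rho_ae, d_a, d_e, eps=1e-10):
    """Smallest lambda with lambda*(I_A (x) rho_E) - rho_AE >= 0, then -log2."""
    id_a = [[1.0 if i == j else 0.0 for j in range(d_a)] for i in range(d_a)]
    ref = kron(id_a, partial_trace_a(rho_ae, d_a, d_e))  # I_A (x) rho_E
    n = len(ref)
    def ok(lam):
        return is_psd([[lam * ref[i][j] - rho_ae[i][j] for j in range(n)]
                       for i in range(n)])
    lo, hi = 0.0, 1.0
    while not ok(hi):  # grow the bracket until the operator is non-negative
        hi *= 2
        if hi > 1e6:
            raise ValueError("rho_E singular where rho_AE has support")
    while hi - lo > eps:
        mid = (lo + hi) / 2
        lo, hi = (lo, mid) if ok(mid) else (mid, hi)
    return -math.log2(hi)  # negative for entangled states (see Theorem 5)

# Constructed sample states (assumptions, not from the paper): a product state,
# for which Lemma 1 gives H(A|E) = -log2(0.75), and a two-qubit Bell state.
RHO_A = [[0.75, 0.0], [0.0, 0.25]]
RHO_B = [[0.7, 0.2], [0.2, 0.3]]
BELL = [[0.5, 0, 0, 0.5], [0, 0, 0, 0], [0, 0, 0, 0], [0.5, 0, 0, 0.5]]
```

Running `cond_min_entropy(kron(RHO_A, RHO_B), 2, 2)` gives about 0.415 and `cond_min_entropy(BELL, 2, 2)` gives -1, the conditional min-entropy of a maximally entangled qubit pair.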
Lemma 2. For any bipartite state over we have H A E) t = Tr A [ρ ] t ρ E.

Proof. H A E) t ρ t I ρ E Tr A [ρ ] t [ Tr A ρ I ρ E)] Tr A [ρ ] t ρ E

Both [3] and [2] presented security definitions equivalent, in their respective models, to the following two security definitions.

Definition 2 (Entropic Security). An encryption system E is (t, ε)-entropically secure if for all states ρ such that H min ρ ρ E ) t, all interpretations {p j, σj )} and all adversaries A, there exists an A' such that for all functions f we have
Pr[σ i )) = fσi )] Pr[A σi E ) = fσi )] ε. (1)

Definition 3 (Entropic Indistinguishability). An encryption system E is (t, ɛ)-indistinguishable if for all states ρ such that H ρ ρ E ) t we have that
Eρ ) I ρ E < ɛ. (2)

3 Equivalence between the two security definitions

Theorem 1. (t 1, ε/2)-indistinguishability implies (t, ε)-entropic security for all functions.

Proof. Suppose there exists an adversary B, a state ρ such that H min ρ ρ E ) t, an interpretation { p j, σj ) } for ρ and a function f such that
Pr[BEσi )) fσi )] Pr[B ρ E ) fσi )] > ε (3)
for all adversaries B'. Then we know that there exists another adversary and a predicate h such that (t, ε/2)-entropic security is violated. Let us call this adversary A and define the sets E 0 and E 1 as follows:
E 0 = { i hσ i ) = 0 } (4)
E 1 = { i hσ i ) = 1 }. (5)
Let r 0 = p i, i E 0 r 1 = p i, i E 1 τ0 = 1 p i σi r 0 i E 0 ) and ) τ1 = 1 p i σi. r 1 i E 1
Note that ρ = r 0 τ 0 + r 1 τ 1. Now, define the following states:
τ 0 = r 0 τ 0 + r 1 I τ E 1 (6)
τ 1 = r 1 τ 1 + r 0 I τ E 0, (7)
where, as usual, τ E i = Tr A [τ i ].

Lemma 3. H min τ 0 τ E 0 ) t 1, and H min τ 1 τ E 1 ) t 1.

Proof. First, it is clear that τ E 0 = τ E 1 = ρ E. First observe that
max ψ ψ τ 0 ψ ψ I ρ E ψ r 0 max ψ max ψ ψ τ0 ψ ψ τ0 + r1 ψ I ρ E max ψ ψ ψ τ0 ψ ψ I ρ E ψ + r ψ I d 1 max A τ1 E ψ ψ ψ I ρ E ψ. 1 ψ ψ I ρ E 1 t. ψ r 0 r 0 τ
Second, using Theorem 3.1.1 from Renato Renner's thesis and the previous observation, we get
max ψ ψ I τ1 E ψ ψ τ1 ψ ψ I ρ E max ψ ψ ψ I ρ E ψ 1 t. r 1
Combining these two results, we obtain
max ψ ψ τ 0 ψ ψ I ρ E ψ t = t 1).
Of course, an identical calculation yields the same result for τ 1.
To finish the proof, we need to show that A can distinguish E(τ 0 ) from E(τ 1 ). Assume that A can distinguish Eτ0 ) from Eτ1 ) in an (r 0, r 1) mixture with probability η. Now assume that we feed it Eτ0 ) with probability 1/2 and Eτ1 ) with probability 1/2. Observe that this is exactly as if we gave it an (r 0, r 1) mixture of Eτ0 ) and Eτ1 ) with probability 1/2 and an (r 1, r 0) mixture of I τ0 E and I τ1 E with probability 1/2. Let us call the optimal probability of distinguishing these last two states α. We then have that the probability of distinguishing E(τ 0 ) from E(τ 1 ) using A is at least
1 η + 1 1 α) = 1 + 1 η α).
But we know that
η α = Pr[τ i )) = i] max Pr[A τ E A i ) = i] > ε/2.
Hence, the probability of distinguishing E(τ 0 ) from E(τ 1 ) is at least 1/2 + ε/4, which implies that E τ 0 ) E τ 1 ) > ε and therefore that there exists a state ω with H A E) t such that Eω ) I ω E > ε/2.

Theorem 2. (t, ε)-entropic security implies (t 1, 6ε)-indistinguishability as long as t n A 1.

Proof. We will prove the contrapositive. Let ρ be a state such that H min ρ ρ E ) t 1 and Eρ ) I ρ E > 6ε. Consider the following state
ρ' = 1/3 ρ + 2/3 I ρ E.
We can easily show that H min ρ' ρ E ) = H min ρ ρ E ) t:
ψ ρ ψ ψ I ρ E ψ = 1 ψ ρ ψ 3 ψ I ρ E ψ + ψ I ρ E ψ 3 ψ I ρ E ψ 1 3 t 1) + 1 1 3 = 3 t + 1 ) ) t + t 3 = t.
Since Eρ ) I ρ E > 6ε, we know that there exists an adversary that can distinguish Eρ ) from I ρ E with probability at least 1/2 + 3ε. Let us call this adversary A, and let us assume that it gives the right answer with probability η 1 when it is given Eρ ) and with probability η 2 when it is given I ρ E. We then have 1/2(η 1 + η 2) > 1/2 + 3ε. Let I 0 and I 1 be two states such that (I 0 + I 1)/2 = I ρ E and I 0 I ρ E I1, I ρ E, Tr A (I 0 ) = Tr A (I 1 ) = ρ E. It is clear that
ρ' = 1/3 ρ + 1/3 I 0 + 1/3 I 1. (8)
Now, let us define a function h such that h(ρ) = 0, h(I 0 ) = 1, and h(I 1 ) = 2. We will show that A violates entropic security on ρ', the interpretation given in (8) and the function h. First of all, it is clear that by having access only to Eve's system, no adversary can guess the value of h with probability greater than 1/3. Let us now determine what A can do by having access to the encrypted version of ρ'. When 0, we have:
Pr[σ i )) = hσ i )] = 1 3 η 1 + η 3 = 1 3 η 1 + η ) > 1 1 + 3ε) 3 = 1 3 + ε.
We then finally get Pr[σ i)) = hσ i )] 1 3 > ε, which violates entropic security.

4 Two encryption schemes

We shall first show a technical lemma which will be useful as an intermediate step for both encryption schemes.

Lemma 4. For any valid bipartite state ρ, where Tr A [ρ ] = ρ E, we have
[ ) ] [ Tr A ρ IA ρ E = Tr A ρ ] 1 ρ E,
where is the dimension of the A space.
Proof. By definition we have
[ Tr A ρ I ) ] ρ E = Tr A [ρ ] [ )] I Tr A ρ ρ E + 1 ρ E. (9)
Let us concentrate on the middle term of the right-hand side. By the spectral decomposition theorem, there exist bases r i and j such that ρ E = i λ i r i r i and I ρ E = λ i i,j j j r i r i. So
[ )] I Tr A ρ ρ E = Tr A ρ λ i j j r i r i d i,j A λ i = Tr A ρ j j r i r i d i A j = λ i [ Tr A ρ I A r i r i )] d i A = 1 λ i ρ E r i r i = ρE. i
Plugging this result into equation (9), we get the lemma.

4.1 A scheme based on delta-biased spaces

We shall show that if H(A|E) t, then the Ambainis-Smith scheme, introduced in [1], is ε-secure using n A t + log n A + log 1 ε ) bits of key. To prove this, we first need a few technical lemmas.

Lemma 5. Tr A ρ Tr A ρ.

Proof. Since the square root operator is concave and a density operator is a convex combination of operators, we can conclude that for every projector P we have P ρ P P ρ P. Hence,
Tr A ρ = i I) ρ i I) i I)ρ i I) 1 = i I)ρ E i I) A 1 i I)ρ i I) = Tr A ρ
Lemma 6. For every Hermitian matrix M on H A H E,
Tr A [M ] = 1 Tr A [X u Z v I)M] Tr A [X u Z v I)M] u,v

Proof. We can easily show that
Tr A [M ] = ij Tr A [ i j A I E )M] Tr A [ i j A I E )M]
Let us define a column vector of matrices W such that W m = Tr A [ i j A I E )M] where i = m and j = m mod n A. We now have Tr A [M ] = W W = W F F W, where F is a unitary matrix on vectors of dimension d A. In particular, we can choose F to be the unitary transformation i j 1 da X i Z j. This matrix exists since the Pauli matrices form an orthonormal basis for B(H A ), as do the i j. Now, let us define W' = F W. We then have W' m = 1 da Tr A [X i Z j I E )M], and the statement immediately follows from the fact that Tr A [M ] = W F F W = W' W'.

0 n A 0 n A 0 n A 0 n A 0 n A 0 0 n A
This works fine on a normal line. But there are only 4 font sizes in math mode, so in the last case the size for n and for A is the same. By inserting negative spaces one gets something decent, like n A n A.

Lemma 7. Tr A [Eρ ) I ρ E ) ] δ Tr A [ρ ].

Proof.
Tr A [Eρ ) I ρ E ) ] = Tr A [Eρ ) ] 1 ρ E by Lemma 4
= 1 u,v Tr A [X u Z v I)Eρ )] Tr A [X u Z v I)Eρ )] 1 ρ E
= 1 uv 0 n A 0 n E Tr A [X u Z v I)Eρ )] Tr A [X u Z v I)Eρ )]
δ uv 0 n A 0 n E Tr A [X u Z v I)ρ ] Tr A [X u Z v I)ρ ]
δ uv Tr A [X u Z v I)ρ ] Tr A [X u Z v I)ρ ]
= δ Tr A [ρ ].
Lemma 8. Eρ ) I ρ E δ da t.

Proof.
Eρ ) I ρ E = Tr[Tr A[ Eρ ) I ρ d E ) ]] A Tr[ Tr A [Eρ ) I ρ d E ) ]] A Tr[ δ Tr A [ρ ]] = δ Tr[ Tr A [ρ ]].
Using Lemma 2 we continue as follows:
Eρ ) I ρ E δ Tr[ t ρ E ] = δ t Tr[ρ E ] = δ t.

We are now ready to prove the main theorem:

Theorem 3. If H A E) t, then the Ambainis-Smith scheme is ε-secure using n A t + log n A + log 1 ε ) bits of key, where n A = log.

Proof. If we choose δ ε/ n A t)/, we obtain Eρ ) I ρ E ε with na t + log n A + log 1 ε ) bits of key.

4.2 A scheme based on XOR-universal permutations

Definition 4. Let H n = {h i } i I be a family of permutations over n-bit strings. Consider the event A = h i x) h i y). We say the family H n is strongly-XOR-universal if for all x, y and all a 0 we have Pr i I [A = a] 1 n.

The family proposed in [3] naturally possesses this property. Notice that the probability of seeing A = a = 0 can be much larger than 1/2^n: in fact it is equal to the collision probability of the input.
Proposition 1. Let H n be a strongly-XOR-universal family of permutations. Consider the super-operator E k ρ) = i, X a Z b I E )ρ Z b X a I E ), where i is chosen uniformly at random over n-bit strings and a b = h i k), where k is the secret key (a b denotes the concatenation of the strings a and b). Then E is a quantum cipher.

Theorem 4. The cipher of Proposition 1 is (t, ɛ)-indistinguishable for all states ρ such that H ρ ρ E ) t, as long as H K) + H ρ ρ E ) n A + log1/ɛ).

We will need the following lemma to complete the proof.

Lemma 9. For a cipher as defined in Proposition 1, we have
Tr A [ Eρ ) ] 1 I 1 [ K Tr A ρ ] + 1 ρ E

Proof. The adversary's view can be written this way: ρ' = Eρ) = E k,i [ i i X a Z b ρZ b X a ]; we have dropped the I E and the to simplify notation. Note that is the dimension of the input to E, but the output dimension is I . We are interested in the quantity Tr A Eρ) ). First note that Tr i i j j ) = δ ij, the Dirac delta, and Tr A B) = Tr A) Tr B) for any operators A and B. So
Tr A Eρ) ) = 1 I Tr A Ek,k,i[X a Z b ρZ b X a X c Z d ρZ d X c ] ) (10)
= 1 I Tr A Ek,k,i[Z d X c X a Z b ρZ b X a X c Z d ρ] ) (11)
= 1 I Tr A Ek,k,i[ 1) d c 1) d a X c X a Z d Z b ρz b X a X c Z d ρ] ) (12)
= 1 I Tr A Ek,k,i[ 1) d c ) 1) d a ) X c X a Z d Z b ρz b Z d X a X c ρ] ) (13)
= 1 I Tr A Eef,i [X e Z f ρz f X e ρ] ) (14)
where a b = h i k) and c d = h i k') and where k and k' are independent instances of the key. Also e f = a c) b d) = a b) c d). By Definition 4, we know that the probability of seeing any string e f different from zero is bounded above by 1/2^n. Let us divide Equation (14) into two terms, one for e f = 0 and the other for all e f 0. Let us introduce the following notation: ρ ef instead of X e Z f ρZ f X e, and p ef for the probability that e f is observed. Thus we can rewrite everything like this:
Tr A Eρ) ) = 1 I Tr ρ A K + e,f p ef ρ ef ρ, where e f 0. (15)
Observe two things: for all e f 0 we know that p ef 1/2^n, and 1 ef ρ n ef = I A / ρ E. Quantum mechanics also tells us that Tr ρσ) is the expectation of the observed eigenvalue if one

2 X a Z b = X a 1 Z b 1 X an Z bn if a = a 1 ... a n and b = b 1 ... b n.
measures the observable ρ on the state σ. A specific case is Tr I n ρ ) = 1/2^n: since all eigenvalues of the perfectly mixed state are equal to 1/2^n, the average cannot be different from this number. Let A be the positive operator e,f p ef ρ ef, e f 0. From the previous observations, we can conclude that there exists a positive operator B such that A + B = I A / ρ E, i.e. B = e,f 1 p n ef )ρ ef and p 0 0 = 0. Therefore Tr A A + B)ρ) 1 ρ E, thus Tr A Aρ) + Tr A Bρ) 1 ρ E and finally Tr A Aρ) 1 ρ E. So we can rewrite Equation (15) this way:
Tr A Eρ ) ) 1 I Tr A ρ K + 1 ρ E. (16)
which is equivalent to the lemma statement.

Corollary 1. For a cipher as defined in Proposition 1, we have
[ Tr A Eρ ) I ) ] ρ E 1 I K Tr Aρ ). ) )

Proof. This is easily proved by using Lemma 4, which says in our case:
[ ) ] [ Tr A Eρ ) IA ρ E = Tr A Eρ ) ] 1 I 1 ρ E,
Using the result of the previous lemma (Lemma 9), we get the result.

And finally we can prove Theorem 4.

Proof. Trivially, we have
Eρ ) I ρ E = Tr[Tr A[ Eρ ) I ρ d E ) ]] A Tr[ I Tr A [Eρ ) I ρ d E ) ]] A Tr[ K Tr A[ρ ]] = K Tr[ Tr A [ρ ]].
Using Lemma 2 we continue as follows:
Eρ ) I ρ E = = K Tr[ t ρ E ] t Tr[ρ E ] K t. K
Now, by hypothesis, we have H K) + H ρ ρ E ) n A + log1/ɛ), which can be transformed into log log K ) t log ɛ. Getting rid of the logs gives us t K ɛ. This in turn implies that Eρ ) I ρ E t ɛ, K which is the desired result. If one factors out log K in the last equation, we get n A t+ log 1 ɛ ) log K ). So, as long as the key length is larger than n A t + log 1/ɛ), the scheme of Proposition 1 is a (t, ɛ)-indistinguishable scheme.

5 Minimum requirement for the key length

We can generalize the proof of the lower bound on the key length found in [3] to the quantum world and the conditional min-entropy definition.

Theorem 5. Any quantum encryption scheme which is (t, ɛ)-entropically secure for inputs of length n requires a key of length at least n t 1.

Proof. Let ψ be a Bell state on n t qubits. So, by definition, assuming the dimension of the A space is equal to that of the E space, we have that Tr A ψ ) = IE d E, where d E = n t)/. Let the input to the cipher be the state Tr ) B ψ U n+t, where U n+t is simply a uniform classical random variable over n + t)/ bits. So ρ = ψ ψ U A n+t.
Computing the conditional min-entropy is easy: H ρ ρ E ) = n t)/ + n + t)/ = t. We also know that for such a state, E A I E ) ψ U A n+t ) is statistically indistinguishable from I A Tr ) A ψ. It is well known that such a channel requires at least n t)/ 1 bits of key (the minus one comes from the statistical relaxation of the security when entanglement is present). Sadly, the proof of [3] for schemes using public coins, as in [1], cannot be similarly generalised.

References

[1] Andris Ambainis and Adam Smith. Small pseudo-random families of matrices: Derandomizing approximate quantum encryption. In Klaus Jansen, Sanjeev Khanna, José D. P. Rolim, and Dana Ron, editors, APPROX-RANDOM, volume 3122 of Lecture Notes in Computer Science, pages 249-260. Springer, 2004.

[2] Simon Pierre Desrosiers. Entropic security in quantum cryptography. quant-ph, 2007.

[3] Yevgeniy Dodis and Adam Smith. Entropic security and the encryption of high entropy messages. Cryptology ePrint Archive, Report 2004/219, 2004. http://eprint.iacr.org/.

[4] M. A. Nielsen and Isaac L. Chuang. Quantum computation and quantum information. Cambridge University Press, New York, NY, USA, 2000.

[5] Renato Renner. Security of Quantum Key Distribution. PhD thesis, Swiss Federal Institute of Technology, 2005.

[6] Alexander Russell and Hong Wang. How to fool an unbounded adversary with a short key. In EUROCRYPT '02: Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, pages 133-148, London, UK, 2002. Springer-Verlag.