Tutorial: Device-independent random number generation. Roger Colbeck University of York

Similar documents
Unconditionally secure deviceindependent

Device Independent Randomness Extraction for Arbitrarily Weak Min-Entropy Source

Bit-Commitment and Coin Flipping in a Device-Independent Setting

Device-independent Quantum Key Distribution and Randomness Generation. Stefano Pironio Université Libre de Bruxelles

A semi-device-independent framework based on natural physical assumptions

Entropy Accumulation in Device-independent Protocols

Untrusted quantum devices. Yaoyun Shi University of Michigan updated Feb. 1, 2014

Challenges in Quantum Information Science. Umesh V. Vazirani U. C. Berkeley

Entanglement and information

Device-Independent Quantum Information Processing

Cryptography in a quantum world

More Randomness From Noisy Sources

Randomness in nonlocal games between mistrustful players

Chapter 13: Photons for quantum information. Quantum only tasks. Teleportation. Superdense coding. Quantum key distribution

An Introduction to Quantum Information. By Aditya Jain. Under the Guidance of Dr. Guruprasad Kar PAMU, ISI Kolkata

Device-independent quantum information. Valerio Scarani Centre for Quantum Technologies National University of Singapore

Introduction to Quantum Key Distribution

Universal security for randomness expansion

Free randomness can be amplified

5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes

Practical quantum-key. key- distribution post-processing

Lecture 14, Thurs March 2: Nonlocal Games

Trustworthy Quantum Information. Yaoyun Shi University of Michigan

Lecture 15: Privacy Amplification against Active Attackers

Device-Independent Quantum Information Processing (DIQIP)

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

Introduction to Cryptography Lecture 13

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Some limits on non-local randomness expansion

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lecture 20: Bell inequalities and nonlocality

Security Implications of Quantum Technologies

Quantum key distribution for the lazy and careless

9. Distance measures. 9.1 Classical information measures. Head Tail. How similar/close are two probability distributions? Trace distance.

Massachusetts Institute of Technology Department of Electrical Engineering and Computer Science Quantum Optical Communication

Security of Quantum Key Distribution with Imperfect Devices

Fully device independent quantum key distribution

Quantum Error Correcting Codes and Quantum Cryptography. Peter Shor M.I.T. Cambridge, MA 02139

CPSC 467b: Cryptography and Computer Security

Quantum Cryptography

High Fidelity to Low Weight. Daniel Gottesman Perimeter Institute

arxiv: v1 [quant-ph] 21 Aug 2013

Quantum Entanglement, Quantum Cryptography, Beyond Quantum Mechanics, and Why Quantum Mechanics Brad Christensen Advisor: Paul G.

Lecture 14: Secure Multiparty Computation

CS/Ph120 Homework 8 Solutions

Quantum Supremacy and its Applications

Quantum Key Distribution. The Starting Point

Bell s inequalities and their uses

Security of Device-Independent Quantum Key Distribution Protocols

CS120, Quantum Cryptography, Fall 2016

Other Topics in Quantum Information

AQI: Advanced Quantum Information Lecture 6 (Module 2): Distinguishing Quantum States January 28, 2013

Introduction to Algorithms

Quantum Supremacy and its Applications

Quantum information and quantum mechanics: fundamental issues. John Preskill, Caltech 23 February

EPR paradox, Bell inequality, etc.

Quantum Symmetrically-Private Information Retrieval

Trustworthiness of detectors in quantum key distribution with untrusted detectors

Ph 219/CS 219. Exercises Due: Friday 3 November 2006

Lecture 6 Sept. 14, 2015

MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer

Quantum Information Transfer and Processing Miloslav Dušek

Ping Pong Protocol & Auto-compensation

Sharing and verifying quantum informa3on with differing degrees of trust

Odd Things about Quantum Mechanics: Abandoning Determinism In Newtonian physics, Maxwell theory, Einstein's special or general relativity, if an initi

Physics is becoming too difficult for physicists. David Hilbert (mathematician)

1 Distributional problems

1 Cryptographic hash functions

Quantum Communication. Serge Massar Université Libre de Bruxelles

PERFECTLY secure key agreement has been studied recently

An Introduction to Quantum Information and Applications

Error Reconciliation in QKD. Distribution

1 Secure two-party computation

CPSC 467: Cryptography and Computer Security

LECTURE NOTES ON Quantum Cryptography

Classical Verification of Quantum Computations

Robust protocols for securely expanding randomness and distributing keys using untrusted quantum devices

Practical Quantum Coin Flipping

ASPECIAL case of the general key agreement scenario defined

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

High rate quantum cryptography with untrusted relay: Theory and experiment

Authentication. Chapter Message Authentication

Robust protocols for securely expanding randomness and distributing keys using untrusted quantum devices

Quantum to Classical Randomness Extractors

Nonlocality (CH. I & II)

Unconditional Security of the Bennett 1992 quantum key-distribution protocol over a lossy and noisy channel

Quantum Cryptography

What is the Q in QRNG?

Problem Set: TT Quantum Information

Experimentally Generated Random Numbers Certified by the Impossibility of Superluminal Signaling

Lecture 21: Quantum communication complexity

Cryptography and Security Final Exam

(Quantum?) Processes and Correlations with no definite causal order

Quantum Cryptography. Areas for Discussion. Quantum Cryptography. Photons. Photons. Photons. MSc Distributed Systems and Security

arxiv:quant-ph/ v1 13 Mar 2007

Secrecy and the Quantum

Lecture 6: Quantum error correction and quantum capacity

Question 1. The Chinese University of Hong Kong, Spring 2018

Realization of B92 QKD protocol using id3100 Clavis 2 system

The Laws of Cryptography Zero-Knowledge Protocols

Transcription:

Tutorial: Device-independent random number generation Roger Colbeck University of York

Outline Brief motivation of random number generation Discuss what we mean by a random number Discuss some ways of generating them leading up to device-independent protocols Explain the main ideas behind a deviceindependent random number generator Discuss what it means for a protocol to be secure Briefly mention related tasks

Why are random numbers important? gambling simulations cryptography

Random number generation

What is a random number? RNG X 1, X 2, Unpredictable by anyone (independent of everything else) Uniformly distributed

What is a random number? RNG E X 1, X 2, More formally, we can say X j is a uniform random bit (with respect to E) if P Xj E = P Xj = 1 2 where E represents everything else (includes X 1,, X j 1 )

What is a random number? Quantum case RNG X 1, X 2, x 1 X x x A ρ E E

What do we want in a random number generation protocol? Secure Reliable Easy to implement Technologically feasible Requires few devices Have a fast rate

Security Protocol should come with a rigorous, precisely formulated security proof and statement of validity E.g., if the protocol is used correctly, then no adversary can learn the random numbers even given unlimited time/resources (unless physics is wrong)

Security Protocol should come with a rigorous, precisely formulated security proof and statement of validity E.g., if the adversary is limited to have particular computational resources, the random string can be treated as random for a certain amount of time.

How might we generate random numbers?

How might we generate random numbers? Classical case Small random seed Knows protocol

How might we generate random numbers? Classical case Long random output F(S 1, S 2, S 3,, S m ) Small random seed S 1, S 2, S 3,, S m Knows F

Classical case Drawbacks: Cannot have unconditional security In general, we cannot prove hardness of breaking the protocol

Trusted quantum case random seed Knows protocol

Trusted quantum case For example: use a beamsplitter 0 1

Trusted quantum case For example: use a beamsplitter 0 1 This might be ok if: Trust the equipment Ensure that it doesn t change over time

Trusted quantum case For example: use a beamsplitter 0 1 This might be ok if: Trust the equipment Ensure that it doesn t change over time (Trust the physics and that it is complete)

Trusted quantum case For example: use a beamsplitter 0 1 Ideally we would like a certificate that outputs are random

Trusted quantum case Removes classical drawbacks; in particular, can have security based on physics. New drawbacks: Technologically harder to implement (but not too bad) Security relies on the devices behaving correctly

The setup (quantum) random seed Knows protocol

The setup (device-independent) random seed Knows protocol Want to generate longer random string

Device-independence No assumptions made about the workings of the devices used However, we do need some assumptions, in particular, both strong lab walls and initial randomness [necessary for cryptography]

Security proofs Protocol Assumptions Security proof

Security proofs Theory world Protocol Assumptions Security proof RNG possible in theory(world)

Security proofs Theory world Real world Protocol Assumptions Security proof Is our theory world proof relevant in the real world? RNG possible in theory(world)

Security proofs Weaker assumptions More security

Security proofs Weaker assumptions More security Device-independence tries to remove all the assumptions on the devices Removes this mismatch problem between the real world and theory world

Security proofs Weaker assumptions More security No assumptions on devices means the security proof has to work even with maliciously constructed devices.

Security proofs Weaker assumptions More security Protocol remains secure if devices stop working properly or are tampered with Protocol checks the workings of the devices on-the-fly (hence, self-testing)

Device-independence: main ideas Don t trust devices, so have to test them

How can we test the devices? RNG X 1, X 2,

How can we test for randomness? Overlapping permutations: Analyse sequences of five consecutive random numbers. The 120 possible orderings should occur with statistically equal probability. Ranks of matrices: Select some number of bits from some number of random numbers to form a matrix over {0,1}, then determine the rank of the matrix. Count the ranks. Monkey tests: Treat sequences of some number of bits as "words". Count the overlapping words in a stream. The number of "words" that don't appear should follow a known distribution. The craps test: Play 200,000 games of craps, counting the wins and the number of throws per game. Each count should follow a certain distribution.

How can we test for randomness? There is no good test that acts only on the outputs. RNG X 1, X 2, No f such that f X 1, X 2, = accept reject with accept only if the sequence is random.

How can we test for randomness? f Y 1, Y 2, =accept RNG Y 1, Y 2, X i = Y i RNG RNG X 1, X 2, f X 1, X 2, =accept

More advanced test X 1, X 2, There is no good test with only one device f A 1, A 2,, X 1, X 2, {pass, fail} Adversary knows f Adversary can supply pre-programmed classical device that will always pass A 1, A 2, (Random)

Device-independent randomness expansion: main ideas Bell inequality violation Non-classical behaviour (loophole-free)

Device-independent randomness expansion: main ideas Bell-inequality violation X Y P XY AB violates a Bell inequality A and B random Devices cannot communicate A B Eve cannot know X X not function of A Bell s theorem Roughly the idea of Ekert 91, although note that we re not making key here

Device-independent randomness expansion: main ideas Bell-inequality violation X Y P XY AB violates a Bell inequality A and B random Devices cannot communicate Bell s theorem A B Eve cannot know X X not function of A Doesn t mean that X is perfectly random

Device-independent randomness expansion: main ideas Bell-inequality violation X Y P XY AB violates a Bell inequality A and B random Devices cannot communicate Bell s theorem A E.g. CHSH game winning probability B Eve cannot know X X not function of A

Device-independent randomness expansion: main ideas CHSH game X {0,1} Y {0,1} Win if X = Y for A, B = 0,1, 2,1 or 2,3 X Y for A, B = (0,3). A {0,2} B {1,3} P cl 3 4 P qm 1 2 (1 + 1 2 ) 0.85. (Bell value 2) (Bell value 2 2)

Device-independent randomness expansion: main ideas X {0,1} Y {0,1} Win if X = Y for A, B = 0,1, 2,1 or 2,3 X Y for A, B = (0,3). A {0,2} B {1,3} 0 { 0, 1 } 1 2 { +, } P qm 1 2 (1 + 1 2 ) 0.85 3 ψ AB = 1 ( 00 + 11 ) 2

Device-independent randomness expansion: main ideas Maximum quantum violation Devices share max entangled (pure) state Eve has no information about the outcomes And X is uniform No entanglement with Eve ψ AB φ E Outcomes can be used as random numbers

Device-independent randomness expansion: main ideas Near maximum quantum violation Devices share state close to max entangled Eve has almost no information about the outcomes And X is near uniform Almost unentangled with Eve Outcomes can be processed to give random numbers

Device-independent randomness expansion: main ideas Near maximum quantum violation Eve has almost no information about the outcomes And X is near uniform Outcomes can be processed to give random numbers

Connecting Bell violation with Eve s knowledge How much can Eve know about X? P win = 1 2ε

Connecting Bell violation with Eve s knowledge How much can Eve know about X? P win = 1 2ε P XY AB = z p z P XY ABz Convex combination Quantum-realizable distributions

Connecting Bell violation with Eve s knowledge How much can Eve know about X? P win = 1 2ε P XY AB = z p z P XY ABz Convex combination Any non-signalling distribution

Connecting Bell violation with Eve s knowledge How much can Eve know about X? P win = 1 2ε P XY AB = z p z P XY ABz Convex combination Any non-signalling distribution P XY AB = Eve has no knowledge about X Eve knows X perfectly

Connecting Bell violation with Eve s knowledge How much can Eve know about X? P win = 1 2ε P XY AB = z p z P XY ABz Convex combination Any non-signalling distribution P XY AB = Eve has no knowledge about X Eve knows X perfectly Non-signalling Eve can guess X with probability 4ε + 1 2 1 4ε = 1 2 + 2ε

Device-independent randomness expansion protocol: Main ideas X1 X2 X3 Y1 Y2 Y3 A1 A2 A3 B1 B2 B3 Doing CHSH test costs randomness We want expansion

Device-independent randomness expansion protocol: Main ideas X1 X2 X3 Y1 Y2 Y3 A1 A2 A3 B1 B2 B3 Divide rounds into test rounds (T) and generation rounds (G) Test rounds are a small subset that cost randomness On the generation rounds, fixed inputs are used (no cost), e.g., (try to) measure in { 0, 1 } basis on both

Protocol structure A X B Y G 0 1 0 1 T 2 0 1 1 G 0 1 0 1 T 0 0 1 0 T 2 0 3 0 G 0 1 0 1 G 0 0 0 1 G 0 1 0 0 G 0 1 0 1 G 0 0 0 0 T 0 1 3 0 Use T rounds to check CHSH wins and error rate. For these If A, B = 0,1, 2,1 or (2,3), want X = Y If A, B = (0,3) want X Y Error rate too high abort 0 1 3 2

Protocol structure A X B Y G 0 1 0 1 T 2 0 1 1 G 0 1 0 1 T 0 0 1 0 T 2 0 3 0 G 0 1 0 1 G 0 0 0 1 G 0 1 0 0 G 0 1 0 1 G 0 0 0 0 T 0 1 3 0 Raw string is processed to give final random string S A = 1110110 01101 Randomness extraction NB: randomness extraction needs a short random seed.

Proof ingredients Protocol acts like a filter: for a significant probability of not aborting, the devices must have a large Bell inequality violation almost every time. Large Bell inequality violations implies difficulty for Eve to guess. If Eve cannot guess the output well, then we can compress the string to one she cannot guess at all. [via randomness extractor]

Randomness accounting Randomness input: To choose the test rounds To choose the tests (2 bits per test) To seed the randomness extractor Randomness output: If all goes well about 1 bit per round Few test rounds, short seed extractors expansion

Security definition What does it mean for a protocol to be secure? Define ideal Imagine Alice will randomly decide either to perform the real protocol or the ideal. The real protocol is secure if it is virtually impossible to distinguish the two.

Composable security Larger protocol 1. 2. n. Call randomness expansion sub-protocol n+1. Either use Real expansion sub-protocol, or Ideal How well can we tell the difference?

Security definition hear output (may be abort) Alice runs real or ideal Supply states and devices

The ideal We want the final state to have the form 1 ρ AE = X x x A ρ E x

The ideal We want the final state to have the form 1 ρ AE = X x x A ρ E x However, we don t simply define the ideal to output a state of this form. (It would be easy to distinguish this from the real protocol, e.g. by forcing real to abort)

The ideal Instead, take the ideal protocol to be the real protocol modified such that if it does not abort, right at the end Alice replaces her output by a perfect random string. x 1 X x x A ρ E

The ideal With the ideal defined in this way, it is impossible to distinguish the real and ideal based on abort. Only way to distinguish is if both: The protocol does not abort; and The output can be distinguished from a perfect random string D ρ AE, x 1 X x x A ρ E > 0 real

The ideal Thus, the security statement is a bound on the a priori probability that the protocol does not abort and the output can be distinguished from perfect randomness over all possible devices. NB: we don t make statements of the form Given the protocol did not abort, the output is secure (except with very small probability)

Technological aspects We have theoretical proofs: what about in practice?

Technological aspects What about in practice? Key ingredient is a Bell inequality violation Need to close detection loophole X Y P XY AB must violate a Bell inequality In order to verify this, have to include failure to detect events A B

Technological aspects What about in practice? Key ingredient is a Bell inequality violation Need to close detection loophole NB: easier to do this than for QKD X Y P XY AB must violate a Bell inequality In order to verify this, have to include failure to detect events A B

Technological aspects What about in practice? Need to close detection loophole (Note: no need to close locality loophole; although it doesn t hurt) X P XY AB -> security Y A B

Technological aspects What about in practice? Need to close detection loophole (Note: no need to close locality loophole; although it doesn t hurt) Need them to be faster to compete with current approaches

Some references random seed C, Thesis U.Camb. 2007, CK, JPhysA 44, 095305 2011 Pironio+, Nature 464, 1021 2010 PM, PRA 87, 012336, 2013 FGS, PRA 87, 012335, 2013 VV, Phil Trans 370, 3432, 2012 CY, STOC 14 MS, STOC 14, arxiv:1411.6608 ARV, later today

Related task: Randomness Amplification Imperfect randomness: - Looks random to Alice - Partly correlated with other information (that may be held by Eve) R j random seed e Want to generate perfect randomness

Related task: Randomness Amplification Imperfect randomness: - Looks random to Alice - Partly correlated with other information (that may be held by Eve) random seed R j e E.g., Santha-Vazirani source [FOCS 84] Limitation to the bias of each bit conditioned on previous ones and adversary. P Rj W 1 2 ε, 1 2 + ε Want to generate perfect randomness

Related task: Randomness Amplification R j CR, N.Phys 8 450 (2012) Gallego+, N. Commun 4, 2654 (2013) Brandao+, N.Commun 7, 11345 (2016) CY, STOC 14 CSW, arxiv:1402.4797 random seed e Want to generate perfect randomness

Another interesting scenario Non-quantum random seed Randomness expansion against non-signalling eavesdroppers

Summary Classical protocols aim to provide time-limited security Standard quantum protocols allow this to be upgraded to unconditional security Device-independent protocols allow security against device failure or tampering more security fewer assumptions

Summary Advantages: weaker assumptions -> more security certify security on-the-fly (calibration errors automatically caught). Open challenges Increased speed Sensible ways to reuse untrusted devices Can we get security against no-signalling adversaries?

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback