A semi-device-independent framework based on natural physical assumptions

Similar documents
Device-independent Quantum Key Distribution and Randomness Generation. Stefano Pironio Université Libre de Bruxelles

Secure heterodyne-based QRNG at 17 Gbps

Tutorial: Device-independent random number generation. Roger Colbeck University of York

Bit-Commitment and Coin Flipping in a Device-Independent Setting

Device-Independent Quantum Information Processing

Quantum Information Transfer and Processing Miloslav Dušek

Ping Pong Protocol & Auto-compensation

More Randomness From Noisy Sources

Device-Independent Quantum Information Processing (DIQIP)

High rate quantum cryptography with untrusted relay: Theory and experiment

Quantum Key Distribution. The Starting Point

General Strong Polarization

Trustworthy Quantum Information. Yaoyun Shi University of Michigan

Device-independent quantum information. Valerio Scarani Centre for Quantum Technologies National University of Singapore

EPR paradox, Bell inequality, etc.

Cryptography in a quantum world

Attacks against a Simplified Experimentally Feasible Semiquantum Key Distribution Protocol

PHY103A: Lecture # 9

Challenges in Quantum Information Science. Umesh V. Vazirani U. C. Berkeley

Quantum Hacking. Feihu Xu Dept. of Electrical and Computer Engineering, University of Toronto

Entropy Accumulation in Device-independent Protocols

Unconditionally secure deviceindependent

TECHNICAL NOTE AUTOMATIC GENERATION OF POINT SPRING SUPPORTS BASED ON DEFINED SOIL PROFILES AND COLUMN-FOOTING PROPERTIES

Device Independent Randomness Extraction for Arbitrarily Weak Min-Entropy Source

COMPRESSION FOR QUANTUM POPULATION CODING

Classical Verification of Quantum Computations

Universal security for randomness expansion

Untrusted quantum devices. Yaoyun Shi University of Michigan updated Feb. 1, 2014

Quantum-Secure Authentication

Unconditional Security of the Bennett 1992 quantum key-distribution protocol over a lossy and noisy channel

Fundamental rate-loss tradeoff for optical quantum key distribution

CS Lecture 8 & 9. Lagrange Multipliers & Varitional Bounds

Practical quantum-key. key- distribution post-processing

General Strong Polarization

Fundamental Security Issues in Continuous Variable Quantum Key Distribution

Cyber Security in the Quantum Era

Security of Device-Independent Quantum Key Distribution Protocols

High Fidelity to Low Weight. Daniel Gottesman Perimeter Institute

Elastic light scattering

An Introduction to Quantum Information. By Aditya Jain. Under the Guidance of Dr. Guruprasad Kar PAMU, ISI Kolkata

Lecture No. 5. For all weighted residual methods. For all (Bubnov) Galerkin methods. Summary of Conventional Galerkin Method

Variations. ECE 6540, Lecture 02 Multivariate Random Variables & Linear Algebra

Randomness in nonlocal games between mistrustful players

The controlled-not (CNOT) gate exors the first qubit into the second qubit ( a,b. a,a + b mod 2 ). Thus it permutes the four basis states as follows:

Lecture 11. Kernel Methods

Genuine three-partite entangled states with a hidden variable model

What is the Q in QRNG?

Realization of Finite-Size Continuous-Variable Quantum Key Distribution based on Einstein-Podolsky-Rosen Entangled Light

CHAPTER 5 Wave Properties of Matter and Quantum Mechanics I

Quantum non-demolition measurements:

Support Vector Machines. CSE 4309 Machine Learning Vassilis Athitsos Computer Science and Engineering Department University of Texas at Arlington

Charge carrier density in metals and semiconductors

Converse bounds for private communication over quantum channels

Security of Quantum Cryptography using Photons for Quantum Key Distribution. Karisa Daniels & Chris Marcellino Physics C191C

(Quantum?) Processes and Correlations with no definite causal order

Lecture 3. STAT161/261 Introduction to Pattern Recognition and Machine Learning Spring 2018 Prof. Allie Fletcher

Asymptotic Analysis of a Three State Quantum Cryptographic Protocol

Quantum random number generation

Quantum Communication

Quantum to Classical Randomness Extractors

Introduction to Quantum Key Distribution

An entangled LED driven quantum relay over 1km

10 - February, 2010 Jordan Myronuk

Quantum Communication. Serge Massar Université Libre de Bruxelles

Problem Set: TT Quantum Information

Control of Mobile Robots

Quantum Cryptography

Centre for Quantum Information and Communication

An ultrafast quantum random number generator based on quantum phase fluctuations

Cold atoms in optical lattices

DSGE (3): BASIC NEOCLASSICAL MODELS (2): APPROACHES OF SOLUTIONS

A Posteriori Error Estimates For Discontinuous Galerkin Methods Using Non-polynomial Basis Functions

Lecture No. 1 Introduction to Method of Weighted Residuals. Solve the differential equation L (u) = p(x) in V where L is a differential operator

Electric Field and Electric Potential (A)

QCRYPT Saturation Attack on Continuous-Variable Quantum Key Distribution System. Hao Qin*, Rupesh Kumar, and Romain Alléaume

Integrating Rational functions by the Method of Partial fraction Decomposition. Antony L. Foster

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

FUNDAMENTAL QUANTUM OPTICS EXPERIMENTS IN SPACE AND LAB. Luca Calderaro Admission to III year 22 September 2017

A Genetic Algorithm to Analyze the Security of Quantum Cryptographic Protocols

Speaker s name and affiliation Rotem Arnon- Friedman (ETH Zürich) de Finetti reductions in the context of non-local games

Uncertain Compression & Graph Coloring. Madhu Sudan Harvard

Independent Component Analysis and FastICA. Copyright Changwei Xiong June last update: July 7, 2016

Diffusive DE & DM Diffusve DE and DM. Eduardo Guendelman With my student David Benisty, Joseph Katz Memorial Conference, May 23, 2017

Massachusetts Institute of Technology Department of Electrical Engineering and Computer Science Quantum Optical Communication

Continuous-Variable Quantum Key Distribution Protocols Over Noisy Channels

Quantum state measurement

Quantum Correlations as Necessary Precondition for Secure Communication

Quantum key distribution

Building Blocks for Quantum Computing Part V Operation of the Trapped Ion Quantum Computer

Chapter 13: Photons for quantum information. Quantum only tasks. Teleportation. Superdense coding. Quantum key distribution

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Xiongfeng Ma Center for Quantum Information

Synthesizing Arbitrary Photon States in a Superconducting Resonator John Martinis UC Santa Barbara

From qubit to qudit with hybrid OAM-polarization quantum state

Analog quantum error correction with encoding a qubit into an oscillator

Toward the Generation of Bell Certified Randomness Using Photons

Quantum Mechanics. An essential theory to understand properties of matter and light. Chemical Electronic Magnetic Thermal Optical Etc.

A Guide to Experiments in Quantum Optics

Practical aspects of QKD security

(1) Correspondence of the density matrix to traditional method

Transcription:

AQIS 2017 4-8 September 2017 A semi-device-independent framework based on natural physical assumptions and its application to random number generation T. Van Himbeeck, E. Woodhead, N. Cerf, R. García-Patrón, S. Pironio arxiv:1612.06828

There exist vulnerabilities in quantum cryptography, successfully exploited by quantum hackers These attacks exploit a mismatch between the theoretical model used to prove security and the actual implementation

Device-independent quantum cryptography 1 Devices viewed as black boxes Randomness (bits) 0.8 0.6 0.4 0.2 A single natural physical assumption 0 2 2.2 2.4 2.6 2.8 Bell inequalition violation This approach can be used to certify the security of RNG and QKD protocols, or even the performance of quantum computers. Region not allowed by quantum theory if devices do not communicate

Usual, device-dependent quantum cryptography Based on a detailed characterization of the devices Semi-device-independent quantum cryptography Based on a few assumpions. Devices are partly untrusted. E.g.: Measurement-device-independence One-sided quantum cryptography Source-independent QRNG Qubit assumption Source & measurement independence Advantage: higher rate, easier to implement than fully device-independent protocols Fully device-independent quantum cryptography Based on minimal assumptions. Devices can be untrusted.

Semi-device-independent protocols based on an energy constraint Preparation Measurement ρρ xx Devices viewed as black boxes except for a single assumption: ρρ xx are optical signals close to the vacuum: 0 ρρ xx 0 ωω Randomness (bits) This assumption is sufficient to guarantee that devices behave in a genuinely quantum way. In particular, it allows for secure RNG protocols. Hopefully, it can also be used for QKD Bell violation analogue Region not allowed by quantum theory if prepared states satisfy the energy constraint

Device-independent quantum cryptography 1 Devices viewed as black boxes Randomness (bits) 0.8 0.6 0.4 0.2 A single natural physical assumption 0 2 2.2 2.4 2.6 2.8 Bell inequalition violation This approach can be used to certify the security of RNG and QKD protocols, or even the performance of quantum computers. Region not allowed by quantum theory if devices do not communicate

Semi-device-independent protocols based on an energy constraint Preparation Measurement ρρ xx Devices viewed as black boxes except for a single assumption: ρρ xx are optical signals close to the vacuum: 0 ρρ xx 0 ωω Randomness (bits) This assumption is sufficient to guarantee that devices behave in a genuinely quantum way. In particular, it allows for secure RNG protocols. Hopefully, it can also be used for QKD Bell violation analogue Region not allowed by quantum theory if prepared states satisfy the energy constraint

Usual, device-dependent quantum cryptography Based on a detailed characterization of the devices Semi-device-independent quantum cryptography Based on a few assumpions. Devices are partly untrusted. E.g.: Measurement-device-independence One-sided quantum cryptography Qubit assumption Source & measurement independence Energy constraint Fully device-independent quantum cryptography Based on minimal assumptions. Devices can be untrusted.

Outline Why semi-device-independent quantum cryptography? Motivation for our energy constraint assumption Results

Outline Why semi-device-independent quantum cryptography? Motivation for our energy constraint assumption Results

Even full DI requires non-trivial assumptions Usual, device-dependent quantum cryptography Semi-device-independent quantum cryptography Fully device-independent quantum cryptography Laser power is limited Electronics and classical computers are trusted No information leakage GPS are accurate

DI RNG implementations Monroe experiment Kwiat experiment / NIST analysis

Experimental requirements Device-independent Device-dependent Assumptions

Don t waste time developing cars: in the future planes will be easy to build, common, and affordable.

DI RNG implementations Monroe experiment Kwiat experiment / NIST analysis

Semi-DI protocols based on a qubit assumption ρρ xx CC 2

Semi-DI protocols based on a qubit assumption

Mismatch between model used for security proof and implementation! Qubit assumption is an idealization. Shows that it is important to choose well the assumptions.

αα 0 + ββ 1 + γγ 2 + Click with prob 1 αα 2 No-click with prob αα 2

Outline Why semi-device-independent quantum cryptography? Motivation for our energy constraint assumption Results

Semi-device-independent protocols based on an energy constraint Preparation Measurement ρρ xx Assumption: 0 ρρ xx 0 ωω xx

Semi-device-independent protocols based on an energy constraint Preparation Measurement ρρ xx Assumption: no-communication 0 ρρ xx 0 = 1

Semi-device-independent protocols based on an energy constraint Preparation Measurement ρρ xx Assumption: 0 ρρ xx 0 ωω xx - Natural relaxation of the no-communication assumption of full DI protocols

Semi-device-independent protocols based on an energy constraint Preparation Measurement ρρ xx Assumption: 0 ρρ xx 0 ωω xx - Natural relaxation of the no-communication assumption of full DI protocols - The appropriate space to describe quantum optics experiments is the Fock space of several quantum optical modes. In this context, it is natural to bound the average number of photons. - This is an assumption anyway made in many quantum optics experiments in which attenuated laser sources are used.

Semi-device-independent protocols based on an energy constraint Preparation Measurement ρρ xx Assumption: 0 ρρ xx 0 ωω xx - Natural relaxation of the no-communication assumption of full DI protocols - The appropriate space to describe quantum optics experiments is the Fock space of several quantum optical modes. In this context, it is natural to bound the average number of photons. - This is an assumption anyway made in many quantum optics experiments in which attenuated laser sources are used. - It is directly related to simple characteristics of the device components (laser power, attenuator) and robust to device imperfections.

Semi-device-independent protocols based on an energy constraint Preparation Measurement ρρ xx Assumption: 0 ρρ xx 0 ωω xx - Natural relaxation of the no-communication assumption of full DI protocols - The appropriate space to describe quantum optics experiments is the Fock space of several quantum optical modes. In this context, it is natural to bound the average number of photons. - This is an assumption anyway made in many quantum optics experiments in which attenuated laser sources are used. - It is directly related to simple characteristics of the device components (laser power, attenuator) and robust to device imperfections.

Semi-device-independent protocols based on an energy constraint Preparation Measurement ρρ xx Assumption: 0 ρρ xx 0 ωω xx - Natural relaxation of the no-communication assumption of full DI protocols - The appropriate space to describe quantum optics experiments is the Fock space of several quantum optical modes. In this context, it is natural to bound the average number of photons. - This is an assumption anyway made in many quantum optics experiments in which attenuated laser sources are used. - It is directly related to simple characteristics of the device components (laser power, attenuator) and robust to device imperfections. - It could be directly monitored (calibrated power meter) or enforced (optical fuse).

Outline Why semi-device-independent quantum cryptography? Motivation for our energy constraint assumption Results

No-communication assumption Qubit assumption Violation of Bell inequalities QQ > CC Violation of dimension witnesses QQ > CC Energy constraint assumption QQ > CC??

Input-output statistics PP bb xx = TTTT ρρ xx MM bb or PP bb xx = λλ pp λλ TTTT ρρ λλ λλ xx MM bb ρρ xx Equivalent to knowledge of the bias of bb given xx: EE xx = PP bb = 1 xx PP bb = 1 xx EE xx = TTTT[ρρ xx MM] or EE xx = λλ pp λλ TTTT ρρ xx λλ MM λλ Output of devices is non-trivial if bb is correlated to xx Amount of correlations can be measured by quantity EE = (EE 1 EE 2 )/2 Probability to guess correctly xx given bb is 1 2 + EE 2 bb does not depend on xx: EE = 0 bb fully correlated to xx: EE = 1

Input-output statistics PP bb xx = TTTT ρρ xx MM bb or PP bb xx = λλ pp λλ TTTT ρρ λλ λλ xx MM bb Assumption ρρ xx Energy constraint: 0 λλ pp λλ ρρ xx λλ 0 ww xx Equivalent to knowledge of the bias of bb given xx: EE xx = PP bb = 1 xx PP bb = 1 xx EE xx = TTTT[ρρ xx MM] or EE xx = λλ pp λλ TTTT ρρ xx λλ MM λλ Output of devices is non-trivial if bb is correlated to xx Amount of correlations can be measured by quantity EE = (EE 1 EE 2 )/2 Probability to guess correctly xx given bb is 1 2 + EE 2 bb does not depend on xx: EE = 0 bb fully correlated to xx: EE = 1

Input-output statistics PP bb xx = TTTT ρρ xx MM bb or PP bb xx = λλ pp λλ TTTT ρρ λλ λλ xx MM bb Assumption ρρ xx Energy constraint: 0 λλ pp λλ ρρ xx λλ 0 ww xx or pp λλ TTTT HHρρ λλ xx λλ 1 ww xx Equivalent to knowledge of the bias of bb given xx: EE xx = PP bb = 1 xx PP bb = 1 xx EE xx = TTTT[ρρ xx MM] or EE xx = λλ pp λλ TTTT ρρ xx λλ MM λλ Output of devices is non-trivial if bb is correlated to xx Amount of correlations can be measured by quantity EE = (EE 1 EE 2 )/2 Probability to guess correctly xx given bb is 1 2 + EE 2 bb does not depend on xx: EE = 0 bb fully correlated to xx: EE = 1

Maximal value for EE given ww 1 = ww 2 = ww? ww = 1 EE = (EE 1 EE 2 )/2 = 0 1 ww = 1/2 ρρ 1,2 = ( 0 ± 1 )/ 2 EE = (EE 1 EE 2 )/2 = 1 1 ww 1 arbitrary 2 ρρ 1 = ww 0 + 1 ww φφ 1 ρρ 2 = ww 0 + 1 ww φφ 2 ρρ 2 ρρ 1 Scalar product minimal if φφ 1 = φφ 2 = 1 ρρ 1,2 = ww 0 ± 1 ww 1 Best distinguishing measurement: MM = σσ xx We find the inequality EE = EE 1 EE 2 2 2 ww(1 ww)

According to quantum strategies: EE = EE 1 EE 2 Maximal value for classical strategies? 2 2 ww 1 ww = Q max How to define classical strategies? One possibility: classical strategies = deterministic strategies (or convex combinations thereof) EE xx = λλ pp λλ EE xx λλ with EE xx λλ = ±1 Let s be more conservative and compare QQ max to strategies where only EE 1 is deterministic EE 1 = λλ pp λλ EE 1 λλ with EE 1 λλ = ±1, no constraint on EE 2 If QQ max > DD max the output of xx = 1 is random (even to adversary with arbitrary knowledge of the devices)

EE 1 = ρρ 1 MM ρρ 1 = 1 MM = 2 ρρ 1 ρρ 1 II 1 EE 2 = ρρ 2 MM ρρ 2 = 2 ρρ 2 ρρ 1 2 1 EE = EE 1 EE 2 2 = 2 2 ρρ 2 ρρ 1 2 Minimal value of ρρ 2 ρρ 1 2 given w ρρ 2 ρρ 1 EE 4ww 1 ww = DD max

EE = EE 1 EE 2 2 If EE 1 is deterministic, we have the Bell inequality EE 4ww 1 ww = DD max Assumption According to a general quantum strategy EE 2 ww 1 ww = QQ max = DD max > D max Energy constraint: 0 λλ pp λλ ρρ xx λλ 0 ww xx

Given this characterization, one can also put rigorous bounds on the output entropy given EE 1, EE 2 straightforward to build a RNG protocol where amount of randomness produced is evaluated assuming only the energy bound, but no other assumption on the devices. More generally, it is possible to characterize completely the set of allowed values (EE 1, EE 2 ) for given energy bounds (ww 1, ww 2 ) One nice way to do it: QQ DD xx = 1,2 yy = MM EE xx = TTTT ρρ xx MM ww xx = TTTT[ρρ XX VV] ρρ XX bb = ±1 xx = ρρ XX φφ + yy = MM, VV AA xx MM = EE xx AA xx VV = ww xx aa = ±1 bb = ±1

How to produce non-deterministic correlations in the lab? QQ DD A practical implementation with gaussian states and homodyne measurements: Source prepares: Measurement: Homodyne measurement of X quadrature with b = sign(x)

A simpler implementation with a slightly stronger assumption xx {1,2} ρρ 1 ρρ 2 ρρ 2 ρρ 1 ρρ 1 QQ DD DD bb {0,1} Average energy constraint: 0 λλ pp λλ ρρ xx λλ 0 ww xx Peak energy constraint 0 ρρ xx λλ 0 ww xx for all λλ

Summary We propose to use a bound on the energy of optical signals as a unique assumption on which to prove the security of prepare-and-measure quantum cryptography protocol (with no other assumptions on the devices) We have shown that there is a gap between what can be achieved with very simple quantum implementations and deterministic strategies. This is equivalent to the violation of Bell inequalities in full DI protocols. These results immediately imply the existence of RNG protocols where the amount of randomness produced can be certified without making any assumptions about the devices except the energy assumption.

Open question Is the energy assumption sufficient to prove the security of a QKD protocol? We implicitly assumed that the preparation and measurement device did not share prior entanglement. Can this be relaxed? One extra motivation for the energy assumption is that it is in principle compatible with CV protocols for which no DI or semi-di implementations have been introduced. Can we analyze the security of a genuinely CV protocol in a DI setting using the energy assumption?

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback