A Tight High-Order Entropic Quantum Uncertainty Relation with Applications
Serge Fehr, Christian Schaffner (CWI Amsterdam, NL)
Renato Renner (ETH Zürich, CH)
Ivan Damgård, Louis Salvail (University of Århus, DK)
QIP 2008, Delhi, India
Thursday, December 20th 2007
Serge Fehr, Christian Schaffner (CWI Amsterdam, NL)
Ivan Damgård, Louis Salvail (University of Århus, DK)
Secure Identification and QKD in the Bounded-Quantum-Storage Model
QIP 2008, Delhi, India
Thursday, December 20th 2007
3 / 42
~1970: Birth of Quantum Cryptography
…
4 / 42
1-2 Oblivious Transfer
1-2OT: inputs $S_0, S_1$ and $C \in \{0,1\}$; output $S_C$
• complete for 2-party computation
• impossible in the plain (quantum) model
• possible in the Bounded-Quantum-Storage Model
5 / 42
(Randomized) 1-2 Oblivious Transfer
Rand 1-2OT: $S_0, S_1$; $C \in \{0,1\}$; $S_C$
• complete for 2-party computation
• impossible in the plain (quantum) model
• possible in the Bounded-Quantum-Storage Model
6 / 42
Outline
Motivation and Notation
Quantum Uncertainty Relations
Secure Identification
Man-In-The-Middle Attacks
Conclusion
7 / 42
Quantum Mechanics Notation
Measurements:
• + basis: $|0\rangle_+$, $|1\rangle_+$
• $\times$ basis: $|0\rangle_\times$, $|1\rangle_\times$
EPR pairs:
8 / 42
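Quantum 1-2 OT Protocol
[Protocol diagram. Labels: $\Theta \in_R \{+,\times\}^n$, $X \in_R \{0,1\}^n$, send $|X\rangle_\Theta$; get $X'$; $C = 0$, $\Theta' = +^n$; $F_0 \in_R \mathcal{F}_0$, $F_1 \in_R \mathcal{F}_1$; $\Theta, F_0, F_1$; $S_0$, $S_1 = ?$]
• Correctness
• Receiver-Security against Dishonest Alice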
9 / 42
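Sender-Security?
[Protocol diagram. Labels: $\Theta \in_R \{+,\times\}^n$, $X \in_R \{0,1\}^n$, send $|X\rangle_\Theta$; get; $\rho$; # qubits $< n/4$; $F_0 \in_R \mathcal{F}_0$, $F_1 \in_R \mathcal{F}_1$; $\Theta, F_0, F_1$; $S_0, S_1$]
Sender-Security: one of the strings looks completely random to dishonest Bob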
10 / 42
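Entanglement-Based Protocol
[Protocol diagram. Labels: epr n; $\Theta \in_R \{+,\times\}^n$, $X \in_R \{0,1\}^n$ (values not yet determined), send; get; $\rho$; # qubits $< n/4$; $F_0 \in_R \mathcal{F}_0$, $F_1 \in_R \mathcal{F}_1$; $\Theta, F_0, F_1$; $S_0, S_1$]
Sender-Security: One of the strings looks completely random to dishonest Bob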
11 / 42
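Entanglement-Based Protocol
[Protocol diagram. Labels: $\Theta \in_R \{+,\times\}^n$, $X \in_R \{0,1\}^n$, send $|X\rangle_\Theta$; get; $\rho$; # qubits $< n/4$; $F_0 \in_R \mathcal{F}_0$, $F_1 \in_R \mathcal{F}_1$; $\Theta, F_0, F_1$; $S_0, S_1$]
Sender-Security: One of the strings looks completely random to dishonest Bob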
12 / 42
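Let Bob Act First
[Protocol diagram. Labels: epr n; get; $\rho$; # qubits $< n/4$; $\Theta \in_R \{+,\times\}^n$, $X \in_R \{0,1\}^n$ (values not yet determined), send; $F_0 \in_R \mathcal{F}_0$, $F_1 \in_R \mathcal{F}_1$; $\Theta, F_0, F_1$; $S_0, S_1$]
Sender-Security: One of the strings looks completely random to dishonest Bob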
13 / 42
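Sender-Security Uncertainty Relation
[Protocol diagram. Labels: epr n; get; $\rho$; # qubits $< n/4$; $\Theta \in_R \{+,\times\}^n$, $X \in_R \{0,1\}^n$ (values not yet determined), send; $F_0 \in_R \mathcal{F}_0$, $F_1 \in_R \mathcal{F}_1$; $\Theta, F_0, F_1$; $S_0, S_1$]
Sender-Security: One of the strings looks completely random to dishonest Bob
$H_\infty(X \mid \Theta) \geq\ ?$
Privacy Amplification:
$$\underbrace{H_\infty(X \mid \Theta)}_{\geq\ ?} \;>\; \underbrace{\#\ \text{qubits}}_{<\ n/4}$$
[Renner König 05, Renner 06]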
14 / 42
Outline
Motivation and Notation
Quantum Uncertainty Relations
Secure Identification
Man-In-The-Middle Attacks
Conclusion
15 / 42
Entropic Uncertainty Relation for One Qubit
Maassen Uffink 88: Let $\rho_i$ be a 1-qubit state, $\Theta_i \in_R \{+,\times\}$, $X_i$ the outcome of measuring $\rho_i$ in basis $\Theta_i$. Then,
$$H(X_i \mid \Theta_i) = \frac{1}{2}\Big(\underbrace{H(X_i \mid \Theta_i = +) + H(X_i \mid \Theta_i = \times)}_{\geq 1}\Big) \geq \frac{1}{2}.$$
16 / 42
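Quantum Uncertainty Relation needed
[Diagram. Labels: $\Theta \in_R \{+,\times\}^n$, state $\rho$; $H_\infty(X \mid \Theta) \geq\ ?$]
Maassen Uffink 88: Let $\rho_i$ be a 1-qubit state, $\Theta_i \in_R \{+,\times\}$, $X_i$ the outcome of measuring $\rho_i$ in basis $\Theta_i$. Then,
$$H(X_i \mid \Theta_i) = \frac{1}{2}\Big(\underbrace{H(X_i \mid \Theta_i = +) + H(X_i \mid \Theta_i = \times)}_{\geq 1}\Big) \geq \frac{1}{2}.$$
$X_i$ independent
$H(X_i \mid \Theta_i) \geq \frac{1}{2}$
$\Rightarrow H^\varepsilon_\infty(X^n \mid \Theta) \overset{n \to \infty}{\approx} n \cdot H(X_i \mid \Theta_i) \geq n/2$
except with prob. $\leq \varepsilon$
In general: $H(\cdot) \geq H_\infty(\cdot)$
$X^i := X_1 \ldots X_i$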
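An added numerical check, not part of the slides, of the one-qubit Maassen Uffink bound and of the remark that Shannon entropy dominates min-entropy. The Bloch-vector parameterisation, the function names and the guessing-probability definition of conditional min-entropy are assumptions of this example.

```python
import math

def h2(p):
    """Binary Shannon entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def outcome_probs(theta, phi, r=1.0):
    """P[X_i = 0] in the + and x bases for the qubit with Bloch vector
    r*(sin(theta)cos(phi), sin(theta)sin(phi), cos(theta)); r < 1 is mixed."""
    z = r * math.cos(theta)                   # + basis measures along Z
    x = r * math.sin(theta) * math.cos(phi)   # x basis measures along X
    return (1 + z) / 2, (1 + x) / 2

def shannon(theta, phi, r=1.0):
    """H(X_i | Theta_i) = 1/2 (H(X_i | +) + H(X_i | x)), Theta_i uniform."""
    p_plus, p_times = outcome_probs(theta, phi, r)
    return 0.5 * (h2(p_plus) + h2(p_times))

def min_entropy(theta, phi, r=1.0):
    """H_inf(X_i | Theta_i) as -log2 of the average guessing probability
    (assumed definition of the conditional min-entropy)."""
    p_plus, p_times = outcome_probs(theta, phi, r)
    guess = 0.5 * (max(p_plus, 1 - p_plus) + max(p_times, 1 - p_times))
    return -math.log2(guess)

def worst_case(entropy, steps=180):
    """Minimise an entropy over a grid of pure states: (value, theta, phi)."""
    best = (float("inf"), 0.0, 0.0)
    for i in range(steps + 1):
        for j in range(2 * steps):
            theta, phi = math.pi * i / steps, math.pi * j / steps
            best = min(best, (entropy(theta, phi), theta, phi))
    return best

if __name__ == "__main__":
    print("min H(X_i|Theta_i)     = %.4f" % worst_case(shannon)[0])
    print("min H_inf(X_i|Theta_i) = %.4f" % worst_case(min_entropy)[0])
    print("maximally mixed state  = %.4f" % shannon(0.0, 0.0, r=0.0))
```

The Shannon minimum is 1/2, reached at the basis states, while the per-qubit min-entropy drops to about 0.2284 for the state halfway between the two bases. This gap is why a bound of n/2 has to be stated for the smooth min-entropy of the whole string rather than obtained by adding per-qubit min-entropies.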
17 / 42
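Main Result
[Diagram. Labels: $\Theta \in_R \{+,\times\}^n$, state $\rho$; $H_\infty(X \mid \Theta) \geq\ ?$]
Maassen Uffink 88: Let $\rho_i$ be a 1-qubit state, $\Theta_i \in_R \{+,\times\}$, $X_i$ the outcome of measuring $\rho_i$ in basis $\Theta_i$. Then,
$$H(X_i \mid \Theta_i) = \frac{1}{2}\Big(\underbrace{H(X_i \mid \Theta_i = +) + H(X_i \mid \Theta_i = \times)}_{\geq 1}\Big) \geq \frac{1}{2}.$$
$X_i$ dependent
$H(X_i \mid \Theta_i) \geq \frac{1}{2}$
$H(X_i \mid \Theta_i, X^{i-1} = x^{i-1}, \Theta^{i-1} = \theta^{i-1}) \geq \frac{1}{2}$
Quantum Uncertainty Relation: Let $X = (X_1, \ldots, X_n)$ be the outcome. Then,
$$H^\varepsilon_\infty(X \mid \Theta) \gtrsim n/2$$
with $\varepsilon$ negligible in $n$.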
18 / 42
Main Technical Lemma
$Z_1, \ldots, Z_n$ (dependent) random variables with $H(Z_i \mid Z^{i-1} = z^{i-1}) \geq h$.
Then, $H^\varepsilon_\infty(Z) \gtrsim n \cdot h$ with $\varepsilon$ negligible in $n$.
Proof:
• information theory
• generalized Chernoff bound (Azuma inequality)
19 / 42
High-Order Entropic Uncertainty Relations
classical technical lemma:
$$H(Z_i \mid Z^{i-1} = z) \geq h \;\Rightarrow\; H^\varepsilon_\infty(Z^n) \gtrsim hn$$
instantiate it for various quantum codings:
• conjugate coding / BB84: $\Theta \in_R \{+,\times\}^n$, state $\rho$: $H^\varepsilon_\infty(X \mid \Theta) \gtrsim n/2$
20 / 42
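High-Order Entropic Uncertainty Relations
classical technical lemma:
$$H(Z_i \mid Z^{i-1} = z) \geq h \;\Rightarrow\; H^\varepsilon_\infty(Z^n) \gtrsim hn$$
instantiate it for various quantum codings:
• conjugate coding / BB84: $H^\varepsilon_\infty(X \mid \Theta) \gtrsim n/2$
• three bases / six-state: $\Theta \in_R \{+,\times,\circlearrowleft\}^n$, state $\rho$: $H^\varepsilon_\infty(X \mid \Theta) \gtrsim \frac{2}{3}n$
• …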
21 / 42
Outline
Motivation and Notation
Quantum Uncertainty Relation
Secure Identification
Man-In-The-Middle Attacks
Conclusion
22 / 42
Why Secure Identification?
I’m Alice my PIN is IMAB52
I want $25
Alright Alice, here you go.
23 / 42
Why Secure Identification?
I’m Alice my PIN is IMAB52
I want $25
Sorry, I’m out of order
Alice: IMAB52
24 / 42
Why Secure Identification?
Alice: IMAB52
I’m Alice my PIN is IMAB52
I want $25,000,000
Alright Alice, here you go.
25 / 42
Secure Evaluation of the Equality
PIN-based identification scheme should be a secure evaluation of the equality function
A dishonest player can exclude only one possible password
$W_A \stackrel{?}{=} W_B$
26 / 42
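Recall: Quantum 1-2 OT Protocol
[Protocol diagram. Labels: $\Theta \in_R \{+,\times\}^n$, $X \in_R \{0,1\}^n$, send $|X\rangle_\Theta$; get $X'$; $C = 0$, $\Theta' = +^n$; $F_0 \in_R \mathcal{F}_0$, $F_1 \in_R \mathcal{F}_1$; $\Theta, F_0, F_1$; $S_0$, $S_1 = ?$]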
27 / 42
Quantum 1-m OT Protocol
[Protocol diagram with a table of example values for $C(0)$, $C(1)$ and $X'$. Labels: $\Theta \in_R \{+,\times\}^n$, $X \in_R \{0,1\}^n$, send $|X\rangle_\Theta$; $W \in \mathcal{W}$; $C(W)$]
Code $C: \mathcal{W} \to \{+,\times\}^n$
28 / 42
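Quantum 1-m OT Protocol
[Protocol diagram with a table of example values for $C(0)$, $C(1)$ and $X'$. Labels: $\Theta \in_R \{+,\times\}^n$, $X \in_R \{0,1\}^n$, send $|X\rangle_\Theta$; $W \in \mathcal{W}$; $C(W)$; $\Theta, F_0$; $S_0$]
Code $C: \mathcal{W} \to \{+,\times\}^n$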
29 / 42
Quantum 1-m OT Protocol
[Protocol diagram with a table of example values for $C(0)$, $C(1)$ and $X'$. Labels: $\Theta \in_R \{+,\times\}^n$, $X \in_R \{0,1\}^n$, send $|X\rangle_\Theta$; $W \in \mathcal{W}$; $C(W)$; $\Theta, F_0, F_1, \ldots$; $S_0, S_1, \ldots$]
Code $C: \mathcal{W} \to \{+,\times\}^n$
31 / 42
Idea
correct
dishonest Bob can learn at most one $S_W$ and compare it with