![Page 1: Randomness Extraction and Privacy Amplification with quantum eavesdroppers Thomas Vidick UC Berkeley Based on joint work with Christopher Portmann, Anindya](https://reader038.vdocument.in/reader038/viewer/2022103015/551c35e15503467b488b459c/html5/thumbnails/1.jpg)
Randomness Extraction and Privacy Amplification
with quantum eavesdroppers
Thomas Vidick
UC Berkeley
Based on joint work with Christopher Portmann, Anindya De, and Renato Renner
Outline
1. Privacy amplification and randomness extraction
2. A one-bit extractor
3. Trevisan’s construction
Quantum Key Distribution
Two phases:
1. Quantum communication
2. Classical communication
  – Parameter estimation: bound Eve’s knowledge
  – Error correction: A, B compute identical n-bit strings
  – Privacy amplification: A, B share identical private m-bit strings
Final shared string to be used in subsequent protocol: require universally composable security:
Goals: Security (bound Eve’s knowledge) + Efficiency (bitrate)
[Figure: quantum channel and classical channel, with eavesdropper Eve]
Privacy amplification [BBR’88]
• Goal: given Eve’s (bounded) knowledge about , appears close to uniform:
  – minimize communication + complexity of applying
• Additional rand. necessary: no deterministic process will work
• Alice chooses random function from family, tells Bob
[Figure: classical communication of F between the two parties, observed by Eve]
Examples
• Output single position:
• Output random XOR:
(Repeat the above for different positions/XORs.)
• Random function,
• Apply random 2-universal hash function
All are “strong randomness extractors!”
[Figure: classical communication of F between the two parties]
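Added example, not from the talk: privacy amplification with one concrete 2-universal family, Toeplitz matrices over GF(2), where Alice announces the seed and Bob recomputes the key. The choice of the Toeplitz family, the function names and the sample key are assumptions.

```python
import itertools
import secrets

def toeplitz_hash(x_bits, seed_bits, m):
    """Multiply the m x n Toeplitz matrix defined by seed_bits with x_bits over GF(2)."""
    n = len(x_bits)
    if len(seed_bits) != n + m - 1:
        raise ValueError("seed must have n + m - 1 bits")
    out = []
    for i in range(m):
        bit = 0
        for j in range(n):
            # Entry (i, j) is seed_bits[i - j + n - 1]: constant along diagonals.
            bit ^= seed_bits[i - j + n - 1] & x_bits[j]
        out.append(bit)
    return out

def collision_counts(n, m):
    """For every pair x != x', count the seeds under which both hash to the same value."""
    seeds = list(itertools.product([0, 1], repeat=n + m - 1))
    inputs = list(itertools.product([0, 1], repeat=n))
    counts = set()
    for x, x2 in itertools.combinations(inputs, 2):
        counts.add(sum(toeplitz_hash(x, s, m) == toeplitz_hash(x2, s, m) for s in seeds))
    return counts, len(seeds)

def amplify(raw_key, m):
    """Alice's side: draw a fresh public seed, return (seed, private m-bit key)."""
    seed = [secrets.randbits(1) for _ in range(len(raw_key) + m - 1)]
    return seed, toeplitz_hash(raw_key, seed, m)

if __name__ == "__main__":
    # 2-universality: every pair collides under exactly a 2^-m fraction of the seeds.
    counts, total = collision_counts(n=4, m=2)
    print("colliding seeds per pair:", counts, "out of", total)
    raw = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed error-corrected string
    seed, key_a = amplify(raw, 3)
    key_b = toeplitz_hash(raw, seed, 3)     # Bob recomputes from the announced seed
    print("Alice:", key_a, "Bob:", key_b)
```

The seed here has n + m - 1 bits, which is longer than the key it produces.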
Aside: randomness extraction (1)
• Fundamental concept from TCS [NZ’96]
• Weak randomness is “readily” available
• Many applications require “perfect” randomness
  – Randomized algorithms
  – Crypto
  – Modeling
• Can we convert one to the other?
[Figure: distribution PX(x) of a public source X and distribution PU(x) of an ideal uniform source, linked by “Ext?”]
Aside: randomness extraction (2)
• Obvious restriction: 
• Still, even extracting one bit is impossible in this setting!
  – No single function will work for every distribution
• Need extra randomness to get started: seed
• extractor: such that for every X with is -close to
• Strong extractor: is -close to for
• Goals: short seed, large output, efficient construction.
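[Figure: source distribution PX(x) combined (+) with seed distribution PY(x) and passed through “Ext?” to give the uniform distribution PU(x)]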
Extractors for privacy amplification
• A, B share X. Classical eavesdropper holds E
  – Suppose . Then ) large for most 
  – If is strong extractor then Ext(,) -close to uniform
  – Security of strong extractor = requirement for privacy ampl.
[Lu02]!
• Quantum eavesdropper: no such 
  – Can still define , and [KRS’09]
  – [Renner’05] appropriate measure of extractable randomness
  – Usual definition of strong extractor no longer sufficient
[Figure: classical communication of F between the two parties]
Example: the perfect matching extractor
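X: n-bit string; Y: perfect matching chosen among $n^2$
Ext: $\{0,1\}^n \times \{0,1\}^{2 \log n} \to \{0,1\}^{n/2}$ [GKKRW’07]
[Figure: bits x1, x3, …, xn-1 and x2, x4, …, xn joined by a perfect matching; Ext outputs the XOR of each matched pair]
Output is uniformly random
• Classical adversary: cannot do better than birthday paradox → need ≈ √n bits of information about x
• Quantum adversary:
  – on seeing x, store $\frac{1}{\sqrt{n}} \sum_{i=1}^{n} (-1)^{x_i} |i\rangle$
  – when matching revealed, measure in $\left\{ \frac{1}{\sqrt{2}} \left( |i\rangle \pm |j\rangle \right) \right\}$ over the matched pairs $(i, j)$
  → only need ≈ log n qubits!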
Summary of known constructions
Seed Output Ref.
Inner-product n 1 [Ben-Or ’02]
2-universal hashing n [KMR’05]
One-bit extractors log n 1 [KT’06]
-biased masking n [FS’07]
Almost 2-universal hashing m [TSSR’10]
Trevisan’s extractor [T-S’09],[DV’10], [DPRV’11]
Outline
1. Privacy amplification and randomness extraction
2. A one-bit extractor
3. Trevisan’s construction
A one-bit extractor
• , seed ,
• Classical security proof– Given random Y, Eve can distinguish from uniform:
she can predict a random k-XOR with advantage
– Query Eve on every Y: recover string which agrees with k-XOR encoding of X in fraction of positions
– List of all k-XORs is list-decodable encoding of X narrows X down to list of possibilities
– Extractor is secure as long as
• Proof based on reconstruction argument: recover X from Eve’s information impossible as long as large enough
Quantum eavesdroppers
• … cannot be repeated!
• Unclear how to recover X from Eve’s state 
  – Same problem arises in analysis of RAC
• Thm [DV10,J11]: is strong extractor for any
  – [BRdW’07] proved weaker result in bounded storage model
  – Proof follows from [KT’06]
  – Argument constructive, based on Pretty-Good Measurement:
Given seed y, Eve has to distinguish from
PGM is almost-optimal. By linearity, equiv. to: measure using , get , output
– Reduces Eve to being classical
Outline
1. Privacy amplification and randomness extraction
2. A one-bit extractor
3. Trevisan’s construction
Trevisan’s construction (1)
• How do we extract more bits?
• Repeating m times works, but uses a lot of seed!
• Idea: make more efficient use of the seed
• Combinatorial design: subsets with small pairwise intersections. 
  – Partition seed into overlapping sets, so bits can be re-used (Use to compute -th output.)
  – Ex [HR03]: for prime , where ranges over polynomials of degree get subsets of of size small pairwise intersection
  – Design can be pre-computed and stored
[Figure: seed y (bits 0 0 0 0 1 1 1) covered by overlapping subsets S1, S2, S3]
Trevisan’s construction (2)
• Introduced in [T99]; breakthrough construction building on work on pseudo-random generators
• Fix a design and one-bit extractor
• Polyvalent: use any design; many possible one-bit extractors 
  – Can focus on efficiency or optimality
• Near-optimal in all parameters (seed & output length, efficiency)
[Figure: seed y (bits 0 0 0 0 1 1 1) covered by overlapping subsets S1, S2, S3, combined (+) with input x]
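Added example, not from the talk: the two ingredients described above, the k-XOR one-bit extractor and the polynomial design of [HR03], composed into Trevisan's extractor. The function names, the encoding of seed bits as positions and the toy parameters are assumptions; the talk's own parameter choices are not reproduced here.

```python
import itertools
import secrets

def polynomial_design(p, d):
    """Sets S_q = {(a, q(a)) : a in F_p}, one per polynomial q of degree <= d over F_p.

    Each set has p elements of [p*p]; two distinct polynomials agree on at
    most d points, so two sets share at most d seed positions.
    """
    design = []
    for coeffs in itertools.product(range(p), repeat=d + 1):
        points = []
        for a in range(p):
            q_a = sum(c * pow(a, e, p) for e, c in enumerate(coeffs)) % p
            points.append(a * p + q_a)      # pair (a, q(a)) encoded as a seed index
        design.append(points)
    return design

def k_xor(x_bits, sub_seed, k):
    """One-bit extractor: sub_seed names k positions of x, output is their XOR."""
    width = len(sub_seed) // k              # seed bits spent per position
    bit = 0
    for j in range(k):
        chunk = sub_seed[j * width:(j + 1) * width]
        pos = int("".join(map(str, chunk)), 2) % len(x_bits)
        bit ^= x_bits[pos]
    return bit

def trevisan(x_bits, seed, design, m, k):
    """Output bit i is the one-bit extractor run on the seed bits indexed by S_i."""
    return [k_xor(x_bits, [seed[t] for t in design[i]], k) for i in range(m)]

if __name__ == "__main__":
    p, d, k, m = 17, 1, 2, 64               # toy parameters, not a security claim
    design = polynomial_design(p, d)        # 289 sets of 17 positions in [289]
    x = [secrets.randbits(1) for _ in range(256)]     # constructed weak source
    y = [secrets.randbits(1) for _ in range(p * p)]   # 289-bit seed
    print("key:", "".join(map(str, trevisan(x, y, design, m, k))))
    print("seed bits:", p * p, "vs", p * m, "for", m, "independent one-bit seeds")
```

With these toy values the shared seed is 289 bits, where 64 independent runs of the one-bit extractor would consume 1088.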
Some parameters
• Input length , seed length , output length , min-entropy
• Construction based on k-XOR 
  – , seed 
  – Extracts bits from entropy
  – Locally computable
• Optimal seed length 
  – Extract bits from entropy
• Optimal output length 
  – Seed , extracts from any
• Can also extract from weakly uniform seed
• All constructions “efficient” (polynomial)
Overview of security proof
• By contradiction: assume eavesdropper E can distinguish output from uniform with success ɛ.
• First step: using E, construct an eavesdropper E’ such that
  – E’ has access to the same side information as E
  – E’ has some additional classical information over m bits
  – E’ breaks the one-bit extractor with success prob. ½+ɛ/m
Based on hybrid argument + properties of comb. design
• Second step: such an E’ cannot exist!
  – We already know is secure against quantum eavesdroppers
[Figure labels: x: n bits; y: t bits; : log n bits]
Summary
• Privacy amplification is an important step in QKD
• Well-understood classically, but quantum eavesdropper is a challenge
• Some constructions proved to carry over
  – 2-universal hashing most often used: efficient (matrix multiplication), extracts most key.
  – All previous const. require as many “fresh” random bits as length of key
• Trevisan’s construction has many advantages
  – Efficient (local XOR computation)
  – Extracts longest possible key, only polylog random bits required
• Proof of security based on reconstruction argument + [KT’06]
Open problems
• Can we do even better? Extract many bits with a logarithmic seed?
  – Trevisan’s extractor only extracts , for any 
  – Classical constructions exist, but based on different ideas.
• Could all reasonable extractors be secure against quantum eavesdroppers?
  – Hidden matching is not, but really bad extractor
  – Could still have generic proof with small loss in parameters
• How much information is there in a quantum state?
  – Similar questions asked in comm. compl., but in worst-case
Thank you!