![Page 1: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/1.jpg)
Short seed extractors against quantum storage
Amnon Ta-ShmaTel-Aviv University
1
![Page 2: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/2.jpg)
Privacy amplification [BB]
Alice and Bob share information that is partially secret towards an eavesdropper Eve.
• Their goal is to extract a shorter string that is completely secret.
• They may use a short, public random string.
![Page 3: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/3.jpg)
More formally:
Alice and Bob share x {0,1}n. x has a-priori distribution X that has a lot of
entropy. H(X) ≥ k
a Pr[X=a] ≤ 2-k
Eve holds a random variable W on {0,1}b that holds partial information about x.
3
![Page 4: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/4.jpg)
A (k,b,) extractor - classical case
E:{0,1}n{0,1}t{0,1}m is a (k,b,) extractor, if: For every X with H(X) ≥ k, and, For every W=W(X) distributed on {0,1}b
|Ut E(X, Ut) W(X) – Ut Um W(X) | ≤
Sample: x X, y {0,1}t
Output: y,E(x,y),W(x)Sample: x X , y {0,1}t ,u {0,1}m
Output: y,u,W(x)
4
![Page 5: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/5.jpg)
In the classical world
The problem can be solved almost optimally using extractors.
Solutions give:t=O(log(n/))
m=(k-b)
5
![Page 6: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/6.jpg)
A (k,b,) extractor - quantum case
E:{0,1}n{0,1}t{0,1}m is a (k,b,) extractor against quantum storage, if: For every X with H(X) ≥ k, and, For every =(X) on b qubits
|Ut E(X, Ut) (X) – Ut Um (X) |tr ≤
Sample: x X, y {0,1}t
Output: y,E(x,y),(x)Sample: x X , y {0,1}t ,u {0,1}m
Output: y,u,(x)6
![Page 7: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/7.jpg)
In the quantum world
Some extractors fail.[GKKRWJ] show an extractor against b bitsthat fails against polylog(b) qubits.
Some extractors work. Konig, Maurer,Renner ‘04 Fehr, Schaffner ‘08 Konig Terhal ‘08
7
![Page 8: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/8.jpg)
Previous extractors - quantum case
Technique Seed length Author
Pair-wise independence, Collisions t=(n) Konig, Maurer, Renner
Almost pair-wise independence t=(m) Variation on KMR
Z2n Fourier transform t=(b) Fehr, Schaffner
Any one-output extractor is good t=(m) Konig Terhal
Any extractor is good with error 2b t=(b) Konig Terhal
Several methods t=O(log(n)) Classical
E : {0,1}n {0,1}t {0,1}m
8
![Page 9: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/9.jpg)
Our result
A (k,b,) extractor E:{0,1}n{0,1}t{0,1}m against quantum storage , with: 2log ( / )
( )log
nt O
m
1/15( ( ) )log
km O
n b
Optimal t=O(log n) when m=n(1)
Trevisan: m=(k-b)(1)
Optimal: (k-b)
9
![Page 10: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/10.jpg)
The basic paradigm
Reconstruction algorithms
Reconstruction Extraction in the classical world [Trevisan]
Reconstruction with few queries Extraction against quantum storage.
10
![Page 11: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/11.jpg)
Distinguisher
A test is a function T : {0,1}m {0,1}
A test T -distinguishes D1 from D2 if
| Pr xD1 [T(x)=1] – Pr xD2 [T(x)=1] | ≥
11
![Page 12: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/12.jpg)
Reconstruction algorithms
A function E:{0,1}n{0,1}t {0,1}m has a reconstruction algorithm R if
For every x {0,1}n , andevery T that distinguishes Ut E(x,Ut) from Ut+m
There exists a string adv=adv(x) of a bits, s.t.
RT(adv(x))=x12
![Page 13: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/13.jpg)
Reconstruction Extraction [Tre]
Suppose E has reconstruction with a advice bits,Suppose E is not a (k,b,) extractor. Then, there exist:
X with H(X) ≥ k, Eve storing b bits of information, -distinguishing E from uniform.
B={x| Eve -dist W(x)UtE(x, Ut) from W(x)Ut+m}
|B| ≥ ε|X| 13
![Page 14: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/14.jpg)
For every x B
The test T:Gets advice W(x). Applies Eve( W(x), y, w) .-distinguishes Ut E(x, Ut) from Ut+m.
The reconstruction algorithm: Makes oracle calls to T. Gets additional a bits of advice adv(x). Reconstructs x.
Thus x B can be reconstructed using a+b bits.14
![Page 15: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/15.jpg)
Reconstruction Extraction [Tre]|B| ≤ 2a+b and 2k ≤ |X|≤ |B|/ . Thus, k≤a+b+log(1/).
15
![Page 16: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/16.jpg)
Extractor against quantum storage
Suppose E has reconstruction with q queries.Suppose E is not a (k,b,) extractor. Then, there exist:
X with H(X) ≥ k, Eve storing b qubits of information,
B={x| Eve -dist (x)UtE(x, Ut) from (x)Ut+m}
|B| ≥ ε|X|
16
![Page 17: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/17.jpg)
For every x B
The test T:Gets advice (x). Applies Eve( (x), y, w) .-distinguishes Ut E(x, Ut) from Ut+m.
The reconstruction algorithm: Makes oracle calls to T. Gets additional a bits of advice adv(x). Reconstructs x.
Thus x B can be reconstructed using a+qb bitsFor the classical advice adv(x)
For q queries to Eve
17
![Page 18: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/18.jpg)
Extractor against quantum storage
|B| ≤ 2a+qb.
Thus, 2k ≤|X| ≤ 2a+qb /.
k≤a+qb+log(1/).
18
![Page 19: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/19.jpg)
Conclusions so farA function E:{0,1}n{0,1}t {0,1}m
that has a reconstruction algorithm with
A short classical advice adv(x), and, A few queries to the distinguisher
Yields a good extractor against quantum storage.
19
![Page 20: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/20.jpg)
An extractor with reconstruction
The NW generator List decoding Trevisan’s extractor The quantum case
Trevisan’s work
20
![Page 21: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/21.jpg)
The NW Generator
NW:{0,1}n{0,1}t {0,1}m has reconstruction that is correct on average.
Given a distinguisher T, and The right advice adv(x)
RT(adv(x),i) = xi
For most i [n]21
The NW generator uses a
single query
![Page 22: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/22.jpg)
List decoding
22
![Page 23: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/23.jpg)
Trevisan’s extractorUses:
NW and its reconstruction algorithm, A code C : {0,1}n {0,1}N that is (L=poly(n),p=1/2-) list-decodable.
T(x,y)= NW( C(x), y)
23
![Page 24: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/24.jpg)
Reconstruction for Trevisan’s ext.
T(x,y)= NW( C(x), y)
• Find a word w {0,1}N that is 1/2+ close to C(x) using the NW reconstruction algorithm.• Apply list decoding. Get a List L of all code words close to w, x L. • The advice tells us which is x.
Works well, but requires N queries.
24
![Page 25: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/25.jpg)
The way around
• NW generator – learns a single bit of C(x), with one query, on average over i [N]
25
Learn the whole of x, with poly(n) queries.
Trevisan:List decoding
Learn a single bit of x,
with polylog(n) queries,
for any i [n] of our choice.
Us:Local list decoding
![Page 26: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/26.jpg)
Two questions
1. How do we achieve that?Answer: using local list decoding.
2. Does this suffice for the analysis?Answer: Yes, using lower bounds on random
access codes.
26
![Page 27: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/27.jpg)
The new extractorUses: NW generator and its reconstruction
algorithm, A code C : {0,1}n {0,1}N that is
(L=poly(n),p=1/2+) locally list-decodable with q=polylog(n) queries.
E(x,y)= NW( C(x), y)
27
![Page 28: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/28.jpg)
The AnalysisSuppose E(x,y)= NW( C(x), y) is not a (k,b,) ext, violated with X and = (X).
For any x B
Advice: a+qb qubitsWe can learn any bit of x, with succ. prob. 2/3.
|B| ≤ 2(a+qb) log n. 2k ≤|X| ≤ 2(a+qb) log n /. k≤(a+qb) log n+log(1/).
28
a RAC for B using a+qb qubits
![Page 29: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/29.jpg)
Random access code for X
RAC : X density matrix over m qubitssuch that for every x X:
• For all i [n], one can recover xi from RAC(x) with success probability at least 2/3.
• For most i [n], one can recover xi from RAC(x).
Average-case RAC
Worst-case RAC
29
![Page 30: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/30.jpg)
RAC for X
Arbitrary X X={0,1}n
(n)Worst case RAC
0 (n)Average case RAC
log | |( )log( )
X
n
30
![Page 31: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/31.jpg)
Summary
For the construction, we use: Trevisan’ extractor, with Local, list-decodable error correcting codes
For the analysis, we use: Reconstruction algorithms together with Random access codes
31
![Page 32: Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1](https://reader038.vdocuments.us/reader038/viewer/2022110304/5518d372550346b31f8b5ddd/html5/thumbnails/32.jpg)
Challenge
1. Find an extractor that• Works against quantum storage• With optimal parameters.
2. Generalize the construction to Eve that holds more qubits but has few “information” about X.