Short seed extractors against quantum storage

Amnon Ta-ShmaTel-Aviv University

1

Privacy amplification [BB]

Alice and Bob share information that is partially secret towards an eavesdropper Eve.

• Their goal is to extract a shorter string that is completely secret.

• They may use a short, public random string.

More formally:

Alice and Bob share x {0,1}n. x has a-priori distribution X that has a lot of

entropy. H(X) ≥ k

a Pr[X=a] ≤ 2-k

Eve holds a random variable W on {0,1}b that holds partial information about x.

3

A (k,b,) extractor - classical case

E:{0,1}n{0,1}t{0,1}m is a (k,b,) extractor, if: For every X with H(X) ≥ k, and, For every W=W(X) distributed on {0,1}b

|Ut E(X, Ut) W(X) – Ut Um W(X) | ≤

Sample: x X, y {0,1}t

Output: y,E(x,y),W(x)Sample: x X , y {0,1}t ,u {0,1}m

Output: y,u,W(x)

4

In the classical world

The problem can be solved almost optimally using extractors.

Solutions give:t=O(log(n/))

m=(k-b)

5

A (k,b,) extractor - quantum case

E:{0,1}n{0,1}t{0,1}m is a (k,b,) extractor against quantum storage, if: For every X with H(X) ≥ k, and, For every =(X) on b qubits

|Ut E(X, Ut) (X) – Ut Um (X) |tr ≤

Sample: x X, y {0,1}t

Output: y,E(x,y),(x)Sample: x X , y {0,1}t ,u {0,1}m

Output: y,u,(x)6

In the quantum world

Some extractors fail.[GKKRWJ] show an extractor against b bitsthat fails against polylog(b) qubits.

Some extractors work. Konig, Maurer,Renner ‘04 Fehr, Schaffner ‘08 Konig Terhal ‘08

7

Previous extractors - quantum case

Technique Seed length Author

Pair-wise independence, Collisions t=(n) Konig, Maurer, Renner

Almost pair-wise independence t=(m) Variation on KMR

Z2n Fourier transform t=(b) Fehr, Schaffner

Any one-output extractor is good t=(m) Konig Terhal

Any extractor is good with error 2b t=(b) Konig Terhal

Several methods t=O(log(n)) Classical

E : {0,1}n {0,1}t {0,1}m

8

Our result

A (k,b,) extractor E:{0,1}n{0,1}t{0,1}m against quantum storage , with: 2log ( / )

( )log

nt O

m

1/15( ( ) )log

km O

n b

Optimal t=O(log n) when m=n(1)

Trevisan: m=(k-b)(1)

Optimal: (k-b)

9

The basic paradigm

Reconstruction algorithms

Reconstruction Extraction in the classical world [Trevisan]

Reconstruction with few queries Extraction against quantum storage.

10

Distinguisher

A test is a function T : {0,1}m {0,1}

A test T -distinguishes D1 from D2 if

| Pr xD1 [T(x)=1] – Pr xD2 [T(x)=1] | ≥

11

Reconstruction algorithms

A function E:{0,1}n{0,1}t {0,1}m has a reconstruction algorithm R if

For every x {0,1}n , andevery T that distinguishes Ut E(x,Ut) from Ut+m

There exists a string adv=adv(x) of a bits, s.t.

RT(adv(x))=x12

Reconstruction Extraction [Tre]

Suppose E has reconstruction with a advice bits,Suppose E is not a (k,b,) extractor. Then, there exist:

X with H(X) ≥ k, Eve storing b bits of information, -distinguishing E from uniform.

B={x| Eve -dist W(x)UtE(x, Ut) from W(x)Ut+m}

|B| ≥ ε|X| 13

For every x B

The test T:Gets advice W(x). Applies Eve( W(x), y, w) .-distinguishes Ut E(x, Ut) from Ut+m.

The reconstruction algorithm: Makes oracle calls to T. Gets additional a bits of advice adv(x). Reconstructs x.

Thus x B can be reconstructed using a+b bits.14

Reconstruction Extraction [Tre]|B| ≤ 2a+b and 2k ≤ |X|≤ |B|/ . Thus, k≤a+b+log(1/).

15

Extractor against quantum storage

Suppose E has reconstruction with q queries.Suppose E is not a (k,b,) extractor. Then, there exist:

X with H(X) ≥ k, Eve storing b qubits of information,

B={x| Eve -dist (x)UtE(x, Ut) from (x)Ut+m}

|B| ≥ ε|X|

16

For every x B

The test T:Gets advice (x). Applies Eve( (x), y, w) .-distinguishes Ut E(x, Ut) from Ut+m.

The reconstruction algorithm: Makes oracle calls to T. Gets additional a bits of advice adv(x). Reconstructs x.

Thus x B can be reconstructed using a+qb bitsFor the classical advice adv(x)

For q queries to Eve

17

Extractor against quantum storage

|B| ≤ 2a+qb.

Thus, 2k ≤|X| ≤ 2a+qb /.

k≤a+qb+log(1/).

18

Conclusions so farA function E:{0,1}n{0,1}t {0,1}m

that has a reconstruction algorithm with

A short classical advice adv(x), and, A few queries to the distinguisher

Yields a good extractor against quantum storage.

19

An extractor with reconstruction

The NW generator List decoding Trevisan’s extractor The quantum case

Trevisan’s work

20

The NW Generator

NW:{0,1}n{0,1}t {0,1}m has reconstruction that is correct on average.

Given a distinguisher T, and The right advice adv(x)

RT(adv(x),i) = xi

For most i [n]21

The NW generator uses a

single query

List decoding

22

Trevisan’s extractorUses:

NW and its reconstruction algorithm, A code C : {0,1}n {0,1}N that is (L=poly(n),p=1/2-) list-decodable.

T(x,y)= NW( C(x), y)

23

Reconstruction for Trevisan’s ext.

T(x,y)= NW( C(x), y)

• Find a word w {0,1}N that is 1/2+ close to C(x) using the NW reconstruction algorithm.• Apply list decoding. Get a List L of all code words close to w, x L. • The advice tells us which is x.

Works well, but requires N queries.

24

The way around

• NW generator – learns a single bit of C(x), with one query, on average over i [N]

25

Learn the whole of x, with poly(n) queries.

Trevisan:List decoding

Learn a single bit of x,

with polylog(n) queries,

for any i [n] of our choice.

Us:Local list decoding

Two questions

1. How do we achieve that?Answer: using local list decoding.

2. Does this suffice for the analysis?Answer: Yes, using lower bounds on random

access codes.

26

The new extractorUses: NW generator and its reconstruction

algorithm, A code C : {0,1}n {0,1}N that is

(L=poly(n),p=1/2+) locally list-decodable with q=polylog(n) queries.

E(x,y)= NW( C(x), y)

27

The AnalysisSuppose E(x,y)= NW( C(x), y) is not a (k,b,) ext, violated with X and = (X).

For any x B

Advice: a+qb qubitsWe can learn any bit of x, with succ. prob. 2/3.

|B| ≤ 2(a+qb) log n. 2k ≤|X| ≤ 2(a+qb) log n /. k≤(a+qb) log n+log(1/).

28

a RAC for B using a+qb qubits

Random access code for X

RAC : X density matrix over m qubitssuch that for every x X:

• For all i [n], one can recover xi from RAC(x) with success probability at least 2/3.

• For most i [n], one can recover xi from RAC(x).

Average-case RAC

Worst-case RAC

29

RAC for X

Arbitrary X X={0,1}n

(n)Worst case RAC

0 (n)Average case RAC

log | |( )log( )

X

n

30

Summary

For the construction, we use: Trevisan’ extractor, with Local, list-decodable error correcting codes

For the analysis, we use: Reconstruction algorithms together with Random access codes

31

Challenge

1. Find an extractor that• Works against quantum storage• With optimal parameters.

2. Generalize the construction to Eve that holds more qubits but has few “information” about X.