Spanish Cryptography Days, November 2011, Murcia, Spain

Antonio Acín, ICREA Professor at ICFO-Institut de Ciencies Fotoniques, Barcelona

Device-Independent Quantum Information Processing

Computational security

• Standard Classical Cryptography schemes are based on computational security.

• Assumption: eavesdropper computational power is limited.

• Even with this assumption, the security is unproven. E.g.: factoring is believed to be a hard problem.

• Quantum computers cast doubt on the long-term applicability of these schemes, e.g. Shor’s algorithm for efficient factorization.

Quantum Computation

Quantum computer: device able to manipulate information encoded on quantum particles. These devices allow one to solve computational problems in a much more efficient way than a classical computer.

Shor’s algorithm (1994): factorization problem.

6 = 3 x 2 Easy!

30790518401361202507 = 4575351673 x 6729650659

A quantum computer allows the efficient factorization of large numbers.

Computational security

It was easy to generate the factors and then compute the product. One-way functions: easy in one direction, hard in the opposite.

Many cryptographic schemes, such as RSA, are based on the factorization problem.

[Diagram: Alice and Bob multiply; Eve has to factorize.]

If factorization becomes easy, the enemy can break the protocol!

Quantum Information Theory

Quantum Information Theory studies how to manipulate and transmit information encoded on quantum particles.

Quantum Mechanics: set of laws describing the Physics of the microscopic world.

(Einstein, Planck, Bohr, Schrödinger, Heisenberg,…, first half of the XX century).

Information Theory: mathematical formalism describing how information can be stored, processed and transmitted.

(Shannon, 1950).

Why now?

Quantum Information Theory

Current technological progress in device miniaturization leads to a scenario where information is encoded on quantum particles, such as atoms or photons.

• Moore’s Law: information-device size decreases exponentially with time.

• Information is encoded in fewer and fewer atoms.

• It is very plausible that quantum effects will manifest in the near future.

Quantum Information Theory

What happens when we encode information in the quantum world?

Novel information applications become possible when using information encoded on quantum states, e.g. more powerful computers and secure communication.

Heisenberg Uncertainty Principle

Quantum Theory only predicts the probabilities of outcomes.

[Diagram: a measurement on a quantum particle; each of the two outcomes occurs with probability 50%.]

The measurement process modifies the state of the particle!

Heisenberg uncertainty principle: the measurement process perturbs the state of a quantum system.

Quantum Cryptography

[Diagram: Alice and Bob exchange quantum bits; Eve is on the channel.]

The eavesdropper, Eve, when measuring the particles, introduces noise (errors) in the channel and is detected by the honest parties.

[Photos: Bennett, Brassard, Ekert]

Heisenberg uncertainty principle → Secure cryptography!

Quantum Cryptography: a new form of security

• Standard Classical Cryptography schemes are based on computational security.

• Assumption: eavesdropper computational power is limited.

• Even with this assumption, the security is unproven. E.g.: factoring is believed to be a hard problem.

• Quantum computers cast doubt on the long-term applicability of these schemes, e.g. Shor’s algorithm for efficient factorization.

• Quantum Cryptography protocols are based on physical security.

• Assumption: Quantum Mechanics offers a correct physical description of the devices.

• No assumption is required on the eavesdropper’s power, provided it does not contradict any quantum law.

• Using this (these) assumption(s), the security of the schemes can be proven.

Quantum Cryptography: you can buy it!

• Quantum cryptography is a commercial product.

• In 2007, it was used to secure part of the vote counting in a referendum in the canton of Geneva.

• The Quantum Stadium: in 2010, in collaboration with the University of KwaZulu-Natal, South Africa, it was used to encrypt a connection in the Durban stadium during the World Cup.

Ribordy

Quantum hacking

How come?!

Quantum hacking

[Diagram labels: single-photon source, quantum channel, single-photon detector; attenuated laser source, realistic APD detector.]

Quantum hacking attacks break the implementation, not the principle.

Device-Independent Quantum Information Processing

Scenario

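Distant parties performing m different measurements of r outcomes.

Alice: input x = 1,…,m and output a = 1,…,r. Bob: input y = 1,…,m and output b = 1,…,r. Observed statistics: $p(a,b|x,y)$.

$$p(a,b|x,y) = \big(p(1,1|1,1),\; p(1,2|1,1),\; \ldots,\; p(r,r|1,1),\; \ldots,\; p(r,r|m,m)\big)$$

Vector of $m^2 r^2$ positive components satisfying $m^2$ normalization conditions:

$$\sum_{a,b=1}^{r} p(a,b|x,y) = 1 \quad \forall\, x,y$$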

Quantum Correlations

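$$p(a,b|x,y) = \mathrm{tr}\left(\rho_{AB}\, M_a^x \otimes M_b^y\right)$$

$$M_a^x M_{a'}^x = \delta_{aa'}\, M_a^x, \qquad \sum_a M_a^x = \mathbb{1}$$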

Assumption: the observed correlations should be compatible with the quantum formalism.

No constraint is imposed on the quantum state and measurements reproducing the observed correlations. They act on an arbitrary Hilbert space.

Standard Quantum Information applications are not device-independent: they crucially rely on the details of states and measurements used in the protocol.

Bell inequality violation

Bell inequality violation is a necessary condition for DIQIP.

If the correlations are local:

$$p(a,b|x,y) = \sum_{\lambda} p(\lambda)\, p(a|x,\lambda)\, q(b|y,\lambda)$$

The observed statistics can be reproduced by classically correlated data → no improvement can be expected over Classical Information Theory.

Any protocol should be built from non-local correlations.

Characterization of Quantum Correlations

Motivation

Given p(a,b|x,y), does it have a quantum realization?

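$$p(a,b|x,y) = \mathrm{tr}\left(\rho_{AB}\, M_a^x \otimes M_b^y\right)$$

$$M_a^x M_{a'}^x = \delta_{aa'}\, M_a^x, \qquad \sum_a M_a^x = \mathbb{1}$$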

Example:

32,32,32,328

10,1,1,0,0,0, bapbapbap

245.0,255.0,255.0,245.01,1, bap

Hierarchy of necessary conditions

Given a probability distribution p(a,b|x,y), we have defined a hierarchy consisting of a series of tests based on semi-definite programming techniques allowing the detection of supra-quantum correlations.

[Diagram: chain of successive tests, each answered YES or NO.]

The hierarchy is asymptotically convergent.

Convergence of the hierarchy

If some correlations satisfy all the steps in the hierarchy, then:

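$$p(a,b|x,y) = \mathrm{tr}\left(\rho\, M_a^x M_b^y\right) \quad \text{with} \quad \sum_a M_a^x = \mathbb{1}, \qquad \left[M_a^x, M_b^y\right] = 0$$

?

$$p(a,b|x,y) = \mathrm{tr}\left(\rho_{AB}\, M_a^x \otimes M_b^y\right)$$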

Device-Independent Quantum Key Distribution

Device-Independent QKD

Standard QKD protocols base their security on:

1. Quantum Mechanics: any eavesdropper, however powerful, must obey the laws of quantum physics.

2. No information leakage: no unwanted classical information must leak out of Alice's and Bob's laboratories.

3. Trusted Randomness: Alice and Bob have access to local random number generators.

4. Knowledge of the devices: Alice and Bob require some control (model) of the devices.

Are there protocols for secure QKD based on $p(a,b|x,y)$, without requiring any assumption on the devices?

Motivation

• The fewer the assumptions for a cryptographic protocol → the stronger the security.

• Device-Independent QKD represents the strongest form of quantum cryptography. It is based on the minimal number of assumptions.

• It may be useful when considering practical implementations. If some correlations are observed → secure key distribution. No security loopholes related to technological issues.

Secure device-independent quantum key distribution with causally independent measurement devices

The model

We require that the generation of raw key elements define causally independent events.

All raw-key elements

General quantum state Measurements by Alice and Bob

The model

[Diagram: n pairs of devices with inputs $x_1, y_1, \ldots, x_n, y_n$ and outputs $a_1, b_1, \ldots, a_n, b_n$.]

• This requirement can be satisfied by performing space-like separated measurements. Secure DIQKD is, in principle, possible.

• The requirement can just be assumed, either by assuming memoryless devices or some shielding ability by the honest parties (which is always necessary).

• This requirement is always one of the assumptions (among many more) needed for security in standard QKD.

Bound on the key rate

$$K \geq -\log_2 f(g_{\exp}) - H(a|b)$$

$$\mathrm{QBER} = \frac{1-V}{2}$$

The critical error for the CHSH inequality is approximately 5%. For the chained inequality with 3 settings, one has 7.5%. The protocols are competitive in terms of error rate.

Device-Independent Randomness Generation

Can the presence of randomness be guaranteed by any physical mechanism?

Known solutions

• Classical Random Number Generators (CRNG). All of them are of deterministic nature.

• Quantum Random Number Generators (QRNG). There exist different solutions, but the main idea is encapsulated by the following example:

Single photons are prepared and sent into a mirror with transmittivity equal to ½. The random numbers are provided by the clicks in the detectors.

[Diagram: beam splitter with transmitted (T) and reflected (R) outputs, 50% each.]

• In any case, all these solutions have three problems, which are important both from a fundamental and practical point of view.

Problem 1: certification

• Good randomness is usually verified by a series of statistical tests.

• There exist chaotic systems, of deterministic nature, that pass all existing randomness tests.

• Do these tests really certify the presence of randomness?

• Do these tests certify any form of quantum randomness? Classical systems pass them!

RANDU

RANDU is an infamous linear congruential pseudorandom number generator of the Park–Miller type, which has been used since the 1960s.

Three-dimensional plot of 100,000 values generated with RANDU. Each point represents 3 subsequent pseudorandom values. It is clearly seen that the points fall in 15 two-dimensional planes.
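Added example (not part of the original slides): the RANDU recurrence in Python, showing that its output looks balanced under a crude frequency test while every triple of consecutive values lies on one of 15 planes and is predictable from two observed outputs. The multiplier 65539 and modulus 2^31 are RANDU's standard published constants, which the slide does not state; the seed and sample size are constructed.

```python
from collections import Counter

M = 2**31   # RANDU modulus (standard published constant, not stated on the slide)
A = 65539   # RANDU multiplier, 2**16 + 3 (same caveat)

def randu(seed, n):
    """Return n successive outputs of x_{k+1} = A * x_k mod M (seed must be odd)."""
    out, x = [], seed
    for _ in range(n):
        x = (A * x) % M
        out.append(x)
    return out

def upper_half_fraction(xs):
    """Crude frequency test: fraction of outputs in the upper half of the range."""
    return sum(x >= M // 2 for x in xs) / len(xs)

def plane_counts(xs):
    """Count the planes hit by consecutive triples (x_k, x_{k+1}, x_{k+2}).

    A*A = 6*A - 9 (mod M), hence 9*x_k - 6*x_{k+1} + x_{k+2} = q * M exactly;
    every integer q labels one plane 9x - 6y + z = q in the unit cube.
    """
    counts = Counter()
    for x0, x1, x2 in zip(xs, xs[1:], xs[2:]):
        q, remainder = divmod(9 * x0 - 6 * x1 + x2, M)
        if remainder:
            raise ValueError("triple is not a RANDU triple")
        counts[q] += 1
    return counts

def predict_next(x0, x1):
    """What an observer of two consecutive outputs computes for the next one."""
    return (6 * x1 - 9 * x0) % M

def demo(n=100_000, seed=1):
    xs = randu(seed, n)   # constructed sample, same size as the slide's plot
    planes = plane_counts(xs)
    hits = sum(predict_next(a, b) == c for a, b, c in zip(xs, xs[1:], xs[2:]))
    return upper_half_fraction(xs), len(planes), hits

if __name__ == "__main__":
    frac, n_planes, hits = demo()
    print(f"upper-half fraction: {frac:.4f}")
    print(f"distinct planes:     {n_planes}")
    print(f"correct predictions: {hits}")
```

A generator can therefore look balanced to a simple statistical test while being fully deterministic and predictable to an observer, which is the certification and privacy concern raised on the neighbouring slides.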

Problem 2: privacy

• Many applications require private randomness.

• How can one be sure that the observed random numbers are also random to any other observer, possibly adversarial?

[Diagram: beam-splitter generator (T / R, 50% each) outputting $r_1, r_2, \ldots, r_n$, next to a classical memory holding $r_1, r_2, \ldots, r_n$.]

Problem 3: device dependence

• All the solutions crucially rely on the details of the devices used in the generation.

• How can imperfections in the devices affect the quality of the generated numbers? Can these imperfections be exploited by an adversary?

[Diagram: beam splitter with transmitted (T) and reflected (R) outputs, 50% each.]

Single photons are prepared and sent into a mirror with transmittivity equal to ½. The random numbers are provided by the clicks in the detectors.

Random Numbers from Bell’s Theorem

We want to explore the relation between non-locality, measured by the violation β of a Bell inequality, and local randomness, quantified by the parameter $r = \max_{a,x} p(a|x)$. Clearly, if β = 0 → r = 1.

[Diagram: two boxes with inputs x = 1,2 and y = 1,2, outputs a = +1,−1 and b = +1,−1, and statistics $p(a,b|x,y)$.]

Results

All the region above the curve is impossible within Quantum Mechanics.
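Added example (not part of the original slides), serving both the Bell inequality slide and the randomness slides: for two settings and two outcomes it checks normalization and no-signaling of $p(a,b|x,y)$, evaluates the CHSH expression, separates local, nonlocal and supra-quantum statistics, and converts a CHSH value into certified randomness. The sample behaviors are constructed, and the analytic CHSH bound on max p(a|x) is taken from the literature on Bell-certified randomness, not from the slides.

```python
import math
from itertools import product

OUT = (+1, -1)   # outcomes a, b as on the slide
IN = (1, 2)      # settings x, y as on the slide
TSIRELSON_BOUND = 2 * math.sqrt(2)

def behavior(v):
    """Constructed sample p(a,b|x,y) = (1 + a*b*E_xy)/4, E_xy = v except E_22 = -v."""
    E = {(x, y): (-v if (x, y) == (2, 2) else v) for x in IN for y in IN}
    return {(a, b, x, y): (1 + a * b * E[x, y]) / 4
            for a, b, x, y in product(OUT, OUT, IN, IN)}

def is_normalized(p, tol=1e-9):
    # one normalization condition per setting pair: sum_{a,b} p(a,b|x,y) = 1
    return all(abs(sum(p[a, b, x, y] for a in OUT for b in OUT) - 1) < tol
               for x in IN for y in IN)

def is_no_signaling(p, tol=1e-9):
    # Alice's marginal p(a|x) must not depend on y, nor Bob's p(b|y) on x
    alice = all(abs(sum(p[a, b, x, 1] - p[a, b, x, 2] for b in OUT)) < tol
                for a in OUT for x in IN)
    bob = all(abs(sum(p[a, b, 1, y] - p[a, b, 2, y] for a in OUT)) < tol
              for b in OUT for y in IN)
    return alice and bob

def chsh_max(p):
    """Largest |CHSH| value over the four placements of the minus sign."""
    E = {(x, y): sum(a * b * p[a, b, x, y] for a in OUT for b in OUT)
         for x in IN for y in IN}
    total = sum(E.values())
    return max(abs(total - 2 * E[k]) for k in E)

def classify(p, tol=1e-9):
    if any(q < -tol for q in p.values()) or not (is_normalized(p) and is_no_signaling(p)):
        return "invalid"
    s = chsh_max(p)
    if s <= 2 + tol:
        return "local"          # reproducible by classically correlated data
    if s <= TSIRELSON_BOUND + tol:
        return "nonlocal"       # within the quantum CHSH maximum (necessary test only)
    return "supra-quantum"      # no quantum state and measurements can produce it

def certified_min_entropy(s):
    """Bits per run from the analytic CHSH bound max p(a|x) <= (1 + sqrt(2 - s^2/4))/2."""
    s = min(max(s, 2.0), TSIRELSON_BOUND)
    guess = 0.5 * (1 + math.sqrt(max(0.0, 2 - s * s / 4)))
    return -math.log2(guess)

SAMPLES = {"classical": behavior(0.5), "noisy": behavior(0.9 / math.sqrt(2)),
           "tsirelson": behavior(1 / math.sqrt(2)), "pr-box": behavior(1.0)}

if __name__ == "__main__":
    for name, p in SAMPLES.items():
        s = chsh_max(p)
        print(f"{name:10s} CHSH={s:.3f} {classify(p):13s} "
              f"H_min>={certified_min_entropy(s):.3f}")
```

Passing the CHSH check is only a necessary condition for a quantum realization; deciding membership in the quantum set in general needs the semi-definite programming hierarchy the slides describe.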

Statement of the problem

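$$r = \max\, p(a|x) \quad \text{subject to} \quad \sum_{a,b,x,y} c_{abxy}\, p(a,b|x,y) = \beta, \qquad p(a,b|x,y) \in Q$$

We have developed an asymptotically convergent series of sets approximating the quantum set.

$$r_n = \max\, p(a|x) \quad \text{subject to} \quad \sum_{a,b,x,y} c_{abxy}\, p(a,b|x,y) = \beta, \qquad p(a,b|x,y) \in Q_n$$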

Experimental realization

• The two-box scenario is performed by two atomic particles located in two distant traps.

• Using our theoretical techniques, we can certify that 42 new random bits are generated in the experiment.

• It is the first time that randomness generation is certified without making any detailed assumption about the internal working of the devices.

Concluding Remarks

Quantum correlations

• Hierarchy of necessary conditions for detecting the quantum origin of correlations.

• Each condition can be mapped into an SDP problem.

• How does this picture change if we fix the dimension of the quantum system?

• Are all finite correlations achievable measuring finite-dimensional quantum systems?

Device-Independent QKD

• Classical cryptography is based on computational security. Quantum computers may change what we understand today as a hard problem.

• Quantum Key Distribution is based on physical laws.

• Standard protocols require good control of the devices.

• It seems possible to construct QKD protocols whose security does not require any assumption on the devices.

• General security proofs?

• The implementation of these protocols using current technology is still a challenge!

• Hybrid scenarios: partial control of the devices suffices.

Random Numbers from Bell’s Theorem

• Randomness can be derived from non-local quantum correlations.

• The obtained randomness is certifiable, private and device-independent.

• It represents a novel application of Quantum Information Theory, solving a task whose classical realization is, at least, unclear.

• These techniques allow quantifying the intrinsic quantum randomness generated in Bell tests.

• General security proof?

• More efficient schemes for generation?