Application of quantum universal composability theorem

Post on 28-Dec-2015


Outline:

1. Motivation: e.g. is QKD secure?
2. Tool: universal composability
3. Application 1: composability of QKD
4. Application 2: composability of variants of quantum authentication + key recycling

Recitation session for the workshop, following the same outline. Related talks: Unruh’s talk and Renner’s talk (the composability tool and the QKD application), Oppenheim’s talk (quantum authentication + key recycling).

- Easier talk, since the audience is well acquainted with the subject.
- Can work through a couple of examples in detail.
- The results are actually complementary!

- No surprise.
- Too repetitive for some, too brief for others.

Give me hints throughout the talk which case it is. (No need to give the talk!)


Coauthors (numbers refer to the outline sections): Michael Ben-Or (2,3), Patrick Hayden (4), Michal Horodecki (3), Debbie Leung (3,4), Dominic Mayers (2,3,4), Jonathan Oppenheim (3).

Motivation: key degradation in repeated QKD (Bennett & Smolin)

QKD relies on authentication, and authentication uses a small key.

[Figure: Alice and Bob hold keys kA, kB with Eve in between. Each QKD round consumes part of the key for authentication and outputs new keys k’A, k’B, which are consumed in the next round, and so on.]

Composability: what do we mean by “unconditional security of QKD”?

[Figure: QKD between Alice and Bob outputs kA and kB; Eve holds kE.]

QKD is “unconditionally secure”: for every strategy of Eve such that Pr(generate key) is non-negligible: k kA kB, k random, I(KE:K) negligible.

- applicable only if Eve measures right after QKD to learn about k
- not if she delays measurement

Composability: a more serious example

[Figure: QKD gives Alice and Bob a shared key k; the key is then used for encryption (Alice applies Uk, Bob applies Uk†) over a channel that Eve observes.]

Is “QKD + encryption” secure??? More information may be gained from joint measurements (Peres, Wootters).

Unlocking accessible information by further classical communication: DiVincenzo, (M) Horodecki, L, Smolin, Terhal 0303088; Hayden, L, Shor, Winter 0307104.

Composability: a nightmare?

[Figure: Eve holds a state that depends on x (n bits). Measuring it right away gives O(log n) bits of info on x. Waiting for y, O(log n) bits of extra classical info, and only then measuring gives far more, of order n – O(log n).]

For QKD, let x = key, and let Eve’s state right after QKD be the state indexed by x. Let y = Eve’s classical info when the key is used classically. Knowing “I(kE:k) small” does not imply security of using the generated key in classical applications.

(Advertisement: Michal’s talk.)

Pre-conclusions:

1. Life can be bad: be ultra paranoid (about composability).
2. QKD is composable, fortunately (BUT REMEMBER TO USE a better security criterion, e.g. singlet fidelity, at least until acc is “vindicated”, if at all).

When is a cryptographic primitive “safe-to-use”? Wait ... used in what?

Universal Composability

Michael Ben-Or & Dominic Mayers 02. Alternative model by Unruh & Mueller-Quade.

Universal composability: general problem

[Figure: a protocol built from n nested subprotocols.]

How to define security of the subprotocols so that “reasonable composition” is secure?

Notations:
- a protocol
- the ideal task attempted by the protocol
- a protocol calling a subprotocol as subroutine, trying to perform (imperfectly) its ideal task

e.g. ideal task = perfect encryption or perfect key distribution; protocol = QKD, or encryption with a perfect key or a QKD key.

The security definition of protocols should imply secure basic composition: if the protocol and the subprotocol are both “secure” then their composition is “secure”.

Universal composable security definition.

Wanted: a security definition & security of composition, a pair of related concepts.

When is a protocol “secure”? If it is essentially indistinguishable from its ideal task ... as viewed by any adversary, when used in any application.

Wanted: a universal composable security definition s.t. if the protocol and the subprotocol are both “secure” then their composition is “secure”.

Env “E”: controlling all adversarial attacks & input/output.

[Figure: E is wired (IN/OUT) either to the real protocol or to the ideal task together with a simulator S(); in each case E outputs a bit z.]

z: output bit of E; it statistically reflects the difference between the real protocol and the ideal task.

Universal composable security definition: -s.r. if E (applications adversaries) S() s.t. | Pr( z=0 | ) – Pr( z=0 | S() ) | .

In words: a protocol securely realizes its ideal task up to the security parameter if for every environment E (applications and adversaries included) there is a simulator S() such that Pr(z=0) in the real run and Pr(z=0) in the ideal run with S() differ by at most that parameter.

CLAIM: using the above definition implies the basic composition: if the protocol and the subprotocol are both “secure” then their composition is “secure”, i.e. If - s.r. and -s.r. then ( ) -s.r.

Let the protocol call a subprotocol, trying to perform an ideal task.

Proof:

[Proof figure, in three steps. (1) E runs the protocol calling the real subprotocol. (2) The subprotocol is replaced by its ideal task plus simulator S(); this changes Pr(z=0) by at most the subprotocol’s parameter, because E together with the outer protocol is itself an environment for the subprotocol. (3) The outer protocol, now calling the ideal subprotocol, is replaced by its own ideal task plus simulator S(S()); this changes Pr(z=0) by at most the outer protocol’s parameter. The two differences add up.]

Universal composability theorem: recursive basic composition

Apply the above to replace the subprotocols one by one, from bottom to top.

Universal composable security definition: -s.r. if Env (applications adversaries) S() s.t. | Pr( z=0 | ) – Pr( z=0 | S() ) | .

Universal composability theorem: a protocol is secure if (i) each subprotocol satisfies the universal composable security definition and (ii) the protocol has a proper modular structure (e.g. a tree).

Punchlines

Application 1: composability of QKD

1. Composable security definition for QKD
2. Relation between composable & usual security definition
3. Sufficient conditions for the composable security definition for QKD
(2 & 3: QKD is composable)
4. Corollary: slow key degradation in repeated QKD

In the talk: privacy & uniformity condition only; the equality condition is omitted. (See the paper for the full treatment.)

Michael Ben-Or, Michal Horodecki, L, Dominic Mayers, Jonathan Oppenheim 02

Renner & König 04: alternative proof for composability of QKD by showing composability of quantum privacy amplification. Also: Christandl, Renner, & Ekert 04.

Application 1: composability of QKD

Authentication vs. ideal authentication; QKD vs. ideal key distribution (KD). Real QKD calls a composable authentication (e.g. Wegman-Carter 81) as a subroutine; it is s.r. if QKD with perfect authentication is composable, thus consider the latter.

Input: none. Output: key k, key length m (a random variable; m = 0 means “fail” or “abort”).

Best application for E: just accept k. Adversary: Eve (who gets k).

Ideal KD: contains a “perfect-key-generating-box” PKGB. An adversary inputs “m” and an m-bit key k will be distributed.

S(): a “fake” QKD that interacts with Eve. From the fake QKD, S() discards the key k’, takes m, and puts it into the PKGB in the ideal KD.

[Figure: real run: Eve attacks the QKD protocol, which outputs (k, m) to E, and E outputs z. Ideal run: Eve interacts with the fake QKD inside S(); S() feeds m to the PKGB; the ideal KD outputs (k”, m) to E, and E outputs z.]

E’s state in the two runs:

QKD = m pm mm m mk”:|k”|=m pk|m k”k” k”
= m pm mm mm = k:|k|=m 2m kk tr1 m

In words: in the real run the key (distribution pk|m given length m) is correlated with Eve’s state; in the ideal run the key is uniform over m-bit strings (weight 2^-m each) and Eve’s state is the reduced state tr1 of the real one, uncorrelated with the key.

Composable security condition: QKD -s.r. if | Pr( z=0 | ) – Pr( z=0 | ) | || QKD ||tr = m pm || m m ||tr .

Sufficient conditions for composable security:

1. Usual security: if m pm (KE:K | M=m) , then (2max(m)+2 ).
2. Small Holevo info of Eve: let Em = {pk|m , k}k:|k|=m. If m pm (Em) , then (2 ln2 ).
3. High singlet fidelity (if the proof is by EPP): let m be the state of Alice & Bob and m the m-singlet state. If m pm F(m ,m) 1 , then (assuming uniformity: pk|m 2m).

Security: correlation indistinguishable from none (equality + uniformity).

QKD does provide a key that can be safely used in quantum / classical applications designed to use a perfect key!!!

Bounds for Eve’s Holevo info or singlet fidelity may be tighter in the context of composability, compared to those for mutual info.

Proofs for the sufficient conditions are relations between correlation measures.
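To make the relation between the composable criterion and the usual mutual-information criterion concrete, here is an added worked example (mine, not from the slides or the paper), restricted to the case where Eve’s side information is classical, so the real and ideal states are both diagonal and the trace distance is an L1 distance between distributions. The toy model (an n-bit uniform key, Eve’s guess agreeing with each bit independently with probability 1/2 + eta) is constructed for illustration; the Pinsker-type bound sqrt(2 ln2 · I(K:E)) plays the role of the slide’s condition 2 and assumes the key is uniform.

```python
"""Composable vs. usual security of a QKD key, worked out for classical Eve.

Constructed toy model (not from the slides): an n-bit key k is uniform, and
Eve's guess e agrees with each key bit independently with probability
1/2 + eta.  eta = 0 means Eve knows nothing, eta = 1/2 means she knows k.
With classical Eve the real state rho_KE and the ideal state U_K (x) rho_E are
both diagonal, so their trace distance is the L1 distance between the joint
distribution p(k,e) and u(k) p(e).
"""
from itertools import product
from math import log, log2, sqrt


def toy_joint_distribution(n, eta):
    """p(k, e) for the toy model, keyed by (key bits, Eve's bits)."""
    assert 0.0 <= eta <= 0.5
    p_agree, p_disagree = 0.5 + eta, 0.5 - eta
    dist = {}
    for k in product((0, 1), repeat=n):
        for e in product((0, 1), repeat=n):
            agree = sum(ki == ei for ki, ei in zip(k, e))
            dist[(k, e)] = 2.0 ** -n * p_agree ** agree * p_disagree ** (n - agree)
    return dist


def marginals(dist):
    """Marginal distributions p(k) and p(e) of a joint distribution."""
    p_k, p_e = {}, {}
    for (k, e), p in dist.items():
        p_k[k] = p_k.get(k, 0.0) + p
        p_e[e] = p_e.get(e, 0.0) + p
    return p_k, p_e


def composable_distance(dist):
    """||rho_KE - U_K (x) rho_E||_tr = sum_{k,e} |p(k,e) - p(e)/#keys|.

    This is the quantity the composable condition bounds: the real
    key-plus-Eve state against a uniform key uncorrelated with Eve's state.
    """
    p_k, p_e = marginals(dist)
    n_keys = len(p_k)
    return sum(abs(p - p_e[e] / n_keys) for (k, e), p in dist.items())


def mutual_information_bits(dist):
    """I(K:E) in bits, the 'usual' security quantity."""
    p_k, p_e = marginals(dist)
    return sum(p * log2(p / (p_k[k] * p_e[e])) for (k, e), p in dist.items() if p > 0)


def pinsker_bound(mi_bits):
    """Trace-distance bound implied by I(K:E) when K is uniform: sqrt(2 ln2 * I).

    With uniform K, I(K:E) equals the relative entropy D(p_KE || u_K p_E), and
    Pinsker's inequality gives ||p_KE - u_K p_E||_1 <= sqrt(2 ln2 * D) for D in bits.
    """
    return sqrt(2 * log(2) * mi_bits)


def compare(n, eta):
    """Return (composable distance, I(K:E) in bits, Pinsker bound) for the toy model."""
    dist = toy_joint_distribution(n, eta)
    d = composable_distance(dist)
    mi = mutual_information_bits(dist)
    return d, mi, pinsker_bound(mi)


if __name__ == "__main__":
    for n in (1, 2, 4):
        for eta in (0.0, 0.1, 0.3, 0.5):
            d, mi, bound = compare(n, eta)
            print(f"n={n} eta={eta:.1f}  ||real-ideal||_tr={d:.4f}  "
                  f"I(K:E)={mi:.4f} bits  sqrt(2ln2*I)={bound:.4f}")
```

For n = 1 and eta = 0.1 the composable distance is 0.2 while I(K:E) is only about 0.029 bits, which is the point of the slide: the two criteria measure the same correlation on very different scales, and the bound relating them (here the Pinsker bound, about 0.2007) is what turns a small mutual information into a statement about indistinguishability from a perfect key.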

Punchlines

QKD relies on authentication; authentication uses a small key.

Corollary: key degradation in repeated QKD

[Figure: as in the motivation slide. Alice and Bob’s keys kA, kB are consumed round by round, producing k’A, k’B, and so on, with Eve in between.]

In particular, if -s.r. -s.r., then n rounds of repeated QKD is n() secure.

Authentication vs. ideal authentication; QKD vs. ideal key distribution.
Composable security of authentication (using a perfect key): known.
Composable security of QKD (using perfect authentication): to be proved.
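The slides name Wegman-Carter 81 as the composable authentication that QKD calls as a subroutine, and the corollary above is about the key that subroutine consumes every round. The following is an added example (mine, not from the slides or from Wegman and Carter’s paper) that shows the mechanism: a polynomial hash over the prime field GF(P) whose key a is reusable, plus a one-time pad b on the tag that is consumed per message. The field, the pad width, the block size and the key-pool bookkeeping are this example’s own choices.

```python
"""Wegman-Carter style authentication and the key it consumes per round.

Added example, not from the slides: the concrete choices (a polynomial hash
over the prime field GF(P), 61-bit pads, the key-pool bookkeeping) are this
example's own.

tag = h_a(message) + b (mod P): the hash key a may be reused across messages,
but b is a one-time pad and each authenticated message consumes a fresh one.
"""
from secrets import randbelow

P = (1 << 61) - 1      # Mersenne prime: hash values, pads and tags are 61-bit field elements
PAD_BITS = 61
BLOCK_BYTES = 7        # 56-bit blocks, always < P


def _blocks(message):
    """Split into field elements and append the length, so that messages of
    different lengths never reduce to the same polynomial."""
    padded = message + b"\x00" * (-len(message) % BLOCK_BYTES)
    blocks = [int.from_bytes(padded[i:i + BLOCK_BYTES], "big")
              for i in range(0, len(padded), BLOCK_BYTES)]
    blocks.append(len(message))
    return blocks


def poly_hash(a, message):
    """h_a(m) = sum_i m_i * a^(L-i) mod P, evaluated in Horner form.

    Two distinct L-block messages collide only if a is a root of a nonzero
    polynomial of degree <= L, i.e. with probability <= L/P over a random a.
    Changing a single block can never collide: the difference is a nonzero
    block times a nonzero power of a in a prime field.
    """
    acc = 0
    for blk in _blocks(message):
        acc = (acc + blk) * a % P
    return acc


def wc_tag(a, pad, message):
    return (poly_hash(a, message) + pad) % P


def wc_verify(a, pad, message, tag):
    return wc_tag(a, pad, message) == tag


class KeyPool:
    """Shared key material: one reusable hash key and a stock of one-time pads.

    Each authenticated message pops one pad; that is the 'consumed' key of the
    repeated-QKD picture, and a fresh QKD output is what refills the pool.
    """

    def __init__(self, a, pads):
        assert 1 <= a < P
        self.a = a
        self._pads = list(pads)
        self.consumed_bits = 0

    def remaining_bits(self):
        return PAD_BITS * len(self._pads)

    def next_pad(self):
        if not self._pads:
            raise RuntimeError("key pool exhausted: run QKD again before authenticating")
        self.consumed_bits += PAD_BITS
        return self._pads.pop(0)

    def refill(self, pads):
        self._pads.extend(pads)


def authenticate_rounds(pool, messages):
    """Tag each message with a fresh pad; returns [(message, pad, tag), ...].

    Raises RuntimeError as soon as the pool runs dry, mirroring a QKD session
    that cannot start its next round without key for authentication.
    """
    out = []
    for m in messages:
        pad = pool.next_pad()
        out.append((m, pad, wc_tag(pool.a, pad, m)))
    return out


def pad_reuse_leak(a, pad, m1, m2):
    """Why the pad must be fresh: with one pad on two messages, the difference
    of the tags equals h_a(m1) - h_a(m2), information the pad was meant to hide."""
    t1, t2 = wc_tag(a, pad, m1), wc_tag(a, pad, m2)
    return (t1 - t2) % P == (poly_hash(a, m1) - poly_hash(a, m2)) % P


if __name__ == "__main__":
    pool = KeyPool(1 + randbelow(P - 1), [randbelow(P) for _ in range(3)])
    rounds = authenticate_rounds(pool, [b"round 1 sifting data", b"round 2 sifting data"])
    for m, pad, tag in rounds:
        print(m, "tag ok:", wc_verify(pool.a, pad, m, tag))
    print("key consumed:", pool.consumed_bits, "bits; remaining:", pool.remaining_bits())
```

The pool accounting is the classical counterpart of the “consumed” arrows in the figure: the hash key is recycled, the pad is not, so each round of QKD must output at least PAD_BITS of fresh key per authenticated message to keep the next round going.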

Composability of “Quantum Auth + key recycling”

Patrick Hayden, L, Dominic Mayers 04

Oppenheim & Horodecki 03: proof for secure key recycling via bounds on information-theoretic quantities.

Qenc: Ambainis, de Wolf, Mosca, Tapp 00; Boykin, Roychowdhury 00; Hayden, L, Shor, Winter 03.

Quantum encryption (Qenc): encrypting quantum comm with a classical key k. [Figure: Alice applies Uk, Bob applies Uk†.] For every message state, averaging Uk ( · ) Uk† over k with probabilities pk gives the maximally mixed state on m qubits: , k pk (Uk Uk†) = m .

Key requirement: for an m-qubit message, 2m key bits if entangled or exact encryption; m + o(m) key bits if pure & approx encryption.

Quantum message authentication (QA): Barnum, Crépeau, Gottesman, Smith, Tapp 02. Authenticate quantum comm with a classical key: Pr( pass & the output state ’ differs from the input ) small. [Figure: Alice applies Ek, Bob applies Dk† and outputs pass/fail together with ’.] High fidelity between the input & ’, or the corresponding joint states if entangled.

Result: QA “key reuse if auth test passes (w/o privacy amplification)” is secure.

Eavesdropping a quantum state disturbs it.
1. QA always requires Qenc (BCGST 02). Can we eliminate this cost?
2. Add QA to Qenc; passing the auth test suggests no eavesdropping. Can we recycle the key?

Prob(authentication passes and eavesdropped) negligible. Key recycling: intuitive (BBBW82) & obvious? Hard to analyze joint attacks over different uses of the key.

2 interpretations of key recycling in QA; specific scheme in BCGST02.

Main ideas: 1. Redefine BCGST02 as BCGST02+KD. 2. Show BCGST02+KD composable (exploiting special structures of BCGST02).

Composability of “BCGST02+KD”: 1. Review BCGST02. 2. “Equate” BCGST02 & TQA (auth by teleportation). 3. Prove composability of TQA+KD = composability of “ebits”.

For the same token: 1. BCGST02’ for pure states using approx encryption for half the price. 2. Quantum composability of the Wegman-Carter scheme.

Scenario for BCGST02. Alice & Bob have: 1. Classical key. 2. Insecure quantum channel. 3. Forward classical channel (Alice → Bob) (WLOG authenticated). 4. No back comm (non-interactive, e.g. quantum storage).

We use 1 bit of back comm for key recycling, to tell Alice if auth passes. Still applies to quantum storage & not too interactive.

BCGST02: review

Shared keys x, z, y, t.

[Figure, time running downward; double lines = bits, single lines = qubits: Alice encodes the m-qubit message with the quantum code Ct, appends the syndrome ey, and encrypts (Qenc) with the m-bit keys x, z; the ciphertext crosses the insecure quantum channel; Bob decrypts with x, z, applies Dt,y and outputs pass/fail; if pass, Alice is told and the keys are recycled.]

Ct: quantum code encoding m qubits in (m+s) qubits. ey: added syndrome. t, y: s-bit keys, s << m.
Decode Ct & measure the syndrome y’. Output: if y ≠ y’, fail and 00...; else pass and the decrypted state.
Purity test (PT): out = ’ passpass00 failfail .

Equivalent picture: insecure q. channel + PT; if fail, Bob outputs nothing.

Security (pure for simplicity): Tr [ out ( passpassfailfail) ] , = 2^-(s-1) (m+s)/s .

Teleportation (BBCJPW 93)

[Figure: Alice performs a Bell measurement on the message and her half of a shared pair, obtaining outcome k, which she sends to Bob; Bob applies the correction indexed by k. Qenc is the same picture with k pre-shared as the key.]

BCGST02: review (shared keys x, z, y, t). Reduction to teleportation with imperfect EPR pairs.

[Figure: BCGST02, with the Qenc step drawn as “insecure q. channel + PT”, beside TQA: Alice and Bob first run the purity test PT on halves of Bell pairs sent through the insecure quantum channel; if fail, Bob outputs nothing; if pass, Alice teleports the message to Bob over a perfect classical channel, and the keys x, z of Qenc become Alice’s local Bell-measurement outcomes.]

Env sees no difference between BCGST02 & TQA: same state. PT only makes the maximally entangled state.

TQA + KD vs. QA + KD:

[Figure: real side: TQA followed by key distribution KD, i.e. PT on the channel, then Telep + KD; Eve’s attack acts on the channel; E outputs z. State: pp ’xzxz pass + pf 00 fail . Ideal side: ideal QA + KD with simulator S, i.e. ideal EPR, then Telep + KD; E outputs z. State: pp xzxz pass + pf 00 fail .]

Pr( z=0|BCGST02) = Pr( z=0|TQA), and
| Pr( z=0|TQA) – Pr( z=0|QA+KD) | ≤ | Pr( z=0|PT) – Pr( z=0|EPR) | , which is bounded by the 1/4 power of the purity-test security parameter.

Composability of PT: EPR from PT vs. ideal EPR.

[Figure: E interacts with PT (real) or with ideal EPR plus simulator S; each outputs pass/fail; E outputs z.]

PT = pacc ABE acc + prej 00AB E fail
Tr [ P trE(PT) ] for P = AB acc + AB fail
EPR = pacc AB E acc + prej 00AB E fail
| Pr( z=0|PT) – Pr( z=0|EPR) | ≤ Tr| PT – EPR | , bounded by the 1/4 power of the purity-test security parameter.

Bonus materials: lower bounds for QA & pure state authentication

Qenc: , k pk (Uk Uk†) = m ; key size 2m bits (Ambainis, de Wolf, Mosca, Tapp 00; Boykin, Roychowdhury 00).

APQenc: || (1/n) Σk Uk Uk† m ||tr ≤ ε ; key size m + o(m) bits (Hayden, L, Shor, Winter 03).

Correspondence: APQenc is to remote state preparation (approx, pure state) as Qenc is to teleportation.

Can we replace Qenc in BCGST02 by APQenc securely?

[Figure: teleportation: Bell measurement, k communicated to Bob after encoding; Bob’s state is encoded as a random k. Encryption: k shared in advance. Switching the communicated & the pre-shared turns the communication cost in teleportation into the key size in encryption.]

Remote state preparation (Bennett, Hayden, L, Shor, Winter 03): transmits an n-qubit pure state known to Alice using n + o(n) cbits of communication.

[Figure: RSP: Alice’s measurement on an approx pure state, k = communication, Bob applies Uk. Encryption: encode Bob’s state as a random Uk, k = key; approx pure state; non-oblivious pure state (Lo 99).]

Pure state authentication: reduction to RSP with imperfect EPR pairs.

[Figure: RSPQA: PT on shared pairs over the insecure channel; if fail, Bob outputs nothing; if pass, Alice measures M, sends k, and Bob applies Uk over a perfect channel. BCGST02 PURE,KNOWN: Uky applied in place of Qenc.]

Env sees little difference: approx the same state.

Conclusion

Composability – gives a prescription for organizing our security proofs into components, each simple and well-defined.

To achieve composable security, we find out what will make the proof work – it is a systematic method to select secure variations.

QKD & BCGST02 work better than we thought. How do the difficulties disappear?