Posted: 28-Dec-2015
Application of quantum universal composability theorem
1. Motivation: e.g. is QKD secure?
2. Tool: universal composability
3. Application 1: composability of QKD
4. Application 2: composability of variants of quantum authentication + key recycling
Recitation session for the workshop (same outline as above). Related talks, per outline item: 1. Unruh's talk, Renner's talk; 2. Unruh's talk; 3. Unruh's talk, Renner's talk; 4. Oppenheim's talk.
Speaker's notes: an easier talk, since the audience is well acquainted with the subject; a couple of examples can be worked through in detail; the results are actually complementary! Possible verdicts: no surprise; too repetitive for some; too brief for others. Give me hints throughout the talk which case it is. (Then there is no need to give the talk!)
Joint work with: Michael Ben-Or (2, 3), Patrick Hayden (4), Michał Horodecki (3), Debbie Leung (3, 4), Dominic Mayers (2, 3, 4), Jonathan Oppenheim (3); the numbers are the outline items each coauthor contributed to (2: the tool, 3: application 1, 4: application 2). MB, PH and DM are in the audience.
Motivation: key degradation in repeated QKD (Bennett & Smolin)
QKD relies on authentication, and authentication uses a small key.
[Figure: Alice and Bob run QKD with Eve on the channel; the round consumes the authentication keys k_A, k_B and produces new keys k'_A, k'_B, part of which the next round consumes again.]
Composability: what do we mean by "unconditional security of QKD"?
[Figure: QKD between Alice and Bob producing k_A and k_B, with Eve holding k_E.]
QKD is "unconditionally secure" if, for every strategy of Eve such that Pr(generate key) is non-negligible: k = k_A = k_B, k is random, and I(K_E : K) is negligible.
Caveat: this criterion is applicable only if Eve measures right after QKD to learn about k; not if she delays her measurement.
Composability: a more serious example
[Figure: QKD between Alice and Bob (Eve on the channel) produces k; the key is then used for encryption, U_k on Alice's side and U_k† on Bob's.]
Is "QKD + encryption" secure??? More information may be gained from joint measurements (Peres, Wootters).
Unlocking accessible information by further classical communication: DiVincenzo, (M.) Horodecki, Leung, Smolin, Terhal, quant-ph/0303088; Hayden, Leung, Shor, Winter, quant-ph/0307104.
Composability: a nightmare? (locking)
[Figure: x is an n-bit string and y an O(log n)-bit string; the state U_y|x⟩ is held by the adversary. Measuring it without y gives O(log n) bits of information about x; waiting for the extra classical information y and then measuring gives n − O(log n) bits of information, i.e. a lengthy key is exposed by a short message.]
For QKD, let x be the key and ρ_x Eve's state right after QKD. Let y be Eve's classical information obtained when the key is used classically. Knowing "I(K_E : K) small" does not imply security of using the generated key in classical applications.
(See also Michał's talk.)
Pre-conclusions:
1. Life can be bad: be ultra paranoid (about composability).
2. QKD is composable, fortunately. (BUT REMEMBER TO USE a better security criterion, e.g. singlet fidelity, at least until accessible information is "vindicated", if at all.)
When is a cryptographic primitive "safe to use"? Wait ... used in what?
Universal composability
Michael Ben-Or & Dominic Mayers 02. Alternative model by Unruh & Müller-Quade.
Universal composability: general problem
Notation: a protocol calls subprotocols 1, ..., n; each protocol has an ideal task it attempts; the outer protocol calls a subprotocol as a subroutine, trying to perform its own ideal task (imperfectly). E.g. ideal tasks: perfect encryption, perfect key distribution; protocols: QKD, or encryption with a perfect key or with a QKD key.
How to define the security of each subprotocol so that "reasonable composition" is secure?
The security definition of protocols should imply secure basic composition: if the outer protocol and the subprotocol are both "secure", then their composition is "secure".
Wanted: a security definition & security of composition, a pair of related concepts.
When is a protocol "secure"? If it is essentially indistinguishable from its ideal task, as viewed by any adversary when used in any application.
Wanted: a universal composable security definition such that if the outer protocol and the subprotocol are both "secure", then the composition is "secure".
Env "E": controlling all adversarial attacks & input/output.
[Figure: E, with IN/OUT wires, interacts either with the real protocol or with the ideal task behind a simulator S(); in both cases E outputs a bit z.]
z: output bit of E; it statistically reflects the difference between the real and the ideal view (partially ordered).
Universal composable security definition: a protocol ε-s.r. (ε-securely realizes) its ideal task if for every E (all applications and adversaries) there exists a simulator S() such that
| Pr(z=0 | real protocol) − Pr(z=0 | ideal task with S()) | ≤ ε.
CLAIM: using this definition implies secure basic composition. Let the outer protocol be one that calls a subprotocol as a subroutine, trying to perform its own ideal task. If the outer protocol (calling the ideal subtask) ε-s.r. its ideal task and the subprotocol ε'-s.r. its ideal subtask, then the composition (ε+ε')-s.r. the ideal task.
Proof: compare three executions under the same environment E, reading off Pr(z=0) in each:
(a) the real composition: the outer protocol calling the real subprotocol;
(b) the outer protocol calling the ideal subtask behind the subprotocol's simulator S'(); (a) and (b) differ by at most ε', since E together with the outer protocol is an environment for the subprotocol;
(c) the ideal task behind the composed simulator S()S'(); (b) and (c) differ by at most ε, since E together with S'() is an environment (application plus adversary) for the outer protocol.
Hence Pr(z=0) in (a) and (c) differ by at most ε+ε'. ∎
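The hybrid argument sketched on the slides, written out as an added derivation (the notation here is mine, not the slides': π is the outer protocol and π' the subprotocol it calls, σ and σ' their ideal tasks, π[ρ] is π run with ρ as its subroutine, and P_E(ρ) := Pr(z=0 | E interacts with ρ)):

```latex
\textbf{Definition.}\quad \pi' \text{ is } \epsilon'\text{-s.r. } \sigma'
\iff \forall E\ \exists S'(\cdot):\ \bigl|P_E(\pi') - P_E(S'(\sigma'))\bigr| \le \epsilon'.

\textbf{Hypotheses.}\quad \pi[\sigma'] \text{ is } \epsilon\text{-s.r. } \sigma
\quad\text{and}\quad \pi' \text{ is } \epsilon'\text{-s.r. } \sigma'.

\textbf{Step 1 (replace the subroutine).}\ \text{For any } E,\ E' := (E,\pi)
\text{ is an environment for } \pi', \text{ so}
\bigl|P_E(\pi[\pi']) - P_E(\pi[S'(\sigma')])\bigr|
  = \bigl|P_{E'}(\pi') - P_{E'}(S'(\sigma'))\bigr| \le \epsilon'.

\textbf{Step 2 (replace the outer protocol).}\ E'' := (E, S')
\text{ is an environment (application plus adversary) for } \pi[\sigma'],
\text{ so some } S \text{ gives}
\bigl|P_E(\pi[S'(\sigma')]) - P_E(S'(S(\sigma)))\bigr|
  = \bigl|P_{E''}(\pi[\sigma']) - P_{E''}(S(\sigma))\bigr| \le \epsilon.

\textbf{Triangle inequality.}\quad
\bigl|P_E(\pi[\pi']) - P_E(S'(S(\sigma)))\bigr| \le \epsilon + \epsilon',
\ \text{i.e. } \pi[\pi'] \text{ is } (\epsilon+\epsilon')\text{-s.r. } \sigma
\text{ with the composed simulator } S'(S(\cdot)).

\textbf{Recursion.}\quad \text{For a tree of subprotocols } \pi_1,\dots,\pi_n
\text{ with errors } \epsilon_1,\dots,\epsilon_n,
\text{ replacing the leaves first and moving up gives total error } \textstyle\sum_i \epsilon_i .
```

The only property of E used is that "E plus any protocol or simulator" is again an admissible environment; that closure is what the word "universal" buys, and it is why the errors simply add instead of compounding.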
Universal composability theorem: recursive basic composition
Apply the basic composition step above to replace the subprotocols one by one, from bottom to top.
Punchlines: a protocol is secure if (i) each subprotocol satisfies the universal composable security definition, and (ii) the composition has a proper modular structure (e.g. a tree).
Application 1: composability of QKD
1. Composable security definition for QKD
2. Relation between the composable & the usual security definition
3. Sufficient conditions for the composable security definition for QKD
(2 & 3: QKD is composable)
4. Corollary: slow key degradation in repeated QKD
In the talk: privacy & uniformity conditions only; the equality condition is omitted. (See the paper for the full treatment.)
Michael Ben-Or, Michał Horodecki, Leung, Dominic Mayers, Jonathan Oppenheim 02
Renner & König 04: alternative proof of the composability of QKD by showing the composability of quantum privacy amplification. Also: Christandl, Renner & Ekert 04.
Application 1: composability of QKD (security of QKD with ideal authentication)
Auth vs. ideal auth; QKD vs. ideal KD.
[Figure: the environment E, with Eve as the adversary, interacts with QKD (which outputs key k and length m) on the real side and with ideal KD on the ideal side; z is E's output bit in each case.]
QKD calls a composable authentication subroutine (e.g. Wegman–Carter 81): QKD with the real authentication is s.r. if QKD with ideal authentication is composable (thus consider the latter).
Input: none. Output: key k, key length m (a random variable; m = 0 means "fail" or "abort").
Best application for E: just accept k. Adversary: Eve (who holds ρ_k, a state correlated with k).
Ideal KD: contains a "perfect-key-generating-box" PKGB. An adversary inputs "m", and an m-bit key k will be distributed.
S(): a "fake" QKD that interacts with Eve. From the fake QKD it discards the key k', takes m, and puts m into the PKGB.
[Figure: on the ideal side Eve interacts with S() = fake QKD, producing k' (discarded) and m (fed to the PKGB), which outputs the key k'' to E.]
E's state:
real: $\rho_{\mathrm{QKD}} = \sum_m p_m\, |m\rangle\langle m| \otimes \rho_m$, with $\rho_m = \sum_{k:|k|=m} p_{k|m}\, |k\rangle\langle k| \otimes \rho_k$ (key & Eve's state correlated);
ideal: $\sigma = \sum_m p_m\, |m\rangle\langle m| \otimes \sigma_m$, with $\sigma_m = \sum_{k:|k|=m} 2^{-m}\, |k\rangle\langle k| \otimes \mathrm{tr}_1 \rho_m$ (key & Eve's state uncorrelated).
Composable security condition: QKD is ε-s.r. if
$|\Pr(z=0 \mid \rho) - \Pr(z=0 \mid \sigma)| \le \|\rho_{\mathrm{QKD}} - \sigma\|_{\mathrm{tr}} = \sum_m p_m\, \|\rho_m - \sigma_m\|_{\mathrm{tr}} \le \epsilon$.
Sufficient conditions for composable security:
1. Usual security: if $\sum_m p_m\, I(K_E : K \mid M=m) \le \epsilon$, then the composable error is at most $(2\max(m)+2)$ times a function of $\epsilon$ (see the paper for the exact form).
2. Small Holevo information of Eve: let $E_m = \{p_{k|m}, \rho_k\}_{k:|k|=m}$. If $\sum_m p_m\, \chi(E_m) \le \epsilon$, then the composable error is at most $\sqrt{2\ln 2\cdot\epsilon}$ (assuming uniformity: $p_{k|m} = 2^{-m}$).
3. High singlet fidelity (if the proof is by EPP): let $\rho_m$ be the state of Alice & Bob and $\Phi_m$ the m-singlet state. If $\sum_m p_m\, F(\rho_m, \Phi_m) \ge 1 - \epsilon$, then the composable error is correspondingly small.
Security: correlation indistinguishable from none (together with equality + uniformity).
QKD does provide a key that can be safely used in quantum / classical applications designed to use a perfect key!!!
Bounds for Eve's Holevo information or the singlet fidelity may be tighter in the context of composability, compared to those for mutual information.
The proofs of the sufficient conditions are relations between correlation measures.
Punchlines
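To make the composable criterion concrete, here is an added worked example in Python (my own constructed toy model, not code from the talk or the paper). It builds the real key/Eve state and the ideal "uniform key, independent Eve" state for m key bits, computes the trace distance between them (the composable error), Eve's Holevo quantity with the Pinsker-type bound of sufficient condition 2, and, for comparison, the mutual information Eve gets from a fixed measurement made right after QKD (the "usual" criterion). The model, the angle parameter `alpha`, and the pure-Python Jacobi eigenvalue solver are all assumptions of the example; it generalizes beyond the slide by working for any m.

```python
"""Composable security of a distributed key on a constructed toy model (added example).

Model (constructed, not from the talk): m uniformly random key bits; for key bit b Eve
keeps a qubit in the pure state |e_b> = cos(a/2)|0> + (-1)^b sin(a/2)|1>, so that
<e_0|e_1> = cos(a); her state rho_k for key k is the product of the per-bit states.
Pure Python: a Jacobi eigenvalue solver handles the 2^m x 2^m real symmetric matrices.
"""
import math
from itertools import product

LN2 = math.log(2)

def kron(a, b):
    """Kronecker product of real square matrices given as lists of rows."""
    n, p = len(a), len(b)
    return [[a[i // p][j // p] * b[i % p][j % p] for j in range(n * p)] for i in range(n * p)]

def lin(a, b, sa, sb):
    """sa*a + sb*b for equally shaped matrices."""
    return [[sa * x + sb * y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def sym_eigvals(a, tol=1e-22, max_sweeps=60):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations."""
    n = len(a)
    a = [row[:] for row in a]
    for _ in range(max_sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(i + 1, n)) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-300:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1.0))
                c = 1.0 / math.hypot(t, 1.0)
                s = t * c
                for k in range(n):                      # A <- A J
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):                      # A <- J^T A
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [a[i][i] for i in range(n)]

def entropy(rho):
    """Von Neumann entropy in bits (zero eigenvalues skipped)."""
    return -sum(l * math.log2(l) for l in sym_eigvals(rho) if l > 1e-12)

def trace_norm(a):
    """||a||_tr = sum of |eigenvalues| for symmetric a."""
    return sum(abs(l) for l in sym_eigvals(a))

def eve_qubit(bit, alpha):
    """|e_bit><e_bit| as a 2x2 real matrix."""
    v = (math.cos(alpha / 2), (-1) ** bit * math.sin(alpha / 2))
    return [[v[i] * v[j] for j in range(2)] for i in range(2)]

def cq_state(m, alpha):
    """Blocks {k: (p_k, rho_k)} of the real key/Eve state, plus Eve's marginal rho_E."""
    blocks, dim = {}, 2 ** m
    rho_E = [[0.0] * dim for _ in range(dim)]
    for k in product((0, 1), repeat=m):
        rho = [[1.0]]
        for bit in k:
            rho = kron(rho, eve_qubit(bit, alpha))
        blocks[k] = (1.0 / dim, rho)
        rho_E = lin(rho_E, rho, 1.0, 1.0 / dim)
    return blocks, rho_E

def composable_distance(m, alpha):
    """||rho_real - sigma_ideal||_tr with rho_real = sum_k p_k |k><k| (x) rho_k and
    sigma_ideal = sum_k 2^-m |k><k| (x) rho_E (uniform key, independent of Eve).
    Both are block diagonal in k, so the norm is the sum of the block norms."""
    blocks, rho_E = cq_state(m, alpha)
    return sum(trace_norm(lin(rho, rho_E, p, -2.0 ** -m)) for p, rho in blocks.values())

def holevo_information(m, alpha):
    """chi = S(rho_E) - sum_k p_k S(rho_k)  (Eve's rho_k are pure here)."""
    blocks, rho_E = cq_state(m, alpha)
    return entropy(rho_E) - sum(p * entropy(rho) for p, rho in blocks.values())

def pinsker_bound(chi):
    """sqrt(2 ln2 chi): the trace-distance bound from the Holevo quantity (uniform key)."""
    return math.sqrt(2 * LN2 * chi)

def measured_mutual_information(m, alpha, beta):
    """I(K;Y) in bits if Eve measures every qubit right after QKD in the basis
    {cos(beta/2)|0> + sin(beta/2)|1>, its complement}: the 'usual' criterion."""
    v0 = (math.cos(beta / 2), math.sin(beta / 2))
    basis = (v0, (-v0[1], v0[0]))

    def prob(bit, out):                                 # |<v_out|e_bit>|^2
        e = (math.cos(alpha / 2), (-1) ** bit * math.sin(alpha / 2))
        return (basis[out][0] * e[0] + basis[out][1] * e[1]) ** 2

    strings = list(product((0, 1), repeat=m))
    p_y, h_y_given_k = {}, 0.0
    for k in strings:
        for y in strings:
            pr = math.prod(prob(b, o) for b, o in zip(k, y))
            p_y[y] = p_y.get(y, 0.0) + pr / 2 ** m
            if pr > 1e-15:
                h_y_given_k -= pr * math.log2(pr) / 2 ** m
    return -sum(p * math.log2(p) for p in p_y.values() if p > 1e-15) - h_y_given_k

if __name__ == "__main__":
    m, a = 2, math.pi / 3
    chi = holevo_information(m, a)
    print(composable_distance(m, a), chi, pinsker_bound(chi),
          measured_mutual_information(m, a, 0.0), measured_mutual_information(m, a, math.pi / 2))
```

With alpha = π/3 and one key bit the numbers illustrate the slide's caveat: a Z-basis measurement made right after QKD gives Eve zero mutual information, the Helstrom (X-basis) measurement gives about 0.65 bits, yet the composable distance is sin(π/3) ≈ 0.87 and the Holevo quantity is 0.81 bits, so judging the key by what one immediate measurement reveals is not the right criterion, while the Holevo-based bound sqrt(2 ln2 · chi) does dominate the composable distance for every m.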
Corollary: key degradation in repeated QKD
QKD relies on authentication, and authentication uses a small key.
[Figure: repeated rounds of QKD between Alice and Bob with Eve on the channel; each round consumes the authentication keys k_A, k_B and produces k'_A, k'_B, which seed the next round, and so on.]
Authentication vs. ideal authentication: the composable security of authentication (using a perfect key) is known.
QKD vs. ideal key distribution: the composable security of QKD (using perfect authentication) is what was to be proved, and is proved above.
In particular, if authentication is ε-s.r. ideal authentication and QKD is δ-s.r. ideal key distribution, then n rounds of repeated QKD are n(ε+δ)-secure: the error grows only linearly in the number of rounds.
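The authentication QKD relies on is classical Wegman–Carter, and the "small key" it consumes is what the corollary accounts for. As an added example (not the talk's material), here is a Wegman–Carter MAC over GF(P) with the key split the way the key-recycling argument needs: a hash key that is reused across rounds and a one-time pad that is consumed per message, plus the attack that shows why the pad part can never be recycled. The field prime P = 2^61 − 1, the 7-byte block size and the pad size are assumptions of the example.

```python
"""Wegman-Carter authentication with key recycling: the accounting of which key bits
each authenticated message consumes.  Added example; assumed parameters (not from the
talk): field GF(P) with P = 2^61 - 1, 7-byte hash blocks, one 61-bit pad per message."""
import secrets

P = (1 << 61) - 1      # Mersenne prime; a 56-bit block is always < P
BLOCK = 7              # message bytes per hash block
PAD_BITS = 61          # fresh key bits consumed per tag

def to_blocks(msg):
    """Split msg into 56-bit integers; the byte length is appended as a last block
    so that messages differing only by trailing zero bytes hash differently."""
    blocks = [int.from_bytes(msg[i:i + BLOCK], "big") for i in range(0, len(msg), BLOCK)]
    return blocks + [len(msg)]

def poly_hash(msg, k1):
    """h_{k1}(msg) = sum_i b_i * k1^i (mod P): a polynomial universal hash."""
    h, kpow = 0, 1
    for b in to_blocks(msg):
        kpow = kpow * k1 % P
        h = (h + b * kpow) % P
    return h

class WegmanCarter:
    """Alice's and Bob's shared authentication state."""

    def __init__(self, pad_pool):
        self.k1 = 1 + secrets.randbelow(P - 1)   # reusable hash key
        self.pads = list(pad_pool)               # one-time pads, ints < P
        self.used = 0                            # index of the next fresh pad

    def tag(self, msg):
        """Authenticate msg, consuming one pad.  Returns (tag, pad index)."""
        if self.used >= len(self.pads):
            raise RuntimeError("authentication key exhausted: run QKD again first")
        idx = self.used
        self.used += 1
        return (poly_hash(msg, self.k1) + self.pads[idx]) % P, idx

    def verify(self, msg, tag, idx):
        return (poly_hash(msg, self.k1) + self.pads[idx]) % P == tag

    def refill(self, fresh_pads):
        """Key recycling across rounds: new pads (e.g. part of the key a later QKD
        round produced) are added, while the hash key k1 stays in use."""
        self.pads.extend(fresh_pads)

    def consumed_bits(self):
        return self.used * PAD_BITS

def recover_k1_from_pad_reuse(m1, t1, m2, t2):
    """What goes wrong if a pad is reused: for two distinct single-block messages of
    equal length, t1 - t2 = (b1 - b2) * k1 (mod P), so the hash key is exposed."""
    b1, b2 = to_blocks(m1)[0], to_blocks(m2)[0]
    return (t1 - t2) * pow((b1 - b2) % P, P - 2, P) % P

def forge_after_pad_reuse(m1, t1, m2, t2, new_msg):
    """With k1 known, the pad is t1 - h(m1) and any message can be tagged."""
    k1 = recover_k1_from_pad_reuse(m1, t1, m2, t2)
    pad = (t1 - poly_hash(m1, k1)) % P
    return (poly_hash(new_msg, k1) + pad) % P

if __name__ == "__main__":
    wc = WegmanCarter([secrets.randbelow(P) for _ in range(4)])   # pads from "QKD"
    t, i = wc.tag(b"basis choices, round 1")
    print(wc.verify(b"basis choices, round 1", t, i), wc.consumed_bits(), "bits consumed")
```

Each QKD round therefore has to hand PAD_BITS fresh bits per authenticated message back to the pool, which is exactly the key degradation the corollary bounds; the hash key is the part that the composable analysis allows to be kept.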
Composability of "quantum authentication + key recycling"
Patrick Hayden, Leung, Dominic Mayers 04
Oppenheim & Horodecki 03: proof of secure key recycling via bounds on information-theoretic quantities.
Qenc: Ambainis, de Wolf, Mosca, Tapp 00; Boykin, Roychowdhury 00; Hayden, Leung, Shor, Winter 03.
Quantum encryption (Qenc)
[Figure: Alice applies U_k, Bob applies U_k†.]
Encrypting quantum communication with a classical key k: for every m-qubit ρ, $\sum_k p_k\, U_k \rho U_k^\dagger = I/2^m$ (the maximally mixed state).
Key requirement: for an m-qubit message, 2m key bits if entangled or exact encryption; m + o(m) key bits if pure & approximate encryption.
Quantum message authentication (QA): Barnum, Crépeau, Gottesman, Smith, Tapp 02
[Figure: Alice applies E_k; Bob applies D_k and outputs pass/fail together with a state ρ'.]
Authenticate quantum communication with a classical key: Pr(pass & ρ' far from ρ) is small, i.e. high fidelity between ρ and ρ' (or between the corresponding joint states, if entangled) whenever the test passes.
Result: QA with "key reuse if the authentication test passes (without privacy amplification)" is secure.
Eavesdropping on a quantum state disturbs it.
1. QA always requires Qenc (BCGST 02). Can we eliminate this cost?
2. Add QA to Qenc: passing the authentication test suggests no eavesdropping. Can we recycle the key?
Prob(authentication passes and eavesdropped) is negligible. Key recycling: intuitive (BBBW82) & obvious? Hard to analyze joint attacks over different uses of the key.
Two interpretations of key recycling in QA; here: the specific scheme in BCGST02.
Main ideas: 1. Redefine BCGST02 as BCGST02+KD. 2. Show BCGST02+KD composable (exploiting special structures of BCGST02).
Composability of "BCGST02+KD"
1. Review BCGST02. 2. "Equate" BCGST02 & TQA (authentication by teleportation). 3. Prove composability of TQA+KD = composability of "ebits".
For the same token: 1. BCGST02' for pure states using approximate encryption, for half the price. 2. Quantum composability of the Wegman–Carter scheme.
Scenario for BCGST02. Alice & Bob have: 1. a classical key; 2. an insecure quantum channel; 3. a forward classical channel (Alice → Bob), WLOG authenticated; 4. no back communication (non-interactive, e.g. quantum storage).
We use 1 bit of back communication for key recycling: to tell Alice whether authentication passed. This still applies to quantum storage & is not too interactive.
BCGST02: review
Shared keys x, z, y, t. m-qubit message. x, z: m-bit keys for Qenc (Pauli one-time pad X^x Z^z). C_t: quantum code encoding m qubits in (m+s) qubits. e_y: added syndrome. t, y: s-bit keys, s << m.
[Figure: time runs left to right; double lines are bits, single lines qubits. Alice encrypts with X^x Z^z, encodes with C_t and the syndrome e_y, and sends over the insecure quantum channel; Bob decodes with D_{t,y}, decrypts with Z^z X^x, and outputs pass/fail plus the state ρ'; if pass, one bit goes back to Alice.]
Bob: decode C_t & measure the syndrome y'. Output: if y ≠ y', fail (and |0⟩⟨0|, i.e. Bob outputs nothing); else pass and the decrypted state.
The code and syndrome check act as a purity test (PT): the insecure quantum channel followed by PT.
$\rho_{\mathrm{out}} = \rho' \otimes |\mathrm{pass}\rangle\langle\mathrm{pass}| + |0\rangle\langle 0| \otimes |\mathrm{fail}\rangle\langle\mathrm{fail}|$
Security (pure input $|\psi\rangle$ for simplicity): $\mathrm{Tr}\bigl[\rho_{\mathrm{out}}\,(|\psi\rangle\langle\psi| \otimes |\mathrm{pass}\rangle\langle\mathrm{pass}| + |0\rangle\langle 0| \otimes |\mathrm{fail}\rangle\langle\mathrm{fail}|)\bigr] \ge 1 - \epsilon$, with $\epsilon = 2^{-(s-1)}\,(m+s)/s$.
Teleportation (BBCJPW 93)
[Figure: Alice and Bob share a Bell pair; Alice's Bell measurement on the message and her half gives outcome k, sent to Bob, who applies the Pauli correction; the teleported qubit looks to an observer like Qenc with key k.]
Reduction to teleportation with imperfect EPR pairs. TQA (authentication by teleportation):
[Figure: the purity test PT is run on halves of EPR pairs sent over the insecure quantum channel; if it passes, Alice teleports the message (CNOT, H, measurement) and sends the outcomes x, z over the perfect classical channel; Bob applies Z^z X^x and outputs ρ'; if fail, Bob outputs nothing.]
Env sees no difference between BCGST02 & TQA: in BCGST02 the keys x, z and the encoding are Alice's local operations, and PT only makes a maximally entangled state, so both produce the same state for the environment.
Composability of TQA+KD (KD: the key is kept if PT passes)
[Figure: real side: PT on EPR halves over the insecure channel with Eve attacking, then teleportation + KD over the classical channel CC; ideal side: ideal EPR pairs, then teleportation + KD, with simulator S; E outputs z in both cases. The state after PT is $p_p\, \rho' \otimes |\mathrm{pass}\rangle\langle\mathrm{pass}| + p_f\, |00\rangle\langle 00| \otimes |\mathrm{fail}\rangle\langle\mathrm{fail}|$, with the Pauli frame x, z on both sides.]
Pr(z=0 | BCGST02) = Pr(z=0 | TQA), and
$|\Pr(z=0 \mid \mathrm{TQA}) - \Pr(z=0 \mid \mathrm{QA{+}KD})| \le |\Pr(z=0 \mid \mathrm{PT}) - \Pr(z=0 \mid \mathrm{EPR})| \le \epsilon^{1/4}$,
so the composability of TQA+KD reduces to the composability of PT.
Composability of PT: EPR from PT vs. ideal EPR.
$\rho_{\mathrm{PT}} = p_{\mathrm{acc}}\, \rho_{ABE}^{\mathrm{acc}} \otimes |\mathrm{acc}\rangle\langle\mathrm{acc}| + p_{\mathrm{rej}}\, |00\rangle\langle 00|_{AB} \otimes \rho_E^{\mathrm{fail}} \otimes |\mathrm{fail}\rangle\langle\mathrm{fail}|$
PT guarantees $\mathrm{Tr}[P\, \mathrm{tr}_E(\rho_{\mathrm{PT}})] \ge 1 - \epsilon$ for $P = \Phi_{AB} \otimes |\mathrm{acc}\rangle\langle\mathrm{acc}| + |00\rangle\langle 00|_{AB} \otimes |\mathrm{fail}\rangle\langle\mathrm{fail}|$.
$\rho_{\mathrm{EPR}} = p_{\mathrm{acc}}\, \Phi_{AB} \otimes \rho_E^{\mathrm{acc}} \otimes |\mathrm{acc}\rangle\langle\mathrm{acc}| + p_{\mathrm{rej}}\, |00\rangle\langle 00|_{AB} \otimes \rho_E^{\mathrm{fail}} \otimes |\mathrm{fail}\rangle\langle\mathrm{fail}|$
$|\Pr(z=0 \mid \mathrm{PT}) - \Pr(z=0 \mid \mathrm{EPR})| \le \mathrm{Tr}\,|\rho_{\mathrm{PT}} - \rho_{\mathrm{EPR}}| \le \epsilon^{1/4}$.
Bonus materials: lower bounds for QA & pure state authentication
Qenc: $\sum_k p_k\, U_k \rho U_k^\dagger = I/2^m$; key size 2m bits (Ambainis, de Wolf, Mosca, Tapp 00; Boykin, Roychowdhury 00).
APQenc (approximate encryption of pure states): $\bigl\| \tfrac{1}{n} \sum_k U_k \rho U_k^\dagger - I/2^m \bigr\|_{\mathrm{tr}} \le \epsilon$; key size m + o(m) bits (Hayden, Leung, Shor, Winter 03).
Correspondence: APQenc ↔ approximate pure-state remote state preparation; Qenc ↔ teleportation.
Switching the communicated & the pre-shared randomness: in teleportation, k (the Bell-measurement outcome) is communicated to Bob after encoding, and this is the communication cost; in encryption, k is shared in advance and encodes Bob's state as a random U_k, and this is the key size. [Figure: the two circuits side by side, with k on the classical wire in one and k as the shared key in the other.]
Remote state preparation (Bennett, Hayden, Leung, Shor, Winter 03): transmits an n-qubit pure state known to Alice using n + o(n) cbits of communication (non-oblivious pure-state RSP: Lo 99). With U_k on n qubits, k is the communication in RSP and the key in APQenc, for the same approximately random state.
Can we replace Qenc in BCGST02 by APQenc securely?
Pure state authentication: reduction to RSP with imperfect EPR pairs. RSPQA:
[Figure: PT on EPR halves; if pass, Alice's RSP measurement M yields k, sent to Bob, who applies U_k and outputs ρ'; if fail, Bob outputs nothing.]
Env sees little difference between BCGST02 for pure, known states (encrypted with U_k and syndrome y) and RSPQA: RSP gives approximately the same state, PT produces the maximally entangled state, and the rest is local to Alice plus a perfect classical channel.
Conclusion
Composability gives a prescription for organizing our security proofs into components, each simple and well defined.
To achieve composable security we find out what makes the proof work; it is a systematic method for selecting secure variations.
QKD & BCGST02 work better than we thought. How do the difficulties disappear?