Application of quantum universal composability theorem 1. Motivation : e.g. is QKD secure? 2. Tool :...

Application of quantum universal composability theorem 1. Motivation : e.g. is QKD secure? 2. Tool : universal composability

3. Application 1: composability of QKD4. Application 2: composability of variants of

quantum authentication + key recycling

Recitation session for the workshop 1. Motivation : e.g. is QKD secure? 2. Tool : universal composability



Unruh’s talk, Renner’s talkUnruh’s talkUnruh’s talk, Renner’s talk

Oppenheim’s talk

Easier talk since the audience are well acquainted with the subject Can work through a couple of examples in detail The results are actually complementary !

No surprise Too repetitive for some Too brief for others

Give me hints throughout the talk which case it is.

No need to give the talk !







Michael Ben-Or 2,3 Patrick Hayden 4

Michal Horedecki 3 Debbie Leung 3,4

Dominic Mayers 2,3,4 Jonathan Oppenheim 3

MB PH DM

audience

QKD relies on authentication, auth uses a small key

Motivation : key degradation in repeated QKD (Bennett & Smolin)

Alice BobEve

kBkA

k ’Bk ’A

consumed

consumed

consumed

consumed

Composability : What do we mean by “unconditional security of QKD”?

QKD:

Alice Bob

kBkA kE

QKD is “unconditionally secure” :

Eve’s strategy s.t. Pr(generate key) is non-negligible k kA kB

k randomI(KE:K) negligible

Eve

- applicable only if Eve measures right after QKD to learn about k- not if she delays measurement

QKD:

Alice BobEve

kk

Uk Uk†Encryption:

Composability : A more serious example

Is “QKD + encryption” secure ??? More information may be gained from joint measurements (Peres,Wootters)

Unlocking accessible information by further classical communication DiVincenzo, (M) Horedecki, L, Smolin, Terhal 0303088, Hayden, L, Shor, Winter 0307104

Composability : A nightmare?

Uyxmeas

y nnfo on x : O(log n)

Waiting for y : extra info y – n O(log n) = , lengthy

For QKD, let x = key, x = Eve’s state right after QKD. Let y = Eve’s classical info when key is used classically . Knowing “I(kE:k) small” does not imply security of using the generated key in classical applications.

y : extra classicalinfo

ymeas

Uyx

x = n bits, y = O(log n) bits

Advertise:Michal’s talk

Pre-conclusions :

1. Life can be bad -- be ultra paranoid (about composability)

2. QKD is composable, fortunately(BUT REMEMBER TO USE better security criterion e.g. singlet-fidelity ...

at least until acc is “vindicated”, if at all.)

When is a crytographic primitive “safe-to-use”?Wait ... used in what?

Universal Composability

Michael Ben-Or & Dominic Mayers 02

Alternative model by Unruh & Mueller-Quade

Universal composability : general problem

Protocol

n

How to define security of i so that “reasonable composition” is secure ?

i : subprotocols

Notations:

: protocol

Security definition of protocols should imply secure basic composition

If & both “secure” then is “secure”

Composable security definition. Universal

: ideal task attempted by

: protocol calling as subroutine, trying to perform (imperfectly)

.....

e.g. = perfect encryption, = perfect key distribution, = QKD or= encryption with perfect key or QKD key .

Wanted :

Security definition & security of composition: a pair of related concepts

e.g. ,

When is a protocol “secure”? If is essentially indistinguishable from

... as viewed by any adversary when used in any application

Wanted: Universal composable security definition s.t.


Env “E ” : controlling all adversarial attacks & input / output

E

IN OUT

z

IN OUT

z

E

?

z : output bit of E

Partially ordered

statistically reflects the difference between

When is a protocol “secure”? If is essentially indistinguishable from

... as viewed by any adversary when used in any application

IN OUT

E

IN OUT

S()

zz


IN OUT

E



z : output bit of E statistically reflects the difference between

IN OUT

E

IN OUT

S()

zz


IN OUT

E

-s.r. if E (applications adversaries) S() s.t. | Pr( z=0 | ) – Pr( z=0 | S() ) | .

z : output bit of E statistically reflects the difference between

When is a protocol “secure”?



Universal composable security definition


CLAIM: using the following

will imply the basic composition

If & both “secure” then is “secure” If - s.r. and -s.r. then ( ) -s.r. .

Let be a protocol calling subprotocol , trying to perform

If - s.r. and -s.r. then ( ) -s.r. .

Proof:

Universal composable security definition secure basic composition

IN OUT

E z

-s.r. Pr(z=0 | ) Pr(z=0 | )

differ by

Universal composable security definition secure basic composition Let be a protocol calling subprotocol , trying to perform


Proof:

IN OUT

E z

E

IN OUT

z

S()

E

E

Pr(z=0 | ) Pr(z=0 | ) Pr(z=0 | ) -s.r.

differ by



Proof:

IN OUT

E z

-s.r.

differ by

IN OUT

z

S()

E

E

IN OUT

z

S()S()

E

E

S()

Pr(z=0 | ) Pr(z=0 | ) Pr(z=0 | ) -s.r.

differ by



Proof:

IN OUT

E z

-s.r.

differ by

IN OUT

zE

S()S()

differ by

Universal composability theorem : recursive basic composition

Apply above to replace i one by onefrom bottom to top.


implies security of basic composition : If - s.r. and -s.r.

then ( ) -s.r. .



implies security of basic composition : If - s.r. and -s.r. then ( ) -s.r. .



















Universal composable security definition: -s.r. if Env (applications adversaries)

S() s.t. | Pr( z=0 | ) – Pr( z=0 | S() ) | .

is secure if (i) each subprotocol satisfies universal composable security definition(ii) proper modular structure (e.g. tree)

Universal composability theorem:

Punchlines

Application 1 : composability of QKD1. Composable security definition for QKD2. Relation between composable & usual security definition3. Sufficient conditions for composable security defintion for QKD

2 & 3 QKD is composable4. Corollary: slow key degradation in repeated QKD

In the talk: privacy & uniformity condition only, omit equality condition. (See paper for full treatment.)

Michael Ben-Or, Michal Horedecki, L, Dominic Mayers, Jonathan Oppenheim 02

Renner & Konig 04 : alternative proof for composability of QKD by showing composability of quantum privacy amplicationAlso : Christandl, Renner, & Ekert 04

Application 1: Composability of QKD (security of )Auth: Ideal auth:

QKD: Ideal KD :

QKD

QKD

k,m

E Eve z

k

QKD: where = composable authentication (e.g. Wegman-Carter 81)

s.r if is composable (thus consider the latter)

Input : noneOutput : key k, key length m (random variable, m=0 means “fail” or “abort”)

Best application for E : just accept kAdversary: Eve (who gets k)

k,m


QKD: Ideal KD :

QKD

QKD Ideal KD :

k,m

E Eve zz

k

m

Ideal KD: Contains a “perfect-key-generating-box” PKGB An adversary inputs “m” and an m-bit key k will be distributed.

S() : “Fake” QKD that interacts with EveFrom fake QKD: discards key k’ & takes m & puts in PKGB in

Eve

k’

E

QKD

k ’

S()

k,m


QKD: Ideal KD :

QKD

QKD Ideal KD :

k”,m

E Eve zz

k”

m

Eve

k’

E

QKD

k ’

S()

QKD = m pm mm m

mk”:|k”|=m pk|m k”k” k”

= m pm mm mm = k:|k|=m 2m kk tr1 m

QKD-s.r. if| Pr( z=0 | ) – Pr( z=0 | ) | || QKD ||tr

= m pm || m m ||tr

E ’s state:

composable security condition

key & Eve’s state correlated key & Eve’s state uncorrelated


QKD: Ideal KD :

mk:|k|=m pk|m kk k

m = k:|k|=m 2m kk tr1 m

QKD-s.r. ifm pm || m m ||tr

Sufficient conditions for composable security: 1. Usual security

If m pm (KE:K | M=m) , then, (2max(m)+2 )

2. Small Holevo info of EveLet Em = {pk|m , k}k:|k|=m

If m pm (Em) , then, (2 ln2 )

3. High singlet fidelity (if proof by EPP)Let m be state of Alice & Bob , m m-singlet stateIf m pm F(m ,m) 1 , then,

(assuming uniformity : pk|m 2m)

Security : correlation indistinguishable from none

equality +uniformity

QKD does provide a key that can be safely used in quantum / classical applications designed to use a perfect key !!!

Bounds for Eve’s Holevo info or singlet fidelity may be tighter in the context of composability, compared to those for mutual info

Proofs for sufficient conditions are relations between corelation measures

Punchlines

QKD relies on authentication, auth use a small key

Corollary : key degradation in repeated QKD

Alice BobEve

kBkA

k ’Bk ’A

consumed

consumed

consumed

consumed

. . .

. . .

. . .

In particular, if -s.r. -s.r.

n rounds of repeated QKD is n() secure

Authentication Ideal authentication:

QKD Ideal key distribution:

Composable security of auth (using perfect key) known

Composable security of QKD (using perfect auth) to be proved

Corollary : key degradation in repeated QKD

Composability of “Quantum Auth + key recycling”

Patrick Hayden, L, Dominic Mayers 04

Oppenheim & Horodecki 03 : proof for secure key recycling via bounds on information theoretic quantities

Qenc : Ambainis, deWolf, Mosca, Tapp 00, Boykin, Roychowdhury 00, Hayden, L, Shor, Winter 03

Quantum encryption (Qenc)

Uk Uk†

Encrypting quantum comm with classical key k. , k pk (Uk Uk

†) = m

Key requirement : for m-qubit message 2m key bits if entangled or exact encryptionm+o(m) key bits if pure & approx encryption

Quantum message authentication (QA)

Ek

QA : Barnum, Crepeau, Gottesman, Smith, Tapp 02

Authenticate quantum comm with classical key : Pr( pass & ’ ) small

pass / fail

’Dk†

High fidelity between & ’ or the corresponding joint states if entangled.

Result : QA “key reuse if auth test passes (w/o privacy amplification)” is secure

Eavesdropping a quantum state disturbs it.

1. QA always requires Qenc (BCGST 02) Can we eliminate this cost?

2. Add QA to Qenc , passing the auth test suggests no eavesdropping Can we recycle the key ?

Prob(authentication passes and eavesdropped) negligible. Key recycling : intuitive (BBBW82) & obvious ? Hard to analyze joint attacks over different uses of the key.

2 interpretations ofkey recycling in QA

specific scheme in BCGST02

Main ideas: 1. Redefine BCGST02 as BCGST02+KD2. Show BCGST02+KD composable (exploiting special structures of BCGST02)

Composability of “BCGST02+KD”

1. Review BCGST02 2. “Equate” BCGST02 & TQA (auth by teleportation)3. Prove composability of TQA+KD = composability of “ebits”

For same token:1. BCGST02’ for pure states using approx encryption for half the price.2. Quantum composability of Wegman-Carter scheme

Scenario for BCGST02

Alice & Bob has : 1. Classical key2. Insecure quantum channel3. Forward classical channel (Alice → Bob) (WLOG authenticated)4. No back comm (non interactive, e.g. quantum storage)

We use 1 bit of back comm for key recycling – to tell Alice if auth passes.Still applies to quantum storage & not too interactive.

Shared keys x, z, y, t

xxzz

x z eyCt Dt,yz x

xxzz

’

BCGST02: review

pass/fail

time

═ bits| qubits

insecure quantum channel

if passAlice

AliceBob

Bob

m-qubit message

m-bit keys

Qenc

Ct : q. code encoding m in (m+s) qubits ey : added syndrome t,y : s-bit key, s<<m

Decode Ct & meas syndrome y ’ Output : if y ≠ y ’, fail 00 else, pass decrypted state

Purity test (PT)

out = ’ passpass00 failfail

Shared keys x, z, y, t

xxzz

x z eyCt Dt,yz x

xxzz

’

BCGST02: review

pass/fail

time

═ bits| qubits

insecure quantum channel

if passAlice

AliceBob

Bob

m-qubit message

m-bit keys

Qenc

Ct : q. code encoding m in (m+s) qubits ey : added syndrome t,y : s-bit key, s<<m

Decode Ct & meas syndrome y ’ Output : if y ≠ y ’, fail 00 else, pass decrypted state

Purity test (PT)


xxzz

x z z x

xxzz

’

pass/failinsecure q. channel + PT

PT

if passAlice

AliceBob

Bob

if fail, Bob outputs nothingm-qubit message

m-bit keys


Security (pure for simplicity): Tr [ out ( passpassfailfail) ] , = 2-(s-1)

(m+s)/s .

Shared keys x, z, y, tBCGST02: review

TeleportationBBCJPW 93

Alice

Bell k

kBob

kk

k kQenc

kk

xxzz

x z z x

xxzz

’

pass/failPT

if passAlice

AliceBob

Bob

if fail, Bob outputs nothing

Shared keys x, z, y, tBCGST02: review

Reduction to teleportation with imperfect EPR pairs

TQA :

z x

xxzz

’

pass/failPT

if pass

H

Alice

AliceBob

Bob

Env sees no difference between BCGST02 & TQA

Bell

x

z

same stateTeleportation

Perfect classical channel

Alice’s local

xxzz

x z z x

xxzz

’

pass/failPT

if passAlice

AliceBob

Bob


BCGST02:

PT only makes max ent state.

TQA :

z x

xxzz

’

pass/failPT

if pass

H

Alice

AliceBob

Bob

Bell

x

z

TeleportationPerfect channel

PT only makes max ent state.

Reduction to teleportation with imperfect EPR pairs

TQAKD

CC

pp ’xzxz pass + pf 00 fail

PT

KD

Telep+KD

E

QAKD

TQA’

CC

pp xzxz pass + pf 00 fail

EPR

KD

Telep+KD

E

pass/fail

S

z z

Pr( z=0|BCGST02) = Pr( z=0|TQA) and

| Pr( z=0|TQA) Pr( z=0|QA+KD) | | Pr( z=0|PT)Pr( z=0|EPR) | 1/4

Compos of PT

PT

Composability of PT

EPR from PT Ideal EPR :

pass/fail

E zz

PT = pacc ABE acc + prej 00AB E fail

Tr [ P trE(PT) ]

for P = AB acc + AB fail

pass/fail

pass/fail

E

PT

S

EPR = pacc AB E acc + prej 00AB E fail

| Pr( z=0|PT)Pr( z=0|EPR) | Tr| PTEPR | 1/4

Bonus materials: Lower bounds for QA & pure state authentication

Qenc : , k pk (Uk Uk†) = m

key size 2m bits (Ambainis,deWolf, Mosca,Tapp 00 Boykin, Roychowdhury 00)

APQenc : || (1/n) Σk Uk Uk† m ||tr ≤ ε

key size m + o(m) bits (Hayden, L, Shor, Winter 03)

APQenc Remote state preparation

┊ ┊ Qenc Teleportation

Approx Pure state

Can we replace Qenc in BCGST02 by APQenc securely?

Teleportation

k

k communicated to Bob after encoding

Encryption

Bell

k

encode Bob’s state as a random k

k

k shared in advance

kk

Switching the communicated & the pre-shared

communication cost in teleportation

key size in encryption

Teleportation

k communicated to Bob after encoding

Encryption

Bell

k

encode Bob’s state as a random k

k shared in advance

kk

approxpure state

UkUk

n qubits

APQenc : || (1/n) Σk Uk Uk† m ||tr ≤ ε

key size m + o(m) bits (Hayden, L, Shor, Winter 03)

Approx Pure state

Bennett, Hayden, L, Shor, Winter 03

Transmits n-qubit pure state known to Alice using n+o(n) cbits comm

Uk

k = communication

Encryption

encode Bob’s state as a random Uk

Uk

k = keyk

k

n qubits

E

nonobliviouspure state Lo 99

k

approxpure state

Remote State Preparation

Pure state authentication: reduction to RSP with imperfect EPR pairs

“”

RSPQA :

kk

’

pass/failPT

if pass

HAliceBob

Env sees little differences

M

k

approxsame stateRSP

Perfect channel

Alice’s local

kk

Uk

kk

’

pass/failPT

if passAliceBob


BCGST02 PURE,KNOWN:

Uky

Uky

“ ”

Conclusion

Composability – gives a prescription for organizing our security proofs into components, each simple and well-defined.

To achieve composable security, we find out what will make the proof work – it is a systematic method to select secure variations.

QKD & BCGST02 work better than we thought. How do the difficulties disappear?

Date post:	28-Dec-2015
Category:	Documents
Upload:	kimberly-crawford
View:	216 times
Download:	0 times

Application of quantum universal composability theorem 1. Motivation : e.g. is QKD secure? 2. Tool :...

Documents