
Application of quantum universal composability theorem

marycorey

Presentation Transcript


  1. Application of quantum universal composability theorem. Outline: 1. Motivation: e.g. is QKD secure? 2. Tool: universal composability. 3. Application 1: composability of QKD. 4. Application 2: composability of variants of quantum authentication + key recycling.

  2. Recitation session for the workshop. Outline: 1. Motivation: e.g. is QKD secure? 2. Tool: universal composability. 3. Application 1: composability of QKD. 4. Application 2: composability of variants of quantum authentication + key recycling. Talks listed beside the outline: Unruh's talk, Renner's talk; Unruh's talk; Unruh's talk, Renner's talk; Oppenheim's talk. Points listed: No need to give the talk! Easier talk since the audience are well acquainted with the subject. Can work through a couple of examples in detail. The results are actually complementary! No surprise. Too repetitive for some. Too brief for others. Give me hints throughout the talk which case it is.

  4. Application of quantum universal composability theorem. Outline: 1. Motivation: e.g. is QKD secure? 2. Tool: universal composability. 3. Application 1: composability of QKD. 4. Application 2: composability of variants of quantum authentication + key recycling. Names and numbers as listed: Michael Ben-Or 2,3; Patrick Hayden 4; Michal Horodecki 3; Debbie Leung 3,4; Dominic Mayers 2,3,4; Jonathan Oppenheim 3. (Figure labels: MB, PH, DM, audience.)

  5. Motivation: key degradation in repeated QKD (Bennett & Smolin). QKD relies on authentication; auth uses a small key. (Diagram labels: Alice, Bob, Eve; keys kA, kB, k'A, k'B; "consumed" at each use.)

  6. Composability: What do we mean by "unconditional security of QKD"? (Diagram: QKD between Alice and Bob, with Eve; labels kA, kB, kE.) QKD is "unconditionally secure": Eve's strategy s.t. Pr(generate key) is non-negligible; k, kA, kB; k random; I(KE:K) negligible. This is applicable only if Eve measures right after QKD to learn about k, not if she delays measurement.

  7. Composability: A more serious example. (Diagram: QKD between Alice and Bob, with Eve, giving key k to both; Encryption: Uk, Uk†.) Is "QKD + encryption" secure??? More information may be gained from joint measurements (Peres, Wootters).

  8. Composability: A nightmare? Unlocking accessible information by further classical communication. DiVincenzo, (M) Horodecki, L, Smolin, Terhal 0303088; Hayden, L, Shor, Winter 0307104. (Advertise: Michal's talk.) x = n bits, y = O(log n) bits. Info on x: I, O(log n). y: extra classical info; Iy = n. Waiting for y: extra info Iy - I, n >> O(log n) = I, length(y). For QKD, let x = key, rx = Eve's state right after QKD. Let y = Eve's classical info when the key is used classically. Knowing "I(kE:k) small" does not imply security of using the generated key in classical applications. (Diagram labels: Uy|x, meas, y.)

  9. Pre-conclusions: 1. Life can be bad -- be ultra paranoid (about composability). 2. QKD is composable, fortunately (BUT REMEMBER TO USE a better security criterion, e.g. singlet-fidelity ... at least until Iacc is "vindicated", if at all).

  10. When is a cryptographic primitive "safe-to-use"? Wait ... used in what?

  11. Universal Composability. Michael Ben-Or & Dominic Mayers 02. Alternative model by Unruh & Mueller-Quade.

  12. Universal composability: general problem. (Diagram: protocol P with subprotocols s1, s2, s3, ..., sn.) si: subprotocols. How to define security of si so that "reasonable composition" is secure?

  13. Notations: s: protocol. s_I: ideal task attempted by s. P+s: protocol calling s as subroutine, trying to perform (imperfectly) P_I. E.g. P_I = perfect encryption, s_I = perfect key distribution, s = QKD; P+s_I or P+s = encryption with perfect key or QKD key. Wanted: security definition of protocols (e.g. s, P+s_I, P+s) that should imply secure basic composition: if s & P+s_I are both "secure" then P+s is "secure". Composable security definition. Universal security definition & security of composition: a pair of related concepts. (Diagram labels: P, s, s_I, P+s_I.)

  14. Wanted: universal composable security definition s.t. if s & P+s_I are both "secure" then P+s is "secure". When is a protocol "secure"? If s is essentially indistinguishable from s_I ... as viewed by any adversary when used in any application. Partially ordered. Env "E": controlling all adversarial attacks & input / output. z: output bit of E; statistically reflects the difference between s, s_I. (Diagram: E with IN/OUT connected to s, and E with IN/OUT connected to s_I; each E outputs z.)

  15. Wanted: universal composable security definition s.t. if s & P+s_I are both "secure" then P+s is "secure". When is a protocol "secure"? If s is essentially indistinguishable from s_I ... as viewed by any adversary when used in any application. Env "E": controlling all adversarial attacks & input / output. z: output bit of E; statistically reflects the difference between s, s_I. (Diagram: E with IN/OUT connected to s, and E with IN/OUT connected to s_I together with S(s); each E outputs z.)

  16. Wanted: universal composable security definition s.t. if s & P+s_I are both "secure" then P+s is "secure". When is a protocol "secure"? s e-s.r. s_I if ∀E (applications + adversaries) ∃S(s) s.t. |Pr(z=0 | s) - Pr(z=0 | s_I+S(s))| ≤ e. Env "E": controlling all adversarial attacks & input / output. z: output bit of E; statistically reflects the difference between s, s_I. (Diagram: E with IN/OUT connected to s, and E with IN/OUT connected to s_I together with S(s); each E outputs z.)

  17. CLAIM: using the following universal composable security definition: s e-s.r. s_I if ∀E (applications + adversaries) ∃S(s) s.t. |Pr(z=0 | s) - Pr(z=0 | s_I+S(s))| ≤ e, will imply the basic composition: if s & P+s_I are both "secure" then P+s is "secure". If P+s_I e_P-s.r. P_I and s e_s-s.r. s_I, then P+s (e_P+e_s)-s.r. P_I.

  18. Universal composable security definition implies secure basic composition. Let P+s be a protocol calling subprotocol s, trying to perform P_I. If P+s_I e_P-s.r. P_I and s e_s-s.r. s_I, then P+s (e_P+e_s)-s.r. P_I. Proof: (Diagram: E with IN/OUT connected to P, which calls s; E outputs z.)

  19. Universal composable security definition implies secure basic composition. Let P+s be a protocol calling subprotocol s, trying to perform P_I. If P+s_I e_P-s.r. P_I and s e_s-s.r. s_I, then P+s (e_P+e_s)-s.r. P_I. Proof: by s e_s-s.r. s_I, Pr(z=0 | P+s) and Pr(z=0 | P+s_I) differ by ≤ e_s. (Diagram: E and P grouped as E_s, connected to s on one side and to s_I with S(s) on the other; each outputs z.)

  20. Universal composable security definition implies secure basic composition. Let P+s be a protocol calling subprotocol s, trying to perform P_I. If P+s_I e_P-s.r. P_I and s e_s-s.r. s_I, then P+s (e_P+e_s)-s.r. P_I. Proof: by s e_s-s.r. s_I, Pr(z=0 | P+s) and Pr(z=0 | P+s_I) differ by ≤ e_s. By P+s_I e_P-s.r. P_I, Pr(z=0 | P+s_I) and Pr(z=0 | P_I) differ by ≤ e1. (Diagram labels: E, E_{P+s_I}, P, P_I, s, s_I, S(s), S(P(s_I)), IN, OUT, z.)

  21. Universal composable security definition implies secure basic composition. Let P+s be a protocol calling subprotocol s, trying to perform P_I. If P+s_I e_P-s.r. P_I and s e_s-s.r. s_I, then P+s (e_P+e_s)-s.r. P_I. Proof: by s e_s-s.r. s_I, Pr(z=0 | P+s) and Pr(z=0 | P+s_I) differ by ≤ e_s. By P+s_I e_P-s.r. P_I, Pr(z=0 | P+s_I) and Pr(z=0 | P_I) differ by ≤ e_P. Pr(z=0 | P+s) and Pr(z=0 | P_I) differ by ≤ e_s+e_P. (Diagram labels: E, P, P_I, s, S(s), S(P(s_I)), S(P+s), IN, OUT, z.)

  22. Universal composable security definition implies security of basic composition: if P+s_I e_P-s.r. P_I and s e_s-s.r. s_I, then P+s (e_P+e_s)-s.r. P_I. Definition: s e-s.r. s_I if ∀E (applications + adversaries) ∃S(s) s.t. |Pr(z=0 | s) - Pr(z=0 | s_I+S(s))| ≤ e. Universal composability theorem: recursive basic composition. Apply the above to replace si one by one from bottom to top. (Diagram: protocol P with subprotocols s1 to s6; replaced subprotocols marked I.)

  27. Punchlines. Universal composable security definition: s e-s.r. s_I if ∀Env (applications + adversaries) ∃S(s) s.t. |Pr(z=0 | s) - Pr(z=0 | s_I+S(s))| ≤ e. Universal composability theorem: P is secure if (i) each subprotocol satisfies the universal composable security definition, (ii) proper modular structure (e.g. tree). (Diagram: subprotocols s1 to s6.)

  28. Application 1: composability of QKD. 1. Composable security definition for QKD. 2. Relation between composable & usual security definition. 3. Sufficient conditions for composable security definition for QKD. 2 & 3 imply QKD is composable. 4. Corollary: slow key degradation in repeated QKD. Michael Ben-Or, Michal Horodecki, L, Dominic Mayers, Jonathan Oppenheim 02. Renner & Konig 04: alternative proof for composability of QKD by showing composability of quantum privacy amplification. Also: Christandl, Renner, & Ekert 04. In the talk: privacy & uniformity condition only, omit equality condition. (See paper for full treatment.)

  29. Application 1: Composability of QKD (security of k+a_I). Notation: Auth: a. Ideal auth: a_I. QKD: k. Ideal KD: k_I. QKD: k+a where a = composable authentication (e.g. Wegman-Carter 81). k+a s.r. k+a_I if a is composable (thus consider the latter). Input: none. Output: key k, key length m (random variable; m=0 means "fail" or "abort"). Best application for E: just accept k. Adversary: Eve (who gets rk). (Diagram: E containing QKD k+a_I and Eve; QKD outputs k, m; Eve holds rk; E outputs z.)

  30. Application 1: Composability of QKD (security of k+a_I). Notation: Auth: a. Ideal auth: a_I. QKD: k. Ideal KD: k_I. Ideal KD: contains a "perfect-key-generating-box" (PKGB). An adversary inputs "m" and an m-bit key k will be distributed. S(k+a_I): "fake" QKD that interacts with Eve. From the fake QKD: discards key k' & takes m & puts it in the PKGB in k_I. (Diagram: on one side, E with QKD k+a_I and Eve, outputs k, m, Eve's state rk; on the other, E with ideal KD k_I and S(k+a_I), fake QKD outputs k', m, Eve's state rk'; each E outputs z.)

  31. Application 1: Composability of QKD (security of k+a_I). Notation: Auth: a. Ideal auth: a_I. QKD: k. Ideal KD: k_I. E's state, with ideal KD (key & Eve's state uncorrelated): r_{k_I} = Σ_m p_m |m><m| ⊗ gI_m, where gI_m = Σ_{k:|k|=m} 2^-m |k><k| ⊗ tr_1 g_m. E's state, with QKD (key & Eve's state correlated): r_QKD = Σ_m p_m |m><m| ⊗ g_m, where g_m = Σ_{k'':|k''|=m} p_{k|m} |k''><k''| ⊗ r_{k''}. Composable security condition: QKD e_k-s.r. k_I if |Pr(z=0 | k+a_I) - Pr(z=0 | k_I)| ≤ ||r_QKD - r_{k_I}||_tr = Σ_m p_m ||g_m - gI_m||_tr ≤ e_k. (Diagram: E with QKD k+a_I and Eve, outputs k, m, Eve's state rk'; E with ideal KD k_I and S(k+a_I), outputs k'', m, Eve's state rk''; each E outputs z.)

  32. Application 1: Composability of QKD (security of k+a_I). Notation: Auth: a. Ideal auth: a_I. QKD: k. Ideal KD: k_I. g_m = Σ_{k:|k|=m} p_{k|m} |k><k| ⊗ r_k; gI_m = Σ_{k:|k|=m} 2^-m |k><k| ⊗ tr_1 g_m. Security: correlation indistinguishable from none. QKD e_k-s.r. k_I if Σ_m p_m ||g_m - gI_m||_tr ≤ e_k. Sufficient conditions for composable security: 1. Usual security: if Σ_m p_m I(KE:K | M=m) ≤ m, then e_k ≤ (2max(m)+2m)^(1/2). 2. Small Holevo info of Eve: let E_m = {p_{k|m}, r_k}_{k:|k|=m}; if Σ_m p_m c(E_m) ≤ m, then e_k ≤ (2 ln2 m)^(1/2). 3. High singlet fidelity (if proof by EPP): let h_m be the state of Alice & Bob, F_m the m-singlet state; if Σ_m p_m F(h_m, F_m) ≥ 1-m, then e_k ≤ m^(1/2). (Assuming uniformity: p_{k|m}, 2^-m.) Equality + uniformity.

  33. Punchlines. QKD does provide a key that can be safely used in quantum / classical applications designed to use a perfect key!!! Bounds for Eve's Holevo info or singlet fidelity may be tighter in the context of composability, compared to those for mutual info. Proofs for sufficient conditions are relations between correlation measures.

  34. Corollary: key degradation in repeated QKD. QKD relies on authentication; auth uses a small key. (Diagram labels: Alice, Bob, Eve; keys kA, kB, k'A, k'B; "consumed" at each use.)

  35. Corollary: key degradation in repeated QKD. Notation: Authentication a. Ideal authentication: a_I. QKD k. Ideal key distribution: k_I. In particular, if a+k_I e_a-s.r. a_I (composable security of auth, using perfect key: known) and k+a_I e_k-s.r. k_I (composable security of QKD, using perfect auth: to be proved), then n rounds of repeated QKD is n(e_a+e_k) secure. (Diagram: chain of alternating k and a, with ideal versions k_I, a_I.)

  36. Composability of "Quantum Auth + key recycling". Patrick Hayden, L, Dominic Mayers 04. Oppenheim & Horodecki 03: proof for secure key recycling via bounds on information theoretic quantities.

  37. Quantum encryption (Qenc). Qenc: Ambainis, de Wolf, Mosca, Tapp 00; Boykin, Roychowdhury 00; Hayden, L, Shor, Winter 03. Encrypting quantum comm with classical key k. (Diagram: r, Uk, Uk†.) For all r, Σ_k p_k (U_k r U_k†) = I/2^m. Key requirement for an m-qubit message: 2m key bits if r entangled or exact encryption; m+o(m) key bits if r pure & approx encryption.

  38. Quantum message authentication (QA). QA: Barnum, Crepeau, Gottesman, Smith, Tapp 02. Authenticate quantum comm with classical key: Pr(pass & rr') small. High fidelity between r & r', or the corresponding joint states if r entangled. (Diagram: r, Ek, Dk†, r', pass / fail.)

  39. Eavesdropping a quantum state disturbs it. 1. QA always requires Qenc (BCGST 02). Can we eliminate this cost? 2. Add QA to Qenc; passing the auth test suggests no eavesdropping. Can we recycle the key? Prob(authentication passes and eavesdropped) negligible. Key recycling: intuitive (BBBW82) & obvious? Hard to analyze joint attacks over different uses of the key. 2 interpretations of key recycling in QA. Result: QA + "key reuse if auth test passes (w/o privacy amplification)" is secure (specific scheme in BCGST02). Main ideas: 1. Redefine BCGST02 as BCGST02+KD. 2. Show BCGST02+KD composable (exploiting special structures of BCGST02).

  40. Composability of "BCGST02+KD". 1. Review BCGST02. 2. "Equate" BCGST02 & TQA (auth by teleportation). 3. Prove composability of TQA+KD = composability of "ebits". For same token: 1. BCGST02' for pure states using approx encryption for half the price. 2. Quantum composability of Wegman-Carter scheme.

  41. Scenario for BCGST02. Alice & Bob have: 1. Classical key. 2. Insecure quantum channel. 3. Forward classical channel (Alice → Bob) (WLOG authenticated). 4. No back comm (non-interactive, e.g. quantum storage). We use 1 bit of back comm for key recycling, to tell Alice if auth passes. Still applies to quantum storage & not too interactive.

  42. BCGST02: review. Shared keys x, z, y, t. m-qubit message r. Qenc: sx, sz with keys x, z (m-bit keys). Purity test (PT): Ct: q. code encoding m in (m+s) qubits; ey: added syndrome; t, y: s-bit key, s<<m. Insecure quantum channel. Bob: decode Ct & meas syndrome y'. Output: if y ≠ y', fail, |0><0|; else, pass, decrypted state. r_out = r' ⊗ |pass><pass| + |0><0| ⊗ |fail><fail|. (Diagram: circuit between Alice and Bob with time axis; double lines = bits, single lines = qubits; labels Ct, Dt,y, pass/fail, if pass.)

  44. BCGST02: review. Shared keys x, z, y, t. m-qubit message; m-bit keys. Insecure q. channel + PT; PT pass/fail; if fail, Bob outputs nothing. r_out = r' ⊗ |pass><pass| + |0><0| ⊗ |fail><fail|. Security (pure r for simplicity): Tr[ r_out (r ⊗ |pass><pass| + I ⊗ |fail><fail|) ] ≥ 1-e, e = 2-(s-1) (m+s)/s. (Diagram labels: Alice, Bob, r, r', x, z, sx, sz, if pass.)

  45. Qenc and teleportation (BBCJPW 93). (Diagram labels: Alice, Bob, j, k, sk, Bell, F+, sk j sk.)

  46. BCGST02: review. Shared keys x, z, y, t. PT pass/fail; if fail, Bob outputs nothing. (Diagram labels: Alice, Bob, r, r', x, z, sx, sz, if pass.)

  47. Reduction to teleportation with imperfect EPR pairs. Env sees no difference between BCGST02 & TQA. BCGST02: PT pass/fail; if fail, Bob outputs nothing. TQA: teleportation if pass; perfect classical channel; PT only makes max ent state; PT pass/fail. (Diagram labels: Alice, Bob, r, r', x, z, sx, sz, H, Bell, |0>, if pass, "Alice's local", "same state".)

  48. Reduction to teleportation with imperfect EPR pairs. TQA: teleportation if pass; perfect channel; PT only makes max ent state; PT pass/fail. (Diagram labels: E, z, r, "pp r |xz><xz| pass + pf |0><0| fail", "pp r' |xz><xz| pass + pf |0><0| fail", H, S, TQA', Telep+KD, CCI, QAI+KDI, TQA+KDI, PT, EPR, KDI, pass/fail, Alice, Bob, Bell, |0>, x, z, sx, sz.)

  49. Pr(z=0 | BCGST02) = Pr(z=0 | TQA), and |Pr(z=0 | TQA) - Pr(z=0 | QA_I+KD_I)| ≤ |Pr(z=0 | PT) - Pr(z=0 | EPR)| ≤ e^(1/4) (compos of PT).

  50. Composability of PT. |Pr(z=0 | PT) - Pr(z=0 | EPR)| ≤ Tr|h_PT - h_EPR| ≤ e^(1/4). Ideal EPR: F. EPR from PT. h_EPR = p_acc F_AB ⊗ r_E ⊗ acc + p_rej |0><0|_AB ⊗ r_E ⊗ fail. h_PT = p_acc r_ABE ⊗ acc + p_rej |0><0|_AB ⊗ r_E ⊗ fail. Tr[ P tr_E(h_PT) ] ≥ 1-e for P = F_AB ⊗ acc + I_AB ⊗ fail. (Diagram: E with ideal EPR F and S, and E with PT; each has pass/fail and outputs z.)
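
Added example (not from the talk): a Python check of the composable security condition on slides 31 and 32, narrowed to one fixed key length m and a single-qubit state for Eve written as a Bloch vector. The ensembles are constructed, the trace norm is taken as the sum of absolute eigenvalues, and the Holevo condition is read as e_k ≤ sqrt(2 ln2 · χ), which is an assumption about the garbled symbols on slide 32.

```python
import math

# Added example: the ensembles below are constructed, not taken from the talk.
# Each is (key probabilities p_{k|m}, Bloch vector of Eve's qubit state r_k).
LEAKY = ([0.5, 0.5], [(0, 0, 0.1), (0, 0, -0.1)])        # Eve weakly correlated
UNCORRELATED = ([0.5, 0.5], [(0.3, 0, 0), (0.3, 0, 0)])  # matches the ideal KD
BIASED = ([0.6, 0.4], [(0.3, 0, 0), (0.3, 0, 0)])        # non-uniform key
BROKEN = ([0.5, 0.5], [(0, 0, 1), (0, 0, -1)])           # Eve knows the key

def norm(v):
    return math.sqrt(sum(x * x for x in v))

def h2(p):
    """Binary entropy in bits (0 at the endpoints)."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def qubit_entropy(r):
    """Entropy of (I + r.sigma)/2, whose eigenvalues are (1 +/- |r|)/2."""
    return h2((1 + min(norm(r), 1.0)) / 2)

def block_trace_norm(w1, r1, w2, r2):
    """|| w1*rho(r1) - w2*rho(r2) ||_1 for qubit states given as Bloch vectors.
    The difference has eigenvalues ((w1 - w2) +/- |w1*r1 - w2*r2|) / 2."""
    a = w1 - w2
    b = norm([w1 * x - w2 * y for x, y in zip(r1, r2)])
    return (abs(a + b) + abs(a - b)) / 2

def eve_average(probs, bloch):
    """Bloch vector of tr_1 g_m = sum_k p_{k|m} r_k."""
    return [sum(p * r[i] for p, r in zip(probs, bloch)) for i in range(3)]

def composable_distance(probs, bloch):
    """|| g_m - gI_m ||_tr. Both states are block-diagonal in the key register,
    so the norm is the sum over keys of || p_k r_k - 2^-m tr_1 g_m ||_1."""
    avg, uniform = eve_average(probs, bloch), 1.0 / len(probs)
    return sum(block_trace_norm(p, r, uniform, avg) for p, r in zip(probs, bloch))

def holevo(probs, bloch):
    """Holevo information of Eve's ensemble, in bits."""
    mixed = qubit_entropy(eve_average(probs, bloch))
    return mixed - sum(p * qubit_entropy(r) for p, r in zip(probs, bloch))

def holevo_bound(chi):
    """sqrt(2 ln2 * chi): assumed reading of slide 32's bound (uniform key)."""
    return math.sqrt(2 * math.log(2) * max(chi, 0.0))

if __name__ == "__main__":
    for name, ens in [("leaky", LEAKY), ("uncorrelated", UNCORRELATED),
                      ("biased", BIASED), ("broken", BROKEN)]:
        print(name, composable_distance(*ens), holevo_bound(holevo(*ens)))
```

The biased ensemble has zero Holevo information but a distance of 0.2 from the ideal key, which is why the sufficient conditions are stated under the uniformity assumption.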
