a tight high-order entropic quantum uncertainty relation with applications serge fehr, christian...
Post on 19-Dec-2015
236 views
TRANSCRIPT
A Tight High-Order Entropic Quantum Uncertainty Relationwith Applications Serge Fehr, Christian Schaffner (CWI Amsterdam, NL)
Renato Renner (University of Cambridge, UK)
Ivan Damgård, Louis Salvail (University of Århus, DK)
Crypto-Workshop Dagstuhl
Thursday, September 20th 2007
3 / 24
(Randomized) 1-2 Oblivious Transfer
Rand1-2OT
S0;S1C 2 f0;1g
complete for 2-party computation impossible in the plain (quantum) model possible in the Bounded-Quantum-Storage Model
SC
5 / 24
Quantum Mechanics
with prob. 1 yields 1
with prob. ½ yields 0
Measurements:
with prob. ½ yields 1
+ basis
£ basis
j0i+ j1i+
j1i£j0i£
6 / 24
get X'
0
0
1
1
0
Quantum 1-2 OT ProtocoljX i£
S0;S1
F1 2R F 1F0 2R F 0
£ ;F0;F1
S1 = ?S0
C = 0£ 0= +n
£ 2R X 2R sendf+;£gn f0;1gn
0
1
1
1
0
Correctness
Receiver-Security against Dishonest Alice
7 / 24
Sender-Security?jX i£
S0;S1
F1 2R F 1F0 2R F 0
£ ;F0;F1
get
½
£ 2R X 2R sendf+;£gn f0;1gn
0
1
1
1
0
Sender-Security: one of the strings looks completely random to dishonest Bob
# qubits < n=4
8 / 24
Quantum Mechanics II
+ basis
£ basis
j0i+ j1i+
j1i£j0i£
EPR pairs:prob. ½ : 0 prob. ½ : 1
prob. ½ : 0prob. ½ : 1
prob. 1 : 0
9 / 24
get
Entanglement-Based Protocol
S0;S1
F1 2R F 1F0 2R F 0
£ ;F0;F1
½
epr n
# qubits < n=4
Sender-Security: One of the strings looks completely random to dishonest Bob
£ 2R X 2R sendf+;£gn f0;1gn
?
?
?
?
?
10 / 24
get
Entanglement-Based ProtocoljX i£
S0;S1
F1 2R F 1F0 2R F 0
£ ;F0;F1
½
# qubits < n=4
Sender-Security: One of the strings looks completely random to dishonest Bob
£ 2R X 2R sendf+;£gn f0;1gn
0
1
1
1
0
11 / 24
£ 2R X 2R sendf+;£gn f0;1gn
?
?
?
?
?
Let Bob Act First
F1 2R F 1F0 2R F 0
½
£ ;F0;F1
getepr n
//...
# qubits < n=4
Sender-Security: One of the strings looks completely random to dishonest Bob
S0;S1 2 f0;1g̀
[Renner KÄonig 05, Renner 06]
PA : 2̀ ¼H1 (X j £;½)
12 / 24
get£ 2R X 2R send
f+;£gn f0;1gn
?
?
?
?
?
Sender-Security Uncertainty Relation
F1 2R F 1F0 2R F 0
½
£ ;F0;F1
epr n
//...
# qubits < n=4
Sender-Security: One of the strings looks completely random to dishonest Bob
S0;S1 2 f0;1g̀
[Renner KÄonig 05, Renner 06]
PA : 2̀ ¼H1 (X j £;½) ¸ H1 (X j £)| {z }
¸ ?
¡ # qubits| {z }
<n=4
H1 (X j £ ) ¸ ?
14 / 24
Quantum Uncertainty Relation needed
j0i+
j1i+j1i£ j0i£
qubit as unit vector in C2
®
Pr[X = 0] = j®j2
Pr[X = 1] = 1¡ j®j2
Pr[X = 0] = j¯ j2
Pr[X = 1] = 1¡ j¯ j2
¯
15 / 24
M aassen U±nk 88: Let ½i be a 1-qubit state.£ i 2R f+;£g, X i the outcome of measuring ½i in basis £ i . Then,
H(X i j £ i ) = 12
¡H(X i j £ i = +) + H(X i j £ i = £)| {z }
¸ 1
¢¸ 1
2:
Uncertainty Relation for One Qubit
j0i+
j1i+j1i£ j0i£
Pr[X = 0] = 1Pr[X = 1] = 0
Pr[X = 0] = 1=2Pr[X = 1] = 1=2
16 / 24
) H"1 (X n j £ )
n! 1¼ n ¢H(X i j £ i ) ¸ n=2
£ 2R statef+;£gn ½
...
Quantum Uncertainty Relation needed
//
H1 (X j £) ¸ ?
X i independent
X i := X 1; : : : ;X i
X := X n = X 1; : : : ;X n
H(X i j £ i ) ¸ 12
M aassen U±nk 88: Let ½i be a 1-qubit state.£ i 2R f+;£g, X i the outcome of measuring ½i in basis £ i . Then,
H(X i j £ i ) = 12
¡H(X i j £ i = +) + H(X i j £ i = £)| {z }
¸ 1
¢¸ 1
2:
except with prob · "
17 / 24
£ 2R statef+;£gn ½
...
Main Result
//
H1 (X j £) ¸ ?
M aassen U±nk 88: Let ½i be a 1-qubit state.£ i 2R f+;£g, X i the outcome of measuring ½i in basis £ i . Then,
H(X i j £ i ) = 12
¡H(X i j £ i = +) + H(X i j £ i = £)| {z }
¸ 1
¢¸ 1
2:
X i dependent
H(X i j £ i ) ¸ 12
Quantum Uncertainty R elation: LetX = (X 1; : : : ;X n) be the outcome. Then,
H"1 (X j £ ) & n=2
with " negligible in n.
H(X i j £ i ;X i ¡ 1 = xi ¡ 1;£ i ¡ 1 = µi ¡ 1) ¸ 12
18 / 24
Main Technical Lemma
Z1; : : : ;Zn (dependent) random variables
Then, H"1 (Z) & n ¢h with " negligible in n
with H(Zi j Z i ¡ 1 = zi ¡ 1) ¸ h.
P roof:
² information theory
² generalized Cherno®bound (A zuma inequality)
19 / 24
£ 2R statef+;£gn ½
...
Proof of Quantum Uncertainty Relation
Zi := (X i ;£ i )
M U : ½1-qubit state: H(X 0 j £ 0) ¸ 12
//
T hm: H(Zi j Z i ¡ 1 = z) ¸ h ) H"1 (Zn) & hn
Quantum Uncertainty R elation: LetX = (X 1; : : : ;X n) be the outcome. Then,
H"1 (X j £ ) & n=2
with " negligible in n.
H(Zi j Z i ¡ 1 = z) = H(X i j £ i ;Z i ¡ 1 = z) +H(£ i j Z i ¡ 1 = z)
¸ 12
+1=: h:
H"1 (X j £) ¼H"
1 (Zn) ¡ H0(£ ) & n=2+n ¡ n:
20 / 24
Tight?M U : ½1-qubit state: H(X 0 j £ 0) ¸ 1
2
H(X j £ ) = 12
¡H(X j £ = +)| {z }
=0
+H(X j £ = £)| {z }
=1
¢= 1
2:
£ 2R statef+;£gn ½
...
//
Quantum Uncertainty R elation: LetX = (X 1; : : : ;X n) be the outcome. Then,
H"1 (X j £ ) & n=2
with " negligible in n.
For the pure state j0i n, the X are independent and we know
that H"1 (X j £ )
n! 1¼ H(X j £ ) = n=2.
22 / 24
conjugate coding / BB84:£ 2R state
f+;£gn ½
...
classical general lemma:
instantiate it for various quantum codings:
Contributions I: Uncertainty Relations
H(Zi j Z i ¡ 1 = z) ¸ h ) H"1 (Zn) & hn
//
H"1 (X j £) ¸ n=2
23 / 24
conjugate coding / BB84:
three bases / six-state:
…
classical general lemma:
instantiate it for various quantum codings:
Contributions I: Uncertainty Relations
H(Zi j Z i ¡ 1 = z) ¸ h ) H"1 (Zn) & hn
H"1 (X j £) ¸ n=2
//
//
£ 2R statef+;£;ª gn ½
...H"
1 (X j £) ¸ 23n
24 / 24
Bounded-Quantum-Storage Model:Non-interactive, practical protocols for 1-2 OT and BC secure according new composable security definitions.
Quantum Key Distribution: Security proofs in realistic setting of a quantum-memory bounded eavesdropper. Tolerate higher error rates than against unbounded adversaries.
Composition of certain Quantum Ciphers: key-uncertainty adds up in terms of min-entropy.
Contributions II: Applications