Cryptography and Non-Locality
Valerio Scarani
Centre for Quantum Technologies
National University of Singapore
Names on the title slide: Ekert, Barrett, Hardy, Kent, Winter, Acín, Wolf, Hänggi, Brunner, Gisin, Massar, Masanes, Pironio
Outline
• Part 1: Motivation
– Secure communication based only on
compulsory assumptions and observation
• Part 2: Tools
– From cryptography
– From non-locality
• Part 3: Results
– Security against quantum Eve
– Security against post-quantum Eve
Part 1
Motivation
The task: Key Distribution
Alice: M=0101110010100011, K=1000100011110101
Sent: sum mod 2: P=M⊕K=1101010001010110
Contains NO info on M!
Bob: K=1000100011110101, K⊕P=0101110010100011=M
Unbreakable… unless the eavesdropper Eve knows the key!!!
⇒ Key-Distribution Problem: How to distribute the key among the partners?
Goal: secure distribution of a key between distant partners.
Quantum crypto: code the bits of the key in quantum states
Phenomenology
We adopt an entanglement-based scenario:
[Figure: Alice (setting x, result a) and Bob (setting y, result b); Eve distributes the signal… but knows neither the settings x,y nor the results a,b; N times. Labels (1), (2), (3).]
Public communication: estimate P(a,b|x,y)
Laws of physics: P(a,b|x,y) ⇒ bound on Eve’s information.
Assumptions for Security
[Figure: two labs, each labelled RNG, M, Raw key and C2, with r?AB between them. Blue = Trusted, Red = Untrusted.]
• No leakage out of Alice’s and Bob’s Labs
– Raw key: never
– Choice of M: not as long as Eve can act on the state
• The choices of the M are really random
• Security of classical post-processing, authentication…
• Eve is constrained by the laws of physics
Proofs based on
• Dimensionality of the Q-system under control
• Measurement devices under control
Koashi 2005, Beaudry-Moroder-Lütkenhaus 2008
non-locality allow black-box
The whole of QM, or just a subset of laws?
“No-cloning”
Wootters-Zurek etc. 1982
• It is impossible to make a
perfect copy of an
unknown quantum state.
• If a basis is perfectly
copied, all superposition
states will not.
Bennett-Brassard 1984
• Eve cannot make a
perfect copy of Bob’s
quantum state and
simulate exactly his
measurement.
• Any interaction that gives
Eve some information will
modify Bob’s state, thus
introducing errors.
Drawback: no-cloning cannot be “observed”.
“No local variables” (“Non-locality”)
Bell 1964
Measurement on entangled states ⇒ correlations:
• Cannot be ascribed to communication
• Cannot be ascribed to pre-established agreement (“local variables”, “shared randomness”)
• QM: the results are really created by the measurement, were not available before it.
Ekert 1991
• If the results were not available before the measurement, in particular they were not available to Eve
• On data that can be ascribed neither to communication nor to pre-established agreement, an eavesdropper can only have limited information.
Non-locality can be observed from P(a,b|x,y): violation of a “Bell-type inequality”.
Equivalence under “no-signaling”
No-signaling:
$$\sum_{b=0,1} P(a,b|x,y) = P(a|x,y)$$
$$\sum_{a=0,1} P(a,b|x,y) = P(b|x,y)$$
Indeed, “signaling” = Alice’s choice changes what Bob sees (and vice versa)
In particular, Q-measurements give rise to no-signaling P(a,b|x,y)
Thm: No-signaling & Non-locality ⇒ No-cloning
Masanes, Acín, Gisin PRA 2006; Barnum, Barrett, Leifer, Wilce q-ph/06
The two “foundations” of cryptography are equivalent for no-signaling theories – and non-locality can be observed
Motivation: summary
We want to guarantee the security of key distribution based on:
• assumptions: only the compulsory ones;
• bound on Eve’s information: non-locality of P(a,b|x,y), i.e. only inputs/outputs
The assumptions:
• No leakage out of Alice’s and Bob’s Labs
• Random choice of the input
• Security of classical procedures
• Eve is constrained by the laws of physics
⇒ Quantum physics, just no-signaling, or any intermediate set of laws
Part 2
Tools
Tools of cryptography
Figure of merit: secret key rate
From N exchanged signals (raw key) to a secret key of length l (assuming 1-way communication):
[Figure: processing chain with labels N, n, EC, nleak, PA, l=Nr, m.]
Information Theory ⇒
Achievable secret key rate r (asymptotic N):
$$r = S(A|E) - H(A|B)$$
“Eve’s uncertainty minus Bob’s uncertainty on Alice’s string”
$$= I(A:B) - I_{\mathrm{Eve}}$$
“Capacity of the A-B channel minus Eve’s knowledge”
Tools of cryptography
Classes of Attacks
• Individual
– Eve sends i.i.d. signals
– and tries to guess each bit of the raw key
• Collective
– Eve sends i.i.d signals
– and tries to guess the final key
• General
“Unconditional security”
– Eve sends the most general signals
– And tries to guess the final key
Tools of Non-locality
Bell-CHSH inequality
(Clauser, Horne, Shimony, Holt 1969)
Hypothesis: correlations from a pre-established strategy:
$$\lambda = \{x \to a_x\}_X \cup \{y \to b_y\}_Y$$
Then: let’s take two choices for x and for y, and binary outcomes:
$$x, y \in \{0,1\}, \quad a, b \in \{-1,+1\}$$
For all $\lambda$ it holds:
$$S(\lambda) = (a_0 + a_1)\,b_0 + (a_0 - a_1)\,b_1 \le 2$$
(recall: $\lambda$ is not known)
$$E(a_0 b_0) + E(a_0 b_1) + E(a_1 b_0) - E(a_1 b_1) = S \le 2$$
Any correlation that can be distributed using a pre-established strategy must respect this inequality.
QM: S can reach up to $2\sqrt{2}$
Tools of Non-locality
The Popescu-Rohrlich (PR) box
[Figure: a box with inputs x, y and outputs a, b.]
$$a \oplus b = xy$$
$$P(a|x) = P(b|y) = \frac{1}{2}$$
No-signaling
Non-deterministic
(x, y) → (a, b):
(0, 0): a = b: (0,0) or (1,1)
(0, 1): a = b: (0,0) or (1,1)
(1, 0): a = b: (0,0) or (1,1)
(1, 1): a ≠ b: (0,1) or (1,0)
$$\mathrm{CHSH} = E(a_0 b_0) + E(a_0 b_1) + E(a_1 b_0) - E(a_1 b_1) = 4$$
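Tools of Non-locality
No-Cloning of the PR-box
Can B duplicate his channel?
[Figure: A (input x, output a) and B's channel (input y, output b) together with a would-be copy (input $\tilde{y}$, output $\tilde{b}$).]
$$(a \oplus b = xy) \ \&\ (a \oplus \tilde{b} = x\tilde{y})$$
$$b \oplus \tilde{b} = x\,(y \oplus \tilde{y})$$
B learns A’s input ⇒ signaling!
No-cloning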
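Tools of Non-locality
Probability Space
[Figure: the space of P(a,b|x,y) with a CHSH axis, showing three sets and three marked points.]
• Local correlations: polytope
• Quantum region: convex, no polytope
• No-signalling: polytope
• PR-box: $P(a,b|x,y) = \frac{1}{2}\,\delta(a \oplus b = xy)$
• Measurement on singlet: $P(a,b|x,y) = \frac{1}{4}\left[1 + (-1)^{c}\,\frac{1}{\sqrt{2}}\right]$, with $c = a \oplus b \oplus xy$
• Local point: $P(a,b|x,y) = P(a|x)\,P(b|y) = \delta(a = x)\,\delta(b = 0)$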
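The three marked points can be checked numerically. The following Python sketch is an added example, not part of the original slides: it tests the no-signaling conditions and evaluates CHSH for the PR-box, the singlet point and the local point, and enumerates all 16 pre-established strategies to recover the local bound. Function names and the signaling box `bob_copies_x` are constructed for illustration; outcomes are bits, mapped to ±1 as (−1)^bit.

```python
import itertools
import math

BITS = (0, 1)

def pr_box(a, b, x, y):
    """PR-box: P = 1/2 if a XOR b == x*y, else 0."""
    return 0.5 if (a ^ b) == (x & y) else 0.0

def singlet(a, b, x, y):
    """Singlet point: P = (1/4)(1 + (-1)^c / sqrt(2)), c = a XOR b XOR xy."""
    c = a ^ b ^ (x & y)
    return 0.25 * (1 + (-1) ** c / math.sqrt(2))

def local_deterministic(a0, a1, b0, b1):
    """Pre-established strategy lambda: x -> a_x, y -> b_y."""
    return lambda a, b, x, y: float(a == (a0, a1)[x] and b == (b0, b1)[y])

def bob_copies_x(a, b, x, y):
    """Constructed signaling box: Bob's output equals Alice's input."""
    return float(a == 0 and b == x)

def is_no_signaling(P, tol=1e-12):
    """Alice's marginal must not depend on y, nor Bob's on x."""
    for s, t in itertools.product(BITS, repeat=2):
        alice = [sum(P(s, b, t, y) for b in BITS) for y in BITS]  # P(a=s | x=t, y)
        bob = [sum(P(a, s, x, t) for a in BITS) for x in BITS]    # P(b=s | x, y=t)
        if abs(alice[0] - alice[1]) > tol or abs(bob[0] - bob[1]) > tol:
            return False
    return True

def chsh(P):
    """S = E(a0b0) + E(a0b1) + E(a1b0) - E(a1b1)."""
    def E(x, y):
        return sum((-1) ** (a ^ b) * P(a, b, x, y) for a in BITS for b in BITS)
    return E(0, 0) + E(0, 1) + E(1, 0) - E(1, 1)

def local_bound():
    """Largest |S| over all 16 deterministic strategies."""
    return max(abs(chsh(local_deterministic(*s)))
               for s in itertools.product(BITS, repeat=4))

if __name__ == "__main__":
    for name, P in [("PR-box", pr_box), ("singlet", singlet),
                    ("Bob copies x", bob_copies_x)]:
        print(f"{name:13s} no-signaling={is_no_signaling(P)}  S={chsh(P):.4f}")
    print("local bound:", local_bound())
```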
Part 3
Results
Suitable Protocols
Not all protocols can be proved secure using non-locality!
E.g., the expected P(a,b|x,y) for BB84 is LOCAL even for zero error:
$$P(0,0|A=B) = P(1,1|A=B) = 1/2$$
$$P(a,b|A \neq B) = 1/4$$
A possible protocol (Acín, Massar, Pironio 2006):
Alice: 3 settings x=0,1,k
Bob: 2 settings y=0,1
Raw key: $(a_k, b_0)$; in particular error rate $Q = \mathrm{Prob}(a_k \neq b_0)$
Eve’s info estimated from: $S = \mathrm{CHSH}(a_0, a_1, b_0, b_1)$
• Modified version of Ekert 1991 protocol
• Feature 1: CHSH is measured;
• Feature 2: one outcome (b0) is used for both the key and CHSH;
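Known security bounds
[Figure: plot of r (axis from 0 to 1) against S (axis from 2.8 down to 2), with the curves labelled as follows.]
• NL, Laws = no-signaling, individual attacks: $I_{\mathrm{Eve}} = 2 - S/2$
• NL, Laws = QM, collective attacks: $I_{\mathrm{Eve}} = h\!\left(\frac{1 + \sqrt{(S/2)^2 - 1}}{2}\right)$
• Usual QKD, general attacks (equivalent to BB84): $I_{\mathrm{Eve}} = h\!\left(Q + S/2\sqrt{2}\right)$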
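The three bounds can be compared numerically. This Python sketch is an added example, not part of the original slides: it evaluates each bound on I_Eve, the resulting rate r = I(A:B) − I_Eve, and the error rate at which r reaches zero. Assumptions not on the slides: I(A:B) = 1 − h(Q) for uniform raw-key bits, and a noisy-singlet model S = 2√2(1 − 2Q) used only to tie S to Q; all function names are illustrative.

```python
import math

SQRT2 = math.sqrt(2)

def h(p):
    """Binary entropy in bits; arguments outside (0, 1) give 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

# Bounds on Eve's information from the slide (S = CHSH value, Q = error rate).
def eve_no_signaling_individual(S, Q=None):
    return min(1.0, 2 - S / 2)

def eve_quantum_collective(S, Q=None):
    if S <= 2:  # no violation observed: nothing can be said against Eve
        return 1.0
    return h((1 + math.sqrt((S / 2) ** 2 - 1)) / 2)

def eve_usual_qkd(S, Q):
    return h(Q + S / (2 * SQRT2))

def key_rate(S, Q, eve_bound):
    """r = I(A:B) - I_Eve, with the assumption I(A:B) = 1 - h(Q)."""
    return 1 - h(Q) - eve_bound(S, Q)

def noisy_singlet(Q):
    """Assumed noise model (not on the slides): S = 2*sqrt(2)*(1 - 2Q)."""
    return 2 * SQRT2 * (1 - 2 * Q)

def critical_error_rate(eve_bound, lo=0.0, hi=0.25, steps=60):
    """Bisect for the Q at which r reaches zero under the assumed noise model."""
    for _ in range(steps):
        mid = (lo + hi) / 2
        if key_rate(noisy_singlet(mid), mid, eve_bound) > 0:
            lo = mid
        else:
            hi = mid
    return lo

if __name__ == "__main__":
    for name, bound in [("no-signaling, individual", eve_no_signaling_individual),
                        ("quantum, collective", eve_quantum_collective),
                        ("usual QKD", eve_usual_qkd)]:
        print(f"{name:25s} r(S=2*sqrt2, Q=0) = {key_rate(2 * SQRT2, 0.0, bound):.3f}")
    for name, bound in [("quantum, collective", eve_quantum_collective),
                        ("usual QKD", eve_usual_qkd)]:
        print(f"{name:25s} critical Q = {critical_error_rate(bound):.4f}")
```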
Status of security proofs
• Laws of physics = quantum
– Collective attacks: secure
• Acín, Brunner, Gisin, Massar, Pironio & VS, PRL 2007
• Laws of physics = only no-signaling
– Individual attacks: secure
• Acín, Gisin & Masanes PRL 2005; VS et al., PRA 2006;
Acín, Massar & Pironio New J. Phys. 2006
– General attacks: insecure
• Barrett, Hardy, Kent PRL 2005: 1 secure bit for error=0
• Hänggi & Wolf, submitted
• Laws of physics = no-signaling + something
– General attacks: conditions under study
• Masanes & Winter, in preparation
Detection loophole
[Figure: Alice and Bob with settings x, y; speech bubble: “If she chooses x=0, I don’t answer”.]
Firing of the detector correlated to the choice of the measurement??
• In our labs, we know this is not the case because we understand the physics of our devices…
• … but in a black-box scenario against an adversarial Eve, it becomes a very reasonable assumption
As of today, with photons one cannot close the loophole ⇒ non-locality cannot be observed in a black-box scenario ⇒ these proofs cannot be used yet.
⇒ Practical motivation to close the detection loophole!
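Side-issues
Individual attacks on the CHSH protocol, NS
[Figure: scale of CHSH values with the corresponding P_PR. Ticks (CHSH, P_PR): (4, 1) PR-Box; ($2\sqrt{2}$, $\sqrt{2}-1$); (2.76, 0.38); (2.48, 0.24); (2.4, 0.2); (2.18, 0.09); (2, 0). Labels on the scale: 1-way, no pp; 1-way, pp; 2-way, no pp; 2-way, pp.]
Better procedures or bipartite bound information?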
Conclusions
Summary
• Goal: security of key distribution from
– Compulsory assumptions;
– Inputs & Outputs: the non-locality of P(a,b|x,y)
• Among the assumptions: “Eve is
constrained by the laws of physics”
– Can be the whole of quantum physics…
– …or a restricted set of laws.
• Several open issues
– Minimal set of laws for security
– Unconditional security against quantum Eve
– Related: close the detection loophole