Cryptography and Non-Locality
Valerio Scarani
Centre for Quantum Technologies, National University of Singapore
Ekert, Barrett, Hardy, Kent, Winter, Acín, Wolf, Hänggi, Brunner, Gisin, Massar, Masanes, Pironio

Outline
• Part 1: Motivation
  – Secure communication based only on compulsory assumptions and observation
• Part 2: Tools
  – From cryptography
  – From non-locality
• Part 3: Results
  – Security against quantum Eve
  – Security against post-quantum Eve

Part 1: Motivation

The task: Key Distribution
Alice: M = 0101110010100011, K = 1000100011110101
Sent: $P = M \oplus K = 1101010001010110$ (sum mod 2). Contains NO info on M!
Bob: K = 1000100011110101, $K \oplus P = 0101110010100011 = M$
Unbreakable… unless the eavesdropper Eve knows the key!!!
Key-Distribution Problem: How to distribute the key among the partners?
Goal: secure distribution of a key between distant partners.
Quantum crypto: code the bits of the key in quantum states

Phenomenology
We adopt an entanglement-based scenario:
[Figure: Alice with setting x and result a; Bob with setting y and result b; Eve; steps numbered (1) to (3), repeated N times]
Eve distributes the signal… but knows neither the settings x,y nor the results a,b
Public communication: estimate P(a,b|x,y)
Laws of physics: P(a,b|x,y) → bound on Eve’s information.

Assumptions for Security
[Figure: Alice’s and Bob’s labs, each containing RNG, M and Raw key, sharing the state ρ_AB (each side labelled C²); Blue = Trusted, Red = Untrusted]
• No leakage out of Alice’s and Bob’s Labs
  – Raw key: never
  – Choice of M: not as long as Eve can act on the state
• The choices of the M are really random
• Security of classical post-processing, authentication…
• Eve is constrained by the laws of physics
  – The whole of QM, or just a subset of laws?
• Dimensionality of the Q-system under control
• Measurement devices under control
  Koashi 2005, Beaudry-Moroder-Lutkenhaus 2008
Proofs based on non-locality allow black-box

“No-cloning”
Wootters-Zurek etc. 1982
• It is impossible to make a perfect copy of an unknown quantum state.
• If a basis is perfectly copied, all superposition states will not.
Bennett-Brassard 1984
• Eve cannot make a perfect copy of Bob’s quantum state and simulate exactly his measurement.
• Any interaction that gives Eve some information will modify Bob’s state, thus introducing errors.
Drawback: no-cloning cannot be “observed”.

“No local variables” (“Non-locality”)
Bell 1964, Ekert 1991
Measurement on entangled states → correlations:
• If the results were not available before the measurement, in particular they were not available to Eve
• Cannot be ascribed to communication
• Cannot be ascribed to pre-established agreement (“local variables”, “shared randomness”)
• QM: the results are really created by the measurement, were not available before it.
• On data that can be ascribed neither to communication nor to pre-established agreement, an eavesdropper can only have limited information.
Non-locality can be observed from P(a,b|x,y): violation of a “Bell-type inequality”.

Equivalence under “no-signaling”
No-signaling:
$\sum_{b=0,1} P(a,b|x,y) = P(a|x)$ (independent of $y$)
$\sum_{a=0,1} P(a,b|x,y) = P(b|y)$ (independent of $x$)
Indeed, “signaling” = Alice’s choice changes what Bob sees (and vice versa)
In particular, Q-measurements give rise to no-signaling P(a,b|x,y)
Thm: No-signaling & Non-locality ⇔ No-cloning
Masanes, Acín, Gisin PRA 2006; Barnum, Barrett, Leifer, Wilce q-ph/06
The two “foundations” of cryptography are equivalent for no-signaling theories – and non-locality can be observed

Motivation: summary
We want to guarantee the security of key distribution based on:
• assumptions: only the compulsory ones;
  – No leakage out of Alice’s and Bob’s Labs
  – Random choice of the input
  – Security of classical procedures
  – Eve is constrained by the laws of physics: quantum physics, just no-signaling, or any intermediate set of laws
• bound on Eve’s information: non-locality of P(a,b|x,y), i.e. only inputs/outputs

Part 2: Tools

Tools of cryptography
Figure of merit: secret key rate
From N exchanged signals (raw key) to a secret key of length l (assuming 1-way communication):
[Diagram: N → n → EC → PA → l = N r, with labels m and leak]
Information Theory
Achievable secret key rate r (asymptotic N):
$r = S(A|E) - H(A|B) = I(A:B) - I_{Eve}$
• $S(A|E) - H(A|B)$: “Eve’s uncertainty minus Bob’s uncertainty on Alice’s string”
• $I(A:B) - I_{Eve}$: “Capacity of the A-B channel minus Eve’s knowledge”

Tools of cryptography
Classes of Attacks
• Individual
  – Eve sends i.i.d. signals
  – and tries to guess each bit of the raw key
• Collective
  – Eve sends i.i.d. signals
  – and tries to guess the final key
• General (“Unconditional security”)
  – Eve sends the most general signals
  – and tries to guess the final key

Tools of Non-locality
Bell-CHSH inequality (Clauser, Horne, Shimony, Holt 1969)
Hypothesis: correlations from a pre-established strategy: $\{x \to a_x\}_X,\ \{y \to b_y\}_Y$
Then: let’s take two choices for x and for y, and binary outcomes: $x, y \in \{0,1\}$, $a, b \in \{-1,+1\}$
For every such strategy it holds:
$S = (a_0 + a_1)\, b_0 + (a_0 - a_1)\, b_1 \le 2$
(recall: the strategy is not known)
$E(a_0 b_0) + E(a_0 b_1) + E(a_1 b_0) - E(a_1 b_1) = \langle S \rangle \le 2$
Any correlation that can be distributed using a pre-established strategy must respect this inequality.
QM: S can reach up to $2\sqrt{2}$

Tools of Non-locality
The Popescu-Rohrlich (PR) box
$a \oplus b = xy$
$P(a|x) = P(b|y) = \tfrac{1}{2}$: No-signaling, Non-deterministic

x y | (a,b)
0 0 | a = b: (0,0), (1,1)
0 1 | a = b: (0,0), (1,1)
1 0 | a = b: (0,0), (1,1)
1 1 | a ≠ b: (0,1), (1,0)

$\mathrm{CHSH} = E(a_0 b_0) + E(a_0 b_1) + E(a_1 b_0) - E(a_1 b_1) = 4$

Tools of Non-locality
No-Cloning of the PR-box
[Figure: PR-box with $a \oplus b = xy$ and a second copy on B’s side with $a \oplus \tilde{b} = x\tilde{y}$]
Can B duplicate his channel?
$(a \oplus b = xy)\ \&\ (a \oplus \tilde{b} = x\tilde{y}) \Rightarrow b \oplus \tilde{b} = x\,(y \oplus \tilde{y})$
For $\tilde{y} \neq y$: B learns A’s input → signaling! ⇒ No-cloning

Tools of Non-locality
Probability Space
[Figure: nested regions in the space of P(a,b|x,y), separated by the CHSH facet]
• Local correlations: Polytope
• Quantum region: Convex, no polytope
• No-signalling: Polytope
Points shown:
• PR-box: $P(a,b|x,y) = \tfrac{1}{2}\,\delta(a \oplus b = xy)$
• Measurement on singlet: $P(a,b|x,y) = \tfrac{1}{4}\left[1 + \tfrac{1}{\sqrt{2}}(-1)^c\right]$, with $c = a \oplus b \oplus xy$
• Local point: $P(a|x)\,P(b|y) = \delta(a = x)\,\delta(b = 0)$

Part 3: Results

Suitable Protocols
Not all protocols can be proved secure using non-locality!
E.g., the expected P(a,b|x,y) for BB84 is LOCAL even for zero error:
$P(0,0|A = B) = P(1,1|A = B) = 1/2$
$P(a,b|A \neq B) = 1/4$
A possible protocol (Acín, Massar, Pironio 2006):
Alice: 3 settings x=0,1,k
Bob: 2 settings y=0,1
Raw key: $(a_k, b_0)$; in particular error rate $Q = \mathrm{Prob}(a_k \neq b_0)$
Eve’s info estimated from: $S = \mathrm{CHSH}(a_0, a_1, b_0, b_1)$
• Modified version of Ekert 1991 protocol
• Feature 1: CHSH is measured;
• Feature 2: one outcome ($b_0$) is used for both the key and CHSH;

Known security bounds
[Plot: key rate r (0 to 1) against S (from 2.8 down to 2)]
• NL, Laws = no-signaling, individual attacks: $I_{Eve} = 2 - S/2$
• NL, Laws = QM, collective attacks: $I_{Eve} = h\!\left(\frac{1 + \sqrt{(S/2)^2 - 1}}{2}\right)$
• Usual QKD, general attacks (equivalent to BB84): $I_{Eve} = h\!\left(Q + S/2\sqrt{2}\right)$

Status of security proofs
• Laws of physics = quantum
  – Collective attacks: secure
    • Acín, Brunner, Gisin, Massar, Pironio & VS, PRL 2007
• Laws of physics = only no-signaling
  – Individual attacks: secure
    • Acín, Gisin & Masanes PRL 2005; VS et al., PRA 2006; Acín, Massar & Pironio New J. Phys. 2006
  – General attacks: insecure
    • Barrett, Hardy, Kent PRL 2005: 1 secure bit for error=0
    • Hänggi & Wolf, submitted
• Laws of physics = no-signaling + something
  – General attacks: conditions under study
    • Masanes & Winter, in preparation

Detection loophole
[Figure: Alice with setting x and Bob with setting y; caption: “If she chooses x=0, I don’t answer”]
Firing of the detector correlated to the choice of the measurement??
• In our labs, we know this is not the case because we understand the physics of our devices…
• … but in a black-box scenario against an adversarial Eve, it becomes a very reasonable assumption
As of today, with photons one cannot close the loophole → non-locality cannot be observed in a black-box scenario → these proofs cannot be used yet.
Practical motivation to close the detection loophole!

Side-issues
Individual attacks on the CHSH protocol, NS
[Figure: two parallel scales. CHSH: 4 (PR-Box), $2\sqrt{2}$, 2.76, 2.48, 2.4, 2.18, 2. $p_{PR}$: 1, $\sqrt{2}-1$, 0.38, 0.24, 0.2, 0.09, 0. Regions labelled: 1-way, no pp; 1-way, pp; 2-way, no pp; 2-way, pp]
Better procedures or bipartite bound information?

Conclusions
Summary
• Goal: security of key distribution from
  – Compulsory assumptions;
  – Inputs & Outputs: the non-locality of P(a,b|x,y)
• Among the assumptions: “Eve is constrained by the laws of physics”
  – Can be the whole of quantum physics…
  – …or a restricted set of laws.
• Several open issues
  – Minimal set of laws for security
  – Unconditional security against quantum Eve
  – Related: close the detection loophole
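
Added example (not part of the original slides): the pipeline the talk describes, from an estimated P(a,b|x,y) to a no-signaling check, the CHSH value S, and the two non-locality-based bounds on Eve's information from the "Known security bounds" slide. The function names and the three sample behaviours are constructed here, outcomes are labelled 0/1 and mapped to ±1 for the correlators, and I(A:B) = 1 - h(Q) is an assumption (unbiased key bits).

```python
import math
from itertools import product

BITS = (0, 1)

def h(p):
    """Binary entropy in bits (0 outside the open interval (0, 1))."""
    return 0.0 if p <= 0 or p >= 1 else -p * math.log2(p) - (1 - p) * math.log2(1 - p)

# Constructed sample behaviours P(a,b|x,y), outcomes and settings in {0,1}.
def pr_box(a, b, x, y):        # a XOR b = xy
    return 0.5 if (a ^ b) == (x & y) else 0.0

def singlet(a, b, x, y):       # CHSH-optimal measurement on the singlet
    return 0.25 * (1 + (-1) ** (a ^ b ^ (x & y)) / math.sqrt(2))

def local_point(a, b, x, y):   # deterministic strategy a = x, b = 0
    return 1.0 if (a == x and b == 0) else 0.0

def is_no_signaling(P, tol=1e-9):
    """Alice's marginal must not depend on y, nor Bob's on x."""
    for v, s in product(BITS, BITS):
        alice = [sum(P(v, b, s, y) for b in BITS) for y in BITS]
        bob = [sum(P(a, v, x, s) for a in BITS) for x in BITS]
        if abs(alice[0] - alice[1]) > tol or abs(bob[0] - bob[1]) > tol:
            return False
    return True

def chsh(P):
    """S = E(a0b0) + E(a0b1) + E(a1b0) - E(a1b1), outcomes mapped to +/-1."""
    def E(x, y):
        return sum((-1) ** (a ^ b) * P(a, b, x, y) for a, b in product(BITS, BITS))
    return E(0, 0) + E(0, 1) + E(1, 0) - E(1, 1)

def eve_info(S, law):
    """Bound on Eve's information from the observed CHSH value alone."""
    if S <= 2:                  # no violation: nothing can be certified
        return 1.0
    if law == "no-signaling":   # individual attacks
        return 2 - S / 2
    if law == "quantum":        # collective attacks
        return h((1 + math.sqrt((S / 2) ** 2 - 1)) / 2)
    raise ValueError(law)

def key_rate(S, Q, law):
    """r = I(A:B) - I_Eve, assuming I(A:B) = 1 - h(Q)."""
    return max(0.0, 1 - h(Q) - eve_info(S, law))
```

At the singlet value of S with Q = 0, the no-signaling bound leaves a rate of √2 - 1, the same number that appears on the p_PR scale of the "Side-issues" slide.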