Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1

Privacy amplification [BB] Alice and Bob share information that is partially secret towards an eavesdropper Eve. Their goal is to extract a shorter string that is completely secret. They may use a short, public random string.

More formally: Alice and Bob share x {0,1} n. x has a-priori distribution X that has a lot of entropy. H (X) k a Pr[X=a] 2 -k Eve holds a random variable W on {0,1} b that holds partial information about x. 3

A (k,b, ) extractor - classical case E:{0,1} n {0,1} t {0,1} m is a (k,b, ) extractor, if: For every X with H (X) k, and, For every W=W(X) distributed on {0,1} b |U t E(X, U t ) W(X) – U t U m W(X) | Sample: x X, y {0,1} t Output: y,E(x,y),W(x) Sample: x X, y {0,1} t,u {0,1} m Output: y,u,W(x) 4

In the classical world The problem can be solved almost optimally using extractors. Solutions give: t=O(log(n/ )) m= (k-b) 5

A (k,b, ) extractor - quantum case E:{0,1} n {0,1} t {0,1} m is a (k,b, ) extractor against quantum storage, if: For every X with H (X) k, and, For every = (X) on b qubits |U t E(X, U t ) (X) – U t U m (X) | tr Sample: x X, y {0,1} t Output: y,E(x,y), (x) Sample: x X, y {0,1} t,u {0,1} m Output: y,u, (x) 6

In the quantum world Some extractors fail. [GKKRWJ] show an extractor against b bits that fails against polylog(b) qubits. Some extractors work. Konig, Maurer,Renner 04 Fehr, Schaffner 08 Konig Terhal 08 7

Previous extractors - quantum case TechniqueSeed lengthAuthor Pair-wise independence, Collisionst= (n)Konig, Maurer, Renner Almost pair-wise independencet= (m)Variation on KMR Z 2 n Fourier transformt= (b)Fehr, Schaffner Any one-output extractor is goodt= (m)Konig Terhal Any extractor is good with error 2 b t= (b)Konig Terhal Several methodst=O(log(n))Classical E : {0,1} n {0,1} t {0,1} m 8

Our result A (k,b, ) extractor E:{0,1} n {0,1} t {0,1} m against quantum storage, with: Optimal t=O(log n) when m=n (1) Trevisan: m=(k-b) (1) Optimal: (k-b) 9

The basic paradigm Reconstruction algorithms Reconstruction Extraction in the classical world [Trevisan] Reconstruction with few queries Extraction against quantum storage. 10

Distinguisher A test is a function T : {0,1} m {0,1} A test T -distinguishes D 1 from D 2 if | Pr x D1 [T(x)=1] – Pr x D2 [T(x)=1] | 11

Reconstruction algorithms A function E:{0,1} n {0,1} t {0,1} m has a reconstruction algorithm R if For every x {0,1} n, and every T that distinguishes U t E(x,U t ) from U t+m There exists a string adv=adv(x) of a bits, s.t. R T (adv(x))=x 12

Reconstruction Extraction [Tre] Suppose E has reconstruction with a advice bits, Suppose E is not a (k,b, ) extractor. Then, there exist: X with H (X) k, Eve storing b bits of information, -distinguishing E from uniform. B={x| Eve -dist W(x) U t E(x, U t ) from W(x) U t+m } |B| ε|X| 13

For every x B The test T: Gets advice W(x). Applies Eve( W(x), y, w). -distinguishes U t E(x, U t ) from U t+m. The reconstruction algorithm: Makes oracle calls to T. Gets additional a bits of advice adv(x). Reconstructs x. Thus x B can be reconstructed using a+b bits. 14

Reconstruction Extraction [Tre] |B| 2 a+b and 2 k |X| |B|/. Thus, ka+b+log(1/ ). 15

Extractor against quantum storage Suppose E has reconstruction with q queries. Suppose E is not a (k,b, ) extractor. Then, there exist: X with H (X) k, Eve storing b qubits of information, B={x| Eve -dist (x) U t E(x, U t ) from (x) U t+m } |B| ε|X| 16

For every x B The test T: Gets advice (x). Applies Eve( (x), y, w). -distinguishes U t E(x, U t ) from U t+m. The reconstruction algorithm: Makes oracle calls to T. Gets additional a bits of advice adv(x). Reconstructs x. Thus x B can be reconstructed using a+qb bits For the classical advice adv(x) For q queries to Eve 17

Extractor against quantum storage |B| 2 a+qb. Thus, 2 k |X| 2 a+qb /. ka+qb+log(1/ ). 18

Conclusions so far A function E:{0,1} n {0,1} t {0,1} m that has a reconstruction algorithm with A short classical advice adv(x), and, A few queries to the distinguisher Yields a good extractor against quantum storage. 19

An extractor with reconstruction The NW generator List decoding Trevisans extractor The quantum case Trevisans work 20

The NW Generator NW:{0,1} n {0,1} t {0,1} m has reconstruction that is correct on average. Given a distinguisher T, and The right advice adv(x) R T (adv(x),i) = x i For most i [n] 21 The NW generator uses a single query

List decoding 22

Trevisans extractor Uses: NW and its reconstruction algorithm, A code C : {0,1} n {0,1} N that is (L=poly(n),p=1/2- ) list-decodable. T(x,y)= NW( C(x), y) 23

Reconstruction for Trevisans ext. T(x,y)= NW( C(x), y) Find a word w {0,1} N that is 1/2+ close to C(x) using the NW reconstruction algorithm. Apply list decoding. Get a List L of all code words close to w, x L. The advice tells us which is x. Works well, but requires N queries. 24

The way around NW generator – learns a single bit of C(x), with one query, on average over i [N] 25 Learn the whole of x, with poly(n) queries. Trevisan: List decoding Learn a single bit of x, with polylog(n) queries, for any i [n] of our choice. Us: Local list decoding

Two questions 1.How do we achieve that? Answer: using local list decoding. 2. Does this suffice for the analysis? Answer: Yes, using lower bounds on random access codes. 26

The new extractor Uses: NW generator and its reconstruction algorithm, A code C : {0,1} n {0,1} N that is (L=poly(n),p=1/2+ ) locally list-decodable with q=polylog(n) queries. E(x,y)= NW( C(x), y) 27

The Analysis Suppose E(x,y)= NW( C(x), y) is not a (k,b, ) ext, violated with X and = (X). For any x B Advice: a+qb qubits We can learn any bit of x, with succ. prob. 2/3. |B| 2 (a+qb) log n. 2 k |X| 2 (a+qb) log n /. k(a+qb) log n+log(1/ ). 28 a RAC for B using a+qb qubits

Random access code for X RAC : X density matrix over m qubits such that for every x X: For all i [n], one can recover x i from RAC(x) with success probability at least 2/3. For most i [n], one can recover x i from RAC(x). Average-case RAC Worst-case RAC 29

RAC for X Arbitrary XX={0,1} n (n) Worst case RAC 0 (n) Average case RAC 30

Summary For the construction, we use: Trevisan extractor, with Local, list-decodable error correcting codes For the analysis, we use: Reconstruction algorithms together with Random access codes 31

Local decoding A code C:{0,1} n {0,1} N has (q,, ) a local Decoding algorithm D, if For every x {0,1} n, y {0,1} N, d(y,C(x)) N For every i [n] Pr [ D y (i)=x i ] 1- and D makes at most q queries to y. 32

Challenge 1.Find an extractor that Works against quantum storage With optimal parameters. 2. Generalize the construction to Eve that holds more qubits but has few information about X.

List decoding A code C:{0,1} n {0,1} N is (L,p) list-decodable, if for every w {0,1} N there are at most L codewords that are p-close to w. |{i | y i =w i }| pN 34

Unique decoding 35