Spanish Cryptography Days, November 2011, Murcia, Spain Antonio Acín ICREA Professor at ICFO-Institut de Ciencies Fotoniques, Barcelona Device-Independent Quantum Information Processing
Computational security Standard Classical Cryptography schemes are based on computational security. Assumption: eavesdropper computational power is limited. Even with this assumption, the security is unproven. E.g.: factoring is believed to be a hard problem. Quantum computers sheds doubts on the long-term applicability of these schemes, e.g. Shor’s algorithm for efficient factorization.
Quantum Computation Quantum computer: device able to manipulate information encoded on quantum particles. These devices allow one to solve computational problems in a much more efficient way than a classical computer. Shor’s algorithm (1994): factorization problem. 6 = 3 x 2Easy! = x A quantum computer allows the efficient factorization of large numbers.
Computational security It was easy to generate the factors and then compute the product. One-way functions: easy in one direction, hard in the opposite. Many cryptographic schemes, such as RSA, are based on the factorization problem. AliceBob Eve Multiply Factorize If factorization becomes easy, the enemy can break the protocol!
Quantum Information Theory Quantum Information Theory studies how to manipulate and transmit information encoded on quantum particles. Quantum Mechanics: set of laws describing the Physics of the microscopic world. (Einstein, Planck, Bohr, Schrödinger, Heisenberg,…, first half of the XX century). Information Theory: mathematical formalism describing how information can be stored, processed and transmitted. (Shannon, 1950). Why now?
Quantum Information Theory Current technological progress on devices miniaturization leads to a scenario where information is encoded on quantum particles, such as atoms or photons. Moore’s Law: information-device size decreases exponentially with time. Information is encoded in fewer and fewer atoms. It is very plausible that quantum effects will manifest in the near future.
Novel information applications become possible when using information encoded on quantum states, e.g. more powerful computers and secure communication. What happens when we encode information in the quantum world? Quantum Information Theory
Heisenberg Uncertainty Principle Quantum Theory only predicts the probabilities of outcomes. Quantum Particle Measurement 50% The measurement process modifies the state of the particle! Heisenberg uncertainty principle: the measurement process perturbs the state of a quantum system.
Quantum Cryptography AliceBob Eve Quantum bits The eavesdropper, Eve, when measuring the particles, introduces noise, errors, in the channel and is detected by the honest parties. BennettBrassard Ekert Heisenberg uncertainty principle → Secure cryptography!
Quantum Cryptography: a new form of security Standard Classical Cryptography schemes are based on computational security. Assumption: eavesdropper computational power is limited. Even with this assumption, the security is unproven. E.g.: factoring is believed to be a hard problem. Quantum computers sheds doubts on the long-term applicability of these schemes, e.g. Shor’s algorithm for efficient factorization. Quantum Cryptography protocols are based on physical security. Assumption: Quantum Mechanics offers a correct physical description of the devices. No assumption is required on the eavesdropper’s power, provided it does not contradict any quantum law. Using this (these) assumption(s), the security of the schemes can be proven.
Quantum Cryptography: you can buy it! Quantum cryptography is a commercial product. In 2007, it was used to secure part of the vote counting in a referendum in the canton of Geneva. The Quantum Stadium: in 2010, in collaboration with the University of Kwazulu-Natal, South Africa, it was used to encrypt a connection in the Durban stadium during the World Cup. Ribordy
Quantum hacking How come?!
Quantum hacking Single-photon source Single-photon detector Quantum channel Quantum hacking attacks break the implementation, not the principle. Attenuated laser source Realistic APD detector
Device-Independent Quantum Information Processing
Scenario Alice Bob y=1,…,m a=1,…,r b=1,…,r x=1,…,m Vector of m 2 r 2 positive components satisfying m 2 normalization conditions Distant parties performing m different measurements of r outcomes.
Quantum Correlations Assumption: the observed correlations should be compatible with the quantum formalism. No constraint is imposed on the quantum state and measurements reproducing the observed correlations. They act on an arbitrary Hilbert space. Standard Quantum Information applications are not device-independent: they crucially rely on the details of states and measurements used in the protocol.
Bell inequality violation Bell inequality violation is a necessary condition for DIQIP. If the correlations are local: The observed statistics can be reproduced by classically correlated data → no improvement can be expected over Classical Information Theory. Any protocol should be built from non-local correlations.
Characterization of Quantum Correlations
Motivation Given p(a,b|x,y), does it have a quantum realization? Example:
Hierarchy of necessary conditions Given a probability distribution p(a,b|x,y), we have defined a hierarchy consisting of a series of tests based on semi-definite programming techniques allowing the detection of supra-quantum correlations. NO YES NO YES The hierarchy is asymptotically convergent. YES
Convergence of the hierarchy If some correlations satisfy all the steps in the hierarchy, then: with ?
Device-Independent Quantum Key Distribution
Device-Independent QKD Standard QKD protocols based their security on: 1.Quantum Mechanics: any eavesdropper, however powerful, must obey the laws of quantum physics. 2.No information leakage: no unwanted classical information must leak out of Alice's and Bob's laboratories. 3.Trusted Randomness: Alice and Bob have access to local random number generators. 4.Knowledge of the devices: Alice and Bob require some control (model) of the devices. Are there protocols for secure QKD based on without requiring any assumption on the devices?
Motivation The fewer the assumptions for a cryptographic protocol → the stronger the security. Device-Independent QKD represents the strongest form of quantum cryptography. It is based on the minimal number of assumptions. It may be useful when considering practical implementations. If some correlations are observed → secure key distribution. No security loopholes related to technological issues.
Secure device-independent quantum key distribution with causally independent measurement devices
The model We require that the generation of raw key elements define causally independent events. All raw-key elements General quantum state Measurements by Alice and Bob
The model This requirement can be satisfied by performing space-like separated measurements. Secure DIQKD is, in principle, possible. The requirement can just be assumed, either by assuming memoryless devices or some shielding ability by the honest parties (which is always necessary). This requirement is always one of the assumptions (among many more) needed for security in standard QKD.
Bound on the key rate The critical error for the CHSH inequality is of approx 5%. For the chained inequality with 3 settings, one has 7.5%. The protocols are competitive in terms of error rate.
Device-Independent Randomness Generation
Can the presence of randomness be guaranteed by any physical mechanism?
Known solutions Classical Random Number Generators (CRNG). All of them are of deterministic Nature. Quantum Random Number Generators (QRNG). There exist different solutions, but the main idea is encapsulated by the following example: In any case, all these solutions have three problems, which are important both from a fundamental and practical point of view. Single photons are prepared and sent into a mirror with transmittivity equal to ½. The random numbers are provided by the clicks in the detectors.
Problem 1: certification Good randomness is usually verified by a series of statistical tests. There exist chaotic systems, of deterministic nature, that pass all existing randomness tests. Do these tests really certify the presence of randomness? Do these tests certify any form of quantum randomness? Classical systems pass them!
RANDU RANDU is an infamous linear congruential pseudorandom number generator of the Park–Miller type, which has been used since the 1960s. Three-dimensional plot of 100,000 values generated with RANDU. Each point represents 3 subsequent pseudorandom values. It is clearly seen that the points fall in 15 two-dimensional planes.
Problem 2: privacy Many applications require private randomness. How can one be sure that the observed random numbers are also random to any other observer, possibly adversarial? Classical Memory …
Problem 3: device dependence All the solutions crucially rely on the details of the devices used in the generation. How can imperfections in the devices affect the quality of the generated numbers? Can these imperfections be exploited by an adversary? Single photons are prepared and sent into a mirror with transmittivity equal to ½. The random numbers are provided by the clicks in the detectors.
Random Numbers from Bell’s Theorem We want to explore the relation between non-locality, measured by the violation β of a Bell inequality, and local randomness, quantified by the parameter. Clearly, if β =0 → r=1. y=1,2 a=+1,-1 b=+1,-1 x=1,2
Results All the region above the curve is impossible within Quantum Mechanics.
Statement of the problem We have developed an asymptotically convergent series of sets approximating the quantum set.
Experimental realization The two-box scenario is performed by two atomic particles located in two distant traps. Using our theoretical techniques, we can certify that 42 new random bits are generated in the experiment. It is the first time that randomness generation is certified without making any detailed assumption about the internal working of the devices.
Concluding Remarks
Quantum correlations Hierarchy of necessary condition for detecting the quantum origin of correlations. Each condition can be mapped into an SDP problem. How does this picture change if we fix the dimension of the quantum system? Are all finite correlations achievable measuring finite-dimensional quantum systems?
Device-Independent QKD Classical cryptographic is based on computational security. Quantum computers may change what we understand today as a hard problem. Quantum Key Distribution is based on physical laws. Standard protocols require good control of the devices. It seems possible to construct QKD protocols whose security does not require any assumption on the devices. General security proofs? The implementation of these protocols using current technology is still a challenge! Hybrid scenarios: partial control of the devices suffices.
Random Numbers from Bell’s Theorem Randomness can be derived from non-local quantum correlations. The obtained randomness is certifiable, private and device-independent. It represents a novel application of Quantum Information Theory, solving a task whose classical realization is, at least, unclear. These techniques allow quantifying the intrinsic quantum randomness generated in Bell tests. General security proof? More efficient schemes for generation?