Application of quantum universal composability theorem
1. Motivation: e.g. is QKD secure?
2. Tool: universal composability
3. Application 1: composability of QKD
4. Application 2: composability of variants of quantum authentication + key recycling
Recitation session for the workshop
1. Motivation: e.g. is QKD secure? (Unruh's talk, Renner's talk)
2. Tool: universal composability (Unruh's talk)
3. Application 1: composability of QKD (Unruh's talk, Renner's talk)
4. Application 2: composability of variants of quantum authentication + key recycling (Oppenheim's talk)
Easier talk since the audience is well acquainted with the subject; we can work through a couple of examples in detail. The results are actually complementary! No surprise: too repetitive for some, too brief for others. Give me hints throughout the talk which case it is. No need to give the talk!
Coauthors, by section of the outline: Michael Ben-Or (2, 3), Patrick Hayden (4), Michal Horodecki (3), Debbie Leung (3, 4), Dominic Mayers (2, 3, 4), Jonathan Oppenheim (3). (MB, PH, DM are in the audience.)
QKD relies on authentication, and authentication uses a small key.
Motivation: key degradation in repeated QKD (Bennett & Smolin).
[Figure: Alice and Bob start a round with shared keys k_A, k_B, with Eve on the channel; after the round they hold k'_A, k'_B, part of the key having been consumed by the authentication.]
Composability: what do we mean by "unconditional security of QKD"?
[Figure: QKD between Alice and Bob, Eve on the channel; outputs k_A (Alice), k_B (Bob) and Eve's information k_E.]
QKD is "unconditionally secure": for every strategy of Eve such that Pr(generate key) is non-negligible, k_A = k_B = k, k is random, and I(K_E : K) is negligible.
Caveat: this criterion is applicable only if Eve measures right after QKD to learn about k, not if she delays her measurement.
Composability: a more serious example. Is "QKD + encryption" secure???
[Figure: QKD gives Alice and Bob the key k; Alice encrypts with U_k, Bob decrypts with U_k†; Eve observes both the QKD run and the ciphertext.]
More information may be gained from joint measurements (Peres, Wootters).
Composability: a nightmare?
Unlocking accessible information by further classical communication (DiVincenzo, (M.) Horodecki, Leung, Smolin, Terhal; Hayden, Leung, Shor, Winter).
[Figure: x = n bits, y = O(log n) bits; Eve holds the state U_y ρ_x U_y†.]
Measuring right away: information on x is O(log n).
Waiting for y: the extra information gained, n − O(log n), far exceeds the length of y, O(log n).
For QKD, let x = key and ρ_x = Eve's state right after QKD. Let y = Eve's classical information when the key is used classically. Knowing "I(K_E : K) small" does not imply security of using the generated key in classical applications.
(Advertise: Michal's talk.)
Pre-conclusions:
1. Life can be bad: be ultra paranoid (about composability).
2. QKD is composable, fortunately (BUT REMEMBER TO USE a better security criterion, e.g. singlet fidelity, at least until the accessible-information criterion is "vindicated", if at all).
When is a cryptographic primitive "safe-to-use"? Wait... used in what?
Universal composability (Michael Ben-Or & Dominic Mayers 02). Alternative model by Unruh & Mueller-Quade.
Universal composability: the general problem.
[Figure: a protocol built as a tree of n subprotocols.]
How to define the security of each subprotocol so that "reasonable composition" is secure?
Notations: a protocol; the ideal task it attempts; and a protocol calling the first one as a subroutine, trying (imperfectly) to perform some ideal task of its own. E.g. ideal task = perfect encryption or perfect key distribution; protocol = QKD, or encryption with a perfect key or with a QKD key.
Wanted: a security definition and security of composition, a pair of related concepts.
The security definition of protocols should imply secure basic composition: if the outer protocol (using the ideal subroutine) and the subprotocol are both "secure", then the outer protocol calling the real subprotocol is "secure". This is a composable security definition; universal, because it must hold in any application.
When is a protocol "secure"? If it is essentially indistinguishable from its ideal task, as viewed by any adversary, when used in any application.
Environment "E": controls all adversarial attacks and the input/output of the protocol; z is the output bit of E.
[Figure: E wraps the real protocol (IN/OUT) and outputs z; alternatively E wraps a simulator S acting on the ideal task and outputs z.]
The statistics of z reflect the difference between the real protocol and the ideal task.
Wanted: a universal composable security definition such that if the outer protocol with the ideal subroutine and the subprotocol are both "secure", then the outer protocol calling the real subprotocol is "secure".
Definition: a protocol is ε-s.r. if for all E (applications and adversaries) there exists a simulator S acting on the ideal task such that |Pr(z=0 | real) − Pr(z=0 | S(ideal))| ≤ ε.
Universal composable security definition: ε-s.r. if for all E (applications and adversaries) there exists S such that |Pr(z=0 | real) − Pr(z=0 | S(ideal))| ≤ ε.
CLAIM: this definition implies basic composition ("if both are secure then the composition is secure"): if the outer protocol with the ideal subroutine is ε-s.r. and the subprotocol is ε'-s.r., then the outer protocol calling the real subprotocol is (ε + ε')-s.r.
Universal composable security definition implies secure basic composition.
Let the outer protocol be one that calls a subprotocol and tries to perform its own ideal task. Claim: if the outer protocol with the ideal subroutine is ε-s.r. and the subprotocol is ε'-s.r., then the outer protocol calling the real subprotocol is (ε + ε')-s.r.
Proof (as a sequence of figures):
1. E runs the outer protocol, which calls the real subprotocol; E outputs z.
2. View E together with the outer protocol as an environment for the subprotocol. Since the subprotocol is ε'-s.r., it can be replaced by its simulator S acting on the ideal subroutine: Pr(z=0 | outer calling real sub) and Pr(z=0 | outer calling S(ideal sub)) differ by at most ε'.
3. Now E together with that simulator is an environment for the outer protocol with the ideal subroutine. Since this is ε-s.r., it can be replaced by its simulator S acting on the outer ideal task: the two probabilities differ by at most ε.
4. The composed simulator is the outer S running the inner S; the total difference is at most ε + ε'.
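The same triangle-inequality argument written out symbolically (added here as a worked derivation; the notation $\pi,\tau,\hat\pi,\hat\tau$ is chosen for this page, since the slides give the argument in pictures):

Let $\pi$ be the outer protocol, $\tau$ the subprotocol it calls, $\hat\tau$ and $\hat\pi$ their ideal tasks, and $\pi^{\tau}$ the protocol $\pi$ calling $\tau$. The hypotheses are

$$\text{(i)}\quad \forall E'\ \exists S' :\ \bigl|\Pr(z=0\mid E'\circ\tau)-\Pr(z=0\mid E'\circ S'(\hat\tau))\bigr|\le\epsilon' ,$$
$$\text{(ii)}\quad \forall E\ \exists S :\ \bigl|\Pr(z=0\mid E\circ\pi^{\hat\tau})-\Pr(z=0\mid E\circ S(\hat\pi))\bigr|\le\epsilon .$$

Fix an environment $E$ for $\pi^{\tau}$. Then $E' := E\circ\pi$ is an environment for $\tau$, so (i) gives a simulator $S'$ with

$$\bigl|\Pr(z=0\mid E\circ\pi^{\tau})-\Pr(z=0\mid E\circ\pi^{S'(\hat\tau)})\bigr|\le\epsilon' .$$

Next, $E$ with $S'$ absorbed into it is an environment for $\pi^{\hat\tau}$, so (ii) gives a simulator $S$ with

$$\bigl|\Pr(z=0\mid E\circ\pi^{S'(\hat\tau)})-\Pr(z=0\mid E\circ (S\circ S')(\hat\pi))\bigr|\le\epsilon .$$

By the triangle inequality,

$$\bigl|\Pr(z=0\mid E\circ\pi^{\tau})-\Pr(z=0\mid E\circ (S\circ S')(\hat\pi))\bigr|\le\epsilon+\epsilon' ,$$

so $\pi^{\tau}$ is $(\epsilon+\epsilon')$-s.r. with simulator $S\circ S'$. Note the order of quantifiers: $S'$ depends on $E\circ\pi$, and $S$ depends on $E$ together with $S'$; this is exactly why the definition must quantify over every environment.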
Universal composable security definition (ε-s.r. if for all E there exists S such that |Pr(z=0 | real) − Pr(z=0 | S(ideal))| ≤ ε) implies security of basic composition: if the outer protocol with the ideal subroutine is ε-s.r. and the subprotocol is ε'-s.r., then the composition is (ε + ε')-s.r.
Universal composability theorem: recursive basic composition. Apply the above to replace the subprotocols one by one, from the bottom of the tree to the top.
Punchlines.
Universal composable security definition: ε-s.r. if for all Env (applications and adversaries) there exists S such that |Pr(z=0 | real) − Pr(z=0 | S(ideal))| ≤ ε.
Universal composability theorem: a protocol is secure if (i) each subprotocol satisfies the universal composable security definition and (ii) the protocol has a proper modular structure (e.g. a tree).
Application 1: composability of QKD.
1. Composable security definition for QKD.
2. Relation between the composable and the usual security definition.
3. Sufficient conditions for the composable security definition for QKD. (2 & 3: QKD is composable.)
4. Corollary: slow key degradation in repeated QKD.
In the talk: privacy and uniformity conditions only; the equality condition is omitted (see the paper for the full treatment).
Michael Ben-Or, Michal Horodecki, Debbie Leung, Dominic Mayers, Jonathan Oppenheim 02. Renner & König 04: alternative proof of composability of QKD by showing composability of quantum privacy amplification. Also: Christandl, Renner & Ekert 04.
Application 1: composability of QKD (security of QKD).
Auth vs. ideal auth; QKD vs. ideal KD.
QKD = QKD built on a composable authentication (e.g. Wegman-Carter 81). The real QKD is s.r. if QKD with ideal authentication is composable, so we consider the latter.
Input: none. Output: key k and key length m (a random variable; m = 0 means "fail" or "abort").
Best application for E: just accept k. Adversary: Eve, who attacks the QKD run and reports to E.
[Figure: E interacts with QKD, which outputs (k, m); Eve attacks QKD and reports to E; E outputs z.]
Ideal KD: contains a "perfect-key-generating-box" PKGB. The adversary inputs m, and an m-bit uniformly random key k is distributed.
Simulator S(QKD): a "fake" QKD that interacts with Eve. From the fake QKD, S discards the key k' and takes only the length m, which it puts into the PKGB.
[Figure: E, Eve and the fake QKD (with key k') inside S; the ideal KD outputs (k, m) to E; E outputs z.]
E's state (composable security condition):
Real QKD: ρ^{QKD} = Σ_m p_m |m⟩⟨m| ⊗ ρ^m, with ρ^m = Σ_{k:|k|=m} p_{k|m} |k⟩⟨k| ⊗ ρ_k^m (key and Eve's state correlated).
Ideal KD: ρ^{ideal} = Σ_m p_m |m⟩⟨m| ⊗ σ^m, with σ^m = Σ_{k:|k|=m} 2^{-m} |k⟩⟨k| ⊗ tr_1 ρ^m (key uniform and uncorrelated with Eve's state; tr_1 traces out the key register).
QKD is ε-s.r. if |Pr(z=0 | ρ^{QKD}) − Pr(z=0 | ρ^{ideal})| ≤ ||ρ^{QKD} − ρ^{ideal}||_tr = Σ_m p_m ||ρ^m − σ^m||_tr ≤ ε.
Sufficient conditions for composable security. Write ρ^m = Σ_{k:|k|=m} p_{k|m} |k⟩⟨k| ⊗ ρ_k^m for the real key/Eve state given length m, σ^m = Σ_{k:|k|=m} 2^{-m} |k⟩⟨k| ⊗ tr_1 ρ^m for the ideal one, and δ = Σ_m p_m ||ρ^m − σ^m||_tr; QKD is ε-s.r. if δ ≤ ε.
1. Usual security: if Σ_m p_m I(K_E : K | M = m) ≤ ε, then δ is bounded by (2 max(m) + 2) times a function of ε.
2. Small Holevo information of Eve: let E_m = {p_{k|m}, ρ_k^m}_{k:|k|=m}; if Σ_m p_m χ(E_m) ≤ ε, then δ is bounded by a function of ε with constant 2 ln 2.
3. High singlet fidelity (if the proof is by an entanglement purification protocol, EPP): let ρ_{AB}^m be the state of Alice & Bob and Φ^m the m-singlet state; if Σ_m p_m F(ρ_{AB}^m, Φ^m) ≥ 1 − ε, then δ is bounded by a function of ε (assuming uniformity: p_{k|m} = 2^{-m}).
Security = correlation indistinguishable from none, plus equality and uniformity.
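A worked check of the composable condition above, added here and not taken from the slides or the paper. It treats the special case in which Eve's register is classical (she has already measured), so the trace distance between the real state and the ideal state (uniform key, uncorrelated with Eve) reduces to half the L1 distance between the joint distribution P(k, e) and U(k)·P(e). The last function checks the classical Pinsker inequality, which is the classical stand-in for the slide's relation between mutual information and trace distance; the slide's own constants are not reproduced. The "leaky key" distribution is constructed for the example.

```python
"""Composable vs. usual security of a QKD key with a classical eavesdropper (added example)."""
from __future__ import annotations

import math
from collections import defaultdict
from itertools import product


def marginals(p_ke: dict) -> tuple[dict, dict]:
    """Marginals P(k) and P(e) of a joint distribution {(k, e): prob}."""
    p_k, p_e = defaultdict(float), defaultdict(float)
    for (k, e), p in p_ke.items():
        p_k[k] += p
        p_e[e] += p
    return dict(p_k), dict(p_e)


def composable_distance(p_ke: dict, m: int) -> float:
    """delta = 1/2 * sum_{k,e} |P(k,e) - 2^-m P(e)|: the trace distance between the
    real key/Eve state and the ideal 'uniform key, uncorrelated with Eve' state,
    with k ranging over all m-bit strings (including those never generated)."""
    _, p_e = marginals(p_ke)
    total = 0.0
    for bits in product("01", repeat=m):
        k = "".join(bits)
        for e, pe in p_e.items():
            total += abs(p_ke.get((k, e), 0.0) - pe / 2**m)
    return total / 2


def mutual_information(p_ke: dict) -> float:
    """I(K:E) in bits: the 'usual' security quantity of the slides, classical case."""
    p_k, p_e = marginals(p_ke)
    return sum(p * math.log2(p / (p_k[k] * p_e[e])) for (k, e), p in p_ke.items() if p > 0)


def relative_entropy_to_ideal(p_ke: dict, m: int) -> float:
    """D(P_KE || U_K x P_E) in bits. This equals I(K:E) + D(P_K || U_K), so it
    coincides with I(K:E) exactly when the key is uniform."""
    _, p_e = marginals(p_ke)
    return sum(p * math.log2(p / (p_e[e] / 2**m)) for (k, e), p in p_ke.items() if p > 0)


def pinsker_bound(p_ke: dict, m: int) -> float:
    """Classical Pinsker: 1/2 ||P - Q||_1 <= sqrt((ln 2 / 2) D(P||Q)) with D in bits.
    An upper bound on composable_distance in terms of an entropic quantity."""
    return math.sqrt(math.log(2) / 2 * relative_entropy_to_ideal(p_ke, m))


def leaky_key(m: int, eps: float) -> dict:
    """Constructed example: a uniform m-bit key; Eve's symbol e equals the first
    key bit with probability 1/2 + eps and is flipped otherwise."""
    p = {}
    for bits in product("01", repeat=m):
        k = "".join(bits)
        first = k[0]
        flipped = "1" if first == "0" else "0"
        p[(k, first)] = (0.5 + eps) / 2**m
        p[(k, flipped)] = (0.5 - eps) / 2**m
    return p


if __name__ == "__main__":
    for eps in (0.0, 0.1, 0.5):
        p = leaky_key(3, eps)
        print(f"eps={eps}: delta={composable_distance(p, 3):.4f} "
              f"I(K:E)={mutual_information(p):.4f} bits "
              f"Pinsker bound={pinsker_bound(p, 3):.4f}")
```

For this family, δ equals eps exactly, while I(K:E) = 1 − h(1/2 + eps) is quadratically small in eps; the example makes concrete why a bound on mutual information only controls the composable distance up to a square-root loss, which is the kind of loss the slide's sufficient conditions carry.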
Punchlines.
QKD does provide a key that can be safely used in quantum or classical applications designed to use a perfect key!!!
Bounds for Eve's Holevo information or the singlet fidelity may be tighter in the context of composability than those for mutual information.
The proofs of the sufficient conditions are relations between correlation measures.
Corollary: key degradation in repeated QKD. QKD relies on authentication, and authentication uses a small key.
[Figure: Alice and Bob start a round with shared keys k_A, k_B, with Eve on the channel; after the round they hold k'_A, k'_B, part of the key having been consumed by the authentication.]
Corollary: key degradation in repeated QKD.
Authentication vs. ideal authentication; QKD vs. ideal key distribution.
Composable security of authentication (using a perfect key): known. Composable security of QKD (using perfect authentication): to be proved.
In particular, if authentication is ε-s.r. and QKD is ε'-s.r., then n rounds of repeated QKD are n(ε + ε')-secure.
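An added example, not code from the slides or from any of the cited papers, of the two ingredients of this corollary: a Wegman-Carter one-time MAC of the kind the slides assume for the composable authentication of QKD's classical messages, and the key accounting over n rounds, with the composed error n(ε + ε') from the slide. The MAC is the textbook construction: an almost-Δ-universal polynomial hash over GF(P) whose key `a` is reused, plus a fresh one-time pad per tag that hides the hash value. The field, block size, budget parameters and the sample message are my choices.

```python
"""Wegman-Carter one-time MAC and the key budget of repeated QKD (added example)."""
from __future__ import annotations

import math
import secrets

P = (1 << 61) - 1   # Mersenne prime; hash values, pads and tags live in GF(P)
BLOCK = 7           # bytes per field element (56 bits < 61 bits)
TAG_BITS = 61       # key bits consumed per authenticated message (one fresh pad)


def _blocks(msg: bytes) -> list[int]:
    """Split msg into field elements; the byte length is appended as a final
    block so that messages of different lengths never collide trivially."""
    out = [int.from_bytes(msg[i:i + BLOCK], "big") for i in range(0, len(msg), BLOCK)]
    out.append(len(msg))
    return out


def poly_hash(a: int, msg: bytes) -> int:
    """h_a(m) = sum_i m_i * a^(l+1-i) mod P (Horner form, no constant term).
    For distinct m, m' and any c, Pr_a[h_a(m) - h_a(m') = c] <= l/P, because
    the difference is a nonzero polynomial in a of degree at most l."""
    h = 0
    for m_i in _blocks(msg):
        h = (h + m_i) * a % P
    return h


def forgery_bound(max_len: int) -> float:
    """Per-attempt forgery probability of the MAC for messages up to max_len bytes."""
    return (math.ceil(max_len / BLOCK) + 1) / P


def wc_tag(a: int, pad: int, msg: bytes) -> int:
    """Wegman-Carter tag: hash under the reusable key a, masked by a one-time pad."""
    return (poly_hash(a, msg) + pad) % P


def wc_verify(a: int, pad: int, msg: bytes, tag: int) -> bool:
    return wc_tag(a, pad, msg) == tag


def draw_key() -> int:
    return secrets.randbelow(P)


def repeated_qkd_budget(initial_bits: int, rounds: int, msgs_per_round: int,
                        generated_bits: int, eps_auth: float, eps_qkd: float):
    """Key balance over n rounds of QKD whose classical messages are authenticated
    with the MAC above. The hash key a (TAG_BITS) is drawn once and reused; every
    message consumes a fresh TAG_BITS pad; each round deposits generated_bits of
    new key. Returns (balance after each round, composed error n*(eps_auth+eps_qkd))."""
    balance = initial_bits - TAG_BITS
    balances = []
    for _ in range(rounds):
        cost = msgs_per_round * TAG_BITS
        if balance < cost:
            raise ValueError("not enough key left to authenticate this round")
        balance = balance - cost + generated_bits
        balances.append(balance)
    return balances, rounds * (eps_auth + eps_qkd)


if __name__ == "__main__":
    a, pad = draw_key(), draw_key()
    msg = b"basis choices: 0110100101"   # constructed sifting message
    tag = wc_tag(a, pad, msg)
    print(wc_verify(a, pad, msg, tag), wc_verify(a, pad, msg + b"!", tag))
    print(repeated_qkd_budget(1000, 3, 4, 500, forgery_bound(64), 1e-9))
```

The budget function is deliberately simple: the round is "degrading" exactly when `msgs_per_round * TAG_BITS` exceeds `generated_bits`, and the composed error grows linearly in the number of rounds regardless, which is what the corollary says composability buys.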
Composability of "quantum authentication + key recycling" (Patrick Hayden, Debbie Leung, Dominic Mayers 04).
Oppenheim & Horodecki 03: proof of secure key recycling via bounds on information-theoretic quantities.
Quantum encryption (Q_enc): Ambainis, de Wolf, Mosca, Tapp 00; Boykin, Roychowdhury 00; Hayden, Leung, Shor, Winter 03.
Encrypting quantum communication with a classical key k: Alice applies U_k, Bob applies U_k†. Requirement: for all ρ, Σ_k p_k U_k ρ U_k† = I/2^m, the maximally mixed state on m qubits.
Key requirement for an m-qubit message: 2m key bits if the message may be entangled or the encryption must be exact; m + o(m) key bits if the message is pure and the encryption is approximate.
Quantum message authentication (QA): Barnum, Crépeau, Gottesman, Smith, Tapp 02.
Authenticate quantum communication with a classical key: Alice applies E_k to ρ; Bob applies D_k and outputs ρ' together with pass/fail. Requirement: Pr(pass & ρ' ≠ ρ) is small, i.e. high fidelity between ρ and ρ' (or between the corresponding joint states if ρ is entangled with a reference).
Result: QA with "key reuse if the authentication test passes (without privacy amplification)" is secure.
Intuition: eavesdropping on a quantum state disturbs it.
1. QA always requires Q_enc (BCGST02). Can we eliminate this cost?
2. Add QA to Q_enc: passing the authentication test suggests no eavesdropping. Can we recycle the key? Pr(authentication passes and eavesdropped) is negligible.
Key recycling: intuitive (BBBW82) and obvious? It is hard to analyze joint attacks over different uses of the key.
There are two interpretations of key recycling in QA; we treat the specific scheme of BCGST02.
Main ideas: 1. Redefine BCGST02 as BCGST02+KD (authentication plus key distribution). 2. Show BCGST02+KD composable (exploiting the special structure of BCGST02).
Composability of "BCGST02+KD":
1. Review BCGST02.
2. "Equate" BCGST02 and TQA (authentication by teleportation).
3. Prove composability of TQA+KD, which reduces to composability of "ebits".
For the same token: 1. BCGST02' for pure states, using approximate encryption for half the price. 2. Quantum composability of the Wegman-Carter scheme.
Scenario for BCGST02. Alice and Bob have: 1. a classical key; 2. an insecure quantum channel; 3. a forward classical channel (Alice → Bob), WLOG authenticated; 4. no back communication (non-interactive, e.g. quantum storage).
We use 1 bit of back communication for key recycling, to tell Alice whether authentication passes. This still applies to quantum storage and is not too interactive.
BCGST02: review. Shared keys x, z, y, t.
[Figure: time runs downward; double lines carry bits, single lines carry qubits; the quantum channel is insecure.]
Alice: m-qubit message ρ; encrypt with the m-bit keys x, z (Q_enc); encode with the quantum code C_t, which encodes m qubits in m + s qubits; add the syndrome e_y. Here t and y are s-bit keys with s << m.
Bob: decrypt with x, z; decode C_t and measure the syndrome y'. Output: if y ≠ y', fail and output |0⟩⟨0|; else pass and output the decrypted state ρ'. (This is the purity test, PT.)
ρ_out = ρ'_pass ⊗ |pass⟩⟨pass| + |0⟩⟨0|_fail ⊗ |fail⟩⟨fail| (branches weighted by their probabilities).
BCGST02: review (security). Shared keys x, z, y, t; insecure quantum channel plus PT; if fail, Bob outputs nothing.
ρ_out = ρ'_pass ⊗ |pass⟩⟨pass| + |0⟩⟨0|_fail ⊗ |fail⟩⟨fail|.
Security (pure input |ψ⟩ for simplicity): Tr[ρ_out (|ψ⟩⟨ψ| ⊗ |pass⟩⟨pass| + |0⟩⟨0| ⊗ |fail⟩⟨fail|)] ≥ 1 − ε, with ε = 2^{-(s-1)} (m + s)/s.
Teleportation (BBCJPW 93). [Figure: Alice performs a Bell measurement on the message and her half of an EPR pair, obtaining the classical outcome k; Bob applies U_k to his half. Compare Q_enc: the correction U_k plays the role of the encryption operation with key k.]
Reduction to teleportation with imperfect EPR pairs.
TQA: Alice prepares Bell pairs (H, then Bell state preparation, with x, z applied locally), the pairs go through the purity test PT, and Alice teleports the message over a perfect classical channel; pass/fail is returned, and if fail, Bob outputs nothing.
The environment sees no difference between BCGST02 and TQA: the joint state is the same, because in BCGST02 the PT only makes a maximally entangled state, and Alice's encryption/encoding is a local operation on her side.
TQA as "PT + KD, then teleportation + KD" (the PT is viewed as a key-distribution step KD for the recycled key, with the pass/fail bit sent over the classical channel CC). The ideal counterpart, QA + KD, replaces the PT by ideal EPR pairs: "EPR + KD, then teleportation + KD", with the simulator S forwarding pass/fail.
Real state after the test: p ρ'_{xz} ⊗ |pass⟩⟨pass| + p_f |0⟩⟨0| ⊗ |fail⟩⟨fail|. Ideal state: p ρ_{xz} ⊗ |pass⟩⟨pass| + p_f |0⟩⟨0| ⊗ |fail⟩⟨fail|. E outputs z in both cases.
Pr(z=0 | BCGST02) = Pr(z=0 | TQA), and |Pr(z=0 | TQA) − Pr(z=0 | QA+KD)| ≤ |Pr(z=0 | PT) − Pr(z=0 | EPR)|, which is bounded by a quantity with exponent 1/4 in the purity-test error (composability of PT).
Composability of PT (EPR from PT). Ideal EPR: E is given pass/fail.
ρ_PT = p_acc ρ_{ABE}^{acc} ⊗ |acc⟩⟨acc| + p_rej |0⟩⟨0|_{AB} ⊗ ρ_E ⊗ |fail⟩⟨fail|.
PT guarantee: Tr[P tr_E(ρ_PT)] is close to 1 for P = Φ_{AB} ⊗ |acc⟩⟨acc| + I_{AB} ⊗ |fail⟩⟨fail| (Φ_{AB} the maximally entangled state).
Simulator S: run the PT with Eve and report pass/fail.
ρ_EPR = p_acc Φ_{AB} ⊗ ρ_E^{acc} ⊗ |acc⟩⟨acc| + p_rej |0⟩⟨0|_{AB} ⊗ ρ_E ⊗ |fail⟩⟨fail|.
|Pr(z=0 | PT) − Pr(z=0 | EPR)| ≤ Tr|ρ_PT − ρ_EPR|, bounded by a quantity with exponent 1/4 in the PT error.
Bonus materials: lower bounds for QA and pure-state authentication.
Q_enc: for all ρ, Σ_k p_k U_k ρ U_k† = I/2^m; key size 2m bits (Ambainis, de Wolf, Mosca, Tapp 00; Boykin, Roychowdhury 00).
APQ_enc (approximate, pure states): ||(1/n) Σ_k U_k |ψ⟩⟨ψ| U_k† − I/2^m||_tr ≤ ε for all pure |ψ⟩; key size m + o(m) bits (Hayden, Leung, Shor, Winter 03).
Correspondence: APQ_enc ↔ remote state preparation; Q_enc ↔ teleportation.
Can we replace Q_enc in BCGST02 by APQ_enc securely?
Teleportation vs. encryption.
Teleportation: the EPR pair is shared in advance; the Bell measurement outcome k is communicated to Bob after encoding; Bob's state is encoded as a random U_k applied to the message.
Encryption: the key k is shared in advance; Alice communicates U_k ρ U_k†.
Switching the communicated and the pre-shared resources: the communication cost in teleportation corresponds to the key size in encryption.
Approximate pure-state version: APQ_enc, ||(1/n) Σ_k U_k |ψ⟩⟨ψ| U_k† − I/2^m||_tr ≤ ε, key size m + o(m) bits (Hayden, Leung, Shor, Winter 03).
Remote state preparation (Bennett, Hayden, Leung, Shor, Winter 03): transmits an n-qubit pure state known to Alice using n + o(n) cbits of communication (nonoblivious; pure states: Lo 99).
[Figure: encryption, with k = key, and RSP, with k = communication; in both, Bob's state is encoded as a random U_k applied to the approximate pure state, with E holding the remainder.]
Pure-state authentication: reduction to RSP with imperfect EPR pairs.
"RSP-QA": as TQA, but with remote state preparation over a perfect classical channel in place of teleportation; Alice's operations are local; pass/fail via PT; if fail, Bob outputs nothing.
BCGST02 for pure, known states (encryption and encoding U_{k,y}) vs. RSP-QA: the environment sees little difference, since the states are approximately the same.
Conclusion.
Composability gives a prescription for organizing our security proofs into components, each simple and well-defined.
To achieve composable security, we find out what will make the proof work: it is a systematic method to select secure variations.
QKD and BCGST02 work better than we thought. How do the difficulties disappear?