Composing Quantum Protocols Dominic Mayers Université de Sherbrooke Joint Work with Michael Ben-Or.


Overview. Basic quantum mechanics. Models for quantum protocols and attacks. Canetti's security definition and composability theorem in the quantum world. Composability of quantum key distribution (joint work with Michael Ben-Or, Michal Horodecki, Debbie Leung and Jonathan Oppenheim). Generalization of ideal protocols (pro and con). X Briefly mention application to relativistic bit commitment X

Basic Quantum Mechanics. Classically, we believe that, in principle, if we are very careful, we can always extract a property of a system without disturbing the system. If we have two properties (e.g. momentum and position), we can make a measurement to extract the first property and another measurement to extract the second property. Quantum mechanics uses the non-abelian properties of operators on a Hilbert space to model the fact that two measurements are not always compatible. The execution of one measurement (say momentum) fundamentally interferes with the other (say position).

State Space = Hilbert Space. For our purpose, it will be sufficient to consider that an elementary system is a photon, in fact, the polarisation of this photon. Its state space is represented by a two-dimensional Hilbert space. The computational basis is {|0⟩, |1⟩} (each represents one of two orthogonal polarisations). The complementary basis is {|+⟩, |−⟩}, where |+⟩ = (|0⟩ + |1⟩)/2^(1/2) and |−⟩ = (|0⟩ − |1⟩)/2^(1/2) (each represents one of the two diagonal polarisations).

General state and transformation. The general state is α|0⟩ + β|1⟩, where α and β are complex numbers with |α|² + |β|² = 1. A global phase (multiplication by a complex number of modulus 1) does not change the physical state. The valid transformations are unitary transformations on the Hilbert space. This extends to tensor products of Hilbert spaces. For example, {|00⟩, |01⟩, |10⟩, |11⟩} is a basis for two photons.

Classical vs Quantum. Many quantum observables have a classical counterpart. The polarisation of a photon is an example: its classical counterpart is the polarisation of a classical laser beam. The polarisation of a classical laser beam can be observed without disturbing it. This is not true for the (quantum) polarisation of a photon.

Orthogonal Measurement = Basis. We can measure in the computational basis using a beam splitter that is vertically oriented. [Diagram: the state α|0⟩ + β|1⟩ enters the beam splitter; the outcome |0⟩ occurs with probability |α|² and the outcome |1⟩ occurs with probability |β|².] This generalises to any basis in any tensor product space.
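As an added illustration (not part of the talk) of the Born-rule probabilities |α|² and |β|² and of the incompatibility of the two bases from the preceding slides, the Python block below represents a qubit as a pair of amplitudes, computes the outcome probabilities in the computational and in the complementary basis, and samples a measurement in the wrong basis to show that the "+" information is lost. All function names (inner, outcome_probabilities, measure, disturbance_rate) are this example's own, and the pseudo-random sampling is a simulation, not a physical measurement.

```python
import math
import random
from typing import List, Sequence, Tuple

# A qubit state is a pair of complex amplitudes (alpha, beta) for alpha|0> + beta|1>.
State = Tuple[complex, complex]
INV_SQRT2 = 1 / math.sqrt(2)

KET0: State = (1, 0)
KET1: State = (0, 1)
KET_PLUS: State = (INV_SQRT2, INV_SQRT2)     # |+> = (|0> + |1>)/2^(1/2)
KET_MINUS: State = (INV_SQRT2, -INV_SQRT2)   # |-> = (|0> - |1>)/2^(1/2)

COMPUTATIONAL: Sequence[State] = (KET0, KET1)
COMPLEMENTARY: Sequence[State] = (KET_PLUS, KET_MINUS)


def inner(u: State, v: State) -> complex:
    """<u|v>, conjugating the bra side."""
    return sum(a.conjugate() * b for a, b in zip(u, v))


def outcome_probabilities(state: State, basis: Sequence[State]) -> List[float]:
    """Born rule: Pr(outcome j) = |<j|state>|^2 for every basis vector |j>.
    For alpha|0> + beta|1> in the computational basis this is [|alpha|^2, |beta|^2]."""
    return [abs(inner(b, state)) ** 2 for b in basis]


def measure(state: State, basis: Sequence[State], rng: random.Random):
    """Simulate one projective measurement: sample an outcome index and
    return (outcome, post-measurement state). The post-measurement state is
    the basis vector that was observed, so information about the original
    superposition in another basis is gone."""
    probs = outcome_probabilities(state, basis)
    r = rng.random()
    cumulative = 0.0
    for j, p in enumerate(probs):
        cumulative += p
        if r < cumulative:
            return j, basis[j]
    return len(basis) - 1, basis[-1]      # guard against rounding at the top end


def disturbance_rate(trials: int, seed: int = 0) -> float:
    """Prepare |+>, measure it in the (incompatible) computational basis, then
    measure the result in the complementary basis. Returns the fraction of
    trials in which the second measurement no longer reports '+' (outcome 0).
    Ideal value: 0.5, since the first measurement left |0> or |1>."""
    rng = random.Random(seed)
    changed = 0
    for _ in range(trials):
        _, post_state = measure(KET_PLUS, COMPUTATIONAL, rng)
        outcome, _ = measure(post_state, COMPLEMENTARY, rng)
        if outcome != 0:
            changed += 1
    return changed / trials


if __name__ == "__main__":
    print("|+> in computational basis:", outcome_probabilities(KET_PLUS, COMPUTATIONAL))
    print("|+> in complementary basis:", outcome_probabilities(KET_PLUS, COMPLEMENTARY))
    print("fraction of '+' lost after a wrong-basis measurement:", disturbance_rate(2000))
```

Measuring |+⟩ in its own basis is deterministic, while measuring it in the computational basis is a fair coin and leaves a state that has forgotten it was |+⟩; that is the operational content of the "two measurements are not always compatible" remark.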

Models for Quantum Protocols. A protocol is specified by an initial state for each party and a sequence of quantum circuits, where each circuit is controlled by a single party. Communication occurs through registers that are transferred from one party to another. This is not enough. We also need to specify what a sub-protocol is and how communication occurs between a protocol and its sub-protocols.

Subprotocols (I). A protocol contains layers. The top layer is the protocol which calls subprotocols in the layer below, and so on, recursively. Every circuit U_i belongs to one party and one protocol. It belongs to a protocol if it uses only registers in the top layer of the protocol and I/O registers in between this layer and an adjacent layer (parent or child).

Coin Flipping(Alice, Bob). [Diagram: Alice holds a random bit a and Bob holds a random bit b. Alice sends a to the Commit sub-protocol; Bob sends b to Alice through an I/O register (received as b'); Alice then opens through the Open sub-protocol (received by Bob as a'). Alice outputs a ⊕ b' and Bob outputs a' ⊕ b. Each party also has internal registers.] For simplicity, we omitted that Commit should inform Bob of a success, that Alice should be informed of a successful reception of b', etc.

CoinFlipping(A, B). [Diagram: the Commit and Open sub-protocols, each with internal registers for A and B; some registers are not used in this case. Alice picks a random bit and sends it to Commit; Alice and Bob output bits.]
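To make the layered structure of the two coin-flipping slides concrete, here is an added Python simulation that is not part of the talk. It assumes a classical hash-based commitment as a stand-in for the Commit/Open sub-protocol (the talk's commitments are quantum or relativistic; only the interface, commit then open, is modelled) and it includes the two success signals the slide says were omitted from the diagram. The names commit, open_commitment and coin_flipping, and the opened_bit parameter used to model a mismatched opening, are this example's own.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Classical stand-in for the Commit/Open sub-protocol (assumption of this
# example): c = SHA-256(nonce || a) hides a behind a random 32-byte nonce and
# binds Alice to a through collision resistance of the hash.


def commit(a: int) -> Tuple[bytes, bytes]:
    """Commit sub-protocol, run by Alice. Returns (c, nonce): c travels to Bob
    through the I/O register, the nonce stays in Alice's internal register."""
    nonce = secrets.token_bytes(32)
    c = hashlib.sha256(nonce + bytes([a])).digest()
    return c, nonce


def open_commitment(c: bytes, nonce: bytes, a_prime: int) -> bool:
    """Open sub-protocol, verified by Bob: accept a_prime only if it matches c."""
    return hashlib.sha256(nonce + bytes([a_prime])).digest() == c


def coin_flipping(a: int, b: int, opened_bit: Optional[int] = None) -> Tuple[int, Optional[int]]:
    """Top-layer protocol CoinFlipping(Alice, Bob) from the slide.

    a: Alice's random bit; b: Bob's random bit.
    opened_bit: if given, Alice tries to open this value instead of a (used
    to show that Bob's Open check rejects a mismatched opening).
    Returns (Alice's output a XOR b', Bob's output a' XOR b); Bob's output is
    None when Open rejects.
    """
    # 1. Alice -> Commit(a). Bob receives c and a success signal.
    c, nonce = commit(a)
    bob_got_commitment = c is not None

    # 2. Bob -> Alice: b. Alice receives b' = b and acknowledges reception.
    b_prime = b
    alice_got_b = b_prime is not None

    # 3. Alice -> Open: reveal (nonce, a'); Bob checks it against c.
    a_prime = a if opened_bit is None else opened_bit
    if not (bob_got_commitment and alice_got_b) or not open_commitment(c, nonce, a_prime):
        return a ^ b_prime, None          # Bob aborts; Alice's local output is unaffected

    # 4. Outputs: Alice computes a XOR b', Bob computes a' XOR b.
    return a ^ b_prime, a_prime ^ b


if __name__ == "__main__":
    for a in (0, 1):
        for b in (0, 1):
            print(f"a={a} b={b} ->", coin_flipping(a, b))
    print("Alice opens the other bit ->", coin_flipping(0, 1, opened_bit=1))
```

With honest parties both outputs equal a ⊕ b, so the coin is uniform as soon as either input is; an opening that does not match the commitment makes Bob abort, which is exactly the binding property that the composability question for the relativistic commitment later in the talk is about.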

Registers and Communication. A protocol also contains internal registers and I/O registers. Every I/O register (two colours in the diagram) belongs to a single party and is for communication between a protocol and only one of its sub-protocols. Only the circuits U_i that are controlled by this party in the protocol or the subprotocol can access this I/O register. Every internal register (one colour) belongs to the top layer of a single (sub)protocol. Control over this register passes from one party to another: at the end of every circuit, the party (who just executed this circuit) can "transmit" some of his internal registers to other parties.

The honest environment of a protocol. The environment Z of a protocol B is the complementary set of circuits. The entire protocol is denoted Z(B). [Diagram: the circuits of protocol B, belonging to A and B, enclosed by the environment Z and connected to it through I/O registers.]

An honest environment. [Diagram: a tree of protocols and sub-protocols among parties A, B and C, with Coin Flipping as one of them, each with its internal and I/O registers.] A tree structure corresponds to the fact that we cannot use a common subprotocol.

The (dishonest) environment (later we will consider restricted classes). The environment has access to internal communication in the protocol and can corrupt parties. [Diagram: the protocol plus the attack; A is corrupted in this example, so A's circuits are part of the environment.]

The environment to Coin Flipping. [Diagram: the environment Z around the honest circuits of B.] The circuits in the attack can be anything. They can access the I/O registers of the honest parties in the protocol (as even an honest environment is allowed to do) and all the internal registers of the protocol and subprotocols when they are transmitted.

Quantum Universal Security Definition (I). Basic idea: B s.r. Π if, for all environments Z, there exists a simulator S such that Z(B) ≈ Z(Π, S). Here B is the real protocol, Π is a protocol that defines the ideal (quantum) task, S is the simulator, and (Π, S) is the ideal protocol. [Diagram: Z(B) on the real side, Z(Π, S) on the ideal side.]

How does it work? We want to prove: if B s.r. Π and G(Π) s.r. Π', then G(B) s.r. Π' (s.r. = securely realises). [Diagram: Z(G(B)) compared with Z(Π', S(G(B))).]

The top layer G of G(B) is in the environment of B. Diagram 1 = Diagram 2: Z around G(B) is the same as the environment (Z, G) around B.

So, we can use the security of B. Diagram 2 ≈ Diagram 3: (Z, G) around B is indistinguishable from (Z, G) around (Π, S(B)).

And take back G from the environment. Diagram 3 = Diagram 4: (Z, G) around (Π, S(B)) is the same as Z around G(Π) with the simulator S(B).

And, finally, use the security of G(Π). Diagram 4 ≈ Diagram 5: Z around G(Π) with S(B) is indistinguishable from Z around Π' with the simulator S(G(Π)).

So, we have a simulator for G(B): S(G(B)) = S(G(Π)) composed with S(B), so that Z around G(B) ≈ Z around Π' with S(G(B)).

We also want to prove: B s.r. Π ⟹ B^(m) s.r. Π^(m), where B^(m) = m copies of B (B_1, …, B_m) and Π^(m) = Π_1, …, Π_m (s.r. = securely realises). [Diagram: Z around B_1, …, B_m versus Z around Π_1, …, Π_m with the simulator S(B^(m)).]

A key point in the proof. At some point in the proof, the environment that is considered contains ideal protocols Π_i with the simulator S_i for B_i, and some real protocols B_i. [Diagram: Z around B_1, …, B_{j-1}, B_j, Π_{j+1} with S_{j+1}, …, Π_m.] So Z plus the B_j plus the simulators S_j must be a valid environment.

Quantum Universal Security Definition (II). For any two random binary variables Y, Y', let us write Y ≈_e Y' if |Pr(Y = 0) − Pr(Y' = 0)| ≤ e. Let P be the set of all polynomial functions. Definition. A protocol B for an ideal functionality Π is secure if, for any environment Z, there exists a simulator S such that (∀d ∈ P)(∃n_0 ∈ ℕ)(∀n > n_0) Z(B) ≈_e Z(Π, S), where e = 1/d(n). Dominic Mayers: The essential difference with definition 3 is that we moved the (∃S) at the very end, which makes the definition easier to achieve. It was also convenient to attach a polynomial in n instead of a single term n^c to every machine.

Quantum Universal Security Definition (III): About the Computational Setting. The simulator S must have a polynomial complexity c ∈ P that depends only on B (i.e. not on Z or n_0). Also, n_0 can only depend on d and on the respective polynomial complexities c, c' of S and Z (not on their actual circuits). The actual circuit of S, not its complexity, can depend on n and on the circuit of Z. For every c ∈ P, let T(c) be the set of programs of complexity c. Formally, the order of the quantifiers is: (∃c ∈ P)(∀c' ∈ P)(∀d ∈ P)(∃n_0 ∈ ℕ)(∀n > n_0)(∀Z ∈ T(c'))(∃S ∈ T(c)) Z(B) ≈_e Z(Π, S), where e = 1/d(n).

Nested protocols (more than 2 layers). For formal simplicity, we consider each layer as a single protocol. [Diagram: Z around B_1(B_2(…B_m)) ≈ Z around Π_1 with the simulator S(B_1(…B_m)).]

Basic step of the proof (I). [Diagram: Z around B_1, B_2, …, B_{m-1}, B_m = the environment (Z, B_1, B_2, …, B_{m-1}) around B_m.]

Basic step of the proof (II). [Diagram: (Z, B_1, …, B_{m-1}) around B_m ≈ (Z, B_1, …, B_{m-1}) around Π_m with the simulator S_m.]

Basic step of the proof (III). [Diagram: (Z, B_1, …, B_{m-1}) around Π_m with S_m = Z around B_1, B_2, …, B_{m-1}(Π_m) with S_m.]

Basic step of the proof (IV). [Diagram: Z around B_1, …, B_{m-1}(Π_m) with S_m(B_m) ≈ Z around B_1, …, Π_{m-1} with S_m(B_m) and S(B_{m-1}(Π_m)).] Etc…

A composability question. What about the security of an authentication protocol when a real QKD protocol, not an ideal one, is used as a resource (sub-protocol)? Does the real QKD protocol provide what is promised? [Diagram: QKD produces a key k, stored as K and used by Authentication on a message m.]

Key Degradation. [Diagram, read in reversed order (bottom-up): QKD produces a key k; Authentication consumes it; QKD is run again over the authenticated channel to produce the next key, and so on.] A negative answer could mean an important degradation of the key after a few repetitions. Ben-Or, Michal Horodecki, Leung, Mayers and Oppenheim (in progress). Dominic Mayers: An interesting example of a composability question. This question was brought to our attention half a decade ago by Bennett and Smolin.

Ideal QKD Protocol. [Diagram: Ideal QKD outputs the key k to both participants; Eve controls a single bit Jam.] In our ideal QKD protocol, the participants in the environment interact directly with an ideal party which provides the random key. In other ideal protocols, dummy parties are used. If Jam = 1, k = fail. If Jam = 0, k ∈_R {0,1}^m.

Back to Basic Quantum Mechanics. A probability distribution p(i) over (possibly non-orthogonal) states |ψ(i)⟩ can be represented without loss of physical information by the operator … . The probability of the outcome j in the basis {|j⟩ | j = 1, …, m} is given by … .

Real versus Ideal QKD. [Diagram: Real QKD beside Ideal Private QKD.] The real protocol ε-securely realises the ideal private QKD if … .

How come there is a single key k for Alice and Bob on the real side? The known security results for QKD give us that Alice's key and Bob's key are almost always identical. For simplicity, we will assume that we are only interested in the privacy of Alice's key.

Uniformity vs Privacy. The security of QKD is not only a small mutual information. We must also require a priori uniformity, i.e., as in the ideal case, for all k, p(k | Jam = 0) = 2^−m.
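The following Python block is an added example, not part of the talk, serving both the density-operator slide and the uniformity requirement just stated. It builds the standard density operator ρ = Σ_i p(i)|ψ(i)⟩⟨ψ(i)| of an ensemble (the formula is lost from the transcript; the expression used here is the textbook one), evaluates outcome probabilities ⟨j|ρ|j⟩ in a chosen basis, shows that two different ensembles can give the same operator (the "without loss of physical information" remark), and checks the ideal-key condition p(k | Jam = 0) = 2^−m on the operator of a classical key register. The helper names (ket, density_operator, outcome_probability, key_operator, is_uniform, max_guess_probability) and the sample distributions are this example's own.

```python
import math
from typing import List, Sequence, Tuple

Ket = Tuple[complex, ...]
Operator = List[List[complex]]
INV_SQRT2 = 1 / math.sqrt(2)


def ket(*amplitudes) -> Ket:
    return tuple(complex(a) for a in amplitudes)


KET0, KET1 = ket(1, 0), ket(0, 1)
KET_PLUS, KET_MINUS = ket(INV_SQRT2, INV_SQRT2), ket(INV_SQRT2, -INV_SQRT2)


def density_operator(ensemble: Sequence[Tuple[float, Ket]]) -> Operator:
    """rho = sum_i p(i) |psi(i)><psi(i)| for an ensemble of (p(i), |psi(i)>),
    returned as a dense matrix (list of rows)."""
    dim = len(ensemble[0][1])
    rho = [[0j] * dim for _ in range(dim)]
    for p, psi in ensemble:
        for r in range(dim):
            for c in range(dim):
                rho[r][c] += p * psi[r] * psi[c].conjugate()
    return rho


def outcome_probability(rho: Operator, j: Ket) -> float:
    """Born rule for a mixed state: Pr(outcome j) = <j|rho|j>."""
    total = 0j
    for r, row in enumerate(rho):
        for c, entry in enumerate(row):
            total += j[r].conjugate() * entry * j[c]
    return total.real


def same_operator(rho1: Operator, rho2: Operator, tol: float = 1e-9) -> bool:
    """Entry-wise equality up to floating-point error."""
    return all(abs(x - y) < tol
               for row1, row2 in zip(rho1, rho2) for x, y in zip(row1, row2))


def computational_basis(m: int) -> List[Ket]:
    """|k> for every m-bit string k, as 2^m-dimensional kets."""
    dim = 2 ** m
    return [ket(*(1 if i == k else 0 for i in range(dim))) for k in range(dim)]


def key_operator(distribution: Sequence[float]) -> Operator:
    """Density operator of a classical m-bit key register with Pr(k) = distribution[k]."""
    m = int(math.log2(len(distribution)))
    return density_operator(list(zip(distribution, computational_basis(m))))


def ideal_key_operator(m: int) -> Operator:
    """Ideal QKD with Jam = 0: the key is uniform over {0,1}^m."""
    return key_operator([2.0 ** -m] * (2 ** m))


def is_uniform(rho: Operator, m: int, tol: float = 1e-9) -> bool:
    """Uniformity requirement: p(k | Jam = 0) = 2^-m for every k."""
    return all(math.isclose(outcome_probability(rho, k), 2.0 ** -m, abs_tol=tol)
               for k in computational_basis(m))


def max_guess_probability(rho: Operator, basis: Sequence[Ket]) -> float:
    """Best single-shot guess of the outcome in the given basis."""
    return max(outcome_probability(rho, j) for j in basis)


if __name__ == "__main__":
    mixed_z = density_operator([(0.5, KET0), (0.5, KET1)])
    mixed_x = density_operator([(0.5, KET_PLUS), (0.5, KET_MINUS)])
    print("same operator for the two ensembles:", same_operator(mixed_z, mixed_x))
    print("ideal 3-bit key uniform:", is_uniform(ideal_key_operator(3), 3))
    skewed = key_operator([0.7, 0.1, 0.1, 0.1])   # constructed, non-uniform 2-bit key
    print("skewed key uniform:", is_uniform(skewed, 2),
          "best guess:", max_guess_probability(skewed, computational_basis(2)))
```

The two one-qubit ensembles give the identical operator (the maximally mixed state), so no measurement distinguishes them; for the key register, the uniformity check is what the ideal protocol guarantees when Jam = 0, and a skewed distribution is detected because some key value can be guessed with probability well above 2^−m even before any side information is considered.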

Security of QKD in terms of Simulators and Environments. [Diagram: on the real side, Alice and Bob run QKD and obtain the key k, which is passed to Authentication; on the ideal side, Ideal QKD outputs k and a simulator sets Jam. Is the real side ≈ the ideal side?]

Using Privacy. We can show that … , where I_acc(k | Jam) = max I(k; Y | Jam) and m is the length of the key (we omit the proof here). The large factor 2^m looks bad, but actually it is not so bad, because the bound on I_acc respects … , where n can be taken arbitrarily large, independently of m.

What about the known QKD protocols? The Mayers and Shor–Preskill security proofs can be adapted for composability without the large factor 2^m. We do not know if B92 is composable without this large factor (since there is no security proof).

Generalisation of Ideal Protocols. The essence of the composability proof did not use any particular definition of an ideal protocol. This suggests that we can obtain variations on the concept of composability by looking for variations on the notion of ideal protocols. The currently used concept is: [Diagram: the ideal protocol Π together with the simulator S.]

Format of the protocol Π. [Diagram: Alice's dummy program and Bob's dummy program each take an input and return an output; they are connected through ideal internal channels to the ideal functionality (also called a trusted party). The dummy programs just forward the input and the output.]

A possible variation (I). First, note that the simulator depends on the environment. So, in the viewpoint that we have adopted, we have already accepted the principle that the ideal protocol can depend on the environment. An ideal protocol is any protocol, including protocols that use unrestricted circuits. However, the final state after every circuit in the ideal protocol should be close, with high fidelity, to a state that would be obtained with a valid circuit.

A possible variation (II). Of course, we must also specify which properties are satisfied by this "ideal protocol". For example, there might be measurements that compute the inputs of the corrupted parties in a way that is perfectly consistent with the desired task and with the input/output of the honest parties, and that commute with the measurement of these honest inputs/outputs.

Composable relativistic bit commitment. We have obtained a "composable" relativistic bit commitment in the following sense: if Alice is corrupted, there exists a measurement that computes the bit that will be opened later in the opening phase. This measurement needs only to access the registers that are used by Alice in the commit phase. In particular, this measurement cannot access the registers that are kept private by Bob until after the commit phase. The protocol is perfectly concealing against Bob.

Conclusion. The quantum composability theorem is useful to provide an adequate angle to prove the security of quantum protocols with subprotocols. The key degradation problem is an example. Many quantum protocols will not respect the "standard" universal security definition (the one based on a simulator and a trusted party). Yet, variations on this standard definition can still provide a useful angle.