What are the minimal assumptions needed for infinite randomness expansion? Henry Yuen (MIT) Stellenbosch, South Africa 27 October 2015.

Certified randomness expansion is an answer to the following question: How do we know we have seen randomness?

Like all non-trivial epistemological questions, the answer must rely on some underlying assumptions. “I think, therefore I am (… but that’s about it)”

Certified randomness expansion is an answer to the following question: How do we know we have seen randomness? Goal : derive the most interesting answers to this, while minimizing our assumptions.

The hierarchy of randomness expansion

  Level                                   Assumptions
  Nothing                                 ?
  Exponential expansion                   ?
  Strong security against eavesdroppers   ?
  Infinite randomness expansion (∞)       ?

Cannot a priori certify whether outputs are random or not. Need additional assumptions!

If we assume:
1. Initial seed randomness.
2. Boxes are not able to communicate.
Then randomness certification becomes possible.

Clauser-Horne-Shimony-Holt game:
1. Experimenter chooses random bits x, y.
2. Sends x to the 1st box and y to the 2nd box simultaneously.
3. 1st box answers with bit a, 2nd box answers with bit b.
4. Experimenter checks if a + b = x ∧ y.
Optimal deterministic success probability: 75%.
Suppose boxes win CHSH with > 75% chance. Conclusion: a, b must be random!

Spooky action at a distance: boxes with success probability > 75% exist in a world governed by (at least) QM. Optimal quantum strategy: ≈ 85.4%.

Expanding randomness
1. Use an m-bit seed to generate CHSH inputs (x_1, y_1), …, (x_N, y_N), with N >> m.
2. Play CHSH N times, getting outputs (a_1, b_1), …, (a_N, b_N).
3. Accept if boxes win ≥ 85% of games.
4. Post-process outputs using a randomness extractor to produce (z_1, …, z_N').
Theorem: If Pr[boxes pass] > , then (z_1, …, z_N') is  -close to uniform on N' bits.
(Figure: the inputs x_1, x_2, …, x_N go to the 1st box and y_1, y_2, …, y_N to the 2nd.)
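The CHSH test and the acceptance step above, as an added Python simulation that is not part of the talk or of any of the cited protocols: it exhaustively checks every deterministic strategy (recovering the 75% bound), computes the outcome distribution of the optimal quantum strategy from the Bell state by the Born rule (recovering ≈ 85.4%), and runs steps 1 to 3 of the expansion protocol with the slide's 85% acceptance threshold. The function names, the measurement angles and the seed handling are my choices: the inputs are drawn from a seeded PRNG as a stand-in for the m-bit seed, and the "quantum" box is classically sampled from the Born-rule distribution, so the simulator's own randomness stands in for the physics. The extractor step 4 is not included.

```python
"""Added example: simulate the CHSH test used to certify randomness."""
import itertools
import math
import random

# Constructed measurement settings for the optimal quantum strategy:
# Alice measures at angle 0 or pi/4 (input x), Bob at pi/8 or -pi/8 (input y),
# both on the Bell state (|00> + |11>)/sqrt(2).
ALICE_ANGLE = {0: 0.0, 1: math.pi / 4}
BOB_ANGLE = {0: math.pi / 8, 1: -math.pi / 8}
INV_SQRT2 = 1 / math.sqrt(2)


def chsh_win(x, y, a, b):
    """CHSH win condition: a XOR b must equal x AND y."""
    return (a ^ b) == (x & y)


def best_deterministic_win_prob():
    """Exhaustively check every deterministic no-signalling strategy: box 1's
    answer depends only on x, box 2's only on y. Returns the best win rate
    over uniformly random inputs (the classical 75% bound from the slide)."""
    best = 0.0
    for fa in itertools.product((0, 1), repeat=2):      # a = fa[x]
        for fb in itertools.product((0, 1), repeat=2):  # b = fb[y]
            wins = sum(chsh_win(x, y, fa[x], fb[y])
                       for x in (0, 1) for y in (0, 1))
            best = max(best, wins / 4)
    return best


def quantum_outcome_dist(x, y):
    """Born-rule distribution over (a, b) when the boxes share the Bell state
    and measure in the real bases selected by x and y. Outcome 0 projects onto
    (cos t, sin t), outcome 1 onto the orthogonal vector (-sin t, cos t)."""
    def basis_vec(theta, outcome):
        t = theta + outcome * math.pi / 2
        return (math.cos(t), math.sin(t))
    dist = {}
    for a in (0, 1):
        va = basis_vec(ALICE_ANGLE[x], a)
        for b in (0, 1):
            wb = basis_vec(BOB_ANGLE[y], b)
            # amplitude <va (x) wb | Phi+> = (va0*wb0 + va1*wb1) / sqrt(2)
            amp = (va[0] * wb[0] + va[1] * wb[1]) * INV_SQRT2
            dist[(a, b)] = amp * amp
    return dist


def quantum_win_prob():
    """Average CHSH win probability of the quantum strategy over uniform x, y;
    comes out to cos^2(pi/8), about 0.854."""
    total = 0.0
    for x in (0, 1):
        for y in (0, 1):
            dist = quantum_outcome_dist(x, y)
            total += sum(p for (a, b), p in dist.items() if chsh_win(x, y, a, b))
    return total / 4


def run_expansion_test(strategy, n_rounds, seed, threshold=0.85):
    """Steps 1-3 of the expansion protocol: derive N input pairs from a seed,
    play N rounds, accept iff the win rate is >= threshold.
    `strategy(x, y, rng)` returns (a, b). Returns (accepted, rate, outputs)."""
    rng = random.Random(seed)   # stand-in for the m-bit uniform seed
    wins = 0
    outputs = []
    for _ in range(n_rounds):
        x, y = rng.getrandbits(1), rng.getrandbits(1)
        a, b = strategy(x, y, rng)
        wins += chsh_win(x, y, a, b)
        outputs.append((a, b))
    rate = wins / n_rounds
    return rate >= threshold, rate, outputs


def deterministic_box(x, y, rng):
    """Best classical strategy: both boxes always answer 0 (wins 3 of 4 inputs)."""
    return 0, 0


def quantum_box(x, y, rng):
    """Sample (a, b) from the Born-rule distribution for this round's inputs."""
    dist = quantum_outcome_dist(x, y)
    r = rng.random()
    acc = 0.0
    for ab, p in dist.items():
        acc += p
        if r < acc:
            return ab
    return (1, 1)  # guard against floating-point rounding in the sum


if __name__ == "__main__":
    print("best deterministic:", best_deterministic_win_prob())
    print("quantum:", quantum_win_prob())
    print("classical boxes pass?", run_expansion_test(deterministic_box, 4000, 1)[:2])
    print("quantum boxes pass?", run_expansion_test(quantum_box, 4000, 1)[:2])
```

The simulation shows the certification logic, not a security proof: the classical boxes are rejected because no deterministic (or mixed) no-signalling strategy can exceed 75% on uniform inputs, while the Born-rule boxes clear the 85% threshold on a few thousand rounds. The seeded PRNG that generates x, y is exactly the "initial seed randomness" assumption; if it were predictable to the boxes, the test would certify nothing.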

Theorem: If Pr[boxes pass] > , then (z_1, …, z_N') is  -close to uniform on N' bits.
  Roger Colbeck, PhD thesis, 2009: obtained N =  (m), linear expansion.
  Pironio, Acín, Massar, et al., Nature 2010: obtained N =  (m^2), quadratic expansion.
  Vazirani, Vidick, STOC 2012: obtained N = exp( (m^(1/3))), exponential expansion.
Assumptions: seed randomness; boxes cannot communicate.

The hierarchy of randomness expansion

  Level                    Assumptions
  Nothing                  No assumptions
  Exponential expansion    1. Initial randomness  2. No signaling

Security against eavesdroppers

Device-independent paradigm: can certify randomness even if RNG devices are adversarial! Next goal: Certify randomness that is secure against eavesdroppers.

Security against eavesdroppers Possible if we assume quantum mechanics! Assume there is an underlying quantum state, and outcome probabilities are described by local measurements on the state.

Security against eavesdroppers Possible if we assume quantum mechanics! [Vazirani, Vidick STOC 2012]: Exponential randomness expansion with quantum security. [Miller, Shi STOC 2014]: Simpler, robust protocol, and with much stronger parameters.

Security against eavesdroppers. Key enabler of quantum security: “monogamy of entanglement”. Basic idea: in the optimal quantum strategy for CHSH, the outputs are independent of the rest of the universe!

Strong security against eavesdroppers: outputs are secure even when inputs are prepared by the adversary! [Coudron, Y. STOC 2014]: Gave a strong randomness expansion protocol. [Chung, Shi, Wu QIP 2014]: Equivalence Lemma shows all secure expansion protocols are automatically strongly secure! Note: not possible with classical randomness extractors!

Strong security against eavesdroppers. Assumptions:
1. Initial seed is uncorrelated with boxes.
2. Boxes and adversary are mutually non-signaling.
3. Boxes and adversary obey quantum mechanics.
Do we really need this?

Strong security against eavesdroppers. Can we only assume non-signaling? Not known yet. It’s plausible that this is impossible: there are limitations on, e.g., privacy amplification in the non-signaling model [Arnon-Friedman, Hänggi, Ta-Shma].

The hierarchy of randomness expansion

  Level                                   Assumptions
  Nothing                                 No assumptions
  Exponential expansion                   1. Initial randomness  2. No signaling
  Strong security against eavesdroppers   1. Initial randomness  2. No signaling  3. Quantum mechanics

Infinite randomness expansion

The infinite randomness expansion question: Is there a protocol P involving a fixed number of boxes, using m ≥ m_0 bits of seed, that can certify N bits of (approximately) uniform randomness, for any N?

P = e.g. the Vazirani-Vidick or Miller-Shi exponential expansion protocol. (Figure: an m-bit seed is fed through a chain P → P → P → …; the output length grows as 2^m, 2^(2^m), 2^(2^(2^m)), ….)

Can we do it non-adaptively? (Figure: P with an m-bit seed in and an N-bit output.) Unlikely. [Coudron-Vidick-Y. 2013]: For a wide class of protocols, there is a limit f(m) = exp(exp(m)) on the amount of certifiable randomness! The limitation applies to all non-adaptive protocols we know of. Idea: if the seed is too small, after too many rounds the input patterns become predictable and the players can recycle answers, producing no additional randomness.

Adaptive protocols, take #1 (P = randomness expansion protocol): feed the m-bit seed into P to get an f(m)-bit output, feed that into P again to get f(f(m)) bits, … ad infinitum. Unclear this works. The boxes in P could memorize their outputs and take advantage of that in the next iteration!

Adaptive protocols, take #2 (P = randomness expansion protocol): use two instances of P. Feed the m-bit seed into the 1st to get an f(m)-bit output; feed that into the 2nd to get f(f(m)) bits; feed that back into the 1st to get f(f(f(m))) bits; and so on. The 2nd instance's output is secure against the 1st because of strong security!

After i iterations, conditioned on not aborting, the output of this protocol is f^(i)(m) bits that is  1 +  2 +  3 + … ≤  close to uniform in statistical distance. Number of boxes: 4. [Coudron-Y, Miller-Shi, Chung-Shi-Wu 2014]: Infinite randomness expansion is possible!

m_0: [Gross, Aaronson 2014]: Using the Miller-Shi expansion protocol, 715,000 bits of uniform seed are sufficient to “jump start” infinite randomness expansion, to get output within distance  = to uniform. [arxiv: ]

Revisiting the non-signaling assumption: adaptivity means we can’t rely on spatial separation to enforce non-signaling. By the triangle inequality, the distance from P1 to P2 is less than P1 to Experimenter to P2. So if the protocol is adaptive, P1 could signal to P2, in principle!

Revisiting the non-signaling assumption: this was also a problem for “non-adaptive” randomness expansion, because the experimenter wanted to use the randomness for, e.g., cryptography. Maybe we should just assume Faraday cages suffice for enforcing non-signaling… I’m not ready to call it quits just yet…

Crazy Idea No. 1: Let’s assume General Relativity! Can we manipulate the geometry of space and time to control the propagation of information, i.e. can we simulate “secure lines of communication”?

Crazy Idea No. 2: Use ideas from relativistic bit commitment? (Figures: commit phase, sustain phase, open phase.)

The hierarchy of randomness expansion

  Level                                   Assumptions
  Nothing                                 No assumptions
  Exponential expansion                   1. Initial randomness  2. No signaling
  Strong security against eavesdroppers   1. Initial randomness  2. No signaling  3. Quantum mechanics
  Infinite randomness expansion (∞)       1. Initial randomness  2. (Enforced) No signaling  3. Quantum mechanics

The hierarchy of randomness expansion

  Level                                   Assumptions
  Nothing                                 No assumptions
  Exponential expansion                   1. Initial randomness  2. No signaling
  Strong security against eavesdroppers   1. Initial randomness  2. No signaling  3. Quantum mechanics
  Infinite randomness expansion (∞)       1. Initial randomness  2. General relativity?  3. Quantum mechanics

Open questions
1. Can we prove non-signaling security of randomness expansion protocols?
2. Can we replace “enforced no-signaling” with assuming General Relativity, or use some scheme like sustained relativistic bit commitment?
3. Minimum requirements on initial seed randomness?
Thanks!