Quantum Key Distribution BIU Winter School on Quantum Cryptography | February 15, 2021
Rotem Arnon-Friedman | Weizmann Institute of Science
Quantum Cryptography
Quantum cryptography Post-quantum cryptography
Quantum Key Distribution (QKD)
Quantum cryptography
‣ Quantum protocol
‣ Quantum adversary (information theoretic)
‣ Composable quantum security definition
‣ Security proofs based on the laws of quantum physics
We have a lot to learn…. :)
Outline
▸ Lecture 1:
▸ Introduction
▸ BB84 and Ekert91 protocols
▸ Lecture 2:
▸ QKD security definition
▸ Quantum-proof randomness extractors
▸ Lecture 3:
▸ Security proof (the main parts)
▸ Device-independent quantum key distribution
Introduction
1. The task 2. It’s alive
The Task
▸ Two honest parties: Alice and Bob
▸ Goal: Create a secret key
▸ Resources:
▸ Local quantum devices
▸ Public quantum communication channel
▸ Public authenticated classical communication channel
(Not a quantum computer)
▸ One dishonest party: Eve
▸ Eve’s goal: gain as much information as possible about the key
▸ Information theoretic security
▸ High key rate
▸ Expansion rather than distribution
▸ “Everlasting security”
[Figure: Alice and Bob each hold the key 01100101… and share an authenticated classical channel; Eve is the adversary]
▸ Structure of a general QKD protocol:
1. Generation of the classical raw data using the quantum devices
2. Classical processing of the data (post-quantum cryptography)
It’s Alive
▸ Types of protocols:
▸ Prepare and measure protocols
▸ Entanglement based protocols
▸ Discrete-variable protocols
▸ Continuous-variable protocols
▸ Device-independent protocols
▸ Semi-device-independent
▸ One-way classical processing
▸ Two-way classical processing
▸ …
▸ Some examples:
▸ BB84 protocol
▸ Six-state protocol
▸ Ekert 91 protocol
▸ COW protocol
▸ Satellite-based protocols
▸ Ping-pong protocol
▸ Twin-field protocol
▸ …
▸ Quantum hacking
Getting Started
1. BB84 protocol 2. Intuition 3. Ekert 91 protocol 4. Intuition
Security reduction
BB84: Prepare and Measure
1. Alice prepares one of the 4 states at random and sends to Bob.
Prepare Measure
Alice Bob
(Honest and noiseless case)
Same as choosing a basis / and an eigenstate in that basis
: standard basis: diagonal basis
2. Bob chooses at random whether to measure the received qubit at the or basis.
▸ He measures and records the outcome.
Reminder:(w.p. 1/2)
3. Alice and Bob publicly announce their chosen bases.
4. The “ -outputs” construct the key.
Notice: The measurement basis does not reveal any information about the key bit!
Questions?
Let’s add the adversary (and/or noise) into the picture!
▸ Eve’s goal: gain as much information as possible about the key
▸ … without being detected
▸ The protocol should abort when detecting too much interference/noise
BB84: Intuition
[Figure: Alice prepares and Bob measures; Eve sits on the public (insecure) quantum channel]
▸ There are many ways for Eve to interact with the state on the channel but…
▸ Keep a copy for herself?
▸ No-cloning
▸ Measurement disturbance
▸ The protocol needs to include a test for errors and abort if too many are observed (and otherwise correct them)
[Figure: Eve measures the qubit on the channel; the measurement introduces errors]
▸ The protocol needs to include a privacy amplification step
▸ Eve can do a lot more, e.g., entangle the qubit to her qubits…
▸ Think many rounds :o
▸ We’ll need to deal with all of this
Questions?
BB84: Prepare and Measure
1. Alice prepares one of the 4 states at random and sends to Bob.
2. Bob chooses at random a basis to measure and records the outcome.
3. Sifting: Alice and Bob publicly announce their chosen bases and keep only the rounds in which they chose the same basis.
4. Testing for errors: Alice and Bob check on how many of the rounds in which they both chose the -basis their outcomes are not identical. If the error rate is too high they abort.
5. Classical post-processing: Alice and Bob apply error correction and privacy amplification on the remaining bits.
Questions?
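The five steps above, simulated classically as an added example (not part of the lecture). The intercept-resend Eve, the choice of the diagonal basis for the test rounds, the 11% abort threshold and all names are assumptions of this sketch; error correction and privacy amplification are left out.

```python
import random
from dataclasses import dataclass

STANDARD, DIAGONAL = 0, 1  # assumed labels for the two BB84 bases


@dataclass
class Bb84Result:
    sifted_rounds: int   # rounds kept after sifting
    test_rounds: int     # sifted rounds used for the error test
    error_rate: float    # observed disagreement in the test rounds
    aborted: bool        # True if the error rate exceeded the threshold
    alice_key: list      # raw key bits (empty if aborted)
    bob_key: list


def measure(bit, state_basis, meas_basis, rng):
    """Ideal measurement of a BB84 state.

    Measuring in the preparation basis returns the encoded bit; measuring in
    the other basis returns a uniformly random outcome.
    """
    return bit if state_basis == meas_basis else rng.randrange(2)


def run_bb84(n_rounds, eve_intercepts, threshold=0.11, seed=1):
    """Run steps 1-4 of the protocol and return the raw keys or an abort."""
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    sifted = tests = errors = 0
    for _ in range(n_rounds):
        # Step 1: Alice picks a bit and a basis, i.e. one of the 4 states.
        a_bit, a_basis = rng.randrange(2), rng.randrange(2)
        bit, basis = a_bit, a_basis  # state travelling on the channel
        if eve_intercepts:
            # Assumed attack model: Eve measures in a random basis and
            # resends her outcome, so the state is now in *her* basis.
            e_basis = rng.randrange(2)
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis
        # Step 2: Bob measures in a random basis.
        b_basis = rng.randrange(2)
        b_bit = measure(bit, basis, b_basis, rng)
        # Step 3: sifting, keep only rounds with matching bases.
        if a_basis != b_basis:
            continue
        sifted += 1
        # Step 4: one basis is sacrificed for testing (assumption: diagonal).
        if a_basis == DIAGONAL:
            tests += 1
            errors += int(a_bit != b_bit)
        else:
            alice_key.append(a_bit)
            bob_key.append(b_bit)
    error_rate = errors / tests if tests else 1.0
    aborted = error_rate > threshold
    if aborted:
        alice_key, bob_key = [], []
    return Bb84Result(sifted, tests, error_rate, aborted, alice_key, bob_key)


if __name__ == "__main__":
    for eve in (False, True):
        r = run_bb84(4000, eve_intercepts=eve)
        print(f"eve={eve} sifted={r.sifted_rounds} tests={r.test_rounds} "
              f"error_rate={r.error_rate:.3f} aborted={r.aborted} "
              f"key_bits={len(r.alice_key)}")
```

In the honest noiseless run the test rounds show no errors and both raw keys agree; with the intercept-resend Eve about a quarter of the test rounds disagree, so the protocol aborts.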
Entanglement-Based Protocols
▸ The BB84 protocol is a “prepare and measure protocol”
▸ Entanglement based protocols:
▸ Instead of sending qubits over a channel, Alice and Bob use entangled states
▸ Gives us a different point of view
[Figure: prepare-and-measure (Alice prepares, Bob measures) next to entanglement-based (both measure)]
▸ Maximally entangled state (EPR state) shared between Alice and Bob
▸ When measuring in the same basis, Alice and Bob get the same outcomes
Same statistics as in the BB84 protocol!
Can’t be done without entanglement
Ekert 91 Protocol
▸ Ekert 91 protocol: same as BB84 but using distribution of entanglement
1. Alice and Bob get their share of the entangled state
2. They each choose a basis to measure at random
3. Sifting
4. Testing for errors
5. Classical post-processing
Ekert 91: Intuition
▸ Honest noiseless case:
▸ Distribution of the maximally entangled state
▸ Each outcome is achieved w.p. 0.5
▸ Pure state
▸ Any purification takes the form
▸ Completely independent of the rest of the world (including Eve)
▸ Let’s bring Eve into the picture
▸ Alice, Bob and Eve share a tripartite state
▸ Alice and Bob’s state (density matrix; partial trace)
▸ Eve is holding the purification = most powerful adversary
Compare to:
Questions?
▸ Ideally
▸ Quantum “features” of entanglement:
▸ Monogamy of entanglement
▸ Uncertainty relations (third lecture)
Security Reduction
[Figure: BB84 (prepare and measure, with Eve) and Ekert 91 (both parties measure, with Eve), related by a security reduction]
Adversary is stronger; mathematically cleaner
Questions?
In the Following Lectures
▸ QKD security definition
▸ What does it mean to prove security?
▸ Quantum abstract cryptography framework
▸ Security proof
▸ Quantum-proof extractors
▸ Where the laws of quantum physics help us
▸ A different model for QKD— device-independent QKD (stronger adversary)
Security Definition (Informal)
▸ What does it mean to prove security?
▸ If “things go sufficiently well”, we would like to produce a key:
▸ Identical keys for Alice and Bob (Correctness)
▸ Unknown to Eve (Secrecy)
▸ If “things don’t go well” (too much noise / too active adversary), we would like to detect it and abort
▸ The protocol can be implemented (Completeness, noise-tolerance)
Correctness and Secrecy together: Soundness
How do we make this formal?
Quantum composable security
[Figure: P1 secure, P2 secure, P1+P2 secure; these can be entangled]
Security Definition
1. Composable security 2. Equivalence to trace distance definition
Composable Security
▸ Abstract cryptography framework
▸ Complete mathematical framework
▸ Important “steps”:
1. Model the ideal system
2. Identify the resources and model the real system
3. Quantum distinguisher— try to distinguish the real from ideal
▸ Gives a precise description of what we achieve
▸ (In the past a weaker security definition was used without anyone noticing!)
Ideal System
[Figure: ideal key distribution resource; labels: Alice, Bob, Eve, Key]
Real System
‣ Resources (our building blocks):
‣ Authenticated classical channel
‣ Insecure quantum channel
[Figure: Alice, Bob and Eve, connected by the classical authenticated channel and the insecure quantum channel]
Distinguisher
▸ The real system is secure if it’s indistinguishable from the ideal system
▸ Distinguishing advantage
[Figure: the distinguisher interacting with the real system and with the ideal system]
1. Quantum distinguisher (“quantum combs”)
2. No “division” to parties (crucial for composability)
3. Everything is finite (no “poly”, “neg”…)
▸ Security:
▸ (Sort of…)
[Figure: the distinguisher compares the real system with the ideal system combined with a simulator; label: Key]
‣ The protocol is secure if there exists a simulator such that
‣ It’s clear what we’re proving
‣ As it turns out, it’s equivalent to another statement
Questions?
Security Definition
▸ The definitions that arise from the composable security framework were shown to be equivalent to another widely-used definition
▸ Recall our informal definition:
▸ If “things go sufficiently well”, we would like to produce a key:
▸ Identical keys for Alice and Bob (Correctness)
▸ Unknown to Eve (Secrecy)
▸ If “things don’t go well” we would like to detect it and abort
▸ The protocol can be implemented (Completeness, noise-tolerance)
Correctness and Secrecy together: Soundness
Security Definition
▸ Def. [Correctness]: A protocol is -correct, if
▸ Def. [Secrecy]: A protocol is -secret if
If we almost always abort, the key is trivially secret
Trace distance between two states: the real and ideal
(want this to be small)
Real state of Alice and Eve at the end of the protocol (when not aborting)
Uniform key; Eve’s quantum state
▸ If a protocol is -correct and -secret, then it is -correct-and-secret
▸ Def. [Security]: A protocol is -secure if:
1. (Soundness) The protocol is -correct-and-secret
2. (Completeness) There exists a quantum apparatus that implements the protocol such that the probability of aborting is at most
‣ This security definition of QKD was proven to be equivalent to the composable security definition we’ve seen before
‣ Justifies using this definition
‣ Things can go wrong otherwise…
Security Definition
▸ Def. [Secrecy]: A protocol is -secret if
▸ To make this small we use a privacy amplification step in the protocols
Trace distance between two states: the real and ideal
(want this to be small)
Questions?
Quantum-Proof Randomness Extractors
Privacy Amplification
Post-quantum cryptography Information-theoretic
QKD
▸ Data generation
▸ Measuring the quantum states
▸ Sifting
▸ Test (check for errors) and abort if needed
▸ Classical post-processing
▸ Classical error correction
▸ Privacy amplification
Alice and Bob are exchanging classical information in the presence of a quantum adversary
Privacy Amplification
▸ We have some correlations between Alice’s raw key and Eve’s quantum system
▸ Privacy amplification: get rid of these correlations!
▸ Tool: Quantum-proof randomness extractors
Alice’s raw key: 0 1 0 1 0 0 0 1 0 0 1 1 0 0 1 1 1 0 1 1 0 …
Classical-quantum state:
Want to get: Perfect (ideal) key
Randomness Extractors
Weak source of randomness Min-entropy:
▸ Want to transform a large but weak source of randomness into a shorter uniform distribution
▸ Cryptography; Pseudo-randomness; Combinatorics
▸ Impossible to achieve deterministically
▸ Possible with an additional short random seed
Randomness Extractors
▸ Def. [Randomness extractor]: A function is called a strong -randomness extractor if for
1.
2. any with
we have
(Strong extractor: the seed is made public during the QKD protocol)
Uniform key; Output of the extractor
Eve?
“Classical-Proof” Randomness Extractors
▸ Def. [Randomness extractor]: A function is called a classical-proof strong -randomness extractor if for
1.
2. any with
we have
Eve?
Classical side information (E) is kind of trivial when considering extractors…
Quantum-Proof Randomness Extractors
▸ Def. [Randomness extractor]: A function is called a quantum-proof strong -randomness extractor if for
1.
2. any with
we have
Eve?
Guessing prob. with access to a quantum system
Eve’s system is kept quantum! Crucial for composability!
‣ The quantum case doesn’t follow from the classical one… :( / :)
Questions?
Why did I tell you all of that…?
Using an extractor
‣ For the extractor to work we need to have a sufficiently high min-entropy in Alice’s outputs
‣ The main challenge in proving the security of QKD protocols is to lower-bound the min-entropy
‣ This is what we’re going to look at next
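Privacy amplification with a public seed, as an added example (not from the lecture). It uses Toeplitz hashing, a two-universal hash family that is a standard choice of quantum-proof strong extractor; the slides do not name a construction, so the construction, the output-length rule ℓ = ⌊k − 2·log2(1/ε)⌋, the toy min-entropy value and all names are assumptions of this sketch.

```python
import math
import secrets

# Alice's raw key as shown on the privacy amplification slide (21 bits).
RAW_KEY = [0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 1, 0]


def extractable_length(min_entropy_bits, epsilon):
    """Key length that two-universal hashing can extract with error epsilon.

    Leftover-hash-lemma style rule (assumed here): l = k - 2*log2(1/epsilon),
    where k is the lower bound on the min-entropy of the raw key given Eve.
    """
    if not 0 < epsilon < 1:
        raise ValueError("epsilon must be in (0, 1)")
    return max(0, math.floor(min_entropy_bits - 2 * math.log2(1 / epsilon)))


def toeplitz_extract(raw_bits, seed_bits, out_len):
    """Multiply the raw key by an out_len x n Toeplitz matrix over GF(2).

    The matrix is defined by the seed: T[i][j] = seed[i - j + n - 1], so
    every diagonal is constant and n + out_len - 1 seed bits are needed.
    """
    n = len(raw_bits)
    if len(seed_bits) != n + out_len - 1:
        raise ValueError("seed must have n + out_len - 1 bits")
    key = []
    for i in range(out_len):
        acc = 0
        for j in range(n):
            acc ^= seed_bits[i - j + n - 1] & raw_bits[j]
        key.append(acc)
    return key


def privacy_amplify(raw_bits, min_entropy_bits, epsilon, seed_bits=None):
    """Return (seed, key). The seed may be announced publicly (strong extractor).

    Alice calls this without a seed and publishes the seed she drew; Bob calls
    it with that seed on his error-corrected copy of the raw key.
    """
    out_len = min(extractable_length(min_entropy_bits, epsilon), len(raw_bits))
    if out_len == 0:
        return [], []  # not enough min-entropy: no key can be extracted
    if seed_bits is None:
        seed_bits = [secrets.randbits(1)
                     for _ in range(len(raw_bits) + out_len - 1)]
    return seed_bits, toeplitz_extract(raw_bits, seed_bits, out_len)


if __name__ == "__main__":
    # Toy parameters (assumed): 12 bits of min-entropy, epsilon = 2^-3.
    seed, alice_key = privacy_amplify(RAW_KEY, 12, 2 ** -3)
    _, bob_key = privacy_amplify(RAW_KEY, 12, 2 ** -3, seed_bits=seed)
    print("seed bits published:", len(seed))
    print("Alice's key:", alice_key)
    print("Bob's key:  ", bob_key)
```

The output length depends only on the min-entropy bound and ε, which is why the security proof concentrates on lower-bounding the min-entropy.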
Recap
▸ We need to lower-bound of the state in the end of the execution of the protocol:
▸ After that, a quantum-proof extractor does the work
Alice’s raw key: 0 1 0 1 0 0 0 1 0 …
Security Proof (Somewhat informal, just presenting the main statements)
1. Quantum-proof extractors (Computer science)
2. Reduction to IID (Information theory)
3. Uncertainty relation (Quantum physics)
Entropy Accumulation
▸ We need to lower-bound of the state in the end of the execution of the protocol
▸ , for the number of rounds in the protocol
▸ How do we analyze Eve’s actions over rounds?
▸ Adaptive strategies, global operation :(
▸ Entropy doesn’t need to be produced in every round
Reduction to IID
▸ Wishful thinking: Eve uses the same strategy in each round, independently of all other rounds
▸ The initial state is an “independently and identically distributed” (IID) state
▸ Intuitively: we only need to understand what happens in one round
(Quantum) Asymptotic Equipartition Property
▸ A property of entropy of IID states :
Many different entropies… All describe some form of uncertainty, lack of knowledge
▸ Tells us that for IID states we now need to find a single-round quantity
Smooth min-entropy: closely related to the min-entropy; good for the extractors (crucial and better)
von Neumann entropy: quantum version of the Shannon entropy (always larger than the min-entropy)
Reduction to IID
▸ Of course, that was only wishful thinking. But…
▸ A theorem called “the entropy accumulation theorem” tells us that under certain conditions still holds, with defined via some optimization problem
▸ (Roughly, is the state that minimizes over all states that are compatible with the data that Alice and Bob observe throughout the execution of the protocol)
▸ Reduction to IID (not black box)
[Figure: asymptotic equipartition property; entropy accumulation theorem, under certain conditions]
Reduction to IID
▸ Eve uses the same strategy in each round, independently of all other rounds
▸
▸ Our goal is now to lower-bound the amount of von Neumann entropy produced in one round
Questions?
Uncertainty Relation
▸ Tripartite quantum state
▸ Alice is measuring either in the basis or the basis
▸ Incompatible bases— can’t guess both outcomes with certainty
Notation: the outcome of measuring the system in the given basis
![Page 86: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/86.jpg)
Uncertainty Relation
▸ Tripartite quantum state
▸ Alice is measuring either in the basis or the basis
▸ Incompatible bases: can’t guess both outcomes with certainty
Raw key Testing
![Page 87: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/87.jpg)
Uncertainty Relation
▸ Tripartite quantum state
▸ Alice is measuring either in the basis or the basis
▸ Incompatible bases: can’t guess both outcomes with certainty
▸ Given access to Bob’s state one can do better
Negative when Alice and Bob are entangled!
![Page 88: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/88.jpg)
Uncertainty Relation
▸ Tripartite quantum state
▸ Alice is measuring either in the basis or the basis
▸ Using some entropic relations, can be rewritten as
Eve’s uncertainty regarding the raw key bit
What we need in order to lower-bound the total amount of entropy
![Page 89: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/89.jpg)
Uncertainty Relation
▸ Tripartite quantum state
▸ Alice is measuring either in the basis or the basis
▸ Using some entropic relations, can be rewritten as
“Error rate”
Can be estimated from the observed data during the execution of the protocol
![Page 90: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/90.jpg)
Uncertainty Relation
▸ Tripartite quantum state
▸ Alice is measuring either in the basis or the basis
▸ Using some entropic relations, can be rewritten as
▸ Example: perfect correlations (no errors) imply 1 bit of entropy per round
▸ Take-home message: quantum physics allows us to bound Eve’s knowledge using Alice and Bob’s observed data (replaces computational assumptions)
Questions?
![Page 91: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/91.jpg)
Security Proof
1. Uncertainty relation
2. Entropy accumulation (Reduction to IID)
3. Quantum-proof extractors
4. Secrecy
5. Security (Secrecy + correctness + completeness)
Questions?
![Page 92: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/92.jpg)
Device-Independent QKD
1. Motivation
2. Non-local games
3. Security
![Page 93: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/93.jpg)
Motivation
▸ Ekert 91
▸ Uncertainty relation
▸ What if the measurements are not exact…?
▸ What if we don’t know the dimension…? (Side channels)
▸ What if…
Measure Measure
Eve
![Page 94: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/94.jpg)
Motivation
▸ Ekert 91
▸ Device-independent
▸ Paranoid cryptographers; Realistic physicists; Fundamental physics
Measure Measure
Eve
Eve
![Page 95: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/95.jpg)
How Can That Be?
▸ How can we create keys this way?
▸ There’s one thing we do know (can enforce): the partition into Alice and Bob
▸ Similar to a multi-prover setting
Eve
![Page 96: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/96.jpg)
Non-Local Games
(Multi-prover proof system)
Alice Bob CHSH Game:
![Page 97: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/97.jpg)
Non-Local Games
▸ Best classical strategy: 75% winning probability
▸ Best quantum strategy: ~85% winning probability
Shared randomness
Alice Bob CHSH Game:
![Page 98: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/98.jpg)
Non-Local Games
▸ Best classical strategy: 75% winning probability
▸ Best quantum strategy: ~85% winning probability
Alice Bob CHSH Game:
Quantum advantage
Cannot be simulated classically!
![Page 99: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/99.jpg)
Non-Local Games
▸ Best classical strategy: 75% winning probability
▸ Best quantum strategy: ~85% winning probability
Alice Bob
Quantum advantage
▸ Standard proof system: check if
![Page 100: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/100.jpg)
Non-Local Games
▸ Best classical strategy: 75% winning probability
▸ Best quantum strategy: ~85% winning probability
Alice Bob
Quantum advantage
▸ Standard proof system: check if
▸ Non-local game: check if the device is quantum
▸ In fact, a certification of the production of entropy
![Page 101: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/101.jpg)
Correlation Space
▸ The devices are described by a correlation
▸ No assumption regarding the measurements/state/dimension
▸ Correlation space:
Non-local game (Bell inequality)
The membership problem for the quantum set is undecidable!
![Page 102: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/102.jpg)
Correlation Space
▸ The devices are described by a correlation
▸ No assumption regarding the measurements/state/dimension
▸ Correlation space:
Classical deterministic strategy (75%)
Non-local game (Bell inequality)
![Page 103: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/103.jpg)
Correlation Space
▸ The devices are described by a correlation
▸ No assumption regarding the measurements/state/dimension
▸ Correlation space:
Optimal quantum strategy (~85%)
Non-local game (Bell inequality)
![Page 104: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/104.jpg)
Certification of Entropy
[Plot: H(A|XYE) versus the winning probability in the CHSH game]
▸ Take-home message: quantum physics allows us to bound Eve’s knowledge using Alice and Bob’s observed data
Questions?
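The 75% and ~85% figures from the non-local games slides, and the shape of the curve on this slide, can be reproduced numerically. The following is an added example, not part of the lecture. It assumes the standard CHSH winning condition (a XOR b = x AND y, which is not legible in this transcript), a maximally entangled pair measured at the usual optimal angles, and the single-round bound H(A|XYE) ≥ 1 − h(1/2 + 1/2·√(16ω(ω−1)+3)) known from the device-independent QKD literature.

```python
import itertools
import math

# Assumed (standard) CHSH rule: win iff a XOR b == x AND y; inputs x, y uniform.
def classical_value():
    """Best winning probability over all deterministic strategies a=f(x), b=g(y)."""
    best = 0.0
    for f0, f1, g0, g1 in itertools.product((0, 1), repeat=4):
        f, g = (f0, f1), (g0, g1)
        wins = sum((f[x] ^ g[y]) == (x & y) for x in (0, 1) for y in (0, 1))
        best = max(best, wins / 4)  # shared randomness only mixes these strategies
    return best

def basis(theta):
    """Real qubit measurement basis rotated by theta: (outcome-0 vector, outcome-1 vector)."""
    c, s = math.cos(theta / 2), math.sin(theta / 2)
    return ((c, s), (-s, c))

def quantum_value(alice_angles, bob_angles):
    """Winning probability when both sides measure halves of (|00> + |11>)/sqrt(2)."""
    total = 0.0
    for x, y in itertools.product((0, 1), repeat=2):
        A, B = basis(alice_angles[x]), basis(bob_angles[y])
        for a, b in itertools.product((0, 1), repeat=2):
            # Born rule: amplitude <A_a|<B_b|Phi+> = (A_a . B_b) / sqrt(2)
            amp = (A[a][0] * B[b][0] + A[a][1] * B[b][1]) / math.sqrt(2)
            if (a ^ b) == (x & y):
                total += amp ** 2 / 4
    return total

def binary_entropy(p):
    return 0.0 if p <= 0 or p >= 1 else -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def entropy_bound(omega):
    """Assumed literature bound on H(A|XYE) as a function of the CHSH winning probability."""
    if omega <= 0.75:
        return 0.0  # at or below the classical value nothing is certified
    root = math.sqrt(min(1.0, 16 * omega * (omega - 1) + 3))
    return 1 - binary_entropy(0.5 + 0.5 * root)

OPTIMAL_ALICE = (0.0, math.pi / 2)          # measurement angle for x = 0, 1
OPTIMAL_BOB = (math.pi / 4, -math.pi / 4)   # measurement angle for y = 0, 1

if __name__ == "__main__":
    w = quantum_value(OPTIMAL_ALICE, OPTIMAL_BOB)
    print(f"classical {classical_value():.4f}, quantum {w:.4f}")
    for omega in (0.75, 0.78, 0.80, 0.82, w):
        print(f"omega={omega:.4f}  H(A|XYE) >= {entropy_bound(omega):.4f}")
```

The bound is zero at the classical value and reaches one full bit only at the optimal quantum winning probability, so even a small drop in the observed winning probability sharply reduces the certified entropy per round.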
![Page 105: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/105.jpg)
DI Security Proof
1. Winning a non-local game
2. Entropy accumulation (Reduction to IID)
3. Quantum-proof extractors
4. Secrecy
5. Security* (Secrecy + correctness + completeness)
![Page 106: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/106.jpg)
“Disclaimers”
▸ This sequence of steps doesn’t always work
▸ There are QKD protocols whose security we don’t know how to prove
▸ Among them protocols that are of high relevance in practice
▸ Looking for new protocols
▸ Two-way classical post-processing (“advantage distillation”)
▸ Many “intermediate” models that we need to learn to analyze
![Page 107: Quantum Key Distribution - BIU](https://reader030.vdocuments.site/reader030/viewer/2022012723/61b50be9e3657d23474c6ce1/html5/thumbnails/107.jpg)
QKD Take-Home Messages
▸ In QKD everything goes quantum
▸ Composable security definitions (delicate!)
▸ Entropies (delicate!)
▸ Quantum-proof extractors (delicate!)
▸ The laws of quantum physics allow us to bound Eve’s knowledge from the data that Alice and Bob observe during the execution of the protocol
▸ Quantitative bounds matter!
Thank you!