Composing Quantum Protocols Dominic Mayers Université de Sherbrooke Joint Work with Michael Ben-Or

Composing Quantum Protocols

Dominic Mayers

Université de Sherbrooke

Joint Work with Michael Ben-Or

Overview

• Basic Quantum Mechanics

• Models for quantum protocols and attacks.

• Canetti`s security definition and composability theorem in the quantum world

• Composability of Quantum Key Distribution (joint work with Michael Ben-Or, Michal Horodecki, Debbie Leung and Jonathan Oppenheim)

• Generalization of Ideal protocols (pro and con) X

• Briefly mention application to relativistic bit commitment X

Basic Quantum Mechanics

Classically, we believe that, in principle, if we are very careful, we can always extract a property of a system without disturbing the system. If we have two properties (e.g. momemtum and position), we can make a measurement to extract the first property and another measurement to extract the second property.

Quantum Mechanics uses the non abelian properties of operators on Hilbert space to model the fact that two measurements are not always compatible. The execution of one measurement (say momemtum) fundamentally interfers with the other (say position).

State Space = Hilbert SpaceFor our purpose, it will be sufficient to consider that an elementary system is a photon, in fact, the polarisation of this photon. Its state space is represented by a two dimensional Hilbert Space.

|0 represents

|1 represents

|+ = |0 + |1 represents

|- = |0 - |1 represents

Computationalbasis

Complementarybasis

21/2

For our purpose, it will be sufficient to consider that an elementary system is a photon, in fact, the polarisation of this photon. Its state space is represented by a two dimensional Hilbert Space.

21/2

21/2

General state and transformation

Global phase (multiplication by a complex number) does not change the physical state.

The valid transformations are unitary transformations on the Hilbert space.

This extends to tensor products of Hilbert Space. For example, |00 |01 |10 |11 is a basis for two photons.

The general state is |0 + |1 where and are complex numbers with ||2 + ||2 = 1.

Classical Vs Quantum

Many quantum observable have a classical counterpart. The polarisation of a photon is an example. Its classical counterpart is the polarisation of a classical laser beam.

The polarisation of a classical laser beam can be observed without disturbing it. This is not true for the (quantum) polarisation of a photon.

Orthogonal Measurement = Basis

We can measure in the computational basis using a beam splitter that is vertically oriented.

BeamSplitter

Occurs with probability ||2

Occurs with probability ||2

|0 + |1

|1

|0

This generalises to any basis in any tensor product space.

Models for Quantum Protocols

123121 UUUUUUUU iinnn

A protocol is specified by an initial state for each party and a sequence of quantum circuits:

where each circuit is controled by a single party. Communication occurs through registers that are transferred from one party to another.

This is not enough. We also need to specify what is a sub-protocol and how communication occurs between a protocol and its sub-protocols.

Subprotocols (I)

A protocol contains layers. The top layer is the protocol which call subprotocols in the layer below, and so on, recursively. Every circuit Ui belongs to one party and one protocol. It belongs to a protocol if it uses only registers in the top layer of the protocol and I/O registers in between this layer and an adjacent layer (parent or child).

Coin Flipping(Alice, Bob)Ha

Commit

b

Open

I/O

I/O

H

b`

Sub-protocol

a`

I/O

I/O

a b`

a` b

For simplicity, we omitted that Commit should informs Bob of a success, Alice should be informed of a succesful reception of b`, etc.

Internalregisters

Internalregisters

CoinFlipping(A,B)

BB AABB

BB

BBAA

AA AA

= Not usedin this case

Alice and Bobouput bits

Commit Open

InternalRegisters

BBAA

InternalRegisters

Alice picks a randombit and sends it toCommit

Registers and Communication

A protocol also contains internal registers and I/O registers:

• Every I/O register (two colours) belongs to a single party and is for communication in between a protocol and only one of its sub-protocol. Only the circuits Ui that are controlled by this party in the protocol or the subprotocol can access this I/O register.

• Every internal register (one colour) belongs to the top layer of a single (sub)protocol. Control over this register passes from one party to another: at the end of every circuit, the party (who just executed this circuit) can « transmit » some of his internal registers to other parties.

The honest environment of a protocol

Protocol B

The environment Z

The environment Z of a protocol B is the complementary set of circuits. The entire protocol is denoted Z(B).

BBAA

AA AA BBBB

BB

I/O

An honest environment

Internal

BB AABB

BB

BB

AA

AA

AA AABB

BBAABB

BBAABB

BB

AA

BBCC

CC CC BBBB

BB

I/O

A tree structure corresponds to the fact that we cannot use common subprotocol.

AA

AA

Coin Flipping

AA AA

The (dishonest) environment(Later we will consider restricted classes)

The environment has access to internal communication in the protocol and can corrupt parties.

AA is corrupted in this example

BB AABB

BB

BB

AA

AA

AA AABB

BBAABB

BBAABB

BB

AA

AA

AA

AA AA= the protocol+

The environment to Coin FlippingZZ

BB BB

BB

BB

The circuits in the attack can be anything. They can access the I/O registers of the honest parties in the protocol (as even an honest environment is allowed to do) and all the internal registers of the protocol and subprotocols when they are transmitted.

BB

Quantum Universal Security Definition (I)

Z

Z(B)

Z

Z(,S)

Basic Idea

B s.r if, for all environment Z, there exists a simulator S such that Z(B) Z(,S)

Real Protocol

BA protocol that defines the ideal (quantum) task

S

Ideal Protocol

Simulator

How does it work?

B s.r. G() s.r.   G(B) s.r.

G

B

Z Z

S(G(B))

We want to prove

s.r. = securely realises

The top layer G of G(B) is in the environment of B.

G

B

=

B

ZGZ

Diagram 1 Diagram 2

So, we can use the security of B,

B

ZG ZG

S(B)

Diagram 2 Diagram 3

and take back G from the environment

ZG

S(B)

=

Z S(B)

G

Diagram 3 Diagram 4

and, finally, use the security of G().

Z S(B)

G

Z S(B)

S(G())

Diagram 4 Diagram 5

So, we have a simulator for G(B)

Z S(B)=

S(G())

Z

S(B)

S(G())

= S(G(B))

We also want to prove

B s.r. B(m) s.r. (m)

Z Z

S(B(m) )

s.r. = securely realises

1… m

B(m) = m copies of B

B1 … Bm

A key point in the proof

Z

At some point in the proof, the environment that is considered contains ideal protocols i with the simulator Si for Bi and some real protocol Bi.

B1 … j+1… m

Bj-1

Bj

Sj+1 Sj+1

So Z + the Bj + the simulators Sj must be a valid environment.

Quantum Universal Security Definition (II)

For any two random binary variables Y, Y` let us write

Y e Y` if | Pr( Y = 0 ) - Pr( Y` = 0 )| e. .

Let PP be the set of all polynomial functions.

Definition. A protocol B for an ideal functionality is secure, if for any environment Z there exists a simulator S such that (d P) P) ( n0 ) ( n > n0)

Z(B) e Z(, S)

where e = 1/d(n).

Dominic Mayers:

The essential difference with definition 3 is that we moved the (S) at the very end which makes the definition easier to achieve. It was also convenient to attach a polynome in n instead of a single term nc to every machine.

Dominic Mayers:

The essential difference with definition 3 is that we moved the (S) at the very end which makes the definition easier to achieve. It was also convenient to attach a polynome in n instead of a single term nc to every machine.

Quantum Universal Security Definition (III)

The simulator S must have a polynomial complexity c P that depends only on B (i.e. not on Z or n0). Also, n0 can only depend on d and on the respective polynomial complexity c, c` of S and Z (not on their actual circuits). The actual circuit of S, not its complexity, can depend on n and on the circuit of Z.

For every c P, let T(c) be the set of programs of complexity c. Formally, the order for the quantifiers is:

( c PP)(c’ PP)(d P) P) ( n0 )( n > n0)(Z T(c’))( S T(c))

Z(B) e Z(, S)

where e = 1/d(n).

About the Computational Setting

Dominic Mayers:

The essential difference with definition 3 is that we moved the (S) at the very end which makes the definition easier to achieve. It was also convenient to attach a polynome in n instead of a single term nc to every machine.

Dominic Mayers:

The essential difference with definition 3 is that we moved the (S) at the very end which makes the definition easier to achieve. It was also convenient to attach a polynome in n instead of a single term nc to every machine.

Nested protocols (more than 2 layers)

For formal simplicity, we consider each layer as a single protocol.

B1

B2

Bm

Bm-1

Z

Z

1S(B1(..Bm))

Basic step of the proof (I)

=B1

B2

Bm

Bm-1

Z

B1

B2

Bm

Bm-1

Z

Basic step of the proof (II)

B1

B2

m

Bm-1

Z

B1

B2

Bm

Bm-1

Z

Sm

Basic step of the proof (III)

=B1

B2

m

Bm-1

Z

Sm

B1

B2

m

Bm-1

Z

Sm

Basic step of the proof (III)

B1

B2

m

Bm-1

Z

Sm(Bm)

B1

B2

m-1

Z

Sm(Bm)

S(Bm-1(m))Etc…

A composability question

What about the security of an authentication protocol when a real QKD protocol, not an ideal one, is used as a resource (sub-protocol). Does the real QKD protocol provides what is promised?

QKD

k

K

Authenticationk

K

m m

Key Degradation

QKD

kAuthentication

QKD

k

kK

K

Authenticationk

K

K

A negative answer could mean an important degradation of the key after a few repetitions.

KK QKDBen-Or, Michal Horodecki, Leung, Mayers and Oppenheim (in progress)

Dominic Mayers: An interesting example of a composability question. This question was brought to our attention half a decade ago by Bennett and Smolin.

Dominic Mayers: An interesting example of a composability question. This question was brought to our attention half a decade ago by Bennett and Smolin.

Reversed Order (bottom-up)

Ideal QKD Protocol

Ideal QKDJam

k k

Eve

In our ideal QKD protocol, the participants in the environment interact directly with an ideal party which provides the random key.

In other ideal protocols, dummy parties are used.

If Jam = 1, k = fail.

If Jam = 0, k R{0,1}m

Back to Basic Quantum Mechanics

A distribution of probability p(i) over (possibly non orthogonal) states |(i) can be represented without loss of physical information by the operator

i

iiip )()()(

The probability of the outcome j in basis { |j | j = 1,…,m} is given by

i

i

ijip

jiijipjj

))(|Pr()(

)()()(

Real versus Ideal QKD

Real QKD

k

kkkkp )(1

Ideal Private QKD

k

m kk 2ˆ0

k

km 2 where

)ˆ,ˆ( 10SD

The real protocol -securely realises the ideal private QKD if

)}2/1,ˆ(),2/1,ˆ{( E whereI)ˆ,ˆ( 1010 accSD

fail1,0 mk

How comes there is a single key k for Alice and Bob on the real side?

The known security results for QKD give us that Alice`s key and Bob’s key are almost always identical.

For simplicity, we will assume that we are only interested about the privacy of Alice`s key.

Uniformity Vs Privacy

The security of QKD is not only a small mutual information. We must also require a priori uniformity, i.e., in the ideal case, for all k, p(k | Jam = 0) = 2-m.

Security of QKD in terms of Simulators and Environments

Real fail1,0 mk

k

Ideal QKD

Idealfail1Jam k

?

Alice Bob

QKD

k k

Authentication

Jam

Simu-lator

Using PrivacyWe can show that

mkacc

mSD 2Jam)|(2)ˆ,ˆ( 10 I

where Iacc(k | Jam) = max I(k;Y| Jam) and m is the length of the key. (We omit the proof here).

The large factor 2m looks bad, but actually it is not so bad because the bound on Iacc respects

where n can be taken arbitrarily large, independently of m.

n 2

What about the known QKD protocols

• Mayers and Shor-Preskill security proofs can be adapted for composability without the large factor 2m.

• We do not know if B92 is composable without this large factor (since there is no security proof).

Generalisation of Ideal ProtocolsThe essential of the composability proof did not use any particular definition of an ideal protocol. This suggests that we can obtain variation on the concept of composability by looking for variations on the notion of ideal protocols. The currently used concept is:

S

Ideal Protocol

Simulator

Format of the protocol

Alice`s Dummy Program

Bob`s Dummy Program

Alice Bob

Ideal Functionality(also called a trusted party)

Input Output Input Output

Ideal Internal Channels

They justforwardthe inputand the output

A possible variation (I)

First, note that simulator depends on the environment. So, in the view point that we have adopted, we already accepted the principle that the ideal protocol can depend on the environment.

An ideal protocol is any protocol, including protocols that use unrestricted circuits. However, the final state after every circuit in the ideal protocol should be with high fidelity close to a state that would be obtained with a valid circuit.

A possible variation (II)

Of course, we must also specify which properties are satisfied by this « ideal protocol ». For example, there might be measurements that compute the inputs of the corrupted parties in a way that is perfectly consistent with the desired task and the input/output of the honest parties, and commutes with the measurement of these honest input/output.

Composable relativistic bit commitment

We have obtained a “composable” relativistic bit commitmen in the the following sense:

If Alice is corrupted, there exists a measurement that computes the bit that will be open later in the opening phase. This measurement needs only to access the registers that are used by Alice in the commit phase. In particular, this measurement cannot access the register that are kept private by Bob until after the commit phase.

The protocol is perfectly concealing against Bob.

Conclusion

The quantum composability theorem is useful to provide an adequate angle to prove the security of quantum protocols with subprotocols. The key degradation problem is an example.

Many quantum protocols will not respect the “standard” univeral security definition (the one based on simulator and trusted party). Yet, variations on this standard definition can still provide a useful angle.