Upload
clemence-foster
View
214
Download
0
Tags:
Embed Size (px)
Citation preview
A Few Simple Applications to Cryptography
Louis SalvailBRICS, Aarhus University
102344578911
QKD: An “Application” of Non-Cloning
• First, a digression:
Wiesner’s unforgeable quantum cash
0 0 1 1 1 1 0 0 1 1 0 1 0 1
102344578907 +x++xx+xx++x++ 10100010010110102344578908 x++x+x++x+x+xx 10010110001110102344578909 ++xx+xx+x+++x+ 11010111001010102344578910 x+xxx++x+x+++x 01101010011000102344578911 +x++xx+x+x+xx+ 00111100110101102344578912 x+xx++x+x++x++ 10101101110100102344578913 xx+x++x+x+++x+ 01010010011101102344578914 +x+x+++xx+x++x 01010111101000102344578915 x+++xx+x+x+++x 10110101010111
2nd attack:
1st attack:pick random bases, measure and store the outcome.
0 0 1 0 1 1 0 0 1 1 0 0 0 1 0 0 1 0 1 0 0 0 1 1 0 1 0 1
BB84
01101010
01111011
Quantum Channel
quantum
classical
OK
1,3,5,6,7-----((1,0),(7,1))
OK,f
Verify that not 2-many
errors occured.
If OK then choose f
randomly from U2 class.
K=f(110)K=f(110)
Return good positionsand a random sample.
error-correction
0*1*101*
0*1*101*
110
110
HardwareThis is how a QKD set-up looked like a few years ago.
photodetector:
photon sourceAnd now:
Purified BB84This EPR pair is a singlet:
11011100
11010100
Encrypting Qubits• Suppose we want to encrypt a qubit
under a classical secret-key K, such that:
• The cipher state alone does not reveal any information on the state of the qubit.
Using K, the qubit can be perfectly reconstructed from the cipher state.
Encryption/Decryption
• We suppose that encryption is performed by a family of unitary transforms {UK}K indexed by secret-key K.
• The simplest form is that upon qubit |φ>, the cipher state is generated as:
• |eK(φ)> = UK |φ>.
Decryption is performed by running UK backward (its complex conjugate transposed).
Privacy• Privacy means that given only the cipher
state |eK(φ)>, no information can be extracted about the state |φ>.
• This can be captured by enforcing that the quantum state produced by an encryption under a uniform and random choice for K is independent of |φ> .
This would mean that an eavesdropper ignorant of K always sees the same state. No measurement can therefore distinguish the encryptions of any 2 states.
The State Available to the
EavesdropperAs we have seen, the state available to the adversary when |φ> is encrypted is the mixed state corresponding to the encryption of |φ> over all keys:
An encryption scheme is therefore said to be private if:
Back to Teleportation
(x,z)
with prob. 1/4:(0,0)
with prob. 1/4:(0,1)
with prob. 1/4:(1,0)
with prob. 1/4:(1,1)
Encryption/DecryptionSuppose Alice and Bob share K ∈ {0,1}×{0,1}:
If K=(0,0)
If K=(0,1)
If K=(1,0)
If K=(1,1)
Since XX=ZZ=-YY=I, Bob decrypts by applying the same transform indicated by K:
In General• It can be shown that 2 classical bits are
necessary in order to encrypt with perfect privacy (and with perfect decryption) an arbitrary qubit.
• If the possible states of the qubit are restricted to some special sets then 1 classical could be sufficient.
For the encryption of qubits with only statistical privacy and almost perfect descryption, a single classical bit per qubit is asymptotically sufficient.
First Special CaseSuppose the possible states of the qubit are { |0>, |1> }. The situation is now classical and the one-time-pad (one bit per qubit) provides perfect privacy.
Notice that the encryption of these 2 states using X with probability 1/2 is exactly the same as the one-time-pad.
Second Special Case
Suppose the qubit to encrypt is of the form |φ> = a|0> + b|1> where a, b are real numbers.
Now, observe that:
So, only complex amplitude states require 2 bits of key.
Committing a Qubit
• Teleportation also allows to see how one can commit on a qubit given only a classical commitment scheme.
Suppose the scheme allows for committing on a pair of classical bits.
Encrypt |φ> using a
random key K.
classical commitment of K
Encrypting Classical Messages in Quantum
States• Consider the symmetric encryption of
classical messages in quantum states.
• We’ll get a simple encryption scheme that resists “better” to known plaintext attacks than any classical scheme.
It is based upon what is called an uncertainty relations.
Hadamard TransformRemember that:
Let’s define the following 2 Von Neumann measurements on n qubits (computational & diagonal basis):
Associated to |φ>, we can define the 2 probability distributions for the outcomes of M+ and Mx when applied to |φ>:
Uncertainty Relation
• The following uncertainty relation has been shown by Maassen and Uffink.
• We shall denote by H(pφ) and H(qφ) the Shannon entropy for distributions pφ(x) and qφ(x) respectively.
Theorem: For any n-qubit state |φ>, it is the case that
H(pφ) + H(qφ) ≥ n.
An equivalent uncertainty relation
• Suppose that a source S sends a quantum state chosen as follows:
• Pick x in {0,1}n at random,
• With prob. 1/2 send |x>,
• With prob. 1/2 send H⊗n|x>.Theorem: Let X be the random variable describing the choice made by S above. Let Y be the random variable for the outcome of an arbitrary measurement applied to the state sent by S. Then, for any outcome y:
H(X|Y=y) ≥ n/2.
Encryption Scheme• The key K=(p,h) where p ∈ {0,1}n and h
∈ {0,1}.
• The encryption of message m is done the following way:
• c := m ⊕ p
• If h=0 then send |c>
• Else send H⊗n|c>.Notice that the scheme is private since the message m is one-time-padded.
This is a (n,n+1)-encryption scheme: it encrypts n-bit messages using n+1 bit of keys.
This is called the Hn-cipher
Known Plaintext AttacksIn a known plaintext attack, the adversary gets the ciphertext(cipherstate), the plaintext and wants to extract as much information as possible on the secret-key.
Theorem: Any classical (n,n+1)-cipher is such that H(K| c,m) ≤1.Theorem: The (n,n+1)-quantum cipher Hn is such that
H((p,h) | (H⊗n)h | |m⊕p>,m)≥ n/2.Proof sketch: Given m and the situation is equivalent to distinguishing among {|p>,H⊗n|p>}p∈{0,1}
n . We have seen that the entropy on p is
at least n/2. In addition, it can be shown that the extra bit of key h is perfectly hidden. It follows that:
H((p,h) | View) ≥ n/2+1.
Secure Evaluation of an AND gate
AND
x ∈{0,1} y ∈{0,1}
a b
a⊕b = xyTheorem: Even with shared randomness, Alice and Bob cannot implement the AND gate without communication such that with probability better 3/4 Alice and Bob end up with a correct output for all possible inputs.
Quantum Crypto-AND gate
x y
B1(0)
B1(1)
A0(0)
A0(1) A1(0
)A1(1
)
B0(0)
B0(1)
The interpretation: Given x, Alice measures her half EPR-pair in
basis {Ax(0),Ax(1)},Given y, Bob measures his half EPR-pair in basis
{By(0),By(1)}.
Why it WorksLet p(x,y) be the error-probability when Alice inputs x and Bob inputs y:
Conclusion• With shared-EPR pairs, Alice and Bob can
end up with an additive sharing for the AND of their bits without communication and with probability cos2(π/8)≈0.85.
• This is significantly better than what is achievable by any classical strategy using shared randomness.
• Quantum entanglement is therefore more than classical shared randomness!!
This was originally shown by Bell using a different method called the Bell inequalities.