A Tight High-Order Entropic Quantum Uncertainty Relation with Applications. Serge Fehr, Christian Schaffner (CWI Amsterdam, NL); Renato Renner (University of Cambridge, UK); Ivan Damgård, Louis Salvail (University of Århus, DK). Crypto-Workshop Dagstuhl, Thursday, September 20th 2007


2 / 24

1970:

3 / 24

(Randomized) 1-2 Oblivious Transfer

[Diagram: Rand 1-2 OT box with labels $S_0, S_1$; $C \in \{0,1\}$; $S_C$]

complete for 2-party computation

impossible in the plain (quantum) model

possible in the Bounded-Quantum-Storage Model

4 / 24

Outline

Motivation and Notation

Quantum Uncertainty Relation

Contributions

5 / 24

Quantum Mechanics

+ basis: $|0\rangle_+$, $|1\rangle_+$

× basis: $|0\rangle_\times$, $|1\rangle_\times$

Measurements:

with prob. 1 yields 1

with prob. ½ yields 0

with prob. ½ yields 1

6 / 24

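Quantum 1-2 OT Protocol

[Protocol diagram. Labels: $\Theta \in_R \{+,\times\}^n$, $X \in_R \{0,1\}^n$; send $|X\rangle_\Theta$; $C = 0$: $\Theta' = +^n$; get $X'$; $F_0 \in_R \mathcal{F}_0$, $F_1 \in_R \mathcal{F}_1$; $\Theta, F_0, F_1$; $S_0, S_1$; $S_0$, $S_1 = ?$]

Correctness

Receiver-Security against Dishonest Alice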

7 / 24

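Sender-Security?

[Protocol diagram. Labels: $\Theta \in_R \{+,\times\}^n$, $X \in_R \{0,1\}^n$; send $|X\rangle_\Theta$; get $\rho$; $F_0 \in_R \mathcal{F}_0$, $F_1 \in_R \mathcal{F}_1$; $\Theta, F_0, F_1$; $S_0, S_1$]

\# qubits $< n/4$

Sender-Security: one of the strings looks completely random to dishonest Bob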

8 / 24

Quantum Mechanics II

+ basis: $|0\rangle_+$, $|1\rangle_+$

× basis: $|0\rangle_\times$, $|1\rangle_\times$

EPR pairs:

prob. ½ : 0, prob. ½ : 1

prob. ½ : 0, prob. ½ : 1

prob. 1 : 0

9 / 24

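Entanglement-Based Protocol

[Protocol diagram. Labels: epr$^{\otimes n}$; $\Theta \in_R \{+,\times\}^n$, $X \in_R \{0,1\}^n$; send; get $\rho$; $F_0 \in_R \mathcal{F}_0$, $F_1 \in_R \mathcal{F}_1$; $\Theta, F_0, F_1$; $S_0, S_1$; the bits of $X$ shown as "?"]

\# qubits $< n/4$

Sender-Security: One of the strings looks completely random to dishonest Bob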

10 / 24

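Entanglement-Based Protocol

[Protocol diagram. Labels: $\Theta \in_R \{+,\times\}^n$, $X \in_R \{0,1\}^n$; send $|X\rangle_\Theta$; get $\rho$; $F_0 \in_R \mathcal{F}_0$, $F_1 \in_R \mathcal{F}_1$; $\Theta, F_0, F_1$; $S_0, S_1$]

\# qubits $< n/4$

Sender-Security: One of the strings looks completely random to dishonest Bob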

11 / 24

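Let Bob Act First

[Protocol diagram. Labels: epr$^{\otimes n}$; get $\rho$; $\Theta \in_R \{+,\times\}^n$, $X \in_R \{0,1\}^n$; send; $F_0 \in_R \mathcal{F}_0$, $F_1 \in_R \mathcal{F}_1$; $\Theta, F_0, F_1$; the bits of $X$ shown as "?"]

\# qubits $< n/4$

Sender-Security: One of the strings looks completely random to dishonest Bob

$S_0, S_1 \in \{0,1\}^\ell$

[Renner König 05, Renner 06]

PA: $2\ell \approx H_\infty(X \mid \Theta, \rho)$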

12 / 24

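Sender-Security Uncertainty Relation

[Protocol diagram. Labels: epr$^{\otimes n}$; get $\rho$; $\Theta \in_R \{+,\times\}^n$, $X \in_R \{0,1\}^n$; send; $F_0 \in_R \mathcal{F}_0$, $F_1 \in_R \mathcal{F}_1$; $\Theta, F_0, F_1$; the bits of $X$ shown as "?"]

\# qubits $< n/4$

Sender-Security: One of the strings looks completely random to dishonest Bob

$S_0, S_1 \in \{0,1\}^\ell$

[Renner König 05, Renner 06]

PA: $2\ell \approx H_\infty(X \mid \Theta, \rho) \ge \underbrace{H_\infty(X \mid \Theta)}_{\ge\ ?} - \underbrace{\#\,\text{qubits}}_{< n/4}$

$H_\infty(X \mid \Theta) \ge\ ?$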

13 / 24

Outline

Motivation and Notation

Quantum Uncertainty Relation

Contributions

14 / 24

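Quantum Uncertainty Relation needed

qubit as unit vector in $\mathbb{C}^2$

[Figure: axes $|0\rangle_+$, $|1\rangle_+$, $|0\rangle_\times$, $|1\rangle_\times$; amplitudes $\alpha$, $\beta$]

$\Pr[X = 0] = |\alpha|^2$, $\Pr[X = 1] = 1 - |\alpha|^2$

$\Pr[X = 0] = |\beta|^2$, $\Pr[X = 1] = 1 - |\beta|^2$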

15 / 24

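Uncertainty Relation for One Qubit

Maassen Uffink 88: Let $\rho_i$ be a 1-qubit state, $\Theta_i \in_R \{+,\times\}$, $X_i$ the outcome of measuring $\rho_i$ in basis $\Theta_i$. Then,

$H(X_i \mid \Theta_i) = \frac{1}{2}\big(\underbrace{H(X_i \mid \Theta_i = +) + H(X_i \mid \Theta_i = \times)}_{\ge 1}\big) \ge \frac{1}{2}.$

[Figure: axes $|0\rangle_+$, $|1\rangle_+$, $|0\rangle_\times$, $|1\rangle_\times$]

$\Pr[X = 0] = 1$, $\Pr[X = 1] = 0$

$\Pr[X = 0] = 1/2$, $\Pr[X = 1] = 1/2$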

16 / 24

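Quantum Uncertainty Relation needed

[Diagram: $\Theta \in_R \{+,\times\}^n$, state $\rho$, measurement outcomes $X$]

$H_\infty(X \mid \Theta) \ge\ ?$

$X^i := X_1, \ldots, X_i$

$X := X^n = X_1, \ldots, X_n$

Maassen Uffink 88: Let $\rho_i$ be a 1-qubit state, $\Theta_i \in_R \{+,\times\}$, $X_i$ the outcome of measuring $\rho_i$ in basis $\Theta_i$. Then,

$H(X_i \mid \Theta_i) = \frac{1}{2}\big(\underbrace{H(X_i \mid \Theta_i = +) + H(X_i \mid \Theta_i = \times)}_{\ge 1}\big) \ge \frac{1}{2}.$

$X_i$ independent, $H(X_i \mid \Theta_i) \ge \frac{1}{2}$

$\Rightarrow\ H^{\varepsilon}_\infty(X^n \mid \Theta) \overset{n \to \infty}{\approx} n \cdot H(X_i \mid \Theta_i) \ge n/2$

except with prob $\le \varepsilon$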

17 / 24

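Main Result

[Diagram: $\Theta \in_R \{+,\times\}^n$, state $\rho$, measurement outcomes $X$]

$H_\infty(X \mid \Theta) \ge\ ?$

Maassen Uffink 88: Let $\rho_i$ be a 1-qubit state, $\Theta_i \in_R \{+,\times\}$, $X_i$ the outcome of measuring $\rho_i$ in basis $\Theta_i$. Then,

$H(X_i \mid \Theta_i) = \frac{1}{2}\big(\underbrace{H(X_i \mid \Theta_i = +) + H(X_i \mid \Theta_i = \times)}_{\ge 1}\big) \ge \frac{1}{2}.$

$X_i$ dependent

$H(X_i \mid \Theta_i) \ge \frac{1}{2}$

$H(X_i \mid \Theta_i, X^{i-1} = x^{i-1}, \Theta^{i-1} = \theta^{i-1}) \ge \frac{1}{2}$

Quantum Uncertainty Relation: Let $X = (X_1, \ldots, X_n)$ be the outcome. Then,

$H^{\varepsilon}_\infty(X \mid \Theta) \gtrsim n/2$

with $\varepsilon$ negligible in $n$.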

18 / 24

Main Technical Lemma

$Z_1, \ldots, Z_n$ (dependent) random variables

with $H(Z_i \mid Z^{i-1} = z^{i-1}) \ge h$.

Then, $H^{\varepsilon}_\infty(Z) \gtrsim n \cdot h$ with $\varepsilon$ negligible in $n$

Proof:

• information theory

• generalized Chernoff bound (Azuma inequality)

19 / 24

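Proof of Quantum Uncertainty Relation

[Diagram: $\Theta \in_R \{+,\times\}^n$, state $\rho$, measurement outcomes $X$]

Quantum Uncertainty Relation: Let $X = (X_1, \ldots, X_n)$ be the outcome. Then,

$H^{\varepsilon}_\infty(X \mid \Theta) \gtrsim n/2$

with $\varepsilon$ negligible in $n$.

MU: $\rho$ 1-qubit state: $H(X' \mid \Theta') \ge \frac{1}{2}$

Thm: $H(Z_i \mid Z^{i-1} = z) \ge h \ \Rightarrow\ H^{\varepsilon}_\infty(Z^n) \gtrsim hn$

$Z_i := (X_i, \Theta_i)$

$H(Z_i \mid Z^{i-1} = z) = H(X_i \mid \Theta_i, Z^{i-1} = z) + H(\Theta_i \mid Z^{i-1} = z) \ge \frac{1}{2} + 1 =: h.$

$H^{\varepsilon}_\infty(X \mid \Theta) \approx H^{\varepsilon}_\infty(Z^n) - H_0(\Theta) \gtrsim n/2 + n - n.$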

20 / 24

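Tight?

MU: $\rho$ 1-qubit state: $H(X' \mid \Theta') \ge \frac{1}{2}$

$H(X \mid \Theta) = \frac{1}{2}\big(\underbrace{H(X \mid \Theta = +)}_{=0} + \underbrace{H(X \mid \Theta = \times)}_{=1}\big) = \frac{1}{2}.$

[Diagram: $\Theta \in_R \{+,\times\}^n$, state $\rho$, measurement outcomes $X$]

Quantum Uncertainty Relation: Let $X = (X_1, \ldots, X_n)$ be the outcome. Then,

$H^{\varepsilon}_\infty(X \mid \Theta) \gtrsim n/2$

with $\varepsilon$ negligible in $n$.

For the pure state $|0\rangle^{\otimes n}$, the $X_i$ are independent and we know that $H^{\varepsilon}_\infty(X \mid \Theta) \overset{n \to \infty}{\approx} H(X \mid \Theta) = n/2$.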
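Added example (not from the slides): a numerical check of the one-qubit Maassen-Uffink bound and of the tightness claim for $|0\rangle^{\otimes n}$, showing why the $n/2$ bound is stated for the smooth min-entropy. Function names are hypothetical; the grid covers real-amplitude pure states only, and smoothing is modelled as discarding the bases with fewer than `t` ×-positions, whose total weight is `eps`.

```python
import math

# Assumptions (added example): real-amplitude pure states for the one-qubit grid;
# smoothing = dropping the event "fewer than t positions of Theta are x".

def h2(p):
    """Binary Shannon entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def one_qubit_avg_entropy(a):
    """H(X|Theta) for cos(a)|0> + sin(a)|1>, Theta uniform on {+, x}."""
    p_plus = math.cos(a) ** 2              # Pr[X=0 | Theta=+]
    p_times = (1 + math.sin(2 * a)) / 2    # Pr[X=0 | Theta=x]
    return 0.5 * (h2(p_plus) + h2(p_times))

def grid_minimum(steps=10_000):
    """Smallest H(X|Theta) found over a grid of angles in [0, pi)."""
    return min(one_qubit_avg_entropy(math.pi * i / steps) for i in range(steps))

def zero_state_entropies(n, t):
    """Entropies of X given Theta when |0>^n is measured in Theta uniform on {+, x}^n.

    With k = number of x-positions in Theta, X is uniform on 2^k strings.
    Returns (Shannon, worst-case min, average-case min, smooth bound t, eps).
    """
    shannon = sum(math.comb(n, k) * k for k in range(n + 1)) / 2 ** n
    worst_case = 0.0                       # Theta = +^n makes X deterministic
    guess = sum(math.comb(n, k) << (n - k) for k in range(n + 1)) / 4 ** n
    avg_case = -math.log2(guess)           # -log2 E_theta[max_x P(x | theta)]
    eps = sum(math.comb(n, k) for k in range(t)) / 2 ** n   # Pr[k < t]
    return shannon, worst_case, avg_case, t, eps

if __name__ == "__main__":
    print("one-qubit minimum of H(X|Theta):", grid_minimum())
    for n in (100, 1000):
        print(n, zero_state_entropies(n, 9 * n // 20))
```

Without smoothing the min-entropy of this state is only about $0.415\,n$ (average-case) or 0 (worst-case); discarding a set of bases of small weight `eps` already guarantees `t` bits, which is how the bound can approach the Shannon value $n/2$.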

21 / 24

Outline

Motivation and Notation

Quantum Uncertainty Relation

Contributions

22 / 24

Contributions I: Uncertainty Relations

classical general lemma:

$H(Z_i \mid Z^{i-1} = z) \ge h \ \Rightarrow\ H^{\varepsilon}_\infty(Z^n) \gtrsim hn$

instantiate it for various quantum codings:

conjugate coding / BB84: $\Theta \in_R \{+,\times\}^n$, state $\rho$:

$H^{\varepsilon}_\infty(X \mid \Theta) \ge n/2$

23 / 24

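Contributions I: Uncertainty Relations

classical general lemma:

$H(Z_i \mid Z^{i-1} = z) \ge h \ \Rightarrow\ H^{\varepsilon}_\infty(Z^n) \gtrsim hn$

instantiate it for various quantum codings:

conjugate coding / BB84:

$H^{\varepsilon}_\infty(X \mid \Theta) \ge n/2$

three bases / six-state: $\Theta \in_R \{+,\times,\ominus\}^n$, state $\rho$:

$H^{\varepsilon}_\infty(X \mid \Theta) \ge \frac{2}{3} n$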

24 / 24

Contributions II: Applications

Bounded-Quantum-Storage Model: Non-interactive, practical protocols for 1-2 OT and BC, secure according to new composable security definitions.

Quantum Key Distribution: Security proofs in the realistic setting of a quantum-memory-bounded eavesdropper. Tolerate higher error rates than against unbounded adversaries.

Composition of certain Quantum Ciphers: key-uncertainty adds up in terms of min-entropy.