Upload
others
View
28
Download
0
Embed Size (px)
Citation preview
Infinite Randomness Expansion and Amplification with a Constant
Number of Devices
Matthew Coudron, Henry Yuen
MIT EECS
arXiv 1310.6755
Randomness Expansion
• Roger Colbeck – PhD Thesis, 2006
• Serial rounds
“Query and Response”
x
0
y
0
a
1
b
1
b = 1 a = 1
S = Input Seed
A B
Randomness Expansion
• Roger Colbeck – PhD Thesis, 2006
• Serial rounds
“Query and Response”
x
1
0
y
0
0
a
0
1
b
0
1
b = 0 a = 0
S = Input Seed
A B
Randomness Expansion
• Roger Colbeck – PhD Thesis, 2006
• Serial rounds
“Query and Response”
x
0
1
0
y
1
0
0
a
0
0
1
b
0
0
1
b = 0 a = 0
S = Input Seed
A B
Randomness Expansion
• Roger Colbeck – PhD Thesis, 2006
• Serial rounds
“Query and Response”
x
1
0
1
0
y
1
1
0
0
a
1
0
0
1
b
1
0
0
1
b = 1 a = 1
S = Input Seed
A B
Randomness Expansion
• Roger Colbeck – PhD Thesis, 2006
• Serial rounds
“Query and Response”
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
A B
O = Output
Randomness Expansion
• Roger Colbeck – PhD Thesis, 2006
• Serial rounds
“Query and Response”
Test
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
A B
O = Output
Randomness Expansion
• Roger Colbeck – PhD Thesis, 2006
• Serial rounds
“Query and Response”
Test
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
A B
O has high Min-Entropy (high “randomness”)
O = Output
Randomness Expansion
• Roger Colbeck – PhD Thesis, 2006
• Serial rounds
“Query and Response”
Test
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
A B
Abort Protocol
O has high Min-Entropy (high “randomness”)
O = Output
VV Protocol [Vazirani, Vidick ‘11]
• Exponential expansion
n bit seed -> O has 2 𝑛3
Min Entropy
• Secure against quantum eavesdropper
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
Randomness Expansion
A B
O = Output
VV Protocol [Vazirani, Vidick ‘11]
• Exponential expansion
n bit seed -> O has 2 𝑛3
Min Entropy
• Secure against quantum eavesdropper
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
Randomness Expansion
A B
O = Output
VV Protocol [Vazirani, Vidick ‘11]
• Exponential expansion
n bit seed -> O has 2 𝑛3
Min Entropy
• Secure against quantum eavesdropper
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
Randomness Expansion
A B
O = Output
VV Protocol [Vazirani, Vidick ‘11]
• Exponential expansion
n bit seed -> O has 2 𝑛3
Min Entropy
• Secure against quantum eavesdropper
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
Randomness Expansion
A B
O = Output
VV Protocol [Vazirani, Vidick ‘11]
• Exponential expansion
n bit seed -> O has 2 𝑛3
Min Entropy
• Secure against quantum eavesdropper
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
Randomness Expansion
A B
E O = Output
VV Protocol [Vazirani, Vidick ‘11]
• Exponential expansion
n bit seed -> O has 2 𝑛3
Min Entropy
• Secure against quantum eavesdropper
𝜌𝑆𝐷𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐷𝐸 𝜌𝑂𝐸 ≈ 𝜌𝑈⊗ 𝜌𝐸
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
Randomness Expansion
A B
E O = Output
Questions
1) What is the greatest possible rate of randomness expansion? Exponential? Higher?
2) How does the expansion rate depend on # of devices used?
Questions
1) What is the greatest possible rate of randomness expansion? Exponential? Higher?
2) How does the expansion rate depend on # of devices used?
Our Result:
Infinite randomness expansion with 8 devices. (We can also do 6)
EXTRACTOR
Compose?
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
Input Seed
A B
O
EXTRACTOR
Compose?
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
Input Seed
A B
O
EXTRACTOR
Compose?
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
Input Seed
A B
O
EXTRACTOR
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
O
E
EXTRACTOR
Compose?
Secure Against Eavesdropper
S1
A B
O1
Group 1
S2
A B
O2
Group 2
𝜌𝑆1𝐺1𝐺2 ≈ 𝜌𝑈 ⊗ 𝜌𝐺1𝐺2 𝜌𝑂1𝐺2 ≈ 𝜌𝑈 ⊗ 𝜌𝐺2
EXTRACTOR
Alternate?
Secure Against Eavesdropper
S2
A B
Group 1
A B
O2
Group 2
E
𝜌𝑆2𝐺2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺2𝐺1 𝜌𝑂2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺1
EXTRACTOR
EXTRACTOR
Alternate?
Secure Against Eavesdropper
S2
A B
Group 1
A B
O2
Group 2
E
𝜌𝑆2𝐺2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺2𝐺1 𝜌𝑂2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺1
EXTRACTOR
EXTRACTOR
Alternate?
Secure Against Eavesdropper
S2
A B
Group 1
A B
O2
Group 2
E
𝜌𝑆2𝐺2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺2𝐺1 𝜌𝑂2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺1
EXTRACTOR
EXTRACTOR
Alternate?
Secure Against Eavesdropper
S2
A B
Group 1
A B
O2
Group 2
E
𝜌𝑆2𝐺2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺2𝐺1 𝜌𝑂2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺1
EXTRACTOR
EXTRACTOR
Alternate?
Secure Against Eavesdropper
S2
A B
Group 1
A B
O2
Group 2
E
𝜌𝑆2𝐺2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺2𝐺1 𝜌𝑂2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺1
EXTRACTOR
“Extractor Seed Problem” [Fehr, Gelles, Schaffner, PRA 2013]
Input Security
• Provably input secure randomness expansion protocol Infinite randomness expansion.
• Can we obtain input security in a randomness expansion protocol?
• Randomness Extractors are provably not input secure.
𝜌𝑆𝐷𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐷𝐸
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
𝜌𝑆𝐷 ≈ 𝜌𝑈 ⊗ 𝜌𝐷
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
Secure Against Q. Eavesdropper “Input Secure”
Input Security
• Provably input secure randomness expansion protocol Infinite randomness expansion.
• Can we obtain input security in a randomness expansion protocol?
• Randomness Extractors are provably not input secure.
𝜌𝑆𝐷𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐷𝐸
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
𝜌𝑆𝐷 ≈ 𝜌𝑈 ⊗ 𝜌𝐷
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
Secure Against Q. Eavesdropper “Input Secure”
Input Security
• Provably input secure randomness expansion protocol Infinite randomness expansion.
• Can we obtain input security in a randomness expansion protocol?
• Randomness Extractors are provably not input secure.
𝜌𝑆𝐷𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐷𝐸
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
𝜌𝑆𝐷 ≈ 𝜌𝑈 ⊗ 𝜌𝐷
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
Secure Against Q. Eavesdropper “Input Secure”
Input Security
• Provably input secure randomness expansion protocol Infinite randomness expansion.
• Can we obtain input security in a randomness expansion protocol?
• Randomness Extractors are provably not input secure.
𝜌𝑆𝐷𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐷𝐸
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
𝜌𝑆𝐷 ≈ 𝜌𝑈 ⊗ 𝜌𝐷
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
Secure Against Q. Eavesdropper “Input Secure”
A New Tool [Reichardt, Unger, Vazirani 2012]
“RUV” Protocol
• Device Independent protocol
• Certifies that devices are measuring an EPR pair in certain rounds.
• Employs CHSH Rigidity
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
A B
A New Tool [Reichardt, Unger, Vazirani 2012]
“RUV” Protocol
• Device Independent protocol
• Certifies that devices are measuring an EPR pair in certain rounds.
• Employs CHSH Rigidity
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
A B
A New Tool [Reichardt, Unger, Vazirani 2012]
“RUV” Protocol
• Device Independent protocol
• Certifies that devices are measuring an EPR pair in certain rounds.
• Employs CHSH Rigidity
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
A B
A New Tool [Reichardt, Unger, Vazirani 2012]
“RUV” Protocol
• Device Independent protocol
• Certifies that devices are measuring an EPR pair in certain rounds.
• Employs CHSH Rigidity
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
A B
The RUV protocol seems Input Secure!
.
Input Secure?
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
The RUV protocol seems Input Secure!
.
Input Secure?
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
The RUV protocol seems Input Secure!
.
Input Secure? E
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
The RUV protocol seems Input Secure!
.
Input Secure?
𝜌𝑆𝐷 ≈ 𝜌𝑈 ⊗ 𝜌𝐷
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
“Input Secure”
E
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
The RUV protocol seems Input Secure!
However:
1) Not randomness expanding.
Input Secure?
𝜌𝑆𝐷 ≈ 𝜌𝑈 ⊗ 𝜌𝐷
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
“Input Secure”
E
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
Obtaining Expansion
• VV
– Exponential Expansion
– Q. Secure
• RUV:
– Polynomial Contraction
• Net:
– Exponential Expansion
This RUV protocol seems Input Secure!
However:
1) Not randomness expanding.
2) Not input secure conditioned on passing.
Input Secure?
𝜌𝑆𝐷 ≈ 𝜌𝑈 ⊗ 𝜌𝐷
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
“Input Secure”
E
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
Input Security revisited • We only use the output of RUV in the
event that the protocol passes
• In general conditioning on this event can reveal output information to the eavesdropper
• This would invalidate the Input Security gained from RUV
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
Input Security revisited • We only use the output of RUV in the
event that the protocol passes
• In general conditioning on this event can reveal output information to the eavesdropper
• This would invalidate the Input Security gained from RUV
E
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
Input Security revisited • We only use the output of RUV in the
event that the protocol passes
• In general conditioning on this event can reveal output information to the eavesdropper
• This would invalidate the Input Security gained from RUV
E
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
• Divide the output X into blocks
• On average each block will be nearly unentangled with the combined system FE
• Output a random block
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
• Divide the output X into blocks
• On average each block will be nearly unentangled with the combined system FE
• Output a random block
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
• Divide the output X into blocks
• On average each block will be nearly unentangled with the combined system FE
• Output a random block
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
• Divide the output X into blocks
• On average each block will be nearly unentangled with the combined system FE
• Output a random block
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
𝐼 𝑋: 𝐸 ≈ 0
𝐼 𝑋:𝐹𝐸 ≤ 2 𝐻 𝐹 ≤ 2
2 ≥ 𝐼 𝑋:𝐹𝐸 = 𝐼 𝑋𝑖 : 𝐹𝐸 𝑋<𝑖𝑖
≥ 𝐼(𝑋𝑖: 𝐹𝐸)
𝑖
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
𝐼 𝑋: 𝐸 ≈ 0
𝐼 𝑋:𝐹𝐸 ≤ 2 𝐻 𝐹 ≤ 2
2 ≥ 𝐼 𝑋:𝐹𝐸 = 𝐼 𝑋𝑖 : 𝐹𝐸 𝑋<𝑖𝑖
≥ 𝐼(𝑋𝑖: 𝐹𝐸)
𝑖
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
𝐼 𝑋: 𝐸 ≈ 0
𝐼 𝑋:𝐹𝐸 ≤ 2 𝐻 𝐹 ≤ 2
2 ≥ 𝐼 𝑋:𝐹𝐸 = 𝐼 𝑋𝑖 : 𝐹𝐸 𝑋<𝑖𝑖
≥ 𝐼(𝑋𝑖: 𝐹𝐸)
𝑖
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
𝐼 𝑋: 𝐸 ≈ 0
𝐼 𝑋:𝐹𝐸 ≤ 2 𝐻 𝐹 ≤ 2
2 ≥ 𝐼 𝑋:𝐹𝐸 = 𝐼 𝑋𝑖 : 𝐹𝐸 𝑋<𝑖𝑖
≥ 𝐼(𝑋𝑖: 𝐹𝐸)
𝑖
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
1
𝑁 𝐼(𝑋𝑖: 𝐹𝐸)𝑖 ≤
1
𝑁 𝐼(𝑋: 𝐹𝐸) ≤
2
𝑁
Pinsker’s Inequality
1
𝑁 || 𝜌𝑋𝑖𝐹𝐸 − 𝜌𝑋𝑖⊗𝜌𝐹𝐸 ||
2
𝑖
≤1
𝑁 𝐼(𝑋𝑖: 𝐹𝐸)
𝑖
≤2
𝑁
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
1
𝑁 𝐼(𝑋𝑖: 𝐹𝐸)𝑖 ≤
1
𝑁 𝐼(𝑋: 𝐹𝐸) ≤
2
𝑁
Pinsker’s Inequality
1
𝑁 || 𝜌𝑋𝑖𝐹𝐸 − 𝜌𝑋𝑖⊗𝜌𝐹𝐸 ||
2
𝑖
≤1
𝑁 𝐼(𝑋𝑖: 𝐹𝐸)
𝑖
≤2
𝑁
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
1
𝑁 𝐼(𝑋𝑖: 𝐹𝐸)𝑖 ≤
1
𝑁 𝐼(𝑋: 𝐹𝐸) ≤
2
𝑁
Pinsker’s Inequality
1
𝑁 || 𝜌𝑋𝑖𝐹𝐸 − 𝜌𝑋𝑖⊗𝜌𝐹𝐸 ||
2
𝑖
≤1
𝑁 𝐼(𝑋𝑖: 𝐹𝐸)
𝑖
≤2
𝑁
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
1
𝑁 𝐼(𝑋𝑖: 𝐹𝐸)𝑖 ≤
1
𝑁 𝐼(𝑋: 𝐹𝐸) ≤
2
𝑁
Pinsker’s Inequality
1
𝑁 || 𝜌𝑋𝑖𝐹𝐸 − 𝜌𝑋𝑖⊗𝜌𝐹𝐸 ||
2
𝑖
≤1
𝑁 𝐼(𝑋𝑖: 𝐹𝐸)
𝑖
≤2
𝑁
Selecting Random Blocks • Our solution selects output
blocks at random….
….using an input seed unknown to the devices
• But could the seed be correlated with the position of “bad” blocks?
X
X1
X3
X2
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
E
Selecting Random Blocks • Our solution selects output
blocks at random….
….using an input seed unknown to the devices
• But could the seed be correlated with the position of “bad” blocks?
X
X1
X3
X2
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
E
Selecting Random Blocks • Our solution selects output
blocks at random….
….using an input seed unknown to the devices
• But could the seed be correlated with the position of “bad” blocks?
X
X1
X3
X2
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
E
Selecting Random Blocks • Such adversarial
correlations can be ruled out using a purification and simulation argument.
• This implies full input security for this composition of VV and RUV.
X
X1
X3
X2
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
E
Selecting Random Blocks • Such adversarial
correlations can be ruled out using a purification and simulation argument.
• This implies full input security for this composition of VV and RUV.
X
X1
X3
X2
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
E
Infinite Randomness Expansion
• Approximately Input Secure steps (composable) • Exponential Expansion at each step
VV
B A
RUV
B A
VV
B A
RUV
B A
S = Input Seed
Infinite Randomness Expansion
• Accumulated error converges
• Output is 1
𝑒𝑥𝑝( 𝑆 ) -close to uniform and secure against quantum eavesdropper.
VV
B A
RUV
B A
VV
B A
RUV
B A
S = Input Seed