Embed Size (px)
Citation preview
Infinite Randomness Expansion and Amplification with a Constant
Number of Devices
Matthew Coudron, Henry Yuen
MIT EECS
arXiv 1310.6755
Randomness Expansion
• Roger Colbeck – PhD Thesis, 2006
Randomness Expansion
• Roger Colbeck – PhD Thesis, 2006
S = Input Seed
A B
Randomness Expansion
• Roger Colbeck – PhD Thesis, 2006
b = 1 a = 1
S = Input Seed
A B
Randomness Expansion
• Roger Colbeck – PhD Thesis, 2006
• Serial rounds
“Query and Response”
x
0
y
0
a
1
b
1
b = 1 a = 1
S = Input Seed
A B
Randomness Expansion
• Roger Colbeck – PhD Thesis, 2006
• Serial rounds
“Query and Response”
x
1
0
y
0
0
a
0
1
b
0
1
b = 0 a = 0
S = Input Seed
A B
Randomness Expansion
• Roger Colbeck – PhD Thesis, 2006
• Serial rounds
“Query and Response”
x
0
1
0
y
1
0
0
a
0
0
1
b
0
0
1
b = 0 a = 0
S = Input Seed
A B
Randomness Expansion
• Roger Colbeck – PhD Thesis, 2006
• Serial rounds
“Query and Response”
x
1
0
1
0
y
1
1
0
0
a
1
0
0
1
b
1
0
0
1
b = 1 a = 1
S = Input Seed
A B
Randomness Expansion
• Roger Colbeck – PhD Thesis, 2006
• Serial rounds
“Query and Response”
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
A B
O = Output
Randomness Expansion
• Roger Colbeck – PhD Thesis, 2006
• Serial rounds
“Query and Response”
Test
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
A B
O = Output
Randomness Expansion
• Roger Colbeck – PhD Thesis, 2006
• Serial rounds
“Query and Response”
Test
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
A B
O has high Min-Entropy (high “randomness”)
O = Output
Randomness Expansion
• Roger Colbeck – PhD Thesis, 2006
• Serial rounds
“Query and Response”
Test
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
A B
Abort Protocol
O has high Min-Entropy (high “randomness”)
O = Output
VV Protocol [Vazirani, Vidick ‘11]
• Exponential expansion
n bit seed -> O has 2 𝑛3
Min Entropy
• Secure against quantum eavesdropper
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
Randomness Expansion
A B
O = Output
VV Protocol [Vazirani, Vidick ‘11]
• Exponential expansion
n bit seed -> O has 2 𝑛3
Min Entropy
• Secure against quantum eavesdropper
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
Randomness Expansion
A B
O = Output
VV Protocol [Vazirani, Vidick ‘11]
• Exponential expansion
n bit seed -> O has 2 𝑛3
Min Entropy
• Secure against quantum eavesdropper
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
Randomness Expansion
A B
O = Output
VV Protocol [Vazirani, Vidick ‘11]
• Exponential expansion
n bit seed -> O has 2 𝑛3
Min Entropy
• Secure against quantum eavesdropper
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
Randomness Expansion
A B
O = Output
VV Protocol [Vazirani, Vidick ‘11]
• Exponential expansion
n bit seed -> O has 2 𝑛3
Min Entropy
• Secure against quantum eavesdropper
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
Randomness Expansion
A B
E O = Output
VV Protocol [Vazirani, Vidick ‘11]
• Exponential expansion
n bit seed -> O has 2 𝑛3
Min Entropy
• Secure against quantum eavesdropper
𝜌𝑆𝐷𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐷𝐸 𝜌𝑂𝐸 ≈ 𝜌𝑈⊗ 𝜌𝐸
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
Randomness Expansion
A B
E O = Output
Questions
1) What is the greatest possible rate of randomness expansion? Exponential? Higher?
Questions
1) What is the greatest possible rate of randomness expansion? Exponential? Higher?
2) How does the expansion rate depend on # of devices used?
Questions
1) What is the greatest possible rate of randomness expansion? Exponential? Higher?
2) How does the expansion rate depend on # of devices used?
Our Result:
Infinite randomness expansion with 8 devices. (We can also do 6)
EXTRACTOR
Compose?
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
Input Seed
A B
O
EXTRACTOR
Compose?
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
Input Seed
A B
O
EXTRACTOR
Compose?
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
Input Seed
A B
O
EXTRACTOR
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
O
EXTRACTOR
Compose?
S1
A B
O1
Group 1
S2
A B
O2
Group 2
EXTRACTOR
Compose?
Secure Against Eavesdropper
S1
A B
O1
Group 1
S2
A B
O2
Group 2
E
EXTRACTOR
Compose?
Secure Against Eavesdropper
S1
A B
O1
Group 1
S2
A B
O2
Group 2
E
EXTRACTOR
Compose?
Secure Against Eavesdropper
S1
A B
O1
Group 1
S2
A B
O2
Group 2
𝜌𝑆1𝐺1𝐺2 ≈ 𝜌𝑈 ⊗ 𝜌𝐺1𝐺2 𝜌𝑂1𝐺2 ≈ 𝜌𝑈 ⊗ 𝜌𝐺2
EXTRACTOR
Alternate?
S2
A B
Group 1
A B
O2
Group 2 EXTRACTOR
EXTRACTOR
Alternate?
S2
A B
Group 1
A B
O2
Group 2 EXTRACTOR
EXTRACTOR
Alternate?
Secure Against Eavesdropper
S2
A B
Group 1
A B
O2
Group 2 EXTRACTOR
EXTRACTOR
Alternate?
Secure Against Eavesdropper
S2
A B
Group 1
A B
O2
Group 2
E
EXTRACTOR
EXTRACTOR
Alternate?
Secure Against Eavesdropper
S2
A B
Group 1
A B
O2
Group 2
E
𝜌𝑆2𝐺2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺2𝐺1 𝜌𝑂2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺1
EXTRACTOR
EXTRACTOR
Alternate?
Secure Against Eavesdropper
S2
A B
Group 1
A B
O2
Group 2
E
𝜌𝑆2𝐺2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺2𝐺1 𝜌𝑂2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺1
EXTRACTOR
EXTRACTOR
Compose?
S1
A B
O1
Group 1
S2
A B
O2
Group 2
EXTRACTOR
Alternate?
Secure Against Eavesdropper
S2
A B
Group 1
A B
O2
Group 2
E
𝜌𝑆2𝐺2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺2𝐺1 𝜌𝑂2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺1
EXTRACTOR
EXTRACTOR
Alternate?
Secure Against Eavesdropper
S2
A B
Group 1
A B
O2
Group 2
E
𝜌𝑆2𝐺2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺2𝐺1 𝜌𝑂2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺1
EXTRACTOR
EXTRACTOR
Alternate?
Secure Against Eavesdropper
S2
A B
Group 1
A B
O2
Group 2
E
𝜌𝑆2𝐺2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺2𝐺1 𝜌𝑂2𝐺1 ≈ 𝜌𝑈 ⊗ 𝜌𝐺1
EXTRACTOR
“Extractor Seed Problem” [Fehr, Gelles, Schaffner, PRA 2013]
Input Security
• Provably input secure randomness expansion protocol Infinite randomness expansion.
• Can we obtain input security in a randomness expansion protocol?
• Randomness Extractors are provably not input secure.
𝜌𝑆𝐷𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐷𝐸
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
𝜌𝑆𝐷 ≈ 𝜌𝑈 ⊗ 𝜌𝐷
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
Secure Against Q. Eavesdropper “Input Secure”
Input Security
• Provably input secure randomness expansion protocol Infinite randomness expansion.
• Can we obtain input security in a randomness expansion protocol?
• Randomness Extractors are provably not input secure.
𝜌𝑆𝐷𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐷𝐸
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
𝜌𝑆𝐷 ≈ 𝜌𝑈 ⊗ 𝜌𝐷
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
Secure Against Q. Eavesdropper “Input Secure”
Input Security
• Provably input secure randomness expansion protocol Infinite randomness expansion.
• Can we obtain input security in a randomness expansion protocol?
• Randomness Extractors are provably not input secure.
𝜌𝑆𝐷𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐷𝐸
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
𝜌𝑆𝐷 ≈ 𝜌𝑈 ⊗ 𝜌𝐷
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
Secure Against Q. Eavesdropper “Input Secure”
Input Security
• Provably input secure randomness expansion protocol Infinite randomness expansion.
• Can we obtain input security in a randomness expansion protocol?
• Randomness Extractors are provably not input secure.
𝜌𝑆𝐷𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐷𝐸
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
𝜌𝑆𝐷 ≈ 𝜌𝑈 ⊗ 𝜌𝐷
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
Secure Against Q. Eavesdropper “Input Secure”
A New Tool [Reichardt, Unger, Vazirani 2012]
“RUV” Protocol
• Device Independent protocol
• Certifies that devices are measuring an EPR pair in certain rounds.
• Employs CHSH Rigidity
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
A B
A New Tool [Reichardt, Unger, Vazirani 2012]
“RUV” Protocol
• Device Independent protocol
• Certifies that devices are measuring an EPR pair in certain rounds.
• Employs CHSH Rigidity
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
A B
A New Tool [Reichardt, Unger, Vazirani 2012]
“RUV” Protocol
• Device Independent protocol
• Certifies that devices are measuring an EPR pair in certain rounds.
• Employs CHSH Rigidity
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
A B
A New Tool [Reichardt, Unger, Vazirani 2012]
“RUV” Protocol
• Device Independent protocol
• Certifies that devices are measuring an EPR pair in certain rounds.
• Employs CHSH Rigidity
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
S = Input Seed
A B
The RUV protocol seems Input Secure!
.
Input Secure?
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
The RUV protocol seems Input Secure!
.
Input Secure?
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
The RUV protocol seems Input Secure!
.
Input Secure? E
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
The RUV protocol seems Input Secure!
.
Input Secure?
𝜌𝑆𝐷 ≈ 𝜌𝑈 ⊗ 𝜌𝐷
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
“Input Secure”
E
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
The RUV protocol seems Input Secure!
However:
1) Not randomness expanding.
Input Secure?
𝜌𝑆𝐷 ≈ 𝜌𝑈 ⊗ 𝜌𝐷
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
“Input Secure”
E
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
Obtaining Expansion
• VV
– Exponential Expansion
– Q. Secure
• RUV:
– Polynomial Contraction
• Net:
– Exponential Expansion
This RUV protocol seems Input Secure!
However:
1) Not randomness expanding.
2) Not input secure conditioned on passing.
Input Secure?
𝜌𝑆𝐷 ≈ 𝜌𝑈 ⊗ 𝜌𝐷
𝜌𝑂𝐸 ≈ 𝜌𝑈 ⊗ 𝜌𝐸
“Input Secure”
E
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
Input Security revisited • We only use the output of RUV in the
event that the protocol passes
• In general conditioning on this event can reveal output information to the eavesdropper
• This would invalidate the Input Security gained from RUV
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
Input Security revisited • We only use the output of RUV in the
event that the protocol passes
• In general conditioning on this event can reveal output information to the eavesdropper
• This would invalidate the Input Security gained from RUV
E
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
Input Security revisited • We only use the output of RUV in the
event that the protocol passes
• In general conditioning on this event can reveal output information to the eavesdropper
• This would invalidate the Input Security gained from RUV
E
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
• Divide the output X into blocks
• On average each block will be nearly unentangled with the combined system FE
• Output a random block
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
• Divide the output X into blocks
• On average each block will be nearly unentangled with the combined system FE
• Output a random block
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
• Divide the output X into blocks
• On average each block will be nearly unentangled with the combined system FE
• Output a random block
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
• Divide the output X into blocks
• On average each block will be nearly unentangled with the combined system FE
• Output a random block
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
𝐼 𝑋: 𝐸 ≈ 0
𝐼 𝑋:𝐹𝐸 ≤ 2 𝐻 𝐹 ≤ 2
2 ≥ 𝐼 𝑋:𝐹𝐸 = 𝐼 𝑋𝑖 : 𝐹𝐸 𝑋<𝑖𝑖
≥ 𝐼(𝑋𝑖: 𝐹𝐸)
𝑖
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
𝐼 𝑋: 𝐸 ≈ 0
𝐼 𝑋:𝐹𝐸 ≤ 2 𝐻 𝐹 ≤ 2
2 ≥ 𝐼 𝑋:𝐹𝐸 = 𝐼 𝑋𝑖 : 𝐹𝐸 𝑋<𝑖𝑖
≥ 𝐼(𝑋𝑖: 𝐹𝐸)
𝑖
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
𝐼 𝑋: 𝐸 ≈ 0
𝐼 𝑋:𝐹𝐸 ≤ 2 𝐻 𝐹 ≤ 2
2 ≥ 𝐼 𝑋:𝐹𝐸 = 𝐼 𝑋𝑖 : 𝐹𝐸 𝑋<𝑖𝑖
≥ 𝐼(𝑋𝑖: 𝐹𝐸)
𝑖
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
𝐼 𝑋: 𝐸 ≈ 0
𝐼 𝑋:𝐹𝐸 ≤ 2 𝐻 𝐹 ≤ 2
2 ≥ 𝐼 𝑋:𝐹𝐸 = 𝐼 𝑋𝑖 : 𝐹𝐸 𝑋<𝑖𝑖
≥ 𝐼(𝑋𝑖: 𝐹𝐸)
𝑖
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
1
𝑁 𝐼(𝑋𝑖: 𝐹𝐸)𝑖 ≤
1
𝑁 𝐼(𝑋: 𝐹𝐸) ≤
2
𝑁
Pinsker’s Inequality
1
𝑁 || 𝜌𝑋𝑖𝐹𝐸 − 𝜌𝑋𝑖⊗𝜌𝐹𝐸 ||
2
𝑖
≤1
𝑁 𝐼(𝑋𝑖: 𝐹𝐸)
𝑖
≤2
𝑁
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
1
𝑁 𝐼(𝑋𝑖: 𝐹𝐸)𝑖 ≤
1
𝑁 𝐼(𝑋: 𝐹𝐸) ≤
2
𝑁
Pinsker’s Inequality
1
𝑁 || 𝜌𝑋𝑖𝐹𝐸 − 𝜌𝑋𝑖⊗𝜌𝐹𝐸 ||
2
𝑖
≤1
𝑁 𝐼(𝑋𝑖: 𝐹𝐸)
𝑖
≤2
𝑁
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
1
𝑁 𝐼(𝑋𝑖: 𝐹𝐸)𝑖 ≤
1
𝑁 𝐼(𝑋: 𝐹𝐸) ≤
2
𝑁
Pinsker’s Inequality
1
𝑁 || 𝜌𝑋𝑖𝐹𝐸 − 𝜌𝑋𝑖⊗𝜌𝐹𝐸 ||
2
𝑖
≤1
𝑁 𝐼(𝑋𝑖: 𝐹𝐸)
𝑖
≤2
𝑁
Input Security: The Solution
X
X1
X3
X2 E F Pass Fail
F = 1 F = 0
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
1
𝑁 𝐼(𝑋𝑖: 𝐹𝐸)𝑖 ≤
1
𝑁 𝐼(𝑋: 𝐹𝐸) ≤
2
𝑁
Pinsker’s Inequality
1
𝑁 || 𝜌𝑋𝑖𝐹𝐸 − 𝜌𝑋𝑖⊗𝜌𝐹𝐸 ||
2
𝑖
≤1
𝑁 𝐼(𝑋𝑖: 𝐹𝐸)
𝑖
≤2
𝑁
Selecting Random Blocks • Our solution selects output
blocks at random….
….using an input seed unknown to the devices
• But could the seed be correlated with the position of “bad” blocks?
X
X1
X3
X2
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
E
Selecting Random Blocks • Our solution selects output
blocks at random….
….using an input seed unknown to the devices
• But could the seed be correlated with the position of “bad” blocks?
X
X1
X3
X2
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
E
Selecting Random Blocks • Our solution selects output
blocks at random….
….using an input seed unknown to the devices
• But could the seed be correlated with the position of “bad” blocks?
X
X1
X3
X2
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
E
Selecting Random Blocks • Such adversarial
correlations can be ruled out using a purification and simulation argument.
• This implies full input security for this composition of VV and RUV.
X
X1
X3
X2
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
E
Selecting Random Blocks • Such adversarial
correlations can be ruled out using a purification and simulation argument.
• This implies full input security for this composition of VV and RUV.
X
X1
X3
X2
x
0
1
1
0
1
0
1
0
y
0
0
1
0
1
1
0
0
a
1
0
0
1
1
0
0
1
b
0
1
1
0
1
0
0
1
b = 0 a = 1
A B
E
Our Protocol
EXTRACTOR
VV
B A
RUV
B A
EXTRACTOR
VV
B A
RUV
B A
S = Input Seed
Our Protocol
EXTRACTOR
VV
B A
RUV
B A
EXTRACTOR
VV
B A
RUV
B A
S = Input Seed
Our Protocol
EXTRACTOR
VV
B A
RUV
B A
EXTRACTOR
VV
B A
RUV
B A
S = Input Seed
Our Protocol
EXTRACTOR
VV
B A
RUV
B A
EXTRACTOR
VV
B A
RUV
B A
S = Input Seed
Our Protocol
EXTRACTOR
VV
B A
RUV
B A
EXTRACTOR
VV
B A
RUV
B A
S = Input Seed
Infinite Randomness Expansion
• Approximately Input Secure steps (composable) • Exponential Expansion at each step
VV
B A
RUV
B A
VV
B A
RUV
B A
S = Input Seed
Infinite Randomness Expansion
• Accumulated error converges
• Output is 1
𝑒𝑥𝑝( 𝑆 ) -close to uniform and secure against quantum eavesdropper.
VV
B A
RUV
B A
VV
B A
RUV
B A
S = Input Seed
Open Questions
• Robust protocols [Miller, Shi], [Chung, Shi, Wu] • Optimal Parameters? • Protocols other than Randomness Expansion [Reichardt, Unger, Vazirani 2012]
VV
B A
RUV
B A
VV
B A
RUV
B A
S = Input Seed
