Composing Quantum Protocols
Dominic Mayers
Université de Sherbrooke
Joint Work with Michael Ben-Or
Overview
• Basic Quantum Mechanics
• Models for quantum protocols and attacks.
• Canetti`s security definition and composability theorem in the quantum world
• Composability of Quantum Key Distribution (joint work with Michael Ben-Or, Michal Horodecki, Debbie Leung and Jonathan Oppenheim)
• Generalization of Ideal protocols (pro and con) X
• Briefly mention application to relativistic bit commitment X
Basic Quantum Mechanics
Classically, we believe that, in principle, if we are very careful, we can always extract a property of a system without disturbing the system. If we have two properties (e.g. momemtum and position), we can make a measurement to extract the first property and another measurement to extract the second property.
Quantum Mechanics uses the non abelian properties of operators on Hilbert space to model the fact that two measurements are not always compatible. The execution of one measurement (say momemtum) fundamentally interfers with the other (say position).
State Space = Hilbert SpaceFor our purpose, it will be sufficient to consider that an elementary system is a photon, in fact, the polarisation of this photon. Its state space is represented by a two dimensional Hilbert Space.
|0 represents
|1 represents
|+ = |0 + |1 represents
|- = |0 - |1 represents
Computationalbasis
Complementarybasis
21/2
For our purpose, it will be sufficient to consider that an elementary system is a photon, in fact, the polarisation of this photon. Its state space is represented by a two dimensional Hilbert Space.
21/2
21/2
General state and transformation
Global phase (multiplication by a complex number) does not change the physical state.
The valid transformations are unitary transformations on the Hilbert space.
This extends to tensor products of Hilbert Space. For example, |00 |01 |10 |11 is a basis for two photons.
The general state is |0 + |1 where and are complex numbers with ||2 + ||2 = 1.
Classical Vs Quantum
Many quantum observable have a classical counterpart. The polarisation of a photon is an example. Its classical counterpart is the polarisation of a classical laser beam.
The polarisation of a classical laser beam can be observed without disturbing it. This is not true for the (quantum) polarisation of a photon.
Orthogonal Measurement = Basis
We can measure in the computational basis using a beam splitter that is vertically oriented.
BeamSplitter
Occurs with probability ||2
Occurs with probability ||2
|0 + |1
|1
|0
This generalises to any basis in any tensor product space.
Models for Quantum Protocols
123121 UUUUUUUU iinnn
A protocol is specified by an initial state for each party and a sequence of quantum circuits:
where each circuit is controled by a single party. Communication occurs through registers that are transferred from one party to another.
This is not enough. We also need to specify what is a sub-protocol and how communication occurs between a protocol and its sub-protocols.
Subprotocols (I)
A protocol contains layers. The top layer is the protocol which call subprotocols in the layer below, and so on, recursively. Every circuit Ui belongs to one party and one protocol. It belongs to a protocol if it uses only registers in the top layer of the protocol and I/O registers in between this layer and an adjacent layer (parent or child).
Coin Flipping(Alice, Bob)Ha
Commit
b
Open
I/O
I/O
H
b`
Sub-protocol
a`
I/O
I/O
a b`
a` b
For simplicity, we omitted that Commit should informs Bob of a success, Alice should be informed of a succesful reception of b`, etc.
Internalregisters
Internalregisters
CoinFlipping(A,B)
BB AABB
BB
BBAA
AA AA
= Not usedin this case
Alice and Bobouput bits
Commit Open
InternalRegisters
BBAA
InternalRegisters
Alice picks a randombit and sends it toCommit
Registers and Communication
A protocol also contains internal registers and I/O registers:
• Every I/O register (two colours) belongs to a single party and is for communication in between a protocol and only one of its sub-protocol. Only the circuits Ui that are controlled by this party in the protocol or the subprotocol can access this I/O register.
• Every internal register (one colour) belongs to the top layer of a single (sub)protocol. Control over this register passes from one party to another: at the end of every circuit, the party (who just executed this circuit) can « transmit » some of his internal registers to other parties.
The honest environment of a protocol
Protocol B
The environment Z
The environment Z of a protocol B is the complementary set of circuits. The entire protocol is denoted Z(B).
BBAA
AA AA BBBB
BB
I/O
An honest environment
Internal
BB AABB
BB
BB
AA
AA
AA AABB
BBAABB
BBAABB
BB
AA
BBCC
CC CC BBBB
BB
I/O
A tree structure corresponds to the fact that we cannot use common subprotocol.
AA
AA
Coin Flipping
AA AA
The (dishonest) environment(Later we will consider restricted classes)
The environment has access to internal communication in the protocol and can corrupt parties.
AA is corrupted in this example
BB AABB
BB
BB
AA
AA
AA AABB
BBAABB
BBAABB
BB
AA
AA
AA
AA AA= the protocol+
The environment to Coin FlippingZZ
BB BB
BB
BB
The circuits in the attack can be anything. They can access the I/O registers of the honest parties in the protocol (as even an honest environment is allowed to do) and all the internal registers of the protocol and subprotocols when they are transmitted.
BB
Quantum Universal Security Definition (I)
Z
Z(B)
Z
Z(,S)
Basic Idea
B s.r if, for all environment Z, there exists a simulator S such that Z(B) Z(,S)
Real Protocol
BA protocol that defines the ideal (quantum) task
S
Ideal Protocol
Simulator
How does it work?
B s.r. G() s.r. G(B) s.r.
G
B
Z Z
S(G(B))
We want to prove
s.r. = securely realises
The top layer G of G(B) is in the environment of B.
G
B
=
B
ZGZ
Diagram 1 Diagram 2
So, we can use the security of B,
B
ZG ZG
S(B)
Diagram 2 Diagram 3
and take back G from the environment
ZG
S(B)
=
Z S(B)
G
Diagram 3 Diagram 4
and, finally, use the security of G().
Z S(B)
G
Z S(B)
S(G())
Diagram 4 Diagram 5
So, we have a simulator for G(B)
Z S(B)=
S(G())
Z
S(B)
S(G())
= S(G(B))
We also want to prove
B s.r. B(m) s.r. (m)
Z Z
S(B(m) )
s.r. = securely realises
1… m
B(m) = m copies of B
B1 … Bm
A key point in the proof
Z
At some point in the proof, the environment that is considered contains ideal protocols i with the simulator Si for Bi and some real protocol Bi.
B1 … j+1… m
Bj-1
Bj
Sj+1 Sj+1
So Z + the Bj + the simulators Sj must be a valid environment.
Quantum Universal Security Definition (II)
For any two random binary variables Y, Y` let us write
Y e Y` if | Pr( Y = 0 ) - Pr( Y` = 0 )| e. .
Let PP be the set of all polynomial functions.
Definition. A protocol B for an ideal functionality is secure, if for any environment Z there exists a simulator S such that (d P) P) ( n0 ) ( n > n0)
Z(B) e Z(, S)
where e = 1/d(n).
Dominic Mayers:
The essential difference with definition 3 is that we moved the (S) at the very end which makes the definition easier to achieve. It was also convenient to attach a polynome in n instead of a single term nc to every machine.
Dominic Mayers:
The essential difference with definition 3 is that we moved the (S) at the very end which makes the definition easier to achieve. It was also convenient to attach a polynome in n instead of a single term nc to every machine.
Quantum Universal Security Definition (III)
The simulator S must have a polynomial complexity c P that depends only on B (i.e. not on Z or n0). Also, n0 can only depend on d and on the respective polynomial complexity c, c` of S and Z (not on their actual circuits). The actual circuit of S, not its complexity, can depend on n and on the circuit of Z.
For every c P, let T(c) be the set of programs of complexity c. Formally, the order for the quantifiers is:
( c PP)(c’ PP)(d P) P) ( n0 )( n > n0)(Z T(c’))( S T(c))
Z(B) e Z(, S)
where e = 1/d(n).
About the Computational Setting
Dominic Mayers:
The essential difference with definition 3 is that we moved the (S) at the very end which makes the definition easier to achieve. It was also convenient to attach a polynome in n instead of a single term nc to every machine.
Dominic Mayers:
The essential difference with definition 3 is that we moved the (S) at the very end which makes the definition easier to achieve. It was also convenient to attach a polynome in n instead of a single term nc to every machine.
Nested protocols (more than 2 layers)
For formal simplicity, we consider each layer as a single protocol.
B1
B2
Bm
Bm-1
Z
Z
1S(B1(..Bm))
Basic step of the proof (I)
=B1
B2
Bm
Bm-1
Z
B1
B2
Bm
Bm-1
Z
Basic step of the proof (II)
B1
B2
m
Bm-1
Z
B1
B2
Bm
Bm-1
Z
Sm
Basic step of the proof (III)
=B1
B2
m
Bm-1
Z
Sm
B1
B2
m
Bm-1
Z
Sm
Basic step of the proof (III)
B1
B2
m
Bm-1
Z
Sm(Bm)
B1
B2
m-1
Z
Sm(Bm)
S(Bm-1(m))Etc…
A composability question
What about the security of an authentication protocol when a real QKD protocol, not an ideal one, is used as a resource (sub-protocol). Does the real QKD protocol provides what is promised?
QKD
k
K
Authenticationk
K
m m
Key Degradation
QKD
kAuthentication
QKD
k
kK
K
Authenticationk
K
K
A negative answer could mean an important degradation of the key after a few repetitions.
KK QKDBen-Or, Michal Horodecki, Leung, Mayers and Oppenheim (in progress)
Dominic Mayers: An interesting example of a composability question. This question was brought to our attention half a decade ago by Bennett and Smolin.
Dominic Mayers: An interesting example of a composability question. This question was brought to our attention half a decade ago by Bennett and Smolin.
Reversed Order (bottom-up)
Ideal QKD Protocol
Ideal QKDJam
k k
Eve
In our ideal QKD protocol, the participants in the environment interact directly with an ideal party which provides the random key.
In other ideal protocols, dummy parties are used.
If Jam = 1, k = fail.
If Jam = 0, k R{0,1}m
Back to Basic Quantum Mechanics
A distribution of probability p(i) over (possibly non orthogonal) states |(i) can be represented without loss of physical information by the operator
i
iiip )()()(
The probability of the outcome j in basis { |j | j = 1,…,m} is given by
i
i
ijip
jiijipjj
))(|Pr()(
)()()(
Real versus Ideal QKD
Real QKD
k
kkkkp )(1
Ideal Private QKD
k
m kk 2ˆ0
k
km 2 where
)ˆ,ˆ( 10SD
The real protocol -securely realises the ideal private QKD if
)}2/1,ˆ(),2/1,ˆ{( E whereI)ˆ,ˆ( 1010 accSD
fail1,0 mk
How comes there is a single key k for Alice and Bob on the real side?
The known security results for QKD give us that Alice`s key and Bob’s key are almost always identical.
For simplicity, we will assume that we are only interested about the privacy of Alice`s key.
Uniformity Vs Privacy
The security of QKD is not only a small mutual information. We must also require a priori uniformity, i.e., in the ideal case, for all k, p(k | Jam = 0) = 2-m.
Security of QKD in terms of Simulators and Environments
Real fail1,0 mk
k
Ideal QKD
Idealfail1Jam k
?
Alice Bob
QKD
k k
Authentication
Jam
Simu-lator
Using PrivacyWe can show that
mkacc
mSD 2Jam)|(2)ˆ,ˆ( 10 I
where Iacc(k | Jam) = max I(k;Y| Jam) and m is the length of the key. (We omit the proof here).
The large factor 2m looks bad, but actually it is not so bad because the bound on Iacc respects
where n can be taken arbitrarily large, independently of m.
n 2
What about the known QKD protocols
• Mayers and Shor-Preskill security proofs can be adapted for composability without the large factor 2m.
• We do not know if B92 is composable without this large factor (since there is no security proof).
Generalisation of Ideal ProtocolsThe essential of the composability proof did not use any particular definition of an ideal protocol. This suggests that we can obtain variation on the concept of composability by looking for variations on the notion of ideal protocols. The currently used concept is:
S
Ideal Protocol
Simulator
Format of the protocol
Alice`s Dummy Program
Bob`s Dummy Program
Alice Bob
Ideal Functionality(also called a trusted party)
Input Output Input Output
Ideal Internal Channels
They justforwardthe inputand the output
A possible variation (I)
First, note that simulator depends on the environment. So, in the view point that we have adopted, we already accepted the principle that the ideal protocol can depend on the environment.
An ideal protocol is any protocol, including protocols that use unrestricted circuits. However, the final state after every circuit in the ideal protocol should be with high fidelity close to a state that would be obtained with a valid circuit.
A possible variation (II)
Of course, we must also specify which properties are satisfied by this « ideal protocol ». For example, there might be measurements that compute the inputs of the corrupted parties in a way that is perfectly consistent with the desired task and the input/output of the honest parties, and commutes with the measurement of these honest input/output.
Composable relativistic bit commitment
We have obtained a “composable” relativistic bit commitmen in the the following sense:
If Alice is corrupted, there exists a measurement that computes the bit that will be open later in the opening phase. This measurement needs only to access the registers that are used by Alice in the commit phase. In particular, this measurement cannot access the register that are kept private by Bob until after the commit phase.
The protocol is perfectly concealing against Bob.
Conclusion
The quantum composability theorem is useful to provide an adequate angle to prove the security of quantum protocols with subprotocols. The key degradation problem is an example.
Many quantum protocols will not respect the “standard” univeral security definition (the one based on simulator and trusted party). Yet, variations on this standard definition can still provide a useful angle.