Trevisan's extractor in the presence of quantum side information

Thomas Vidick, UC Berkeley. Based on joint work with Christopher Portmann, Anindya De, and Renato Renner. arXiv:0912.5514.


Presentation Transcript


  1. Trevisan's extractor in the presence of quantum side information Thomas Vidick UC Berkeley Based on joint work with Christopher Portmann, Anindya De, and Renato Renner arXiv:0912.5514

  2. Outline • Classical extractors: definitions and application • Extractors in the presence of side information • One-bit extractors • Main result: “any extractor based on Trevisan’s construction paradigm is secure against quantum storage” • Proof of security

  3. Outline • Classical extractors: definitions and application • Extractors in the presence of side information • One-bit extractors • Main result: “any extractor based on Trevisan’s construction paradigm is secure against quantum storage” • Proof of security

  4. Different types of randomness • Weak randomness is “readily” available • Many applications require “perfect” randomness • Can we convert one to the other? • Obvious restriction: • Still, even extracting one bit is impossible in this setting! • Randomized algorithms • Crypto • Modeling [Figure: public source X with distribution $P_X(x)$; ideal uniform source with distribution $P_U(x)$; Ext?]

  5. Extracting perfect from weak randomness • Possible under additional assumptions • Source has special structure (e.g. “affine” source) • Two (or more) independent sources • Additional short uniform seed [Figure: for each case, the source distribution(s) $P_X(x)$, $P_Y(x)$ and the output distribution $P_U(x)$; the first case is labelled “Uniform over structured subset”]

  6. Extractors • Defn. Ext: $\{0,1\}^N \times \{0,1\}^t \to \{0,1\}^m$ is a $(K,\varepsilon)$ extractor if for all X with min-entropy ≥ K we have $\| \mathrm{Ext}(X,Y) - Z \|_1 \le \varepsilon$ (where Y, Z are uniformly distributed). Moreover, Ext is a strong extractor if $\| (Y,\mathrm{Ext}(X,Y)) - (Y,Z) \|_1 \le \varepsilon$ (where Y, Z are uniformly distributed) • Parameters: • K could be $0.01N$, $\sqrt{N}$, $N^{0.01}$, or even smaller • t should be as small as possible: t = O(log N) or t = O(polylog N) • Output length m ≈ K (want to extract almost all the randomness) • In order to achieve strong security, dependence on the error should be poly-logarithmic. • Best parameters are all simultaneously achievable: [Tr’99], [LRVW’03] (and subsequent work) [Figure: source $P_X(x)$ with label $2^{-K}$, seed $P_Y(x)$, Ext, output $P_U(x)$]

  7. Outline • Classical extractors: definitions and application • Extractors in the presence of side information • One-bit extractors • Main result: “any extractor based on Trevisan’s construction paradigm is secure against quantum storage” • Proof of security

  8. Application to privacy amplification • Security: output appears uniform to any adversary, i.e. his information about the extracted bits is close to 0. • Power of the adversary: 1. Has some limited knowledge S about X: 2. Can also learn the seed (but S must be independent from it) • Ex: bounded storage model. Adversary only has b qubits of storage. Then . This is a special case. → If we only have 2., then a strong extractor will work. What about 1.? [Figure: Source: N bits, min-entropy > K, distribution $P_X(x)$ with label $2^{-K}$; Seed: t bits, uniform, distribution $P_Y(x)$; Ext; Output: m bits, statistically close to uniform, distribution $P_U(x)$]

  9. Extractors in the bounded-storage model • Defn. Ext: $\{0,1\}^N \times \{0,1\}^t \to \{0,1\}^m$ is a $(K,\varepsilon)$ strong extractor against quantum adversaries if for all sources X and quantum systems S such that , we have $\| (S,Y,\mathrm{Ext}(X,Y)) - (S,Y,Z) \|_{\mathrm{tr}} \le \varepsilon$ where Y, Z uniformly distributed. • Defn. Ext: $\{0,1\}^N \times \{0,1\}^t \to \{0,1\}^m$ is a $(K,\varepsilon)$ strong extractor if for all sources X such that , we have $\| (Y,\mathrm{Ext}(X,Y)) - (Y,Z) \|_{\mathrm{tr}} \le \varepsilon$ where Y, Z uniformly distributed. • [R’05]: exactly quantifies the amount of randomness one can extract from X in the presence of S [Figure: source $P_X(x)$ with label $2^{-K}$, seed $P_Y(x)$, Ext, output $P_U(x)$]

  10. [Lu’02]: Strong extractors are secure in the presence of classical side information • Assume adversary’s side information S is such that • For most values of s, the conditional distribution [X|S(X)=s] has min-entropy at least K → Applying a (K,ɛ) strong extractor suffices to obtain an output ɛ-close to uniform, even given the adversary’s storage s • Strong extractors give security against classical bounded-storage adversaries. • No longer true if the adversary’s side information S is quantum! • Cannot condition on the value taken by a quantum state: the marginal distributions are not defined

  11. [GKKRW’07]: Some strong extractors are insecure against quantum adversaries • Give Ext: $\{0,1\}^n \times \{0,1\}^{2\log n} \to \{0,1\}^{n/2}$ such that • There is no classical adversary using less than √n bits of storage • There is a quantum adversary using only log n qubits [Figure: source: n-bit string $x_1\, x_2\, x_3\, x_4 \dots x_{n-1}\, x_n$; seed: perfect matching chosen among $n^2$; Ext] • Ext is a (K,ɛ) strong extractor for K=n • Classical adversary: cannot do better than birthday paradox → need ≈ √n bits of information about x • Quantum adversary: • on seeing x, store • when matching revealed, measure in

  12. Previous work on extractors against quantum • No general equivalence possible: focus on proving security of specific constructions. • [KMR’05]: 2-universal hashing works. • Seed length is ≈ N • [KT’06]: any classical 1-bit extractor is also secure against quantum adversaries • [FS’07]: construction based on pair-wise independence • Seed length is ≈ m • [T-S’09]: variant of Trevisan’s extractor, based on locally list-decodable codes • First construction to achieve logarithmic seed length • Only proved secure in the bounded-storage model • Weak output length $(K/b)^{1/15}$: gives nothing for b linear in K

  13. Outline • Classical extractors: definitions and application • Extractors in the presence of side information • One-bit extractors • Main result: “any extractor based on Trevisan’s construction paradigm is secure against quantum storage” • Proof of security

  14. One-bit extractors: a general construction • C: $\{0,1\}^N \to \{0,1\}^M$ a (ɛ,L) list-decodable code • $E_1: \{0,1\}^N \times \{0,1\}^{\log M} \to \{0,1\}$, $(x,y) \mapsto C(x)_y$ • Claim: $E_1$ is a (K,ɛ) strong extractor for $K = \log L + \log(1/\varepsilon)$ • Suppose there exists an adversary A • Given a random y, A can predict $C(x)_y$ with success prob. ½+ɛ • Run A on all M y’s → recover string z which is at relative distance ≈ ½-ɛ from C(x) → x is one among L possibilities. Impossible as long as K >> log L • Immediately extends to security against classical storage. What about quantum? [Figure labels: ½-ɛ, ≤L]

  15. [KT] One-bit extractors are safe (against quantum adversaries) • Assume adversary has side information S(x) about x • His task: given y, predict $E_1(x,y) = C(x)_y$ • Measure S(x) • Measurement depends on y: hard to use information-theoretic bound • Adversary has to distinguish between states S(x) such that $C(x)_y = 0$ and states such that $C(x)_y = 1$ → State discrimination problem: PGM does close to optimal! • Use linearity to show that A’s measurement is independent of y → He is using his quantum storage as if classical! → We know classical adversaries don’t exist

  16. Outline • Classical extractors: definitions and application • Extractors in the presence of side information • One-bit extractors • Main result: “any extractor based on Trevisan’s construction paradigm is secure against quantum storage” • Proof of security

  17. Trevisan’s extractor construction paradigm • $E_1$ a “good” one-bit extractor $\{0,1\}^N \times \{0,1\}^d \to \{0,1\}$, d = O(log N) • Example: think $E_1(x,y) = C(x)_y$, where C is a good list-decodable code • Repeating $E_1$ m times independently extracts m bits… but uses (m x t) bits of seed! • Idea: use tools from pseudo-randomness theory to save some bits of seed • Seed-expansion function $g: \{0,1\}^t \to (\{0,1\}^d)^m$ (think $t = O(d^2 \log m)$ for instance) • Extractor parameters depend on specifics of $E_1$ and g [Figure: seed y expanded by g; source x = 0 1 0 1 0 1 1 0; output $E_1(x,y_1), \dots, E_1(x,y_m)$]

  18. Our results • Any classical extractor based on Trevisan’s paradigm is also secure against quantum adversaries • Can extract almost all the entropy: m = K-o(K) bits with seed length $t = O(\log^3 N)$ • Seed length can be made t=O(log n), with slightly worse output length $m = \Omega(K^{0.99})$ • The extractor can be made locally computable for sources with linear min-entropy • Construction is very general • Trevisan’s proof technique shows how to make an efficient multi-bit extractor from any one-bit extractor • We extend this to the quantum adversary setting

  19. Outline • Classical extractors: definitions and application • Extractors in the presence of side information • One-bit extractors • Main result: “any extractor based on Trevisan’s construction paradigm is secure against quantum storage” • Proof of security

  20. Overview of security proof • By contradiction: assume adversary A can distinguish output from uniform with success ɛ. • First step: using A, construct an adversary A’ such that • A’ has access to the same side information as A • A’ has some additional classical information over m bits • A’ breaks the one-bit extractor $E_1$ with success prob. ½+ɛ/m • Second step: such an A’ cannot exist! • We assumed $E_1$ was a good classical strong extractor • [KT] implies that $E_1$ is also secure against quantum adversaries • E is secure as long as $K - m > K_1$ → K > m+log(m/ɛ)

  21. Summary • Trevisan’s extractor makes any one-bit extractor into an m-bit extractor, while still using a small seed • Original proof based on “reconstruction paradigm” • Show how x can be reconstructed from $\rho_x$ • Adapting this to the quantum setting was a challenge • Quantum states are destroyed when measured once… • Main bottleneck in Ta-Shma’s analysis • Key result from [KT’06] shows strong limitation on the power of the quantum adversary • Conceptual issue at heart is the amount of information that can be encoded in a quantum state • As a by-product, we obtain very strong lower bounds for any encoding $x \to \rho_x$ from which one can recover arbitrary codeword positions $C(x)_y$ • Strengthens a bound from [BRW07] for the special case of the XOR code

  22. Open questions • Is it possible to extract (almost) all the initial entropy with a logarithmic seed? • Trevisan’s extractor only extracts $K^{\delta}$, for any δ>0 • Classical constructions exist, but based on different ideas. • What about other types of extractors? • Two-source extractors • Affine extractors • Other applications to cryptography? • Trevisan’s extractor can be made very efficient • Security is composable, so it should be widely applicable

  23. Thank you!
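
The construction paradigm of slides 14 and 17, as an added sketch that is not code from the talk or the paper: E1(x, y) = C(x)_y applied to m overlapping blocks of one short seed. The choice of C (Reed-Solomon over GF(2^8) concatenated with Hadamard), the seed expansion g (a combinatorial design built from lines over GF(17)) and all parameter values are assumptions made for this example.

```python
"""Toy Trevisan-style extractor: E(x, seed) = E1(x, y_1), ..., E1(x, y_m)."""
import random
from itertools import islice, product

D, P = 16, 17  # assumed toy parameters: d = 16 seed bits per E1 call, prime P >= d

def gf256_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def e1(x, y):
    """One-bit extractor E1(x, y) = C(x)_y, C = Reed-Solomon over GF(2^8)
    concatenated with Hadamard: y = (a, r), output <poly_x(a), r> mod 2."""
    a = int("".join(map(str, y[:8])), 2)
    r = int("".join(map(str, y[8:])), 2)
    v = 0
    for coeff in reversed(x):  # Horner evaluation of poly_x at the point a
        v = gf256_mul(v, a) ^ coeff
    return bin(v & r).count("1") % 2

def design(m, deg=2):
    """m subsets of the D*P seed positions, each of size D, pairwise overlap
    <= deg - 1: S_f = {(c, f(c)) : c < D}, f a polynomial of degree < deg mod P."""
    if m > P ** deg:
        raise ValueError("not enough polynomials of this degree")
    return [[c * P + sum(k * c**j for j, k in enumerate(co)) % P
             for c in range(D)]
            for co in islice(product(range(P), repeat=deg), m)]

def trevisan(x, seed, sets):
    """g expands the t-bit seed into m overlapping d-bit blocks y_i = seed|S_i."""
    return [e1(x, [seed[j] for j in s]) for s in sets]

if __name__ == "__main__":
    rng = random.Random(1)                       # constructed sample inputs only
    x = [rng.randrange(256) for _ in range(32)]  # source: 32 bytes, N = 256 bits
    seed = [rng.randrange(2) for _ in range(D * P)]
    out = trevisan(x, seed, design(64))
    print(len(seed), "seed bits ->", "".join(map(str, out)))
```

With these toy parameters the 64 calls to E1 share one 272-bit seed, where independent seeds would take 64 × 16 = 1024 bits.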
