280 likes | 470 Views
Trevisan's extractor in the presence of quantum side information. Thomas Vidick UC Berkeley Based on joint work with Christopher Portmann , Anindya De, and Renato Renner arXiv:0912.5514. Outline. Classical extractors: definitions and application
E N D
Trevisan's extractor in the presence of quantum side information Thomas Vidick UC Berkeley Based on joint work with Christopher Portmann, Anindya De, and Renato Renner arXiv:0912.5514
Outline • Classical extractors: definitions and application • Extractors in the presence of side information • One-bit extractors • Main result: “any extractor based on Trevisan’s construction paradigm is secure against quantum storage” • Proof of security
Outline • Classical extractors: definitions and application • Extractors in the presence of side information • One-bit extractors • Main result: “any extractor based on Trevisan’s construction paradigm is secure against quantum storage” • Proof of security
Different types of randomness PX(x) PX(x) Public source X: • Weak randomness is “readily” available • Many applications require “perfect” randomness • Can we convert one to the other? • Obvious restriction: • Still, even extracting one bit is impossible in this setting! x x • Randomized algorithms • Crypto • Modeling Ideal uniform source: PX(x) PU(x) x x Ext?
Extracting perfect from weak randomness PX(x) PX(x) PY(x) • Possible under additional assumptions • Source has special structure (e.g. “affine” source) • Two (or more) independent sources • Additional short uniform seed x x x Uniform over structured subset PU(x) PU(x) PU(x) PX(x) + x x x x PY(x) + x
Extractors PY(x) Ext + x 2-K Defn. Ext: {0,1}N x {0,1}t→ {0,1}m is a (K,ɛ) extractor if for all X with min-entropy ≥ K we have || Ext(X,Y) ) - Z ||1 ≤ ɛ (where Y,Z are uniformly distributed) Moreover, Ext is a strong extractor if || (Y,Ext(X,Y) ) - (Y,Z) ||1 ≤ ɛ(where Y,Z are uniformly distributed) PX(x) x PU(x) • Parameters: • K could be .01N, √N, N.01, or even smaller • t should be as small as possible: t = O(log N) or t = O(polylog N) • Output length m ≈ K (want to extract almost all the randomness) • In order to achieve strong security, dependence on the error • should be poly-logarithmic. • Best parameters are all simultaneously achievable: [Tr’99], • [LRVW’03] (and subsequent work) x
Outline • Classical extractors: definitions and application • Extractors in the presence of side information • One-bit extractors • Main result: “any extractor based on Trevisan’s construction paradigm is secure against quantum storage” • Proof of security
Application to privacy amplification PY(x) Ext + 2-K PX(x) x Output: m bits, statistically close to uniform Source: N bits min-entropy > K Seed: t bits uniform x • Security: output appears uniform to any adversary, i.e. his information • about the extracted bits is close to 0. • Power of the adversary: • Has some limited knowledge S about X: • Can also learn the seed (but S must be independent from it) • Ex: bounded storage model. Adversary only has b qubits of storage. Then • . This is a special case. • → If we only have 2., then a strong extractor will work. What about 1.? PU(x) x
Extractors in the bounded-storage model PY(x) Ext + 2-K x Defn. Ext: {0,1}N x {0,1} t→ {0,1}m is a (K,ɛ) strong extractor against quantum adversaries if for all sources X and quantum systems S such that , we have || (S,Y,Ext(X,Y) ) – (S,Y,Z ) ||tr ≤ ɛ where Y, Z uniformly distributed. PX(x) Defn. Ext: {0,1}N x {0,1} t→ {0,1}m is a (K,ɛ) strong extractor if for all sources X such that , we have || (Y,Ext(X,Y) ) – (Y,Z ) ||tr ≤ ɛ where Y, Z uniformly distributed. x PU(x) x • [R’05]: exactly quantifies the amount of • randomness one can extract from X in the presence of S
[Lu’02]: Strong extractors are secure in the presence of classical side information • Assume adversary’s side information S is such that • For most values of s, the conditional distribution [X|S(X)=s] has min-entropy at least K → Applying a (K,ɛ) strong extractor suffices to obtain an output ɛ-close to uniform, even given the adversary’s storage s • Strong extractors give security against classical bounded-storage adversaries. • No longer true if the adversary’s side information S is quantum! • Cannot condition on the value taken by a quantum state: the marginal distributions are not defined
[GKKRW’07]: Some strong extractors are insecure against quantum adversaries • Give Ext: {0,1}n x {0,1}2log n → {0,1}n/2 such that • There is no classical adversary using less than √n bits of storage • There is a quantum adversary using only log n qubits x1 x2 x3 x4 source: n-bit string seed: perfect matching chosen among n2 Ext xn-1 xn Ext is a (K,ɛ) strong extractor for K=n • Classical adversary: cannot do better than birthday paradox • → need ≈ √n bits of information about x • Quantum adversary: • on seeing x, store • when matching revealed, measure in
Previous work on extractors against quantum • No general equivalence possible: focus on proving security of specific constructions. • [KMR’05]: 2-universal hashing works. • Seed length is ≈ N • [KT’06]: any classical 1-bit extractor is also secure against quantum adversaries • [FS’07]: construction based on pair-wise independence • Seed length is ≈ m • [T-S’09]: variant of Trevisan’s extractor, based on locally list-decodable codes • First construction to achieve logarithmic seed length • Only proved secure in the bounded-storage model • Weak output length (K/b)1/15 : gives nothing for b linear in K
Outline • Classical extractors: definitions and application • Extractors in the presence of side information • One-bit extractors • Main result: “any extractor based on Trevisan’s construction paradigm is secure against quantum storage” • Proof of security
One-bit extractors: a general construction ½-ɛ • C: {0,1}N → {0,1}M a (ɛ,L) list-decodable code E1: {0,1}N x {0,1} log M→ {0,1} ( x , y ) → C(x)y Claim: E1 is a (K,ɛ) strong extractor for K= log L+log(1/ ɛ) • Suppose there exists an adversary A • Given a random y, A can predict C(x)y with success prob. ½+ɛ • Run A on all M y’s → recover string z which is at relative distance ≈ ½-ɛ from C(x) → x is one among L possibilities. Impossible as long as K >> log L • Immediately extends to security against classical storage. What about quantum? ≤L ½-ɛ
[KT] One-bit extractors are safe(against quantum adversaries) • Assume adversary has side information S(x) about x • His task: given y, predict E1(x,y) = C(x)y • Measure S(x) • Measurement depends on y: hard to use information-theoretic bound • Adversary has to distinguish between states S(x) such that C(x)y = 0 and states such that C(x)y = 1 → State discrimination problem: PGM does close to optimal! • Use linearity to show that A’s measurement is independent of y → He is using his his quantum storage as if classical! → We know classical adversaries don’t exist
Outline • Classical extractors: definitions and application • Extractors in the presence of side information • One-bit extractors • Main result: “any extractor based on Trevisan’s construction paradigm is secure against quantum storage” • Proof of security
Trevisan’s extractor construction paradigm • E1 a “good” one-bit extractor {0,1}N x {0,1}d → {0,1}, d = O(log N) • Example: think E1(x,y) = C(x)y , where C is a good list-decodable code • Repeating E1 m times independently extracts m bits… but uses (m x t) bits of seed! • Idea: use tools from pseudo-randomness theory to save some bits of seed • Seed-expansion function g:{0,1}t → ({0,1}d )m (think t=O(d2 log m) for instance) • Extractor parameters depend on specifics of E1 and g x 0 1 0 1 0 1 1 0 • E1(x,y1),….,E1(x,ym) g y
Our results • Any classical extractor based on Trevisan’s paradigm is also secure against quantum adversaries • Can extract almost all the entropy: m = K-o(K) bits with seed length t = O(log3N) • Seed length can be made t=O(log n), with slightly worse output length m=Ω(K.99) • The extractor can be made locally computable for sources with linear min-entropy • Construction is very general • Trevisan’s proof technique shows how to make an efficient multi-bit extractor from any one-bit extractor • We extend this to the quantum adversary setting
Outline • Classical extractors: definitions and application • Extractors in the presence of side information • One-bit extractors • Main result: “any extractor based on Trevisan’s construction paradigm is secure against quantum storage” • Proof of security
Overview of security proof • By contradiction: assume adversary A can distinguish output from uniform with success ɛ. • First step: using A, construct an adversary A’ such that • A’ has access to the same side information as A • A’ has some additional classical information over m bits • A’ breaks the one-bit extractor E1 with success prob. ½+ɛ/m • Second step: such an A’ cannot exist! • We assumed E1 was a good classical strong extractor • [KT] implies that E1 is also secure against quantum adversaries • E is secure as long as K - m > K1 → K > m+log(m/ɛ)
Summary • Trevisan’s extractor makes any one-bit extractor into an m-bit extractor, while still using a small seed • Original proof based on “reconstruction paradigm” • Show how x can be reconstructed from ρx • Adapting this to the quantum setting was a challenge • Quantum states are destroyed when measured once… • Main bottleneck in Ta-Shma’s analysis • Key result from [KT’06] shows strong limitation on the power of the quantum adversary • Conceptual issue at heart is the amount of information that can be encoded in a quantum state • As a by-product, we obtain very strong lower bounds for any encoding x→ρx from which one can recover arbitrary codeword positions C(x)y • Strengthens a bound from [BRW07] for the special case of the XOR code
Open questions • Is it possible to extract (almost) all the initial entropy with a logarithmic seed? • Trevisan’s extractor only extracts Kδ, for any δ>0 • Classical constructions exist, but based on different ideas. • What about other types of extractors? • Two-source extractors • Affine extractors • Other applications to cryptography? • Trevisan’s extractor can be made very efficient • Security is composable, so it should be widely applicable