Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1.

Post on 30-Mar-2015

Short seed extractors against quantum storage

Amnon Ta-Shma, Tel-Aviv University

1

Privacy amplification [BB]

Alice and Bob share information that is partially secret towards an eavesdropper Eve.

• Their goal is to extract a shorter string that is completely secret.

• They may use a short, public random string.

More formally:

Alice and Bob share $x \in \{0,1\}^n$. $x$ has a-priori distribution $X$ that has a lot of entropy.

$H(X) \ge k$

$\forall a:\ \Pr[X=a] \le 2^{-k}$

Eve holds a random variable $W$ on $\{0,1\}^b$ that holds partial information about $x$.

3

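A $(k,b,\varepsilon)$ extractor - classical case

$E:\{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ is a $(k,b,\varepsilon)$ extractor if, for every $X$ with $H(X) \ge k$ and for every $W=W(X)$ distributed on $\{0,1\}^b$:

$|\, U_t \; E(X,U_t) \; W(X) \;-\; U_t \; U_m \; W(X) \,| \le \varepsilon$

Sample: $x \in X$, $y \in \{0,1\}^t$. Output: $y, E(x,y), W(x)$

Sample: $x \in X$, $y \in \{0,1\}^t$, $u \in \{0,1\}^m$. Output: $y, u, W(x)$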

4

In the classical world

The problem can be solved almost optimally using extractors.

Solutions give: $t = O(\log(n/\varepsilon))$

m=(k-b)

5
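Added example (not from the original slides): the classical $(k,b,\varepsilon)$ definition above, evaluated exactly on a case small enough to enumerate every seed. The Toeplitz-style hash, the flat source on 6 bits and the prefix leak are assumptions chosen for illustration, and all function names are hypothetical; this is not the extractor the talk constructs.

```python
from collections import Counter

def toeplitz_extract(x, y, n, m):
    """E(x, y): output bit i is the parity of x AND seed bits i..i+n-1."""
    mask = (1 << n) - 1
    out = 0
    for i in range(m):
        out |= (bin((y >> i) & mask & x).count("1") & 1) << i
    return out

def distance_from_ideal(source, leak, n, m):
    """Exact statistical distance between (y, E(x,y), W(x)) and (y, u, W(x)),
    with x uniform on `source`, y a uniform seed and u uniform on m bits."""
    t = n + m - 1                       # seed length of this hash family
    side = Counter(leak(x) for x in source)
    l1 = 0.0
    for y in range(1 << t):
        real = Counter((toeplitz_extract(x, y, n, m), leak(x)) for x in source)
        for w, count_w in side.items():
            ideal = count_w / (1 << m)  # expected count of each u given w
            l1 += sum(abs(real[(u, w)] - ideal) for u in range(1 << m))
    return l1 / (2 * len(source) * (1 << t))

N = 6
SOURCE = range(1 << N)                  # constructed source: flat, k = n = 6

# Eve keeps b = 1 bit (the top bit of x); extract m = 1 bit.
eps_small_leak = distance_from_ideal(SOURCE, lambda x: x >> 5, N, 1)
# Eve keeps b = 4 bits; asking for m = 3 > k - b = 2 bits cannot work.
eps_big_leak = distance_from_ideal(SOURCE, lambda x: x >> 2, N, 3)

if __name__ == "__main__":
    print(eps_small_leak, eps_big_leak)
```

With one leaked bit only the two seeds whose low five bits are zero give Eve any advantage; once $m$ exceeds $k-b$, every seed leaves the output at distance at least 1/2 from uniform.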

A $(k,b,\varepsilon)$ extractor - quantum case

$E:\{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ is a $(k,b,\varepsilon)$ extractor against quantum storage if, for every $X$ with $H(X) \ge k$ and for every =(X) on $b$ qubits:

$|\, U_t \; E(X,U_t)$ (X) $-\; U_t \; U_m$ (X) $|_{tr} \le \varepsilon$

Sample: $x \in X$, $y \in \{0,1\}^t$. Output: $y, E(x,y)$, (x)

Sample: $x \in X$, $y \in \{0,1\}^t$, $u \in \{0,1\}^m$. Output: $y, u$, (x)

6

In the quantum world

Some extractors fail. [GKKRWJ] show an extractor against $b$ bits that fails against polylog($b$) qubits.

Some extractors work:

• König, Maurer, Renner ‘04
• Fehr, Schaffner ‘08
• König, Terhal ‘08

7

Previous extractors - quantum case

$E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$

| Technique | Seed length | Author |
|---|---|---|
| Pair-wise independence, Collisions | t=(n) | König, Maurer, Renner |
| Almost pair-wise independence | t=(m) | Variation on KMR |
| $\mathbb{Z}_2^n$ Fourier transform | t=(b) | Fehr, Schaffner |
| Any one-output extractor is good | t=(m) | König, Terhal |
| Any extractor is good with error 2b | t=(b) | König, Terhal |
| Several methods | $t=O(\log(n))$ | Classical |

8

Our result

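A $(k,b,\varepsilon)$ extractor $E:\{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ against quantum storage, with:

$t = O\left(\frac{\log^2(n/\varepsilon)}{\log m}\right)$

$m = O\left(\left(\frac{k}{b \log n}\right)^{1/15}\right)$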

Optimal t=O(log n) when m=n(1)

Trevisan: m=(k-b)(1)

Optimal: (k-b)

9

The basic paradigm

Reconstruction algorithms

Reconstruction $\Rightarrow$ Extraction in the classical world [Trevisan]

Reconstruction with few queries $\Rightarrow$ Extraction against quantum storage.

10

Distinguisher

A test is a function $T : \{0,1\}^m \to \{0,1\}$

A test $T$ $\varepsilon$-distinguishes $D_1$ from $D_2$ if

$|\, \Pr_{x \in D_1}[T(x)=1] - \Pr_{x \in D_2}[T(x)=1] \,| \ge \varepsilon$

11

Reconstruction algorithms

A function $E:\{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ has a reconstruction algorithm $R$ if

for every $x \in \{0,1\}^n$, and every $T$ that distinguishes $U_t \; E(x,U_t)$ from $U_{t+m}$,

there exists a string adv=adv(x) of $a$ bits, s.t.

$R^T(\mathrm{adv}(x)) = x$

12

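Reconstruction $\Rightarrow$ Extraction [Tre]

Suppose $E$ has reconstruction with $a$ advice bits. Suppose $E$ is not a $(k,b,\varepsilon)$ extractor. Then, there exist:

• $X$ with $H(X) \ge k$,
• Eve storing $b$ bits of information, $\varepsilon$-distinguishing $E$ from uniform.

$B = \{\, x \mid \text{Eve } \varepsilon\text{-dist } W(x)\, U_t\, E(x,U_t) \text{ from } W(x)\, U_{t+m} \,\}$

$|B| \ge \varepsilon |X|$

13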

For every $x \in B$

The test $T$:

• Gets advice $W(x)$.
• Applies Eve($W(x)$, $y$, $w$).
• $\varepsilon$-distinguishes $U_t \; E(x,U_t)$ from $U_{t+m}$.

The reconstruction algorithm:

• Makes oracle calls to $T$.
• Gets additional $a$ bits of advice adv(x).
• Reconstructs $x$.

Thus $x \in B$ can be reconstructed using $a+b$ bits.

14

Reconstruction $\Rightarrow$ Extraction [Tre]

$|B| \le 2^{a+b}$ and $2^k \le |X| \le |B|/\varepsilon$. Thus, $k \le a+b+\log(1/\varepsilon)$.

15

Extractor against quantum storage

Suppose $E$ has reconstruction with $q$ queries. Suppose $E$ is not a $(k,b,\varepsilon)$ extractor. Then, there exist:

• $X$ with $H(X) \ge k$,
• Eve storing $b$ qubits of information,

$B = \{\, x \mid$ Eve $\varepsilon$-dist (x) $U_t\, E(x,U_t)$ from (x) $U_{t+m} \,\}$

$|B| \ge \varepsilon |X|$

16

For every $x \in B$

The test $T$:

• Gets advice (x).
• Applies Eve( (x), $y$, $w$).
• $\varepsilon$-distinguishes $U_t \; E(x,U_t)$ from $U_{t+m}$.

The reconstruction algorithm:

• Makes oracle calls to $T$.
• Gets additional $a$ bits of advice adv(x).
• Reconstructs $x$.

Thus $x \in B$ can be reconstructed using $a+qb$ bits: $a$ for the classical advice adv(x), $qb$ for $q$ queries to Eve.

17

Extractor against quantum storage

$|B| \le 2^{a+qb}$.

Thus, $2^k \le |X| \le 2^{a+qb}/\varepsilon$.

$k \le a+qb+\log(1/\varepsilon)$.

18

Conclusions so far

A function $E:\{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ that has a reconstruction algorithm with

• a short classical advice adv(x), and
• a few queries to the distinguisher

yields a good extractor against quantum storage.

19

An extractor with reconstruction

• The NW generator
• List decoding
• Trevisan’s extractor
• The quantum case

Trevisan’s work

20

The NW Generator

$NW:\{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ has reconstruction that is correct on average.

Given a distinguisher $T$, and the right advice adv(x):

$R^T(\mathrm{adv}(x), i) = x_i$

for most $i \in [n]$

21

The NW generator uses a single query

List decoding

22

Trevisan’s extractor

Uses:

• NW and its reconstruction algorithm,
• A code $C : \{0,1\}^n \to \{0,1\}^N$ that is $(L=\mathrm{poly}(n),\ p=1/2-\varepsilon)$ list-decodable.

$T(x,y) = NW(C(x), y)$

23

Reconstruction for Trevisan’s ext.

$T(x,y) = NW(C(x), y)$

• Find a word $w \in \{0,1\}^N$ that is $1/2+\varepsilon$ close to $C(x)$ using the NW reconstruction algorithm.
• Apply list decoding. Get a list $L$ of all code words close to $w$, $x \in L$.
• The advice tells us which is $x$.

Works well, but requires N queries.

24

The way around

• NW generator – learns a single bit of $C(x)$, with one query, on average over $i \in [N]$

25

Trevisan: List decoding. Learn the whole of $x$, with poly($n$) queries.

Us: Local list decoding. Learn a single bit of $x$, with polylog($n$) queries, for any $i \in [n]$ of our choice.

Two questions

1. How do we achieve that? Answer: using local list decoding.

2. Does this suffice for the analysis? Answer: Yes, using lower bounds on random access codes.

26

The new extractor

Uses:

• NW generator and its reconstruction algorithm,
• A code $C : \{0,1\}^n \to \{0,1\}^N$ that is $(L=\mathrm{poly}(n),\ p=1/2+\varepsilon)$ locally list-decodable with $q=\mathrm{polylog}(n)$ queries.

$E(x,y) = NW(C(x), y)$

27

The Analysis

Suppose $E(x,y) = NW(C(x), y)$ is not a $(k,b,\varepsilon)$ ext, violated with $X$ and = (X).

For any $x \in B$

Advice: $a+qb$ qubits. We can learn any bit of $x$, with succ. prob. 2/3.

$|B| \le 2^{(a+qb)\log n}$.

$2^k \le |X| \le 2^{(a+qb)\log n}/\varepsilon$.

$k \le (a+qb)\log n + \log(1/\varepsilon)$.

28

a RAC for B using a+qb qubits

Random access code for X

RAC : $X \to$ density matrix over $m$ qubits, such that for every $x \in X$:

• Worst-case RAC: for all $i \in [n]$, one can recover $x_i$ from RAC($x$) with success probability at least 2/3.

• Average-case RAC: for most $i \in [n]$, one can recover $x_i$ from RAC($x$).

29

RAC for X

| | Arbitrary $X$ | $X=\{0,1\}^n$ |
|---|---|---|
| Worst case RAC | $(\log|X| / \log(n))$ | (n) |
| Average case RAC | 0 | (n) |

30

Summary

For the construction, we use: Trevisan’s extractor, with local, list-decodable error correcting codes.

For the analysis, we use: reconstruction algorithms together with random access codes.

31

Challenge

1. Find an extractor that

• Works against quantum storage
• With optimal parameters.

2. Generalize the construction to an Eve that holds more qubits but has little “information” about $X$.