Transcript of slides: web.eecs.umich.edu/~shiyy/random/QRandom.pdf
Randomness: between faith and reality
Yaoyun Shi University of Michigan
joint works with Carl Miller (arXiv:1402.0489&1411.6608), Kai-Min Chung and Xiaodi Wu (arXiv:1402.4797)
Randomness is a faith
"[We assume] that the developer understands the behavior of the entropy source and has made a good faith effort to produce a consistent source of entropy."
Randomness is impossible to test directly
• All randomness tests can be easily fooled
• A test program is a Boolean function TEST()
• Fix an input x such that TEST(x) = ACCEPT
• A generator that always outputs x passes the test
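The trick on this slide, as an added example in Python (not code from the talk): a small statistical test suite and a zero-entropy "generator" that passes it on every call. The monobit and longest-run thresholds are this example's own choices, not those of any standard; the accepted string x is found by searching fixed-seed PRNG streams, which is one way to "fix an input x such that TEST(x) = ACCEPT".

```python
import itertools
import random

N_BITS = 20000  # size of one generator output under test (parameter chosen for the example)


def monobit_ok(bits):
    """Frequency test: the number of ones must lie within 3 standard deviations of n/2.
    Threshold chosen for this example; FIPS 140-2 / NIST SP 800-22 use their own tables."""
    n = len(bits)
    return abs(sum(bits) - n / 2) <= 3 * (n ** 0.5) / 2


def longest_run(bits):
    """Length of the longest run of identical consecutive bits."""
    best = count = 1
    for prev, bit in zip(bits, bits[1:]):
        count = count + 1 if bit == prev else 1
        best = max(best, count)
    return best


def TEST(bits):
    """A Boolean test program, as on the slide: True = ACCEPT, False = REJECT."""
    return monobit_ok(bits) and longest_run(bits) <= 34


def find_accepted_input(n_bits=N_BITS):
    """Fix an input x with TEST(x) == ACCEPT.
    Seeds are tried in order, so the result is deterministic and the search terminates."""
    for seed in itertools.count():
        rng = random.Random(seed)
        x = [rng.getrandbits(1) for _ in range(n_bits)]
        if TEST(x):
            return x


class FooledGenerator:
    """'RNG' that always outputs the same accepted string x: zero entropy, passes TEST every time."""

    def __init__(self, x):
        self._x = x

    def output(self):
        return list(self._x)


def guessing_probability(outputs):
    """Max probability of guessing an output correctly, estimated from the observed outputs.
    1.0 means every output was identical, i.e. min-entropy 0."""
    counts = {}
    for out in outputs:
        key = tuple(out)
        counts[key] = counts.get(key, 0) + 1
    return max(counts.values()) / len(outputs)


def demo(trials=50):
    """Returns (did TEST accept every output, guessing probability of the outputs)."""
    gen = FooledGenerator(find_accepted_input())
    outputs = [gen.output() for _ in range(trials)]
    return all(TEST(o) for o in outputs), guessing_probability(outputs)


if __name__ == "__main__":
    accepted, p_guess = demo()
    print(f"TEST accepted every output: {accepted}; guessing probability: {p_guess}")
```

The test passes on every call while an adversary who knows x guesses every output with probability 1; a statistical test measures the shape of one sample, never the entropy of the process that produced it.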
Randomness may not exist at all
• Could the world be deterministic?
• Possible even when quantum theory is correct (but not complete)
• We’d never know
Randomness = Secrecy?
[Diagram: perfect secrecy ⟷ perfectly random; almost perfect secrecy ⟷ almost random]
Randomness is indispensable in reality
• Random Number Generators (RNGs) provide the mother secret for cryptography
• RNGs are in all computers/smart phones
• Hardware generator: Intel’s on-chip generator RdRand/RdSeed
• Software generator: Linux’s /dev/random
• 100 T bits/day worldwide?
• Each computer process uses randomness at startup: address space layout randomization
• We trust that they are doing their jobs
Blind faith is dangerous
• Lack of entropy causes weak cryptographic keys [Heninger+, Lenstra+]
• Backdoors may be in government standards for RNGs [Snowden]
• Hardware may be maliciously modified
• [Becker+'13]: changing the dopant level in Intel's RNG design can essentially remove the output randomness
How much blind faith is necessary for ensuring true randomness?
Necessary blind faith: randomness exists
• Min-entropy source: the weakest form of randomness?
• An (n, k)-source consists of n bits which the adversary can guess correctly with probability at most 2^-k (min-entropy ≥ k)
• A Santha-Vazirani source is an (n, cn)-source for a constant c, thus highly random
Faith required by the classical approach
• Randomness extractors [since the 1980's]: transform weak input sources into true output randomness
• Requires two independent sources
• Single-source (deterministic) extraction is impossible
[Diagram: weak randomness sources → deterministic extractor → true randomness]
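The two definitions above and the impossibility claim, as an added Python example (not from the slides or the papers): it computes the exact distribution of a Santha-Vazirani source under an adaptive adversary and checks that its min-entropy is cn, and for any deterministic extractor f it constructs a source with min-entropy n-m on which f is constant. The `lean` strategy, the bias 0.25 and the parameter values are constructed for illustration.

```python
import math
from collections import defaultdict
from itertools import product


def min_entropy(dist):
    """H_min = -log2(max_x Pr[X = x]) for a distribution given as {x: prob}.
    An (n, k)-source is exactly one with H_min >= k."""
    return -math.log2(max(dist.values()))


def santha_vazirani_source(n, delta, lean):
    """Exact distribution of an n-bit Santha-Vazirani source with bias delta in [0, 1/2).
    The adversary picks, for each prefix, the next bit it prefers (lean(prefix) -> 0/1);
    that bit then appears with probability 1/2 + delta, the other with 1/2 - delta."""
    dist = {(): 1.0}
    for _ in range(n):
        nxt = {}
        for prefix, p in dist.items():
            favored = lean(prefix)
            nxt[prefix + (favored,)] = p * (0.5 + delta)
            nxt[prefix + (1 - favored,)] = p * (0.5 - delta)
        dist = nxt
    return dist


def sv_min_entropy_bound(n, delta):
    """k = c*n with c = log2(1/(1/2 + delta)): whatever the strategy, the most likely
    string is the one that follows the lean at every step and has probability (1/2+delta)^n."""
    return n * math.log2(1 / (0.5 + delta))


def fool_deterministic_extractor(f, n):
    """Single-source extraction is impossible: for any deterministic f: {0,1}^n -> {0,1}^m,
    the flat source on the largest preimage f^-1(y) has size >= 2^(n-m), hence min-entropy
    >= n - m, yet f is constant (= y) on it. Returns (source distribution, constant y)."""
    buckets = defaultdict(list)
    for x in product((0, 1), repeat=n):
        buckets[f(x)].append(x)
    y, preimage = max(buckets.items(), key=lambda kv: len(kv[1]))
    return {x: 1.0 / len(preimage) for x in preimage}, y


if __name__ == "__main__":
    sv = santha_vazirani_source(8, 0.25, lambda prefix: len(prefix) % 2)
    print("SV source min-entropy:", min_entropy(sv), "bound:", sv_min_entropy_bound(8, 0.25))
    src, y = fool_deterministic_extractor(lambda x: (sum(x) % 2,), 8)
    print("parity is constant", y, "on a source of min-entropy", min_entropy(src))
```

For parity (m = 1) the fooling source is flat on 2^7 strings, so it is an (8, 7)-source, about as random as a single-bit extractor could hope for, and the extractor still outputs a constant on it.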
Independence is impossible to test
• The uniform pair (x, x) is maximally correlated
• but it is a convex combination of independent distributions
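The decomposition behind this slide, written out (added here; not on the original slide). With $X$ uniform on $\{0,1\}^n$ and $\delta_z$ the point mass at $z$:

$$\Pr[(X,X)=(x,y)] \;=\; 2^{-n}\,[x=y] \;=\; \sum_{z\in\{0,1\}^n} 2^{-n}\,\delta_z(x)\,\delta_z(y).$$

Each summand $\delta_z\otimes\delta_z$ is a product distribution, so the maximally correlated pair is a convex combination of independent pairs. A tester who only sees samples of the pair cannot rule out that every sample came from the independent mechanism $\delta_z\otimes\delta_z$ for an adversary-chosen $z$; independence of two sources is therefore not something that can be certified from the outside, it has to be assumed.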
Put faith in quantum theory
• Randomness is postulated in quantum theory
• Measuring the state |0>+|1> (normalized) in the computational basis yields a perfect coin
• Thus faith in both the correctness and the completeness of quantum theory implies the existence of unlimited perfect randomness
• Correctness: consistent with experiments
• Completeness: the adversary has no better than a quantum strategy to cheat
Knowing that it exists does not mean knowing that you have it
We cannot verify quantum states and quantum operations directly
Is the faith in the device necessary?
Imperfect and completely untrusted quantum devices
• Mayers-Yao'98: what if the quantum device is imperfect?
• Trusting a certain "self-testing" procedure
• Completely untrusted devices [Barrett-Hardy-Kent'05, Colbeck'06, Colbeck-Renner'12]
• This talk focuses on quantum devices
• Entanglement among the device components and the adversary
[Diagram: device components entangled with one another and with the adversary]
Faith placed in the user
• Can interact with the device classically
• Can restrict communication among the device components and the adversary
• Necessary for all cryptography
Results [Miller-Shi'14,'15, Chung-Shi-Wu'14]
• Start with a single (n, k)-source
• Arbitrary output length
• Failure chance "close" to the best possible (≥ 2^-k)
• Failure: reject on an honest device, or accept while the output is not random enough
• Full quantum security
• Robust: device error can approach the maximum (for CHSH, a win rate of .751 suffices)
[Diagram: (n, k)-source → deterministic protocol, with adversary → arbitrary-length output, error = exp(-k^c)]
Step 1: reduction of seedless extraction to seeded extraction [CSW'14]
• Seeded: input is uniform; seedless: input is weak
• From the weak source create "somewhere" randomness
• Most blocks are (almost) uniform
• Decoupling: each seeded extraction transforms uniform-to-device input into globally uniform output
[Figure: source X feeds Ext under every seed value 00···0, 10···0, …, 11···1; each output S_seed is ≅ uniform to the device and is fed to its own PExt_seed instance, whose output Z_seed is ≅ uniform to the adversary. Output Z if no more than an η fraction of the PExt_seed instances reject.]
Figure 2: Our Physical Randomness Extractor PExt with parameters Ext, PExt_seed, and η. Ext is a quantum-proof strong extractor [30] and PExt_seed a seeded-PRE whose input length equals the output length of Ext. For each distinct seed value i of Ext, run an instance of Ext with that seed value and X as the source. Use the output S_i as the input to a separate instance of PExt_seed. Output the XOR of the Z_i's, or abort if ≥ η fraction of PExt_seed aborted.
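The "somewhere randomness" step of Figure 2, as an added Python example (not the CSW'14 code): the one-bit inner-product extractor stands in for Ext and is run under every seed on a constructed (n, k)-source, and the per-seed output bias is computed exactly. The quantum part (the PExt_seed instances and the XOR of their outputs) is not modelled; the block only shows the classical claim that most seed blocks are (almost) uniform even though the user cannot tell which ones.

```python
import math


def inner_product_ext(x, s):
    """Strong seeded extractor with one output bit: <x, s> mod 2, i.e. the parity of x AND s.
    x and s are n-bit integers."""
    return bin(x & s).count("1") & 1


def output_bias(source, s):
    """|Pr[Ext(X,s) = 0] - Pr[Ext(X,s) = 1]| for a source given as {x: prob}; 0 means uniform."""
    return abs(sum(p * (-1) ** inner_product_ext(x, s) for x, p in source.items()))


def somewhere_randomness(source, n, eps):
    """Run Ext under every seed s in {0,1}^n and measure how many blocks are 'bad' (bias > eps).
    Parseval over the seed space gives avg_s bias(s)^2 = sum_x p(x)^2 <= 2^-k for an (n,k)-source,
    so by Markov at most 2^-k / eps^2 of the seeds are bad. Returns (bad fraction, avg bias^2)."""
    biases = [output_bias(source, s) for s in range(1 << n)]
    bad = sum(1 for b in biases if b > eps)
    avg_sq = sum(b * b for b in biases) / (1 << n)
    return bad / (1 << n), avg_sq


def flat_source(n, k):
    """(n, k)-source constructed for the example: the top k bits are uniform, the low n-k bits
    are fixed to zero. Min-entropy is exactly k."""
    return {v << (n - k): 2.0 ** -k for v in range(1 << k)}


def min_entropy(source):
    return -math.log2(max(source.values()))


if __name__ == "__main__":
    src = flat_source(8, 4)
    bad_frac, avg_sq = somewhere_randomness(src, 8, 0.1)
    print(f"min-entropy {min_entropy(src)}; bad seed fraction {bad_frac}; avg bias^2 {avg_sq}")
```

On `flat_source(8, 4)` a seed whose top four bits are zero ignores all the randomness in X, so exactly 2^-k of the 256 blocks are constant and every other block is perfectly uniform; that 2^-k fraction of blocks the user cannot identify is the same quantity that appears in the "failure ≥ 2^-k" bound on the results slide.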
Step 2: seeded extraction (randomness expansion, introduced by Colbeck'06) [MS'14,'15]
• Faith: globally uniform input
• Matches Vazirani-Vidick'12: 2 components, exponential expansion, quantum security (classical/restricted security by [Pironio+'10, Pironio-Massar'13, Fehr+'13, Coudron+'13])
• Cryptographic security: failure probability is negligible
• Robustness
• Can be used for QKD (first robust QKD proved by Vazirani-Vidick'13)
• Other properties: unit-size quantum memory, flexible building block, new proof technique
• Error: exp(-log^t N) for any t, s < μ, where μ ∈ [.5, 1] is a universal constant
[Diagram: k uniform seed bits → deterministic protocol over ∼N rounds, with adversary → N = exp(k^s) output bits]
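The user side of a CHSH-based expansion protocol, as an added Python example (not Miller-Shi's implementation): the trusted seed picks the game inputs, the device answers, and the user accepts only if the observed win rate clears a threshold. The "quantum device" is a sampler of the optimal quantum strategy's output statistics, not a quantum simulation, and no security claim follows from it; it is there to show why a classical device (≤ 0.75) is rejected while an honest quantum one (≈ 0.854) is accepted. The slide's .751 threshold is the asymptotic one; this demo uses 0.80 over 4,000 rounds so the decision is unambiguous with few rounds. A PR box is included because the "non-signaling security" question on the last slides is about devices of that kind.

```python
import math
import random


def chsh_wins(x, y, a, b):
    """CHSH game: inputs x, y in {0,1}, outputs a, b in {0,1}; win iff a XOR b == x AND y."""
    return (a ^ b) == (x & y)


def classical_device(x, y):
    """Deterministic local strategy (always answer 0,0): wins on 3 of 4 input pairs, i.e. 0.75,
    which is the classical maximum."""
    return {(0, 0): 1.0}


_R = math.cos(math.pi / 4)


def quantum_device(x, y):
    """Output statistics of the optimal quantum strategy on a shared EPR pair: uniform marginals
    and Pr[a XOR b = x*y] = cos^2(pi/8) ~ 0.854 on every input pair. Simulated statistics only."""
    good, bad = (1 + _R) / 4, (1 - _R) / 4
    return {(a, b): (good if chsh_wins(x, y, a, b) else bad) for a in (0, 1) for b in (0, 1)}


def pr_box(x, y):
    """Non-signaling box that wins with probability 1; not realizable in quantum theory."""
    return {(a, b): (0.5 if chsh_wins(x, y, a, b) else 0.0) for a in (0, 1) for b in (0, 1)}


def win_probability(device):
    """Exact CHSH winning probability of a device under uniformly random inputs."""
    total = 0.0
    for x in (0, 1):
        for y in (0, 1):
            total += sum(p for (a, b), p in device(x, y).items() if chsh_wins(x, y, a, b))
    return total / 4


def sample(dist, rng):
    """Draw one outcome from a {outcome: prob} table using the given RNG."""
    r, acc = rng.random(), 0.0
    for outcome, p in dist.items():
        acc += p
        if r < acc:
            return outcome
    return outcome  # guard against float rounding at the top of the range


def expansion_protocol(device, seed, rounds, threshold):
    """User-side logic. The trusted short seed chooses the inputs; the device's own internal
    randomness (device_rng, a stand-in) chooses its answers. Accept iff win rate > threshold.
    Returns (accepted, win_rate, output bits), the output being Alice's answers."""
    input_rng = random.Random(seed)
    device_rng = random.Random(2718)
    wins, bits = 0, []
    for _ in range(rounds):
        x, y = input_rng.getrandbits(1), input_rng.getrandbits(1)
        a, b = sample(device(x, y), device_rng)
        wins += chsh_wins(x, y, a, b)
        bits.append(a)
    rate = wins / rounds
    return rate > threshold, rate, bits


if __name__ == "__main__":
    for name, dev in (("classical", classical_device), ("quantum", quantum_device)):
        ok, rate, _ = expansion_protocol(dev, seed=7, rounds=4000, threshold=0.80)
        print(f"{name}: win rate {rate:.4f}, accepted={ok}")
```

Only the accept/reject decision and the input choice belong to the user; everything inside `quantum_device` is what the untrusted hardware would do, and the protocol never looks inside it.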
Step 3: Unbounded expansion [MS-CSW’14]
• Any two expansion protocols can cross-feed securely for unbounded expansion
• First proved for a specific construction by Coudron-Yuen’14
Key insights: many pieces fit together
• Equivalence Lemma
• Strong self-testing
• Forcing trust
• Schatten-norm uncertainty principle
• Amortizing randomness generation
• Quantifying randomness
Equivalence Lemma [CSW'14]
• Secure under globally uniform input if and only if secure under uniform-to-device input
• Enables decoupling and unbounded expansion
[Diagram: X globally uniform, unknown to the adversary ≡ X uniform to the device, possibly held by the adversary]
EL enables generating private randomness from public randomness
• NIST's Randomness Beacon project: broadcasting public randomness
• Can be used as the Miller-Shi input
• Faith: NIST randomness is uniform to your device
Have we minimized faith?
• Chung-Shi-Wu is not cryptographically secure (Miller-Shi is)
• Too many device components are used
• Open problem: minimal faith for cryptographic randomness
• Possible?: single weak source, 2 device components, cryptographic level of security, robustness
• Weakening faith in physics: non-signaling security?
Conclusions
• Faith is necessary to be assured of true randomness
• All current RNGs are "trusted" solutions: you must have faith in them
• Unlimited true randomness can be obtained on the faiths of
• a weak source, quantum theory, restriction of communication
• Cryptographic randomness can be obtained on
• a short seed, quantum theory, restriction of communication
• Such an RNG delivers assured randomness and is trustworthy
• Assurance: you know that you are getting it
• Trustworthiness: the hardware proves its integrity to you
1st International Workshop on Trustworthy Quantum Information, June 28 – July 2, 2015, University of Michigan, Ann Arbor, Michigan, USA. Registration: tyqi.org