Tags :
extractor source
secure entropy
source
extractor
entropy
secure
ext
side
strong
quantum
info
extractors
multi
amp
model
hmin
min

Download Presentation

Download Presentation - The PPT/PDF document "New Results of Quantum-proof Randomness" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

New Results of Quantum-proof Randomness Extractors

Xiaodi Wu (MIT)1st Trustworthy Quantum Information Workshop Ann Arbor, USA

1

b

ased on work w/ Kai-Min Chung and Xin Li,

arXiv

: 1411.2315 and

work w/Kai-Min Chung,

in

preparation

Slide2Randomness Extractor: Seeded

[SV84,Vaz85,VV85,CG85,Vaz87,CW89,Zuc90,Zuc91,…] A deterministic function converts indep. weak random sources with entropy to almost-uniform

randomness

2

seed

source

uniform output

X

U

d

Z

Slide3Randomness Extractor: Multi-source

[CG85, BIK04, Raz, Rao, Bourgain, Li ……] A deterministic function converts

indep. weak random

sources with entropy to

almost-uniform

randomness

3

weak random

source

uniform output

w

eak random source

X

1

X

t

Z

Slide4

Applications beyond randomness

Classical TCSCryptography, Derandomization [Sis88, NZ93,…], Distributed algorithms [WZ95], Data structures [Ta02], Hardness of Approximation [Zuc93,…]Quantum InformationPrivacy amplification (QKD)

[BB84,

BBR

…]

,

device-independent

crypto

[VV12, MS14, CSW14, B+, …]Bounded-storage model [DFSS08,…]4

Slide55

This talk: Q

. Seeded

Extractors with

O

ptimal Parameters:

(Chung, W, in preparation)

* a new construction optimal w/ inverse poly rate source * new techniques for quantum-proof condensers

Q. Side

Info Model for Multi-source Extraction: (Chung, Li, W, arXiv

: 1411.2315)

* a proposal naturally unifying and extending existing models

* q. multi-source extractors w/ matching paras to classical

Slide66

Q. Seeded

Extractors with

O

ptimal Parameters:

(Chung, W, in preparation)

* a new construction

optimal

w/ inverse poly rate source * new techniques for quantum-proof condensers

Slide7Quantum Side Info

: seeded extractionSource: a cq-state

Entropy measure: cond. min-entropy

H

min

(X|E)

= log ( 1/Pr[guess X correctly given E] )

Def: is a

k-source if Hmin(X|E)

> k

Characterize amount of extractable randomness [KMR05]Distance measure: trace distance |

|tr: max advantage to distinguish and

Def:

X, Y is -close if |

|tr <

7

Slide8Seeded Extractors against Side Info [R05,KMR05,KT08,DV10,T11,DPVR11]

is

quantum-secure

(k

,

)

-extractor if

k

-source ,

is

-close to

Um is quantum-secure (k,

)

-strong extractor if k-source ,

is

-close to

U

m 8

seed

source

uniform output

Seeded Randomness Extractor

X

U

d

Z

adversary

classical-secure

classical-secure

marginal-secure

marginal-secure

f

or classical side-info

f

or no side-info

Slide9What do we want?

Extraction from low min-entropy sourcesk = polylog(n) or

for

(0,1)

Minimize seed length

：

d

= O(log n)Maximize output length

： m kMinimize

the error:

(2

-k)Classical Ext: extract

0.99k bits with O(log n/) seed for all k, >0 [LRVW,GUV]

9Quantum Ext: (only when k=

)

Trevisan

[T, DV, DPVR]m=k0.98d=O(log(n))=1/poly(n)

Left-over hashing[KMR, TSSR]m~=k

d=O(m+log(n/))

Trevisan[T, DV, DPVR]

m=k0.98d=O(log(n))Left-over hashing[KMR,

TSSR]m~=k

Slide1010

What GUV requires?GUV:

Very

Good

Condenser

Block

Extraction

& Composition

Partial

Progress: Cond. Inv. polyExtends to quantum setting

Q.

Extractor: (new even classically)

Main Thm: quantum-secure extractor

Ext : {0,1}

n x {0,1}

d -> {0,1}m, s.t., for any (n,k) source, k=na, w/ seed length

O(log(n/)), output length m=0.99k

, =(2-k^0.99).

Optimal! Remark:

inverse-poly rate sources are good for most applications!Our Contribution:

Slide11Our strategy

Refer to Chung’s talk for technique limitationsResort

to extractor paradigm

[NZ,SZ

,

Zuc

]

before Trevisian, based on block-sampling & block-extraction. Our Observation

: A) this paradigm extends to

the quantum setting B) A new

condenser/extractor

in this paradigm

11

(n,k

) sourceSampling a subset:

Hope

:

min-entropy rate remainsNon-trivial to prove classically

(e.g, Zuc97, Vad03).

The quantum version by Koenig & Renner 11

However, this does not

condense! Block-Sampling!

Slide12Block Sampling

& Extraction [NZ,SZ,Zuc]12

(

n,k

)

source

Block-

Sampling

(one by

one)

:

Structure Entropywhile keeping the rate

Block-

Extraction (one by one): Competing Parameters: 1) able to sample

2) able to extract => optimal paras for const

entropy-rate

sources

[Zuc]

Exp.

increase Seed length Our

Contribution: this construction is also quantum-proof.

Observation:

w

ell,

it

does

not

need

to

be

able

to

sample

&

extract

at

the

same

time!

When

fails

to

sample,

it

condenses!

A

win-win

argument!

Slide13

Condenser:

1/poly rate -> const rate (Win-Win argument)

13

(

n,k

)

Sampling (

if success -> extraction, otherwise condensing

)

E

1

E

2

Sample again on a shorter input

……

E

3

C

0

length k……

const Rounds(C0, E1,E2,…) -> const rate source

Quantum: 1) sampling [KR] 2) remaining analysis & comp.

Slide14Summary:

14Zuckerman’s Extractor

Win-Win

Condenser

Main

Thm

:

quantum-secure extractor Ext : {0,1}n x {0,1}d

-> {0,1}m, s.t., for any (

n,k) source,

k=na, w/

seed length O(log(n/)), output length m=0.99k , =(2-k^0.99).

Optimal!

Slide1515

Q. Side Info Model for Multi-source Extraction:

(Chung, Li, W, arXiv

: 1411.2315)

* a proposal naturally

unifying

and

extending existing models * q. multi-source extractors w/ matching paras to classical

Slide16Multi-source Extractors [BIW04]

is

(

t,k

,

)

-extractor if

indep k

-sources X1,…, Xt,

Z is

-close to Um

is XS-strong if (Z, XS) is -close to (Um, XS)

16

source

uniform output

source

X

1

X

t

Z

Multi-source

Extractor

Slide17Side Info.

of multiple sources?17Want: a general definition of entropy

& sufficient entropy => extractability

.

adversary

Possible:

side info E=

any

function of

?

then entropy = some conditional min-entropy on E?

No!

Consider E= the 1st bit of Ext

, a reasonable entropy should be large. Fail on the extractor

Ext

.

Restriction on E is necessary!

Slide18Simple Models

Independent Adversary (IA): each source leaks own

side information

However,

IA

fails

to consider the entanglement

/correlation. Bounded Storage

Adv (BS): allow entangle; one-round leaking

[KK12]

May

break independence; non-trivial even for classical side info

20

source

uniform output

source

X

1

X

2

Z

Two-source

Extractor

adversary

adversary

A

2

E

2

A

1

E

1

Slide19Kasher &

Kempe 1219The [DEOR04] extractor works with comparable parameters in both IA &

BS models

,

although

side

info breaks independence. ISSUEs:No

unified model & No unified entropy measure

Technique-wise very specific to

the

[DEOR04] extractor

Our Contribution:A Unified & Generalized Model: General Entangled (GE) model

Take

the one-round leaking model [KK12] + right entropy measure Prove most existing two-/multi-source

extractors are GE-securee.g.,

Raz

, Bourgain

, Li, BRSW, Rao, …. Remarks on the model:1. Could refer to a practical scenario of generating side-info: when parties are far apart from each other & leaking procedure is short!2. Unclear about extension to multiple rounds. Could fall into the previous counter-example .

Slide20Entropy measure: problematic

[KK12]A natural def of (k1,k2

)-source

H

min

(X

1

|E

1

E

2)

> k

1 and Hmin(X

2|E1E2) > k2 A classical counter-example: Ext, (X

1,X

2,E1,E2) s.t. Hmin(X1|E1E2)

=Hmin(X2|E1

E2

)

> n-4, but, Ext(X1,X2) is determined given E1, E2Allow interference between sources: X

1 = X2

(W1 W2)Allow double counting entropy:

Hmin(X1X2|W1W2

) = n < Hmin(X1|W1W2

) + Hmin(X2|W1W2

)

Slide21

Allow general entanglement; new way to measure

entropy, avoid interferenceMeasure entropy of Xi right after receiving E

i

k

i

=

H

min(Xi|EiA-i)

No interference: entropy of X-i don’t go to Xi

E

t

Contribution I: General Entangled (GE) Model21

adversary

X

2

X

t

X

1

A

1

A

t

E

1

A

2

E

2

A

1

A

t

Slide22Allow general entanglement

; new way to measure entropy, avoid interferenceMeasure entropy of Xi right after receiving E

i

k

i

=

H

min(Xi|EiA-i)

No interference: entropy of X-i don’t go to Xi

No double counting entropy: Hmin(X1…X

t

|E1…Et)

[KK12]’s example in GE Model: no entropy k

1 =

Hmin(X1|E1A2) = Hmin(X1|W1R) = 0

General Entangled (GE) Model

22

Slide23Allow general entanglement

; new way to measure entropyMeasure entropy of Xi right after receiving Ei k

i = H

min

(

X

i

|E

iA-i)Def:

is a GE-

(t,k)-source if ki

= H

min(Xi|EiA

-i) k for every i [t]IA =

GE with independent

Ai’sBS = GE with bounded size Ei’s

General Entangled (GE) Model23

Slide24GE-secure Multi-source Extractors

is

GE

-secure

(

t,k

,

)

-extractor if

GE

-(t,k)-source

,

is

-close to Um

is X

S-strong if is -close to Um

24

source

uniform output

source

X

1

X

t

Z

Multi-source

Extractor

adversary

Slide25Existing

Two-source Extractors (e.g.,

Raz,

Bourgain

,

existential

ones) are GE-secure.Any Multi-source

Extractors (e.g., Li, BRSW, Rao)

can be upgraded to

be

GE-secure. Both w/

matching parameters. 25Contribution II: GE-secure extractors

GE-

Strong OA Security Equivalence! Obtain Strong OA

Security: XOR, +1 source, block-source

Omitted!

Slide26Only get side info from a single sourceat adversary’s choice (without seeing the sources)

Weaker than IA & GEOA-sources & OA-secure extractors defined similarlyOne-sided Adversary (OA

) Model

26

adversary

X

i

X

t

X

1

A

i

E

i

Slide27

Strong OA-

GE Security EquivalenceThm: For any S [t] with

|S|=t-1,if

Ext

is

X

S

-strong

OA-secure (t,k,)-extractor,

Ext is XS-strong GE-secure (

t,k,)-extractor.

27

MOAIABS

GE

classical

side-info

no side-info

strong ext.

Slide28Strong OA-

GE Security EquivalenceThm: Let S [t-1],if

Ext is X

S

-strong

OA

-secure

(

t,k,)-extractor,

Ext is XS-strong GE-secure (t,k,

)-extractor.

28

Et

adversary

X

2

X

t

X

1

A

1

A

t

E

1

A

2

E

2

A

1

A

2

Apply

Ext

S

Leaking

on X

S

Slide29

Proof: simulation b/c

29Apply OA Ext Leaking

on XS

COMMUTE

(strong)

Leaking

on

Xt, Leaking on X

S, Apply Ext Leaking on X

t, Apply Ext , Leaking on XS

=

Apply OA security w/ sufficient entropy

Slide30Summary

GE multi-source side info modelavoid interference in measuring entropyStrong OA-GE security equivalenceSimple techniques to obtain strong OA-security

Handle quantum side info

for free

!

30

M

OA

IA

BS

GE

strong ext.

Slide3131

Conclusions: Q.

Seeded Extractor

optimal

w/ inv

.

poly rate sources

Q. Multi-source: side

info model &

extractors

Open

Questions: Better Q. Extractor/Condenser? Optimal Parameters for any source?

Alternative/General

Side Info Model allowing extraction?

Slide32Thanks!Questions?

32

Slide33Obtain Strong OA

-security (I): +1 sourceThm: M-secure (t,k,

)-multi-source extractor +

Q

-secure

(k,

)

-strong seeded extractor OA-secure X[t]

-strong (t+1,k,2)-multi-source extractor

33

X

1

X

t

Y

X

t+1

Z

LIFT

: marginal uniform + seeded quantum extractor

-> quantum-proof uniform

Slide34Obtain Strong OA-security (II):

M OA

Thm: Any

M

-secure extractor outputs

m

-bits with error

is OA-secure with error

Generic: holds for seeded/two/multi-source extractorsBased on techniques in [KK12] (in turn based on

[KT08])OA-secure two-source extractors with “same” paramsExtract m=

(k)

bits with = 2-m

Raz/Bourgain/DEOR extractors are GE-secureDo not yield better seeded extractors 34

Slide35Entropy measure: problematic

[KK12]A natural def of (k1,k2)

-source

H

min

(X

1

|E

1

E

2)

> k

1 and Hmin(X2

|E1E2) > k2 A classical counter example: Ext, (X1,X2

,E

1,E2) s.t. Ext(X1,X2) is far from uniform given E1, E2Ext(X1,X2) =

X1 X

2 --- inner product extractor

[CG88]

Hmin(X1|W1W2) = n Hmin(X1|E

1E2) > n-4X1

X2 = (1/2) (B1 + B2

- |W1 W2| mod 4)

35

X

1

X

2

adversary

B

1

= |X

1

| mod 4

E

1

= (W

1

,B

1

)

B

2

= |X

2

| mod 4

E

2

= (W

2

,B

2

)

: uniform

: Hamming weight

© 2020 docslides.com Inc.

All rights reserved.