security proofs for continuous variable quantum key
play

Security proofs for continuous-variable quantum key distribution - PowerPoint PPT Presentation

Feb 06, 2024 •375 likes •711 views

Security proofs for continuous-variable quantum key distribution Anthony Leverrier Inria Paris QCrypt 2020 - virtual 10 August 2020 Anthony Leverrier (Inria) QCrypt 2020 1 / 24 Disclaimer there wont be any COVID joke, sorry! I

  1. Security proofs for continuous-variable quantum key distribution Anthony Leverrier Inria Paris QCrypt 2020 - virtual 10 August 2020 Anthony Leverrier (Inria) QCrypt 2020 1 / 24

  2. Disclaimer ◮ there won’t be any COVID joke, sorry! ◮ I won’t really talk about experimental stuff ◮ I won’t talk about the zillion CVQKD protocols out there, only about a couple that are ◮ simple to describe AND ◮ simple to implement ◮ the talk might contain controversial 1 statements such as: "sure, BB84 is a fine protocol, but it’s high time we move to CV protocols!" 1 but nothing too provocative! e.g. I won’t talk about the quantum Internet Anthony Leverrier (Inria) QCrypt 2020 2 / 24

  3. Outline Discrete versus continuous variables ◮ BB84 vs CVQKD State-of-the-art for security proofs ◮ Gaussian vs discrete modulation of coherent states Next steps, open questions ◮ finite size setting, general attacks Anthony Leverrier (Inria) QCrypt 2020 3 / 24

  4. Discrete versus continuous variables Anthony Leverrier (Inria) QCrypt 2020 4 / 24

  5. Two natural/simple qkd protocols BB84 ◮ so natural that it would have been discovered eventually (much later?), even without B & B ◮ distribute copies of | 00 � + | 11 � ◮ measure with ✶ = 1 2 ( | 0 �� 0 | + | 1 �� 1 | + | + �� + | + |−��−| ) CVQKD = THE ∞ -dim generalization a † ˆ b † | vacuum � ◮ distribute copies of | 00 � + λ | 11 � + λ 2 | 22 � + · · · + λ k | kk � + · · · = e λ ˆ ❈ | α �� α | d α , with coherent state | α � = e −| α | 2 / 2 ∑ ∞ α k ◮ measure with ✶ = 1 a † | vacuum � � = e α ˆ √ k ! | k � k = 0 π a.k.a. coherent detection , heterodyne measurement, or double-homodyne measurement alternative for CVQKD ◮ measure the quadratures (homodyne detection) = ⇒ the setup of the EPR paper from 1935! 2 2 formalized much later: Ralph (99), Reid (00), Cerf & al. (01), Grosshans-Grangier (02), Weedbrook & al. (03)... Anthony Leverrier (Inria) QCrypt 2020 5 / 24

  6. Two natural/simple qkd protocols BB84 ◮ so natural that it would have been discovered eventually (much later?), even without B & B ◮ distribute copies of | 00 � + | 11 � ◮ measure with ✶ = 1 2 ( | 0 �� 0 | + | 1 �� 1 | + | + �� + | + |−��−| ) CVQKD = THE ∞ -dim generalization a † ˆ b † | vacuum � ◮ distribute copies of | 00 � + λ | 11 � + λ 2 | 22 � + · · · + λ k | kk � + · · · = e λ ˆ ❈ | α �� α | d α , with coherent state | α � = e −| α | 2 / 2 ∑ ∞ α k ◮ measure with ✶ = 1 a † | vacuum � � = e α ˆ √ k ! | k � k = 0 π a.k.a. coherent detection , heterodyne measurement, or double-homodyne measurement alternative for CVQKD ◮ measure the quadratures (homodyne detection) = ⇒ the setup of the EPR paper from 1935! 2 2 formalized much later: Ralph (99), Reid (00), Cerf & al. (01), Grosshans-Grangier (02), Weedbrook & al. (03)... Anthony Leverrier (Inria) QCrypt 2020 5 / 24

  7. Two natural/simple qkd protocols BB84 ◮ so natural that it would have been discovered eventually (much later?), even without B & B ◮ distribute copies of | 00 � + | 11 � ◮ measure with ✶ = 1 2 ( | 0 �� 0 | + | 1 �� 1 | + | + �� + | + |−��−| ) CVQKD = THE ∞ -dim generalization a † ˆ b † | vacuum � ◮ distribute copies of | 00 � + λ | 11 � + λ 2 | 22 � + · · · + λ k | kk � + · · · = e λ ˆ ❈ | α �� α | d α , with coherent state | α � = e −| α | 2 / 2 ∑ ∞ α k ◮ measure with ✶ = 1 a † | vacuum � � = e α ˆ √ k ! | k � k = 0 π a.k.a. coherent detection , heterodyne measurement, or double-homodyne measurement alternative for CVQKD ◮ measure the quadratures (homodyne detection) = ⇒ the setup of the EPR paper from 1935! 2 2 formalized much later: Ralph (99), Reid (00), Cerf & al. (01), Grosshans-Grangier (02), Weedbrook & al. (03)... Anthony Leverrier (Inria) QCrypt 2020 5 / 24

  8. Theory vs practice BB84 in practice: NOT SO SIMPLE! ◮ single photons are usually prepared via | 00 � + λ | 11 � + λ 2 | 22 � + · · · + λ k | kk � + · · · and heralding ◮ experimentally-friendlier version of BB84 relies on (phase-randomized) coherent states = ⇒ same states as in CVQKD! requires to tweak completely redo the analysis (multi-photon pulses) ◮ photon counters hard to implement replaced by threshold detectors ⇒ infinite-dimensional Fock space, same as CVQKD! = CVQKD: pretty much as advertised ◮ same states, same measurement as specified (modulo a finite precision issue) ◮ P & M version: Alice prepares | α � with α ∼ N ❈ ( 0 , σ 2 ) (or α from finite set) ◮ implementations today closely match the original protocols my personal (provocative) view: BB84 was nice to launch the field of quantum crypto, but the future belongs to CV! Anthony Leverrier (Inria) QCrypt 2020 6 / 24

  9. Theory vs practice BB84 in practice: NOT SO SIMPLE! ◮ single photons are usually prepared via | 00 � + λ | 11 � + λ 2 | 22 � + · · · + λ k | kk � + · · · and heralding ◮ experimentally-friendlier version of BB84 relies on (phase-randomized) coherent states = ⇒ same states as in CVQKD! requires to tweak completely redo the analysis (multi-photon pulses) ◮ photon counters hard to implement replaced by threshold detectors ⇒ infinite-dimensional Fock space, same as CVQKD! = CVQKD: pretty much as advertised ◮ same states, same measurement as specified (modulo a finite precision issue) ◮ P & M version: Alice prepares | α � with α ∼ N ❈ ( 0 , σ 2 ) (or α from finite set) ◮ implementations today closely match the original protocols my personal (provocative) view: BB84 was nice to launch the field of quantum crypto, but the future belongs to CV! Anthony Leverrier (Inria) QCrypt 2020 6 / 24

  10. Theory vs practice BB84 in practice: NOT SO SIMPLE! ◮ single photons are usually prepared via | 00 � + λ | 11 � + λ 2 | 22 � + · · · + λ k | kk � + · · · and heralding ◮ experimentally-friendlier version of BB84 relies on (phase-randomized) coherent states = ⇒ same states as in CVQKD! requires to tweak completely redo the analysis (multi-photon pulses) ◮ photon counters hard to implement replaced by threshold detectors ⇒ infinite-dimensional Fock space, same as CVQKD! = CVQKD: pretty much as advertised ◮ same states, same measurement as specified (modulo a finite precision issue) ◮ P & M version: Alice prepares | α � with α ∼ N ❈ ( 0 , σ 2 ) (or α from finite set) ◮ implementations today closely match the original protocols my personal (provocative) view: BB84 was nice to launch the field of quantum crypto, but the future belongs to CV! Anthony Leverrier (Inria) QCrypt 2020 6 / 24

  11. ok... are there any drawbacks to CVQKD? of course not! More challenging theory 3 ◮ ∞ dimension (same is kind of true for implementations of DVQKD) ◮ continuous-valued AND unbounded measurement operators ◮ quality of the correlations measured via covariance matrix (unbounded) , not QBER or CHSH score = ⇒ conceptual difficulties, but rather clean problems Experimental performance: seems less robust to loss than DV ◮ losses are filtered out for DV: discard the no-click events 4 ◮ all pulses are there for CV, but noisier = ⇒ harder to estimate the channel parameters precisely ◮ very large blocks required for long distance 3 modern DVQKD protocols are also very complex! 4 modulo some assumptions on the detectors (as demonstrated by Vadim Makarov!) Anthony Leverrier (Inria) QCrypt 2020 7 / 24

  12. ok... are there any drawbacks to CVQKD? of course not! More challenging theory 3 ◮ ∞ dimension (same is kind of true for implementations of DVQKD) ◮ continuous-valued AND unbounded measurement operators ◮ quality of the correlations measured via covariance matrix (unbounded) , not QBER or CHSH score = ⇒ conceptual difficulties, but rather clean problems Experimental performance: seems less robust to loss than DV ◮ losses are filtered out for DV: discard the no-click events 4 ◮ all pulses are there for CV, but noisier = ⇒ harder to estimate the channel parameters precisely ◮ very large blocks required for long distance 3 modern DVQKD protocols are also very complex! 4 modulo some assumptions on the detectors (as demonstrated by Vadim Makarov!) Anthony Leverrier (Inria) QCrypt 2020 7 / 24

  13. P & M version of CVQKD ◮ Alice sends | α 1 � , · · · | α n � ◮ α k either Gaussian variable or element from a finite set (e.g. {± α , ± i α } ) ◮ Bob measures with heterodyne detection: gets β 1 , · · · , β n ∈ ❈ . ◮ typical model: β = t α + γ with fixed attenuation t and Gaussian noise γ ∼ N ❈ ( 0 , 1 + t 2 ξ ) ◮ t ∼ 0 . 1 at 100km ◮ ξ is the excess noise : 10 − 3 − 10 − 2 in implementations = ⇒ hard to mesure precisely ◮ classical postprocessing (essentially identical to DV) ◮ key map: from Bob’s data (reverse reconcilation 5 ) β 1 , · · · β n → x 1 , · · · x N ∈ { 0 , 1 } ◮ parameter estimation: covariance matrix of α , β (informally, want to estimate t, ξ ) = ⇒ the most challenging part ◮ privacy amplification 5 actually same for BB84 due to discarding no-click events Anthony Leverrier (Inria) QCrypt 2020 8 / 24

Recommend

Spacetime Replication of Continuous Variable Quantum Information Grant Salton Stanford

Spacetime Replication of Continuous Variable Quantum Information Grant Salton Stanford

Spacetime Replication of Continuous Variable Quantum Information Grant Salton Stanford University With: Patrick Hayden, Sepehr Nezami, and Barry Sanders arXiv: 1501.#### Quantum Error Correction 2014 Outline Part 1: Replicating

809 views • 24 slides
Continuous-variable quantum computing: scalable designs and fault tolerance Nicolas C

Continuous-variable quantum computing: scalable designs and fault tolerance Nicolas C

Continuous-variable quantum computing: scalable designs and fault tolerance Nicolas C Menicucci RIT Jul 2020 (Comic sans forever!) My group https://www.qurmit.org/ 2 ARC Centre of Excellence https://www.cqc2t.org/ 3 What is

1.53k views • 135 slides
Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shu ichi Katsumata (The University of Tokyo /AIST) Shota Yamada Takashi Yamakawa (AIST) (NTT) 1 Post Quantum Cryptography

1.22k views • 86 slides
Formal proofs, variable binding, and program extraction from proofs Colloquium Logicum 2016 (10

Formal proofs, variable binding, and program extraction from proofs Colloquium Logicum 2016 (10

Formal proofs, variable binding, and program extraction from proofs Colloquium Logicum 2016 (10 - 12 September 2016, Hamburg) Gyesik Lee Hankyong National University 1 Overview 1. Verification of proofs 2. Hales proof of the Kepler

651 views • 43 slides
Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth workshop Introduction to the workshop PROOFS: Security Proofs for Embedded Systems UCSB August 20, 2016 5th edition of PROOFS PROOFS 2012:

311 views • 7 slides
continuous random variables Continuous random variable: takes values in an uncountable set, e.g.

continuous random variables Continuous random variable: takes values in an uncountable set, e.g.

continuous random variables Discrete random variable: takes values in a finite or countable set, e.g. X {1,2, ..., 6} with equal probability X is positive integer i with probability 2 -i continuous random variables Continuous random variable:

763 views • 10 slides
Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne Broadbent (U. of Ottawa) arxiv:1911.07782 Quantum found. QZK Crypto TCS 2 / 19 Interactive proofs 3 / 19 Interactive proofs L NP P V 0

1.06k views • 89 slides
How Quantum Computing This Lower Bound Is . . . Can Help With (Continuous) How Quantum . . .

How Quantum Computing This Lower Bound Is . . . Can Help With (Continuous) How Quantum . . .

Known Advantages of . . . Need to Consider . . . We Consider Only . . . Non-Quantum Lower . . . How Quantum Computing This Lower Bound Is . . . Can Help With (Continuous) How Quantum . . . Auxiliary Quantum . . . Optimization Main

285 views • 24 slides
continuous random variables continuous random variables Discrete random variable: takes values in

continuous random variables continuous random variables Discrete random variable: takes values in

continuous random variables continuous random variables Discrete random variable: takes values in a finite or countable set, e.g. X {1,2, ..., 6} with equal probability X is positive integer i with probability 2 -i Continuous random variable:

464 views • 23 slides
Continuous Random Variables Recall: A continuous random variable X satisfies: its range is the

Continuous Random Variables Recall: A continuous random variable X satisfies: its range is the

ST 380 Probability and Statistics for the Physical Sciences Continuous Random Variables Recall: A continuous random variable X satisfies: its range is the union of one or more real number intervals; 1 P ( X = c ) = 0 for every c in the range of

410 views • 12 slides
The real story of the film so far... X a continuous random variable : for all x , { X x } is an

The real story of the film so far... X a continuous random variable : for all x , { X x } is an

The real story of the film so far... X a continuous random variable : for all x , { X x } is an Mathematics for Informatics 4a event and P ( X = x ) = 0 (Some) continuous random variables have probability density functions f such that Jos e

336 views • 6 slides
Continuous Random Variables For a discrete variable X, the cumulative distribution function , F(x)

Continuous Random Variables For a discrete variable X, the cumulative distribution function , F(x)

Introduction to Statistics Continuous Random Variables For a discrete variable X, the cumulative distribution function , F(x) = P(X x) , is a step function: F(x) = i:xi x P(X=x i ) For a continuous variable, the cdf is a smooth, non

646 views • 15 slides
CONTINUOUS SECURITY CONTINUOUS SECURITY IN THE DEVOPS WORLD IN THE DEVOPS WORLD JULIEN VEHENT

CONTINUOUS SECURITY CONTINUOUS SECURITY IN THE DEVOPS WORLD IN THE DEVOPS WORLD JULIEN VEHENT

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ CONTINUOUS SECURITY CONTINUOUS SECURITY IN THE DEVOPS WORLD IN THE DEVOPS WORLD JULIEN VEHENT JULIEN VEHENT MOZILLA SECURITY MOZILLA SECURITY

724 views • 49 slides
Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA)

800 views • 58 slides
Continuous Random Variables Recall that when a random variable takes values in an entire interval,

Continuous Random Variables Recall that when a random variable takes values in an entire interval,

ST 370 Probability and Statistics for Engineers Continuous Random Variables Recall that when a random variable takes values in an entire interval, the variable is called continuous . Example: Flash unit recharge time The time that a flash unit

430 views • 19 slides
DISCRETIZE: Command to Convert a Continuous Instrument into a Dummy Variable for Instrumental

DISCRETIZE: Command to Convert a Continuous Instrument into a Dummy Variable for Instrumental

DISCRETIZE: Command to Convert a Continuous Instrument into a Dummy Variable for Instrumental Variable Estimation DISCRETIZE: Command to Convert a Continuous Instrument into a Dummy Variable for Instrumental Variable Estimation Federico Curci,

876 views • 22 slides
DISCRETIZ: Command to Convert a Continuous Instrument into a Dummy Variable for Instrumental

DISCRETIZ: Command to Convert a Continuous Instrument into a Dummy Variable for Instrumental

DISCRETIZ: Command to Convert a Continuous Instrument into a Dummy Variable for Instrumental Variable Estimation DISCRETIZ: Command to Convert a Continuous Instrument into a Dummy Variable for Instrumental Variable Estimation ebastien Fontenay 2

341 views • 21 slides
Proofs and Computations Helmut Schwichtenberg Mathematisches Institut, LMU, M unchen 22.

Proofs and Computations Helmut Schwichtenberg Mathematisches Institut, LMU, M unchen 22.

Proofs and Computations Helmut Schwichtenberg Mathematisches Institut, LMU, M unchen 22. August 2010 Helmut Schwichtenberg Proofs and Computations Computing with partial continuous functionals Proofs in mathematics: on abstract,

331 views • 22 slides
NON-MARKOVIAN CONTINUOUS QUANTUM MEASUREMENT OF RETARDED OVSERVABLES Lajos Di osi, Budapest

NON-MARKOVIAN CONTINUOUS QUANTUM MEASUREMENT OF RETARDED OVSERVABLES Lajos Di osi, Budapest

1 NON-MARKOVIAN CONTINUOUS QUANTUM MEASUREMENT OF RETARDED OVSERVABLES Lajos Di osi, Budapest Contrary to longstanding doubts, diffusive non-Markovian quantum tra- jectories are single system trajectories and correspond to the true con-

373 views • 9 slides
Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

1 Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most protocols: (AES k (0) ; : : : ; AES k ( n 1)) is distinguishable from uniform with probability n ( n 1) = 2 129 , plus tiny key-guessing

577 views • 32 slides
Quantum Communications (and their implications for Information Security) The Quantum

Quantum Communications (and their implications for Information Security) The Quantum

Quantum Communications (and their implications for Information Security) The Quantum Communications Hub Director: Professor Tim Spiller New Quantum Technologies Quantum technologies form a whole new technology sector. These technologies

222 views • 11 slides
On the quantum complexity of the continuous hidden subgroup problem Koen de Boer, Lo Ducas,

On the quantum complexity of the continuous hidden subgroup problem Koen de Boer, Lo Ducas,

On the quantum complexity of the continuous hidden subgroup problem Koen de Boer, Lo Ducas, Serge Fehr 1 / 20 Paper: https://eprint.iacr.org/2019/716.pdf Overview Introduction Problem statement Quantum algorithm Error analysis

855 views • 20 slides
Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives David Derler , Sebastian Ramacher , Daniel Slamanig PQC rypto 18, April 9, 2018 1 Ring Signatures P

612 views • 27 slides
Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern Jacques.Stern@ens.fr Laboratoire dInformatique Ecole Normale Sup erieure 45, rue dUlm 75230 PARIS CEDEX 05 Security Proofs for

588 views • 12 slides

More recommend