What does random mean? Random - Something or a group of things - PowerPoint PPT Presentation

What does “random” mean? Random - “Something or a group of things that follow no criteria or pattern. A word often misused by morons who don’t know very many other words.” -- supaDISC

What does “random” mean? “Please people, use it when something really is random. See example below. ” -- Madi (from www.urbandictionary.com) Sorry your hamster British rail should died, Bob. watch out for flying man-eating deckchairs!

Why it matters Security of protocols like RSA fails if keys are not random enough. [ Lenstra+ 12, Heninger+ 12] P,Q P,Q (primes)

Why it matters Info security professionals rely on tests like these. “[We assume] that the developer understands the behavior of the entropy source and has made a good- faith effort to produce a consistent source of entropy.” Can we do better than this?

Bell inequalities certify quantumness Suppose Alice plays the CHSH game N times and calculates the avg. Input The CHSH Game score. O 1 Å O 2 = 1 Score if Score if Inputs O 1  O 2 = 0 O 1  O 2 = 1 0 1 00 +1 -1 0 0 0 1 01 +1 -1 10 +1 -1 11 -1 +1 1 0 1 0 0 1 … …

Bell inequalities certify quantumness Suppose Alice plays the CHSH game N times and calculates the avg. score. 0 1 0 0 N=5 0 1 0.72 1 0 0.5 1 0 0 1 … …

Bell inequalities certify quantumness Suppose Alice plays the CHSH game N times and calculates the avg. score. 0 1 0 0 N=500 0 1 0.72 1 0 0.5 1 0 0 1 … …

Bell inequalities certify quantumness Suppose Alice plays the CHSH game N times and calculates the avg. score. 0 1 0 0 N=100000 0 1 0.72 1 0 0.5 1 0 0 1 … …

Bell inequalities certify quantumness Suppose Alice plays the CHSH game N times and calculates the avg. score. If it’s > 0.501, she assumes outputs were partially random, and applies a randomness extractor . [Colbeck 2006] 0 1 0 0 N=100000 0 1 0.72 1 0 0.5 1 0 0 1 … …

Bell inequalities certify quantumness Does this work? Yes – from the perspective of any classical adversary. [Pironio+ 10, Pironio+ 13, Fehr+ 13, Coudron+ 13]. 0 1 0 0 N=100000 0 1 0.72 1 0 0.5 1 0 0 1 … …

Quantum adversaries are stronger What about an entangled adversary? Problem: Quantum information can be locked – accessible only to entangled adversaries. [E.g., DiVincenzo+ 04] 0 1 0 0 0 1 1 0 1 0 0 1 … …

Quantum adversaries are stronger If we can require perfect performance, [Vazirani-Vidick 12] proves entangled security. QIP 2014: We proved entangled security allowing error 0.028 . 0 1 0 0 Quantum security 0 1 1 0 1 0 0 1 … … Classical security

Quantum adversaries are stronger If we can require perfect performance, [Vazirani-Vidick 12] proves entangled security. QIP 2014: We proved entangled security allowing error 0.028 . Our new results: 0 1 0 0 Quantum security The two thresholds 0 1 are in fact the same. Any Bell inequality can be used. 1 0 1 0 0 1 … … Classical security

Randomness from Trusted Measurements Randomness Expansion At each iteration, the device locates a 0 [Several authors]: Security proof against an unentangled adversary. 0 qubit. If input = 0, it measures along 1 0 {|+>, |->}; if input = 1, along {|0>, |1>}. 0 Small resources, high rate 0 0 0 Not fully secure 1 0 0 + + 11011 - 1010010001011101010001011101101010001111111010100010 …. 0 1

Randomness from Trusted Measurements Randomness Expansion Idea: We want the device to prepare an 0 [Several authors]: Security proof against an unentangled adversary. 0 approximate |0> state and measure 1 0 along {|+>, |->}. 0 Small resources, high rate 0 0 0 Protocol adapted from CVY13, VV12. Not fully secure 1 1. Give the device N biased (1 – d, d ) 0 0 coin flips. 2. If output “1” has occurred more than (1-C) d N times, abort. + 3. Apply randomness extractor. + 11011 - 1010010001011101010001011101101010001111111010100010 …. 0 Is this secure? +

Randomness from Trusted Measurements Randomness Expansion Initial adversary state: 0 [Several authors]: Security proof against an unentangled adversary. r 0 1 0 0 Small resources, high rate After 1 iteration: 0 0 ( 1 – d) r +  ( 1 – d) r -  d r 0  d r 1 0 State = r Not fully secure 1 0 0 After N iterations: ( 1 – d) N r ++..+  ( 1 – d) N r ++..-  ...  d N r 11..1 + At the end we exclude “abort” states. + 11011 - Is the result random? 1010010001011101010001011101101010001111111010100010 …. 0 +

A New Uncertainty Principle for Tr[X c ] Randomness Expansion Theorem: 0 [Several authors]: Security proof against an unentangled adversary. 0 Let 1 0 0 Small resources, high rate 0 0 0 State = r Not fully secure 1 0 0 0 Then (X,Y) must fit in this region: (1,1) (0,1) + + 11011 (1,1- e ) (0,1- e ) - 1010010001011101010001011101101010001111111010100010 …. 0 +

A New Uncertainty Principle for Tr[X c ] Randomness Expansion By an inductive argument, the protocol is 0 [Several authors]: Security proof against an unentangled adversary. secure provided the abort threshold (C) is > 0.5. 0 1 0 0 Small resources, high rate 0 0 0 State = r Not fully secure 1 0 0 + + 11011 - 1010010001011101010001011101101010001111111010100010 …. 0 Classical threshold = quantum threshold! +

Randomness Expansion Randomness from Noncommuting Measurements Change the device to a general non- 0 [Several authors]: Security proof against an unentangled adversary. 0 commuting device. 1 A device whose 0 0 measurements {A 0 , Small resources, high rate 0 By similar proof, the protocol is secure 0 A 1 } and {B 0 , B 1 } 0 provided C > T. Not fully secure 1 always satisfy 0 0 Classical threshold = quantum threshold again! + + 11011 - 1010010001011101010001011101101010001111111010100010 …. 0 +

Randomness Expansion Randomness from Untrusted Devices Insight (generalizing 0 0 our previous work): Random input Nonlocal games simulate noncommuting - OR - CHSH measurements. Output Output

Randomness Expansion Randomness from Untrusted Devices Protocol from CVY13, VV12. 0 0 [Several authors]: Security proof against an unentangled adversary. 0 0 1. Run the device N times. During 1 1 0 0 “game rounds,” play a nonlocal 0 0 Small resources, high rate 0 game. Otherwise, just input (0,0). 0 Game rounds 0 0 2. If the average score during game 0 0 occur with Not fully secure 1 0 probability e. rounds was < C, abort. 0 0 0 0 3. Apply randomness extractor. By simulation, classical threshold = 1 0 quantum threshold. 1 1 11011 0 1 1 1 1010010001011101010001011101101010001111111010100010 ….

Randomness Expansion Randomness from Kochen-Specker Inequalities Horodecki+ 10, Abbott+ 12, Deng+ 13, Um+ 13 A B In a contextuality game , the device makes [Several authors]: Security proof against an unentangled adversary. A B C simultaneous measurements assumed to D A B be consistent and commuting. A B Small resources, high rate A B A A B C A B Not fully secure E A A E B A B D Klyachko+ 08 B 1 0 1 1 11011 0 1 Classical threshold = quantum threshold. 1 1 1010010001011101010001011101101010001111111010100010 ….

Randomness Expansion Randomness from Kochen-Specker Inequalities Horodecki+ 10, Abbott+ 12, Deng+ 13, Um+ 13 MISSION ACCOMPLISHED A B In a contextuality game , the device makes [Several authors]: Security proof against an unentangled adversary. A B C simultaneous measurements assumed to D Any Bell inequality (or K-S inequality) can be used to A B be consistent and commuting. A B Small resources, high rate A B produce true random numbers. A A B C A B Not fully secure E A A E B A B D Klyachko+ 08 B 1 0 1 1 11011 0 1 Classical threshold = quantum threshold. 1 1 1010010001011101010001011101101010001111111010100010 ….

Open Problems What are the best resource tradeoffs? Entanglement . Quality of seed. 011110000010000100000111111111110111100000 01111000010100001110100000000001111101000… # of devices. Expansion rate. Exponential, unbounded …

Open Problems What is the best 0.03 QIP 2015 rate curve for 0 CHSH? 0.72 0.5 Important for 1.0 QKD. QIP 2014 0

The Schatten norm Our uncertainty principle relies on the uniform convexity of the (1+ e )-Schatten norm [Ball+ 94]. U r U * r 11011 r +  r - 1010010001011101010001011101101010001111111010100010 …. What else can we learn from the geometry of this norm?