# Cryptography in the Bounded-Quantum-Storage Model.

**ABSTRACT** We initiate the study of two-party cryptographic primitives with unconditional security, assuming that the adversary's quantum memory is of bounded size. We show that oblivious transfer and bit commitment can be implemented in this model using protocols where honest parties need no quantum memory, whereas an adversarial player needs quantum memory of size at least $n/2$ in order to break the protocol, where $n$ is the number of qubits transmitted. This is in sharp contrast to the classical bounded-memory model, where we can only tolerate adversaries with memory of size quadratic in honest players' memory size. Our protocols are efficient and noninteractive and can be implemented using today's technology. On the technical side, a new entropic uncertainty relation involving min-entropy is established.

**0**Bookmarks

**·**

**99**Views

- [Show abstract] [Hide abstract]

**ABSTRACT:**Fundamental primitives such as bit commitment and oblivious transfer serve as building blocks for many other two-party protocols. Hence, the secure implementation of such primitives is important in modern cryptography. Here we present a bit commitment protocol that is secure as long as the attacker's quantum memory device is imperfect. The latter assumption is known as the noisy-storage model. We experimentally executed this protocol by performing measurements on polarization-entangled photon pairs. Our work includes a full security analysis, accounting for all experimental error rates and finite size effects. This demonstrates the feasibility of two-party protocols in this model using real-world quantum devices. Finally, we provide a general analysis of our bit commitment protocol for a range of experimental parameters.Nature Communications 12/2012; 3:1326. · 10.02 Impact Factor -
##### Article: Long term confidentiality: a survey

[Show abstract] [Hide abstract]

**ABSTRACT:**Sensitive electronic data may be required to remain confidential for long periods of time. Yet encryption under a computationally secure cryptosystem cannot provide a guarantee of long term confidentiality, due to potential advances in computing power or cryptanalysis. Long term confidentiality is ensured by information theoretically secure ciphers, but at the expense of impractical key agreement and key management. We overview known methods to alleviate these problems, whilst retaining some form of information theoretic security relevant for long term confidentiality.Designs Codes and Cryptography 06/2014; · 0.78 Impact Factor - [Show abstract] [Hide abstract]

**ABSTRACT:**In this paper, we propose a practical quantum all-or-nothing oblivious transfer protocol. Its security is based on technological limitations on non-demolition measurements and long-term quantum memory, and it has the capabilities of loss-tolerance and error-correction.Quantum Information Processing 02/2013; · 1.75 Impact Factor

Page 1

arXiv:quant-ph/0508222v2 14 Jul 2006

Cryptography in the

Bounded Quantum-Storage Model∗

Ivan B. Damg˚ ard†‡

Serge Fehr§

Louis Salvail†‡¶

Christian Schaffner†?

February 1, 2008

Abstract

We initiate the study of two-party cryptographic primitives with

unconditional security, assuming that the adversary’s quantum mem-

ory is of bounded size. We show that oblivious transfer and bit com-

mitment can be implemented in this model using protocols where hon-

est parties need no quantum memory, whereas an adversarial player

needs quantum memory of size at least n/2 in order to break the pro-

tocol, where n is the number of qubits transmitted. This is in sharp

contrast to the classical bounded-memory model, where we can only

tolerate adversaries with memory of size quadratic in honest players’

memory size. Our protocols are efficient, non-interactive and can be

implemented using today’s technology. On the technical side, a new

entropic uncertainty relation involving min-entropy is established.

1 Introduction

It is well known that non-trivial 2-party cryptographic primitives cannot

be securely implemented if only error-free communication is available and

there is no limitation assumed on the computing power and memory of

the players. Fundamental examples of such primitives are bit commitment

(BC) and oblivious transfer (OT). In BC, a committer C commits himself to

∗A preliminary version of this paper appeared in the proceedings of FOCS 2005 [10].

†Basic Research in Computer Science (BRICS), funded by the Danish Na-

tional Research Foundation, Department of Computer Science, University of ˚ Arhus,

{ivan|salvail|chris}@brics.dk.

‡FICS, Foundations in Cryptography and Security, funded by the Danish Natural Sci-

ences Research Council.

§Center for Mathematics and Computer Science (CWI), Amsterdam, Netherlands,

fehr@cwi.nl

¶Supported in part by the European project PROSECCO.

?Supported by the European project SECOQC.

1

Page 2

a choice of a bit b by exchanging information with a verifier V. We want that

V does not learn b (we say the commitment is hiding), yet C can later chose

to reveal b in a convincing way, i.e., only the value fixed at commitment time

will be accepted by V (we say the commitment is binding). In (Rabin) OT,

a sender S sends a bit b to a receiver R by executing some protocol in such

a way that R receives b with probability1

yet S does not learn what was received.

Informally, BC is not possible with unconditional security since hiding

means that when 0 is committed, exactly the same information exchange

could have happened when committing to a 1. Hence, even if 0 was actually

committed to, C could always compute a complete view of the protocol

consistent with having committed to 1, and pretend that this was what he

had in mind originally. A similar type of argument shows that OT is also

impossible in this setting.

One might hope that allowing the protocol to make use of quantum com-

munication would make a difference. Here, information is stored in qubits,

i.e., in the state of two-level quantum mechanical systems, such as the polar-

ization state of a single photon. It is well known that quantum information

behaves in a way that is fundamentally different from classical information,

enabling, for instance, unconditionally secure key exchange between two

honest players. However, in the case of two mutually distrusting parties, we

are not so fortunate: even with quantum communication, unconditionally

secure BC and OT remain impossible [18, 21].

There are, however, several scenarios where these impossibility results

do not apply, namely:

2and nothing with probability1

2,

• if the computing power of players is bounded,

• if the communication is noisy,

• if the adversary is under some physical limitation, e.g., the size of the

available memory is bounded.

The first scenario is the basis of many well known solutions based on

plausible but unproven complexity assumptions, such as hardness of factor-

ing or discrete logarithms. The second scenario has been used to construct

both BC and OT protocols in various models for the noise [6, 8, 11]. The

third scenario is our focus here. In this model, OT and BC can be done

using classical communication assuming, however, quite restrictive bounds

on the adversary’s memory size [3, 12], namely it can be at most quadratic

in the memory size of honest players. Such an assumption is on the edge of

being realistic, it would clearly be more satisfactory to have a larger sepa-

ration between the memory size of honest players and that of the adversary.

However, this was shown to be impossible [15].

In this paper, we study for the first time what happens if instead we

consider protocols where quantum communication is used and we place a

2

Page 3

bound on the adversary’s quantum memory size. There are two reasons

why this may be a good idea: first, if we do not bound the classical memory

size, we avoid the impossibility result of [15]. Second, the adversary’s typical

goal is to obtain a certain piece of classical information that we want to keep

hidden from him. However, if he cannot store all the quantum information

that is sent, he must convert some of it to classical information by measuring.

This may irreversibly destroy information, and we may be able to arrange

it such that the adversary cannot afford to lose information this way, while

honest players can.

It turns out that this is indeed possible: we present protocols for both

BC and OT in which n qubits are transmitted, where honest players need no

quantum memory, but where the adversary must store at least n/2 qubits

to break the protocol. We emphasize that no bound is assumed on the

adversary’s computing power, nor on his classical memory. This is clearly

much more satisfactory than the classical case, not only from a theoretical

point of view, but also in practice: while sending qubits and measuring

them immediately as they arrive is well within reach of current technology,

storing even a single qubit for more than a fraction of a second is a formidable

technological challenge. Furthermore, we show that our protocols also work

in a non-ideal setting where we allow the quantum source to be imperfect

and the quantum communication to be noisy.

We emphasize that what makes OT and BC possible in our model is

not so much the memory bound per se, rather it is the loss of information

it implies on the part of the adversary. Indeed, our results also hold if

the adversary’s memory device holds an arbitrary number of qubits, but is

imperfect is certain ways. This is discussed in more detail in Section 5.

Our protocols are non-interactive, only one party sends information when

doing OT, commitment or opening. Furthermore, the commitment protocol

has the interesting property that the only message is sent to the commit-

ter, i.e., it is possible to commit while only receiving information. Such a

scheme clearly does not exist without a bound on the committer’s memory,

even under computational assumptions and using quantum communication:

a corrupt committer could always store (possibly quantumly) all the infor-

mation sent, until opening time, and only then follow the honest committer’s

algorithm to figure out what should be sent to convincingly open a 0 or a 1.

Note that in the classical bounded-storage model, it is known how to do

time-stamping that is non-interactive in our sense: a player can time-stamp

a document while only receiving information [22]. However, no reasonable

BC or protocol that time-stamps a bit exist in this model. It is straight-

forward to see that any such protocol can be broken by an adversary with

classical memory of size twice that of an honest player, while our proto-

col requires no memory for the honest players and remains secure against

any adversary not able to store more than half the size of the quantum

transmission.

3

Page 4

We also note that it has been shown earlier that BC is possible using

quantum communication, assuming a different type of physical limitation,

namely a bound on the size of coherent measurement that can be imple-

mented [25]. This limitation is incomparable to ours: it does not limit the

total size of the memory, instead it limits the number of bits that can be

simultaneously operated on to produce a classical result. Our adversary

has a limit on the total memory size, but can measure all of it coherently.

The protocol from [25] is interactive, and requires a bound on the maximal

measurement size that is sub-linear in n.

On the technical side, we derive a new type of uncertainty relation in-

volving the min-entropy of a quantum encoding (Theorem 3.7 and Corol-

lary 3.8). The relation is in a suitable form to apply privacy amplification

against quantum adversaries as introduced by Renner and K¨ onig [23].

2Preliminaries

2.1Notation

For a set I = {i1,i2,...,iℓ} ⊆ {1,...,n} and a n-bit string x ∈ {0,1}n,

we define x|I:= xi1xi2···xiℓ. For x,y ∈ {0,1}n, x · y ∈ {0,1} denotes the

(standard) in-product of x and y. For a probability distribution Q over n-

bit strings and a set L ⊆ {0,1}n, we abbreviate the (overall) probability of

L with Q(L) :=?

p) · log(1 − p)?. We denote by negl(n) any function of n smaller than any

for the set of all n-bit strings at Hamming distance at most δn from x. Note

that the number of elements in Bδn(x) is the same for all x, we denote it by

Bδn:= |Bδn(x)|. It is well known that Bδn≤ 2nh(δ).

The pair {|0?,|1?} denotes the computational or rectilinear or “+” basis

for the 2-dimensional complex Hilbert space C2. The diagonal or “×” basis

is defined as {|0?×,|1?×} where |0?×=

Measuring a qubit in the +-basis (resp. ×-basis) means applying the mea-

surement described by projectors |0??0| and |1??1| (resp. projectors |0?×?0|×

and |1?×?1|×). When the context requires it, we write |0?+and |1?+instead

of |0? respectively |1?; and for any x ∈ {0,1}nand r ∈ {+,×}, we write

|x?r=?n

x∈LQ(x). All logarithms in this paper are to base two.

We denote by h(p) the binary entropy function h(p) := −?p · logp + (1 −

polynomial provided n is sufficiently large. For x ∈ {0,1}n, we write Bδn(x)

1

√2(|0?+|1?) and |1?×=

1

√2(|0?−|1?).

i=1|xi?r. If we want to choose the + or ×-basis according to the

bit b ∈ {0,1}, we write {+,×}[b].

2.2 Quantum Probability Theory

As basis for the security definitions and proofs of our protocols, we are

using the formalism introduced in [23], which we briefly summarize here.

A random state ρ is a random variable, with distribution Pρ, whose range

4

Page 5

is the set of density operators of a fixed Hilbert space. The view of an

observer (which is ignorant of the value of ρ) is given by the quantum

system described by the density operator [ρ] :=?

classical random variable X, with joint distribution PXρ, we also write ρx

instead of [ρ|X = x]. Note that ρxis a density operator (for any fixed x)

whereas ρX is again a random state. The overall quantum system is then

given by [{X} ⊗ ρ] =?

[{X} ⊗ ρ] = [{X}] ⊗ [ρ] if and only if ρX is independent of X, where the

latter in particular implies that no information on X can be learned by

observing only ρ. Furthermore, if [{X} ⊗ ρ] and [{X}] ⊗ [ρ] are ε-close in

terms of their trace distance δ(ρ,σ) =

[{X}⊗ρ] “behaves” as the ideal system [{X}]⊗[ρ] except with probability

ε [23] in that for any evolution of the system no observer can distinguish the

real from the ideal one with advantage greater than ε. Henceforth, we use

unif to denote a random variable with range {0,1}, uniformly distributed

and independent of anything else, and, as in [23], we use d(X|ρ) as a short

hand for δ?[{X} ⊗ ρ],[{unif}] ⊗ [ρ]?.

α of a random variable X [24], as well as its generalization to the R´ enyi

entropy Sα(ρ) of a state ρ [23]. It holds that Sα([{X}]) = Hα(X) and

Sα([{X}]) ≤ Sβ([{X}]) if α ≥ β. The cases that are relevant for us are

the classical min-entropy H∞(X) = −log(maxxPX(x)) as well as the max

and the collision Von Neumann entropy S0(ρ) = log(rank(ρ)) respectively

S2(ρ) = −log??

2.3Bounded Quantum Storage and Privacy Amplification

ρPρ(ρ)ρ. In general, for

any event E, we define [ρ|E] :=?

ρPρ|E(ρ)ρ. If ρ is dependent on some

xPX(x){x} ⊗ ρx, where {x} := |x??x| is the state

representation of x and {X} the corresponding random state. Obviously,

1

2tr(|ρ − σ|), then the real system

We consider the notion of the classical R´ enyi entropy Hα(X) of order

iλ2

i

?, where {λi}iare the eigenvalues of ρ.

All our protocols take place in the bounded quantum-storage model, which

concretely means the following: the state of an adversarial player may con-

sist of an arbitrary number of qubits, and he may perform arbitrary quantum

computation. At a certain point in time though, we say that the memory

bound applies, which means that all but q of the qubits are measured. Af-

ter this point, the player is again unbounded in (quantum) memory and

computing power. We note that our results also apply to some cases where

the adversary’s memory is not bounded but is noisy in certain ways, see

Section 5.

An important tool we will use is universal hashing. A class Hnof hashing

functions from {0,1}nto {0,1} is called two-universal if for any pair x,y ∈

{0,1}nwith x ?= y

??{f ∈ Hn: f(x) = f(y)}??≤|Hn|

2

.

5

Page 6

Several two-universal classes of hashing functions are such that evaluating

and picking a function uniformly and at random in Hncan be done efficiently

[4, 27].

Theorem 2.1 ([23]). Let X be distributed over {0,1}n, and let ρ be a

random state of q qubits1. Let F be the random variable corresponding

to the random choice (with uniform distribution and independent from X

and ρ) of a member of a two-universal class of hashing functions Hn. Then

d([F(X)|{F} ⊗ ρ]) ≤1

22−1

22−1

2(S2([{X}⊗ρ])−S0([ρ])−1)

(1)

≤1

2(H∞(X)−q−1). (2)

The first inequality (1) is the original theorem from [23], and (2) follows

by observing that S2([{X} ⊗ ρ]) ≥ S2([{X}]) = H2(X) ≥ H∞(X). In this

paper, we essentially only use this weaker version of the theorem.

Note that if the rightmost term of (2) is negligible, i.e. say smaller than

2−εn, then this situation is 2−εn-close to the ideal situation where F(X) is

perfectly uniform and independent of ρ and F. In particular, the situations

F(X) = 0 and F(X) = 1 are statistically indistinguishable given ρ and

F [17].

The following lemma is a direct consequence of Theorem 2.1. In Sec-

tion 4, this lemma will be useful for proving the binding condition of our com-

mitment scheme. Recall that for X ∈ {0,1}n, Bδn(X) denotes the set of all

n-bit strings at Hamming distance at most δn from X and Bδn:= |Bδn(X)|

is the number of such strings.

Lemma 2.2. Let X be distributed over {0,1}n, let ρ be a random state of

q qubits and letˆ X be a guess for X given ρ. Then, for all δ <1

that

Pr?ˆ X ∈ Bδn(X)?≤ 2−1

In other words, given a quantum memory of q qubits arbitrarily correlated

with a classical random variable X, the probability to findˆ X at Hamming

distance at most δn from X where nh(δ) <1

2it holds

2(H∞(X)−q−1)+log(Bδn).

2(H∞(X) − q) is negligible.

Proof: Here is a strategy to try to bias F(X) when givenˆ X and F ∈RHn:

Sample X′∈RBδn(ˆ X) and output F(X′). Note that, using psuccas a short

hand for the probability Pr?ˆ X ∈ Bδn(X)?to be bounded,

Pr?F(X′) = F(X)?=psucc

1Remember that ρ can be correlated with X in an arbitrary way. In particular, we can

think of ρ as an attempt to store the n-bit string X in q qubits.

Bδn+

?

1 −psucc

Bδn

?1

2

6

Page 7

=1

2+

psucc

2 · Bδn,

where the first equality follows from the fact that if X′?= X then, as Hn

is two-universal, Pr[F(X) = F(X′)] =1

guessing a binary F(X) given F and ρ is always upper bounded by

d(F(X)|{F} ⊗ ρ), in combination with Theorem 2.1 the above results in

1

2+

2. Since the probability of correctly

1

2+

psucc

2 · Bδn≤1

2+122−1

2(H∞(X)−q−1)

and the claim follows immediately.

?

3Rabin Oblivious Transfer

3.1 The Definition

A protocol for Rabin Oblivious Transfer (ROT) between sender Alice and

receiver Bob allows for Alice to send a bit b through an erasure channel

to Bob. Each transmission delivers b or an erasure with probability

Intuitively, a protocol for ROT is secure if

1

2.

• the sender Alice gets no information on whether b was received or not,

no matter what she does, and

• the receiver Bob gets no information about b with probability at least1

no matter what he does.

2,

In this paper, we are considering quantum protocols for ROT. This means

that while the inputs and outputs of the honest senders are classical, de-

scribed by random variables, the protocol may contain quantum computa-

tion and quantum communication, and the view of a dishonest player is

quantum, and is thus described by a random state.

Any such (two-party) protocol is specified by a family {(Sn,Rn)}n>0of

pairs of interactive quantum circuits (i.e. interacting through a quantum

channel). Each pair is indexed by a security parameter n > 0, where Sn

and Rndenote the circuits for sender Alice and receiver Bob, respectively.

In order to simplify the notation, we often omit the index n, leaving the

dependency on it implicit.

For the formal definition of the security requirements of a ROT protocol,

let us fix the following notation. Let B denote the binary random variable

describing S’s input bit b, and let A and B′denote the binary random vari-

ables describing R’s two output bits, where the meaning is that A indicates

whether the bit was received or not. Furthermore, for a dishonest sender

˜S (respectively˜R) let ρ˜S(ρ˜R) denote the random state describing˜S’s (˜R’s)

view of the protocol. Note that for a fixed candidate protocol for ROT,

and for a fixed input distribution PB, depending on whether we consider

7

Page 8

two honest S and R, a dishonest˜S and an honest R, or an honest S and a

dishonest˜R, the corresponding joint distribution PBAB′, Pρ˜SAB′ respectively

PBρ˜Ris uniquely determined.

Definition 3.1. A two-party (quantum) protocol (S,R) is a (statistically)

secure ROT if the following holds.

Correctness: For honest S and R

Pr[B = B′|A = 1] ≥ 1 − negl(n).

Receiver-Privacy: For any˜S

d(A|ρ˜S) ≤ negl(n).

Sender-Privacy: For any˜R there exists an event E with P[E] ≥1

such that

δ([B ⊗ ρ˜R|E],[B] ⊗ [ρ˜R|E]) ≤ negl(n).

2−negl(n)

If any of the above trace distances equals 0, then the corresponding property

is said to hold perfectly. If one of the properties only holds with respect

to a restricted class S of˜S’s respectively R of˜R’s, then this property is said

to hold and the protocol is said to be secure against S respectively R.

Receiver-privacy requires that the joint quantum state is essentially the

same as when A is uniformly distributed and independent of the sender’s

view, and sender-privacy requires that there exists some event which occurs

with probability at least1

2(the event that the receiver does not receive the

bit) and under which the joint quantum state is essentially the same as when

B is distributed (according to PB) independently of the receiver’s view.

We warn the reader that the above definition does not guarantee that

the ROT protocol is equivalent to an “ideal black-box implementation” of

ROT, so it does not guarantee universal composability, for instance. One

main reason for this is that, unlike the classical case [7], receiver-privacy

as we define it does not guarantee that the input bit b is determined after

the execution of ROT. In other words,˜S is not necessarily bound to her

input. In fact, this is not surprising, since our model places no limitations

whatsoever on the sender. If˜S was indeed bound to her input, a straight-

forward reduction would allow us to build from ROT a statistically hiding

commitment scheme where the ROT sender is the committer. But since

the sender is unbounded, she can always break the binding property using

essentially the standard attack against unconditionally secure quantum bit

commitment [18, 21].

A more rigorous definition of Oblivious Transfer is therefore required

in order to allow for composability. Moreover, we see from the above that

8

Page 9

satisfying such a definition will require some limitation to be placed on the

sender, such as a memory bound. This would, for instance, allow using the

commitment scheme we present later in this paper with the ROT sender in

the role of committer. These issue will be further addressed in a forthcoming

paper [9].

3.2The Protocol

We introduce a quantum protocol for ROT that will be shown perfectly

receiver-private (against any sender) and statistically sender-private against

any quantum memory-bounded receiver. Our protocol exhibits some simi-

larity with quantum conjugate coding introduced by Wiesner [28].

The protocol is very simple (see Figure 1): S picks x ∈R{0,1}nand sends

to R n qubits in state either |x?+or |x?×each chosen with probability1

then measures all received qubits either in the rectilinear or in the diagonal

basis. With probability1

that is forced to measure part of the state (due to a memory bound) can

only have full information on x in case the +-basis was used or in case the ×-

basis was used (but not in both cases). Privacy amplification based on any

two-universal class of hashing functions Hnis then used to destroy partial

information. (In order to avoid aborting, we specify that if a dishonest˜S

refuses to participate, or sends data in incorrect format, then R samples its

output bits a and b′both at random in {0,1}.)

2. R

2, R picked the right basis and gets x, while any˜R

qot(b):

1. S picks x ∈R{0,1}n, and r ∈R{+,×}.

2. S sends |ψ? := |x?rto R (i.e. the string x in basis r).

3. R picks r′∈R{+,×} and measures all qubits of |ψ? in basis r′.

Let x′∈ {0,1}nbe the result.

4. S announces r, f ∈RHn, and e := b ⊕ f(x).

5. R outputs a := 1 and b′:= e ⊕ f(x′) if r′= r and else a := 0 and

b′:= 0.

Figure 1. Protocol for Rabin QOT

As we shall see in Section 3.5, the security of the qot protocol against

receivers with bounded-size quantum memory holds as long as the bound

applies before Step 4 is reached. An equivalent protocol is obtained by

purifying the sender’s actions. Although qot is easy to implement, the

purified or EPR-based version [16] depicted in Figure 2 is easier to prove

secure. A similar approach was taken in the Shor-Preskill proof of security

9

Page 10

for the BB84 quantum key distribution scheme [26].

epr-qot(b):

1. S prepares n EPR pairs each in state |Ω? =

2. S sends one half of each pair to R and keeps the other halves.

1

√2(|00? + |11?).

3. R picks r′∈R{+,×} and measures all received qubits in basis r′.

Let x′∈ {0,1}nbe the result.

4. S picks r ∈R {+,×}, and measures all kept qubits in basis r.

Let x ∈ {0,1}nbe the outcome. S announces r, f ∈RHn, and

e := b ⊕ f(x).

5. R outputs a := 1 and b′:= e ⊕ f(x′) if r′= r and else a := 0 and

b′:= 0.

Figure 2. Protocol for EPR-based Rabin QOT

Notice that while qot requires no quantum memory for honest players,

quantum memory for S seems to be required in epr-qot. The following

Lemma shows the strict equivalence between qot and epr-qot.

Lemma 3.2. qot is secure if and only if epr-qot is secure.

Proof: The proof follows easily after observing that S’s choices of r and

f, together with the measurements all commute with R’s actions. There-

fore, they can be performed right after Step 1 with no change for R’s view.

Modifying epr-qot that way results in qot.

?

Note that for a dishonest receiver it is not only irrelevant whether he tries

to attack qot or epr-qot, but in fact there is no difference in the two

protocols from his point of view.

Lemma 3.3. epr-qot is perfectly receiver-private.

Proof: It is obvious that no information about whether R has received the

bit is leaked to any sender˜S, since R does not send anything, i.e. epr-qot

is non-interactive!

?

3.3Modeling Dishonest Receivers

We model dishonest receivers in qot respectively epr-qot under the as-

sumption that the maximum size of their quantum storage is bounded.

These adversaries are only required to have bounded quantum storage when

they reach Step 4 in (epr-)qot. Before that, the adversary can store and

10

Page 11

carry out quantum computations involving any number of qubits. Apart

from the restriction on the size of the quantum memory available to the

adversary, no other assumption is made. In particular, the adversary is not

assumed to be computationally bounded and the size of its classical memory

is not restricted.

Definition 3.4. The set Rγ denotes all possible quantum dishonest re-

ceivers {˜Rn}n>0in qot or epr-qot where for each n > 0,˜Rnhas quantum

memory of size at most γn when Step 4 is reached.

In general, the adversary˜R is allowed to perform any quantum computation

compressing the n qubits received from S into a quantum register M of size

at most γn when Step 4 is reached. More precisely, the compression function

is implemented by some unitary transform C acting upon the quantum state

received and an ancilla of arbitrary size. The compression is performed by

a measurement that we assume in the computational basis without loss

of generality. Before starting Step 4, the adversary first applies a unitary

transform C:

2−n/2

?

x∈{0,1}n

|x? ⊗ C|x?|0? ?→ 2−n/2

?

x∈{0,1}n

|x? ⊗

?

y

αx,y|ϕx,y?M|y?Y,

where for all x,?

quantum state in register M of size γn qubits. Ignoring the value of y to

ease the notation, the re-normalized state of the system is now in its most

general form when Step 4 in epr-qot is reached:

y|αx,y|2= 1. Then, a measurement in the computational

basis is applied to register Y providing classical outcome y. The result is a

|ψ? =

?

x∈{0,1}n

αx|x? ⊗ |ϕx?M,

where?

3.4

x|αx|2= 1.

Uncertainty Relation

We first prove a general uncertainty result and derive from that a corollary

that plays the crucial role in the security proof of epr-qot and thus of

qot. The uncertainty result concerns the situation where the sender holds

an arbitrary quantum register of n qubits. He may measure them in either

the + or the × basis. We are interested in the distribution of both these

measurement results, and we want to claim that they cannot both be “very

far from uniform”. One way to express this is to say that a distribution is

very non-uniform if one can identify a subset of outcomes that has much

higher probability than for a uniform choice. Intuitively, the theorem below

says that such sets cannot be found for both of the sender’s measurements.

11

Page 12

Theorem 3.5. Let the density matrix ρAdescribe the state of a n-qubit

register A. Let Q+(·) and Q×(·) be the respective distributions of the out-

come when register A is measured in the +-basis respectively the ×-basis.

Then, for any two sets L+⊂ {0,1}nand L×⊂ {0,1}nit holds that

Q+(L+) + Q×(L×) ≤

?

1 +

?

2−n|L+||L×|

?2.

Proof: We can purify register A by adding a register B, such that the

state of the composite system is pure. It can then be written as |ψ?AB=

?

Clearly, Q+(x) = |αx|2. To give a more explicit form of the distribution

Q×, we apply the Hadamard transformation to register A:

x∈{0,1}nαx|x?A|ϕx?Bfor some complex amplitudes αx and normalized

state vectors |ϕx?.

(H⊗n⊗

?B)|ψ? =

?

z∈{0,1}n

|z? ⊗

?

x∈{0,1}n

2−n

2(−1)x·zαx|ϕx?

and obtain

Q×(z) =

?????

?

x∈{0,1}n

2−n

2(−1)x·zαx|ϕx?

?????

2

.

Let L+denote the complement of L+and p its probability Q+(L+). We

can now split the sum in Q×(z) in the following way:

Q×(z) =

?????

?

x∈{0,1}n

√p

2−n

2(−1)x·zαx|ϕx?

?????

2

=

?????

?????

?

x∈L+

2−n

2(−1)x·zαx

√p|ϕx? +

?

x∈L+

2−n

2(−1)x·zαx|ϕx?

?????

2

=

√p · ζz|υz? +

?

x∈L+

2−n

2(−1)x·zαx|ϕx?

?????

2

where |υz? is defined as follows: For the normalized state |υ? :=?

holds that?

that the amplitude is maximized when all unit vectors |ϕx? point in the

same direction and when (−1)x·zαx= |αx|. More formally,

?????

x∈L+αx

√p|x?|ϕx?,

ζz|υz? is the z-component of the state H⊗n|υ? =?

To upper-bound the amplitudes provided by the sum over L+, we notice

zζz|z?⊗|υz?. It therefore

z|ζz|2= 1.

?

x∈L+

2−n

2(−1)x·zαx|ϕx?

?????≤ 2−n

2

?

x∈L+

|αx|

12

Page 13

≤ 2−n

2

???L+??

???L+??,

??

x∈L+

|αx|2

(3)

≤ 2−n

2

where (3) is obtained from the Cauchy-Schwarz inequality. Using ℓ+and ℓ×

as shorthands for

??L+??respectively

Q×(L×) =

?

≤

z∈L×

≤ p

z∈L×

≤ p + 2 · 2−n

√

2−nℓ+ℓ×+ 2−nℓ+ℓ×

√

??L×??, we conclude that

z∈L×

?

?

Q×(z)

?

|√p · ζz|υz?| + 2−n

2√

ℓ+?2

|ζz|2+ 2 · 2−n

2√

ℓ+?

|ζz|2+ 2−nℓ+ℓ×

z∈L×

|ζz| + ℓ×· 2−nℓ+

2√

ℓ+

?

ℓ×?

z∈L×

(4)

≤ p + 2

= 1 − Q+(L+) + 2

2−nℓ+ℓ×+ 2−nℓ+ℓ×.(5)

Inequality (4) follows again from Cauchy-Schwarz while in (5), we use the

definition of p. The claim of the proposition follows after re-arranging the

terms.

This theorem yields a meaningful bound as long as |L+| · |L×| < (√2 −

1)2· 2n, e.g. if L+and L×both contain less than 2n/2elements. If for

r ∈ {+,×}, Lrcontains only the n-bit string with the maximal probability

of Qr, we obtain as a corollary a slightly weaker version of a known relation

(see (9) in [19]).

?

Corollary 3.6. Let q+

butions Q+and Q×from above. It then holds that q+

where c = 2−n/2.

∞and q×

∞be the maximal probabilities of the distri-

∞· q×

∞≤

1

4(1 + c)4

Theorem 3.5 can be generalized to more than two mutually unbiased

bases. We call different sets B0,B1,...,BNof bases of the complex Hilbert

space C2nmutually unbiased, if for all i ?= j ∈ {0,...,N}, it holds that

∀|ϕ? ∈ Bi∀|ψ? ∈ Bj: |?ϕ|ψ?|2= 2−n.

Theorem 3.7. Let the density matrix ρAdescribe the state of a n-qubit

register A and let B0,B1,...,BNbe mutually unbiased bases of register

13

Page 14

A. Let Q0(·),Q1(·),...,QN(·) be the distributions of the outcome when

register A is measured in bases B0,B1,...,BN, respectively. Then, for any

sets L0,L1,...,LN⊂ {0,1}n, it holds that

N

?

Proof: Like in the proof of Theorem 3.5, we can purify register A by

adding a register B. The composite state can then be written as |ψ?AB=

?

We prove the statement by induction over N: For N = 1, by applying an

appropriate unitary transform to the whole system, we can assume without

loss of generality that B0is the standard +-basis.

Let us denote by T the matrix of the basis change from B0to B1. As

the inner product between states |φ? ∈ B0and |φ′? ∈ B1is always |?φ|φ′?| =

2−n/2, it follows that all entries of T are complex numbers of the form

2−n/2· eiλfor real λ ∈ R.

It is easy to verify that the same proof as for Theorem 3.5 applies after

replacing the Hadamard transform H⊗non the sender’s part by T and using

the above observation about the entries of T.

For the induction step from N to N + 1, we define p := Q0(L0), |υ? :=

?

formed into basis Bj. As in the proof of Theorem 3.5, using ℓias a short

hand for

??Li??, it follows:

N

?

N

?

N

?

N

?

where the distributions Piare obtained by measuring register A of the nor-

malized state |υ? in the mutually unbiased bases B1,B2,...,BN. We apply

the induction hypothesis to the sum of Pi(Li):

i=0

Qi(Li) ≤ 1 −

?N + 1

2

?

+

?

0≤j<k≤N

?

1 +

?

2−n|Lj||Lk|

?2

.

x∈{0,1}nαx|x?A|ϕx?Bfor some complex amplitudes αx and normalized

state vectors |ϕx?.

x∈L0

αx

√p|x?|ϕx?, and let ζj

z|υj

z? be the z-component of the state |υ? trans-

i=1

Qi(Li) =

N

?

i=1

?

z∈Li

Qi(z)

≤

i=1

?

z∈Li

?√p??ζi

?

z

??υi

z

???+ 2−n/2?

N

?

N

?

ℓ0

?2

≤ p ·

i=1

z∈Li

|ζi

z|2+

i=1

?

2 ·

?

2−nℓ0ℓi+ 2−nℓ0ℓi

?

≤ p ·

i=1

Pi(Li) +

i=1

?

1 −

?

2−nℓ0ℓi

?2− N

N

?

i=1

Qi(Li) ≤ p ·

N

?

i=1

Pi(Li) +

N

?

i=1

?

1 +

?

2−nℓ0ℓi

?2

− N

14

Page 15

≤?1 − Q0(L0)??

N

?

≤ −Q0(L0) + 1 −

?

1≤j<k≤N

?

?2

?

1 +

?

2−nℓjℓk

?2+ 1 −

?N

2

??

+

i=1

?

1 −

?

2−nℓ0ℓi

− N

?N + 1

2

+

?

0≤j<k≤N

?

1 +

?

2−nℓjℓk

?2

where the last inequality follows by observing that the term in the right

bracket is at least 1 and rearranging the terms. This completes the induction

step and the proof of the proposition.

?

Analogous to Corollary 3.6, we derive an uncertainty relation about the

sum of the min-entropies of up to 2

n

4 distributions.

Corollary 3.8. For an ε > 0, let 0 < N < 2(1

Hi

Then,

N

?

Proof: For i = 0,...,N, we denote by qi

and let Libe the set containing only the n-bit string x with this maximal

probability qi

∞. Theorem 3.7 together with the assumption about N assures

?N

N

?

= (N + 1)?log(N + 1) − negl(n)?.

4−ε)n. For i = 0,...,N, let

∞be the min-entropies of the distributions Qifrom the theorem above.

i=0

Hi

∞≥ (N + 1)?log(N + 1) − negl(n)?.

∞the maximal probability of Qi

i=0qi

mean follows:

∞≤ 1 + negl(n). By the inequality of the geometric and arithmetic

i=0

Hi

∞= −log

N

?

i=0

qi

∞≥ −log

?1 + negl(n)

N + 1

?N+1

?

3.5Security Against Dishonest Receivers

In this section, we show that epr-qot is secure against any dishonest re-

ceiver having access to a quantum storage device of size strictly smaller than

half the number of qubits received at Step 2.

In our setting, we use Theorem 3.5 to lower-bound the overall probability

of strings with small probabilities in the following sense. For 0 ≤ γ +κ ≤ 1,

define

S+:=?x ∈ {0,1}n: Q+(x) ≤ 2−(γ+κ)n?

S×:=?z ∈ {0,1}n: Q×(z) ≤ 2−(γ+κ)n?

and

15

#### View other sources

#### Hide other sources

- Available from Ivan Damgård · May 29, 2014
- Available from ArXiv