Secure Certification of Mixed Quantum States


slide-1
SLIDE 1

Secure Certification of Mixed Quantum States

Frédéric Dupuis, Serge Fehr, Philippe Lamontagne and Louis Salvail

slide-4
SLIDE 4

Quantum state certification

[Figure: a row of registers $\mathcal{H}$]

Certification

  • Measure $\mathcal{H}$ with $\{|\psi\rangle\langle\psi|,\ I - |\psi\rangle\langle\psi|\}$
  • If result is $|\psi\rangle$ for every $\mathcal{H}$, then most of the remaining positions are in state $|\psi\rangle$ with overwhelming probability [BF10].
  • The reference state $|\psi\rangle$ must be pure.

1/8

slide-16
SLIDE 16

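What about certifying mixed states?

Usual approach fails

Notion of typical subspace not applicable

$X_{\text{sample}} = 00\ldots0 \ \overset{\Pr\approx 1}{\Longrightarrow}\ X_{\text{rest}} \in \{x : x \text{ has less than } \delta n \text{ 1s}\}$

  • For pure states, $|\psi_{\text{sample}}\rangle = |0\rangle^{\otimes k} \ \overset{\Pr\approx 1}{\Longrightarrow}\ |\psi_{\text{rest}}\rangle \in \operatorname{span}\{|x\rangle : x \text{ has less than } \delta n \text{ 1s}\}$
  • For some mixed states $\phi$, $\operatorname{supp}(\phi^{\otimes n}) = \mathcal{H}^{\otimes n}$

No local measurement for a discrete notion of errors for mixed states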

2/8

slide-19
SLIDE 19

A mixed state certification protocol

Possible to verify that a qubit is in state $\phi$ if we have access to its purifying register.

Two-player “Game”

Verifier wants to certify that his state is close to $\phi^{\otimes n}$. Prover wants to fool the verifier into thinking he has the right state even though it’s not the case.

  • P. Prepare $|\phi\rangle_{AR}^{\otimes n}$, send $A^n$ to verifier.
  • V. Choose a random sample, announce it to prover.
  • P. Send $R$ for each position in sample.
  • V. Measure $\{|\phi\rangle\langle\phi|_{AR},\ I - |\phi\rangle\langle\phi|_{AR}\}$ for each joint system $AR$ in sample.
  • V. Accept if no errors, reject otherwise.

3/8

slide-30
SLIDE 30

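A few observations about the protocol

Interaction is necessary

How can you distinguish $\left(\frac{|0\rangle\langle 0|}{2} + \frac{|1\rangle\langle 1|}{2}\right)^{\otimes n}$ from $\underbrace{|0\rangle|0\rangle\cdots|0\rangle}_{\approx n/2 \text{ times}}\ \underbrace{|1\rangle|1\rangle\cdots|1\rangle}_{\approx n/2 \text{ times}}$?

Interaction gives more power to prover

[Figure: P. and V. with an “Abort/continue” message]

  1. Learns sample
  2. Measures qubits
  3. Aborts based on result

Post-selection

Example

Prepare $\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)^{\otimes n}$, measure positions outside of sample, abort if result $\neq |0\rangle^{\otimes n-k}$. Resulting state always $|0\rangle^{\otimes n-k}$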

4/8
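The post-selection example above, simulated for the reference state ϕ = I/2 with purification (|00⟩ + |11⟩)/√2. This is an added example, not part of the original slides; the function names, the sparse state-vector representation, n = 6, the sample positions and the product-state contrast case are assumptions chosen for illustration. It compares three provers by acceptance probability and by the min-entropy of the verifier's unsampled registers.

```python
import itertools
import math

def epr_pairs(n):
    """(|00>+|11>)/sqrt(2) on n pairs, as {basis tuple: amplitude}.
    Qubit 2i is the verifier's A_i, qubit 2i+1 is the purifying R_i."""
    amp = 2 ** (-n / 2)
    return {tuple(b for bit in bits for b in (bit, bit)): amp
            for bits in itertools.product((0, 1), repeat=n)}

def product_zero(n):
    """Unentangled |00> on every pair (constructed contrast case)."""
    return {(0,) * (2 * n): 1.0}

def norm2(state):
    return sum(abs(a) ** 2 for a in state.values())

def keep_outcome(state, qubit, value):
    """Unnormalised state after observing `value` on `qubit`."""
    return {k: a for k, a in state.items() if k[qubit] == value}

def project_epr(state, i):
    """Apply the accepting projector |phi><phi| to the pair (A_i, R_i)."""
    out = {}
    for k, a in state.items():
        if k[2 * i] != k[2 * i + 1]:
            continue  # |01> and |10> are orthogonal to |phi>
        for v in (0, 1):  # <phi|vv> = 1/sqrt(2), so |00> and |11> each get a/2
            k2 = k[:2 * i] + (v, v) + k[2 * i + 2:]
            out[k2] = out.get(k2, 0.0) + a / 2
    return out

def run(state, n, sample, postselect=False):
    """Return (P[prover continues], P[accept | continues],
    min-entropy in bits of the verifier's unsampled A registers on accept)."""
    rest = [i for i in range(n) if i not in sample]
    if postselect:
        # Steps 1-3 of the slide: the prover knows the sample, measures R
        # outside it and continues only on the all-zero result.
        for i in rest:
            state = keep_outcome(state, 2 * i + 1, 0)
    p_continue = norm2(state)
    for i in sample:
        state = project_epr(state, i)
    p_joint = norm2(state)  # P[continue and accept]
    dist = {}  # computational-basis distribution of the unsampled A registers
    for k, a in state.items():
        x = tuple(k[2 * i] for i in rest)
        dist[x] = dist.get(x, 0.0) + abs(a) ** 2 / p_joint
    h_min = max(0.0, -math.log2(max(dist.values())))
    return p_continue, p_joint / p_continue, h_min

if __name__ == "__main__":
    n, sample = 6, [0, 2, 4]  # constructed parameters: k = 3 sampled pairs
    for name, st, ps in [("honest", epr_pairs(n), False),
                         ("product |00>", product_zero(n), False),
                         ("post-selecting", epr_pairs(n), True)]:
        print(name, run(st, n, sample, postselect=ps))
```

With n = 6 and k = 3 the product-state prover is accepted with probability 1/8, while the post-selecting prover continues with probability 1/8, is then always accepted, and leaves the verifier with 0 bits of min-entropy instead of 3.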

slide-35
SLIDE 35

What can the prover do?

An “undetectable” attack

The prover can

  • prepare the honest state, up to a few errors,
  • prepare a mixture/superposition of such states,
  • purify this mixture, and
  • post-select on a measurement outcome.

$|\phi\rangle^{\otimes n} = |\phi\rangle|\phi\rangle\cdots|\phi\rangle$

$|\psi_e\rangle = |\phi\rangle|\phi\rangle\cdots|\phi\rangle$ [a product of $n$ factors, some of them marked on the slide; the marks are not preserved]

$\rho_{A^nR^n} = \sum_e p_e\,|\psi_e\rangle\langle\psi_e|$

5/8

slide-38
SLIDE 38

What can the prover do?

An “undetectable” attack

The prover can

  • prepare the honest state, up to a few errors,
  • prepare a mixture/superposition of such states,
  • purify this mixture, and
  • post-select on a measurement outcome.

$\cdots$

$\rho_{A^nR^n} = \sum_e p_e\,|\psi_e\rangle\langle\psi_e|$

$|\Psi\rangle_{A^nR^nE} = \sum_e \sqrt{p_e}\,|\psi_e\rangle_{A^nR^n} \otimes |\tau_e\rangle_E$

$|\hat{\Psi}\rangle_{A^nR^nE} = (I_{A^n} \otimes M_{R^nE})\,|\Psi\rangle_{A^nR^nE}$ (ideal state)

5/8

slide-45
SLIDE 45

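The mixed state certification Theorem

Main Result

For any strategy of the prover, if the verifier accepts, his output state $\rho_{A^n}$ satisfies

$\rho_{A^n} \le p_n \cdot \psi_{A^n} + \sigma$

where $p_n$ is a fixed-degree polynomial in $n$, $\psi_{A^n}$ is the reduced operator of an ideal state $|\psi\rangle_{A^nR^nE}$ and $\operatorname{tr}(\sigma) \le \operatorname{negl}(n)$.

Application to Cryptography

For any POVM operator $E^{\text{bad}}$ of a “bad” outcome,

$\operatorname{tr}\left(E^{\text{bad}}\rho_{A^n}\right) \le p_n \cdot \operatorname{tr}\left(E^{\text{bad}}\psi_{A^n}\right) + \operatorname{negl}(n)$

Bad outcome on real state has negligible probability if $\operatorname{tr}(E^{\text{bad}}\psi_{A^n})$ is negligible.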

6/8

slide-49
SLIDE 49

Generalisations and special cases

Sufficient conditions

  • Invariance under permutations. Equivalent to protocol where verifier permutes his registers with random $\pi$ and announces $\pi$ to the prover.
  • Behaves well on “easy” state. The verifier detects any cheating attempt with overwhelming probability on a state of the form $\sigma^{\otimes n}$ for $\sigma$ distant from reference state $\phi$.

Corollary

Theorem implies security of

  • a local measurement certification protocol for $\phi = \frac{I}{2}$,
  • pure state certification [BF10], and
  • a “distributed” pure state certification protocol [DDN14] not covered by [BF10].

7/8

slide-53
SLIDE 53

Application: secure two-party randomness generation

7/8

slide-61
SLIDE 61

Secure Two-Party Randomness Generation

Goal

Produce $X_A, X_B \in \{0,1\}^n$ such that

  • $X_A = X_B$ if Alice and Bob are both honest,
  • $H_\infty(X_A) \ge (1-\epsilon)n$ and $H_\infty(X_B) \ge (1-\epsilon)n$ except with negligible probability.

Protocol

  • Alice prepares $|\Psi\rangle_{AB}^{\otimes N}$ and sends $B^N$ to Bob.
  • Bob certifies that most of his registers are close to $\frac{I}{2}$.
  • Alice and Bob measure their remaining $n$ registers.

Our main result ensures that the measurement outcome will have near maximal min-entropy

8/8

slide-62
SLIDE 62

Thank you!

8/8

slide-63
SLIDE 63

[BF10] Niek J. Bouman and Serge Fehr. Sampling in a quantum population, and applications. In Advances in Cryptology - CRYPTO 2010, 30th Annual Cryptology Conference, volume 6223 of Lecture Notes in Computer Science, pages 724–741. Springer, 2010.

[DDN14] Ivan Damgård, Frédéric Dupuis, and Jesper Buus Nielsen. On the orthogonal vector problem and the feasibility of unconditionally secure leakage resilient computation. Cryptology ePrint Archive, Report 2014/282, 2014. http://eprint.iacr.org/.

8/8