security proofs for continuous variable quantum key
play

Security proofs for continuous-variable quantum key distribution - PowerPoint PPT Presentation

Feb 06, 2024 •375 likes •711 views

Security proofs for continuous-variable quantum key distribution Anthony Leverrier Inria Paris QCrypt 2020 - virtual 10 August 2020 Anthony Leverrier (Inria) QCrypt 2020 1 / 24 Disclaimer there wont be any COVID joke, sorry! I

  1. Security proofs for continuous-variable quantum key distribution Anthony Leverrier Inria Paris QCrypt 2020 - virtual 10 August 2020 Anthony Leverrier (Inria) QCrypt 2020 1 / 24

  2. Disclaimer ◮ there won’t be any COVID joke, sorry! ◮ I won’t really talk about experimental stuff ◮ I won’t talk about the zillion CVQKD protocols out there, only about a couple that are ◮ simple to describe AND ◮ simple to implement ◮ the talk might contain controversial 1 statements such as: "sure, BB84 is a fine protocol, but it’s high time we move to CV protocols!" 1 but nothing too provocative! e.g. I won’t talk about the quantum Internet Anthony Leverrier (Inria) QCrypt 2020 2 / 24

  3. Outline Discrete versus continuous variables ◮ BB84 vs CVQKD State-of-the-art for security proofs ◮ Gaussian vs discrete modulation of coherent states Next steps, open questions ◮ finite size setting, general attacks Anthony Leverrier (Inria) QCrypt 2020 3 / 24

  4. Discrete versus continuous variables Anthony Leverrier (Inria) QCrypt 2020 4 / 24

  5. Two natural/simple qkd protocols BB84 ◮ so natural that it would have been discovered eventually (much later?), even without B & B ◮ distribute copies of | 00 � + | 11 � ◮ measure with ✶ = 1 2 ( | 0 �� 0 | + | 1 �� 1 | + | + �� + | + |−��−| ) CVQKD = THE ∞ -dim generalization a † ˆ b † | vacuum � ◮ distribute copies of | 00 � + λ | 11 � + λ 2 | 22 � + · · · + λ k | kk � + · · · = e λ ˆ ❈ | α �� α | d α , with coherent state | α � = e −| α | 2 / 2 ∑ ∞ α k ◮ measure with ✶ = 1 a † | vacuum � � = e α ˆ √ k ! | k � k = 0 π a.k.a. coherent detection , heterodyne measurement, or double-homodyne measurement alternative for CVQKD ◮ measure the quadratures (homodyne detection) = ⇒ the setup of the EPR paper from 1935! 2 2 formalized much later: Ralph (99), Reid (00), Cerf & al. (01), Grosshans-Grangier (02), Weedbrook & al. (03)... Anthony Leverrier (Inria) QCrypt 2020 5 / 24

  6. Two natural/simple qkd protocols BB84 ◮ so natural that it would have been discovered eventually (much later?), even without B & B ◮ distribute copies of | 00 � + | 11 � ◮ measure with ✶ = 1 2 ( | 0 �� 0 | + | 1 �� 1 | + | + �� + | + |−��−| ) CVQKD = THE ∞ -dim generalization a † ˆ b † | vacuum � ◮ distribute copies of | 00 � + λ | 11 � + λ 2 | 22 � + · · · + λ k | kk � + · · · = e λ ˆ ❈ | α �� α | d α , with coherent state | α � = e −| α | 2 / 2 ∑ ∞ α k ◮ measure with ✶ = 1 a † | vacuum � � = e α ˆ √ k ! | k � k = 0 π a.k.a. coherent detection , heterodyne measurement, or double-homodyne measurement alternative for CVQKD ◮ measure the quadratures (homodyne detection) = ⇒ the setup of the EPR paper from 1935! 2 2 formalized much later: Ralph (99), Reid (00), Cerf & al. (01), Grosshans-Grangier (02), Weedbrook & al. (03)... Anthony Leverrier (Inria) QCrypt 2020 5 / 24

  7. Two natural/simple qkd protocols BB84 ◮ so natural that it would have been discovered eventually (much later?), even without B & B ◮ distribute copies of | 00 � + | 11 � ◮ measure with ✶ = 1 2 ( | 0 �� 0 | + | 1 �� 1 | + | + �� + | + |−��−| ) CVQKD = THE ∞ -dim generalization a † ˆ b † | vacuum � ◮ distribute copies of | 00 � + λ | 11 � + λ 2 | 22 � + · · · + λ k | kk � + · · · = e λ ˆ ❈ | α �� α | d α , with coherent state | α � = e −| α | 2 / 2 ∑ ∞ α k ◮ measure with ✶ = 1 a † | vacuum � � = e α ˆ √ k ! | k � k = 0 π a.k.a. coherent detection , heterodyne measurement, or double-homodyne measurement alternative for CVQKD ◮ measure the quadratures (homodyne detection) = ⇒ the setup of the EPR paper from 1935! 2 2 formalized much later: Ralph (99), Reid (00), Cerf & al. (01), Grosshans-Grangier (02), Weedbrook & al. (03)... Anthony Leverrier (Inria) QCrypt 2020 5 / 24

  8. Theory vs practice BB84 in practice: NOT SO SIMPLE! ◮ single photons are usually prepared via | 00 � + λ | 11 � + λ 2 | 22 � + · · · + λ k | kk � + · · · and heralding ◮ experimentally-friendlier version of BB84 relies on (phase-randomized) coherent states = ⇒ same states as in CVQKD! requires to tweak completely redo the analysis (multi-photon pulses) ◮ photon counters hard to implement replaced by threshold detectors ⇒ infinite-dimensional Fock space, same as CVQKD! = CVQKD: pretty much as advertised ◮ same states, same measurement as specified (modulo a finite precision issue) ◮ P & M version: Alice prepares | α � with α ∼ N ❈ ( 0 , σ 2 ) (or α from finite set) ◮ implementations today closely match the original protocols my personal (provocative) view: BB84 was nice to launch the field of quantum crypto, but the future belongs to CV! Anthony Leverrier (Inria) QCrypt 2020 6 / 24

  9. Theory vs practice BB84 in practice: NOT SO SIMPLE! ◮ single photons are usually prepared via | 00 � + λ | 11 � + λ 2 | 22 � + · · · + λ k | kk � + · · · and heralding ◮ experimentally-friendlier version of BB84 relies on (phase-randomized) coherent states = ⇒ same states as in CVQKD! requires to tweak completely redo the analysis (multi-photon pulses) ◮ photon counters hard to implement replaced by threshold detectors ⇒ infinite-dimensional Fock space, same as CVQKD! = CVQKD: pretty much as advertised ◮ same states, same measurement as specified (modulo a finite precision issue) ◮ P & M version: Alice prepares | α � with α ∼ N ❈ ( 0 , σ 2 ) (or α from finite set) ◮ implementations today closely match the original protocols my personal (provocative) view: BB84 was nice to launch the field of quantum crypto, but the future belongs to CV! Anthony Leverrier (Inria) QCrypt 2020 6 / 24

  10. Theory vs practice BB84 in practice: NOT SO SIMPLE! ◮ single photons are usually prepared via | 00 � + λ | 11 � + λ 2 | 22 � + · · · + λ k | kk � + · · · and heralding ◮ experimentally-friendlier version of BB84 relies on (phase-randomized) coherent states = ⇒ same states as in CVQKD! requires to tweak completely redo the analysis (multi-photon pulses) ◮ photon counters hard to implement replaced by threshold detectors ⇒ infinite-dimensional Fock space, same as CVQKD! = CVQKD: pretty much as advertised ◮ same states, same measurement as specified (modulo a finite precision issue) ◮ P & M version: Alice prepares | α � with α ∼ N ❈ ( 0 , σ 2 ) (or α from finite set) ◮ implementations today closely match the original protocols my personal (provocative) view: BB84 was nice to launch the field of quantum crypto, but the future belongs to CV! Anthony Leverrier (Inria) QCrypt 2020 6 / 24

  11. ok... are there any drawbacks to CVQKD? of course not! More challenging theory 3 ◮ ∞ dimension (same is kind of true for implementations of DVQKD) ◮ continuous-valued AND unbounded measurement operators ◮ quality of the correlations measured via covariance matrix (unbounded) , not QBER or CHSH score = ⇒ conceptual difficulties, but rather clean problems Experimental performance: seems less robust to loss than DV ◮ losses are filtered out for DV: discard the no-click events 4 ◮ all pulses are there for CV, but noisier = ⇒ harder to estimate the channel parameters precisely ◮ very large blocks required for long distance 3 modern DVQKD protocols are also very complex! 4 modulo some assumptions on the detectors (as demonstrated by Vadim Makarov!) Anthony Leverrier (Inria) QCrypt 2020 7 / 24

  12. ok... are there any drawbacks to CVQKD? of course not! More challenging theory 3 ◮ ∞ dimension (same is kind of true for implementations of DVQKD) ◮ continuous-valued AND unbounded measurement operators ◮ quality of the correlations measured via covariance matrix (unbounded) , not QBER or CHSH score = ⇒ conceptual difficulties, but rather clean problems Experimental performance: seems less robust to loss than DV ◮ losses are filtered out for DV: discard the no-click events 4 ◮ all pulses are there for CV, but noisier = ⇒ harder to estimate the channel parameters precisely ◮ very large blocks required for long distance 3 modern DVQKD protocols are also very complex! 4 modulo some assumptions on the detectors (as demonstrated by Vadim Makarov!) Anthony Leverrier (Inria) QCrypt 2020 7 / 24

  13. P & M version of CVQKD ◮ Alice sends | α 1 � , · · · | α n � ◮ α k either Gaussian variable or element from a finite set (e.g. {± α , ± i α } ) ◮ Bob measures with heterodyne detection: gets β 1 , · · · , β n ∈ ❈ . ◮ typical model: β = t α + γ with fixed attenuation t and Gaussian noise γ ∼ N ❈ ( 0 , 1 + t 2 ξ ) ◮ t ∼ 0 . 1 at 100km ◮ ξ is the excess noise : 10 − 3 − 10 − 2 in implementations = ⇒ hard to mesure precisely ◮ classical postprocessing (essentially identical to DV) ◮ key map: from Bob’s data (reverse reconcilation 5 ) β 1 , · · · β n → x 1 , · · · x N ∈ { 0 , 1 } ◮ parameter estimation: covariance matrix of α , β (informally, want to estimate t, ξ ) = ⇒ the most challenging part ◮ privacy amplification 5 actually same for BB84 due to discarding no-click events Anthony Leverrier (Inria) QCrypt 2020 8 / 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Spacetime Replication of Continuous Variable Quantum Information Grant Salton Stanford

Spacetime Replication of Continuous Variable Quantum Information Grant Salton Stanford

Spacetime Replication of Continuous Variable Quantum Information Grant Salton Stanford University With: Patrick Hayden, Sepehr Nezami, and Barry Sanders arXiv: 1501.#### Quantum Error Correction 2014 Outline Part 1: Replicating

809 views • 24 slides
Continuous-variable quantum computing: scalable designs and fault tolerance Nicolas C

Continuous-variable quantum computing: scalable designs and fault tolerance Nicolas C

Continuous-variable quantum computing: scalable designs and fault tolerance Nicolas C Menicucci RIT Jul 2020 (Comic sans forever!) My group https://www.qurmit.org/ 2 ARC Centre of Excellence https://www.cqc2t.org/ 3 What is

1.53k views • 135 slides
Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shu ichi Katsumata (The University of Tokyo /AIST) Shota Yamada Takashi Yamakawa (AIST) (NTT) 1 Post Quantum Cryptography

1.22k views • 86 slides
Formal proofs, variable binding, and program extraction from proofs Colloquium Logicum 2016 (10

Formal proofs, variable binding, and program extraction from proofs Colloquium Logicum 2016 (10

Formal proofs, variable binding, and program extraction from proofs Colloquium Logicum 2016 (10 - 12 September 2016, Hamburg) Gyesik Lee Hankyong National University 1 Overview 1. Verification of proofs 2. Hales proof of the Kepler

651 views • 43 slides
Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth workshop Introduction to the workshop PROOFS: Security Proofs for Embedded Systems UCSB August 20, 2016 5th edition of PROOFS PROOFS 2012:

311 views • 7 slides
continuous random variables Continuous random variable: takes values in an uncountable set, e.g.

continuous random variables Continuous random variable: takes values in an uncountable set, e.g.

continuous random variables Discrete random variable: takes values in a finite or countable set, e.g. X {1,2, ..., 6} with equal probability X is positive integer i with probability 2 -i continuous random variables Continuous random variable:

763 views • 10 slides
Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne Broadbent (U. of Ottawa) arxiv:1911.07782 Quantum found. QZK Crypto TCS 2 / 19 Interactive proofs 3 / 19 Interactive proofs L NP P V 0

1.06k views • 89 slides
How Quantum Computing This Lower Bound Is . . . Can Help With (Continuous) How Quantum . . .

How Quantum Computing This Lower Bound Is . . . Can Help With (Continuous) How Quantum . . .

Known Advantages of . . . Need to Consider . . . We Consider Only . . . Non-Quantum Lower . . . How Quantum Computing This Lower Bound Is . . . Can Help With (Continuous) How Quantum . . . Auxiliary Quantum . . . Optimization Main

285 views • 24 slides
continuous random variables continuous random variables Discrete random variable: takes values in

continuous random variables continuous random variables Discrete random variable: takes values in

continuous random variables continuous random variables Discrete random variable: takes values in a finite or countable set, e.g. X {1,2, ..., 6} with equal probability X is positive integer i with probability 2 -i Continuous random variable:

464 views • 23 slides
Continuous Random Variables Recall: A continuous random variable X satisfies: its range is the

Continuous Random Variables Recall: A continuous random variable X satisfies: its range is the

ST 380 Probability and Statistics for the Physical Sciences Continuous Random Variables Recall: A continuous random variable X satisfies: its range is the union of one or more real number intervals; 1 P ( X = c ) = 0 for every c in the range of

410 views • 12 slides
The real story of the film so far... X a continuous random variable : for all x , { X x } is an

The real story of the film so far... X a continuous random variable : for all x , { X x } is an

The real story of the film so far... X a continuous random variable : for all x , { X x } is an Mathematics for Informatics 4a event and P ( X = x ) = 0 (Some) continuous random variables have probability density functions f such that Jos e

336 views • 6 slides
Continuous Random Variables For a discrete variable X, the cumulative distribution function , F(x)

Continuous Random Variables For a discrete variable X, the cumulative distribution function , F(x)

Introduction to Statistics Continuous Random Variables For a discrete variable X, the cumulative distribution function , F(x) = P(X x) , is a step function: F(x) = i:xi x P(X=x i ) For a continuous variable, the cdf is a smooth, non

646 views • 15 slides
CONTINUOUS SECURITY CONTINUOUS SECURITY IN THE DEVOPS WORLD IN THE DEVOPS WORLD JULIEN VEHENT

CONTINUOUS SECURITY CONTINUOUS SECURITY IN THE DEVOPS WORLD IN THE DEVOPS WORLD JULIEN VEHENT

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ CONTINUOUS SECURITY CONTINUOUS SECURITY IN THE DEVOPS WORLD IN THE DEVOPS WORLD JULIEN VEHENT JULIEN VEHENT MOZILLA SECURITY MOZILLA SECURITY

724 views • 49 slides
Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA)

800 views • 58 slides
Continuous Random Variables Recall that when a random variable takes values in an entire interval,

Continuous Random Variables Recall that when a random variable takes values in an entire interval,

ST 370 Probability and Statistics for Engineers Continuous Random Variables Recall that when a random variable takes values in an entire interval, the variable is called continuous . Example: Flash unit recharge time The time that a flash unit

430 views • 19 slides
DISCRETIZE: Command to Convert a Continuous Instrument into a Dummy Variable for Instrumental

DISCRETIZE: Command to Convert a Continuous Instrument into a Dummy Variable for Instrumental

DISCRETIZE: Command to Convert a Continuous Instrument into a Dummy Variable for Instrumental Variable Estimation DISCRETIZE: Command to Convert a Continuous Instrument into a Dummy Variable for Instrumental Variable Estimation Federico Curci,

876 views • 22 slides
Lecture 13 : The Exponential Distribution 0/ 19 Definition A continuous random variable X is

Lecture 13 : The Exponential Distribution 0/ 19 Definition A continuous random variable X is

Lecture 13 : The Exponential Distribution 0/ 19 Definition A continuous random variable X is said to have exponential distribution with parameter . If the pdf of X is (with > 0 ) e x , x > 0 f ( x ) = (*) 0 ,

339 views • 20 slides
Communication Complexity of Learning Discrete Distributions Krzysztof Onak IBM T.J. Watson

Communication Complexity of Learning Discrete Distributions Krzysztof Onak IBM T.J. Watson

Communication Complexity of Learning Discrete Distributions Krzysztof Onak IBM T.J. Watson Research Center Joint work with Ilias Diakonikolas , Elena Grigorescu , and Abhiram Natarajan . Krzysztof Onak (IBM Research) Communication Complexity of

634 views • 50 slides
Distributed Graph Processing Lecture 13 CSCI 4974/6971 17 Oct 2016 1 / 9 Todays Biz 1.

Distributed Graph Processing Lecture 13 CSCI 4974/6971 17 Oct 2016 1 / 9 Todays Biz 1.

Distributed Graph Processing Lecture 13 CSCI 4974/6971 17 Oct 2016 1 / 9 Todays Biz 1. Reminders 2. Review 3. Assignment 3 4. Distributed Graph Processing 2 / 9 Reminders Assignment 4: out soon - due date TBD Project Update

805 views • 9 slides
MapReduce Reduce Introdu duction ion and Hadoop p Overvie view Lab Course: Databases &

MapReduce Reduce Introdu duction ion and Hadoop p Overvie view Lab Course: Databases &

13 June 2012 MapReduce Reduce Introdu duction ion and Hadoop p Overvie view Lab Course: Databases & Cloud Computi ting ng SS SS 2012 2012 Mart rtin in Przyja zyjaciel el-Zablo Zablocki ki Alexa lexander er Sch htz

1.16k views • 69 slides
Definition of Stochastic Processes Definition of Stochastic Processes st Order Density

Definition of Stochastic Processes Definition of Stochastic Processes st Order Density

Definition of Stochastic Processes Definition of Stochastic Processes st Order Density and Distribution 1 1 st Order Density and Distribution nd Order Density and Distribution 2 2 nd Order Density and Distribution

568 views • 3 slides
BeyOND Unleashing BOND Thomas Bernecker, Franz Graf, Hans-Peter Kriegel, , , g , Christian

BeyOND Unleashing BOND Thomas Bernecker, Franz Graf, Hans-Peter Kriegel, , , g , Christian

DBRank 2011 LUDWIG- August 29, 2011 MAXIMILIANS- DEPARTMENT DATABASE UNIVERSITT INSTITUTE FOR SYSTEMS Seattle, WA Seattle WA MNCHEN MNCHEN INFORMATICS INFORMATICS GROUP GROUP BeyOND Unleashing BOND Thomas Bernecker, Franz

420 views • 23 slides
Embe mbedding dding as a To Tool ol for Al Algorithm orithm De Design sign Le Song

Embe mbedding dding as a To Tool ol for Al Algorithm orithm De Design sign Le Song

Embe mbedding dding as a To Tool ol for Al Algorithm orithm De Design sign Le Song College of Computing Center for Machine Learning Georgia Institute of Technology What is machine learning (ML) Design algorithms and systems that can

467 views • 42 slides
Geometric losses for distributional learning Arthur Mensch (1) , Mathieu Blondel (2) , Gabriel

Geometric losses for distributional learning Arthur Mensch (1) , Mathieu Blondel (2) , Gabriel

Geometric losses for distributional learning Arthur Mensch (1) , Mathieu Blondel (2) , Gabriel Peyr e (1) (1) Ecole Normale Sup erieure, DMA Centre National pour la Recherche Scientifique Paris, France (2) NTT Communication Science

927 views • 47 slides

More recommend