Cryptography in the Bounded-Quantum-Storage Model
This thesis initiates the study of cryptographic protocols in the bounded-quantum-storage model. On the practical side, simple protocols for Rabin Oblivious Transfer, 1-2 Oblivious Transfer and Bit Commitment are presented. No quantum memory is requi…
Authors: **Christian Schaffner** (principal author, Aarhus University, PhD); collaborator: **Ivan Damgård**
Cryptography in the Bounded-Quantum-Storage Model
Christian Schaffner
PhD Dissertation
BRICS Research School, DAIMI – Department of Computer Science, University of Aarhus, Denmark

A Dissertation Presented to the Faculty of Science of the University of Aarhus in Partial Fulfillment of the Requirements for the PhD Degree, by Christian Schaffner. Official version submitted: March 2, 2007. Final version: May 29, 2018.

Abstract

Cryptographic primitives such as oblivious transfer and bit commitment are impossible to realize if unconditional security is required against adversaries who are unbounded in running time and memory size. Therefore, it is a great challenge to come up with restrictions on the adversary's capabilities such that on the one hand interesting cryptographic primitives become possible, but on the other hand the model is still realistic and as close to practice as possible. The bounded-quantum-storage model is a prime example of such a cryptographic model. In this thesis, we initiate the study of cryptographic primitives with unconditional security under the sole assumption that the adversary's quantum memory is of bounded size. Oblivious transfer and bit commitment can be implemented in this model using protocols where honest parties need no quantum memory, whereas an adversarial player needs to store at least a large fraction of the total number of transmitted qubits in order to break the protocol. This is in sharp contrast to the classical bounded-memory model, where we can only tolerate adversaries with memory of size polynomially larger than the honest players' memory size. On the practical side, our protocols are efficient, non-interactive and can be adapted to cope with various kinds of noise in the transmission. In fact, they can be implemented using today's technology.
On the theoretical side, new entropic uncertainty relations involving min-entropy are established and used to prove the security of protocols in the bounded-quantum-storage model according to new strong security definitions. The uncertainty relations lower bound the min-entropy of the encoding used in most quantum-cryptographic protocols and therefore contribute to the understanding of the quantum effects which these protocols are based upon. The most direct way to make use of these lower bounds is by assuming a quantum-memory bound on the adversary. For instance, in the realistic setting of Quantum Key Distribution (QKD) against quantum-memory-bounded eavesdroppers, the uncertainty relation makes it possible to prove the security of QKD protocols while tolerating considerably higher error rates compared to the standard model with unbounded adversaries.

In addition, though not directly related to the bounded-quantum-storage model, a classical result about unconditionally secure 1-out-of-2 Oblivious Transfer (1-2 OT) is obtained. It is pointed out that the standard security requirement for 1-2 OT of bits, namely that the receiver only learns one of the bits sent, holds if and only if the receiver has no information on the XOR of the two bits. This result generalizes to 1-2 OT of strings, in which case the security can be characterized in terms of binary linear functions. More precisely, it is shown that the receiver learns only one of the two strings sent if and only if he has no information on the result of applying any binary linear function which non-trivially depends on both inputs to the two strings. This result not only gives new insight into the nature of 1-2 OT, but in particular provides a powerful tool for analyzing 1-2 OT protocols.
With this characterization at hand, the reducibility of 1-2 OT of strings to a wide range of weaker primitives follows by a very simple argument.

Acknowledgements

I am grateful to everyone who helped and supported me during my PhD studies here in Århus. First of all, I want to cordially thank my supervisors and co-authors Louis Salvail and Ivan Damgård and the whole cryptology group at DAIMI for providing an excellent environment for cryptographic research. Countless are the hours I have spent discussing scientific as well as non-scientific issues with Louis, merci beaucoup! I thank my other co-authors Claude Crépeau, Serge Fehr, Renato Renner, George Savvides and Jürg Wullschleger for many inspiring visits and discussions. I appreciated very much being a PhD student in a well-organized and well-funded research group and being able to work in a brand-new building with plenty of space, great infrastructure and always helpful and friendly staff and secretaries: Ellen, Hanne, Karen, Lene, Michael, and Uffe. Studying in Århus has been a great experience mainly because of all the friends from the constantly changing "gang" of foreign and Danish fellows at DAIMI including Allan, Claudio, Claus, Doina, Gabi, Henrik, Jan, Jesper, Jooyong, Johan, Kevin, Michael, Mikkel, Mirka, Rune, Tord, Thomas M, Tomas, and Troels; but not to forget the ones who have left Denmark and are now spread around the world: Barnie, Christopher, Emanuela and Paolo, Fitzi, Gosia and Darek, Jens, Jesús, Karl, Kirill, Marco, Nelly and Antonio, Philipp, Thomas P, and Saurabh. I thank you all for the wonderful time, both at and off the table-soccer table. Special thanks to Gosia and Henrik for constructive comments on the introduction of this thesis and to Jürg and Serge for further comments.
I would also like to thank Claude Crépeau for hosting me for a fantastic summer half-year at McGill University in Montréal, where I had the chance to meet many interesting people doing quantum research and to experience the exciting spot where the francophone part of North America meets the anglophone rest of the continent. I thank Prof. Andreas Winter from the University of Bristol and Prof. Stefan Wolf from ETH Zürich as well as Prof. Susanne Bødker from the University of Aarhus for agreeing to constitute the evaluation committee for my PhD thesis. Last but not least, I want to express my gratitude to my family for their immense love and support from the distance. I am infinitely grateful for the great childhood they gave me, which was and still is an invaluable source of self-confidence for me.

This research was partially supported by the EU Project SECOQC, No: FP6-2002-IST-1-506813.

Christian Schaffner, Århus, March 2, 2007.

Contents

Abstract
Acknowledgements
Contents
1 Introduction
  1.1 Cryptographic Models and Basic Primitives
  1.2 Classical Bounded-Storage Model
  1.3 Contributions
    1.3.1 Bounded-Quantum-Storage Model
    1.3.2 Characterization of Security of Classical 1-2 OT
    1.3.3 Quantum Security Definitions and Protocols
    1.3.4 Quantum Uncertainty Relations
    1.3.5 QKD against Quantum-Memory-Bounded Eavesdropper
  1.4 Outline of the Thesis
  1.5 Related Work
2 Preliminaries
  2.1 Notation and Basic Tools
  2.2 Probability Theory
  2.3 Quantum Information Theory
  2.4 Entropies
    2.4.1 Classical Rényi Entropy
    2.4.2 Smooth Rényi Entropy
    2.4.3 Min-Entropy-Splitting Lemma
    2.4.4 Entropy of Quantum States
  2.5 Two-Universal Hashing and Privacy Amplification
    2.5.1 History and Setting of Privacy Amplification
    2.5.2 Two-Universal Hashing
    2.5.3 Privacy Amplification against Quantum Adversaries
    2.5.4 Classical Privacy Amplification
3 Classical Oblivious Transfer
  3.1 Introduction and Outline
  3.2 Defining 1-2 OT
    3.2.1 Randomized 1-2 OT of Bits
    3.2.2 Randomized 1-2 OT of Strings
  3.3 Characterizing Sender-Security
    3.3.1 The Case of Bit OT
    3.3.2 The Case of String OT
  3.4 Applications
    3.4.1 Reducing 1-2 OT^ℓ to Repetitions of Weak 1-2 OTs
    3.4.2 Reducing 1-2 OT^ℓ to One Execution of UOT
    3.4.3 Quantitative Comparisons to Related Work
  3.5 Extension to 1-n OT^ℓ
  3.6 1-2 OT in a Quantum Setting
4 Quantum Uncertainty Relations
  4.1 Preliminaries
    4.1.1 Operators and Norms
    4.1.2 Azuma's Inequality
    4.1.3 Mathematical Tools
  4.2 History and Previous Work
    4.2.1 Mutually Unbiased Bases
    4.2.2 Uncertainty Relations Using Shannon Entropy
    4.2.3 Higher-Order Entropic Uncertainty Relations
  4.3 Two Mutually Unbiased Bases
  4.4 More Mutually Unbiased Bases
  4.5 Independent Bases for Each Subsystem
    4.5.1 A Classical Tool
    4.5.2 Quantum Uncertainty Relations
    4.5.3 The Overall Average Entropic Uncertainty Bound
5 Rabin OT in the Bounded-Quantum-Storage Model
  5.1 The Definition
  5.2 The Protocol
  5.3 Modeling Dishonest Receivers
  5.4 Security Against Dishonest Receivers
  5.5 On the Necessity of Privacy Amplification
  5.6 Weakening the Assumptions
    5.6.1 Weak Quantum Model
  5.7 Rabin OT of Strings
6 1-2 OT in the Bounded-Quantum-Storage Model
  6.1 The Definition
  6.2 The Protocol
  6.3 Security Against Dishonest Receivers
  6.4 Extensions
    6.4.1 1-2 OT^ℓ with Longer Strings
    6.4.2 Weakening the Assumptions
    6.4.3 Reversing the Quantum Communication
7 Quantum Bit Commitment
  7.1 The Protocol
  7.2 Modeling Dishonest Committers
  7.3 Defining the Binding Property
    7.3.1 The "Standard" Binding Condition
    7.3.2 A Stronger Binding Condition
  7.4 Weak Binding of the Commitment Scheme
  7.5 Strong Binding of the Commitment Scheme
  7.6 Weakening the Assumptions
8 QKD Against Bounded Eavesdroppers
  8.1 Derivation of the Maximum Tolerated Noise Level
  8.2 The Binary-Channel Setting
  8.3 Possible Extensions
9 Conclusion
  9.1 Towards Practice
    9.1.1 More Imperfections
    9.1.2 Generalizing the Memory Model
  9.2 Conclusion
Notation
Bibliography
Index

Chapter 1
Introduction

In the quest for interesting cryptographic models, bounding the quantum memory of adversarial players is a great assumption.

1.1 Cryptographic Models and Basic Primitives

It is a fascinating art to come up with protocols¹ that achieve a cryptographic task like encryption, authentication, identification, voting, or secure function evaluation, to name just a famous few. To define a notion of security for such protocols, one needs to specify a cryptographic model, i.e. an environment in which the protocol is run.
The model states, for example, the number of honest and dishonest players, the allowed running time and amount of memory available to honest and dishonest players, how dishonest players are allowed to deviate from the protocol, the use of external resources like (quantum) communication channels or other already established cryptographic functionalities, etc.

While coming up with more and more protocols for different models, cryptographers realized that some basic primitives (i.e. precisely defined cryptographic tasks) are useful as "benchmarks" of how powerful a particular cryptographic model is. An example is the two-party primitive Oblivious Transfer (OT). It comes in different flavors, but all of these variants are equivalent in the sense that any one of them can be implemented using (possibly several instances of) another. The one-out-of-two variant 1-2 OT was originally introduced by Wiesner around 1970 (but only published much later in [Wie83]) in the very first paper about quantum cryptography, and later rediscovered by Even, Goldreich, and Lempel [EGL82]. It lets a sender Alice transmit two bits to a receiver Bob, who can choose which of them to receive. A secure implementation of 1-2 OT does not allow a dishonest sender to learn which of the two bits was received, and it does not allow a dishonest receiver to learn any information about the second bit. It was a surprising insight when Kilian showed that this simple primitive is complete for two-party cryptography [Kil88]. In other words, a model in which 1-2 OT can be securely implemented makes it possible to implement any cryptographic functionality between two players².

¹ A protocol consists of clear-cut instructions for the participating players.
Another variant we are concerned with in this thesis was introduced by Rabin [Rab81] and is hence called Rabin Oblivious Transfer (Rabin OT). It is basically a "secure erasure channel": the sender Alice sends a bit which with probability one half is absorbed and with probability one half finds its way to the receiver Bob. The security requirements are the following: whatever a dishonest Alice does, she cannot find out whether the bit was received or not; and whatever a dishonest receiver does, he does not get any information about the bit with probability one half.

Yet another basic two-party primitive of interest is Bit Commitment (BC), which allows a player to commit himself to a choice of a bit b by communicating with a verifier. The verifier should not learn b (we say the commitment is hiding), yet the committer can later choose to reveal b in a convincing way, i.e. only the value fixed at commitment time will be accepted by the verifier (we say the commitment is binding). Bit Commitment is a fundamental building block of virtually every more complicated cryptographic protocol. Implementing secure BC with a secure 1-2 OT at hand is not difficult³. On the other hand, there are cryptographic models in which BC, but not 1-2 OT, can be securely implemented. Moran and Naor gave an example of such a model by assuming the physical device of a tamper-proof seal [MN05].

It is not hard to see that the two security requirements for BC are in a sense contradictory, so perfectly secure bit commitment cannot be implemented "from scratch", that is, if only error-free communication is available and there is no limitation assumed on the computing power and memory of the players.

² If the model can be reasonably extended to more players, this usually allows one to implement secure multi-party protocols as well.
The informal reason for this is that the hiding property implies that when 0 is committed to, exactly the same information exchange could have happened when committing to 1. Hence, even if 0 was actually committed to, the committer could always compute a complete view of the protocol consistent with having committed to 1, and pretend that this view was what he had in mind originally. By the reduction of BC to 1-2 OT it follows that 1-2 OT and many other cryptographic functionalities cannot be perfectly secure either when built from scratch.

One might hope that allowing the protocol to make use of quantum communication would make a difference. Here, information is stored in qubits, i.e., in the state of two-level quantum mechanical systems, such as the polarization state of a single photon. Quantum information behaves in a way that is fundamentally different from classical information, enabling, for instance, unconditionally secure key exchange between two honest players (so-called Quantum Key Distribution). However, in the case of two mutually distrusting parties, we are not so fortunate: even with quantum communication, unconditionally secure BC and 1-2 OT remain impossible. This is the infamous impossibility result by Mayers and by Lo and Chau [May97, LC97]. For this reason, cryptographers have tried hard to exhibit more restricted models where these impossibility results do not apply. The high art in this process is to find assumptions that are as realistic as possible, thus only minimally restricting the model, but still strong enough to allow for implementing interesting functionalities. There are at least three kinds of possible assumptions, namely
• bounding the computing power of players,
• using the noise in the communication channel,
• exploiting some physical limitation of the adversary, e.g., if the size of the available memory is bounded.

The first scenario is the basis of many well-known solutions based on plausible but unproven complexity assumptions, such as the hardness of factoring or discrete logarithms. A term often used for such schemes is "computational security", meaning that it is not impossible for an adversary to behave dishonestly, but it is computationally infeasible for him to do so. Security proofs are usually done by reduction, in the sense that breaking the security of the protocol would imply solving a hard problem like factoring the product of two large prime numbers. The second scenario has been used to construct both BC and OT protocols in various models for the noise by Crépeau, Kilian, Damgård, Salvail, Fehr, Morozov, Wolf, and Wullschleger [CK88, DKS99, DFMS04, CMW04, Wul07]. The third scenario is the focus of this thesis. In contrast to the first scenario, we deal with "unconditional security", where (depending on the task a protocol aims to achieve) an adversary has no way whatsoever to gain illegal information. Proofs are not done by reduction, but we can prove in information-theoretic terms that, except with negligible probability, the adversary does not learn any information that is meant to remain secret.

³ To commit to a bit b, the committer sends random bits of parity b via (several instances of) 1-2 OT and the verifier picks randomly one of the bits. To open, the committer sends all the random bits he was using; the verifier checks whether these are consistent with what he received.
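The reduction of BC to 1-2 OT sketched in footnote 3 (pairs of random bits of parity b, sent through 1-2 OT so that the verifier holds one bit of each pair), run as an added simulation. This is example code written for this page, not code from the thesis: the 1-2 OT is an ideal oracle (`ideal_ot`), the function names are this example's own, and the coin flips are seeded so runs are reproducible.

```python
"""Bit commitment from an ideal 1-2 OT: hiding and binding, simulated."""
import random

def ideal_ot(pair, choice):
    """Ideal 1-2 OT: the receiver obtains pair[choice]; by convention the
    sender learns nothing about `choice` (an oracle, not a real protocol)."""
    return pair[choice]

def commit(b, n, rng):
    """Committer: n random pairs (x_i, x_i XOR b); every pair has parity b."""
    pairs = []
    for _ in range(n):
        x = rng.randrange(2)
        pairs.append((x, x ^ b))
    return pairs

def receive(pairs, rng):
    """Verifier: pick a random position per pair and get that bit via OT.
    Each received bit is uniform whatever b is, so the commitment is
    perfectly hiding."""
    choices = [rng.randrange(2) for _ in pairs]
    received = [ideal_ot(p, c) for p, c in zip(pairs, choices)]
    return choices, received

def honest_run(b, n, seed=0):
    """Commit phase between an honest committer and verifier."""
    rng = random.Random(seed)
    pairs = commit(b, n, rng)
    choices, received = receive(pairs, rng)
    return pairs, choices, received

def verify_opening(b, opened_pairs, choices, received):
    """Verifier accepts the opening to b iff every opened pair agrees with the
    bit he already holds and every pair has parity b."""
    for (x0, x1), c, r in zip(opened_pairs, choices, received):
        if (x0, x1)[c] != r or x0 ^ x1 != b:
            return False
    return True

def cheat_open(pairs, guesses):
    """To open to 1-b the committer must flip exactly one bit in every pair;
    guesses[i] is the position he hopes the verifier did NOT receive."""
    return [(x0 ^ (g == 0), x1 ^ (g == 1))
            for (x0, x1), g in zip(pairs, guesses)]

def cheat_success_rate(n, trials, seed=0):
    """Monte Carlo estimate of the binding error: the committer commits to b,
    then tries to open 1-b by guessing the unseen positions. Expect ~2^-n."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        b = rng.randrange(2)
        pairs = commit(b, n, rng)
        choices, received = receive(pairs, rng)
        guesses = [rng.randrange(2) for _ in range(n)]  # choices are unknown
        if verify_opening(1 - b, cheat_open(pairs, guesses), choices, received):
            wins += 1
    return wins / trials

if __name__ == "__main__":
    for n in (1, 4, 10):
        print(n, cheat_success_rate(n, 20000))
```

Binding is only statistical: every flipped bit lands on a bit the verifier holds with probability 1/2, so `cheat_success_rate(n, trials)` comes out near 2^-n, which is the "several instances" part of the footnote.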
1.2 Classical Bounded-Storage Model

In the classical bounded-storage model, we assume the players to use classical error-free communication and to be computationally unbounded, but on the other hand restrict the size of their memory. In the usual setting, there is a large random source R (often called the randomizer) which all players can access, but which is too large (or transmitted too quickly) to store as a whole. One can think of R as a deep-space radio source or a satellite broadcasting random bits at a very high rate.

When Maurer introduced the classical bounded-storage model in [Mau90], the goal was secure message transmission. He showed that two honest parties Alice and Bob sharing an initial key can expand that key unless the eavesdropper Eve can store more than a large fraction of the randomizer. The basic idea of the technique allowing Alice and Bob to get an advantage over Eve is that their initial secret key indexes some positions in the randomizer about which Eve has some uncertainty if she cannot store the whole randomizer. Therefore, the bits at these positions can be combined to yield more secure key bits and so to expand the initial key.

A line of subsequent work by Maurer, Cachin, Aumann, Ding, Rabin, Dziembowski, Lu, and Vadhan [Mau92, CM97, ADR02, DM04, Lu04, Vad04] improved this original protocol in terms of efficiency and security. Aumann, Ding and Rabin [ADR02] noticed that protocols in this model enjoy the property of "everlasting security" in the sense that the newly generated key remains secure even when the initial key is later revealed and Eve is no longer memory-bounded, under the sole condition that the original randomizer cannot be accessed any more.
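The key-expansion idea of [Mau90] and the everlasting-security observation of [ADR02], as an added simulation written for this page (not the construction from either paper). Two simplifications are assumptions of this example: the shared key is used as the seed of a PRG that picks randomizer positions (the real scheme indexes positions from the key directly), and each derived key bit is the XOR of t randomizer bits so that Eve needs all t of them.

```python
"""Bounded-storage key expansion: Eve stores part of R, then gets the key."""
import random

def broadcast_randomizer(n_bits, seed):
    """The public randomizer R (constructed: n_bits uniform bits)."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n_bits)]

def select_positions(key, n_bits, m, t):
    """Alice and Bob expand the shared key into m groups of t distinct
    positions of R. Deterministic in the key, so both sides agree."""
    rng = random.Random(key)
    return [rng.sample(range(n_bits), t) for _ in range(m)]

def derive_key(randomizer, positions):
    """Derived key bit j is the XOR of R at the t positions of group j."""
    out = []
    for group in positions:
        bit = 0
        for p in group:
            bit ^= randomizer[p]
        out.append(bit)
    return out

def eve_store(randomizer, fraction, seed):
    """Eve keeps a `fraction` of R, chosen while the broadcast happens and
    before she knows anything about the key."""
    rng = random.Random(seed)
    n = len(randomizer)
    kept = rng.sample(range(n), int(fraction * n))
    return {p: randomizer[p] for p in kept}

def eve_recoverable_bits(stored, positions):
    """Everlasting security: even if Eve later learns the key (and so the
    positions), she can compute a derived bit only if she stored every
    position of its group; any missing position leaves the XOR uniform."""
    return sum(1 for group in positions if all(p in stored for p in group))

def expected_leak(fraction, m, t):
    """Expected number of derived bits Eve can reconstruct."""
    return m * fraction ** t

if __name__ == "__main__":
    N = 1 << 14
    R = broadcast_randomizer(N, seed=7)
    pos = select_positions(key=12345, n_bits=N, m=256, t=6)
    half = eve_store(R, 0.5, seed=3)
    print(len(derive_key(R, pos)), "derived bits;",
          eve_recoverable_bits(half, pos), "known to Eve,",
          "expected", expected_leak(0.5, 256, 6))
```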
Ding [Din05] showed how to do error correction in the bounded-storage model and therefore how to cope with the situation when the honest parties do not have exactly the same view on the randomizer. Cachin, Crépeau and Marcil illustrated the power of the bounded-storage model by exhibiting in [CCM98] a protocol for 1-2 OT. Ding improved on this [Din01a] and later showed a constant-round protocol for oblivious transfer in joint work with Harnik, Rosen and Shaltiel [DHRS04]. All these protocols are shown secure as long as the adversary's memory size is at most quadratic in the memory size of the honest players. Considering the ease and low cost of storing massive amounts of classical data nowadays, it is questionable how practical such an assumption on the memory size of the players is. It would clearly be more satisfactory to have a larger than quadratic separation between the memory size of honest players and that of the adversary. However, this was shown to be impossible by Dziembowski and Maurer [DM04].

1.3 Contributions

In this section, we give an overview of the contributions of this thesis. The results about classical oblivious transfer described in Chapter 3 and summarized in Section 1.3.2 are joint work with Damgård, Fehr and Salvail [DFSS06]. All other results are based on two papers co-authored with Damgård, Fehr, Salvail and Renner: [DFSS05] and [DFR+07]. A journal version of [DFSS05] is to appear in a special issue of the SIAM Journal on Computing [DFSS08].

1.3.1 Bounded-Quantum-Storage Model

In this thesis, we study for the first time protocols where quantum communication is used and we place a bound on the adversary's quantum memory size. There are two reasons why this may be a good idea: first, if we do not bound the classical memory size, we avoid the impossibility result of [DM04].
Second, the adversary's typical goal is to obtain a certain piece of classical information that we want to keep hidden from him. However, if he cannot store all the quantum information that is sent, he must convert some of it to classical information by measuring. This may irreversibly destroy information, and we may be able to arrange it in such a way that the adversary cannot afford to lose information this way, while honest players can. It turns out that this can indeed be achieved: we present protocols for both BC and OT in which n qubits are transmitted, where honest players need no quantum memory, but where the adversary must store at least a large fraction (typically n/2 or n/4) of the n transmitted qubits to break the protocol.

We emphasize that no bound is assumed on the adversary's computing power, nor on his classical memory. This is clearly much more satisfactory than the classical case, not only from a theoretical point of view, but also in practice: while sending qubits and measuring them immediately as they arrive is well within reach of current technology, storing even a single qubit for more than a fraction of a second is a formidable technological challenge. Furthermore, we show that our protocols also work in a non-ideal setting where we allow the quantum source to be imperfect and the quantum communication to be noisy. We emphasize that what makes OT and BC possible in our model is not so much the memory bound per se, but rather the loss of information on the part of the adversary. Indeed, our results also hold if the adversary's memory device holds an arbitrary number of qubits, but is imperfect in certain ways. All these factors make the assumption of bounded quantum memory a very attractive cryptographic model.
On the one hand, as for the classical bounded-storage model, it is simple to work with and yields beautiful theoretical results. On the other hand, it is much more reasonable to assume the difficulty of storing quantum information compared to storing classical information, and hence we are very close to physical reality and get schemes that can actually be implemented!

1.3.2 Characterization of Security of Classical 1-2 OT

While the task of formally defining unconditional security of classical protocols for Rabin OT and BC is well understood, capturing the security of 1-2 OT in information-theoretic terms is considerably more delicate, as was pointed out by Crépeau, Savvides, Schaffner and Wullschleger [CSSW06]. For 1-2 OT of bits, it is clear that security for an honest sender against a cheating receiver guarantees that the receiver does not learn any information about the XOR of the two bits. Somewhat surprisingly, the converse is true as well: not having any information about the XOR of the two bits sent implies that we can point at one bit which the dishonest receiver does not know (given the other). This idea can be generalized to 1-2 OT of strings, where ignorance of the XOR becomes ignorance of the outcome of all Non-Degenerate Linear binary Functions (NDLFs) applied to the two strings sent. Such a characterization of sender-security in terms of NDLFs composes well with strongly two-universal hashing and thereby yields a powerful technique to improve the analyses of the standard reductions from 1-2 OT to weaker variants of OT.

As a historical side note, the original motivation for this classical characterization was the hope that it translates to the quantum setting and thereby yields a security proof of the 1-2 OT scheme in the bounded-quantum-storage model. We will point out why this approach does not work.
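The XOR and NDLF characterization above, made concrete in an added Python example (not code from the thesis or [DFSS06]). The example assumes a deliberately restricted toy model: whatever the dishonest receiver knows about the two ℓ-bit strings X and Y is a set of GF(2)-linear functionals of (X, Y), encoded as integers whose bit i (i < ℓ) is x_i and whose bit ℓ+i is y_i. In that model the check goes beyond the bit case in the text: it enumerates all NDLFs for any ℓ, decides by Gaussian elimination over GF(2) which of them the receiver can compute, and names the string he knows nothing about when none is determined. The thesis deals with general probabilistic receiver views, which this toy model does not cover.

```python
"""Sender-security of 1-2 OT in a linear-knowledge toy model."""

def ndlfs(ell):
    """All non-degenerate linear functions f(x, y) = a.x XOR b.y with
    a != 0 and b != 0, encoded as the single vector a | (b << ell).
    For ell = 1 this is just the XOR of the two bits."""
    return [a | (b << ell) for a in range(1, 1 << ell) for b in range(1, 1 << ell)]

def gf2_reduce(rows):
    """Echelon basis of the GF(2) span of int-encoded vectors, keyed by
    pivot (the highest set bit of each basis vector)."""
    basis = {}
    for v in rows:
        while v:
            piv = v.bit_length() - 1
            if piv in basis:
                v ^= basis[piv]
            else:
                basis[piv] = v
                break
    return basis

def in_span(v, basis):
    """Membership test against an echelon basis from gf2_reduce."""
    while v:
        piv = v.bit_length() - 1
        if piv not in basis:
            return False
        v ^= basis[piv]
    return True

def learned_ndlfs(known, ell):
    """NDLFs whose value follows from the receiver's known functionals."""
    basis = gf2_reduce(known)
    return [f for f in ndlfs(ell) if in_span(f, basis)]

def sender_secure(known, ell):
    """The receiver 'learns only one string' iff no NDLF is determined. In
    the linear model that holds exactly when every known functional is a
    function of X alone, or every one is a function of Y alone: a mixed
    functional is itself an NDLF, and one pure-X plus one pure-Y
    functional XOR to an NDLF."""
    return not learned_ndlfs(known, ell)

def unknown_string(known, ell):
    """When secure, name the string the receiver has no information about
    (the bit the characterization lets us 'point at')."""
    basis = gf2_reduce(known)
    x_mask = (1 << ell) - 1
    touches_x = any(v & x_mask for v in basis.values())
    touches_y = any(v >> ell for v in basis.values())
    if touches_x and touches_y:
        return None
    return "X" if touches_y else "Y"

if __name__ == "__main__":
    x1, x2, y1, y2 = 1, 2, 4, 8            # ell = 2
    print(sender_secure([x1, x2], 2), unknown_string([x1, x2], 2))
    print(sender_secure([x1, y1], 2), learned_ndlfs([x1, y1], 2))
```

Note what the second call shows: a receiver who holds one bit of each string has learned neither string, yet he knows the NDLF x_1 ⊕ y_1, and the characterization rightly calls that a violation of sender-security.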
1.3.3 Quantum Security Definitions and Protocols

When the players are allowed to use quantum communication, the output of a dishonest player is a quantum state even when the protocol implements a classical primitive. Therefore, security definitions for Rabin OT, 1-2 OT and BC have to be phrased in quantum terms. As an easy-to-use composability framework has not yet been established for quantum protocols⁴, various ad-hoc security requirements are commonly used. The definitions in this thesis are the strongest so far proposed, and as they are based on the (classical) considerations in [CSSW06], we believe that they are best suited to provide sequential composability. Most of the presented protocols in the bounded-quantum-storage model can be cast in a non-interactive form, i.e. only one party sends information when doing OT, commitment or opening. We show the following.

OT in the Bounded-Quantum-Storage Model: There exist non-interactive protocols for Rabin OT and 1-out-of-2 Oblivious Transfer (1-2 OT) of ℓ-bit messages, secure in the bounded-quantum-storage model against adversaries with quantum-memory size at most n/2 − ℓ for Rabin OT and n/4 − 2ℓ for 1-2 OT. Here, n is the number of qubits transmitted in the protocol and ℓ can be a constant fraction of n. Honest players need no quantum memory at all.

For the case of bit commitment, the standard definition of the binding property used in the quantum setting was introduced by Dumais, Mayers and Salvail [DMS00]. For b ∈ {0, 1}, let p_b denote the probability that a dishonest committer successfully opens the commitment to value b. The binding condition then requires that the sum of p_0 and p_1 essentially does not exceed 1.
More formally, p_0 + p_1 ≤ 1 + negl(n), where negl(n) stands for a term which is negligible in n, such as 2^(−cn) (for a constant c > 0), which is exponentially small in n. This is to capture that a quantum committer can always commit to the values 0 and 1 in superposition. We call this notion weakly binding in the following. A shortcoming of this notion is that committing bit by bit is not guaranteed to yield a secure string commitment: the argument that one is tempted to use requires independence of the p_b's between the different executions, which in general does not hold. Instead, we propose the following strong binding condition: After the commitment phase, there exists a binary random variable D ∈ {0, 1} such that a dishonest committer cannot open the commitment to value D except with negligible probability. The point is that the distribution of D is not under the control of the dishonest committer. We will point out that using this definition, we can easily derive the security of a string commitment from the security of the individual bits.

BC in the Bounded-Quantum-Storage Model: There exists a protocol for bit commitment which is non-interactive. It is perfectly hiding and weakly binding in the bounded-quantum-storage model against dishonest committers with quantum-memory size at most n/2. It is strongly binding against memory sizes of at most n/4. Here, n is the number of qubits transmitted in the protocol. Honest players need no quantum memory at all.

Furthermore, the commitment protocol has the interesting property that the only message is sent to the committer, i.e., it is possible to commit while only receiving information.

⁴ Some rather complicated frameworks are known. They have been put forward by Ben-Or and Mayers [BM04] and Unruh [Unr02].
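The step from strongly binding bits to a binding string commitment, written out here as an added derivation in the notation of the paragraph above (it is this page's illustration of the argument, not the proof given in Chapter 7):

```latex
\text{Commit to } s = (s_1,\dots,s_\ell) \in \{0,1\}^\ell \text{ bit by bit. Strong binding gives, for each } i,
\text{ a random variable } D_i \in \{0,1\} \text{ fixed after the commit phase with}
\Pr[\text{open bit } i \text{ to } D_i] \le \mathrm{negl}(n).

\text{Set } D^{\mathrm{str}} := (1-D_1,\dots,1-D_\ell). \text{ Every } s \neq D^{\mathrm{str}}
\text{ has some index } i \text{ with } s_i = D_i, \text{ so}
\Pr\big[\text{open to some } s \neq D^{\mathrm{str}}\big]
  \le \Pr\Big[\bigcup_{i=1}^{\ell} \{\text{open bit } i \text{ to } D_i\}\Big]
  \le \sum_{i=1}^{\ell} \Pr[\text{open bit } i \text{ to } D_i]
  \le \ell \cdot \mathrm{negl}(n).

\text{The union bound holds for arbitrarily correlated events, so no independence}
\text{between the } \ell \text{ executions is needed. With the weak condition } p_0 + p_1 \le 1 + \mathrm{negl}(n)
\text{ the tempting bound } p_s \le \prod_i p_{s_i} \text{ is exactly the independence that does not hold in general.}
```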
Suc h a sc heme clea rly do es not exist without a b ound on the committ er’s memory , ev en under compu tational assumptions and using quantum comm unication: a corrupt committer could alw a ys store (p os- sibly quan tumly) all the inform ation sen t, until op ening time, and only then follo w the honest committer’s algo rithm to figure out what should b e sen t to con vincingly op en a 0 or a 1. Note that in the classical b ound ed-storage mo d el, it h as b een shown by Moran, Shaltiel and T a-Shma [MST04] ho w to do time-stamping that is non- in teractiv e in our sense: a pla y er can time-st amp a docum en t while only receiv- ing information. Ho we ve r, no reasonable proto col f or BC or for time-stamping a s ingle b it exists in this mo del. It is straight forward to see that an y suc h pro- to col can b e brok en b y an adv ersary with classical memory of size t wice that of an honest pla y er, while our p roto col r equires no quan tum memory f or the honest pla y ers and remains secure against any adv ersary unable to store more than half the size of th e quan tum transmission. W e also note th at it has b een sho wn earlier b y Salv ail [S al98] that BC is p ossible using quan tum comm unication, assuming a different t yp e of physica l limitation, namely a b ound on the size of coheren t measurement that can b e implemen ted. Th is limitation is incomparable to our s: it do es not limit the total s ize of the memory , instead it limits the n umber of bits that can b e si- m ultaneously op er ated on to pro du ce a classical result. Our adversary has a limit on the total quan tum memory size, but can measure all of it coherent ly . The proto col f rom [Sal98] is in teractiv e, and r equires a b ound on the m aximal measuremen t size that is sub-linear in n . 
1.3.4 Quantum Uncertainty Relations

A problem often encountered in quantum cryptography is the following: through some interaction between the players, a quantum state is generated and then measured by one of the players (we call her Alice in the following). Assuming Alice is honest, we want to know how unpredictable her measurement outcome is to the adversary. Once a lower bound on the adversary's uncertainty about Alice's measurement outcome is established, it is usually easy to prove the desired security property of the protocol. Many existing constructions in quantum cryptography have been proven secure following this paradigm.

Typically, Alice does not make her measurement in a fixed basis, but chooses at random from a set of different bases. These bases are usually chosen to be pairwise mutually unbiased, meaning that if the quantum state is such that the measurement outcome in one basis is fixed, then this implies that the uncertainty about the outcome of the measurement in the other basis is maximal. In this way, one hopes to keep the adversary's uncertainty high, even if the state is (partially) under the adversary's control.

An inequality that lower bounds the adversary's uncertainty in such a scenario is called an uncertainty relation. There exist uncertainty relations for different measures of uncertainty, but cryptographic applications typically require the adversary's min-entropy to be bounded from below. Such uncertainty relations are the key ingredient in the security proofs of our protocols in the bounded-quantum-storage model.

In this thesis, we introduce new general and tight high-order entropic uncertainty relations. Since the relations are expressed in terms of lower bounds on the min-entropy or upper bounds on large probabilities respectively, they are applicable to a large class of natural protocols in quantum cryptography. The first uncertainty relation is concerned with the situation where an n-qubit state ρ is measured in one out of two mutually unbiased bases, say either in the computational basis (the +-basis) or in the diagonal basis (the ×-basis).

First Uncertainty Relation: Let ρ be an arbitrary state of n qubits, and let $Q_+(\cdot)$ and $Q_\times(\cdot)$ be the respective probability distributions over $\{0,1\}^n$ of the outcome when ρ is measured in the +-basis respectively the ×-basis. Then, for any two sets $L_+ \subset \{0,1\}^n$ and $L_\times \subset \{0,1\}^n$ it holds that
$$Q_+(L_+) + Q_\times(L_\times) \le 1 + 2^{-n/2}\sqrt{|L_+|\,|L_\times|}.$$

Another uncertainty relation is derived for situations where an n-qubit state ρ has each of its qubits measured in a random and independent basis sampled uniformly from a fixed set $\mathcal B$ of bases. $\mathcal B$ does not necessarily have to be mutually unbiased, but we assume a lower bound h (the so-called average entropic uncertainty bound) on the average Shannon entropy of the distribution $P_\vartheta$, obtained by measuring an arbitrary one-qubit state in basis $\vartheta \in \mathcal B$, meaning that
$$\frac{1}{|\mathcal B|}\sum_{\vartheta \in \mathcal B} H(P_\vartheta) \ge h.$$

Second Uncertainty Relation (informal): Let $\mathcal B$ be a set of bases with an average entropic uncertainty bound h as above. Let $P_\theta$ denote the probability distribution defined by measuring an arbitrary n-qubit state ρ in basis $\theta \in \mathcal B^n$. For a uniform choice $\Theta \in_R \mathcal B^n$, it holds except with negligible probability (over Θ and over $P_\theta$) that
$$H_\infty(P_\theta \mid \Theta = \theta) \gtrsim nh. \qquad (1.1)$$

Observe that (1.1) cannot be improved significantly, since the min-entropy of a distribution is at most equal to the Shannon entropy.
Our uncertainty relation is therefore asymptotically tight when the bound h is tight. Any lower bound on the Shannon entropy associated to a set of measurements $\mathcal B$ can be used in (1.1). In the special case where the set of bases is $\mathcal B = \{+, \times\}$ (i.e. the two BB84 bases, named after Bennett and Brassard who used them in the first quantum-key-distribution protocol [BB84]), h is known precisely using Maassen and Uffink's entropic relation [MU88], see (4.2). We get $h = \tfrac12$ and (1.1) results in
$$H_\infty(P_\theta \mid \Theta = \theta) \gtrsim \frac{n}{2}.$$
Uncertainty relations for the BB84 coding scheme are useful, since this coding is widely used in quantum cryptography. Its resilience to imperfect quantum channels, sources, and detectors is an important advantage in practice.

A major difference between the first and second uncertainty relation is that while both relations can be used to bound the min-entropy conditioned on an event, this event happens in the latter case with probability essentially 1 (on average), whereas the corresponding event from the first relation (defined in Corollary 4.17) only happens with probability about 1/2.

1.3.5 QKD against Quantum-Memory-Bounded Eavesdropper

We illustrate the versatility of our second uncertainty relation by applying it to Quantum-Key-Distribution (QKD) settings. QKD is the art of distributing a secret key between two distant parties, Alice and Bob, using only a completely insecure quantum channel and authentic classical communication. QKD protocols typically provide unconditional security, i.e., even an adversary with unlimited resources cannot get any information about the key. A major difficulty when implementing QKD schemes is that they require a low-noise quantum channel. The tolerated noise level depends on the actual protocol and on the desired security of the key. Because the quality of the channel typically decreases with its length, the maximum tolerated noise level is an important parameter limiting the maximum distance between Alice and Bob.

We consider a model in which the adversary has a limited amount of quantum memory to store the information she intercepts during the protocol execution. In this model, we show that the maximum tolerated noise level is larger than in the standard scenario where the adversary has unlimited resources. For one-way QKD protocols, which are protocols where error-correction is performed non-interactively (i.e., a single classical message is sent from one party to the other), we show the following result:

QKD Against Quantum-Memory-Bounded Eavesdroppers: Let $\mathcal B$ be a set of orthonormal bases of the two-dimensional Hilbert space $\mathcal H_2$ with average entropic uncertainty bound h. Then, a one-way QKD protocol produces a secure key against eavesdroppers whose quantum-memory size is sublinear in the length of the raw key at a positive rate, as long as the bit-flip probability p of the quantum channel fulfills h(p) < h, where h(·) denotes the binary Shannon-entropy function.

Although this result does not allow us to improve (compared to unbounded adversaries) the maximum error-rate for the BB84 protocol (the 4-state protocol), the 6-state protocol (using three mutually unbiased bases) can be shown secure against adversaries with memory bound sublinear in the secret-key length as long as the bit-flip error-rate is less than 17%. This improves over the maximal error-rate of 13% for this protocol against unbounded adversaries. We also show that the generalization of the 6-state protocol to more bases (not necessarily mutually unbiased) can be shown secure for a maximal error-rate up to 20%, provided the number of bases is large enough.
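The two quantities that the result above combines, the average entropic uncertainty bound h of a set of single-qubit bases and the noise condition h(p) < h, can both be computed numerically. The following script is an added example and not code from the thesis: it estimates h for $\mathcal B = \{+, \times\}$ (for which the thesis reports h = 1/2 via Maassen and Uffink) by a grid search over pure qubit states, does the same for the three bases +, × and circular from Section 2.3 (my assumption is that these are the three mutually unbiased bases of the 6-state protocol), and then solves h(p) < h for the largest tolerable bit-flip rate. The basis labels, the grid search and the function names are mine.

```python
import cmath
import math

# Single-qubit bases as in Section 2.3 of the thesis: computational (+),
# diagonal (x) and circular.  Each basis vector is given as the pair of
# amplitudes on |0> and |1>.  (Constant names are this example's own.)
S = 1 / math.sqrt(2)
BASES = {
    "+": [(1, 0), (0, 1)],
    "x": [(S, S), (S, -S)],
    "circular": [(S, 1j * S), (S, -1j * S)],
}

def binary_entropy(p):
    """h(p) = -p log2 p - (1-p) log2 (1-p), with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def shannon_entropy(dist):
    return -sum(p * math.log2(p) for p in dist if p > 0)

def outcome_distribution(state, basis):
    """Born rule: P(b) = |<b|state>|^2 for each vector b of the basis."""
    a0, a1 = state
    return [abs(complex(b0).conjugate() * a0 + complex(b1).conjugate() * a1) ** 2
            for (b0, b1) in basis]

def bloch_state(theta, phi):
    """Pure qubit state cos(theta/2)|0> + e^{i phi} sin(theta/2)|1>."""
    return (math.cos(theta / 2), cmath.exp(1j * phi) * math.sin(theta / 2))

def average_entropic_uncertainty_bound(basis_names, steps=90):
    """Estimate h = min over qubit states of the average Shannon entropy of the
    measurement outcome over the given bases.  A grid over the Bloch sphere of
    pure states suffices: entropy is concave and measurement is linear in the
    state, so mixed states never lie below the pure ones."""
    best = float("inf")
    for i in range(steps + 1):            # theta in [0, pi], endpoints included
        theta = math.pi * i / steps
        for j in range(2 * steps):         # phi in [0, 2 pi)
            phi = math.pi * j / steps
            state = bloch_state(theta, phi)
            avg = sum(shannon_entropy(outcome_distribution(state, BASES[b]))
                      for b in basis_names) / len(basis_names)
            best = min(best, avg)
    return best

def max_tolerable_error_rate(h):
    """Largest bit-flip probability p < 1/2 with h(p) < h, by bisection
    (the binary entropy is increasing on [0, 1/2])."""
    lo, hi = 0.0, 0.5
    for _ in range(60):
        mid = (lo + hi) / 2
        if binary_entropy(mid) < h:
            lo = mid
        else:
            hi = mid
    return lo

if __name__ == "__main__":
    for names in (["+", "x"], ["+", "x", "circular"]):
        h = average_entropic_uncertainty_bound(names)
        print(names, "h = %.4f" % h,
              "tolerable bit-flip rate = %.4f" % max_tolerable_error_rate(h))
```

For the two BB84 bases the search returns h = 1/2 and a threshold of about 11%; for the three bases it returns h = 2/3 and a threshold of about 17.4%, which is the "less than 17%" figure quoted above for the 6-state protocol (the three-basis value of h is a numerical result of this script, not a statement taken from the thesis).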
Note that the best known one-way protocol based on qubits is proven secure against general attacks for an error-rate of only up to roughly 14.1%, and the theoretical maximum is 16.3% [RGK05]. The quantum-memory-bounded eavesdropper model studied here is not comparable to other restrictions on adversaries considered in the literature (e.g. individual attacks, where the eavesdropper is assumed to apply independent measurements to each qubit sent over the quantum channel, as considered by Fuchs, Gisin, Griffiths, Niu, Peres, and Lütkenhaus [FGG+97, Lüt00]). In fact, these assumptions are generally artificial and their purpose is to simplify security proofs rather than to relax the conditions on the quality of the communication channel from which secure key can be generated. We believe that the quantum-memory-bounded eavesdropper model is more realistic.

1.4 Outline of the Thesis

In Chapter 2, we introduce notation and present some basic concepts from probability and quantum information theory, like quantum states and various kinds of their entropies. We prepare the stage by reproducing and slightly extending the results about privacy amplification via two-universal hashing from Renner's PhD thesis [Ren05]. Chapter 3 is the only (almost) exclusively classical chapter. It introduces the different flavors of oblivious transfer and gives a characterization of the security for the sender of 1-2 OT in terms of non-degenerate linear functions. It is cast in a stand-alone manner, and the rest of the thesis can be understood without reading this chapter. In Chapter 4, the basis for the security proofs of the following chapters is laid by establishing the quantum min-entropic uncertainty relations. The following Chapters 5 and 6 contain the quantum definitions, protocols and security proofs for Rabin OT and 1-2 OT, respectively. Chapter 7 treats quantum bit commitment. Two flavors of the "binding property" are defined and the techniques from the two previous chapters are used to prove security in the bounded-quantum-storage model. Chapter 8 is devoted to another application of the (second) uncertainty relation, quantum key distribution against a quantum-memory-bounded eavesdropper. The last Chapter 9 addresses some practical issues in greater detail and concludes. A short summary of the notation, the bibliography and an index can be found at the end of the thesis.

1.5 Related Work

The classical bounded-storage model is described in Section 1.2. Besides work pointed out in the overview of the contributions in Section 1.3 above, it is worth mentioning that several protocols aiming at achieving quantum oblivious transfer have been proposed. After Wiesner's original conjugate-coding protocol [Wie83], Bennett, Brassard, Crépeau, and Skubiszewska proposed an interactive protocol for 1-2 OT [BBCS91], whose security was subsequently analyzed by Crépeau [Cré94], Mayers, Salvail [MS94, May95], and Yao [Yao95]. The protocol from [BBCS91] is interactive and can be easily broken by a dishonest receiver with unbounded quantum memory. To ensure that the receiver actually performs a measurement, it was suggested to use (quantum) bit-commitment schemes such as [BCJL93], which were believed to be secure against such adversaries at this point in time. After the impossibility proofs of quantum bit-commitment by Lo and Chau [LC97], and Mayers [May97], and of oblivious transfer by Lo [Lo97], it became clear that assumptions are necessary in order to securely realize these primitives.
Compared to these previous attempts, the protocols in this thesis are simpler, non-interactive, and provably secure according to stronger security definitions. Work related to classical OT-reductions is referred to in the introductory sections to Chapter 3, in Sections 3.1 and 3.4.1. Previous work about quantum uncertainty relations is described in Section 4.2.

Chapter 2 Preliminaries

In this chapter, we introduce notation and basic concepts used throughout the rest of the thesis. In addition, most of the following chapters have an individual preliminary section introducing concepts that are exclusively used in those specific chapters. This chapter does not give a thorough introduction to probability theory, information theory and quantum information processing; we rather assume the reader familiar with the basic concepts from the standard literature like [CT91, NC00]. Instead, we give a specific overview of the concepts which are required for understanding this thesis.

2.1 Notation and Basic Tools

For a sequence of variables $x_1, \dots, x_n$, we use the abbreviation $x^i := x_1, \dots, x_i$ for the collection of variables up to index i, and we define $x^0 := \emptyset$ to be the empty string. For a set $I = \{i_1, i_2, \dots, i_\ell\} \subseteq \{1, \dots, n\}$ and an n-bit string $x \in \{0,1\}^n$, we define $x|_I := x_{i_1} x_{i_2} \cdots x_{i_\ell}$. It is sometimes convenient that all substrings of this form have the same length, irrespective of the actual size ℓ of the index set I. Therefore, we define the n-bit string $x|^\circ_I := x_{i_1} x_{i_2} \cdots x_{i_\ell} 0 \cdots 0$ to be the original substring padded with n − ℓ zeros. Most logarithms in this thesis are with respect to base 2 and denoted by log(·). However, when needed, ln(·) denotes the natural logarithm to base e.

We write $B_{\delta n}(x)$ for the ball of all n-bit strings at Hamming distance at most δn from x. Note that the number of elements in $B_{\delta n}(x)$ is the same for all x; we denote it by $B_{\delta n} := |B_{\delta n}(x)|$. It is well known that $B_{\delta n} \le 2^{n h(\delta)}$, where
$$h(p) := -p \cdot \log p - (1-p) \cdot \log(1-p)$$
is the binary entropy function. We denote by negl(n) any function of n smaller than the inverse of any polynomial provided n is sufficiently large. If we want to choose one of the two symbols + or × according to the bit b ∈ {0, 1}, we write $[+, \times]_b$. The Kronecker delta function is defined as $\delta_{i,j} = 1$ if i = j and $\delta_{i,j} = 0$ if i ≠ j. The indicator random variable $1_E$ equals 1 if the event E occurs and 0 else.

Definition 2.1 (convex/concave function) A function $f : \mathbb R \to \mathbb R$ is convex on the interval [a, b] if for any two points x, y ∈ [a, b] and 0 ≤ s ≤ 1 it holds that $f(sx + (1-s)y) \le s f(x) + (1-s) f(y)$. Analogously, the function is concave on [a, b] if $f(sx + (1-s)y) \ge s f(x) + (1-s) f(y)$.

Lemma 2.2 (Jensen's inequality) Let $f : \mathbb R \to \mathbb R$ be a convex function on $\mathbb R$ and let $x_1, \dots, x_n \in \mathbb R$. Let $p_1, \dots, p_n \in [0, 1]$ be such that $\sum_i p_i = 1$. Then,
$$f\Big(\sum_{i=1}^n p_i x_i\Big) \le \sum_{i=1}^n p_i f(x_i).$$
For $x_1 = x_2 = \dots = x_n$, equality holds.

Lemma 2.3 (Cauchy-Schwarz inequality) For real numbers $x_1, \dots, x_n$ and $y_1, \dots, y_n$, the following holds:
$$\Big(\sum_{i=1}^n x_i \cdot y_i\Big)^2 \le \Big(\sum_{i=1}^n x_i^2\Big) \cdot \Big(\sum_{i=1}^n y_i^2\Big).$$
Proof: Note that $\sum_{i=1}^n (x_i \cdot z + y_i)^2$ is a quadratic polynomial $a \cdot z^2 + bz + c$ without real roots unless all $x_i/y_i$ are equal. Therefore, its discriminant $b^2 - 4ac$ is non-positive:
$$4\Big(\sum_{i=1}^n x_i \cdot y_i\Big)^2 - 4\Big(\sum_{i=1}^n x_i^2\Big) \cdot \Big(\sum_{i=1}^n y_i^2\Big) \le 0.$$

2.2 Probability Theory

For a discrete probability space (Ω, P), we write P[E] for the probability of the event E ⊂ Ω, and we write $P_X$ for the distribution of the random variable $X : \Omega \to \mathcal X$ taking values in the finite set $\mathcal X$.
As is common practice, we do not refer to the probability space (Ω, P) but leave it implicitly defined by the joint probabilities of all considered events and random variables. For two random variables X and Y with joint distribution $P_{XY}$ over $\mathcal X \times \mathcal Y$, the conditional probability distribution of X given Y is defined as
$$P_{X|Y}(x|y) := \frac{P_{XY}(x,y)}{P_Y(y)}$$
for all $x \in \mathcal X$ and $y \in \mathcal Y$ with $P_Y(y) > 0$. For a probability distribution Q over $\mathcal X$, we abbreviate the (overall) probability of a set $L \subseteq \mathcal X$ with $Q(L) := \sum_{x \in L} Q(x)$.

Let P and Q be two probability distributions over the same finite domain $\mathcal X$. The variational distance¹ δ(P, Q) between P and Q is defined as
$$\delta(P, Q) := \frac12 \sum_{x \in \mathcal X} |P(x) - Q(x)|.$$
Note that this definition makes sense also for non-normalized distributions, and indeed we define and use δ(P, Q) for arbitrary positive-valued functions P and Q with common domain. In case $\mathcal X$ is of the form $\mathcal X = \mathcal U \times \mathcal V$, we can expand δ(P, Q) to
$$\delta(P, Q) = \sum_u \delta\big(P(u, \cdot), Q(u, \cdot)\big) = \sum_v \delta\big(P(\cdot, v), Q(\cdot, v)\big).$$
We write $P \approx_\varepsilon Q$ to denote that P and Q are ε-close, i.e., that δ(P, Q) ≤ ε.

By unif we denote a uniformly distributed binary random variable independent of anything else, such that $P_{unif}(b) = \tfrac12$ for both b ∈ {0, 1}, and $unif^\ell$ stands for ℓ independent copies of unif. For a random variable R over the reals $\mathbb R$, its expected value is denoted by E[R].

Lemma 2.4 (Markov's inequality) For a non-negative real random variable X and ε > 0, we have
$$\Pr\Big[X \ge \frac{E[X]}{\varepsilon}\Big] \le \varepsilon.$$
Proof: For the indicator function $1_E$, which equals 1 if the event E occurs and 0 else, we observe that
$$\frac{E[X]}{\varepsilon} \cdot 1_{\{X \ge E[X]/\varepsilon\}} \le X.$$
Taking the expected values on both sides, using linearity of the expectation and rearranging the terms yields the claim.

Lemma 2.5 (Chernoff's inequality) Let $X_1, \dots, X_n$ be identically and independently distributed random variables with Bernoulli distribution, i.e. $X_i = 1$ with probability p and $X_i = 0$ with probability 1 − p. Then $S := \sum_{i=1}^n X_i$ has binomial distribution with parameters (n, p) and it holds that
$$P[\,|S - pn| > \varepsilon n\,] \le 2 e^{-2 \varepsilon^2 n}.$$
See [AS00] or [MP95] for a proof.

¹ also called statistical or Kolmogorov distance

2.3 Quantum Information Theory

In this section, we give a very brief introduction to the quantum notions we use in this thesis; we refer to [NC00, Ren05] for further explanations. For any positive integer $d \in \mathbb N$, $\mathcal H_d$ stands for the complex Hilbert space of dimension d. Sometimes, we omit the dimension and simply write $\mathcal H$. The state of a quantum-mechanical system in $\mathcal H$ is described by a density operator ρ. A density operator ρ is normalized with respect to the trace norm (tr(ρ) = 1), Hermitian ($\rho^* = \rho$) and has non-negative eigenvalues. $\mathcal P(\mathcal H)$ denotes the set of all density operators acting on $\mathcal H$. $\mathbb 1$ denotes the identity matrix (describing the fully mixed state) renormalized by the appropriate dimension. A quantum state $\rho \in \mathcal P(\mathcal H)$ is called pure if it is of the form $\rho = |\varphi\rangle\langle\varphi|$ for a (normalized) vector $|\varphi\rangle \in \mathcal H$. A positive operator-valued measurement (POVM) is a family $\mathcal M = \{E_x\}_{x \in \mathcal X}$ of non-negative operators such that $\sum_{x \in \mathcal X} E_x$ equals the identity matrix. The probability distribution $P_X$ obtained when applying the POVM $\mathcal M$ to the quantum state ρ is defined as $P_X(x) := \mathrm{tr}(E_x \rho)$.

The general evolution (like unitary transforms, measurements, applying noise etc.) of a quantum system in state ρ can be described by a quantum operation $\mathcal E(\rho)$, which is a completely positive and trace-preserving map, i.e. $\mathcal E$ is linear and maps non-negative normalized operators $\rho \in \mathcal P(\mathcal H)$ into non-negative normalized operators $\mathcal E(\rho) \in \mathcal P(\mathcal H)$.
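The classical tools from Sections 2.1 and 2.2 above (the Hamming-ball bound $B_{\delta n} \le 2^{nh(\delta)}$, the variational distance with its expansion over a product domain, and the Chernoff bound of Lemma 2.5) are easy to check on small instances. The code below is an added example, not part of the thesis; the sample distributions over {0,1} × {a,b}, the parameters of the binomial example and the function names are constructed for this illustration.

```python
import math

def binary_entropy(p):
    """h(p) = -p log2 p - (1-p) log2 (1-p), with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def hamming_ball_size(n, radius):
    """B_r = |B_r(x)|: number of n-bit strings within Hamming distance r of x
    (independent of x, as noted in Section 2.1)."""
    return sum(math.comb(n, k) for k in range(radius + 1))

def hamming_ball_bound(n, delta):
    """The bound 2^{n h(delta)} on B_{delta n}, valid for delta <= 1/2."""
    return 2 ** (n * binary_entropy(delta))

def variational_distance(P, Q):
    """delta(P, Q) = 1/2 sum_x |P(x) - Q(x)|; P and Q are dicts and may be
    non-normalized, as the text allows."""
    keys = set(P) | set(Q)
    return 0.5 * sum(abs(P.get(k, 0.0) - Q.get(k, 0.0)) for k in keys)

def variational_distance_expanded(P, Q):
    """The same quantity via sum_u delta(P(u,.), Q(u,.)) for distributions over
    a product domain U x V, keyed by (u, v) pairs."""
    us = {u for (u, _) in set(P) | set(Q)}
    total = 0.0
    for u in us:
        Pu = {v: p for (uu, v), p in P.items() if uu == u}
        Qu = {v: q for (uu, v), q in Q.items() if uu == u}
        total += variational_distance(Pu, Qu)
    return total

def binomial_tail(n, p, eps):
    """Exact P[|S - pn| > eps n] for S ~ Binomial(n, p)."""
    return sum(math.comb(n, k) * p ** k * (1 - p) ** (n - k)
               for k in range(n + 1) if abs(k - p * n) > eps * n)

def chernoff_bound(n, eps):
    """Right-hand side of Lemma 2.5."""
    return 2 * math.exp(-2 * eps ** 2 * n)

# Constructed sample distributions over the product domain {0,1} x {a,b}.
SAMPLE_P = {(0, "a"): 0.4, (0, "b"): 0.1, (1, "a"): 0.2, (1, "b"): 0.3}
SAMPLE_Q = {(0, "a"): 0.25, (0, "b"): 0.25, (1, "a"): 0.25, (1, "b"): 0.25}

if __name__ == "__main__":
    print("B_5 for n=20:", hamming_ball_size(20, 5), "<=", hamming_ball_bound(20, 0.25))
    print("delta(P,Q):", variational_distance(SAMPLE_P, SAMPLE_Q),
          "expanded:", variational_distance_expanded(SAMPLE_P, SAMPLE_Q))
    print("exact tail:", binomial_tail(50, 0.3, 0.1), "Chernoff:", chernoff_bound(50, 0.1))
```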
The notion of (variational) distance of two random variables can be naturally extended to the trace distance between two density operators $\rho, \sigma \in \mathcal P(\mathcal H)$, defined by
$$\delta(\rho, \sigma) := \frac12 \mathrm{tr}(|\rho - \sigma|),$$
where we define $|A| := \sqrt{A^* A}$ to be the positive square-root of A. As in the classical case, we write $\rho \approx_\varepsilon \sigma$ to denote that ρ and σ are ε-close, i.e. δ(ρ, σ) ≤ ε. The trace distance has an operational meaning in that the value $\tfrac12 + \tfrac12 \delta(\rho, \sigma)$ is the average success probability when distinguishing ρ from σ via a measurement. In fact, the relation to the classical variational distance becomes evident in
$$\delta(\rho, \sigma) = \max_{\mathcal M} \delta\big(\mathcal M(\rho), \mathcal M(\sigma)\big),$$
where the maximization is over all POVMs $\mathcal M$ and $\mathcal M(\rho)$ refers to the probability distribution obtained when measuring ρ using $\mathcal M$. Ruskai [Rus94] showed that the trace distance does not increase under (trace-preserving) quantum operations; formally, $\delta(\mathcal E(\rho), \mathcal E(\sigma)) \le \delta(\rho, \sigma)$ for any quantum operation $\mathcal E$.

The pair $\{|0\rangle, |1\rangle\}$ denotes the computational or rectilinear or "+" basis for the 2-dimensional Hilbert space $\mathcal H_2$. The diagonal or "×" basis is defined as $\{|0\rangle_\times, |1\rangle_\times\}$ where $|0\rangle_\times = (|0\rangle + |1\rangle)/\sqrt2$ and $|1\rangle_\times = (|0\rangle - |1\rangle)/\sqrt2$. The circular basis consists of the vectors $(|0\rangle + i|1\rangle)/\sqrt2$ and $(|0\rangle - i|1\rangle)/\sqrt2$. Measuring a qubit in the +-basis (resp. ×-basis) means applying the measurement described by the projectors $|0\rangle\langle 0|$ and $|1\rangle\langle 1|$ (resp. the projectors $|0\rangle_\times\langle 0|_\times$ and $|1\rangle_\times\langle 1|_\times$). When the context requires it, we write $|0\rangle_+$ and $|1\rangle_+$ instead of $|0\rangle$ respectively $|1\rangle$. For an n-bit string $x \in \{0,1\}^n$, $|x\rangle_+$ stands for the state $\bigotimes_{i=1}^n |x_i\rangle_+ \in \mathcal H_2^{\otimes n}$, and analogously for $|x\rangle_\times$.

As mentioned above, the behavior of a quantum state in a register E is fully described by its density matrix $\rho_E$. We often consider cases where a quantum state may depend on some classical random variable X, in that it is described by the density matrix $\rho^x_E$ if and only if X = x. For an observer who has only access to the register E but not to X, the behavior of the state is determined by the density matrix $\sum_x P_X(x) \rho^x_E$. The joint state, consisting of the classical X and the quantum register E and therefore called cq-state, is described by the density matrix $\sum_x P_X(x) |x\rangle\langle x| \otimes \rho^x_E$. In order to have more compact expressions, we use the following notation. We write
$$\rho_{XE} = \sum_x P_X(x)\, |x\rangle\langle x| \otimes \rho^x_E \qquad \text{and} \qquad \rho_E = \mathrm{tr}_X(\rho_{XE}) = \sum_x P_X(x)\, \rho^x_E.$$
More generally, for any event $\mathcal E$, we write
$$\rho_{XE|\mathcal E} = \sum_x P_{X|\mathcal E}(x)\, |x\rangle\langle x| \otimes \rho^x_E \qquad \text{and} \qquad \rho_{E|\mathcal E} = \mathrm{tr}_X(\rho_{XE|\mathcal E}) = \sum_x P_{X|\mathcal E}(x)\, \rho^x_E.$$
We also write $\rho_X = \sum_x P_X(x) |x\rangle\langle x|$ for the quantum representation of the classical random variable X (and similarly for $\rho_{X|\mathcal E}$). This notation extends naturally to quantum states that depend on several classical random variables (i.e. to ccq-states, cccq-states etc.). Given a cq-state $\rho_{XE}$ as above, by saying that there exists a random variable Y such that $\rho_{XYE}$ satisfies some condition, we mean that $\rho_{XE}$ can be understood as $\rho_{XE} = \mathrm{tr}_Y(\rho_{XYE})$ for a ccq-state $\rho_{XYE}$ that satisfies the required condition. Obviously, $\rho_{XE} = \rho_X \otimes \rho_E$ holds if and only if the quantum part is independent of X (in that $\rho^x_E = \rho_E$ for any x), where the latter in particular implies that no information on X can be learned by observing only $\rho_E$.
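To make the relation $\delta(\rho, \sigma) = \max_{\mathcal M} \delta(\mathcal M(\rho), \mathcal M(\sigma))$ and the success probability $\tfrac12 + \tfrac12\delta(\rho,\sigma)$ concrete for single qubits, the following added example (my code, not the thesis's) computes the trace distance of two qubit states from the eigenvalues of ρ − σ, measures both states in the +, × and circular bases of Section 2.3, and shows that measuring in the eigenbasis of ρ − σ (the Helstrom measurement, which is optimal for distinguishing two states) attains the trace distance exactly. The sample pair $|0\rangle$ versus $|0\rangle_\times$ and all function names are constructed for this illustration.

```python
import math

S = 1 / math.sqrt(2)
# Single-qubit bases from Section 2.3 as (amplitude on |0>, amplitude on |1>).
BASES = {
    "+": [(1, 0), (0, 1)],
    "x": [(S, S), (S, -S)],
    "circular": [(S, 1j * S), (S, -1j * S)],
}

def ket_bra(v):
    """Pure-state density matrix |v><v| for a normalized 2-vector v."""
    return [[complex(v[i]) * complex(v[j]).conjugate() for j in range(2)] for i in range(2)]

def difference(rho, sigma):
    return [[rho[i][j] - sigma[i][j] for j in range(2)] for i in range(2)]

def hermitian_eigen(A):
    """Eigenvalues and orthonormal eigenvectors of a 2x2 Hermitian matrix A."""
    a, b, d = A[0][0].real, complex(A[0][1]), A[1][1].real
    if abs(b) < 1e-12:                       # already diagonal
        return (a, d), [(1, 0), (0, 1)]
    tr, det = a + d, a * d - abs(b) ** 2
    disc = math.sqrt(max(tr * tr - 4 * det, 0.0))
    vals, vecs = ((tr + disc) / 2, (tr - disc) / 2), []
    for lam in vals:
        v = (b, lam - a)                     # first row of (A - lam*I) v = 0
        norm = math.sqrt(abs(v[0]) ** 2 + abs(v[1]) ** 2)
        vecs.append((v[0] / norm, v[1] / norm))
    return vals, vecs

def trace_distance(rho, sigma):
    """delta(rho, sigma) = 1/2 tr|rho - sigma| = 1/2 * sum of |eigenvalues| of rho - sigma."""
    vals, _ = hermitian_eigen(difference(rho, sigma))
    return 0.5 * sum(abs(l) for l in vals)

def measure(rho, basis):
    """Outcome distribution of the projective measurement {|b><b|}: P(b) = <b|rho|b>."""
    dist = []
    for bvec in basis:
        amp = sum(complex(bvec[i]).conjugate() * rho[i][j] * bvec[j]
                  for i in range(2) for j in range(2))
        dist.append(amp.real)
    return dist

def variational_distance(P, Q):
    return 0.5 * sum(abs(p - q) for p, q in zip(P, Q))

def measured_distance(rho, sigma, basis):
    """delta(M(rho), M(sigma)) for the projective measurement M given by `basis`."""
    return variational_distance(measure(rho, basis), measure(sigma, basis))

def optimal_measured_distance(rho, sigma):
    """Measure in the eigenbasis of rho - sigma; this attains the maximum over all
    measurements, i.e. the trace distance."""
    _, eigbasis = hermitian_eigen(difference(rho, sigma))
    return measured_distance(rho, sigma, eigbasis)

def distinguishing_success(rho, sigma):
    """1/2 + 1/2 delta(rho, sigma): average success probability of the best guess
    when rho or sigma is handed over with probability 1/2 each."""
    return 0.5 + 0.5 * trace_distance(rho, sigma)

# Constructed sample pair: |0> (the + basis) versus |0>_x (the diagonal basis).
RHO = ket_bra(BASES["+"][0])
SIGMA = ket_bra(BASES["x"][0])

if __name__ == "__main__":
    print("trace distance:", trace_distance(RHO, SIGMA))
    for name, basis in BASES.items():
        print(name, "basis:", measured_distance(RHO, SIGMA, basis))
    print("eigenbasis of rho - sigma:", optimal_measured_distance(RHO, SIGMA))
    print("success probability:", distinguishing_success(RHO, SIGMA))
```

For this pair the trace distance is $1/\sqrt2 \approx 0.707$: the + and × bases each see only a variational distance of 0.5, the circular basis sees 0 (both states give a uniform outcome there), and the eigenbasis measurement reaches the full 0.707, for a guessing success probability of about 0.854.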
Furthermore, if $\rho_{XE}$ and $\rho_X \otimes \rho_E$ are ε-close in terms of their trace distance $\delta(\rho, \sigma) = \tfrac12 \mathrm{tr}(|\rho - \sigma|)$, then the real system $\rho_{XE}$ "behaves" as the ideal system $\rho_X \otimes \rho_E$ except with probability ε (as explained by Renner and König in [RK05]), in that for any evolution of the system no observer can distinguish the real from the ideal one with advantage greater than ε.

2.4 Entropies

2.4.1 Classical Rényi Entropy

Definition 2.6 Let P be a probability distribution over the finite set $\mathcal X$ and $\alpha \in [0, \infty]$. The α-order sum of the probability distribution P is defined as $\pi_\alpha(P) := \sum_{x \in \mathcal X} P(x)^\alpha$. In the limits α → ∞ and α → 0, we set $\pi_\infty(P) := \max_{x \in \mathcal X} P(x)$ and $\pi_0(P) := |\{x \in \mathcal X : P(x) > 0\}|$.

Definition 2.7 (Rényi entropy [Rén61]) Let P be a probability distribution over the finite set $\mathcal X$ and $\alpha \in [0, \infty]$. The Rényi entropy of order α is defined as
$$H_\alpha(P) := \frac{1}{1-\alpha} \log\big(\pi_\alpha(P)\big) = -\log\Big(\sum_{x \in \mathcal X} P(x)^\alpha\Big)^{\frac{1}{\alpha - 1}}.$$
In the limit α → ∞, we obtain the min-entropy $H_\infty(P) = -\log \max_{x \in \mathcal X} P(x)$, and for α → 0 we obtain the max-entropy $H_0(P) = \log |\{x \in \mathcal X : P(x) > 0\}|$. Another important special case is α = 2, also known as the collision probability $\pi_2(P) = \sum_{x \in \mathcal X} P(x)^2$ and collision entropy $H_2(P) = -\log \sum_x P(x)^2$. For the limit α → 1, we can use Jensen's inequality (Lemma 2.2) with $p_x := P(x)$ to obtain
$$-\frac{1}{\alpha - 1} \log\Big(\sum_x p_x P(x)^{\alpha - 1}\Big) \le -\sum_x p_x \log\big(P(x)^{\alpha - 1}\big)^{\frac{1}{\alpha - 1}}.$$
In the limit α → 1, all $P(x)^{\alpha - 1}$ go to 1 and therefore equality holds, and we obtain the standard definition of Shannon entropy $H(P) := -\sum_x P(x) \log P(x)$ as in [Sha48]. For a random variable X with probability distribution $P_X$, we will most often slightly abuse notation and use the common shortcut $H_\alpha(X)$ instead of $H_\alpha(P_X)$.

For a fixed random variable X over the finite set $\mathcal X$, $\alpha \mapsto H_\alpha(X)$ is a decreasing function on [0, ∞]:
$$\log|\mathcal X| \ge H_0(X) \ge H(X) \ge H_2(X) \ge H_\infty(X),$$
with equality if and only if X is uniform over a subset of $\mathcal X$. Furthermore, we have that for α > 1, $\pi_\alpha(X) = \sum_x P_X(x)^\alpha \ge \max_x P_X(x)^\alpha$ and therefore
$$H_\alpha(X) = \frac{1}{1-\alpha} \log \pi_\alpha(X) \le \frac{1}{1-\alpha} \log \max_x P_X(x)^\alpha = \frac{\alpha}{1-\alpha} \log \max_x P_X(x),$$
which implies the following relation between Rényi entropies of order α > 1:
$$\frac{\alpha - 1}{\alpha} H_\alpha(X) \le H_\infty(X). \qquad (2.1)$$

Conditional Rényi entropy

The Rényi entropy $H_\alpha(X \mid Y = y)$ of X given the event Y = y is naturally defined as $H_\alpha(X \mid Y = y) = \frac{1}{1-\alpha} \log \sum_x P_{X|Y=y}(x)^\alpha$. We define the conditional α-order sum of X given Y and the conditional Rényi entropy by
$$\pi_\alpha(X|Y) := \max_y \sum_x P_{X|Y=y}(x)^\alpha \qquad \text{and} \qquad H_\alpha(X|Y) := \frac{1}{1-\alpha} \log\big(\pi_\alpha(X|Y)\big).$$
In the limits we have $\pi_\infty(X|Y) = \max_{x,y} P_{X|Y=y}(x)$ and $\pi_0(X|Y) = \max_y |\{x \in \mathcal X : P_{X|Y=y}(x) > 0\}|$. For the conditional min-, collision- and max-entropy, we get
$$H_\infty(X|Y) := \min_y H_\infty(X \mid Y = y) = \min_{x,y} -\log P_{X|Y=y}(x),$$
$$H_2(X|Y) := \min_y H_2(X \mid Y = y) = \min_y -\log\Big(\sum_x P_{X|Y=y}(x)^2\Big),$$
$$H_0(X|Y) := \max_y H_0(X \mid Y = y) = \max_y \log|\{x \in \mathcal X : P_{X|Y=y}(x) > 0\}|.$$
In the limit α ↓ 1 we get $H_{\downarrow 1}(X|Y) = \min_y H(X \mid Y = y)$, and for α ↑ 1 we get $H_{\uparrow 1}(X|Y) = \max_y H(X \mid Y = y)$, which might be different. However, the standard definition of conditional Shannon entropy is neither of those, but "in between":
$$H(X|Y) := \sum_y P_Y(y) H(X \mid Y = y) = -\sum_{x,y} P_{XY}(x,y) \log P_{X|Y=y}(x).$$
We note that in the literature, $H_\alpha(X|Y)$ is sometimes defined as an average over Y, $\sum_y P_Y(y) H_\alpha(X \mid Y = y)$, like for Shannon entropy. However, we define the following, more natural notion. For 1 < α < ∞, we define the average conditional Rényi entropy $\tilde H_\alpha(X|Y)$ as
$$\tilde H_\alpha(X|Y) := -\log\Big(\sum_y P_Y(y) \Big(\sum_x P_{X|Y}(x|y)^\alpha\Big)^{\frac{1}{\alpha - 1}}\Big),$$
and as $\tilde H_\infty(X|Y) := -\log \sum_y P_Y(y) \max_x P_{X|Y}(x|y)$ for α = ∞. This notion is useful in particular because it has the property that if the average conditional Rényi entropy is large, then the conditional Rényi entropy is large with high probability:

Lemma 2.8 Let α > 1 (allowing α = ∞) and κ ≥ 0. Then with probability at least $1 - 2^{-\kappa}$ (over the choice of y),
$$H_\alpha(X \mid Y = y) \ge \tilde H_\alpha(X|Y) - \kappa.$$
Proof: By definition of the average conditional Rényi entropy, we have $2^{-\tilde H_\alpha(X|Y)} = E_y\big[\pi_\alpha(X \mid Y = y)^{\frac{1}{\alpha-1}}\big]$. By Markov's inequality (Lemma 2.4), we get that
$$\Pr_y\Big[\pi_\alpha(X \mid Y = y)^{\frac{1}{\alpha-1}} \ge 2^{-\tilde H_\alpha(X|Y) + \kappa}\Big] \le 2^{-\kappa},$$
and therefore the probability (over y) that $H_\alpha(X \mid Y = y) \le \tilde H_\alpha(X|Y) - \kappa$ is at most $2^{-\kappa}$.

As long as α > 1, the minimization (or average) over y is the same for all orders of Rényi entropy; hence, Equation (2.1) translates to (average) conditional Rényi entropy:

Lemma 2.9 For any 1 < α < ∞, we have
$$H_2(X|Y) \ge H_\infty(X|Y) \ge \frac{\alpha-1}{\alpha} H_\alpha(X|Y), \qquad \tilde H_2(X|Y) \ge \tilde H_\infty(X|Y) \ge \frac{\alpha-1}{\alpha} \tilde H_\alpha(X|Y).$$

Concavity

Lemma 2.10 For 0 ≤ α ≤ 1, Rényi entropy is a concave entropic functional, i.e., for 0 ≤ s ≤ 1 and distributions P, Q we have $H_\alpha(sP + (1-s)Q) \ge s H_\alpha(P) + (1-s) H_\alpha(Q)$.

For the case of Shannon entropy, note that the function $f(p) := -p \log p$ has derivatives $f'(p) = -1 - \log p$ and $f''(p) = -1/p$, and $f''(p) \le 0$ for 0 ≤ p ≤ 1. Therefore, f(p) is concave and we have
$$H(sP + (1-s)Q) = \sum_x f\big(sP(x) + (1-s)Q(x)\big) \ge \sum_x sf(P(x)) + (1-s)f(Q(x)) = s \sum_x f(P(x)) + (1-s) \sum_x f(Q(x)) = s H(P) + (1-s) H(Q).$$
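The definitions of Section 2.4.1 (the α-order sums, the ordering $\log|\mathcal X| \ge H_0 \ge H \ge H_2 \ge H_\infty$ with bound (2.1), the conditional entropy $H_\alpha(X|Y)$ defined through $\max_y$, the average conditional entropy $\tilde H_\alpha(X|Y)$ and the Markov-type guarantee of Lemma 2.8) are implemented below on a small joint distribution; the block also recomputes the collision-entropy example of the next paragraph, where an equal mixture of a point mass and the uniform distribution on $\{0,1\}^n$ shows that $H_2$ is not concave. This is an added example, not the thesis's code; the joint distribution of X ∈ {0,1,2} and Y ∈ {0,1} and all function names are constructed for this illustration.

```python
import math

def alpha_sum(P, alpha):
    """pi_alpha(P) = sum_x P(x)^alpha, with the limits alpha = 0 and alpha = inf."""
    if alpha == math.inf:
        return max(P)
    if alpha == 0:
        return sum(1 for p in P if p > 0)
    return sum(p ** alpha for p in P if p > 0)

def renyi_entropy(P, alpha):
    """H_alpha(P) = log2(pi_alpha(P)) / (1 - alpha); alpha = 1 is Shannon entropy."""
    if alpha == 1:
        return -sum(p * math.log2(p) for p in P if p > 0)
    if alpha == math.inf:
        return -math.log2(max(P))
    return math.log2(alpha_sum(P, alpha)) / (1 - alpha)

def ordering_holds(P, alpha=3.0):
    """Checks log|X| >= H_0 >= H >= H_2 >= H_inf and the bound (2.1)
    (alpha-1)/alpha * H_alpha <= H_inf for one alpha > 1."""
    tol = 1e-12
    hs = [math.log2(len(P))] + [renyi_entropy(P, a) for a in (0, 1, 2, math.inf)]
    monotone = all(hs[i] + tol >= hs[i + 1] for i in range(len(hs) - 1))
    bound = (alpha - 1) / alpha * renyi_entropy(P, alpha) <= hs[-1] + tol
    return monotone and bound

def marginal_y(PXY):
    PY = {}
    for (x, y), p in PXY.items():
        PY[y] = PY.get(y, 0.0) + p
    return PY

def conditional_x_given(PXY, y, PY):
    """The distribution P_{X|Y=y} as a list in increasing order of x."""
    return [p / PY[y] for (x, yy), p in sorted(PXY.items()) if yy == y]

def cond_renyi_entropy(PXY, alpha):
    """H_alpha(X|Y) via pi_alpha(X|Y) = max_y sum_x P_{X|Y=y}(x)^alpha (alpha != 1)."""
    if alpha == 1:
        raise ValueError("alpha = 1 has two different one-sided limits; see the text")
    PY = marginal_y(PXY)
    pi = max(alpha_sum(conditional_x_given(PXY, y, PY), alpha) for y in PY)
    return -math.log2(pi) if alpha == math.inf else math.log2(pi) / (1 - alpha)

def avg_cond_renyi_entropy(PXY, alpha):
    """Average conditional Renyi entropy H~_alpha(X|Y) for 1 < alpha <= inf."""
    PY = marginal_y(PXY)
    total = 0.0
    for y in PY:
        pi = alpha_sum(conditional_x_given(PXY, y, PY), alpha)
        total += PY[y] * (pi if alpha == math.inf else pi ** (1 / (alpha - 1)))
    return -math.log2(total)

def lemma_2_8_failure_prob(PXY, alpha, kappa):
    """Probability over y that H_alpha(X|Y=y) < H~_alpha(X|Y) - kappa;
    Lemma 2.8 guarantees this is at most 2^-kappa."""
    PY = marginal_y(PXY)
    threshold = avg_cond_renyi_entropy(PXY, alpha) - kappa
    return sum(PY[y] for y in PY
               if renyi_entropy(conditional_x_given(PXY, y, PY), alpha) < threshold)

def collision_entropy_of_mixture(n):
    """Non-concavity of H_2: P = point mass on 0, Q = uniform on {0,1}^n.
    Returns (H_2((P+Q)/2), (H_2(P) + H_2(Q))/2) = (about 2, n/2)."""
    heavy = 0.5 + 0.5 * 2.0 ** -n      # mixture mass on the string 0
    light = 0.5 * 2.0 ** -n            # mass on each of the other 2^n - 1 strings
    collision = heavy ** 2 + (2 ** n - 1) * light ** 2
    return -math.log2(collision), (0 + n) / 2

# Constructed sample data: a distribution over 8 elements, and a joint
# distribution with P_Y uniform, P_{X|Y=0} = (0.6, 0.3, 0.1), P_{X|Y=1} = (0.4, 0.3, 0.3).
SAMPLE_P = [0.4, 0.2, 0.1, 0.1, 0.05, 0.05, 0.05, 0.05]
SAMPLE_PXY = {(0, 0): 0.30, (1, 0): 0.15, (2, 0): 0.05,
              (0, 1): 0.20, (1, 1): 0.15, (2, 1): 0.15}

if __name__ == "__main__":
    print("ordering and (2.1) hold:", ordering_holds(SAMPLE_P))
    print("H_inf(X|Y) =", cond_renyi_entropy(SAMPLE_PXY, math.inf))
    print("H~_inf(X|Y) =", avg_cond_renyi_entropy(SAMPLE_PXY, math.inf))
    print("Pr[H_inf(X|Y=y) < H~_inf - 0.2] =", lemma_2_8_failure_prob(SAMPLE_PXY, math.inf, 0.2))
    print("H_2 of mixture vs. average, n = 6:", collision_entropy_of_mixture(6))
```

On the sample joint distribution the worst-case conditional min-entropy is $-\log 0.6 \approx 0.74$ while the average version is exactly 1; with κ = 0.2 the "bad" value y = 0 has probability 0.5, well within the $2^{-0.2} \approx 0.87$ that Lemma 2.8 allows.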
Higher-order R ´ enyi en trop y is not n ecessarily conca v e as the follo wing ex- ample illustrates. Consider the distributions P ( x ) = δ x, 0 and Q ( x ) = 2 − n o v er { 0 , 1 } n with H 2 ( P ) = 0 and H 2 ( Q ) = n . F or the equal mixture of these distrib utions h olds H 2 (( P + Q ) / 2) = − log(1 / 4) + O (2 − n ) ≈ 2 < n/ 2 = (H 2 ( P ) + H 2 ( Q )) / 2 for n > 5. F ano’s Inequalit y Lemma 2.11 (F ano’s Inequalit y) L et X ↔ Y ↔ X ′ b e a M arkov c hain 2 . Then, for the err or pr ob ability p e : = P [ X 6 = X ′ ] , i t holds H( X | Y ) ≤ h ( p e ) + p e · log( |X | − 1) . Pro of: W e denote b y E : = 1 { X 6 = X ′ } the indicato r random v ariable of the ev en t { X 6 = X ′ } that the guess w as n ot successful. By the c hain rule for Shannon en trop y , we can write H( X E | Y ) = H( X | Y ) + H( E | X Y ) = H( E | Y ) + H( X | E Y ) W e observ e that H ( E | Y ) ≤ h ( p e ), H( E | X Y ) ≥ 0 and H( X | E Y ) = (1 − p e ) H( X |{ X = X ′ } Y ) + p e H( X |{ X 6 = X ′ } Y ) = p e log( |X | − 1) and the claim follo ws by rearranging the terms. 2.4.2 Smo oth R´ en yi En trop y Smo oth min- and max-entropies w ere introd uced b y Renn er and W olf in [Ren05, R W05] 3 . They are families of entrop y m easur es p arametrized by non-negativ e 2 Think of X ′ as guess of X based only on Y . 3 The notion of smo othing a pr ob ability distribution w as already used in [ILL89]. F u rt her- more, a different kind of smo oth R´ enyi entr opy (not equiv alent to th e ones used h ere) was introduced b y Cachin [Cac97]. 2.4. Entropies 20 real num b ers ε , called the smo othn ess . It is a generaliza tion of the n otions of conditional min- and m ax-entrop y defined in the last section. H ε ∞ ( X | Y ) : = max E min x,y − log P X Y E ( x, y ) P Y ( y ) , H ε 0 ( X | Y ) : = min E max y log |{ x ∈ X : P X Y E ( x, y ) P Y ( y ) > 0 }| where the maximum/minim um ranges o v er all ev en ts E with pr obabilit y Pr[ E ] ≥ 1 − ε . 
$P_{XY\mathcal E}(x,y)$ is the probability that $\mathcal E$ occurs and X, Y take values x, y. Hence, the "distribution" $P_{XY\mathcal E}$ is not normalized. For a given distribution $P_{XY}$, it is easy to compute its smooth min-entropy (max-entropy), simply by cutting a maximum mass of ε off the largest (smallest) probabilities. Informally, the statement $H^\varepsilon_\infty(X) = r$ can be understood as saying that the standard min-entropy of X is close to r, except with probability ε. As ε can be interpreted as an error probability, we typically require ε to be negligible in the security parameter.

The reason why we only define the min- and max-versions of smooth Rényi entropy is that it is shown in [RW05] that, for example, smooth Rényi entropy of order α > 1 obeys
$$H^{\varepsilon+\varepsilon'}_\infty(X|Y) + \frac{\log(1/\varepsilon')}{\alpha - 1} \ge H^\varepsilon_\alpha(X|Y) \ge H^\varepsilon_\infty(X|Y),$$
and hence is equivalent to smooth min-entropy up to an additive term which depends on α and the smoothness ε′. An analogous statement holds for α < 1 and smooth max-entropy. As pointed out in [RW05], for ε = 0 the relation above shows, for example, that $H_2(X)$ cannot be larger than $H^{\varepsilon}_\infty(X) + \log(1/\varepsilon)$, whereas for the non-smooth versions we only know from Equation (2.1) that $H_2(X) \le 2\,H_\infty(X)$.

Most importantly, smooth min- and max-entropy have an operational meaning, as they provide the answer to two fundamental information-theoretic problems:

• $H^\varepsilon_\infty(X|Y)$ is the maximum amount [4] of randomness that can be extracted from X and an independent random string R, such that except with probability ε, the extracted string looks completely uniform to an adversary who knows Y and learns R. This falls into the setting of privacy amplification, see Section 2.5 below.
• $H^\varepsilon_0(X|Y)$ is the minimal length [4] of an encoding computed from X and some additional independent randomness R, such that except with probability ε, someone knowing Y and R can reconstruct X from the encoding. This is a data-compression problem which is often called information reconciliation or error correction in cryptographic settings.

[4] Up to some small additive error term which depends logarithmically on ε.

In [RW05], it is shown that smooth min- and max-entropies enjoy several Shannon-like properties such as the chain rule (see Lemma 2.12 below), sub-additivity $H^\varepsilon_\infty(XY) \le H^{\varepsilon+\varepsilon'}_\infty(X) + H^{\varepsilon'}_0(Y)$ and monotonicity $H^\varepsilon_\infty(X) \le H^\varepsilon_\infty(XY)$.

Lemma 2.12 (Chain Rule [RW05]) For all ε, ε′ > 0, we have
$$H^{\varepsilon+\varepsilon'}_\infty(X|Y) > H^\varepsilon_\infty(XY) - H_0(Y) - \log\frac{1}{\varepsilon'}.$$

As a consequence of the asymptotic equipartition property (cf. [CT91]), smooth Rényi entropy is asymptotically equal to Shannon entropy in the following sense.

Lemma 2.13 ([RW05, HR06]) Let $(X_1, Y_1), \ldots, (X_n, Y_n)$ be n independent pairs of random variables distributed according to $P_{XY}$. Then, for any α ≠ 1,
$$\lim_{\varepsilon\to 0}\ \lim_{n\to\infty}\ \frac{H^\varepsilon_\alpha(X^n|Y^n)}{n} = H(X|Y).$$

Note that such a lemma does not hold at all for non-smooth Rényi entropies.

To provide some intuition about smooth min-entropy, the following lemma shows how to translate smooth min-entropy back to regular conditional min-entropy.

Lemma 2.14 If $H^\varepsilon_\infty(X|Y) = r$, then there exists an event $\mathcal E'$ such that $\Pr(\mathcal E') \ge 1 - 2\varepsilon$ and $H_\infty(X|\mathcal E', Y = y) \ge r - 1$ for every y with $P_{Y\mathcal E'}(y) > 0$.

Proof: By definition of smooth min-entropy, there exists an event $\mathcal E$ with $\Pr(\mathcal E) \ge 1 - \varepsilon$ and such that $H_\infty(X\mathcal E|Y = y) \ge r$ for all y, and thus $P_{X\mathcal E|Y}(x|y) \le 2^{-r}$ for all x and y.
Define $\mathcal E'$ by setting, for all x and y,
$$P_{X\mathcal E'|Y}(x|y) := \begin{cases} P_{X\mathcal E|Y}(x|y) & \text{if } P_{\mathcal E|Y}(y) \ge \tfrac12, \\ 0 & \text{else.}\end{cases}$$
Then obviously, for any y with $P_{Y\mathcal E'}(y) > 0$ and thus $P_{\mathcal E'|Y}(y) = P_{\mathcal E|Y}(y) \ge \tfrac12$,
$$P_{X|\mathcal E' Y}(x|y) = \frac{P_{X\mathcal E'|Y}(x|y)}{P_{\mathcal E'|Y}(y)} \le \frac{2^{-r}}{P_{\mathcal E'|Y}(y)} \le 2^{-r+1}.$$
Furthermore,
$$1 - \varepsilon \le \Pr(\mathcal E) = \Pr\big(\mathcal E \mid P_{\mathcal E|Y}(Y) < \tfrac12\big)\cdot\Pr\big(P_{\mathcal E|Y}(Y) < \tfrac12\big) + \Pr\big(\mathcal E \mid P_{\mathcal E|Y}(Y) \ge \tfrac12\big)\cdot\Pr\big(P_{\mathcal E|Y}(Y) \ge \tfrac12\big) \quad (2.2)$$
$$\le \tfrac12\Pr\big(P_{\mathcal E|Y}(Y) < \tfrac12\big) + \Pr\big(P_{\mathcal E|Y}(Y) \ge \tfrac12\big),$$
from which it follows that $\Pr(P_{\mathcal E|Y}(Y) < \tfrac12) \le 2\varepsilon$. Thus we can conclude that
$$\Pr(\mathcal E') \ge \Pr\big(\mathcal E' \mid P_{\mathcal E|Y}(Y) \ge \tfrac12\big)\cdot\Pr\big(P_{\mathcal E|Y}(Y) \ge \tfrac12\big) \ge \Pr\big(\mathcal E \mid P_{\mathcal E|Y}(Y) \ge \tfrac12\big)\cdot\Pr\big(P_{\mathcal E|Y}(Y) \ge \tfrac12\big) \ge 1 - \varepsilon - \tfrac12\Pr\big(P_{\mathcal E|Y}(Y) < \tfrac12\big) \ge 1 - 2\varepsilon,$$
where the second-last inequality follows from (2.2), noting (once more) that $\Pr(\mathcal E \mid P_{\mathcal E|Y}(Y) < \tfrac12) < \tfrac12$.

2.4.3 Min-Entropy-Splitting Lemma

For proving reductions between variants of oblivious transfer in Section 3.4 and the security of 1-2 OT in the bounded-quantum-storage model in Chapter 6, we will make use of the following min-entropy splitting lemma. Note that if the joint entropy of two random variables $X_0$ and $X_1$ is large, then one is tempted to conclude that at least one of $X_0$ and $X_1$ must still have large entropy, e.g. half of the original entropy. Whereas this is indeed true for Shannon entropy, it is in general not true for min-entropy. The following lemma, though, which first appeared in a preliminary version of [Wul07], shows that it is true in a randomized sense.

Lemma 2.15 (Min-Entropy-Splitting Lemma) Let ε ≥ 0, and let $X_0, X_1$ be random variables with $H^\varepsilon_\infty(X_0X_1) \ge \alpha$. Then there exists a random variable C ∈ {0, 1} such that $H^\varepsilon_\infty(X_{1-C}\,C) \ge \alpha/2$.

Proof: Below, we give the proof for ε = 0, i.e., for ordinary (non-smooth) min-entropy.
The general claim for smooth min-entropy follows immediately by observing that the same argument also works for non-normalized distributions with a total probability smaller than 1. We extend the probability distribution $P_{X_0X_1}$ as follows to $P_{X_0X_1C}$. Let C = 1 if $P_{X_1}(X_1) \ge 2^{-\alpha/2}$ and C = 0 otherwise. We have that for all $x_1$, $P_{X_1C}(x_1, 0)$ either vanishes or is equal to $P_{X_1}(x_1)$. In any case, $P_{X_1C}(x_1, 0) < 2^{-\alpha/2}$. On the other hand, for all $x_1$ with $P_{X_1C}(x_1, 1) > 0$, we have that $P_{X_1C}(x_1, 1) = P_{X_1}(x_1) \ge 2^{-\alpha/2}$ and therefore, for all $x_0$,
$$P_{X_0X_1C}(x_0, x_1, 1) \le 2^{-\alpha} = 2^{-\alpha/2}\cdot 2^{-\alpha/2} \le 2^{-\alpha/2}\,P_{X_1}(x_1).$$
Summing over all $x_1$ with $P_{X_0X_1C}(x_0, x_1, 1) > 0$, and thus with $P_{X_1C}(x_1, 1) > 0$, results in
$$P_{X_0C}(x_0, 1) \le \sum_{x_1} 2^{-\alpha/2}\,P_{X_1}(x_1) \le 2^{-\alpha/2}.$$
This shows that $P_{X_{1-C}C}(x, c) \le 2^{-\alpha/2}$ for all x, c.

The corollary below follows rather straightforwardly by noting that (for normalized as well as non-normalized distributions) $H_\infty(X_0X_1|Z) \ge \alpha$ holds exactly if $H_\infty(X_0X_1|Z = z) \ge \alpha$ for all z, applying the Min-Entropy-Splitting Lemma, and then using the chain rule, Lemma 2.12.

Corollary 2.16 Let ε ≥ 0 be given, and let $X_0, X_1, Z$ be random variables with $H^\varepsilon_\infty(X_0X_1|Z) \ge \alpha$. Then there exists a binary random variable C ∈ {0, 1} such that for ε′ > 0,
$$H^{\varepsilon+\varepsilon'}_\infty(X_{1-C}|ZC) \ge \alpha/2 - 1 - \log(1/\varepsilon').$$

2.4.4 Entropy of Quantum States

As pointed out in [RK05], Rényi entropy $H_\alpha(\rho)$ can also be defined for a quantum state $\rho \in \mathcal P(\mathcal H)$. For α ∈ [0, ∞] and $\rho \in \mathcal P(\mathcal H)$, we have
$$H_\alpha(\rho) := \frac{1}{1-\alpha}\log\big(\mathrm{tr}(\rho^\alpha)\big).$$
In the limit cases α → 0 and α → ∞, we obtain $H_0(\rho) = \log(\mathrm{rank}(\rho))$ and $H_\infty(\rho) = -\log(\lambda_{\max}(\rho))$, where $\lambda_{\max}(\rho)$ denotes the maximum eigenvalue of ρ.
For α = 2, we obtain the collision entropy $H_2(\rho) = -\log\sum_i \lambda_i^2$, where $\{\lambda_i\}_i$ are the eigenvalues of ρ. For a classical random variable X encoded in $\rho_X = \sum_x P_X(x)\,|x\rangle\langle x|$, it holds that $H_\alpha(\rho_X) = H_\alpha(X)$.

For deriving our version of the privacy-amplification theorem in the next section, we need the slightly more involved version of quantum conditional min-entropy from [Ren05].

Definition 2.17 ([Ren05]) Let $\rho_{AB} \in \mathcal P(\mathcal H_A \otimes \mathcal H_B)$ and $\sigma_B \in \mathcal P(\mathcal H_B)$. The min-entropy of $\rho_{AB}$ relative to $\sigma_B$ is
$$H_{\min}(\rho_{AB}|\sigma_B) := -\log\lambda,$$
where λ is the minimum real number such that $\lambda\cdot\mathbb 1_A \otimes \sigma_B - \rho_{AB}$ is non-negative. The min-entropy of $\rho_{AB}$ given $\mathcal H_B$ is
$$H_{\min}(\rho_{AB}|B) := \sup_{\sigma_B} H_{\min}(\rho_{AB}|\sigma_B),$$
where the supremum ranges over all $\sigma_B \in \mathcal P(\mathcal H_B)$.

Similar to the classical case, the smooth version can be defined as follows.

Definition 2.18 ([Ren05]) Let $\rho_{AB} \in \mathcal P(\mathcal H_A \otimes \mathcal H_B)$, $\sigma_B \in \mathcal P(\mathcal H_B)$, and ε ≥ 0. The ε-smooth min-entropy of $\rho_{AB}$ relative to $\sigma_B$ is
$$H^\varepsilon_{\min}(\rho_{AB}|\sigma_B) := \sup_{\bar\rho_{AB}} H_{\min}(\bar\rho_{AB}|\sigma_B),$$
where the supremum ranges over the set $\mathcal B^\varepsilon(\rho_{AB})$ containing all Hermitian, non-negative operators $\bar\rho_{AB}$ acting on $\mathcal H_A \otimes \mathcal H_B$ such that $\delta(\bar\rho_{AB}, \rho_{AB}) \le 2\varepsilon$ and $\mathrm{tr}(\bar\rho_{AB}) \le 1$. The ε-smooth min-entropy given $\mathcal H_B$ is
$$H^\varepsilon_{\min}(\rho_{AB}|B) := \sup_{\sigma_B} H^\varepsilon_{\min}(\rho_{AB}|\sigma_B),$$
where the supremum ranges over all $\sigma_B \in \mathcal P(\mathcal H_B)$.

To compute $H^\varepsilon_{\min}(\rho_{XB}|\sigma_B)$ where $\rho_{XB}$ is a cq-state, the supremum can be restricted to states $\bar\rho_{XB} \in \mathcal B^\varepsilon(\rho_{XB})$ which are classical on $\mathcal H_X$ as well [Ren05, Remark 3.2.4].

There is a chain rule for smooth min-entropy, proven in [Ren05, Lemma 3.2.9].

Lemma 2.19 ([Ren05]) Let $\rho_{XUE} \in \mathcal P(\mathcal H_X \otimes \mathcal H_U \otimes \mathcal H_E)$, $\sigma_U \in \mathcal P(\mathcal H_U)$, let $\sigma_E \in \mathcal P(\mathcal H_E)$ be the fully mixed state on the image of $\rho_E$, and let ε ≥ 0.
Then
$$H^\varepsilon_{\min}(\rho_{XUE}|\sigma_U) - H_{\max}(\rho_E) \le H^\varepsilon_{\min}(\rho_{XUE}|\sigma_U \otimes \sigma_E).$$

The following two lemmas state that dropping a quantum register cannot increase the (smooth) min-entropy.

Lemma 2.20 Let $\rho_{XUQ} \in \mathcal P(\mathcal H_X \otimes \mathcal H_U \otimes \mathcal H_Q)$ be a ccq-state. Then $H_{\min}(\rho_{XUQ}|\rho_U) \ge H_{\min}(\rho_{XU}|\rho_U)$.

Proof: For $\lambda := 2^{-H_{\min}(\rho_{XU}|\rho_U)}$, we have by Definition 2.17 that $\lambda\cdot\mathbb 1_X \otimes \rho_U - \rho_{XU} \ge 0$. Using that both X and U are classical, we derive that for all x, u it holds that $\lambda\cdot p_u - p_{xu} \ge 0$, where $p_u$ and $p_{xu}$ are shortcuts for the probabilities $P_U(u)$ and $P_{XU}(x, u)$. Let the normalized conditional operator $\rho^{x,u}_Q$ be the quantum state conditioned on the event that X = x and U = u, i.e.
$$\sum_{x,u} p_{xu}\,\rho^{x,u}_Q \otimes |xu\rangle\langle xu| = \rho_{QXU}.$$
Then
$$\sum_{x,u}\Big(\lambda\cdot p_u\,\rho^{x,u}_Q \otimes |xu\rangle\langle xu| - p_{xu}\,\rho^{x,u}_Q \otimes |xu\rangle\langle xu|\Big) \ge 0.$$
Because of $\rho^{x,u}_Q \le \mathbb 1_Q$, we get
$$\sum_{x,u}\Big(\lambda\cdot p_u\,\mathbb 1_Q \otimes |xu\rangle\langle xu| - p_{xu}\,\rho^{x,u}_Q \otimes |xu\rangle\langle xu|\Big) \ge 0.$$
Therefore, $\lambda\cdot\mathbb 1_{QX} \otimes \rho_U - \rho_{QXU} \ge 0$ holds, from which it follows by definition that $H_{\min}(\rho_{XUQ}|\rho_U) \ge -\log(\lambda)$.

Lemma 2.21 Let $\rho_{XUQ} \in \mathcal P(\mathcal H_X \otimes \mathcal H_U \otimes \mathcal H_Q)$ be a ccq-state and let ε ≥ 0. Then $H^\varepsilon_{\min}(\rho_{XUQ}|\rho_U) \ge H^\varepsilon_{\min}(\rho_{XU}|\rho_U)$.

Proof: By the remark after Definition 2.18 above, there exists $\sigma_{XU} \in \mathcal B^\varepsilon(\rho_{XU})$ classical on $\mathcal H_X \otimes \mathcal H_U$ such that $H^\varepsilon_{\min}(\rho_{XU}|\rho_U) = H_{\min}(\sigma_{XU}|\sigma_U)$. Because both X and U are classical, we can write $\sigma_{XU} = \sum_{x,u} p_{xu}\,|xu\rangle\langle xu|$ and extend it to obtain $\sigma_{XUQ} := \sum_{x,u} p_{xu}\,|xu\rangle\langle xu| \otimes \rho^{x,u}_Q$. Lemma 2.20 from above yields $H_{\min}(\sigma_{XU}|\sigma_U) \le H_{\min}(\sigma_{XUQ}|\sigma_U)$. We have by construction that $\delta(\sigma_{XUQ}, \rho_{XUQ}) = \delta(\sigma_{XU}, \rho_{XU}) \le 2\varepsilon$. Therefore, $\sigma_{XUQ} \in \mathcal B^\varepsilon(\rho_{XUQ})$ and $H_{\min}(\sigma_{XUQ}|\sigma_U) \le H^\varepsilon_{\min}(\rho_{XUQ}|\rho_U)$.
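To make the classical part of Section 2.4 concrete, here is an added example (not code from the thesis) that computes smooth min-entropy by the cut-off procedure described after its definition in Section 2.4.2 and constructs the choice bit C from the proof of the Min-Entropy-Splitting Lemma (Lemma 2.15); the two toy distributions SPIKED and SPLIT_TOY are constructed for this purpose and are not from the text.

```python
"""Added example (not from the thesis): smooth min-entropy of a classical
distribution (Section 2.4.2) and the choice bit C constructed in the proof of
the Min-Entropy-Splitting Lemma (Lemma 2.15). All inputs are constructed toys;
probabilities are exact Fractions so the entropies come out exactly."""
from fractions import Fraction
from math import log2


def min_entropy(p):
    """H_inf(P) = -log max_x P(x); p maps value -> probability and may be
    sub-normalised (total mass < 1), as in the smooth definitions."""
    return -log2(max(p.values()))


def collision_entropy(p):
    """H_2(P) = -log sum_x P(x)^2."""
    return -log2(sum(v * v for v in p.values()))


def smooth_min_entropy(p, eps):
    """H^eps_inf(P) for a classical distribution, computed as described after
    the definition: cut a total mass of eps off the largest probabilities
    (levelling them down to a common value t) and take the min-entropy of what
    is left. Returns inf if eps removes the whole distribution."""
    eps = Fraction(eps)
    probs = sorted(p.values(), reverse=True)
    for k in range(1, len(probs) + 1):
        # Level the k largest probabilities down to t; this is the right cut
        # as soon as t is not below the (k+1)-st largest probability.
        t = (sum(probs[:k]) - eps) / k
        if k == len(probs) or t >= probs[k]:
            return float("inf") if t <= 0 else -log2(t)
    return float("inf")  # not reached


def split_choice(p01, alpha):
    """The construction from the proof of Lemma 2.15: C = 1 iff
    P_{X1}(x1) >= 2^{-alpha/2}. p01 maps (x0, x1) -> probability; the result
    is the joint distribution P_{X_{1-C} C} as a dict (x, c) -> probability."""
    px1 = {}
    for (_, x1), v in p01.items():
        px1[x1] = px1.get(x1, 0) + v
    threshold = 2.0 ** (-alpha / 2)
    joint = {}
    for (x0, x1), v in p01.items():
        c = 1 if px1[x1] >= threshold else 0
        x = x0 if c == 1 else x1  # the value of X_{1-C}
        joint[(x, c)] = joint.get((x, c), 0) + v
    return joint


def marginal(p01, index):
    """Marginal of a joint distribution over pairs on coordinate `index`."""
    m = {}
    for key, v in p01.items():
        m[key[index]] = m.get(key[index], 0) + v
    return m


# Constructed example for smoothing: a 4-bit value that is 0000 with
# probability 1/2 and otherwise uniform over the 15 remaining strings.
SPIKED = {x: (Fraction(1, 2) if x == 0 else Fraction(1, 30)) for x in range(16)}

# Constructed example for splitting: joint min-entropy alpha = 3 (every entry
# is 1/8), while each of X0 and X1 alone has min-entropy only 1 < alpha/2.
SPLIT_TOY = {(0, x1): Fraction(1, 8) for x1 in range(4)}
SPLIT_TOY.update({(x0, 0): Fraction(1, 8) for x0 in (1, 2, 3)})
SPLIT_TOY[(1, 1)] = Fraction(1, 8)

if __name__ == "__main__":
    print("H_inf(X)     =", min_entropy(SPIKED))                      # 1.0
    print("H_2(X)       =", round(collision_entropy(SPIKED), 3))      # 1.907
    print("H^1/4_inf(X) =", smooth_min_entropy(SPIKED, "1/4"))        # 2.0
    # Relation from the text for eps = 1/4: H_2(X) <= H^eps_inf(X) + log(1/eps)
    print("H_2 <= H^eps_inf + 2:", collision_entropy(SPIKED) <= 2.0 + 2)
    alpha = min_entropy(SPLIT_TOY)
    print("alpha =", alpha, " H_inf(X0) =", min_entropy(marginal(SPLIT_TOY, 0)),
          " H_inf(X1) =", min_entropy(marginal(SPLIT_TOY, 1)))
    print("H_inf(X_{1-C} C) =", min_entropy(split_choice(SPLIT_TOY, alpha)))  # 2.0 >= 1.5
```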
2.5 Two-Universal Hashing and Privacy Amplification against Quantum Adversaries

2.5.1 History and Setting of Privacy Amplification

Assume two parties Alice and Bob share some information X which is only partly secure, in the sense that an adversary Eve has some partial knowledge about it. Privacy amplification, introduced by Bennett, Brassard, and Robert [BBR88], is the art of transforming this information X into a highly secure key K by public discussion. The honest parties want to end up with an almost uniformly distributed key K about which Eve has only negligible information given the communication. A common way to achieve this is to have Alice pick a hash function f at random from a two-universal class of hashing functions (see the next section for the definition), apply it to X and announce it to Bob, who applies it to X as well. Due to the randomizing properties of a two-universal function, the output f(X) is close to uniformly distributed from Eve's point of view. As shown in [BBR88] and by Impagliazzo, Levin, Luby [ILL89] and Bennett, Brassard, Crépeau, and Maurer [BBCM95], the classical privacy amplification theorem or left-over hash lemma (see Corollary 2.27 below) states that if Eve has some classical knowledge W about X, a secure key of length roughly the uncertainty of Eve about X (measured in terms of min-entropy) can be extracted by two-universal hashing. It is pointed out in [RW05] that the maximum amount of extractable randomness is essentially given by the conditional smooth min-entropy $H^\varepsilon_\infty(X|W)$.

It is interesting to investigate the case when Eve holds quantum information about X.
This scenario has been considered by König, Maurer, and Renner [KMR05, RK05, Ren05], and the results reproduced below show that two-universal hashing works just as well against quantum as against classical adversaries. We note that, unlike in the classical case, where many other forms of randomness extractors are known, two-universal hashing is essentially the only way to perform privacy amplification against quantum adversaries [5]. This tool is one of the key ingredients in all protocols presented in this thesis. It has been widely used in other applications as well, for example in security proofs of quantum-key-distribution schemes by Christandl, Renner, Ekert, Kraus, and Gisin [CRE04, KGR05, RGK05, Ren05].

[5] In a recent paper, König and Terhal [KT06] exhibit some extractors which work against quantum adversaries, but the parameters are far from the classical ones.

2.5.2 Two-Universal Hashing

An important tool we use is two-universal hashing.

Definition 2.22 A class $\mathcal F_n$ of hashing functions from $\{0,1\}^n$ to $\{0,1\}^\ell$ is called two-universal if for any pair $x, y \in \{0,1\}^n$ with x ≠ y, and F uniformly chosen from $\mathcal F_n$, it holds that
$$P[F(x) = F(y)] \le \frac{1}{2^\ell}.$$

We can also define a slightly stronger notion of two-universality as follows:

Definition 2.23 A class $\mathcal F_n$ of hashing functions from $\{0,1\}^n$ to $\{0,1\}^\ell$ is called strongly two-universal if for any pair $x, y \in \{0,1\}^n$ with x ≠ y, and F uniformly chosen from $\mathcal F_n$, the random variables F(x) and F(y) are independent and uniformly distributed over $\{0,1\}^\ell$.

Several two-universal and strongly two-universal classes of hashing functions are such that evaluating and picking a function uniformly at random in $\mathcal F_n$ can be done efficiently, as pointed out by Wegman and Carter [CW77, WC79].
2.5.3 Privacy Amplification against Quantum Adversaries

In the following, we consider the situation where a hash function is picked randomly from $\mathcal F_n$ and applied to a classical value $X \in \{0,1\}^n$ which is correlated with a quantum register $\mathcal H_E$. Formally, starting with the cq-state $\rho_{XE} = \sum_{x \in \{0,1\}^n} P_X(x)\,|x\rangle\langle x| \otimes \rho^x_E$, we obtain
$$\rho_{F(X)FE} = \sum_{f \in \mathcal F_n}\ \sum_{z \in \{0,1\}^\ell} |z\rangle\langle z| \otimes |f\rangle\langle f| \otimes \sum_{x \in f^{-1}(z)} P_X(x)\,\rho^x_E. \quad (2.3)$$
The following privacy-amplification theorem in the presence of quantum adversaries was first derived in [RK05]. The version below is from [Ren05, Corollary 5.6.1] [6].

Theorem 2.24 (Privacy Amplification [Ren05]) Let $\rho_{XB} \in \mathcal P(\mathcal H_X \otimes \mathcal H_B)$ be a cq-state, where X takes values in $\{0,1\}^n$. Let $\mathcal F_n$ be a two-universal family of hash functions from $\{0,1\}^n$ to $\{0,1\}^\ell$, and let ε ≥ 0. Then, for the ccq-state $\rho_{F(X)FB}$ defined by (2.3), it holds that
$$\delta\big(\rho_{F(X)FB},\ \mathbb 1 \otimes \rho_{FB}\big) \le \varepsilon + \tfrac12\,2^{-\frac12\left(H^\varepsilon_{\min}(\rho_{XB}|B) - \ell\right)}.$$

[6] Note that in [Ren05], the distance from uniform is defined in terms of the trace-norm distance, which is twice the variational distance used in this thesis.

For large parts of this thesis, slightly weaker forms of this theorem are used. These are derived in the following.

Corollary 2.25 Let $\rho_{XUE}$ be a ccq-state, where X takes values in $\{0,1\}^n$, U in the finite domain $\mathcal U$, and register E contains q qubits. Let $\mathcal F_n$ be a two-universal family of hash functions from $\{0,1\}^n$ to $\{0,1\}^\ell$, and let ε ≥ 0. Then, for the cccq-state $\rho_{F(X)FUE}$ defined analogously to (2.3), it holds that
$$\delta\big(\rho_{F(X)FUE},\ \mathbb 1 \otimes \rho_{FUE}\big) \le \tfrac12\,2^{-\frac12\left(H^\varepsilon_\infty(X|U) - q - \ell\right)} + \varepsilon. \quad (2.4)$$

Recall that by the definition of the trace distance, we have that if the right-hand side of (2.4) is negligible, i.e.
say smaller than $2^{-\lambda n}$, then this situation is $2^{-\lambda n}$-close to the ideal situation where F(X) is perfectly uniform and independent of F, U and E. In particular, replacing F(X) by an independent and uniformly distributed bit results in a common state which essentially cannot be distinguished from the original one.

Proof: In our case, the quantum register B from Theorem 2.24 consists of a classical part U and a quantum part E. Denoting by $\sigma_E$ the fully mixed state on the image of $\rho_E$, we only need to consider the term in the exponent to derive Corollary 2.25, as follows:
$$H^\varepsilon_{\min}(\rho_{XUE}|UE) \ge H^\varepsilon_{\min}(\rho_{XUE}|\rho_U \otimes \sigma_E) \ge H^\varepsilon_{\min}(\rho_{XUE}|\rho_U) - H_{\max}(\rho_E) \quad (2.5)$$
$$\ge H^\varepsilon_{\min}(\rho_{XU}|\rho_U) - H_{\max}(\rho_E) \quad (2.6)$$
$$= H^\varepsilon_\infty(X|U) - q.$$
The first inequality follows by Definition 2.18 of $H^\varepsilon_{\min}$ as a supremum over all $\sigma_{UE}$. Inequality (2.5) is the chain rule for smooth min-entropy (Lemma 2.19). Inequality (2.6) uses that the smooth min-entropy cannot decrease when dropping the quantum register, which is proven in Lemma 2.21 from the last section. The last step follows by the assumption about the quantum register and by observing that the state $\rho_{XU}$ is classical, so that the quantum Definition 2.18 reduces to classical smooth min-entropy.

The following corollary is a direct consequence of Corollary 2.25. In Chapter 7, this lemma will be useful for proving the binding condition of our commitment scheme. Recall that for $X \in \{0,1\}^n$, $B^{\delta n}(X)$ denotes the set of all n-bit strings at Hamming distance at most δn from X, and $B^{\delta n} := |B^{\delta n}(X)|$ is the number of such strings.

Corollary 2.26 Let $\rho_{XUE}$ be a ccq-state, where X takes values in $\{0,1\}^n$, U in the finite domain $\mathcal U$, and register E contains q qubits. Let $\hat X$ be a guess for X obtained by learning U and measuring E, and let ε ≥ 0.
Then, for all δ < ½ it holds that
$$P\big[\hat X \in B^{\delta n}(X)\big] \le 2^{-\frac12\left(H^\varepsilon_\infty(X|U) - q - 1\right) + \log(B^{\delta n})} + 2\varepsilon\cdot B^{\delta n}.$$
In other words, given some classical knowledge U and a quantum memory of q qubits arbitrarily correlated with a classical random variable X, the probability to find $\hat X$ at Hamming distance at most δn from X, where $n\,h(\delta) < \tfrac12\big(H^\varepsilon_\infty(X|U) - q\big)$, is small.

Proof: Here is a strategy to try to bias F(X) when given $\hat X$ and $F \in_R \mathcal F_n$: sample $X' \in_R B^{\delta n}(\hat X)$ and output F(X′). Note that, using $p_{succ}$ as a shorthand for the probability $P[\hat X \in B^{\delta n}(X)]$ to be bounded,
$$P[F(X') = F(X)] = \frac{p_{succ}}{B^{\delta n}} + \Big(1 - \frac{p_{succ}}{B^{\delta n}}\Big)\frac12 = \frac12 + \frac{p_{succ}}{2\cdot B^{\delta n}},$$
where the first equality follows from the fact that if X′ ≠ X then, as $\mathcal F_n$ is two-universal, $P[F(X) = F(X')] = \tfrac12$. Note that, given F and U and being allowed to measure E, the probability of correctly guessing a binary F(X) is upper bounded by $\tfrac12 + \delta(\rho_{F(X)FUE}, \mathbb 1 \otimes \rho_{FUE})$ [FvdG99]. In combination with Corollary 2.25 (with ℓ = 1), the above results in
$$\frac12 + \frac{p_{succ}}{2\cdot B^{\delta n}} \le \frac12 + \frac12\,2^{-\frac12\left(H^\varepsilon_\infty(X|U) - q - 1\right)} + \varepsilon,$$
and the claim follows by rearranging the terms.

2.5.4 Classical Privacy Amplification

The classical privacy-amplification theorem follows as a special case from the results above. When there is no quantum correlation, we (almost) recover the well-known classical left-over hash lemma [ILL89, BBCM95, HILL99]:

Corollary 2.27 Let X be a random variable over $\{0,1\}^n$, and let F denote the uniform choice of a hash function in a two-universal family of hash functions $\mathcal F_n$ mapping from $\{0,1\}^n$ to $\{0,1\}^\ell$. Then
$$\delta\big(P_{F(X)F},\ P_{\mathrm{unif}_\ell}\cdot P_F\big) \le \tfrac12\,2^{-\frac12\left(H_2(X) - \ell\right)}.$$
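As an added example, not from the thesis, the following Python code uses the family of all GF(2)-linear maps (an ℓ×n binary matrix M, f_M(x) = Mx) as a two-universal class in the sense of Definition 2.22, checks that property exhaustively, and verifies the bound of Corollary 2.27 exactly for a constructed 4-bit source; the family itself, the source SOURCE and the names N, L are assumptions of this example, not taken from the page.

```python
"""Added example (not from the thesis): the family of all linear maps
{0,1}^n -> {0,1}^l over GF(2), given by an l x n binary matrix M with
f_M(x) = M x, as a two-universal class (Definition 2.22), and an exhaustive
check of the classical left-over hash lemma, Corollary 2.27, on a constructed
distribution. n and l are tiny so that every matrix can be enumerated."""
from fractions import Fraction
from itertools import product
from math import log2


def gf2_apply(rows, x):
    """Apply the matrix given as a tuple of l row bitmasks to the n-bit
    integer x: output bit i is the parity of (rows[i] & x), i.e. <row_i, x>."""
    out = 0
    for i, r in enumerate(rows):
        out |= (bin(r & x).count("1") & 1) << i
    return out


def all_matrices(n, l):
    """Every l x n matrix over GF(2), encoded as a tuple of l row bitmasks."""
    return list(product(range(1 << n), repeat=l))


def is_two_universal(n, l):
    """Check Definition 2.22 exhaustively for the linear family: for all
    x != y, Pr_M[M x = M y] <= 2^-l. (For linear maps it equals 2^-l, since
    M x = M y iff M (x xor y) = 0 and x xor y != 0.)"""
    fam = all_matrices(n, l)
    bound = Fraction(1, 2 ** l)
    for x in range(1 << n):
        for y in range(x + 1, 1 << n):
            coll = sum(1 for m in fam if gf2_apply(m, x) == gf2_apply(m, y))
            if Fraction(coll, len(fam)) > bound:
                return False
    return True


def collision_entropy(px):
    """H_2(X) = -log sum_x P_X(x)^2 for px mapping value -> probability."""
    return -log2(sum(v * v for v in px.values()))


def distance_from_uniform(px, n, l):
    """delta(P_{F(X) F}, P_unif_l . P_F) for F uniform over the linear maps:
    half the L1 distance between the joint distribution of (F(X), F) and the
    product of the uniform distribution on {0,1}^l with P_F. Exact Fraction."""
    fam = all_matrices(n, l)
    pf = Fraction(1, len(fam))
    unif = Fraction(1, 2 ** l)
    total = Fraction(0)
    for m in fam:
        joint = {}
        for x, v in px.items():
            z = gf2_apply(m, x)
            joint[z] = joint.get(z, 0) + v * pf
        for z in range(1 << l):
            total += abs(joint.get(z, 0) - unif * pf)
    return total / 2


def leftover_hash_bound(px, l):
    """Right-hand side of Corollary 2.27: 1/2 * 2^{-(H_2(X) - l)/2}."""
    return 0.5 * 2 ** (-(collision_entropy(px) - l) / 2)


# Constructed source: 4-bit X, two values of probability 1/4 each and the
# remaining 14 values uniform, so that H_2(X) = log2(7) is well below n = 4.
N, L = 4, 2
SOURCE = {x: (Fraction(1, 4) if x < 2 else Fraction(1, 28)) for x in range(16)}

if __name__ == "__main__":
    print("linear family two-universal:", is_two_universal(N, L))
    print("H_2(X) =", round(collision_entropy(SOURCE), 4))
    d = distance_from_uniform(SOURCE, N, L)
    print("delta =", float(d), " <= bound", round(leftover_hash_bound(SOURCE, L), 4))
```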
This corollary (with collision- instead of min-entropy in the exponent on the right-hand side) cannot immediately be derived from Theorem 2.24 above, but rather from its proof in [Ren05]. The reason for this is that the easiest way of proving both Theorem 2.24 and Corollary 2.27 is by directly considering collision entropy instead of min-entropy. On the other hand, relaxing the notion of collision entropy to smooth min-entropy gives the natural operative meaning (see Section 2.4.2) and, interestingly, it only looks like we are losing something by doing that, but in fact this achieves optimality [RW05].

Chapter 3  Classical Oblivious Transfer

Most of the results presented in this chapter are published in [DFSS06].

3.1 Introduction and Outline

As already mentioned in Section 1.1, 1-out-of-2 Oblivious Transfer, 1-2 OT for short, is a two-party primitive which allows a sender to send two bits (or, more generally, strings) $B_0$ and $B_1$ to a receiver, who is allowed to learn one of the two according to his choice C. Informally, it is required that the receiver only learns $B_C$ but not $B_{1-C}$ (what we call security for the honest sender, hence sender-security), while at the same time the sender does not learn C (receiver-security). Interestingly, 1-2 OT was introduced by Wiesner around 1970 (but only published much later [Wie83]) under the name of "multiplexing" in the context of quantum cryptography, and, inspired by [Rab81] where a different flavor was introduced, later re-discovered by Even, Goldreich and Lempel [EGL82]. 1-2 OT turned out to be very powerful, as Kilian [Kil88] showed it to be sufficient for secure general two-party computation. For this reason, much effort has been put into reducing 1-2 OT to seemingly weaker flavors of OT, like Rabin OT, 1-2 XOT, etc. [Cré87, BC97, Cac98, Wol00, BCW03, CS06].
In this chapter, we focus on a slightly modified notion of 1-2 OT, which we call Randomized 1-2 OT, Rand 1-2 OT for short, where the bits (or strings) $B_0$ and $B_1$ are not input by the sender, but generated uniformly at random during the Rand 1-2 OT and then output to the sender. It is still required that the receiver only learns the bit (or string) of his choice, $B_C$, whereas the sender does not learn any information on C. It is obvious that a Rand 1-2 OT can easily be turned into an ordinary 1-2 OT simply by using the generated $B_0$ and $B_1$ to mask the actual input bits (or strings). Furthermore, all known constructions of unconditionally secure 1-2 OT protocols implicitly make the detour via Rand 1-2 OT.

In a first step, we observe that the sender-security condition of a Rand 1-2 OT of bits is equivalent to requiring the XOR $B_0 \oplus B_1$ to be close to uniformly distributed from the receiver's point of view. The proof is very simple, and it is kind of surprising that, to the best of our knowledge, this has not been realized before. We then ask and answer the question whether there is a natural generalization of this result to Rand 1-2 OT of strings. Note that requiring the bit-wise XOR of the two strings to be uniformly distributed is obviously not sufficient. We show that the sender-security for Rand 1-2 OT of strings can be characterized in terms of non-degenerate linear functions (bivariate binary linear functions which non-trivially depend on both arguments, as defined in Definition 3.3): sender-security holds if and only if the result of applying any non-degenerate linear function to the two strings is (close to) uniformly distributed from the receiver's point of view.

We then show the usefulness of this new understanding of 1-2 OT. We demonstrate this on the problem of reducing 1-2 OT to weaker primitives.
Concretely, we show that the reducibility of an ordinary 1-2 OT to weaker flavors via a non-interactive reduction follows by a trivial argument from our characterization of sender-security. This is in sharp contrast to the current literature: the proofs given by Brassard, Crépeau and Wolf [BC97, Wol00, BCW03] for reducing 1-2 OT to 1-2 XOT, 1-2 GOT and 1-2 UOT (we refer to Section 3.4 for a description of these flavors of OT) are rather complicated and tailored to a particular class of privacy-amplifying hash functions; whether the reductions also work for a less restricted class is left as an open problem [BCW03, page 222]. And the proof given by Cachin [Cac98] for reducing 1-2 OT to one execution of a general UOT is not only complicated, but also incorrect, as we will point out. Thus, our characterization of the condition for sender-security allows us to simplify existing reducibility proofs and, along the way, to solve the open problem posed in [BCW03], as well as to improve the reduction parameters in most cases; but it also allows for new reductions, respectively ones that until now were only incorrectly proven. In recent work by Wullschleger [Wul07], the analysis of these reductions is further improved.

Furthermore, we extend our result and show how our characterization of Rand 1-2 OT in terms of non-degenerate linear functions translates to 1-n OT.

As a historical side note, we note that the original motivation for characterizing sender-security with the help of NDLFs was to prove sender-security of the quantum protocol for 1-2 OT described in Chapter 6. We point out by an example in Section 3.6 at the end of this chapter why this approach does not work.

3.2 Defining 1-2 OT

3.2.1 Randomized 1-2 OT of Bits

Formally capturing the intuitive understanding of the security of 1-2 OT is a non-trivial and subtle task.
For instance, requiring the sender's view to be independent of the receiver's choice bit C is too strong a requirement, since his input might already depend on C. The best one can hope for is that his view is independent of C conditioned on his input $B_0, B_1$. Security against a dishonest receiver is even more subtle. We refer to the security definition by Crépeau, Savvides, Schaffner and Wullschleger of [CSSW06], where it is argued that this definition is the "right" way to define unconditionally secure 1-2 OT. In their model, a secure 1-2 OT protocol is as good as an ideal 1-2 OT functionality.

In this thesis, we will mainly focus on a slight modification of 1-2 OT, which we call Randomized 1-2 OT (although sender-randomized 1-2 OT would be a more appropriate, but also rather lengthy, name). A Randomized 1-2 OT, or Rand 1-2 OT for short, essentially coincides with an ordinary 1-2 OT, except that the two bits $B_0$ and $B_1$ are not input by the sender but generated uniformly at random during the protocol and output to the sender. This is formalized in Definition 3.1 below. There are two main justifications for focusing on Rand 1-2 OT. First, an ordinary 1-2 OT can easily be constructed from a Rand 1-2 OT: the sender can use the randomly generated $B_0$ and $B_1$ to one-time-pad encrypt his input bits for the 1-2 OT, and send the masked bits to the receiver (as first realized by Beaver [Bea95]). For a formal proof of this we refer to the full version of [CSSW06]. And second, all information-theoretically secure constructions of 1-2 OT protocols we are aware of in fact do implicitly build a Rand 1-2 OT and use the above reduction to achieve 1-2 OT.
We formalize Rand 1-2 OT in such a way that it minimizes and simplifies as much as possible the security restraints, while at the same time remaining sufficient for 1-2 OT.

Definition 3.1 (Rand 1-2 OT) An ε-secure Rand 1-2 OT is a protocol between sender S and receiver R, with R having input C ∈ {0, 1} (while S has no input), such that for any distribution of C, the following properties hold:

ε-Correctness: For honest S and R, S has output $B_0, B_1 \in \{0,1\}$ and R has output $B_C$, except with probability ε.

ε-Receiver-security: For honest R and any (dishonest) $\tilde S$ with output V,
$$\delta\big(P_{CV},\ P_C\cdot P_V\big) \le \varepsilon.$$

ε-Sender-security: For honest S and any (dishonest) $\tilde R$ with output W, there exists a binary random variable D such that
$$\delta\big(P_{B_{1-D}\,W\,B_D\,D},\ P_{\mathrm{unif}}\cdot P_{W\,B_D\,D}\big) \le \varepsilon.$$

The condition for receiver-security simply says that S learns no information on C, and sender-security requires that there exists a choice bit D, supposed to be C, such that when given the choice D and the corresponding bit $B_D$, the other bit, $B_{1-D}$, is completely random from R's point of view.

We would like to point out that the definition of Rand 1-2 OT given in [CSSW06] looks syntactically slightly different from our Definition 3.1. However, it is not hard to see that they are actually equivalent. The main difference is that the definition in [CSSW06] involves an auxiliary input Z, which is given to the dishonest player, and receiver- and sender-security as we define them are required to hold conditioned on Z for any Z. Considering a constant Z immediately proves one direction of the claimed equivalence, and the other follows from the observation that if receiver- and sender-security as we define them
hold for any distribution $P_{B_0B_1C}$ (respectively $P_C$), then they also hold for the conditional distribution $P_{B_0B_1C|Z=z}$ (respectively $P_{C|Z=z}$). The other difference is that in [CSSW06], in the condition for sender-security of Rand 1-2 OT, $B_{1-D}$ is required to be random and independent of W, $B_D$, D and C. This of course implies our sender-security condition (which is without C), but it is also implied by our definition, as C may be part of the output W. We feel that simplifying the definitions as we do, without changing their meaning, allows for easier handling.

3.2.2 Randomized 1-2 OT of Strings

In a 1-2 String OT the sender inputs two strings of the same length, and the receiver is allowed to learn one and only one of the two. Formally, for any positive integer ℓ, 1-2 OT^ℓ and Rand 1-2 OT^ℓ can be defined along the same lines as 1-2 OT and Rand 1-2 OT of bits: the binary random variables $B_0$ and $B_1$ as well as unif in Definition 3.1 are simply replaced by random variables $S_0$ and $S_1$ and $\mathrm{unif}_\ell$ with range $\{0,1\}^\ell$.

3.3 Characterizing Sender-Security

3.3.1 The Case of Bit OT

It is well known, and it follows from sender-security, that in a (Rand) 1-2 OT the receiver R should in particular learn essentially no information on the XOR $B_0 \oplus B_1$ of the two bits. The following proposition shows that this is not only necessary for sender-security but also sufficient.

Theorem 3.2 The condition for ε-sender-security for a Rand 1-2 OT is satisfied for a particular (possibly dishonest) receiver $\tilde R$ with output W if and only if
$$\delta\big(P_{(B_0 \oplus B_1)\,W},\ P_{\mathrm{unif}}\cdot P_W\big) \le \varepsilon.$$

Before going into the proof, which is surprisingly simple, consider the following example.
Assume a candidate protocol for Rand 1-2 OT and a dishonest receiver $\tilde{R}$ which is able to output $W = 0$ if $B_0 = 0 = B_1$, $W = 1$ if $B_0 = 1 = B_1$, and $W = 0$ or $1$ with probability $1/2$ each in case $B_0 \ne B_1$. Then it is easy to see that, conditioned on, say, $W = 0$, $(B_0, B_1)$ is $(0,0)$ with probability $1/2$, and $(0,1)$ and $(1,0)$ each with probability $1/4$, so that the condition on the XOR from Theorem 3.2 is satisfied. On the other hand, neither $B_0$ nor $B_1$ is uniformly distributed conditioned on $W = 0$, and it appears as if the receiver has some joint information on $B_0$ and $B_1$ which is forbidden by a (Rand) 1-2 OT. But that is not so. Indeed, the same view can be obtained when attacking an ideal Rand 1-2 OT: submit a random bit $C$ to obtain $B_C$ and output $W = B_C$. In the light of Definition 3.1, if $W = 0$ we can split the event $(B_0, B_1) = (0,0)$ into two disjoint subsets (sub-events) $E_0$ and $E_1$ such that each has probability $1/4$, and we define $D$ by setting $D = 0$ if $E_0$ or $(B_0, B_1) = (0,1)$, and $D = 1$ if $E_1$ or $(B_0, B_1) = (1,0)$. Then, obviously, conditioned on $D = d$, the bit $B_{1-d}$ is uniformly distributed, even when given $B_d$. The corresponding holds if $W = 1$.

Proof: The "only if" implication is well known and straightforward. For the "if" implication, we first argue the perfect case where $P_{(B_0 \oplus B_1) W} = P_{\mathrm{unif}} \cdot P_W$. For any value $w$ with $P_W(w) > 0$, the non-normalized distribution $P_{B_0 B_1 W}(\cdot, \cdot, w)$ can be expressed as depicted in the left table of Figure 3.1, where we write $a$ for $P_{B_0 B_1 W}(0,0,w)$, $b$ for $P_{B_0 B_1 W}(0,1,w)$, $c$ for $P_{B_0 B_1 W}(1,0,w)$ and $d$ for $P_{B_0 B_1 W}(1,1,w)$. Note that $a + b + c + d = P_W(w)$ and, by assumption, $a + d = b + c$. Due to symmetry, we may assume that $a \le b$.
We can then define $D$ by extending $P_{B_0 B_1 W}(\cdot,\cdot,w)$ to $P_{B_0 B_1 D W}(\cdot,\cdot,\cdot,w)$ as depicted in the two right tables of Figure 3.1: $P_{B_0 B_1 D W}(0,0,0,w) = P_{B_0 B_1 D W}(0,1,0,w) = a$, $P_{B_0 B_1 D W}(1,0,0,w) = P_{B_0 B_1 D W}(1,1,0,w) = c$, etc. It is important to realize that $P_{B_0 B_1 D W}(\cdot,\cdot,\cdot,w)$ is indeed a valid extension, since by assumption $c + (b - a) = d$.

Figure 3.1: Distributions $P_{B_0 B_1 W}(\cdot,\cdot,w)$ and $P_{B_0 B_1 D W}(\cdot,\cdot,\cdot,w)$ (rows indexed by $B_0$, columns by $B_1$):
$$P_{B_0 B_1 W}(\cdot,\cdot,w) = \begin{pmatrix} a & b \\ c & d \end{pmatrix},\qquad
P_{B_0 B_1 D W}(\cdot,\cdot,0,w) = \begin{pmatrix} a & a \\ c & c \end{pmatrix},\qquad
P_{B_0 B_1 D W}(\cdot,\cdot,1,w) = \begin{pmatrix} 0 & b-a \\ 0 & b-a \end{pmatrix}.$$

It is now obvious that $P_{B_0 B_1 D W}(\cdot,\cdot,0,w) = \frac12 P_{B_0 D W}(\cdot,0,w)$ as well as $P_{B_0 B_1 D W}(\cdot,\cdot,1,w) = \frac12 P_{B_1 D W}(\cdot,1,w)$. This finishes the perfect case. Concerning the general case, the idea is the same as above, except that one has to take some care in handling the error parameter $\varepsilon \ge 0$. As this does not give any new insight, and we anyway state and fully prove a more general result in Theorem 3.6, we skip this part of the proof.[1]

3.3.2 The Case of String OT

The obvious question after the previous section is whether there is a natural generalization of Theorem 3.2 to 1-2 OT$^\ell$ for $\ell \ge 2$. Note that the straightforward generalization of the XOR condition in Theorem 3.2, requiring that any receiver has no information on the bit-wise XOR of the two strings, is clearly too weak and does not imply sender-security for Rand 1-2 OT$^\ell$: for instance, the receiver could know the first half of the first string and the second half of the second string.

The Characterization

Let $\ell$ be an arbitrary positive integer.
Definition 3.3 A function $\beta: \{0,1\}^\ell \times \{0,1\}^\ell \to \{0,1\}$ is called a non-degenerate linear function (NDLF) if it is of the form
$$\beta: (s_0, s_1) \mapsto \langle a_0, s_0\rangle \oplus \langle a_1, s_1\rangle$$
for two non-zero $a_0, a_1 \in \{0,1\}^\ell$, i.e., if it is linear and non-trivially depends on both input strings.

[1] Although the special case $\ell = 1$ in Theorem 3.6 is quantitatively slightly weaker than Theorem 3.2.

Even though this is the main notion we are using, the following more relaxed notion allows us to make some of our claims slightly stronger.

Definition 3.4 A binary function $\beta: \{0,1\}^\ell \times \{0,1\}^\ell \to \{0,1\}$ is called 2-balanced if for any $s_0, s_1 \in \{0,1\}^\ell$ the functions $\beta(s_0, \cdot)$ and $\beta(\cdot, s_1)$ are balanced in the usual sense, meaning that
$$\big|\{\sigma_1 \in \{0,1\}^\ell : \beta(s_0, \sigma_1) = 0\}\big| = 2^\ell/2 \quad\text{and}\quad \big|\{\sigma_0 \in \{0,1\}^\ell : \beta(\sigma_0, s_1) = 0\}\big| = 2^\ell/2.$$

The following is easy to see, and the proof is omitted.

Lemma 3.5 Every non-degenerate linear function is 2-balanced.

In case $\ell = 1$, the XOR is an NDLF and thus 2-balanced, and it is the only NDLF and, up to addition of a constant, the only 2-balanced function.

Based on this notion of non-degenerate linear functions, sender-security of Rand 1-2 String OT can be characterized as follows.

Theorem 3.6 The condition of $\varepsilon$-sender-security for a Rand 1-2 OT$^\ell$ is satisfied for a particular (possibly dishonest) receiver $\tilde{R}$ with output $W$ if
$$\delta\big(P_{\beta(S_0,S_1) W},\, P_{\mathrm{unif}} \cdot P_W\big) \le \varepsilon / 2^{2\ell+1}$$
for every NDLF $\beta$, and, on the other hand, $\varepsilon$-sender-security may be satisfied only if
$$\delta\big(P_{\beta(S_0,S_1) W},\, P_{\mathrm{unif}} \cdot P_W\big) \le \varepsilon$$
for every NDLF $\beta$.

The number of NDLFs is exponential in $\ell$, namely $(2^\ell - 1)^2$. Nevertheless, we show in Section 3.4 that this characterization turns out to be very useful. There, we will also argue that an exponential overhead in $\ell$ in the sufficient condition is unavoidable.
The proof of Theorem 3.6 also shows that the set of NDLFs forms a minimal set of functions among all sets that imply sender-security. In this sense, our characterization is tight.

At first glance, Theorem 3.6 appears to be related to the so-called (information-theoretic) XOR-Lemma, commonly attributed to Vazirani [Vaz86] and nicely explained by Goldreich [Gol95], which states that a string is close to uniform if the XOR of the bits in every non-empty subset of positions is. As far as we can see, Theorem 3.6 neither follows from the XOR-Lemma in an obvious way nor can it be proven by modifying the proof of the XOR-Lemma as given in [Gol95].

Furthermore, we would like to point out that Theorem 4 in [BCW03] also provides a tool to analyze sender-security of 1-2 OT protocols in terms of linear functions; however, the condition that needs to be satisfied is much stronger than for our Theorem 3.6: it additionally requires that one of the two strings is a priori uniformly distributed from the receiver's point of view.[2] This difference is crucial, because showing that one of the two strings is uniform (conditioned on the receiver's view) is usually technically involved and sometimes not even possible, as the example given after Theorem 3.2 shows. This is also demonstrated by the fact that the analysis in [BCW03] of the considered 1-2 OT protocol is tailored to one particular class of privacy-amplifying hash functions, and it is stated as an open problem how to prove their construction secure when a different class of hash functions is used.

[2] Concretely, it is additionally required that every non-trivial parity of that string is uniform, but by the XOR-Lemma this is equivalent to the whole string being uniform.
The condition of Theorem 3.6, on the other hand, is naturally satisfied for typical constructions of 1-2 OT protocols, as we shall see in Section 3.4. As a result, Theorem 3.6 allows for much simpler and more elegant security proofs for 1-2 OT protocols and, as a by-product, allows us to solve the open problem from [BCW03]. We explain this in detail in Section 3.4, and the interested reader may well jump ahead and save the proof of Theorem 3.6 for later.

Proof of Theorem 3.6 ("only if" part)

We start with the proof of the "only if" part of Theorem 3.6. In fact, a slightly stronger statement is shown, namely that $\varepsilon$-sender-security implies $\delta(P_{\beta(S_0,S_1) W}, P_{\mathrm{unif}} \cdot P_W) \le \varepsilon$ for any 2-balanced function $\beta$. According to Definition 3.1, $\varepsilon$-sender-security for Rand 1-2 OT$^\ell$ is satisfied for a receiver R with output $W$ if there exists a random variable $D$ with range $\{0,1\}$ such that
$$\frac12 \sum_{w,d,s_0,s_1} \Big| P_{S_{1-D} S_D D W}(s_{1-d}, s_d, d, w) - 2^{-\ell} P_{S_D D W}(s_d, d, w) \Big| \le \varepsilon.$$
In order to upper bound
$$\delta\big(P_{\beta(S_0,S_1) W},\, P_{\mathrm{unif}} \cdot P_W\big) = \frac12 \sum_{w,b} \Big| P_{\beta(S_0,S_1) W}(b, w) - \tfrac12 P_W(w) \Big|$$
we expand the terms on the right-hand side as follows:
$$P_{\beta(S_0,S_1) W}(b, w) = \sum_d P_{\beta(S_0,S_1) D W}(b, d, w) = \sum_d \sum_{\substack{s_d, s_{1-d}\\ \beta(s_0,s_1) = b}} P_{S_{1-D} S_D D W}(s_{1-d}, s_d, d, w)$$
and
$$P_W(w) = \sum_d \sum_{s_d} P_{S_D D W}(s_d, d, w) = \sum_d 2^{-\ell+1} \sum_{\substack{s_d, s_{1-d}\\ \beta(s_0,s_1) = b}} P_{S_D D W}(s_d, d, w),$$
where the last equality holds because there are $2^{\ell-1}$ values for $s_{1-d}$ such that $\beta(s_0, s_1) = b$, as $\beta$ is a 2-balanced function. Using those two expansions we conclude that
$$\delta\big(P_{\beta(S_0,S_1) W},\, P_{\mathrm{unif}} \cdot P_W\big) \le \frac12 \sum_{w,b} \sum_d \sum_{\substack{s_d, s_{1-d}\\ \beta(s_0,s_1) = b}} \Big| P_{S_{1-D} S_D D W}(s_{1-d}, s_d, d, w) - 2^{-\ell} P_{S_D D W}(s_d, d, w) \Big|$$
$$= \frac12 \sum_{w,d,s_0,s_1} \Big| P_{S_{1-D} S_D D W}(s_{1-d}, s_d, d, w) - 2^{-\ell} P_{S_D D W}(s_d, d, w) \Big| \le \varepsilon,$$
where the first inequality follows from the above expansions and the triangle inequality, and the last inequality is our initial assumption. The "if" part, which is the interesting direction, is proven below.

The Case ℓ = 2

We feel that in order to understand the proof of Theorem 3.6, it is useful to first consider the case $\ell = 2$. Let us focus on trying to develop a condition that is sufficient for perfect sender-security. Fix an arbitrary output $w$, and consider an arbitrary non-normalized probability distribution $P_{S_0 S_1 W}(\cdot,\cdot,w)$ of $S_0$ and $S_1$ when $W = w$. This is depicted in the left table of Figure 3.2, where we write $a$ for $P_{S_0 S_1 W}(00, 00, w)$, $b$ for $P_{S_0 S_1 W}(00, 01, w)$, etc. We may assume that $a \le b, c, d$. We now extend this distribution to $P_{S_0 S_1 D W}(\cdot,\cdot,\cdot,w)$ similarly as in the proof of Theorem 3.2. This is depicted in the two right tables of Figure 3.2. We verify what conditions $P_{S_0 S_1 W}(\cdot,\cdot,w)$ must satisfy such that $P_{S_0 S_1 D W}$ is indeed a valid extension, i.e., that $P_{S_0 S_1 D W}(\cdot,\cdot,0,w) + P_{S_0 S_1 D W}(\cdot,\cdot,1,w) = P_{S_0 S_1 W}(\cdot,\cdot,w)$.

Figure 3.2: Distributions $P_{S_0 S_1 W}(\cdot,\cdot,w)$ and $P_{S_0 S_1 D W}(\cdot,\cdot,\cdot,w)$ (rows indexed by $s_0 \in \{00, 01, 10, 11\}$, columns by $s_1$ in the same order):
$$P_{S_0 S_1 W}(\cdot,\cdot,w) = \begin{pmatrix} a & b & c & d\\ e & f & g & h\\ i & j & k & l\\ m & n & o & p \end{pmatrix},\quad
P_{S_0 S_1 D W}(\cdot,\cdot,0,w) = \begin{pmatrix} a & a & a & a\\ e & e & e & e\\ i & i & i & i\\ m & m & m & m \end{pmatrix},\quad
P_{S_0 S_1 D W}(\cdot,\cdot,1,w) = \begin{pmatrix} 0 & b-a & c-a & d-a\\ 0 & b-a & c-a & d-a\\ 0 & b-a & c-a & d-a\\ 0 & b-a & c-a & d-a \end{pmatrix}.$$

For instance, looking at the second row and second column we get the equation $e + (b - a) = f$. Altogether, we get the following system of equations:
$$\begin{aligned}
b + e &= a + f, & b + i &= a + j, & b + m &= a + n,\\
c + e &= a + g, & c + i &= a + k, & c + m &= a + o,\\
d + e &= a + h, & d + i &= a + l, & d + m &= a + p.
\end{aligned}$$

Note that if all these equations hold for any $w$, then $P_{S_0 S_1 D W}(\cdot,\cdot,\cdot,\cdot)$ is well defined and satisfies $P_{S_0 S_1 D W}(\cdot,\cdot,0,\cdot) = \frac14 P_{S_0 D W}(\cdot,0,\cdot)$ and $P_{S_0 S_1 D W}(\cdot,\cdot,1,\cdot) = \frac14 P_{S_1 D W}(\cdot,1,\cdot)$; in other words, perfect sender-security holds.

The idea now is to show that the above equation system is equivalent to another equation system in which every equation expresses that a certain NDLF applied to $S_0$ and $S_1$ is uniformly distributed when $W = w$, which holds by assumption. For example, by adding all the equations in the original system while taking every second equation with negative sign, one gets the equation
$$b + d + e + g + j + l + m + o = a + c + f + h + i + k + n + p.$$
Define the function $\beta: \{0,1\}^2 \times \{0,1\}^2 \to \{0,1\}$ as follows. Let $\beta(s_0, s_1)$ be $0$ if the entry which corresponds to $(s_0, s_1)$ in the left table of Figure 3.2 appears on the left-hand side of the above equation, and else let $\beta(s_0, s_1)$ be $1$. Then the above equation simply says that $\beta(S_0, S_1) = 0$ with the same probability as $\beta(S_0, S_1) = 1$ (when $W = w$). Note that it is crucial that in the above equation every variable $a$ up to $p$ occurs with multiplicity exactly $1$. By comparing the function tables, it is now easy to verify that $\beta$ coincides, up to complementing its output (which does not affect the uniformity statement), with the function $(s_0, s_1) \mapsto s_{0,2} \oplus s_{1,2}$, where $s_{i,2}$ denotes the second coordinate of $s_i \in \{0,1\}^2$, and thus is an NDLF. One can now show (and we are going to do this below for arbitrary $\ell$) that there are enough such equations, corresponding to NDLFs, such that these equations imply the original ones. This implies that if $\beta(S_0, S_1)$ is distributed uniformly and independently of $W$ for every NDLF $\beta$, then the original equation system is satisfied (for any $w$), and thus $P_{S_0 S_1 D W}$ is well defined.

Proof of Theorem 3.6 ("if" part)
First, we consider the perfect case: if $P_{\beta(S_0,S_1) W}$ equals $P_{\mathrm{unif}} \cdot P_W$ for every NDLF $\beta$, then sender-security for Rand 1-2 OT$^\ell$ holds perfectly.

The Perfect Case: Since the case $\ell = 1$ is already settled, we assume that $\ell \ge 2$. We generalize the idea from the case $\ell = 2$. The main issue will be to transform the equations guaranteed by the assumption on the linear functions into the ones required for $P_{S_0 S_1 D W}(\cdot,\cdot,0,w) + P_{S_0 S_1 D W}(\cdot,\cdot,1,w) = P_{S_0 S_1 W}(\cdot,\cdot,w)$.

Fix an arbitrary output $w$ of the receiver, and consider the non-normalized probability distribution $P_{S_0 S_1 W}(\cdot,\cdot,w)$. We use the variable $p_{s_0,s_1}$ to refer to $P_{S_0 S_1 W}(s_0, s_1, w)$, and we write $\mathbf{o}$ for the all-zero string $(0,\ldots,0) \in \{0,1\}^\ell$. We assume that $p_{\mathbf{o},\mathbf{o}} \le p_{\mathbf{o},s_1}$ for any $s_1 \in \{0,1\}^\ell$; we show later that we may do so. We extend this distribution to $P_{S_0 S_1 D W}(\cdot,\cdot,\cdot,w)$ by setting
$$P_{S_0 S_1 D W}(s_0, s_1, 0, w) = p_{s_0,\mathbf{o}} \quad\text{and}\quad P_{S_0 S_1 D W}(s_0, s_1, 1, w) = p_{\mathbf{o},s_1} - p_{\mathbf{o},\mathbf{o}} \tag{3.1}$$
for any strings $s_0, s_1 \in \{0,1\}^\ell$, and we collect the equations resulting from the condition that $P_{S_0 S_1 W}(\cdot,\cdot,w) = P_{S_0 S_1 D W}(\cdot,\cdot,0,w) + P_{S_0 S_1 D W}(\cdot,\cdot,1,w)$ needs to be satisfied: for any two $s_0, s_1 \in \{0,1\}^\ell \setminus \{\mathbf{o}\}$,
$$p_{s_0,\mathbf{o}} + p_{\mathbf{o},s_1} = p_{\mathbf{o},\mathbf{o}} + p_{s_0,s_1}. \tag{3.2}$$
If all these equations hold for any $w$, then, as in the case $\ell = 1$ or $\ell = 2$, the random variable $D$ is well defined and $P_{S_{1-D} S_D W D} = P_{\mathrm{unif}^\ell} \cdot P_{S_D W D}$ holds, since $P_{S_0 S_1 D W}(s_0, s_1, 0, w)$ does not depend on $s_1$ and $P_{S_0 S_1 D W}(s_0, s_1, 1, w)$ does not depend on $s_0$.

We proceed by showing that the equations provided by the assumed uniformity of $\beta(S_0, S_1)$ for any $\beta$ imply the equations given by (3.2).
Consider an arbitrary pair $a_0, a_1 \in \{0,1\}^\ell \setminus \{\mathbf{o}\}$ and let $\beta$ be the associated NDLF, i.e., such that $\beta(s_0, s_1) = \langle a_0, s_0\rangle \oplus \langle a_1, s_1\rangle$. By assumption, $\beta(S_0, S_1)$ is uniformly distributed, independent of $W$. Thus, for any fixed $w$, this can be expressed as
$$\sum_{\substack{\sigma_0,\sigma_1:\\ \langle a_0,\sigma_0\rangle = \langle a_1,\sigma_1\rangle}} p_{\sigma_0,\sigma_1} = \sum_{\substack{\sigma_0,\sigma_1:\\ \langle a_0,\sigma_0\rangle \ne \langle a_1,\sigma_1\rangle}} p_{\sigma_0,\sigma_1}, \tag{3.3}$$
where both summations are over all $\sigma_0, \sigma_1 \in \{0,1\}^\ell$ subject to the indicated respective properties. Recall that this equality holds for any pair $a_0, a_1 \in \{0,1\}^\ell \setminus \{\mathbf{o}\}$. Thus, for fixed $s_0, s_1 \in \{0,1\}^\ell \setminus \{\mathbf{o}\}$, if we sum over all such pairs $a_0, a_1$ subject to $\langle a_0, s_0\rangle = \langle a_1, s_1\rangle = 1$, we get the equation
$$\sum_{\substack{a_0,a_1:\\ \langle a_0,s_0\rangle = \langle a_1,s_1\rangle = 1}} \;\sum_{\substack{\sigma_0,\sigma_1:\\ \langle a_0,\sigma_0\rangle = \langle a_1,\sigma_1\rangle}} p_{\sigma_0,\sigma_1} = \sum_{\substack{a_0,a_1:\\ \langle a_0,s_0\rangle = \langle a_1,s_1\rangle = 1}} \;\sum_{\substack{\sigma_0,\sigma_1:\\ \langle a_0,\sigma_0\rangle \ne \langle a_1,\sigma_1\rangle}} p_{\sigma_0,\sigma_1},$$
which, after re-arranging the terms of the summations, leads to
$$\sum_{\sigma_0,\sigma_1} \;\sum_{\substack{a_0,a_1:\\ \langle a_0,s_0\rangle = \langle a_1,s_1\rangle = 1\\ \langle a_0,\sigma_0\rangle = \langle a_1,\sigma_1\rangle}} p_{\sigma_0,\sigma_1} = \sum_{\sigma_0,\sigma_1} \;\sum_{\substack{a_0,a_1:\\ \langle a_0,s_0\rangle = \langle a_1,s_1\rangle = 1\\ \langle a_0,\sigma_0\rangle \ne \langle a_1,\sigma_1\rangle}} p_{\sigma_0,\sigma_1}. \tag{3.4}$$
We will now argue that, up to a constant multiplicative factor, equation (3.4) coincides with equation (3.2). First, it is straightforward to verify that the variables $p_{\mathbf{o},\mathbf{o}}$ and $p_{s_0,s_1}$ occur only on the left-hand side, both with multiplicity $2^{2(\ell-1)}$ (the number of pairs $a_0, a_1$ such that $\langle a_0, s_0\rangle = \langle a_1, s_1\rangle = 1$), whereas $p_{s_0,\mathbf{o}}$ and $p_{\mathbf{o},s_1}$ occur only on the right-hand side, with the same multiplicity $2^{2(\ell-1)}$. Now, we argue that any other $p_{\sigma_0,\sigma_1}$ appears equally often on the right and on the left-hand side, and thus these terms cancel out.
Note that the set of pairs $a_0, a_1$ over which the summation runs on the left, respectively the right, hand side can be understood as the set of solutions to a binary non-homogeneous linear equation system:
$$\begin{pmatrix} s_0 & 0 \\ 0 & s_1 \\ \sigma_0 & \sigma_1 \end{pmatrix} \begin{pmatrix} a_0 \\ a_1 \end{pmatrix} = \begin{pmatrix} 1 \\ 1 \\ 0 \end{pmatrix} \quad\text{respectively}\quad \begin{pmatrix} 1 \\ 1 \\ 1 \end{pmatrix}.$$
Also note that the two linear equation systems consist of three equations and involve at least $4$ variables, because $a_0, a_1 \in \{0,1\}^\ell$ and $\ell \ge 2$. Therefore, using basic linear algebra, one is tempted to conclude that they both have solutions and, because they have the same homogeneous part, they have the same number of solutions, equal to the number of homogeneous solutions. However, this is only guaranteed if the matrix defining the homogeneous part has full rank. In our situation, this is precisely the case if and only if $(\sigma_0, \sigma_1) \notin \{(\mathbf{o},\mathbf{o}), (s_0,\mathbf{o}), (\mathbf{o},s_1), (s_0,s_1)\}$, where those four exceptions have already been treated above. It follows that the equations (3.3), which are guaranteed by assumption, imply the equations (3.2).

It remains to justify the assumption that $p_{\mathbf{o},\mathbf{o}} \le p_{\mathbf{o},s_1}$ for any $s_1$. In general, we choose $t \in \{0,1\}^\ell$ such that $p_{\mathbf{o},t} \le p_{\mathbf{o},s_1}$ for any $s_1 \in \{0,1\}^\ell$, and we set $P_{S_0 S_1 D W}(s_0, s_1, 0, w) = p_{s_0,t}$ and $P_{S_0 S_1 D W}(s_0, s_1, 1, w) = p_{\mathbf{o},s_1} - p_{\mathbf{o},t}$, resulting in the equation $p_{s_0,t} + p_{\mathbf{o},s_1} = p_{\mathbf{o},t} + p_{s_0,s_1}$ that needs to be satisfied for $s_0 \in \{0,1\}^\ell \setminus \{\mathbf{o}\}$ and $s_1 \in \{0,1\}^\ell \setminus \{t\}$. This equality, though, can be argued as for equation (3.2), which we did above, simply by replacing $p_{\sigma_0,\sigma_1}$ on both sides of (3.3) by $p_{\sigma_0,\sigma_1 \oplus t}$ (where $\oplus$ is the bit-wise XOR). We may safely do so: doing a suitable variable substitution and using linearity of the inner product, it is easy to see that this modified equation still expresses uniformity of $\beta(S_0, S_1)$.
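Before the general case, the perfect-case construction above, together with the bit-OT example after Theorem 3.2 and the counterexample of Section 3.3.2, carried out by exhaustive computation in Python. This is an added example, not code from the thesis; all function names are its own, and the sender's strings $S_0, S_1$ are assumed uniform. `ndlfs` enumerates the $(2^\ell-1)^2$ NDLFs of Definition 3.3 and `is_two_balanced` checks Lemma 3.5 by enumeration; `worst_ndlf_distance` evaluates $\max_\beta \delta(P_{\beta(S_0,S_1)W}, P_{\mathrm{unif}} \cdot P_W)$ for a given $P_{S_0 S_1 W}$; `extend` runs construction (3.1) with the shift $t$ used above and reports failure when an instance of (3.2) does not hold; `sender_security` evaluates the distance of Definition 3.1 for the resulting $D$. Three receivers are constructed: the $\ell = 1$ receiver of the example after Theorem 3.2, the attack on an ideal Rand 1-2 OT$^\ell$ with $W = (C, S_C)$, and the $\ell = 2$ receiver who learns the first bit of $S_0$ and the second bit of $S_1$.

```python
from fractions import Fraction as Fr
from itertools import product

def inner(a, s):
    """Inner product <a, s> over GF(2) for equal-length bit tuples."""
    return sum(x & y for x, y in zip(a, s)) & 1

def ndlfs(ell):
    """All NDLFs of Definition 3.3 as pairs (a0, a1) of non-zero vectors: (2^ell - 1)^2 of them."""
    nonzero = [a for a in product((0, 1), repeat=ell) if any(a)]
    return [(a0, a1) for a0 in nonzero for a1 in nonzero]

def is_two_balanced(a0, a1, ell):
    """Definition 3.4 for the NDLF (a0, a1), by enumeration (Lemma 3.5 says this always holds)."""
    strings, half = list(product((0, 1), repeat=ell)), 2 ** ell // 2
    return all(sum(inner(a0, s) ^ inner(a1, t) for t in strings) == half
               and sum(inner(a0, t) ^ inner(a1, s) for t in strings) == half for s in strings)

def stat_dist(p, q):
    """delta(P, Q) = 1/2 * sum |P(x) - Q(x)| for two dicts over a common key space."""
    return sum(abs(p.get(k, 0) - q.get(k, 0)) for k in set(p) | set(q)) / 2

def worst_ndlf_distance(dist, ell):
    """max over NDLFs beta of delta(P_{beta(S0,S1) W}, P_unif * P_W), for dist = P_{S0 S1 W}."""
    pw = {}
    for (s0, s1, w), v in dist.items():
        pw[w] = pw.get(w, 0) + v
    prod = {(b, w): v / 2 for w, v in pw.items() for b in (0, 1)}
    worst = Fr(0)
    for a0, a1 in ndlfs(ell):
        joint = {}
        for (s0, s1, w), v in dist.items():
            k = (inner(a0, s0) ^ inner(a1, s1), w)
            joint[k] = joint.get(k, 0) + v
        worst = max(worst, stat_dist(joint, prod))
    return worst

def bitwise_xor_distance(dist, ell):
    """The naive generalisation of Theorem 3.2: delta(P_{(S0 xor S1) W}, P_unif^ell * P_W)."""
    pw, joint = {}, {}
    for (s0, s1, w), v in dist.items():
        pw[w] = pw.get(w, 0) + v
        k = (tuple(x ^ y for x, y in zip(s0, s1)), w)
        joint[k] = joint.get(k, 0) + v
    prod = {(x, w): v / 2 ** ell for w, v in pw.items() for x in product((0, 1), repeat=ell)}
    return stat_dist(joint, prod)

def extend(dist, ell):
    """Construction (3.1) with the shift t of the proof: for each w pick t minimising p_{o,s1} and set
    P(s0,s1,0,w) = p_{s0,t}, P(s0,s1,1,w) = p_{o,s1} - p_{o,t}.  Returns P_{S0 S1 D W}, or None as soon
    as one instance of equation (3.2) fails, i.e. when the two tables do not add up to P_{S0 S1 W}."""
    strings = list(product((0, 1), repeat=ell))
    o, out = strings[0], {}
    for w in {w for (_, _, w) in dist}:
        p = lambda s0, s1: dist.get((s0, s1, w), Fr(0))
        t = min(strings, key=lambda s1: p(o, s1))
        for s0, s1 in product(strings, repeat=2):
            d0, d1 = p(s0, t), p(o, s1) - p(o, t)
            if d0 + d1 != p(s0, s1):
                return None
            out[(s0, s1, 0, w)], out[(s0, s1, 1, w)] = d0, d1
    return out

def sender_security(ext, ell):
    """delta(P_{S_{1-D} S_D D W}, P_unif^ell * P_{S_D D W}) of Definition 3.1, for ext = P_{S0 S1 D W}."""
    joint, margin = {}, {}
    for (s0, s1, d, w), v in ext.items():
        sd, other = (s0, s1)[d], (s0, s1)[1 - d]
        joint[(other, sd, d, w)] = joint.get((other, sd, d, w), 0) + v
        margin[(sd, d, w)] = margin.get((sd, d, w), 0) + v
    prod = {(x, sd, d, w): v / 2 ** ell for (sd, d, w), v in margin.items()
            for x in product((0, 1), repeat=ell)}
    return stat_dist(joint, prod)

# Constructed receivers.  Assumption of this example: the sender's strings are uniform on {0,1}^ell.
def example_receiver():
    """ell = 1, the receiver of the example after Theorem 3.2: W = 0 if B0 = B1 = 0,
    W = 1 if B0 = B1 = 1, and W uniform if B0 != B1."""
    dist = {}
    for b0, b1 in product((0, 1), repeat=2):
        if b0 == b1:
            dist[((b0,), (b1,), b0)] = Fr(1, 4)
        else:
            dist[((b0,), (b1,), 0)] = dist[((b0,), (b1,), 1)] = Fr(1, 8)
    return dist

def ideal_receiver(ell):
    """Attack on an ideal Rand 1-2 OT^ell: choose C uniformly and output W = (C, S_C)."""
    return {(s0, s1, (c, (s0, s1)[c])): Fr(1, 2 * 4 ** ell)
            for s0, s1 in product(product((0, 1), repeat=ell), repeat=2) for c in (0, 1)}

def half_receiver():
    """ell = 2, the counterexample of Section 3.3.2: W = (first bit of S0, second bit of S1)."""
    return {(s0, s1, (s0[0], s1[1])): Fr(1, 16)
            for s0, s1 in product(product((0, 1), repeat=2), repeat=2)}
```

For the first two receivers every NDLF is uniform given $W$, `extend` succeeds, and the resulting $D$ gives sender-security distance $0$, exactly as the proof predicts (for $\ell = 1$ the only NDLF is the XOR of Theorem 3.2, and the shift $t$ is what the proof of Theorem 3.2 calls "assume $a \le b$"). For the third, the bit-wise XOR $S_0 \oplus S_1$ is uniform given $W$ while the NDLF $s_{0,1} \oplus s_{1,2}$ is determined by $W$ (distance $1/2$), and `extend` fails on an instance of (3.2); this is the sense in which the naive XOR condition is too weak.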
This concludes the proof for the perfect case.

The General Case: Now we consider the general case where there exists some $\varepsilon > 0$ such that $\delta(P_{\beta(S_0,S_1) W}, P_{\mathrm{unif}} \cdot P_W) \le 2^{-2\ell-1}\varepsilon$ for any NDLF $\beta$. We use the observations from the perfect case but additionally keep track of the "error term". For any $w$ with $P_W(w) > 0$ and any NDLF $\beta$, set
$$\varepsilon_{w,\beta} = \delta\big(P_{\beta(S_0,S_1) W}(\cdot, w),\, P_{\mathrm{unif}} \cdot P_W(w)\big).$$
Note that $\sum_w \varepsilon_{w,\beta} = \delta(P_{\beta(S_0,S_1) W}, P_{\mathrm{unif}} \cdot P_W) \le 2^{-2\ell-1}\varepsilon$, independent of $\beta$. Fix now an arbitrary $w$ with $P_W(w) > 0$. Then (3.3) only holds up to an error of $2\varepsilon_{w,\beta}$, where $\beta$ is the NDLF associated to $a_0, a_1$. As a consequence, equation (3.4) only holds up to an error of $2\sum_\beta \varepsilon_{w,\beta}$, and thus (3.2) holds up to an error of
$$\delta_{s_0,s_1} = \frac{2}{2^{2\ell-2}} \sum_\beta \varepsilon_{w,\beta},$$
where the sum is over the $2^{2\ell-2}$ functions associated to the pairs $a_0, a_1$ with $\langle a_0, s_0\rangle = \langle a_1, s_1\rangle = 1$. Note that $\delta_{s_0,s_1}$ depends on $w$, but the set of $\beta$'s over which the summation runs does not. Adding up over all possible $w$'s gives
$$\sum_w \delta_{s_0,s_1} = \frac{2}{2^{2\ell-2}} \sum_w \sum_\beta \varepsilon_{w,\beta} = \frac{2}{2^{2\ell-2}} \sum_\beta \sum_w \varepsilon_{w,\beta} \le 2^{-2\ell}\varepsilon.$$
Since (3.2) only holds approximately, $P_{S_0 S_1 D W}$ as in (3.1) is not necessarily a valid extension, but close. This can obviously be overcome by instead setting
$$P_{S_0 S_1 D W}(s_0, s_1, 0, w) = p_{s_0,\mathbf{o}} \pm \delta'_{s_0,s_1} \quad\text{and}\quad P_{S_0 S_1 D W}(s_0, s_1, 1, w) = p_{\mathbf{o},s_1} - p_{\mathbf{o},\mathbf{o}} \pm \delta''_{s_0,s_1}$$
with suitably chosen $\delta'_{s_0,s_1}, \delta''_{s_0,s_1} \ge 0$ with $\delta'_{s_0,s_1} + \delta''_{s_0,s_1} = \delta_{s_0,s_1}$, and with suitably chosen signs "+" or "−".[3]
Using that every $P_{S_0 S_1 D W}(s_0, s_1, 0, w)$ differs from $p_{s_0,\mathbf{o}}$ by at most $\delta'_{s_0,s_1}$, it follows from a straightforward computation that
$$\delta\big(P_{S_{1-D} S_D D W}(\cdot,\cdot,0,w),\, P_{\mathrm{unif}} \cdot P_{S_D D W}(\cdot,0,w)\big) \le \sum_{s_0,s_1} \delta'_{s_0,s_1}.$$
The corresponding holds for $P_{S_0 S_1 D W}(\cdot,\cdot,1,w)$. It follows that
$$\delta\big(P_{S_{1-D} S_D W D},\, P_{\mathrm{unif}} \cdot P_{S_D W D}\big) \le \sum_w \sum_{s_0,s_1} \big(\delta'_{s_0,s_1} + \delta''_{s_0,s_1}\big) = \sum_{s_0,s_1} \sum_w \delta_{s_0,s_1} \le \varepsilon,$$
which concludes the proof.

[3] Most of the time it probably suffices to correct one of the two, say, choose $\delta'_{s_0,s_1} = \delta_{s_0,s_1}$ and $\delta''_{s_0,s_1} = 0$; however, if for instance $p_{s_0,\mathbf{o}}$ and $p_{\mathbf{o},s_1} - p_{\mathbf{o},\mathbf{o}}$ are both positive but $P_{S_0 S_1 W}(s_0, s_1, w) = 0$, then one has to correct both.

3.4 Applications

In this section we will show the usefulness of Theorem 3.6 for the construction of 1-2 OT$^\ell$ based on weaker primitives like a noisy channel or other flavors of OT. In particular, we will show that the reducibility of 1-2 OT to any weaker flavor of OT follows as a simple argument using Theorem 3.6.

3.4.1 Reducing 1-2 OT$^\ell$ to Independent Repetitions of Weak 1-2 OTs

Background

A great deal of effort has been put into constructing protocols for 1-2 OT$^\ell$ based on physical assumptions like various models for noisy channels [CK88, DKS99, DFMS04, CMW04] or a memory-bounded adversary [CCM98, Din01b, DHRS04], as well as into reducing 1-2 OT$^\ell$ to (seemingly) weaker flavors of OT, like Rabin OT, 1-2 XOT, 1-2 GOT and 1-2 UOT [Cré87, BC97, Cac98, Wol00, BCW03, CS06, Wul07].
Note that the latter three flavors of OT are weaker than 1-2 OT in that the dishonest receiver has more freedom in choosing the sort of information he wants to get about the sender's input bits $B_0$ and $B_1$: $B_0$, $B_1$ or $B_0 \oplus B_1$ in case of 1-2 XOR-OT (abbreviated 1-2 XOT), $g(B_0, B_1)$ for an arbitrary one-bit-output function $g$ in case of 1-2 Generalized-OT (1-2 GOT), and an arbitrary probabilistic $Y$ with mutual information $I(B_0 B_1; Y) \le 1$ in case of 1-2 Universal-OT (1-2 UOT).[4]

[4] As a matter of fact, reducibility has been proven for any bound on $I(B_0 B_1; Y)$ strictly smaller than $2$. Note that there is some confusion in the literature about what a Universal OT, UOT, is: in [BC97, Wol00, BCW03], a UOT takes as input two bits and the receiver is doomed to have at least one bit or any other non-trivial amount of Shannon entropy on them; we denote this by 1-2 UOT. Whereas in [Cac98], a UOT takes as input two strings and the receiver is doomed to have some Rényi entropy of order $\alpha > 1$ on them. We address this latter notion in more detail in Section 3.4.2.

All these reductions of 1-2 OT to weaker versions follow a specific construction design, which is also at the core of the 1-2 OT protocols based on noisy channels or a memory-bounded adversary. By repeated independent executions of the underlying primitive, S transfers a randomly chosen bit string $X = (X_0, X_1) \in \{0,1\}^n \times \{0,1\}^n$ to R such that:

1. depending on his choice bit $C$, the honest R knows either $X_0$ or $X_1$,
2. any $\tilde{S}$ has no information on which part of $X$ R learned, and
3. any $\tilde{R}$ has some uncertainty in $X$.

Then, this is completed to a Rand 1-2 OT by means of privacy amplification (cf.
Section 2.5): S samples two functions $f_0$ and $f_1$ from a two-universal class $\mathcal{F}$ of hash functions, sends them to R, and outputs $S_0 = f_0(X_0)$ and $S_1 = f_1(X_1)$, and R outputs $S_C = f_C(X_C)$. Finally, the Rand 1-2 OT is transformed into an ordinary 1-2 OT in the obvious way.

Correctness and receiver-security of this construction are clear; they follow immediately from 1. and 2. How easy or hard it is to prove sender-security depends heavily on the underlying primitive. In case of Rabin OT it is rather straightforward. In case of 1-2 XOT and the other weaker versions, this is non-trivial. The problem is that since R might know $X_0 \oplus X_1$, it is not possible to argue that there exists $d \in \{0,1\}$ such that R's uncertainty on $X_{1-d}$ is large when given $X_d$. This, though, would be necessary in order to finish the proof by simply applying the privacy amplification theorem (Corollary 2.27). This difficulty is overcome in [BC97, BCW03] by tailoring the proof to a particular two-universal class of hash functions, namely the class of all linear hash functions. Whether the reduction also works for a less restricted class of hash functions is left in [BC97, BCW03] as an open problem, which we solve here as a side result. Using a smaller class of hash functions would allow, for instance, to reduce the communication complexity of the protocol. In [CS06], the difficulty is overcome by giving up on the simplicity of the reduction: the cost of two-way communication allowing for interactive hashing is traded for better reduction parameters. We would like to emphasize that these parameters are incomparable to ours, because a different reduction is used, whereas our approach provides a better analysis of the common non-interactive reductions.
The New Approach

We argue that, independent of the underlying primitive, sender-security follows as a simple consequence of Theorem 3.6, in combination with a simple observation regarding the composition of non-degenerate linear (respectively, more generally, 2-balanced) functions with strongly two-universal hash functions, stated in Proposition 3.7 below.

Recall Definition 2.23 of strong two-universality. A class $\mathcal{F}$ of hash functions from $\{0,1\}^n$ to $\{0,1\}^\ell$ is strongly two-universal if for any distinct $x, x' \in \{0,1\}^n$ the two random variables $F(x)$ and $F(x')$ are independent and uniformly distributed over $\{0,1\}^\ell$, where the random variable $F$ represents the random choice of a function in $\mathcal{F}$.

Proposition 3.7 Let $\mathcal{F}_0$ and $\mathcal{F}_1$ be two classes of strongly two-universal hash functions from $\{0,1\}^{n_0}$ respectively $\{0,1\}^{n_1}$ to $\{0,1\}^\ell$, and let $\beta: \{0,1\}^\ell \times \{0,1\}^\ell \to \{0,1\}$ be a 2-balanced function. Consider the class $\mathcal{F}$ of all functions $f: \{0,1\}^{n_0} \times \{0,1\}^{n_1} \to \{0,1\}$ with $f(x_0, x_1) = \beta(f_0(x_0), f_1(x_1))$, where $f_0 \in \mathcal{F}_0$ and $f_1 \in \mathcal{F}_1$. Then $\mathcal{F}$ is strongly two-universal.[5]

[5] It is easy to see that the claim does not hold in general for ordinary (as opposed to strongly) two-universal classes: if $n_0 = n_1 = \ell$ and $\mathcal{F}_0$ and $\mathcal{F}_1$ both only contain the identity function $\mathrm{id}: \{0,1\}^\ell \to \{0,1\}^\ell$ and thus are two-universal, then $\mathcal{F}$, consisting of the single function $f(x_0, x_1) = \beta(\mathrm{id}(x_0), \mathrm{id}(x_1)) = \beta(x_0, x_1)$, is not two-universal.

Proof: Fix distinct $x = (x_0, x_1)$ and $x' = (x'_0, x'_1)$ in $\{0,1\}^{n_0} \times \{0,1\}^{n_1}$. Assume without loss of generality that $x_1 \ne x'_1$. Fix $f_0 \in \mathcal{F}_0$, and set $s_0 = f_0(x_0)$ and $s'_0 = f_0(x'_0)$.
By assumption on $\mathcal{F}_1$, the random variables $F_1(x_1)$ and $F_1(x'_1)$ are independent and uniformly distributed over $\{0,1\}^\ell$, where $F_1$ represents the random choice for $f_1 \in \mathcal{F}_1$. By the assumption on $\beta$, this implies that $\beta(f_0(x_0), F_1(x_1))$ and $\beta(f_0(x'_0), F_1(x'_1))$ are independent and uniformly distributed over $\{0,1\}$. This holds no matter how $f_0$ is chosen, and thus proves the claim.

Now, briefly, sender-security for a construction as sketched above can be argued as follows. The only restriction is that $\mathcal{F}$ needs to be strongly two-universal. From the independent repetitions of the underlying weak OT (Rabin OT, 1-2 XOT, 1-2 GOT or 1-2 UOT) it follows that $\tilde{R}$ has "high" collision entropy in $X$. Hence, for any NDLF $\beta$, we can apply the privacy-amplification Theorem 2.27 with the strongly two-universal hash function $\beta(f_0(\cdot), f_1(\cdot))$ and argue that $\beta(f_0(X_0), f_1(X_1))$ is close to uniform for randomly chosen $f_0$ and $f_1$. Sender-security then follows immediately from Theorem 3.6.

We save the quantitative analysis (Theorem 3.8) for the next section, where we consider a reduction of 1-2 OT to the weakest kind of OT: to one execution of a UOT. Based on this, we compare in Section 3.4.3 the quality of the analysis of the above reductions based on Theorem 3.6 with the results in [BCW03]. It turns out that our analysis is tighter for 1-2 GOT and 1-2 UOT, whereas the analysis in [BCW03] is tighter for 1-2 XOT; but in all cases, our analysis is much simpler and, we believe, more elegant.

3.4.2 Reducing 1-2 OT$^\ell$ to One Execution of UOT

In this section, we use the definition and some elementary properties of Rényi entropy introduced in Section 2.4.1.
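Proposition 3.7 and the sender-security argument sketched at the end of Section 3.4.1, checked exhaustively for small parameters in Python. This is an added example, not code from the thesis or from any of the cited works; the class of all affine maps $x \mapsto Ax \oplus b$ over GF(2) is used as the strongly two-universal class (a standard choice, and an assumption of this example), and $n = \ell = 2$ keeps the enumeration small. `is_strongly_two_universal` tests Definition 2.23 directly, `compose` builds the class $\beta(f_0(\cdot), f_1(\cdot))$ of Proposition 3.7 for an NDLF $\beta$, `max_collision_prob` reproduces footnote 5 with the identity class, and `xot_receiver_distance` computes $\delta(P_{B F_0 F_1 Y}, P_{\mathrm{unif}} \cdot P_{F_0 F_1 Y})$ exactly for a receiver who learns $Y = X_0 \oplus X_1$ (the 1-2 XOT case), once with independent $f_0, f_1$ and once with a single shared function.

```python
from fractions import Fraction as Fr
from itertools import product

def inner(a, s):
    """Inner product <a, s> over GF(2) for equal-length bit tuples."""
    return sum(x & y for x, y in zip(a, s)) & 1

def affine_class(n, ell):
    """All affine maps x -> A x xor b from {0,1}^n to {0,1}^ell (A an ell x n bit matrix),
    each given as a lookup table {x: f(x)}.  This class is strongly two-universal."""
    dom = list(product((0, 1), repeat=n))
    return [{x: tuple(inner(row, x) ^ bit for row, bit in zip(rows, b)) for x in dom}
            for rows in product(product((0, 1), repeat=n), repeat=ell)
            for b in product((0, 1), repeat=ell)]

def identity_class(n):
    """The class containing only the identity on {0,1}^n (footnote 5: two-universal, not strongly)."""
    return [{x: x for x in product((0, 1), repeat=n)}]

def compose(F0, F1, a0, a1):
    """The class of Proposition 3.7: f(x0, x1) = beta(f0(x0), f1(x1)) with
    beta(s0, s1) = <a0, s0> xor <a1, s1> an NDLF, f0 in F0 and f1 in F1."""
    return [{(x0, x1): inner(a0, y0) ^ inner(a1, y1) for x0, y0 in f0.items() for x1, y1 in f1.items()}
            for f0 in F0 for f1 in F1]

def max_collision_prob(F):
    """Ordinary two-universality: max over distinct x, x' of Pr_F[F(x) = F(x')]."""
    dom = list(F[0])
    return max(Fr(sum(f[x] == f[y] for f in F), len(F)) for x in dom for y in dom if x != y)

def is_strongly_two_universal(F, range_size):
    """Definition 2.23: for all distinct x, x', the pair (F(x), F(x')) is uniform on range x range."""
    dom = list(F[0])
    target = len(F) // range_size ** 2
    if target * range_size ** 2 != len(F):
        return False
    for x in dom:
        for y in dom:
            if x == y:
                continue
            counts = {}
            for f in F:
                counts[(f[x], f[y])] = counts.get((f[x], f[y]), 0) + 1
            if len(counts) != range_size ** 2 or any(c != target for c in counts.values()):
                return False
    return True

def xot_receiver_distance(n, a0, a1, shared):
    """delta(P_{B F0 F1 Y}, P_unif * P_{F0 F1 Y}) for B = beta(F0(X0), F1(X1)), computed exactly, when
    X = (X0, X1) is uniform on {0,1}^{2n}, the receiver learns Y = X0 xor X1 (as in 1-2 XOT), and
    f0, f1 are drawn from the affine class, independently or (shared=True) as one and the same function."""
    F = affine_class(n, len(a0))
    dom = list(product((0, 1), repeat=n))
    pairs = [(f, f) for f in F] if shared else [(f0, f1) for f0 in F for f1 in F]
    total = Fr(0)
    for f0, f1 in pairs:
        for y in dom:
            # Conditioned on (f0, f1, y), X0 is uniform and X1 = X0 xor y; a single bit B is at
            # statistical distance |Pr[B = 1] - 1/2| from uniform.
            ones = sum(inner(a0, f0[x0]) ^ inner(a1, f1[tuple(p ^ q for p, q in zip(x0, y))])
                       for x0 in dom)
            total += abs(Fr(ones, len(dom)) - Fr(1, 2))
    return total / (len(pairs) * len(dom))

def privacy_amplification_bound(h2):
    """The bound 2^{-(H2(X|Y=y)+1)/2} of Corollary 2.27 as used in the proof of Theorem 3.8."""
    return 2 ** (-(h2 + 1) / 2)

if __name__ == "__main__":
    F = affine_class(2, 2)
    print("affine class strongly two-universal:", is_strongly_two_universal(F, 4))
    print("composed class strongly two-universal:", is_strongly_two_universal(compose(F, F, (1, 0), (0, 1)), 2))
    Id = identity_class(2)
    print("identity class max collision prob:", max_collision_prob(Id),
          "| composed with beta:", max_collision_prob(compose(Id, Id, (1, 0), (0, 1))))
    print("XOT receiver, independent f0, f1:", xot_receiver_distance(2, (1, 1), (1, 1), shared=False),
          "<= PA bound", privacy_amplification_bound(2))
    print("XOT receiver, shared f:", xot_receiver_distance(2, (1, 1), (1, 1), shared=True))
```

With independent $f_0, f_1$ the distance for the NDLF $\beta(s_0, s_1) = \langle (1,1), s_0\rangle \oplus \langle (1,1), s_1\rangle$ is $1/8$, within the privacy-amplification bound $2^{-(H_2(X \mid Y=y)+1)/2} = 2^{-3/2}$ for $H_2(X \mid Y = y) = n = 2$. With one shared affine function the same $\beta$ becomes a fixed function of $(f, y)$ and the distance is $1/2$, which is why the two functions have to be chosen independently; the identity class shows that ordinary two-universality of $\mathcal{F}_0$ and $\mathcal{F}_1$ is not enough for the composed class.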
Universal Oblivious Transfer

Probably the weakest flavor of OT is the Universal OT (UOT) as it was introduced by Cachin in [Cac98], in that it gives the receiver the most freedom in getting information on the string $X$. Formally, for a finite set $\mathcal{X}$ and parameters $\alpha > 1$ (allowing $\alpha = \infty$) and $r > 0$, an $(\alpha, r)$-UOT$(\mathcal{X})$ works as follows: the sender inputs $x \in \mathcal{X}$, and the receiver may choose an arbitrary conditional probability distribution $P_{Y|X}$ with the only restriction that for a uniformly distributed $X$ it must satisfy $H_\alpha(X \mid Y) \ge r$. The receiver then gets as output $y$, sampled according to the distribution $P_{Y|X}(\cdot \mid x)$, whereas the sender gets no information on the receiver's choice for $P_{Y|X}$. Note that a 1-2 UOT is a limit case of this kind of UOT since "1-2 UOT $= (1,1)$-UOT$(\{0,1\}^2)$". The crucial property of such a UOT is that the input is not restricted to two bits but may be two bit-strings; this potentially allows us to reduce 1-2 OT to one execution of a UOT, rather than to many independent executions of the same primitive as for the 1-2 flavors of OT mentioned above. Indeed, following the design principle discussed in Section 3.4.1, it is straightforward to come up with a candidate protocol for 1-2 OT$^\ell$ which uses one execution of an $(\alpha, r)$-UOT$(\mathcal{X})$ with $\mathcal{X} = \{0,1\}^n \times \{0,1\}^n$. The protocol is given in Figure 3.3, where $\mathcal{F}$ is a strongly two-universal class of hash functions from $\{0,1\}^n$ to $\{0,1\}^\ell$.

OT2UOT$(c)$:
1. S and R run $(\alpha, r)$-UOT$(\mathcal{X})$: S inputs a random $x = (x_0, x_1) \in \mathcal{X} = \{0,1\}^n \times \{0,1\}^n$, R inputs $P_{Y|X}$ with $P_{Y|X}(x'_c \mid (x'_0, x'_1)) = 1$ for any $(x'_0, x'_1)$, and as a result R obtains $y = x_c$.
2. S samples independent random $f_0, f_1 \in \mathcal{F}$, sends $f_0$ and $f_1$ to R, and outputs $s_0 = f_0(x_0)$ and $s_1 = f_1(x_1)$.
3. R computes and outputs $s_c = f_c(y)$.
Figure 3.3: Protocol OT2UOT for Rand 1-2 OT$^\ell$.

In [Cac98] it is claimed that, for appropriate parameters, protocol OT2UOT is a secure Rand 1-2 OT$^\ell$, respectively, the resulting protocol for 1-2 OT is secure. However, we argue below that the proof given is not correct, and it is not obvious how to fix it. In Theorem 3.8 we then show that its security follows easily from Theorem 3.6.

A Flaw in the Security Proof

In [Cac98] the security of protocol OT2UOT is argued as follows. Using rather complicated spoiling-knowledge techniques, it is shown that, conditioned on the receiver's output (which we suppress to simplify the notation), at least one out of $H_\infty(X_0)$ and $H_\infty(X_1 \mid X_0 = x_0)$ is "large" (for any $x_0$), and, similarly, at least one out of $H_\infty(X_1)$ and $H_\infty(X_0 \mid X_1 = x_1)$. Since collision entropy is lower bounded by min-entropy, it then follows from the privacy amplification theorem that at least one out of $H(F_0(X_0) \mid F_0)$ and $H(F_1(X_1) \mid F_1, X_0 = x_0)$ is close to $\ell$, and similarly one out of $H(F_1(X_1) \mid F_1)$ and $H(F_0(X_0) \mid F_0, X_1 = x_1)$. It is then claimed that this proves OT2UOT secure. We argue that this very last implication is not correct. Indeed, what is proven about the entropy of $F_0(X_0)$ and $F_1(X_1)$ does not exclude the possibility that both entropies $H(F_0(X_0) \mid F_0)$ and $H(F_1(X_1) \mid F_1)$ are maximal, but that $H(F_0(X_0) \oplus F_1(X_1) \mid F_0, F_1) = 0$. This would allow the receiver to learn the bit-wise XOR $S_0 \oplus S_1$, which is clearly forbidden by the condition of sender-security. Also note that the proof does not use the fact that the two functions $F_0$ and $F_1$ are chosen independently.
Ho we v er, if they are c hosen to b e th e same, then th e p roto col is clearly ins ecure: if the receiv er asks for Y = X 0 ⊕ X 1 , and if F is a class of line ar t w o-unive rsal hash fun ctions, then ˜ R obvio usly learns S 0 ⊕ S 1 . 3.4. Applica tions 44 Reducing 1 -2 OT ℓ to UOT The follo wing theorem guaran tees the security of OT2UOT f or an appropr iate c hoice of the parameters. Th e only restrictio n w e hav e to make is that F needs to b e a str ongly t w o-unive rsal class of hash fun ction. Theorem 3.8 L et F b e a strongly two-universal class of hash functions fr om { 0 , 1 } n to { 0 , 1 } ℓ . Then OT2UOT r e duc es a 2 − κ -se cur e Rand 1 -2 O T ℓ to a p er- fe c t (2 , r ) -UOT ( { 0 , 1 } 2 n ) with n ≥ r ≥ 4 ℓ + 2 κ + 1 . Using the b ounds fr om Lemma 2.9 on the differen t orders of R ´ en yi ent ropy , the reducibilit y of 1 -2 OT ℓ to ( α, r ) -UOT ( X ) follo ws imm ediately for any α > 1. Informally , sender-security of the proto col OT2UOT is argued as for the re- duction of 1 -2 OT to Rabin OT , 1 -2 X OT etc., discussed in Section 3.4.1, simp ly b y using Prop osition 3.7 in com bination with the p riv acy amp lification Th eo- rem 2.27 , and applyin g Theorem 3.6. The formal pro of giv en b elo w additionally k eeps trac k of the error term. F rom this pro of it also b ecomes clear that the exp onent ial (in ℓ ) ov erhead in Th eorem 3.6 is una v oidable. I n deed, a s ub-exp onential ov erh ead w ould allo w ℓ in Theorem 3.8 to b e sup er-linear in n , whic h of course is nonsense. Pro of: By th e defin ition of cond itional co llision en trop y , we ha v e that for a ll y , H 2 ( X | Y = y ) ≥ r ≥ 4 ℓ + 2 κ + 1. Fix an arb itrary y and consider an y NDLF β : { 0 , 1 } ℓ × { 0 , 1 } ℓ → { 0 , 1 } . Let F 0 and F 1 b e the rand om v ariables that represent the random choic es of f 0 and f 1 , and set B = β ( F 0 ( X 0 ) , F 1 ( X 1 )). 
In combination with Proposition 3.7, privacy amplification (Corollary 2.27) guarantees that
$$\delta\big(P_{B F_0 F_1 \mid Y=y},\ P_{\mathrm{unif}} \cdot P_{F_0 F_1 \mid Y=y}\big) \le 2^{-\frac{1}{2}(H_2(X \mid Y=y)+1)} \le 2^{-\frac{1}{2}(4\ell + 2\kappa + 2)} = 2^{-2\ell - \kappa - 1}.$$
It now follows that
$$\delta\big(P_{\beta(S_0,S_1) W},\ P_{\mathrm{unif}} \cdot P_W\big) = \delta\big(P_{B F_0 F_1 Y},\ P_{\mathrm{unif}} \cdot P_{F_0 F_1 Y}\big) = \sum_y \delta\big(P_{B F_0 F_1 \mid Y=y},\ P_{\mathrm{unif}} \cdot P_{F_0 F_1 \mid Y=y}\big)\, P_Y(y) \le 2^{-\kappa} / 2^{2\ell+1}.$$
Sender-security as claimed now follows from Theorem 3.6.

The min-entropy splitting Lemma 2.15 and a larger (not necessarily strongly) two-universal class of hash functions can alternatively be used to show the security of the reduction protocol OT2UOT without the use of NDLFs. We do this here for illustration purposes because the same technique is used in the security proof of 1-2 OT in the bounded-quantum-storage model in Chapter 6. After the execution of a perfect $(\infty, r)$-UOT$(\{0,1\}^{2n})$, we have $H_\infty(X_0 X_1 \mid Y) \ge r$ and Lemma 2.15 yields the existence of a random variable $D \in \{0,1\}$ such that $H_\infty(X_{1-D} D \mid Y) \ge r/2$ and therefore also $H_\infty(X_{1-D} D S_D \mid Y) \ge r/2$. By the chain rule (Lemma 2.12) and setting $\varepsilon := 2^{-\kappa-1}$, we get $H^\varepsilon_\infty(X_{1-D} \mid D S_D Y) \ge r/2 - 1 - \ell - \kappa - 1$. Hence to get a $2^{-\kappa}$-secure Rand 1-2 OT$^\ell$ via the privacy amplification theorem (Corollary 2.25), we need $r/2 - \ell - \kappa - 2 > 2\kappa + \ell$, which gives slightly worse parameters than in Theorem 3.8, namely $n \ge r \ge 4\ell + 4\kappa + 4$.

3.4.3 Quantitative Comparisons To Related Work

Subsequent to [DFSS06], Wullschleger improved the min-entropy splitting technique described in the last paragraph. In [Wul07], it is shown that the protocol OT2UOT reduces a $2^{-\kappa}$-secure Rand 1-2 OT$^\ell$ to a perfect $(\infty, r)$-UOT$(\{0,1\}^{2n})$ if $n \ge r \ge 2\ell + 6\kappa + 6\log(3)$. So, Rand 1-2 OT$^\ell$ of strings of length $\ell$ roughly half of the receiver's min-entropy $r$ can be obtained, which is asymptotically optimal for this reduction protocol. Technically, the result is essentially obtained by using the min-entropy splitting approach sketched at the end of the last section and a more careful case distinction. The random variable $D \in \{0,1\}$ pointing to the "known" string $X_D$ is basically defined as in Lemma 2.15, but for the case when both $X_0, X_1$ have high min-entropy, a new distributed left-over hash lemma is used to show that both $S_0$ and $S_1$ are close to uniform and therefore close to independent (and hence, the pointer $D$ can be chosen arbitrarily in this case).

In the following, we compare the simple reduction of 1-2 OT$^\ell$ to $n$ executions of 1-2 XOT, 1-2 GOT and 1-2 UOT, respectively, using our analysis based on Theorem 3.6 together with the quantitative statement given in Theorem 3.8, with the results achieved in [BCW03].⁶ The quality of the analysis of a reduction is given by the reduction parameters $c_{\mathrm{len}}$, $c_{\mathrm{sec}}$ and $c_{\mathrm{const}}$ such that the 1-2 OT$^\ell$ is guaranteed to be $2^{-\kappa}$-secure as long as $n \ge c_{\mathrm{len}} \cdot \ell + c_{\mathrm{sec}} \cdot \kappa + c_{\mathrm{const}}$. The smaller these constants are, the better is the analysis of the reduction. The comparison of these parameters is given in Figure 3.4. We focus on $c_{\mathrm{len}}$ and $c_{\mathrm{sec}}$ since $c_{\mathrm{const}}$ is not really relevant, unless very large.

                          1-2 XOT         1-2 GOT         1-2 UOT
                        c_len  c_sec    c_len  c_sec    c_len  c_sec
  BCW [BCW03]             2      2       4.8    4.8     14.6   14.6
  this work [DFSS06]      4      2       4      3       13.2   10.0
  subsequent [Wul07]      2      6       2      7        6.7   23.3

Figure 3.4: Comparison of the reduction parameters.

The parameters in the first line can easily be extracted from Theorems 5, 7 and 9 of [BCW03], where in Theorem 9 $p_e \approx 0.19$.
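The protocol of Figure 3.3 and the flaw discussed above can be made concrete in code. The following Python script is an added example, not code from the thesis: it instantiates $\mathcal{F}$ with the affine maps $x \mapsto Ax \oplus b$ over GF(2), which form a strongly two-universal family (our choice; Theorem 3.8 only requires strong two-universality), runs steps 1 to 3 with an honest receiver whose $P_{Y|X}$ returns $x_c$, and then reproduces the observation that a single linear hash function used for both strings lets a receiver who asks for $Y = X_0 \oplus X_1$ (a choice the UOT permits, since $H_\alpha(X|Y) = n$ for uniform $X$) obtain $S_0 \oplus S_1$ as $f(Y)$. The sizes $n$, $\ell$ and all function names are constructed for the demonstration and are far below the $n \ge r \ge 4\ell + 2\kappa + 1$ of Theorem 3.8.

```python
import secrets


def rand_bits(length):
    """Uniformly random bit list of the given length (secrets is a CSPRNG)."""
    return [secrets.randbelow(2) for _ in range(length)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


class AffineHash:
    """f(x) = A.x + b over GF(2): A is an l x n bit matrix, b an l-bit vector.
    The set of all such maps is a strongly two-universal family from {0,1}^n
    to {0,1}^l (our chosen instantiation of the class F in Figure 3.3).
    With linear_only=True the offset b is dropped, leaving a linear family that
    is two-universal but not strongly two-universal."""

    def __init__(self, n, l, linear_only=False):
        self.rows = [rand_bits(n) for _ in range(l)]
        self.offset = [0] * l if linear_only else rand_bits(l)

    def __call__(self, x):
        out = []
        for row, b in zip(self.rows, self.offset):
            dot = sum(r & xi for r, xi in zip(row, x)) & 1  # inner product mod 2
            out.append(dot ^ b)
        return out


def perfect_uot_select(x0, x1, c):
    """Step 1 for an honest R: the P_{Y|X} that returns x_c. For uniform X this
    leaves H_alpha(X|Y) = n for every alpha, so the choice is legal for r <= n."""
    return x1 if c else x0


def ot2uot(n, l, c):
    """Steps 1 to 3 of OT2UOT with honest S and R; returns ((s0, s1), s_c)."""
    x0, x1 = rand_bits(n), rand_bits(n)          # S's random input x = (x0, x1)
    y = perfect_uot_select(x0, x1, c)            # R obtains y = x_c
    f0, f1 = AffineHash(n, l), AffineHash(n, l)  # independent choices, sent to R
    s0, s1 = f0(x0), f1(x1)                      # S's outputs
    s_c = (f1 if c else f0)(y)                   # R's output
    return (s0, s1), s_c


def correctness_holds(n, l, trials):
    """R's output must equal S's s_c in every run, for both choice bits."""
    for _ in range(trials):
        for c in (0, 1):
            (s0, s1), s_c = ot2uot(n, l, c)
            if s_c != (s1 if c else s0):
                return False
    return True


def same_function_leaks_xor(n, l):
    """The flaw: with one linear f for both strings and Y = X0 xor X1 (also a
    legal receiver choice, H_alpha(X|Y) = n), f(Y) equals S0 xor S1 because
    f(x0) xor f(x1) = A(x0 xor x1) for a linear map. Independent f0, f1 as in
    step 2 of Figure 3.3 do not have this property."""
    x0, x1 = rand_bits(n), rand_bits(n)
    y = xor(x0, x1)
    f = AffineHash(n, l, linear_only=True)
    s0, s1 = f(x0), f(x1)
    return f(y) == xor(s0, s1)


if __name__ == "__main__":
    print("correctness:", correctness_holds(16, 4, trials=20))
    print("shared linear f leaks S0 xor S1:", same_function_leaks_xor(16, 4))
```

The leak in the last function is exactly what the missing step in the [Cac98] argument fails to rule out: both $F(X_0)$ and $F(X_1)$ are individually uniform, yet their XOR is a function of what the receiver may legitimately learn from the UOT.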
The parameters in the second line corresponding to the reduction to 1-2 XOT follow immediately from Theorem 3.8, using the fact that in one execution of a 1-2 XOT, the receiver's conditional collision entropy on the sender's two input bits is at least 1. Determining the parameters of the reductions to 1-2 GOT and 1-2 UOT requires a little more work. We first determine the average conditional min-entropy $\tilde{H}_\infty(X \mid Y)$ of one instance of 1-2 GOT and 1-2 UOT. In the case of 1-2 GOT, $\tilde{H}_\infty(X \mid Y)$ can easily be seen to be at least 1 (for example by inspection of Table 2 in [BCW03]). For one execution of 1-2 UOT, the receiver's average Shannon entropy is at least 1. Therefore, it follows from Fano's Inequality (Lemma 2.11) that his average guessing probability is at most $1 - p_e$ with $p_e \approx 0.19$ as above, and thus his average conditional min-entropy is at least $-\log(1 - p_e) \approx 0.3$. We use Lemma 2.8 to lower bound the (regular) conditional min-entropy $H_\infty(X \mid Y = y)$ except with probability $2^{-\kappa-1}$ and use Theorem 3.8 with security parameter $2^{-\kappa-1}$, which together yields a $2^{-\kappa}$-secure Rand 1-2 OT$^\ell$. To apply Theorem 3.8, we require $H_2(X \mid Y = y) \ge H_\infty(X \mid Y = y) \ge 4\ell + 2\kappa + 3$ and to obtain this by Lemma 2.8, we need $\tilde{H}_\infty(X \mid Y) \ge 4\ell + 3\kappa + 4$. This yields $c_{\mathrm{len}} = 4$, $c_{\mathrm{sec}} = 3$ for 1-2 GOT and $c_{\mathrm{len}} \approx 4/0.3$ and $c_{\mathrm{sec}} \approx 3/0.3$ for 1-2 UOT. The derivation of the parameters for [Wul07] is analogous.

⁶ As mentioned earlier, these results are incomparable to the parameters achieved in [CS06], where interactive reductions are used.

3.5 Extension to 1-n OT$^\ell$

In this section we extend our characterization of sender-security of Rand 1-2 OT to Rand 1-n OT. We use the following notation. For a sequence of random variables $S_0, S_1, \ldots, S_{n-1}$ and indices $i, j \in \{0, \ldots, n-1\}$, we denote by $S_{\overline{i,j}}$ the sequence of variables $\{S_k : k \in \{0, \ldots, n-1\} \setminus \{i, j\}\}$ with all indices except $i$ and $j$. Similarly, $S_{\bar{i}}$ denotes all variables but the $i$th.

Definition 3.9 (Rand 1-n OT$^\ell$) An $\varepsilon$-secure Rand 1-n OT is a protocol between S and R, with R having input $C \in \{0, 1, \ldots, n-1\}$ (while S has no input), such that for any distribution of $C$, the following properties hold:

$\varepsilon$-Correctness: For honest S and R, S has output $S_0, S_1, \ldots, S_{n-1} \in \{0,1\}^\ell$ and R outputs $S_C$, except with probability $\varepsilon$.

$\varepsilon$-Receiver-security: If R is honest then for any (possibly dishonest) $\tilde{S}$ with output $V$,
$$\delta\big(P_{CV},\ P_C \cdot P_V\big) \le \varepsilon.$$

$\varepsilon$-Sender-security: If S is honest then for any (possibly dishonest) $\tilde{R}$ with output $W$, there exists a random variable $D$ with range $\{0, 1, \ldots, n-1\}$ such that
$$\delta\big(P_{S_{\bar{D}} W S_D D},\ P^{\,n-1}_{\mathrm{unif}^\ell} \cdot P_{W S_D D}\big) \le \varepsilon.$$

Analogous to the 1-2 OT case we want for sender-security that there exists a choice $D$, such that when given the corresponding string (or bit) $S_D$ all the other strings (or bits) look completely random from R's point of view. Recall that for the characterization of sender-security in the case of 1-2 OT, it is sufficient that $P_{\beta(S_0,S_1) W} = P_{\mathrm{unif}} \cdot P_W$ for every NDLF $\beta$. In a first attempt one might try to characterize the sender-security of 1-n OT using linear functions $\beta$ that non-trivially depend on $n$ arguments. In the case of 1-3 OT of bits, the only linear function of this kind is the XOR of the three bits, but it can be easily verified that the requirement that $B_0 \oplus B_1 \oplus B_2$ is uniform does not imply sender-security in the sense defined above. Instead, as we will see below, sufficient requirements are that the XOR of every pair of bits is uniform when given the value of the third.
Theorem 3.10 The condition for $\varepsilon$-sender-security for a Rand 1-n OT$^\ell$ is satisfied for a particular (possibly dishonest) receiver $\tilde{R}$ with output $W$, if for all $i \ne j \in \{0, \ldots, n-1\}$
$$\delta\big(P_{\beta(S_i,S_j) W S_{\overline{i,j}}},\ P_{\mathrm{unif}} \cdot P_{W S_{\overline{i,j}}}\big) \le \nu$$
for every NDLF $\beta$, where $\nu = \varepsilon / (2^{2\ell} n(n-1))$.

Proof: We first consider and prove the perfect case.

The Perfect Case: Like in the proof of Theorem 3.6, we fix an output $w$ of the receiver and consider the non-normalized probability distribution $P_{S_0 \ldots S_{n-1} W}(\cdot, \ldots, \cdot, w)$. We use the variable $p_{s_0, \ldots, s_{n-1}}$ to refer to the value $P_{S_0 \ldots S_{n-1} W}(s_0, \ldots, s_{n-1}, w)$ and $\mathbf{o}$ for the all-zero string $(0, \ldots, 0) \in \{0,1\}^\ell$. We use bold font to denote a collection of strings $\mathbf{s} := (s_0, s_1, \ldots, s_{n-1}) \in \{0,1\}^{\ell n}$, and we write $\mathbf{s}_{\bar{i}}$ for $(s_0, \ldots, s_{i-1}, s_{i+1}, \ldots, s_{n-1})$, the collection $\mathbf{s}$ without $s_i$. Finally, for a collection $\mathbf{t} = (t_0, \ldots, t_{k-1}) \in \{0,1\}^{\ell k}$ of arbitrary size $k$, we define sets of indices with one (respectively two) non-zero substrings:
$$\mathcal{S}_1(\mathbf{t}) := \{(\mathbf{o}, \ldots, \mathbf{o}, t_i, \mathbf{o}, \ldots, \mathbf{o}) : i \in \{0, \ldots, k-1\}\}$$
$$\mathcal{S}_2(\mathbf{t}) := \{(\mathbf{o}, \ldots, \mathbf{o}, t_i, \mathbf{o}, \ldots, \mathbf{o}, t_j, \mathbf{o}, \ldots, \mathbf{o}) : i < j \in \{0, \ldots, k-1\}\}$$
where the $t_i$ (and $t_j$) are at the $i$th (and $j$th) position. As in the proof of Theorem 3.6, we assume for the clarity of exposition that for all $i \in \{0, \ldots, n-1\}$ and $s_i \in \{0,1\}^\ell$, it holds that $p_{\mathbf{o}, \ldots, \mathbf{o}} \le p_{\mathbf{o}, \ldots, \mathbf{o}, s_i, \mathbf{o}, \ldots, \mathbf{o}}$ (where $s_i$ is at position $i$). For symmetry reasons, the general case can be handled along the same lines. We extend the distribution $P_{S_0 \ldots S_{n-1} W}(\cdot, \ldots, \cdot, w)$ similarly to (3.1): for every $\mathbf{s} \in \{0,1\}^{\ell n}$, we set
$$P_{S_0 \ldots S_{n-1} D W}(s_0, \ldots, s_{n-1}, 0, w) := p_{s_0, \mathbf{o}, \ldots, \mathbf{o}},$$
$$P_{S_0 \ldots S_{n-1} D W}(s_0, \ldots, s_{n-1}, 1, w) := p_{\mathbf{o}, s_1, \mathbf{o}, \ldots, \mathbf{o}} - p_{\mathbf{o}, \ldots, \mathbf{o}},$$
$$\ldots$$
$$P_{S_0 \ldots S_{n-1} D W}(s_0, \ldots, s_{n-1}, n-2, w) := p_{\mathbf{o}, \ldots, s_{n-2}, \mathbf{o}} - p_{\mathbf{o}, \ldots, \mathbf{o}},$$
$$P_{S_0 \ldots S_{n-1} D W}(s_0, \ldots, s_{n-1}, n-1, w) := p_{\mathbf{o}, \ldots, \mathbf{o}, s_{n-1}} - p_{\mathbf{o}, \ldots, \mathbf{o}}.$$
In order to show that this is a valid extension, we have to show that for every $\mathbf{s} \in \{0,1\}^{\ell n}$
$$p_{\mathbf{s}} = \sum_{\mathbf{t} \in \mathcal{S}_1(\mathbf{s})} p_{\mathbf{t}} - (n-1)\, p_{\mathbf{o}, \ldots, \mathbf{o}}. \qquad (3.5)$$
If this holds, then the random variable $D$ is well defined, and the $S_{\bar{D}}$ are uniformly distributed given $D$, $S_D$ and $W$.

We now show that (3.5) follows from the assumed uniformity property that $P_{\beta(S_i,S_j) W \mid S_{\overline{i,j}} = s_{\overline{i,j}}} = P_{\mathrm{unif}} \cdot P_{W \mid S_{\overline{i,j}} = s_{\overline{i,j}}}$ for every non-degenerate linear function $\beta$ and any $i \ne j$. This is done by induction on $n$. The case $n = 2$ is covered by the proof of Theorem 3.6, and by induction assumption we may assume that it also holds for $n-1$. Let us fix some $\mathbf{s} \in \{0,1\}^{\ell n}$ and $i \in \{0, \ldots, n-1\}$. It is easy to see that the assumed uniformity property on $S_0, \ldots, S_{n-1}, W$ implies the corresponding uniformity property on $S_{\bar{i}}, W$ when conditioning on $S_i = s_i$, and therefore, by induction assumption and "multiplying out the conditioning",
$$p_{\mathbf{s}} = \sum_{\mathbf{t}} p_{\mathbf{t}} - (n-2)\, p_{\mathbf{o}, \ldots, \mathbf{o}, s_i, \mathbf{o}, \ldots, \mathbf{o}}, \qquad (3.6)$$
where the sum is over all $\mathbf{t} \in \{0,1\}^{\ell n}$ with $t_i = s_i$ and $\mathbf{t}_{\bar{i}} \in \mathcal{S}_1(\mathbf{s}_{\bar{i}})$. Summing all the equations over $i \in \{0, \ldots, n-1\}$ yields
$$n \cdot p_{\mathbf{s}} = 2 \sum_{\mathbf{t} \in \mathcal{S}_2(\mathbf{s})} p_{\mathbf{t}} - (n-2) \sum_{\mathbf{t} \in \mathcal{S}_1(\mathbf{s})} p_{\mathbf{t}}. \qquad (3.7)$$
By a similar reasoning we can also derive from the case $n = 2$ that equations of type (3.2) hold conditioned on the event that all but two of the $S_i$'s are zero. More formally, we have that for all $i < j \in \{0, \ldots, n-1\}$,
$$p_{\mathbf{o}, \ldots, \mathbf{o}, s_i, \mathbf{o}, \ldots, \mathbf{o}, s_j, \mathbf{o}, \ldots, \mathbf{o}} = p_{\mathbf{o}, \ldots, \mathbf{o}, s_i, \mathbf{o}, \ldots, \mathbf{o}} + p_{\mathbf{o}, \ldots, \mathbf{o}, s_j, \mathbf{o}, \ldots, \mathbf{o}} - p_{\mathbf{o}, \ldots, \mathbf{o}}. \qquad (3.8)$$
Summing these equations over all $i < j \in \{0, \ldots, n-1\}$ yields
$$\sum_{\mathbf{t} \in \mathcal{S}_2(\mathbf{s})} p_{\mathbf{t}} = (n-1) \sum_{\mathbf{t} \in \mathcal{S}_1(\mathbf{s})} p_{\mathbf{t}} - \binom{n}{2} p_{\mathbf{o}, \ldots, \mathbf{o}}. \qquad (3.9)$$
We conclude by substituting (3.9) into (3.7) as follows
$$n \cdot p_{\mathbf{s}} = 2 \sum_{\mathbf{t} \in \mathcal{S}_2(\mathbf{s})} p_{\mathbf{t}} - (n-2) \sum_{\mathbf{t} \in \mathcal{S}_1(\mathbf{s})} p_{\mathbf{t}} = 2 \Big( (n-1) \sum_{\mathbf{t} \in \mathcal{S}_1(\mathbf{s})} p_{\mathbf{t}} - \binom{n}{2} p_{\mathbf{o}, \ldots, \mathbf{o}} \Big) - (n-2) \sum_{\mathbf{t} \in \mathcal{S}_1(\mathbf{s})} p_{\mathbf{t}} = n \sum_{\mathbf{t} \in \mathcal{S}_1(\mathbf{s})} p_{\mathbf{t}} - n(n-1)\, p_{\mathbf{o}, \ldots, \mathbf{o}},$$
which is equation (3.5) after dividing by $n$, and thus finishes the induction step and the claim for $\varepsilon = 0$.

The General Case: For the non-zero error case, we follow the above argument, but keep track of the error. For technical reasons, we assume that the $S_i$'s are independent and uniformly distributed, and we assume that the assumed uniformity property with respect to NDLFs holds conditioned on $S_{\overline{i,j}} = s_{\overline{ij}}$ for any $s_{\overline{ij}}$, not just on average, i.e.,
$$\delta\big(P_{\beta(S_i,S_j) W \mid S_{\overline{i,j}} = s_{\overline{ij}}},\ P_{\mathrm{unif}} \cdot P_{W \mid S_{\overline{i,j}} = s_{\overline{ij}}}\big) \le \nu$$
for any $s_{\overline{ij}} \in \{0,1\}^{\ell(n-2)}$. We show at the end of the proof how to argue in general. Write
$$\delta_{\mathbf{s}} = \sum_{\mathbf{t} \in \mathcal{S}_1(\mathbf{s})} p_{\mathbf{t}} - (n-1)\, p_{\mathbf{o}, \ldots, \mathbf{o}} - p_{\mathbf{s}}$$
such that (3.5) holds up to the error $\delta_{\mathbf{s}}$. Note that $\delta_{\mathbf{s}}$ depends on $w$; we also write $\delta_{\mathbf{s}}(w)$ to make this dependency explicit. We will argue, following the induction proof, that
$$\sum_{w, \mathbf{s}} \delta_{\mathbf{s}}(w) \le n(n-1) \cdot 2^{2\ell} \cdot \nu = \varepsilon.$$
The proof can then be completed analogously to the proof of Theorem 3.6 by "correcting" the values of $P_{S_0 \ldots S_{n-1} D W}$ appropriately. By the proof of Theorem 3.6, the claimed inequality holds in case $n = 2$. For the induction step, note that by induction assumption, (3.6) holds up to $\delta_{\mathbf{s}_{\bar{i}}}(w)\, P_{S_i}(s_i)$ where
$$\sum_{w, \mathbf{s}_{\bar{i}}} \delta_{\mathbf{s}_{\bar{i}}}(w) \le (n-1)(n-2) \cdot 2^{2\ell} \cdot \nu.$$
Furthermore, from the case $n = 2$ it follows that Equation (3.8) holds up to $\delta_{s_i, s_j}(w)\, P_{S_{\overline{ij}}}(\mathbf{o} \cdots \mathbf{o})$, where
$$\sum_{w, s_i, s_j} \delta_{s_i, s_j}(w) \le 2^{2\ell+1} \cdot \nu$$
and, by the additional assumption posed on the $S_i$'s, $P_{S_{\overline{ij}}}(\mathbf{o} \cdots \mathbf{o}) = 2^{-(n-2)\ell}$. It follows that (3.5) holds up to
$$\delta_{\mathbf{s}} = \frac{1}{n} \sum_i \delta_{\mathbf{s}_{\bar{i}}}\, P_{S_i}(s_i) + 2 \sum_{i \ldots}$$
[...]

[...] for any $\tau > 0$,
$$\Pr[X_t - X_0 \ge \tau] \le \exp\Big(-\frac{\tau^2}{2 \sum_{k=1}^t c_k^2}\Big).$$
The theorem is often stated as a two-sided bound with absolute values:
$$\Pr\big[|X_t - X_0| \ge \tau\big] \le 2 \exp\Big(-\frac{\tau^2}{2 \sum_{k=1}^t c_k^2}\Big),$$
but the one-sided version fits our purposes better.

Definition 4.6 A sequence of real-valued random variables $R_1, \ldots, R_n$ is called a martingale difference sequence if for every $i$ and every $r_1, \ldots, r_{i-1} \in \mathbb{R}$:
$$\mathbb{E}[R_i \mid R_1 = r_1, \ldots, R_{i-1} = r_{i-1}] = 0.$$
Note that for an arbitrary sequence of real random variables $S_0, S_1, \ldots \in \mathbb{R}$, defining $R_n := \sum_{i=1}^n \big(S_i - \mathbb{E}[S_i \mid S_{i-1}]\big)$ (with $R_0 := 0$) yields a martingale difference sequence $R_0, R_1, \ldots$. The following lemma follows directly from Azuma's Theorem 4.5.

Corollary 4.7 Let $R_1, \ldots, R_n$ be a martingale difference sequence such that $|R_i| \le c$ for every $1 \le i \le n$. Then, for any $\lambda > 0$,
$$\Pr\Big[\sum_i R_i \ge \lambda n\Big] \le \exp\Big(-\frac{\lambda^2 n}{2 c^2}\Big).$$
Proof: Set $\tau := \lambda n$, $X_0 := 0$, and for $n \ge 1$, $X_n := \sum_{i=1}^n R_i$ in Theorem 4.5.

4.1.3 Mathematical Tools

The following two purely analytical lemmas will be used to bound some error terms.

Lemma 4.8 For any $0 < x < 1/e$ such that $y := x \log(1/x) < 1/4$, it holds that
$$x > \frac{y}{4 \log(1/y)}.$$
Proof: Define the function $x \mapsto f(x) = x \log(1/x)$. It holds that $f'(x) = \frac{d}{dx} f(x) = \log(1/x) - \log e$, which shows that $f$ is bijective in the interval $(0, 1/e)$, and thus the inverse function $f^{-1}(y)$ is well defined for $y \in (0, \log(e)/e)$, which contains the interval $(0, 1/4)$.
We are going to show that $f^{-1}(y) > g(y)$ for all $y \in (0, 1/4)$, where $g(y) = \frac{y}{4 \log(1/y)}$. Since both $f^{-1}(y)$ and $g(y)$ converge to 0 for $y \to 0$, it suffices to show that $\frac{d}{dy} f^{-1}(y) > \frac{d}{dy} g(y)$; respectively, we will compare their reciprocals. For any $x \in (0, 1/e)$ such that $y = f(x) = x \log(1/x) < 1/4$,
$$\frac{1}{\frac{d}{dy} f^{-1}(y)} = f'(f^{-1}(y)) = \log(1/x) - \log(e)$$
and
$$\frac{d}{dy} g(y) = \frac{1}{4} \Big( \frac{1}{\log(1/y)} + \frac{1}{\ln(2) \log(1/y)^2} \Big)$$
such that
$$\frac{1}{\frac{d}{dy} g(y)} = \frac{4 \ln(2) \log(1/y)^2}{\ln(2) \log(1/y) + 1} = \frac{4 \log(1/y)}{1 + \frac{1}{\ln(2) \log(1/y)}} > 2 \log\frac{1}{y} = 2 \log\frac{1}{x \log(1/x)} = 2 \big( \log(1/x) - \log\log(1/x) \big),$$
where for the inequality we are using that $y < 1/4$ so that $\ln(2) \log(1/y) > 2 \ln(2) = \ln(4) > 1$. Defining the function $h(z) := z - 2 \log(z) + \log(e)$ and showing that $h(z) > 0$ for all $z > 0$ finishes the proof, as then
$$0 < h\big(\log(1/x)\big) \le \frac{1}{\frac{d}{dy} g(y)} - \frac{1}{\frac{d}{dy} f^{-1}(y)},$$
which was to be shown. For this last claim, note that $h(z) \to \infty$ for $z \to 0$ and for $z \to \infty$, and thus the global minimum is at $z_0$ with $h'(z_0) = 0$. $h'(z) = 1 - 2/(\ln(2) z)$ and thus $z_0 = 2/\ln(2) = 2 \log(e)$, and hence the minimum of $h(z)$ equals $h(z_0) = 3 \log(e) - 2 \log\big(2 \log(e)\big)$, which turns out to be positive.

Lemma 4.9 For any $0 < x < 1/4$, it holds that
$$\exp\Big(-\frac{x^2}{32 (2 - \log(x))^2}\Big) < 2^{-x^4/32}.$$
Proof: Note that
$$\exp\Big(-\frac{x^2}{32 (2 - \log(x))^2}\Big) = 2^{-\frac{\log(e)}{32} \cdot \frac{x^2}{(2 - \log(x))^2}}.$$
Therefore, it suffices to show that $x^4 \le \frac{x^2}{(2 - \log(x))^2}$, or equivalently that the function $x \mapsto f(x) := x^2 (2 - \log(x))^2$ is smaller than 1 for $0 < x < 1/4$. It holds that $f(0) = 0$ and $f(1/4) = 1$ and it is easy to see that $f$ is a continuous increasing function, e.g. by verifying that for the first derivative
$$\frac{d}{dx} f(x) = 2x (2 - \log(x)) \Big( 2 - \log(x) - \frac{1}{\ln(2)} \Big) > 0$$
holds for $0 < x < 1/4$.
4.2 History and Previous Work

4.2.1 Mutually Unbiased Bases

Definition 4.10 (Mutually Unbiased Bases (MUBs)) Two orthonormal bases $\mathcal{B}_0 := \{|a_i\rangle\}_{i=1}^N$ and $\mathcal{B}_1 := \{|b_j\rangle\}_{j=1}^N$ of the complex Hilbert space $\mathcal{H}_N$ of dimension $N := 2^n$ are called mutually unbiased if
$$\forall i, j \in \{1, \ldots, N\}: \quad |\langle a_i | b_j \rangle| = \frac{1}{\sqrt{N}} = 2^{-n/2}.$$
More bases $\mathcal{B}_0, \mathcal{B}_1, \ldots, \mathcal{B}_M$ of this space $\mathcal{H}_N$ are called mutually unbiased, if every pair of them is mutually unbiased.

Wiesner showed in 1970 in one of the first articles about quantum cryptography [Wie83] that there are at least $m$ mutually unbiased bases in a Hilbert space of dimension $2^{(m-1)!/2}$. Later, optimal constructions of $N+1$ mutually unbiased bases in a Hilbert space of dimension $N$ were shown by Ivanović when $N$ is prime [Ivo81] and by Wootters and Fields for $N$ a prime power [WF89] (in particular, for $N = 2^n$ in the case of $n$ qubits). A nice construction based on the stabilizer formalism can be found in the article by Lawrence, Brukner, and Zeilinger [LBZ02]. It turned out to be an intriguing question to determine the maximal number of mutually unbiased bases in other dimensions; already the case $N = 6$ is still open [Eng03].

For a density matrix $\rho$ describing the state of $n$ qubits, let $Q^0_\rho(\cdot), Q^1_\rho(\cdot), \ldots, Q^M_\rho(\cdot)$ be the probability distributions over $n$-bit strings when measuring $\rho$ in bases $\mathcal{B}_0, \mathcal{B}_1, \ldots, \mathcal{B}_M$, respectively. For instance, for basis $\mathcal{B}_0 = \{|a_i\rangle\}_{i=1}^N$ and basis $\mathcal{B}_1 = \{|b_j\rangle\}_{j=1}^N$, we have $Q^0_\rho(i) = \langle a_i | \rho | a_i \rangle$ and $Q^1_\rho(j) = \langle b_j | \rho | b_j \rangle$. We leave out the state $\rho$ in the subscript when it is clear from the context.
4.2.2 Uncertainty Relations Using Shannon Entropy

The history of uncertainty relations starts with Heisenberg, who showed that the outcomes of two non-commuting observables applied to a quantum state are not easy to predict simultaneously [Hei27]. However, Heisenberg only speaks about the variance of the measurement results, and his result was shown to have several shortcomings by Deutsch [Deu83] and Hilgevoord and Uffink [HU88]. More general forms of uncertainty relations were proposed by Bialynicki-Birula and Mycielski in [BBM75] and by Deutsch [Deu83] to resolve these problems. The new relations were called entropic uncertainty relations, because they are expressed using Shannon entropy instead of the statistical variance. For mutually unbiased bases, Deutsch's relation reads
$$H(Q^0) + H(Q^1) \ge -2 \log\Big( \frac{1}{2} \big( 1 + \frac{1}{\sqrt{N}} \big) \Big).$$
A much stronger bound was first conjectured by Kraus [Kra87] and later proved by Maassen and Uffink [MU88]:
$$H(Q^0) + H(Q^1) \ge \log N = n. \qquad (4.2)$$
Intuitively, these bounds assure that if you know the outcome of measuring $\rho$ in basis $\mathcal{B}_0$ pretty well, you have large uncertainty when measuring in the other basis $\mathcal{B}_1$. Note that for entropic bounds using Shannon entropy, it is sufficient to state them for pure states. They then automatically hold for mixed states by concavity.

Lemma 4.11 If $H(Q^0_{|\varphi\rangle}) + H(Q^1_{|\varphi\rangle}) \ge k$ holds for all pure states $|\varphi\rangle \in \mathcal{H}$, then $H(Q^0_\rho) + H(Q^1_\rho) \ge k$ holds for all (possibly mixed) states $\rho \in \mathcal{P}(\mathcal{H})$.

Proof: Let $\rho = \sum_x \lambda_x |\varphi_x\rangle\langle\varphi_x|$ be the spectral decomposition of a mixed state. We then have for $i = 0, 1$ that $Q^i_\rho = \sum_x \lambda_x Q^i_{|\varphi_x\rangle}$ and therefore by concavity of the Shannon entropy (Lemma 2.10)
$$H(Q^0_\rho) + H(Q^1_\rho) \ge \sum_x \lambda_x \big( H(Q^0_{|\varphi_x\rangle}) + H(Q^1_{|\varphi_x\rangle}) \big) \ge k.$$

Although a bound on Shannon entropy can be helpful in some cases, it is usually not good enough in cryptographic applications. The main tool to reduce the adversary's information, privacy amplification by two-universal hashing, requires a bound on the adversary's min-entropy (in fact collision entropy), see Section 2.5. As $H(Q) \ge H_\alpha(Q)$ for $\alpha > 1$, higher-order entropic bounds are generally weaker, but imply bounds for Shannon entropy as well.

4.2.3 Higher-Order Entropic Uncertainty Relations

Different results are known for complete sets of $N+1$ mutually unbiased bases of $\mathcal{H}_N$. All of them are based on the following surprising geometrical result by Larsen.

Theorem 4.12 ([Lar90]) Let $Q^0_\rho, \ldots, Q^N_\rho$ be the $N+1$ distributions obtained by measuring state $\rho$ in mutually unbiased bases $\mathcal{B}_0, \ldots, \mathcal{B}_N$ of the Hilbert space $\mathcal{H}_N$. Then,
$$\sum_{i=0}^N \pi_2(Q^i_\rho) = 1 + \mathrm{tr}(\rho^2), \qquad (4.3)$$
where $\pi_2(Q) = \sum_x Q(x)^2$ denotes the collision probability of a distribution $Q$ (cf. Definition 2.6).

For a pure state $\rho = |\psi\rangle\langle\psi|$, $\mathrm{tr}(\rho^2) = 1$ holds and the right hand side of (4.3) equals 2. In this case, using that $x \mapsto -\log(x)$ is a convex function, Sánchez-Ruiz [Sán95] applies Jensen's inequality (Lemma 2.2) to derive the following lower bound on the sum of the collision entropies
$$\sum_{i=0}^N H_2(Q^i) = \sum_{i=0}^N -\log\big(\pi_2(Q^i)\big) \ge -(N+1) \log\Big( \frac{\sum_{i=0}^N \pi_2(Q^i)}{N+1} \Big) = (N+1) \log\frac{N+1}{2}.$$
Because of the lack of convexity of higher-order Rényi entropy, we cannot immediately extend an uncertainty relation for pure states to mixed states. On the other hand, the following lemma shows that uncertainty relations based on upper bounds of high-order probability sums for pure states also hold for mixed states and therefore translate to entropy lower bounds for mixed states.

Lemma 4.13 Let $\alpha \in (1, \infty]$.
If $\sum_{i=0}^M \pi_\alpha(Q^i_{|\varphi\rangle}) \le c$ for all pure states $|\varphi\rangle$, then for all mixed states $\rho$,
$$\sum_{i=0}^M H_\alpha(Q^i_\rho) \ge (M+1) \log\frac{M+1}{c}.$$
Equality holds for a state $\rho$ for which $\pi_\alpha(Q^i_\rho) = \frac{c}{M+1}$ for all $i$.

Proof: As $x \mapsto x^\alpha$ is convex for $\alpha > 1$, $\pi_\alpha(\cdot)$ is a convex functional. Therefore, for a mixed state $\rho = \sum_x \lambda_x |\varphi_x\rangle\langle\varphi_x|$, we have $Q^i_\rho = \sum_x \lambda_x Q^i_{|\varphi_x\rangle}$ and
$$\sum_{i=0}^M \pi_\alpha(Q^i_\rho) \le \sum_{i=0}^M \sum_x \lambda_x \pi_\alpha(Q^i_{|\varphi_x\rangle}) \le \sum_x \lambda_x \sum_{i=0}^M \pi_\alpha(Q^i_{|\varphi_x\rangle}) \le c.$$
Just as above, it follows by Jensen's inequality (Lemma 2.2) that
$$\sum_{i=0}^M H_\alpha(Q^i_\rho) = \sum_{i=0}^M -\log\big(\pi_\alpha(Q^i_\rho)\big) \ge -(M+1) \log\Big( \frac{\sum_{i=0}^M \pi_\alpha(Q^i_\rho)}{M+1} \Big) \ge (M+1) \log\frac{M+1}{c}.$$
Jensen's inequality is tight if the values $\pi_\alpha(Q^i_\rho)$ are all equal.

For incomplete sets of bases $\mathcal{B}_0, \ldots, \mathcal{B}_M$ with $1 \le M \le N$, the current state-of-the-art bound was independently obtained by Damgård, Salvail and Pedersen [DPS04] and Azarchs [Aza04] by subtracting the minimal amount of collision probability ($1/N$) in the bases not included in the sum:
$$\sum_{i=0}^M \pi_2(Q^i_{|\varphi\rangle}) \le 2 - \frac{N + 1 - (M+1)}{N} = \frac{N + M}{N}. \qquad (4.4)$$
By Lemma 4.13, this yields
$$\sum_{i=0}^M H_2(Q^i_\rho) \ge (M+1) \log\frac{N(M+1)}{N+M}. \qquad (4.5)$$
As mentioned above, all lower bounds on the collision entropy from this section imply bounds on the Shannon entropy because $H(Q) \ge H_2(Q)$, but do not tell us anything about the min-entropy $H_\infty(Q)$. In the rest of this chapter, we derive entropic uncertainty relations involving min-entropy. Uncertainty relations in terms of Rényi entropy have also been studied in a different context by Bialynicki-Birula [BB06].

4.3 Two Mutually Unbiased Bases

In this section, we consider the situation where an $n$-qubit state is measured in one out of two mutually unbiased bases of $\mathcal{H}_{2^n}$.
Without loss of generality, we assume these two bases to be the $n$-fold tensor product of the computational basis $+^{\otimes n}$ and of the diagonal basis $\times^{\otimes n}$, in this section simply called $+$- and $\times$-basis.

We show that two distributions obtained by measuring in two mutually unbiased bases cannot both be "very far from uniform". One way to characterize non-uniformity of a distribution is to identify a subset of outcomes that has much higher probability than for a uniform choice. Intuitively, the theorem below says that such sets cannot be found simultaneously for both measurements.

Theorem 4.14 Let $\rho$ be an arbitrary state of $n$ qubits, and let $Q^+(\cdot)$ and $Q^\times(\cdot)$ be the respective distributions of the outcome when $\rho$ is measured in the $+$-basis respectively the $\times$-basis. Then, for any two sets $L^+ \subset \{0,1\}^n$ and $L^\times \subset \{0,1\}^n$ it holds that
$$Q^+(L^+) + Q^\times(L^\times) \le 1 + 2^{-n/2} \sqrt{|L^+| |L^\times|}.$$
Proof: We define the two orthogonal projectors
$$A := \sum_{x \in L^+} |x\rangle\langle x| \quad \text{and} \quad B := \sum_{y \in L^\times} H^{\otimes n} |y\rangle\langle y| H^{\otimes n}.$$
Using the spectral decomposition of $\rho = \sum_w \lambda_w |\varphi_w\rangle\langle\varphi_w|$, we have
$$Q^+(L^+) + Q^\times(L^\times) = \mathrm{tr}(A\rho) + \mathrm{tr}(B\rho) = \sum_w \lambda_w \big( \mathrm{tr}(A |\varphi_w\rangle\langle\varphi_w|) + \mathrm{tr}(B |\varphi_w\rangle\langle\varphi_w|) \big) = \sum_w \lambda_w \big( \langle\varphi_w| A |\varphi_w\rangle + \langle\varphi_w| B |\varphi_w\rangle \big) = \sum_w \lambda_w \langle\varphi_w| (A + B) |\varphi_w\rangle \le \|A + B\| \le 1 + \|AB\|,$$
where the last line is Proposition 4.2. To conclude, we show that $\|AB\| \le 2^{-n/2} \sqrt{|L^+| |L^\times|}$. Note that an arbitrary state $|\psi\rangle = \sum_z \lambda_z H^{\otimes n} |z\rangle$ can be expressed with coordinates $\lambda_z$ in the diagonal basis.
Then, with the sums over $x$ and $y$ understood as over $x \in L^+$ and $y \in L^\times$, respectively,
$$\big\| AB |\psi\rangle \big\| = \Big\| \sum_{x,y} |x\rangle\langle x| H^{\otimes n} |y\rangle\langle y| H^{\otimes n} |\psi\rangle \Big\| = 2^{-n/2} \Big\| \sum_{x,y} |x\rangle \langle y| H^{\otimes n} |\psi\rangle \Big\| = 2^{-n/2} \Big\| \sum_x |x\rangle \Big\| \cdot \Big| \sum_y \lambda_y \Big| \le 2^{-n/2} \sqrt{|L^+|} \sum_y |\lambda_y| \le 2^{-n/2} \sqrt{|L^+| |L^\times|}.$$
The second equality holds since $\langle x | H^{\otimes n} | y \rangle = 2^{-n/2}$ as the bases are mutually unbiased, the first inequality follows from Pythagoras and the triangle inequality, and the last inequality follows from Cauchy-Schwarz (Lemma 2.3). This implies $\|AB\| \le 2^{-n/2} \sqrt{|L^+| |L^\times|}$ and finishes the proof.

This theorem yields a meaningful bound as long as $|L^+| \cdot |L^\times| < 2^n$, for instance if $L^+$ and $L^\times$ both contain fewer than $2^{n/2}$ elements. The relation is tight in the sense that for the Hadamard-invariant state $|\varphi\rangle = \big( |0\rangle^{\otimes n} + (H|0\rangle)^{\otimes n} \big) / \sqrt{2(1 + 2^{-n/2})}$ and $L^+ = L^\times = \{0^n\}$, it is straightforward to verify that $Q^+(L^+) = Q^\times(L^\times) = (1 + 2^{-n/2})/2$ and therefore $Q^+(L^+) + Q^\times(L^\times) = 1 + 2^{-n/2}$. Another state that achieves equality (for $n$ even) is $|\varphi\rangle = |0\rangle^{\otimes n/2} \otimes (H|0\rangle)^{\otimes n/2}$ with $L^+ = \{0^{n/2} x \mid x \in \{0,1\}^{n/2}\}$ and $L^\times = \{x 0^{n/2} \mid x \in \{0,1\}^{n/2}\}$. We get that $Q^+(L^+) = Q^\times(L^\times) = 1$ and thus $Q^+(L^+) + Q^\times(L^\times) = 2 = 1 + 2^{-n/2} \sqrt{2^n}$.

If for $r \in \{+, \times\}$, $L^r$ contains only the $n$-bit string with the maximal probability of $Q^r$, we obtain a known tight relation (see (9) in [MU88]).

Corollary 4.15 Let $q^+_\infty$ and $q^\times_\infty$ be the maximal probabilities of the distributions $Q^+$ and $Q^\times$ from above. It then holds that $q^+_\infty + q^\times_\infty \le 1 + c$ and therefore also $q^+_\infty \cdot q^\times_\infty \le \frac{1}{4} (1 + c)^2$, where $c = 2^{-n/2}$.

Equality is achieved for the same state $|\varphi\rangle = \big( |0\rangle^{\otimes n} + (H|0\rangle)^{\otimes n} \big) / \sqrt{2(1 + 2^{-n/2})}$ as above. Using Lemma 4.13, the following corollary is obtained.
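The bound of Theorem 4.14, its two tight cases and the max-probability form of Corollary 4.15 can be checked numerically for small $n$. The Python script below is an added example, not code from the thesis: it represents an $n$-qubit pure state as a list of $2^n$ amplitudes, obtains $Q^+$ directly and $Q^\times$ through a normalised Walsh-Hadamard transform (which is $H^{\otimes n}$), and compares both sides of the inequality for the Hadamard-invariant state, for $|0\rangle^{\otimes n/2} \otimes (H|0\rangle)^{\otimes n/2}$ and for seeded random states. It also checks Definition 4.10 for the $+$- and $\times$-bases and the min-entropy sum bound that Lemma 4.13 turns Corollary 4.15 into (Corollary 4.16 below). Index bit $k$ of an amplitude position stands for qubit $k$, with the most significant bit as the first qubit; all function names are ours.

```python
import math
import random


def hadamard_transform(psi):
    """Apply H^{(x)n} to a 2^n-entry amplitude vector (normalised fast
    Walsh-Hadamard transform; the butterfly with stride h acts on index bit log2 h)."""
    v = list(psi)
    dim = len(v)
    h = 1
    while h < dim:
        for start in range(0, dim, 2 * h):
            for j in range(start, start + h):
                a, b = v[j], v[j + h]
                v[j], v[j + h] = a + b, a - b
        h *= 2
    scale = 1.0 / math.sqrt(dim)
    return [a * scale for a in v]


def q_plus(psi):
    """Q^+(x) = |<x|psi>|^2, the outcome distribution in the computational basis."""
    return [abs(a) ** 2 for a in psi]


def q_cross(psi):
    """Q^x(y) = |<y|H^{(x)n}|psi>|^2, the outcome distribution in the diagonal basis."""
    return q_plus(hadamard_transform(psi))


def theorem_4_14(psi, l_plus, l_cross):
    """Return (Q^+(L^+) + Q^x(L^x), 1 + 2^{-n/2} sqrt(|L^+||L^x|)) for index sets."""
    n = int(math.log2(len(psi)))
    qp, qc = q_plus(psi), q_cross(psi)
    lhs = sum(qp[x] for x in l_plus) + sum(qc[y] for y in l_cross)
    rhs = 1 + 2 ** (-n / 2) * math.sqrt(len(l_plus) * len(l_cross))
    return lhs, rhs


def corollary_4_15(psi):
    """Return (q^+_inf + q^x_inf, 1 + c) with c = 2^{-n/2}: singleton sets of max probability."""
    n = int(math.log2(len(psi)))
    return max(q_plus(psi)) + max(q_cross(psi)), 1 + 2 ** (-n / 2)


def min_entropy_sum(psi):
    """H_inf(Q^+) + H_inf(Q^x) in bits."""
    return -math.log2(max(q_plus(psi))) - math.log2(max(q_cross(psi)))


def min_entropy_bound(n):
    """2(1 - log(1 + 2^{-n/2})), the value Lemma 4.13 derives from Corollary 4.15."""
    return 2 * (1 - math.log2(1 + 2 ** (-n / 2)))


def hadamard_invariant_state(n):
    """(|0>^{(x)n} + (H|0>)^{(x)n}) / sqrt(2(1 + 2^{-n/2})): the tight case with L = {0^n}."""
    dim = 2 ** n
    psi = [2 ** (-n / 2)] * dim       # (H|0>)^{(x)n} has uniform amplitudes
    psi[0] += 1.0                     # add |0...0>
    norm = math.sqrt(2 * (1 + 2 ** (-n / 2)))
    return [a / norm for a in psi]


def half_half_state(n):
    """|0>^{(x)n/2} (x) (H|0>)^{(x)n/2} for even n: first half zero, second half uniform."""
    half = n // 2
    psi = [0.0] * (2 ** n)
    for x in range(2 ** half):        # positions whose high n/2 index bits are zero
        psi[x] = 2 ** (-half / 2)
    return psi


def random_state(n, seed):
    """Seeded Haar-like random pure state (constructed test input)."""
    rng = random.Random(seed)
    amps = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(2 ** n)]
    norm = math.sqrt(sum(abs(a) ** 2 for a in amps))
    return [a / norm for a in amps]


def bases_are_mutually_unbiased(n):
    """Definition 4.10 for the +- and x-bases: |<x|H^{(x)n}|y>| = 2^{-n/2} for all x, y."""
    dim = 2 ** n
    for y in range(dim):
        e_y = [0.0] * dim
        e_y[y] = 1.0
        column = hadamard_transform(e_y)
        if any(not math.isclose(abs(a), 2 ** (-n / 2)) for a in column):
            return False
    return True


def approx(a, b, tol=1e-9):
    return abs(a - b) < tol


if __name__ == "__main__":
    print("MUB check, n=3:", bases_are_mutually_unbiased(3))
    print("Hadamard-invariant, n=4:", theorem_4_14(hadamard_invariant_state(4), [0], [0]))
    print("half/half, n=4:", theorem_4_14(half_half_state(4), [0, 1, 2, 3], [0, 4, 8, 12]))
```

Only pure states are handled, which is all the check needs: for a mixed $\rho$ the left-hand side is the $\lambda_w$-weighted average over the spectral decomposition, exactly as in the proof, so the inequality for pure states carries over.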
Corollary 4.16 For all quantum states $\rho$ of $n$ qubits, it holds that
$$H_\infty(Q^+_\rho) + H_\infty(Q^\times_\rho) \ge 2 \big( 1 - \log(1 + 2^{-n/2}) \big).$$
There exists a quantum state achieving equality.

The following corollary plays the crucial role in the security proofs of protocols in the bounded-quantum-storage model presented in the following chapters of this thesis.

Corollary 4.17 Let $R$ be a random variable over $\{+, \times\}$, and let $X$ be the outcome when $\rho$ is measured in basis $R$, such that $P_{X|R}(x|r) = Q^r(x)$. Then, for any $\lambda < \frac{1}{2}$ there exists $\kappa > 0$ and an event $\mathcal{E}$ such that
$$P[\mathcal{E} \mid R = +] + P[\mathcal{E} \mid R = \times] \ge 1 - 2^{-\kappa n}$$
and thus $P[\mathcal{E}] \ge \frac{1}{2} - 2^{-\kappa n}$ in case $R$ is uniform, and such that
$$H_\infty(X \mid R = r, \mathcal{E}) \ge \lambda n$$
for $r \in \{+, \times\}$ with $P_{R|\mathcal{E}}(r) > 0$.

Proof: Choose $\kappa > 0$ such that $\lambda + 2\kappa < \frac{1}{2}$, and define
$$S^+ := \{x \in \{0,1\}^n : Q^+(x) \le 2^{-(\lambda + \kappa) n}\} \quad \text{and} \quad S^\times := \{z \in \{0,1\}^n : Q^\times(z) \le 2^{-(\lambda + \kappa) n}\}$$
to be the sets of strings with small probabilities and denote by $L^+ := \overline{S^+}$ and $L^\times := \overline{S^\times}$ their complements.¹ Note that for all $x \in L^+$, we have that $Q^+(x) > 2^{-(\lambda + \kappa) n}$ and therefore $|L^+| < 2^{(\lambda + \kappa) n}$. Analogously, we have $|L^\times| < 2^{(\lambda + \kappa) n}$. For ease of notation, we abbreviate the probabilities that strings with small probabilities occur with $q^+ := Q^+(S^+)$ and $q^\times := Q^\times(S^\times)$. It follows immediately from the choice of $\kappa$ and Theorem 4.14 that
$$q^+ + q^\times \ge 1 - 2^{-n/2} \cdot 2^{(\lambda + \kappa) n} \ge 1 - 2^{-\kappa n}.$$
We define $\mathcal{E}$ to be the event $X \in S^R$. Then $P[\mathcal{E} \mid R = +] = P[X \in S^+ \mid R = +] = q^+$ and similarly $P[\mathcal{E} \mid R = \times] = q^\times$, and thus the first claim follows immediately. Furthermore, if $R$ is uniformly distributed, then
$$P[\mathcal{E}] = P[\mathcal{E} \mid R = +] P_R(+) + P[\mathcal{E} \mid R = \times] P_R(\times) = \tfrac{1}{2} (q^+ + q^\times) \ge \tfrac{1}{2} - 2^{-\kappa n}/2 \ge \tfrac{1}{2} - 2^{-\kappa n}.$$
Regarding the second claim, in case $R = +$, we have
$$H_\infty(X \mid R = +, \mathcal{E}) = -\log\Big( \max_{x \in S^+} \frac{Q^+(x)}{q^+} \Big) \ge -\log\Big( \frac{2^{-(\lambda + \kappa) n}}{q^+} \Big) = \lambda n + \kappa n + \log(q^+).$$
Thus, if $q^+ \ge 2^{-\kappa n}$ then indeed $H_\infty(X \mid R = +, X \in S^+) \ge \lambda n$. The corresponding holds for the case $R = \times$. Finally, if $q^+ < 2^{-\kappa n}$ (or similarly $q^\times < 2^{-\kappa n}$) then instead of the above, we define $\mathcal{E}$ as the empty event if $R = +$ and as the event $X \in S^\times$ if $R = \times$. It follows that $P[\mathcal{E} \mid R = +] = 0$ and $P[\mathcal{E} \mid R = \times] = q^\times \ge 1 - 2^{-\kappa n}$, as well as $H_\infty(X \mid R = \times, \mathcal{E}) = H_\infty(X \mid R = \times, X \in S^\times) \ge \lambda n + \kappa n + \log(q^\times) \ge \lambda n$ (for $n$ large enough), both by the bound on $q^+ + q^\times$ and on $q^+$, whereas $P_{R|\mathcal{E}}(+) = 0$.

¹ Here's the mnemonic: S for the strings with Small probabilities, L for Large.

4.4 More Mutually Unbiased Bases

In this section, we generalize the uncertainty relation derived in Section 4.3 to more than two mutually unbiased bases. Such uncertainty relations over more than two, but not all mutually unbiased bases in terms of min-entropy may be of independent interest, see the discussion at the end of Section 4.2.

Theorem 4.18 Let the density matrix $\rho$ describe the state of $n$ qubits and let $\mathcal{B}_0, \mathcal{B}_1, \ldots, \mathcal{B}_M$ be mutually unbiased bases of $\mathcal{H}_{2^n}$. Let $Q^0(\cdot), Q^1(\cdot), \ldots, Q^M(\cdot)$ be the distributions of the outcome when $\rho$ is measured in bases $\mathcal{B}_0, \mathcal{B}_1, \ldots, \mathcal{B}_M$, respectively. Then, for any sets $L_0, L_1, \ldots, L_M \subset \{0,1\}^n$, it holds that
$$\sum_{i=0}^M Q^i(L_i) \le 1 + M \cdot 2^{-n/2} \max_{0 \le i \ldots}$$
[...]

[...] $0$, let $0 < M < 2^{\frac{n}{2} - \varepsilon n}$. For $i = 0, \ldots, M$, let $H_\infty(Q^i)$ be the min-entropies of the distributions $Q^i$ from the theorem above. Then,
$$\sum_{i=0}^M H_\infty(Q^i) \ge (M+1) \log(M+1) - \mathrm{negl}(n).$$
Proof: For $i = 0, \ldots, M$, we denote by $q^i_\infty$ the maximal probability of $Q^i$ and let $L_i$ be the set containing only the $n$-bit string $x$ with this maximal probability $q^i_\infty$.
Theorem 4.18 together with the assumption about $M$ assures $\sum_{i=0}^{M} q_i^\infty \le 1 + \mathrm{negl}(n)$. By Lemma 4.13 follows
$$ \sum_{i=0}^{M} H_\infty(Q_i) \ge (M+1)\log(M+1) - \mathrm{negl}(n) . $$

4.5 Independent Bases for Each Subsystem

So far, we have focused on the case of an $n$-qubit state $\rho \in \mathcal{P}(\mathcal{H}_{2^n})$ measured in two or more mutually unbiased bases of $\mathcal{H}_{2^n}$. In this section, we investigate the case when each of the $n$ qubits is measured in an individual basis, picked independently and uniformly from $\{+,\times\}$, i.e. $\rho$ is measured in basis $\Theta \in_R \{+,\times\}^n$. More generally, our result holds for a state $\rho \in \mathcal{H}_d^{\otimes n}$ of $n$ quantum systems, each $d$-dimensional, which are measured in an individual basis, picked independently and uniformly from a set $\mathcal{B}$ of bases of $\mathcal{H}_d$, see Theorem 4.22.

4.5.1 A Classical Tool

We start our derivation with a classical information-theoretic tool which itself might be of independent interest.

Theorem 4.20 Let $Z_1, \ldots, Z_n$ be $n$ random variables (not necessarily independent) over alphabet $\mathcal{Z}$. If there exists a real number $h > 0$ such that for all $1 \le i \le n$ and $z_1, \ldots, z_{i-1} \in \mathcal{Z}$:
$$ H(Z_i \mid Z_1 = z_1, \ldots, Z_{i-1} = z_{i-1}) \ge h , $$
then for any $0 < \lambda < \tfrac12$
$$ H^{\varepsilon}_\infty(Z_1, \ldots, Z_n) \ge (h - 2\lambda) n , \quad \text{where } \varepsilon = \exp\Big( -\frac{\lambda^2 n}{32 \log(|\mathcal{Z}|/\lambda)^2} \Big) . $$

If the $Z_i$'s are independent and have Shannon entropy at least $h$, it is known (see Lemma 2.13) that the smooth min-entropy of $Z_1, \ldots, Z_n$ is at least $nh$ for large enough $n$. Informally, Theorem 4.20 guarantees that when the independence condition is relaxed to a lower bound on the Shannon entropy of $Z_i$ given any previous history, then we still have (almost) $nh$ bits of min-entropy except with negligible probability $\varepsilon$. The proof idea is to use Azuma's inequality in the form of Corollary 4.7 for cleverly chosen $R_i$'s.
The main trick is that for a random variable $Z$ over $\mathcal{Z}$, we can define another random variable $S := \log P_Z(Z)$ over $\mathbb{R}$ with expected value $E[S] = \sum_{z \in \mathcal{Z}} P_Z(z) \cdot \log P_Z(z) = -H(Z)$, i.e. minus the Shannon entropy of $Z$, which allows us to make the connection with the assumption about the Shannon entropy.

Proof: Recall that the superscript means $Z^i := (Z_1, \ldots, Z_i)$ for any $i \in \{1, \ldots, n\}$, and similarly for other sequences. We want to show that
$$ \Pr\big[ P_{Z^n}(Z^n) \ge 2^{-(h-2\lambda)n} \big] \le \varepsilon $$
for $\varepsilon$ as claimed in Theorem 4.20. This means that $P_{Z^n}(z^n)$ is smaller than $2^{-(h-2\lambda)n}$ except with probability at most $\varepsilon$ (over the choice of $z^n$), and therefore implies the claim $H^{\varepsilon}_\infty(Z^n) \ge (h - 2\lambda)n$ by the definition of smooth min-entropy from Section 2.4.2. Note that $P_{Z^n}(Z^n) \ge 2^{-(h-2\lambda)n}$ is equivalent to
$$ \sum_{i=1}^{n} \Big( \log P_{Z_i | Z^{i-1}}(Z_i | Z^{i-1}) + h \Big) \ge 2\lambda n \tag{4.6} $$
which is of suitable form to apply Azuma's inequality (Corollary 4.7).

Consider first an arbitrary sequence $S_1, \ldots, S_n$ of real-valued random variables. We assume the $S_i$'s to be either all positive or all negative. Define a new sequence $R_1, \ldots, R_n$ of random variables by putting $R_i := S_i - E[S_i \mid S^{i-1}]$. It is straightforward to verify that $E[R_i \mid R^{i-1}] = 0$, i.e., $R_1, \ldots, R_n$ forms a martingale difference sequence. Thus if for any $i$, $|S_i| \le c$ for some $c$, and thus $|R_i| \le c$, Azuma's inequality guarantees that
$$ \Pr\Big[ \sum_{i=1}^{n} \big( S_i - E[S_i \mid S^{i-1}] \big) \ge \lambda n \Big] \le \exp\Big( -\frac{\lambda^2 n}{2c^2} \Big) . \tag{4.7} $$
We now put $S_i := \log P_{Z_i | Z^{i-1}}(Z_i | Z^{i-1})$ for $i = 1, \ldots, n$. Note that $S_1, \ldots, S_n \le 0$. It is easy to see that the bound on the conditional entropy of $Z_i$ from Theorem 4.20 implies that $E[S_i \mid S^{i-1}] \le -h$.
Indeed, for any $z^{i-1} \in \mathcal{Z}^{i-1}$, we have
$$ E\big[ \log P_{Z_i | Z^{i-1}}(Z_i | Z^{i-1}) \;\big|\; Z^{i-1} = z^{i-1} \big] = -H(Z_i \mid Z^{i-1} = z^{i-1}) \le -h , $$
and thus for any subset $\mathcal{E}$ of $\mathcal{Z}^{i-1}$, and in particular for the set of $z^{i-1}$'s which map to a given $s^{i-1}$, it holds that
$$ E\big[ S_i \mid Z^{i-1} \in \mathcal{E} \big] = \sum_{z^{i-1} \in \mathcal{E}} P_{Z^{i-1} | Z^{i-1} \in \mathcal{E}}(z^{i-1}) \cdot E\big[ \log P_{Z_i | Z^{i-1}}(Z_i | Z^{i-1}) \;\big|\; Z^{i-1} = z^{i-1} \big] \le -h . \tag{4.8} $$
As a consequence, the bound on the probability of (4.7) in particular bounds the probability of the event (4.6), even with $\lambda n$ instead of $2\lambda n$. A problem though is that we have no upper bound $c$ on the $|S_i|$'s. Because of that, we now consider a modified sequence $\tilde{S}_1, \ldots, \tilde{S}_n$ defined by $\tilde{S}_i := \log P_{Z_i | Z^{i-1}}(Z_i | Z^{i-1})$ if $P_{Z_i | Z^{i-1}}(Z_i | Z^{i-1}) \ge \delta$ and $\tilde{S}_i := 0$ otherwise, where $\delta > 0$ will be determined later. This gives us a bound like (4.7) but with an explicit $c$, namely $c = \log(1/\delta)$. Below, we will argue that $E[\tilde{S}_i \mid \tilde{S}^{i-1}] - E[S_i \mid \tilde{S}^{i-1}] \le \lambda$ by the right choice of $\delta$; the claim then follows from observing that
$$ \tilde{S}_i - E[\tilde{S}_i \mid \tilde{S}^{i-1}] \ge S_i - E[\tilde{S}_i \mid \tilde{S}^{i-1}] \ge S_i - E[S_i \mid \tilde{S}^{i-1}] - \lambda \ge S_i + h - \lambda , $$
where the last inequality follows from (4.8). Regarding the claim $E[\tilde{S}_i \mid \tilde{S}^{i-1}] - E[S_i \mid \tilde{S}^{i-1}] \le \lambda$, using a similar argument as for (4.8), it suffices to show that $E[\tilde{S}_i \mid Z^{i-1} = z^{i-1}] - E[S_i \mid Z^{i-1} = z^{i-1}] \le \lambda$ for any $z^{i-1}$:
$$ E[\tilde{S}_i \mid Z^{i-1} = z^{i-1}] - E[S_i \mid Z^{i-1} = z^{i-1}] = -\sum_{z_i} P_{Z_i | Z^{i-1}}(z_i | z^{i-1}) \log\big( P_{Z_i | Z^{i-1}}(z_i | z^{i-1}) \big) \le |\mathcal{Z}|\, \delta \log(1/\delta) $$
where the summation is over all $z_i \in \mathcal{Z}$ with $P_{Z_i | Z^{i-1}}(z_i | z^{i-1}) < \delta$, and where the inequality holds as long as $\delta \le 1/e$, as can easily be verified. Thus, we let $0 < \delta < 1/e$ be such that $|\mathcal{Z}|\, \delta \log(1/\delta) = \lambda$.
Using the mathematical Lemma 4.8, we have that $\delta > \lambda / \big( |\mathcal{Z}| \cdot 4\log(|\mathcal{Z}|/\lambda) \big)$ and derive that $c^2 = \log(1/\delta)^2 = \lambda^2 / (\delta|\mathcal{Z}|)^2 < 16\log(|\mathcal{Z}|/\lambda)^2$, which gives us the claimed bound $\varepsilon$ on the probability.

4.5.2 Quantum Uncertainty Relations

We now state and prove the new entropic uncertainty relation in its most general form. A special case will then be introduced (Corollary 4.23) and used in the security analysis of the 1-2 OT protocols we consider in Chapter 6.

Definition 4.21 Let $\mathcal{S}$ be a finite set of orthonormal bases in the $d$-dimensional Hilbert space $\mathcal{H}_d$. We call $h \ge 0$ an average entropic uncertainty bound for $\mathcal{S}$ if every state in $\mathcal{H}_d$ satisfies $\frac{1}{|\mathcal{S}|} \sum_{\vartheta \in \mathcal{S}} H(P_\vartheta) \ge h$, where $P_\vartheta$ is the distribution obtained by measuring the state in basis $\vartheta$.

Note that by the convexity of the Shannon entropy $H$, a lower bound for all pure states in $\mathcal{H}_d$ suffices to imply the bound for all (possibly mixed) states.

Theorem 4.22 Let $\mathcal{S}$ be a set of orthonormal bases in $\mathcal{H}_d$ with an average entropic uncertainty bound $h$, and let $\rho \in \mathcal{P}(\mathcal{H}_d^{\otimes n})$ be an arbitrary quantum state. Let $\Theta = (\Theta_1, \ldots, \Theta_n)$ be uniformly distributed over $\mathcal{S}^n$ and let $X = (X_1, \ldots, X_n)$ be the outcome when measuring $\rho$ in basis $\Theta$, distributed over $\{0, \ldots, d-1\}^n$. Then for any $0 < \lambda < \tfrac12$
$$ H^{\varepsilon}_\infty(X \mid \Theta) \ge (h - 2\lambda) n \quad \text{with } \varepsilon = \exp\Big( -\frac{\lambda^2 n}{32 (\log(|\mathcal{S}| \cdot d/\lambda))^2} \Big) . $$

Proof: Define $Z_i := (X_i, \Theta_i)$ and $Z^i := (Z_1, \ldots, Z_i)$. Let $z^{i-1} \in \mathcal{S}^{i-1}$ be arbitrary. Then
$$ H(Z_i \mid Z^{i-1} = z^{i-1}) = H(X_i \mid \Theta_i, Z^{i-1} = z^{i-1}) + H(\Theta_i \mid Z^{i-1} = z^{i-1}) \ge h + \log|\mathcal{S}| , $$
where the inequality follows from the fact that $\Theta_i$ is chosen uniformly at random and from the definition of $h$. Note that $h$ lower bounds the average entropy for any system in $\mathcal{H}_d$, and thus in particular for the $i$-th subsystem of $\rho$, with all previous $d$-dimensional subsystems measured.
Theorem 4.20 thus implies that
$$ H^{\varepsilon}_\infty(X\Theta) \ge (h + \log|\mathcal{B}| - 2\lambda) n $$
for any $0 < \lambda < \tfrac12$ and for $\varepsilon$ as claimed. We conclude that
$$ H^{\varepsilon}_\infty(X \mid \Theta) \ge H^{\varepsilon}_\infty(X\Theta) - n\log|\mathcal{B}| \ge (h - 2\lambda) n , $$
where the first inequality follows from the equality $P_{X\mathcal{E} | \Theta}(x | \theta) = P_{X\Theta\mathcal{E}}(x, \theta) / P_\Theta(\theta) = |\mathcal{B}|^n \cdot P_{X\Theta\mathcal{E}}(x, \theta)$ for all $x$ and $\theta$ and any event $\mathcal{E}$, and from the definition of (conditional) smooth entropy.

For the special case where $\mathcal{S} = \{+,\times\}$ is the set of BB84 bases, we can use the uncertainty relation of Maassen and Uffink [MU88] (see Equation (4.2)) which, using our terminology, states that $\mathcal{S}$ has average entropic uncertainty bound $h = \tfrac12$. Theorem 4.22 together with Lemma 4.9 then immediately gives the following corollary.

Corollary 4.23 Let $\rho \in \mathcal{P}(\mathcal{H}_2^{\otimes n})$ be an arbitrary $n$-qubit quantum state. Let $\Theta = (\Theta_1, \ldots, \Theta_n)$ be uniformly distributed over $\{+,\times\}^n$ and $X = (X_1, \ldots, X_n)$ be the outcome when measuring $\rho$ in basis $\Theta$. Then for any $0 < \lambda < \tfrac14$
$$ H^{\varepsilon}_\infty(X \mid \Theta) \ge \Big( \tfrac12 - 2\lambda \Big) n \quad \text{where } \varepsilon = 2^{-\frac{\lambda^4}{32} n} . $$

Maassen and Uffink's relation being optimal means there exists a quantum state $\rho$, namely the product state of eigenstates of the subsystems, e.g. $\rho = |0\rangle\langle 0|^{\otimes n}$, for which $H(X \mid \Theta) = \tfrac{n}{2}$. On the other hand, we have shown that $(\tfrac12 - \lambda) n \le H^{\varepsilon}_\infty(X \mid \Theta)$ for $\lambda > 0$ arbitrarily close to 0. For the product state $\rho$, the $X$ are independent and we know from Lemma 2.13 that $H^{\varepsilon}_\infty(X \mid \Theta)$ approaches $H(X \mid \Theta) = \tfrac{n}{2}$. It follows that the relation cannot be significantly improved even when considering Rényi entropy of order $1 < \alpha < \infty$.

Another tight corollary is obtained if we consider the set of measurements $\mathcal{S}$ consisting of the bases $+$, $\times$ and the circular basis (see Section 2.3 for the definition of the circular basis). In [Sán93], Sánchez-Ruiz shows that for this $\mathcal{S}$, the average entropic uncertainty bound
$$ h = \tfrac23 \tag{4.9} $$
is optimal.
It implies that $H^{\varepsilon}_\infty(X \mid \Theta) \gtrsim H(X \mid \Theta) = \tfrac{2n}{3}$ for negligible $\varepsilon$.

4.5.3 The Overall Average Entropic Uncertainty Bound

In this section, we compute the average uncertainty bound for the set of all bases of a $d$-dimensional Hilbert space. Let $U(d)$ be the set of unitaries on $\mathcal{H}_d$. Moreover, let $dU$ be the normalized Haar measure on $U(d)$, i.e.,
$$ \int_{U(d)} f(VU)\, dU = \int_{U(d)} f(UV)\, dU = \int_{U(d)} f(U)\, dU , $$
for any $V \in U(d)$ and any integrable function $f$, and $\int_{U(d)} dU = 1$. (Note that the normalized Haar measure $dU$ exists and is unique.) Let $\{\omega_1, \ldots, \omega_d\}$ be a fixed orthonormal basis of $\mathcal{H}_d$, and let $\mathcal{S}_{\mathrm{all}} = \{\vartheta_U\}_{U \in U(d)}$ be the family of bases $\vartheta_U = \{U\omega_1, \ldots, U\omega_d\}$ with $U \in U(d)$. The set $\mathcal{S}_{\mathrm{all}}$ consists of all orthonormal bases of $\mathcal{H}_d$. We generalize Definition 4.21, the average entropic uncertainty bound for a finite set of bases, to the infinite set $\mathcal{S}_{\mathrm{all}}$.

Definition 4.24 We call $h_d$ an overall average entropic uncertainty bound in $\mathcal{H}_d$ if every state in $\mathcal{H}_d$ satisfies
$$ \int_{U(d)} H(P_{\vartheta_U})\, dU \ge h_d , $$
where $P_{\vartheta_U}$ is the distribution obtained by measuring the state in basis $\vartheta_U \in \mathcal{S}_{\mathrm{all}}$.

Proposition 4.25 For any positive integer $d$,
$$ h_d = \sum_{i=2}^{d} \frac{1}{i} \Big/ \ln(2) $$
is the overall average entropic uncertainty bound in $\mathcal{H}_d$. It is attained for any pure state in $\mathcal{H}_d$.

The proposition follows immediately from Formula (14) in [JRW94] for a pure state, i.e. $(\lambda_1, \ldots, \lambda_n) = (1, 0, \ldots, 0)$. The result was originally shown by Sýkora [Sýk74] and by Jones [Jon91]; another proof can be found in the appendix of an article by Jozsa, Robb, and Wootters [JRW94]. An elementary proof suggested by Harremoës based on recent results by Harremoës and Vignat [HV06] is given below.

Proof: Let $|\varphi\rangle$ be a pure state in $\mathcal{H}_d$. For the probability distribution $P_{\vartheta_U} = (p_1, \ldots, p_d)$ holds $p_i = |\langle \varphi | U | \omega_i \rangle|^2$. We want to compute the integral
$$ \int_{U(d)} -\sum_{i=1}^{d} p_i \log(p_i)\, dU = -\sum_{i=1}^{d} \int_{U(d)} |\langle \varphi | U | \omega_i \rangle|^2 \log\big( |\langle \varphi | U | \omega_i \rangle|^2 \big)\, dU . $$
Note that by the invariance of the Haar measure, all summands on the right-hand side are equal and it suffices to compute
$$ -d \int_{U(d)} |\langle \varphi | U | e_1 \rangle|^2 \log\big( |\langle \varphi | U | e_1 \rangle|^2 \big)\, dU , \tag{4.10} $$
where $|e_1\rangle$ is the first vector in the computational basis, i.e. $|\langle \varphi | U | e_1 \rangle|^2$ is the length of the projection onto the first coordinate of $U^*|\varphi\rangle$. The Haar measure over $U(d)$ is the uniform distribution over the $d$-dimensional complex sphere which can be seen as the uniform distribution over the $2d$-dimensional real sphere $S^{2d} = \{ (X, Y) \in \mathbb{R}^{2d} \mid \sum_{i=1}^{d} X_i^2 + Y_i^2 = 1 \}$ where the complex coordinates are given by $(X_1 + iY_1, \ldots, X_d + iY_d)$. Setting $Z_i = X_i^2 + Y_i^2$ and $Z = (Z_1, \ldots, Z_d)$ and using a result from [HV06] about the projection of the uniform distribution over $S^{2d}$ to the first coordinate, we obtain that the density of $Z_1$ is $f(z) = (d-1)(1-z)^{d-2}\, dz$ for $z \in [0,1]$. Therefore, (4.10) equals
$$ -d \int_0^1 z \log(z) \cdot (d-1)(1-z)^{d-2}\, dz = \sum_{i=2}^{d} \frac{1}{i} \Big/ \ln(2) , $$
where the evaluation of this integral follows from standard calculus. By convexity of the Shannon entropy, the bound also holds for mixed states and the claim follows.

The following table gives some numerical values of $h_d$ for small values of $d$.

    d             2      4      8      16
    h_d           0.72   1.56   2.48   3.43
    h_d / log(d)  0.72   0.78   0.83   0.86

It is well-known that the harmonic series in Proposition 4.25 diverges in the same way as $\log(d)$ and therefore, $h_d / \log(d)$ goes to 1 for large dimensions $d$.
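As an added numerical check, not part of the thesis, the following Python evaluates $h_d$ both from the closed form of Proposition 4.25 and by integrating against the density $(d-1)(1-z)^{d-2}$ from the proof with a midpoint rule (the step count is a constructed choice), and reproduces the table above:

```python
import math


def h_d_closed(d: int) -> float:
    """Overall average entropic uncertainty bound h_d = (sum_{i=2}^d 1/i) / ln 2."""
    return sum(1.0 / i for i in range(2, d + 1)) / math.log(2)


def h_d_integral(d: int, steps: int = 200_000) -> float:
    """Evaluate -d * int_0^1 z log2(z) (d-1)(1-z)^(d-2) dz with a midpoint rule.
    The integrand is bounded on [0,1] because z log z -> 0 as z -> 0."""
    dz = 1.0 / steps
    total = 0.0
    for k in range(steps):
        z = (k + 0.5) * dz
        total += z * math.log2(z) * (d - 1) * (1.0 - z) ** (d - 2)
    return -d * total * dz


def ratio_to_log_d(d: int) -> float:
    """h_d / log2(d); tends to 1 since the harmonic sum grows like log d."""
    return h_d_closed(d) / math.log2(d)


def table(dims=(2, 4, 8, 16)):
    """{d: (h_d, h_d/log d)} rounded to two decimals, as in the thesis table."""
    return {d: (round(h_d_closed(d), 2), round(ratio_to_log_d(d), 2)) for d in dims}


if __name__ == "__main__":
    for d, (h, r) in table().items():
        print(f"d={d:2d}  h_d={h:.2f}  h_d/log d={r:.2f}  integral={h_d_integral(d):.4f}")
```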
Chapter 5 Rabin OT in the Bounded-Quantum-Storage Model

In this chapter, we present an efficient protocol for Rabin Oblivious Transfer which is secure in the bounded-quantum-storage model. It first appeared in [DFSS05]; a journal version of this paper is in preparation [DFSS08].

5.1 The Definition

A protocol for Rabin Oblivious Transfer (Rabin OT) between sender Alice and receiver Bob allows for Alice to send a bit $b$ through an erasure channel to Bob. Each transmission delivers $b$ or an erasure with probability $\tfrac12$. Intuitively, a protocol for Rabin OT is secure if
• the sender Alice gets no information on whether $b$ was received or not, no matter what she does, and
• the receiver Bob gets no information about $b$ with probability at least $\tfrac12$, no matter what he does.

In this chapter, we are considering quantum protocols for Rabin OT. This means that while the inputs and outputs of the honest senders are classical, described by random variables, the protocol may contain quantum computation and quantum communication, and the view of a dishonest player is quantum, and is thus described by a quantum state. Any such (two-party) protocol is specified by a family $\{(\mathsf{S}_n, \mathsf{R}_n)\}_{n>0}$ of pairs of interactive quantum circuits (i.e. interacting through a quantum channel). Each pair is indexed by a security parameter $n > 0$, where $\mathsf{S}_n$ and $\mathsf{R}_n$ denote the circuits for sender Alice and receiver Bob, respectively. In order to simplify the notation, we often omit the index $n$, leaving the dependency on it implicit.

For the formal definition of the security requirements of a Rabin OT protocol, let us fix the following notation. Let $B$ denote the binary random variable describing $\mathsf{S}$'s input bit $b$, and let $A$ and $Y$ denote the binary random variables describing $\mathsf{R}$'s two output bits, where the meaning is that $A$ indicates whether the bit was received or not. Furthermore, for a dishonest sender $\tilde{\mathsf{S}}$, the final state of a fixed candidate protocol for Rand 1-2 OT can be described by the ccq-state $\rho_{AY\tilde{\mathsf{S}}}$ where (by slight abuse of notation) we also denote by $\tilde{\mathsf{S}}$ the quantum register that the sender outputs. Its state may depend on $A$ and $Y$. Similarly, for a dishonest receiver $\tilde{\mathsf{R}}$, we have the cq-state $\rho_{B\tilde{\mathsf{R}}}$.

Definition 5.1 A two-party (quantum) protocol $(\mathsf{S}, \mathsf{R})$ is an $\varepsilon$-secure Rabin OT if the following holds:

$\varepsilon$-Correctness: For honest $\mathsf{S}$ and $\mathsf{R}$, $P[B = Y \mid A = 1] \ge 1 - \varepsilon$.

$\varepsilon$-Receiver-security: For honest $\mathsf{R}$ and any dishonest $\tilde{\mathsf{S}}$ there exists¹ a binary random variable $B'$ such that $P[B' = Y \mid A = 1] \ge 1 - \varepsilon$, and $\delta\big( \rho_{AB'\tilde{\mathsf{S}}},\ \mathbb{1} \otimes \rho_{B'\tilde{\mathsf{S}}} \big) \le \varepsilon$.

$\varepsilon$-Sender-security: For any $\tilde{\mathsf{R}}$ there exists an event $\mathcal{E}$ with $P[\mathcal{E}] \ge \tfrac12 - \varepsilon$ such that $\delta\big( \rho_{B\tilde{\mathsf{R}}|\mathcal{E}},\ \rho_B \otimes \rho_{\tilde{\mathsf{R}}|\mathcal{E}} \big) \le \varepsilon$.

If any of the above holds for $\varepsilon = 0$, then the corresponding property is said to hold perfectly. If one of the properties only holds with respect to a restricted class $\mathcal{S}$ of $\tilde{\mathsf{S}}$'s respectively $\mathcal{R}$ of $\tilde{\mathsf{R}}$'s, then this property is said to hold (and the protocol is said to be secure) against $\mathcal{S}$ respectively $\mathcal{R}$.

Receiver-security requires that the joint quantum state is essentially the same as when the dishonest sender chooses a bit $B'$ according to some distribution and a (possibly dependent) quantum state, and gives $B'$ to an ideal functionality which passes it on to the receiver with probability $\tfrac12$. Sender-security requires that the joint quantum state is essentially the same as when the dishonest receiver gets the sender's bit $B$ with probability $\tfrac12$ and prepares some state that may depend on $B$ in case he receives it, and prepares some state that does not depend on $B$ otherwise.
In other words, security requires that the dishonest party cannot do more than when attacking an ideal functionality. From such a strong security guarantee we expect nice composition behavior, for instance like in [CSSW06]. Note that the original definition given in [DFSS05] does not guarantee that the distribution of the input bit is determined at the end of the execution of Rabin OT. This is a strictly weaker definition and does not fully capture what is expected from a Rabin OT: it is easy to see that if the dishonest sender can still influence his input bit after the execution of the protocol, then known schemes based on Rabin OT, like bit commitments, are not secure anymore. The security definition given here is in the spirit of the security definition from [DFR+07] for 1-2 OT, described in the next Chapter 6.

¹ Recall from Section 2.3: Given a cq-state $\rho_{XE}$, by saying that there exists a random variable $Y$ such that $\rho_{XYE}$ satisfies some condition, we mean that $\rho_{XE}$ can be understood as $\rho_{XE} = \mathrm{tr}_Y(\rho_{XYE})$ for a ccq-state $\rho_{XYE}$ that satisfies the required condition.

5.2 The Protocol

We present a quantum protocol for Rabin OT that will be shown perfectly correct and perfectly receiver-secure (against any sender) and statistically sender-secure against any quantum-memory-bounded receiver. Our protocol exhibits some similarity with quantum conjugate coding introduced by Wiesner [Wie83].

qot($b$):
1. $\mathsf{S}$ picks $x \in_R \{0,1\}^n$ and $r \in_R \{+,\times\}$ and sends $|\psi\rangle := |x\rangle_r$ to $\mathsf{R}$ (i.e. the string $x$ encoded in basis $r$).
2. $\mathsf{R}$ picks $r' \in_R \{+,\times\}$ and measures all qubits of $|\psi\rangle$ in basis $r'$. Let $x' \in \{0,1\}^n$ be the result.
3. $\mathsf{S}$ announces $r$, $f \in_R \mathcal{F}_n$, and $e := b \oplus f(x)$.
4. $\mathsf{R}$ outputs $a := 1$ and $y := e \oplus f(x')$ if $r' = r$ and else $a := 0$ and $y := 0$.
Figure 5.1: Quantum Protocol for Rabin OT

The protocol given in Figure 5.1 is very simple: $\mathsf{S}$ picks $x \in_R \{0,1\}^n$ and sends to $\mathsf{R}$ $n$ qubits in state either $|x\rangle_+$ or $|x\rangle_\times$, each chosen with probability $\tfrac12$. $\mathsf{R}$ then measures all received qubits either in the rectilinear or in the diagonal basis. With probability $\tfrac12$, $\mathsf{R}$ picked the right basis and gets $x$, while any $\tilde{\mathsf{R}}$ that is forced to measure part of the state (due to a memory bound) can only have full information on $x$ in case the $+$-basis was used or in case the $\times$-basis was used (but not in both cases). Privacy amplification based on any two-universal class of hashing functions $\mathcal{F}_n$ is then used to eliminate partial information (as explained in Section 2.5). For simplicity, we focus on the case where the output size of the family $\mathcal{F}_n$ is just one bit, i.e. $\ell = 1$, but all results of this chapter can easily be extended to Rabin OT$^\ell$ of $\ell$-bit strings, by using an output size $\ell > 1$ and adjusting the memory bounds accordingly, see Section 5.7.

In order to avoid aborting, we specify that if a dishonest $\tilde{\mathsf{S}}$ refuses to participate, or sends data in incorrect format, then $\mathsf{R}$ samples its output bits $a$ and $y$ both at random in $\{0,1\}$.

We first consider receiver-security.

Proposition 5.2 qot is perfectly receiver-secure.

It is obvious that no information about whether $\mathsf{R}$ has received the bit is leaked to any sender $\tilde{\mathsf{S}}$, since $\mathsf{R}$ does not send anything. However, one needs to show the existence of a random variable $B'$ as required by receiver-security.

Proof: Recall, the quantum state $\rho_{AY\tilde{\mathsf{S}}}$ is defined by the experiment where the dishonest sender $\tilde{\mathsf{S}}$ interacts with the honest memory-bounded $\mathsf{R}$. Consider a modification of the experiment where we allow $\mathsf{R}$ to be unbounded in memory and where $\mathsf{R}$ waits to receive $r$ and then measures all qubits in basis $r$. Let $X'$ be the resulting string.
Nevertheless, $\mathsf{R}$ picks $r' \in_R \{+,\times\}$ at random and outputs $(A, Y) = (0, 0)$ if $r' \ne r$ and $(A, Y) = (1, e \oplus f(X'))$ if $r' = r$. Since the only difference between the two experiments is when $\mathsf{R}$ measures the qubits and in what basis $\mathsf{R}$ measures them when $r \ne r'$, in which case his final output is independent of the measurement outcome, the two experiments result in the same $\rho_{AY\tilde{\mathsf{S}}}$. However, in the modified experiment we can choose $B'$ to be $e \oplus f(X')$, such that by construction $B' = Y$ if $A = 1$ and $A$ is uniformly distributed, independent of anything, and thus $\rho_{AB'\tilde{\mathsf{S}}} = \mathbb{1} \otimes \rho_{B'\tilde{\mathsf{S}}}$.

As we shall see in Section 5.4, the security of the qot protocol against receivers with bounded-size quantum memory holds as long as the bound applies before Step 3 is reached. An equivalent protocol is obtained by purifying the sender's actions. Although qot is easy to implement, the purified or EPR-based version depicted in Figure 5.2 is easier to prove secure. This technique was pioneered by Ekert [Eke91] in the scenario of quantum key distribution. A similar approach was taken in the Shor-Preskill proof of security for the BB84 quantum-key-distribution scheme [SP00].

epr-qot($b$):
1. $\mathsf{S}$ prepares $n$ EPR pairs each in state $|\Omega\rangle = \tfrac{1}{\sqrt2}(|00\rangle + |11\rangle)$ and sends one half of each pair to $\mathsf{R}$ and keeps the other halves.
2. $\mathsf{R}$ picks $r' \in_R \{+,\times\}$ and measures all received qubits in basis $r'$. Let $x' \in \{0,1\}^n$ be the result.
3. $\mathsf{S}$ picks $r \in_R \{+,\times\}$, and measures all kept qubits in basis $r$. Let $x \in \{0,1\}^n$ be the outcome. $\mathsf{S}$ announces $r$, $f \in_R \mathcal{F}_n$, and $e := b \oplus f(x)$.
4. $\mathsf{R}$ outputs $a := 1$ and $y := e \oplus f(x')$ if $r' = r$ and else $a := 0$ and $y := 0$.

Figure 5.2: Protocol for EPR-based Rabin OT

Notice that while qot requires no quantum memory for honest players, quantum memory for $\mathsf{S}$ seems to be required in epr-qot.
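As an added illustration, not code from the thesis, the following Python simulates honest runs of qot from Figure 5.1 under a constructed classical model of the noise-free BB84 channel (matching bases return $x$ exactly, mismatched bases return uniformly random bits), with the two-universal family $f_a(x) = \langle a, x\rangle \bmod 2$ standing in for $\mathcal{F}_n$. It checks perfect correctness on received bits, the erasure rate of about $\tfrac12$, and that a receiver who measured in the wrong basis learns nothing about $b$ from $e$:

```python
import random


def measure(x, r, r_prime, rng):
    """Constructed classical model of measuring the qubits |x>_r in basis r'
    over a noise-free channel: matching bases reproduce x exactly, mismatched
    bases give uniformly random bits."""
    if r == r_prime:
        return list(x)
    return [rng.randrange(2) for _ in x]


def f_hash(a, x):
    """f_a(x) = <a, x> mod 2 (inner product over GF(2)). The family {f_a} is
    two-universal: for x != x' the outputs collide with probability 1/2 over a."""
    return sum(ai & xi for ai, xi in zip(a, x)) % 2


def qot(b, n, rng):
    """One honest run of qot(b) (Figure 5.1). Returns (a, y, guess) where
    (a, y) is R's output and guess = e XOR f(x') is computed regardless of the
    bases, to see what a wrong-basis measurement reveals about b."""
    x = [rng.randrange(2) for _ in range(n)]       # Step 1: S picks x ...
    r = rng.choice("+x")                           # ... and r, sends |x>_r
    r_prime = rng.choice("+x")                     # Step 2: R picks r' ...
    x_prime = measure(x, r, r_prime, rng)          # ... and measures
    a_vec = [rng.randrange(2) for _ in range(n)]   # Step 3: S announces r, f ...
    e = b ^ f_hash(a_vec, x)                       # ... and e = b XOR f(x)
    guess = e ^ f_hash(a_vec, x_prime)
    if r_prime == r:                               # Step 4: R's output
        return 1, guess, guess
    return 0, 0, guess


def simulate(trials, n=16, seed=7):
    """Returns (P[B = Y | A = 1], P[A = 1], P[guess = B | A = 0]) over many runs."""
    rng = random.Random(seed)
    received = correct = missed = lucky = 0
    for _ in range(trials):
        b = rng.randrange(2)
        a, y, guess = qot(b, n, rng)
        if a == 1:
            received += 1
            correct += (y == b)
        else:
            missed += 1
            lucky += (guess == b)
    return correct / received, received / trials, lucky / missed


if __name__ == "__main__":
    corr, recv, lucky = simulate(4000)
    print(f"P[B=Y|A=1]={corr:.3f}  P[A=1]={recv:.3f}  wrong-basis guess={lucky:.3f}")
```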
The following lemma shows the strict security equivalence between qot and epr-qot.

Lemma 5.3 qot is $\varepsilon$-sender-secure if and only if epr-qot is.

Proof: The proof follows easily after observing that $\mathsf{S}$'s choices of $r$ and $f$, together with the measurements, all commute with $\tilde{\mathsf{R}}$'s actions. Therefore, they can be performed right after Step 1 with no change for $\tilde{\mathsf{R}}$'s view. Modifying epr-qot that way results in qot.

Note that for a dishonest receiver it is not only irrelevant whether he tries to attack qot or epr-qot, but in fact there is no difference in the two protocols from his point of view.

5.3 Modeling Dishonest Receivers

We model dishonest receivers in qot, respectively epr-qot, under the assumption that the maximum size of their quantum storage is bounded. These adversaries are only required to have bounded quantum storage when they reach Step 3 in (epr-)qot. Before (and after) that, the adversary can store and carry out quantum computations involving any number of qubits. Apart from the restriction on the size of the quantum memory available to the adversary, no other assumption is made. In particular, the adversary is not assumed to be computationally bounded and the size of its classical memory is not restricted.

Definition 5.4 The set $\mathcal{R}_\gamma$ denotes all possible quantum dishonest receivers $\{\tilde{\mathsf{R}}_n\}_{n>0}$ in qot or epr-qot where for each $n > 0$, $\tilde{\mathsf{R}}_n$ has quantum memory of size at most $\gamma n$ when Step 3 is reached.

In general, the adversary $\tilde{\mathsf{R}}$ is allowed to perform any quantum computation compressing the $n$ qubits received from $\mathsf{S}$ into a quantum register $M$ of size at most $\gamma n$ when Step 3 is reached. More precisely, the compression function is implemented by some unitary transform $T$ acting upon the quantum state received and an ancilla register of arbitrary size (initially in the state $|0\rangle$).
The compression is performed by a measurement that we assume in the computational basis without loss of generality. Before starting Step 3, the adversary first applies a unitary transform $T$:
$$ 2^{-n/2} \sum_{x \in \{0,1\}^n} |x\rangle \otimes T|x\rangle|0\rangle \;\mapsto\; 2^{-n/2} \sum_{x \in \{0,1\}^n} |x\rangle \otimes \sum_{y} \alpha_{x,y}\, |\varphi_{x,y}\rangle_M |y\rangle_Y , $$
where for all $x$, $\sum_y |\alpha_{x,y}|^2 = 1$. Then, a measurement in the computational basis is applied to register $Y$ providing classical outcome $y$. The result is a quantum state in register $M$ of size $\gamma n$ qubits. Ignoring the value of $y$ to ease the notation, the re-normalized state of the system in its most general form when Step 3 in epr-qot is reached is thus of the form
$$ |\psi\rangle = \sum_{x \in \{0,1\}^n} \alpha_x |x\rangle \otimes |\varphi_x\rangle_M , $$
where $\sum_x |\alpha_x|^2 = 1$. We will prove security for any such state $|\psi\rangle$ and thus conditioned on any value $y$ that may be observed. It is therefore safe to leave the dependency on $y$ implicit.

5.4 Security Against Dishonest Receivers

In this section, we use the uncertainty relation derived in Section 4.3 to show that epr-qot is secure against any dishonest receiver having access to a quantum storage device of size strictly smaller than half the number of qubits received at Step 1.

Theorem 5.5 For all $\gamma < \tfrac12$, qot is $\varepsilon$-secure for a negligible (in $n$) $\varepsilon$ against $\mathcal{R}_\gamma$.

Proof: After Lemmas 5.3 and 5.2, it remains to show that epr-qot is $\varepsilon$-sender-secure against $\mathcal{R}_\gamma$. Since $\gamma < \tfrac12$, we can find $\kappa > 0$ with $\gamma + \kappa < \tfrac12$. Consider a dishonest receiver $\tilde{\mathsf{R}}$ in epr-qot with quantum memory of size $\gamma n$. Let $R$ and $X$ denote the random variables describing the basis $r$ and the outcome $x$ of $\mathsf{S}$'s measurement (in basis $r$) in Step 3 of epr-qot, respectively.
We implicitly understand the distribution of $X$ given $R$ to be conditioned on the classical outcome $y$ of the measurement $\tilde{\mathsf{R}}$ performed when the memory bound applies, as described in Section 5.3; the following analysis works no matter what $y$ is. Corollary 4.17 with $\lambda = \gamma + \kappa$ implies the existence of $\varepsilon$ negligible in $n$ and an event $\mathcal{E}$ such that $P[\mathcal{E}] \ge \tfrac12 - \varepsilon$ and such that $H_\infty(X \mid R = r, \mathcal{E}) \ge \gamma n + \kappa n$ for any relevant $r$. Note that by construction, the random variables $X$ and $R$, and thus also the event $\mathcal{E}$, are independent of the sender's input bit $B$, and hence $\rho_{B|\mathcal{E}} = \rho_B$. It remains to show that $\delta\big( \rho_{B\tilde{\mathsf{R}}|\mathcal{E}},\ \rho_{B|\mathcal{E}} \otimes \rho_{\tilde{\mathsf{R}}|\mathcal{E}} \big) \le \varepsilon$. As the bit $B$ is masked by the output of the two-universal hash function $F(X)$ in Step 4 of epr-qot (where the random variable $F$ represents the random choice for $f$), it suffices to show that $F(X)$ is close to uniform and essentially independent from $\tilde{\mathsf{R}}$'s view, conditioned on $\mathcal{E}$. But this is guaranteed by the above bound on $H_\infty(X \mid R = r, \mathcal{E})$ and by the privacy-amplification theorem (Corollary 2.25 with $\varepsilon := 0$, $\ell := 1$, $q := \gamma n$ and $U$ constant).

5.5 On the Necessity of Privacy Amplification

In this section, we show that randomized privacy amplification is needed for protocol qot to be secure. For instance, it is tempting to believe that the sender could use the XOR $\bigoplus_i x_i$ in order to mask the bit $b$, rather than $f(x)$ for a randomly sampled $f \in \mathcal{F}_n$. This would reduce the communication complexity as well as the number of random coins needed. However, we argue in this section that this is not secure (against an adversary as we model it). Indeed, somewhat surprisingly, this variant can be broken by a dishonest receiver that has no quantum memory at all (but that can do coherent measurements on pairs of qubits) in the case $n$ is even. For odd $n$, the dishonest receiver needs to store a single qubit.
Clearly, a dishonest receiver can break the modified scheme qot and learn the bit $b$ with probability 1 if he can compute $\bigoplus_i x_i$ with probability 1. Note that, using the equivalence between qot and epr-qot, $x_i$ can be understood as the outcome of the measurement in either the $+$- or the $\times$-basis, performed by the sender on one part of an EPR pair while the other is handed over to the receiver. The following proposition shows that indeed the receiver can learn $\bigoplus_i x_i$ by a suitable measurement of his parts of the EPR pairs. Concretely, he measures the qubits he receives pair-wise by a suitable measurement which allows him to learn the XOR of the two corresponding $x_i$'s, no matter what the basis is (and he needs to store one single qubit in case $n$ is odd). This obviously allows him to learn the XOR of all $x_i$'s in all cases.

Proposition 5.6 Consider two EPR pairs, i.e., $|\psi\rangle = \tfrac12 \sum_x |x\rangle_S |x\rangle_R$ where $x$ ranges over $\{0,1\}^2$. Let $r \in \{+,\times\}$, and let $x_1$ and $x_2$ be the result when measuring the two qubits in register $S$ in basis $r$. There exists a fixed measurement for register $R$ so that the outcome together with $r$ uniquely determines $x_1 \oplus x_2$.

Proof: The measurement that does the job is the Bell measurement, i.e., the measurement in the Bell basis $\{|\Phi^+\rangle, |\Psi^+\rangle, |\Phi^-\rangle, |\Psi^-\rangle\}$. Recall,
$$
\begin{aligned}
\Phi^+ &= \tfrac{1}{\sqrt2}\big( |00\rangle_+ + |11\rangle_+ \big) = \tfrac{1}{\sqrt2}\big( |00\rangle_\times + |11\rangle_\times \big) \\
\Psi^+ &= \tfrac{1}{\sqrt2}\big( |01\rangle_+ + |10\rangle_+ \big) = \tfrac{1}{\sqrt2}\big( |00\rangle_\times - |11\rangle_\times \big) \\
\Phi^- &= \tfrac{1}{\sqrt2}\big( |00\rangle_+ - |11\rangle_+ \big) = \tfrac{1}{\sqrt2}\big( |01\rangle_\times + |10\rangle_\times \big) \\
\Psi^- &= \tfrac{1}{\sqrt2}\big( |01\rangle_+ - |10\rangle_+ \big) = \tfrac{1}{\sqrt2}\big( |10\rangle_\times - |01\rangle_\times \big) .
\end{aligned}
$$
Due to the special form of the Bell basis, when register $R$ is measured and, as a consequence, one of the four Bell states is observed, the state in register $S$ collapses to that same Bell state. Indeed, when doing the basis transformation, all cross-products cancel each other out.
It now follows by inspection that knowledge of the Bell state and the basis $r$ allows to predict the XOR of the two bits observed when measuring the Bell state in basis $r$. For instance, for the Bell state $|\Psi^+\rangle$, the XOR is 1 if $r = +$ and it is 0 if $r = \times$.

Note that from the proof above, one can see that the receiver's attack, respectively his measurement on each pair of qubits, can be understood as teleporting one of the two entangled qubits from the receiver to the sender using the other as EPR pair. However, the receiver does not send the outcome of his measurement to the sender, but keeps it in order to predict the XOR.

Clearly, the same strategy also works against any fixed linear function. Therefore, the only hope for doing deterministic privacy amplification is by using a non-linear function. However, it has been shown recently by Ballester, Wehner, and Winter [BWW06], that also this approach is doomed to fail in our scenario, because the outcome of any fixed Boolean function can be perfectly predicted by a dishonest receiver who can store a single qubit and later learns the correct basis $r \in \{+, \times\}$.

5.6 Weakening the Assumptions

Observe that qot requires error-free quantum communication, in that a transmitted bit $b$, that is encoded by the sender and measured by the receiver using the same basis, is always received as $b$. In addition, it also requires a perfect quantum source which on request produces one and only one qubit in the right state, e.g. one photon with the right polarization. Indeed, in case of noisy quantum communication, an honest receiver in qot is likely to receive an incorrect bit, and the sender-security of qot is vulnerable to imperfect sources that once in a while transmit more than one qubit in the same state: a malicious receiver $\tilde R$ can easily determine the basis $r \in \{+, \times\}$ and measure all the following qubits in the right basis. However, current technology only allows to approximate the behavior of single-photon sources and of noise-free quantum communication. It would be preferable to find a variant of qot that allows to weaken the technological requirements put upon the honest parties. In this section, we present such a protocol based on BB84 states [BB84], bb84-qot (see Figure 5.3). The security proof follows essentially by adapting the security analysis of qot in a rather straightforward way, as will be discussed later.

5.6.1 Weak Quantum Model

Let us consider a quantum channel with an error probability $\varphi < \frac12$, i.e., $\varphi$ denotes the probability that a transmitted bit $b$, that is encoded by the sender and measured by the receiver using the same basis, is received as $1 - b$. In order not to have the security rely on any level of noise, we assume the error probability to be zero when considering a dishonest receiver. Also, let us consider a quantum source which produces two or more qubits (in the same state), rather than just one, with probability $\eta < 1 - \varphi$. We call this the $(\varphi, \eta)$-weak quantum model. By adjusting the parameters, this model can also cope with dark counts and empty pulses, see Section 9.1.1.

In order to deal with noisy quantum communication, we need to do error-correction without giving the adversary too much information. Techniques to solve this problem are known as information reconciliation (as introduced for instance by Brassard and Salvail [BS93]) or as secure sketches introduced by Dodis, Reyzin, Smith [DRS04].
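The reconciliation step just described, as an added example that is not part of the thesis: a toy [7,4] Hamming code (an assumption of this example, standing in for the efficiently decodable, rate-optimal code $C_\ell$ that bb84-qot uses below) has its syndrome announced as the sketch, and the receiver corrects his noisy copy from the syndrome difference; the 16-bit input string and the flip positions are constructed.

```python
"""Added example (not from the thesis): information reconciliation by syndrome.

A toy [7,4] Hamming code stands in for the code C_l of the text: it corrects at
most one flipped bit per 7-bit block and reveals 3 syndrome bits per block, far
from the rate 1 - h(phi) the thesis assumes, but the mechanics are the same:
the sender announces S(x), and the receiver corrects x' using S(x') xor S(x).
"""

# Parity-check matrix of the [7,4] Hamming code: column j (1-based) is j written
# in binary, least significant bit in row 0, so a single-error syndrome names the
# flipped position directly.
H = [
    [1, 0, 1, 0, 1, 0, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
BLOCK = 7


def _blocks(bits):
    """Split a bit list into 7-bit blocks, zero-padding the last one (constructed choice)."""
    padded = list(bits) + [0] * (-len(bits) % BLOCK)
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]


def block_syndrome(block):
    """H * block over GF(2), as a tuple of 3 bits."""
    return tuple(sum(h * b for h, b in zip(row, block)) % 2 for row in H)


def syndrome(x):
    """S(x): the syndromes of all blocks of x; this is what the sender announces."""
    return [block_syndrome(blk) for blk in _blocks(x)]


def reconcile(x_prime, syn):
    """Receiver's side: recover x from the noisy copy x_prime and the announced S(x).

    H*(x' xor x) = S(x') xor S(x) is the column of H at the flipped position, so a
    single flip per block is located and undone.  Two or more flips in one block
    are mis-corrected silently, which is why the text needs a code whose
    correction capability matches the noise level phi.
    """
    out = []
    for blk, s_x in zip(_blocks(x_prime), syn):
        diff = tuple(a ^ b for a, b in zip(block_syndrome(blk), s_x))
        pos = diff[0] + 2 * diff[1] + 4 * diff[2]   # 0 means no error detected
        if pos:
            blk[pos - 1] ^= 1
        out.extend(blk)
    return out[:len(x_prime)]


def syndrome_length(l):
    """Number of bits S(x) reveals about an l-bit x with this code (s in the text)."""
    return 3 * len(_blocks([0] * l))


def flip(x, positions):
    """Constructed channel noise: flip x at the given positions."""
    y = list(x)
    for p in positions:
        y[p] ^= 1
    return y


if __name__ == "__main__":
    x = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0]   # constructed 16-bit string
    x_prime = flip(x, [2, 9, 15])                          # one flip in each of 3 blocks
    print(reconcile(x_prime, syndrome(x)) == x)            # True
    print(syndrome_length(len(x)))                         # 9
```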
Let $x \in \{0,1\}^\ell$ be an arbitrary string, and let $x' \in \{0,1\}^\ell$ be the result of flipping every bit in $x$ (independently) with probability $\varphi$. It is well known that learning the syndrome $S(x)$ of $x$, with respect to a suitable efficiently-decodable linear error-correcting code $C$ of length $\ell$, allows to recover $x$ from $x'$, except with negligible probability in $\ell$ (see, e.g., [Mau91, Cré97, DRS04]). Furthermore, it is known from coding theory that, for large enough $\ell$, such a code can be chosen with rate $R$ arbitrarily close to but smaller than $1 - h(\varphi)$, i.e., such that the syndrome length $s$ is bounded by $s < (h(\varphi) + \varepsilon)\ell$ where $\varepsilon > 0$ (see e.g. [Cré97] or the full version of [DRS04] and the references therein). Regarding the loss of information, we can use the privacy-amplification statement in form of Corollary 2.25 with $\varepsilon := 0$ and constant $U$ in a similar way as before, just by appending the classical syndrome $S(x)$ (of length $s$) to the quantum register $E$, which results in
$$\delta\big(\rho_{F(X)\,F\,S(X)\,E},\ \mathbb{1} \otimes \rho_{F\,S(X)\,E}\big) \le \tfrac12\, 2^{-\frac12 (H_\infty(X) - q - s - 1)}. \qquad (5.1)$$

Consider the protocol bb84-qot shown in Figure 5.3 in the $(\varphi, \eta)$-weak quantum model. The protocol uses an efficiently decodable linear code $C_\ell$, parametrized in $\ell \in \mathbb{N}$, with codeword length $\ell$, rate $R = 1 - h(\varphi) - \varepsilon$ for some small $\varepsilon > 0$, and being able to correct errors occurring with probability $\varphi$ (except with negligible probability). Let $S_\ell$ be the corresponding syndrome function. Like before, the memory bound in bb84-qot applies before Step 3.

bb84-qot($b$):
1. $S$ picks $x \in_R \{0,1\}^n$ and $\theta \in_R \{+, \times\}^n$ and sends $x_i$ in the corresponding bases $|x_1\rangle_{\theta_1}, \ldots, |x_n\rangle_{\theta_n}$ to $R$.
2. $R$ picks $r' \in_R \{+, \times\}$ and measures all qubits in basis $r'$. Let $x' \in \{0,1\}^n$ be the result.
3. $S$ picks $r \in_R \{+, \times\}$, sets $I := \{i : \theta_i = \{+, \times\}[r]\}$ and $\ell := |I|$, and announces $r$, $I$, $syn := S_\ell(x|_I)$, $f \in_R \mathcal{F}_\ell$, and $e := b \oplus f(x|_I)$.
4. $R$ recovers $x|_I$ from $x'|_I$ and $syn$, and outputs $a := 1$ and $b' := e \oplus f(x|_I)$ if $r' = r$ and else $a := 0$ and $b' := 0$.
Figure 5.3: Protocol for the BB84 version of Rabin OT

By the above mentioned properties of the code $C_\ell$, it is obvious that $R$ receives the correct bit $b$ if $r' = r$, except with negligible probability. (The error probability is negligible in $\ell$, but by Chernoff's inequality (Lemma 2.5), $\ell$ is linear in $n$ except with negligible probability.) Also, since there is no communication from $R$ to $S$, a dishonest sender $\tilde S$ cannot learn whether $R$ received the bit. In fact, bb84-qot can be shown perfectly receiver-secure in the same way as in Proposition 5.2. Similarly as for protocol qot, in order to argue about sender-security we compare bb84-qot with a purified version shown in Figure 5.4. bb84-epr-qot runs in the $(\varphi, 0)$-weak quantum model, and the imperfectness of the quantum source assumed in bb84-qot is simulated by $S$ in bb84-epr-qot so that there is no difference from $R$'s point of view. The security equivalence between bb84-qot (in the $(\varphi, \eta)$-weak quantum model) and bb84-epr-qot (in the $(\varphi, 0)$-weak quantum model) follows along the same lines as in Section 5.2.

Theorem 5.7 In the $(\varphi, \eta)$-weak quantum model, bb84-qot is $\varepsilon$-secure with $\varepsilon$ negligible in $n$ against $\mathcal{R}_\gamma$ for any $\gamma < \frac{1-\eta}{4} - \frac{h(\varphi)}{2}$ and $n$ large enough.

Proof Sketch: It remains to show that bb84-epr-qot is sender-secure against $\mathcal{R}_\gamma$ (in the $(\varphi, 0)$-weak quantum model). The reasoning goes analogous to the proof of Theorem 5.5, except that we restrict our attention to those $i$'s which are in $J$.
By Chernoff's inequality (Lemma 2.5), $\ell$ lies within $(1 \pm \varepsilon)\, n/2$ and $|J|$ within $(1 - \eta \pm \varepsilon)\, n/2$ except with negligible probability. In order to make the proof easier to read, we assume that $\ell = n/2$ and $|J| = (1 - \eta)\, n/2$, and we also treat the $\varepsilon$ occurring in the rate of the code $C_\ell$ as zero. For the full proof, we simply need to carry the $\varepsilon$'s along, and then choose them small enough at the end of the proof. Write $n' = |J| = (1 - \eta)\, n/2$, and let $\gamma'$ be such that $\gamma n = \gamma' n'$, i.e., $\gamma' = 2\gamma/(1 - \eta)$. Assume $\kappa > 0$ such that $\gamma' + \kappa < \frac12$, where we make sure later that such $\kappa$ exists.

bb84-epr-qot($b$):
1. $S$ prepares $n$ EPR pairs each in state $|\Omega\rangle = \frac{1}{\sqrt2}(|00\rangle + |11\rangle)$. Additionally, $S$ initializes $I'_+ := \emptyset$ and $I'_\times := \emptyset$. For every $i \in \{1, \ldots, n\}$, $S$ does the following. With probability $1 - \eta$, $S$ sends one half of the $i$-th pair to $R$ and keeps the other half. While with probability $\eta$, $S$ picks $\theta_i \in_R \{+, \times\}$, replaces $I'_{\theta_i}$ by $I'_{\theta_i} \cup \{i\}$ and sends two or more qubits in the same state $|x_i\rangle_{\theta_i}$ to $R$ where $x_i \in_R \{0,1\}$.
2. $R$ picks $r' \in_R \{+, \times\}$ and measures all received qubits in basis $r'$. Let $x' \in \{0,1\}^n$ be the result.
3. $S$ picks a random index set $J \subset_R \{1, \ldots, n\} \setminus (I'_+ \cup I'_\times)$. Then, it picks $r \in_R \{+, \times\}$, sets $I := J \cup I'_r$ and $\ell := |I|$, and for each $i \in J$ it measures the corresponding qubit in basis $r$. Let $x_i$ be the corresponding outcome, and let $x|_I$ be the collection of all $x_i$'s with $i \in I$. $S$ announces $r$, $I$, $syn = S_\ell(x|_I)$, $f \in_R \mathcal{F}_\ell$, and $e = b \oplus f(x|_I)$.
4. $R$ recovers $x|_I$ from $x'|_I$ and $syn$, and outputs $a := 1$ and $b' := e \oplus f(x|_I)$, if $r' = r$ and else $a := 0$ and $b' := 0$.
Figure 5.4: Protocol for EPR-based Rabin OT, BB84 version
It then follows from Corollary 4.17 that there exists an event $E$ such that $P[E] \ge \frac12 - negl(n') = \frac12 - negl(n)$ and
$$H_\infty\big(X|_J \,\big|\, R = r, E\big) \ge (\gamma' + \kappa)\, n' = \gamma n + \kappa (1 - \eta)\, n/2 .$$
By Inequality (5.1), it remains to argue that this is larger than $q + s = \gamma n + h(\varphi)\, n/2$, i.e.,
$$\kappa (1 - \eta) > h(\varphi),$$
where $\kappa$ has to satisfy
$$\kappa < \tfrac12 - \gamma' = \tfrac12 - 2\gamma/(1 - \eta).$$
This can obviously be achieved (by choosing $\kappa$ appropriately) if and only if the claimed bound on $\gamma$ holds.

5.7 Rabin OT of Strings

In this chapter, we only considered Rabin OT of one bit per invocation. Our technique can easily be extended to deal with Rabin OT$^\ell$ of $\ell$-bit strings, essentially by using a class of two-universal functions with range $\{0,1\}^{\ell n}$ rather than $\{0,1\}$, for some $\ell$ with $\gamma + \ell < \frac12$ (respectively $< \frac{1-\eta}{4} - \frac{h(\varphi)}{2}$ for bb84-qot).

Chapter 6 1-2 OT in the Bounded-Quantum-Storage Model

In the last chapter, we have shown how to construct Rabin OT securely in the bounded-quantum-storage model. Although other flavors of OT can be constructed from Rabin OT using standard reductions, a more direct approach gives a better ratio between storage-bound and communication-complexity. In this chapter, we present an efficient protocol for 1-2 Oblivious Transfer secure in the bounded-quantum-storage model. The protocol is very close to Wiesner's original "conjugate-coding" protocol [Wie83] from the early 70's. The uncertainty relation from Section 4.5 will be extensively used for proving the security. The results of this section appeared in [DFR+07].

6.1 The Definition

In 1-2 OT$^\ell$, the sender Alice sends two $\ell$-bit strings $S_0, S_1$ to the receiver Bob in such a way that Bob can choose which string he wants to receive, but does not learn anything about the other. Alice does not get to know which string Bob has chosen.
As explained in Chapter 3, the common way to build 1-2 OT$^\ell$ is by constructing a protocol for (Sender-)Randomized 1-2 OT$^\ell$, which then can easily be converted into an ordinary 1-2 OT$^\ell$. Rand 1-2 OT$^\ell$ essentially coincides with ordinary 1-2 OT$^\ell$, except that the two strings $S_0$ and $S_1$ are not input by the sender but generated uniformly at random during the protocol and output to the sender.

For the formal definition of the security requirements for a quantum protocol for Rand 1-2 OT$^\ell$, we translate the classical Definition 3.1 to the quantum setting using a similar notation as for the definition of Rabin OT in Section 5.1: Let $C$ denote the binary random variable describing receiver $R$'s choice bit, let $S_0, S_1$ denote the $\ell$-bit long random variables describing sender $S$'s output strings, and let $Y$ denote the $\ell$-bit long random variable describing $R$'s output string (supposed to be $S_C$). Furthermore, for a fixed candidate protocol for Rand 1-2 OT$^\ell$, and for a fixed input distribution for $C$, the overall quantum state in case of a dishonest sender $\tilde S$ is given by the ccq-state $\rho_{C Y \tilde S}$. Analogously, in the case of a dishonest receiver $\tilde R$, we have the ccq-state $\rho_{S_0 S_1 \tilde R}$.

Definition 6.1 (Rand 1-2 OT$^\ell$) An $\varepsilon$-secure Rand 1-2 OT$^\ell$ is a quantum protocol between $S$ and $R$, with $R$ having input $C \in \{0,1\}$ while $S$ has no input, such that for any distribution of $C$, the following holds:
$\varepsilon$-Correctness: If $S$ and $R$ follow the protocol, then $S$ gets output strings $S_0, S_1 \in \{0,1\}^\ell$ and $R$ gets $Y = S_C$ except with probability $\varepsilon$.
$\varepsilon$-Receiver-security: If $R$ is honest, then for any $\tilde S$, there exist[1] random variables $S'_0$ and $S'_1$ such that $\Pr[Y = S'_C] \ge 1 - \varepsilon$ and $\delta\big(\rho_{C S'_0 S'_1 \tilde S},\ \rho_C \otimes \rho_{S'_0 S'_1 \tilde S}\big) \le \varepsilon$.
$\varepsilon$-Sender-security: If $S$ is honest, then for any $\tilde R$, there exists a random variable $D \in \{0,1\}$ such that $\delta\big(\rho_{S_{1-D} S_D D \tilde R},\ \mathbb{1} \otimes \rho_{S_D D \tilde R}\big) \le \varepsilon$.
If any of the above holds for $\varepsilon = 0$, then the corresponding property is said to hold perfectly. If one of the properties only holds with respect to a restricted class $\mathcal{S}$ of $\tilde S$'s respectively $\mathcal{R}$ of $\tilde R$'s, then this property is said to hold and the protocol is said to be secure against $\mathcal{S}$ respectively $\mathcal{R}$.

Receiver-security, as defined here, implies that whatever a dishonest sender does is as good as the following: generate the ccq-state $\rho_{S'_0 S'_1 \tilde S}$ independently of $C$, let $R$ know $S'_C$, and output $\rho_{\tilde S}$. On the other hand, sender-security implies that whatever a dishonest receiver does is as good as the following: generate the ccq-state $\rho_{S_D D \tilde R}$ arbitrarily, let $S$ know $S_D$ and an independent uniformly distributed $S_{1-D}$, and output $\rho_{\tilde R}$. In other words, a protocol satisfying Definition 6.1 is a secure implementation of the natural Rand 1-2 OT$^\ell$ ideal functionality, except that it allows a dishonest sender to influence the distribution of $S_0$ and $S_1$, and the dishonest receiver to influence the distribution of the string of his choice. This is in particular good enough for constructing a standard 1-2 OT$^\ell$ in the straightforward way.

We would like to point out the importance of requiring the existence of $S'_0$ and $S'_1$ in the formulation of receiver-security in a quantum setting: requiring only that the sender learns no information on $C$, as is sufficient in the classical setting (see e.g. [CSSW06]), does not prevent a dishonest sender from obtaining $S_0, S_1$ by a suitable measurement after the execution of the protocol in such a way that he can choose $S_0 \oplus S_1$ at will, and $S_C$ is the string the receiver has obtained in the protocol.
This would for instance make the straightforward construction of a bit commitment[2] based on 1-2 OT insecure.

[1] Recall from Section 2.3: Given a cq-state $\rho_{XE}$, by saying that there exists a random variable $Y$ such that $\rho_{XYE}$ satisfies some condition, we mean that $\rho_{XE}$ can be understood as $\rho_{XE} = \mathrm{tr}_Y(\rho_{XYE})$ for a ccq-state $\rho_{XYE}$ that satisfies the required condition.
[2] The committer sends two random bits of parity equal to the bit he wants to commit to; the verifier chooses to receive at random one of those bits.

6.2 The Protocol

We present a quantum protocol for Rand 1-2 OT$^\ell$ that will be shown perfectly receiver-secure against any sender and statistically sender-secure against any quantum-memory-bounded receiver. The first two steps of the protocol are identical to Wiesner's "conjugate coding" protocol [Wie83] from circa 1970 for "transmitting two messages either but not both of which may be received". The simple protocol is described in Figure 6.1. The sender $S$ sends random BB84 states to the receiver $R$, who measures all received qubits according to his choice bit $C$. $S$ then picks randomly two functions from a fixed two-universal class of hash functions $\mathcal{F}_n$ from $\{0,1\}^n$ to $\{0,1\}^\ell$, where $\ell$ is to be determined later, and applies them to the bits encoded in the $+$-basis respectively the bits encoded in the $\times$-basis to obtain the output strings $S_0$ and $S_1$. Note that we may apply a function $f \in \mathcal{F}_n$ to an $n'$-bit string with $n' < n$ by padding it with zeros[3] (which does not decrease its entropy). $S$ announces the encoding bases and the hash functions to the receiver who then can compute $S_C$. Intuitively, a dishonest receiver who cannot store all the qubits until the right bases are announced will measure some qubits in the wrong basis and thus cannot learn both strings simultaneously.
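An honest execution of the protocol just described (Figure 6.1 below), simulated classically as an added example that is not code from the thesis: the BB84 channel is reduced to the rule that a wrong-basis measurement returns a uniformly random bit, and the abstract two-universal class $\mathcal{F}_n$ is instantiated, as an assumption of this example, by random $\ell \times n$ binary matrices acting over GF(2).

```python
"""Added example (not code from the thesis): an honest run of Rand 1-2 QOT^l (Figure 6.1).

Channel model: a BB84 qubit |x_i>_{theta_i} measured in basis theta_i yields x_i, and
measured in the other basis yields a uniformly random bit.  The two-universal class F_n
is instantiated (an assumption of this example) by random l x n binary matrices M with
f(x) = M x over GF(2); the thesis keeps F_n abstract.
"""
import random

PLUS, TIMES = "+", "x"   # the two BB84 bases; 'x' stands for the cross basis


def measure(x, theta, basis, rng):
    """Classical stand-in for measuring every |x_i>_{theta_i} in `basis`."""
    return [xi if ti == basis else rng.randrange(2) for xi, ti in zip(x, theta)]


def padded_restriction(x, index_set):
    """x|_{circ I}: keep x_i for i in I and set every other position to 0 (Section 2.1)."""
    return [xi if i in index_set else 0 for i, xi in enumerate(x)]


def random_hash(n, l, rng):
    """A random member of {x -> M x over GF(2) : M in {0,1}^{l x n}}."""
    return [[rng.randrange(2) for _ in range(n)] for _ in range(l)]


def apply_hash(matrix, x):
    """f(x) = M x over GF(2), as a list of l bits."""
    return [sum(m * xi for m, xi in zip(row, x)) % 2 for row in matrix]


def run_rand_12_qot(n, l, c, seed=0):
    """Honest S and honest R with choice bit c.  Returns S's and R's outputs."""
    rng = random.Random(seed)
    # Step 1: S picks x, theta and sends |x_1>_{theta_1}, ..., |x_n>_{theta_n}.
    x = [rng.randrange(2) for _ in range(n)]
    theta = [rng.choice((PLUS, TIMES)) for _ in range(n)]
    # Step 2: R measures all qubits in basis [+, x]_c.
    x_prime = measure(x, theta, (PLUS, TIMES)[c], rng)
    # Step 3: S picks f_0, f_1, announces theta, f_0, f_1, outputs s_0 and s_1.
    f = [random_hash(n, l, rng), random_hash(n, l, rng)]
    index_sets = [{i for i, t in enumerate(theta) if t == (PLUS, TIMES)[b]} for b in (0, 1)]
    s = [apply_hash(f[b], padded_restriction(x, index_sets[b])) for b in (0, 1)]
    # Step 4: R, now knowing theta and f_c, outputs s_c from his own results.
    r_output = apply_hash(f[c], padded_restriction(x_prime, index_sets[c]))
    # Not a protocol step: what R obtains by hashing his wrong-basis results with f_{1-c}.
    r_other_guess = apply_hash(f[1 - c], padded_restriction(x_prime, index_sets[1 - c]))
    return {"s0": s[0], "s1": s[1], "r_output": r_output, "r_other_guess": r_other_guess}


def receiver_gets_chosen_string(n, l, c, seed=0):
    """Correctness: R's output equals s_c as output by S."""
    run = run_rand_12_qot(n, l, c, seed)
    return run["r_output"] == (run["s0"], run["s1"])[c]


def other_string_guess_matches(n, l, c, seed=0):
    """True iff R's wrong-basis guess happens to equal s_{1-c}; about 2^-l of the time."""
    run = run_rand_12_qot(n, l, c, seed)
    return run["r_other_guess"] == (run["s0"], run["s1"])[1 - c]


if __name__ == "__main__":
    print(receiver_gets_chosen_string(64, 8, 1))                        # True
    hits = sum(other_string_guess_matches(64, 8, 1, seed) for seed in range(200))
    print(hits, "accidental matches of the other string in 200 runs")   # around 1
```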
Rand 1-2 QOT$^\ell$: Let $c$ be $R$'s choice bit.
1. $S$ picks $x \in_R \{0,1\}^n$ and $\theta \in_R \{+, \times\}^n$ and sends $|x_1\rangle_{\theta_1}, |x_2\rangle_{\theta_2}, \ldots, |x_n\rangle_{\theta_n}$ to $R$.
2. $R$ measures all qubits in basis $[+, \times]_c$. Let $x' \in \{0,1\}^n$ be the result.
3. $S$ picks two hash functions $f_0, f_1 \in_R \mathcal{F}_n$, announces $\theta$ and $f_0, f_1$ to $R$, and outputs $s_0 := f_0(x|_{\circ I_0})$ and $s_1 := f_1(x|_{\circ I_1})$ where $I_b := \{i : \theta_i = [+, \times]_b\}$.
4. $R$ outputs $s_c = f_c(x'|_{\circ I_c})$.
Figure 6.1: Quantum Protocol for Rand 1-2 OT$^\ell$.

We would like to stress that although protocol description and analysis are designed for an ideal setting with perfect noiseless quantum communication and with perfect sources and detectors, all our results can easily be extended to a more realistic noisy setting along the same lines as in the previous Chapter 5.

It is clear by the non-interactivity of Rand 1-2 QOT$^\ell$ that a dishonest sender cannot learn anything about the receiver's choice bit. Below, we show Rand 1-2 QOT$^\ell$ perfectly receiver-secure according to Definition 6.1.

Proposition 6.2 Rand 1-2 QOT$^\ell$ is perfectly receiver-secure.

Proof: Recall that the ccq-state $\rho_{C Y \tilde S}$ is defined by the experiment where $\tilde S$ interacts with the honest memory-bounded $R$. We now define (in a new Hilbert space) the ccccq-state $\hat\rho_{\hat C \hat Y \hat S'_0 \hat S'_1 \tilde S}$ by a slightly different experiment: We let $\tilde S$ interact with a receiver with unbounded quantum memory, which waits to receive $\theta$ and then measures the $i$-th qubit in basis $\theta_i$ for $i = 1, \ldots, n$. Let $X$ be the resulting string, and define $\hat S'_0 = f_0(X|_{\circ I_0})$ and $\hat S'_1 = f_1(X|_{\circ I_1})$. Finally, sample $\hat C$ according to $P_C$ and set $\hat Y = \hat S'_{\hat C}$.

[3] Recall the notation for padding $x|_{\circ I}$ introduced in Section 2.1.
It follows by construction that $\Pr[\hat Y \ne \hat S'_{\hat C}] = 0$ and $\hat\rho_{\hat C}$ is independent of $\hat\rho_{\hat S'_0 \hat S'_1 \tilde S}$. It remains to argue that $\hat\rho_{\hat C \hat Y \tilde S} = \rho_{C Y \tilde S}$, so that corresponding $S'_0$ and $S'_1$ also exist in the original experiment. But this is obviously satisfied since the only difference between the two experiments is when and in what basis the qubits at position $i \in I_{1-C}$ are measured, which, once $C$ is fixed, cannot influence $\rho_{Y \tilde S}$ respectively $\hat\rho_{\hat Y \tilde S}$.

6.3 Security Against Dishonest Receivers

As in Section 5.3, we model dishonest receivers in Rand 1-2 QOT$^\ell$ under the assumption that the maximum size of their quantum storage is bounded. Such adversaries are only required to have bounded quantum storage when Step 3 in Rand 1-2 QOT$^\ell$ is reached. Before and after that, the adversary can store and carry out arbitrary quantum computations involving any number of qubits. Apart from the restriction on the size of the quantum memory available to the adversary, no other assumption is made. In particular, the adversary is not assumed to be computationally bounded and the size of its classical memory is not restricted.

Definition 6.3 The set $\mathcal{R}_\gamma$ denotes all possible quantum dishonest receivers $\tilde R$ in Rand 1-2 QOT$^\ell$ which have quantum memory of size at most $\gamma n$ when Step 3 is reached.

First, we consider a purified version of Rand 1-2 QOT$^\ell$, EPR Rand 1-2 QOT$^\ell$ in Figure 6.2, where $S$ prepares an EPR pair $|\Phi\rangle = \frac{1}{\sqrt2}(|00\rangle + |11\rangle)$ instead of $|x_i\rangle_{\theta_i}$ and sends one part to the receiver while keeping the other. Only when Step 3 is reached and $\tilde R$'s quantum memory is bound to $\gamma n$ qubits, $S$ measures her qubits in basis $\theta \in_R \{+, \times\}^n$. It is easy to see that for any $\tilde R$, EPR Rand 1-2 QOT$^\ell$ is equivalent to the original Rand 1-2 QOT$^\ell$, and it suffices to prove sender-security for the former.
Indeed, $S$'s choices of $\theta$ and $f_0, f_1$, together with the measurements, all commute with $R$'s actions. Therefore, they can be performed right after Step 1 with no change for $R$'s view. Modifying EPR Rand 1-2 QOT$^\ell$ that way results in Rand 1-2 QOT$^\ell$.

Theorem 6.4 Rand 1-2 QOT$^\ell$ is $\varepsilon$-secure against $\mathcal{R}_\gamma$ for a negligible (in $n$) $\varepsilon$ if there exists $\delta > 0$ such that $\gamma n \le n/4 - 2\ell - \delta n$.

The proof has the same structure as the security-proof for the reduction OT2UOT described at the end of Section 3.4.2. The uncertainty relation from Section 4.5 lower bounds the dishonest receiver's (smooth) min-entropy about the sender's $X$. Hence, we have an (imperfect) $(\infty, \frac n2)$-UOT$(\{0,1\}^n)$ from which we get an ordinary Rand 1-2 OT$^\ell$ via the min-entropy splitting lemma and privacy amplification against quantum adversaries.

EPR Rand 1-2 QOT$^\ell$:
1. $S$ prepares $n$ EPR pairs each in state $|\Omega\rangle = \frac{1}{\sqrt2}(|00\rangle + |11\rangle)$ and sends one half of each pair to $R$ and keeps the other halves.
2. $R$ measures all qubits in basis $[+, \times]_c$. Let $x' \in \{0,1\}^n$ be the result.
3. $S$ picks random $\theta \in_R \{+, \times\}^n$, and she measures the $i$th qubit in basis $\theta_i$. Let $x \in \{0,1\}^n$ be the outcome. $S$ picks two hash functions $f_0, f_1 \in_R \mathcal{F}_n$, announces $\theta$ and $f_0, f_1$ to $R$ and outputs $s_0 := f_0(x|_{\circ I_0})$ and $s_1 := f_1(x|_{\circ I_1})$ where $I_b := \{i : \theta_i = [+, \times]_b\}$.
4. $R$ outputs $s_c = f_c(x'|_{\circ I_c})$.
Figure 6.2: Protocol for EPR-based Rand 1-2 OT$^\ell$.

Proof: Consider the ccq-state $\rho_{X \Theta \tilde R}$ in EPR Rand 1-2 QOT$^\ell$ after $\tilde R$ has measured all but $\gamma n$ of his qubits, where $X$ describes the outcome of the sender measuring her part of the state in random basis $\Theta$. Also, let $F_0$ and $F_1$ be the random variables that describe the random and independent choices of $f_0, f_1 \in \mathcal{F}_n$.
Finally, let $X_b$ be $X_b = X|_{\circ \{i : \Theta_i = [+, \times]_b\}}$ (padded with zeros so it makes sense to apply $F_b$). Choose $\lambda, \lambda', \kappa$ all positive, but small enough such that (for large enough $n$)
$$\gamma n \le (1/4 - \lambda - \lambda' - \kappa)\, n - 1 - 2\ell .$$
From the uncertainty relation (Corollary 4.23), we know that $H^\varepsilon_\infty(X_0 X_1 \mid \Theta) \ge (1/2 - 2\lambda)\, n$ for $\varepsilon$ exponentially small in $n$. Therefore, by the Min-Entropy Splitting Lemma 2.15, there exists a binary random variable $D$ such that
$$H^\varepsilon_\infty(X_{1-D} D \mid \Theta) \ge (1/4 - \lambda)\, n .$$
We denote by the random variables $F_0, F_1$ Alice's choices of hash functions. It is clear that we can condition (for free) on the independent $F_D$. We write $S_D = F_D(X_D)$, set $\varepsilon' = 2^{-\lambda' n}$, and use the chain rule (Lemma 2.12) to condition on $D, S_D$ as well:
$$H^{\varepsilon + \varepsilon'}_\infty(X_{1-D} \mid \Theta F_D D S_D) \ge H^\varepsilon_\infty(X_{1-D} D S_D \mid \Theta F_D) - H_0(D S_D \mid \Theta F_D) - \lambda' n \ge (1/4 - \lambda - \lambda')\, n - 1 - \ell \ge \gamma n + \ell + \kappa n,$$
by the choice of $\lambda, \lambda', \kappa$. We can now apply privacy amplification in form of Corollary 2.25 to obtain
$$\delta\big(\rho_{S_{1-D} F_{1-D} \Theta F_D D S_D \tilde R},\ \mathbb{1} \otimes \rho_{F_{1-D} \Theta F_D D S_D \tilde R}\big) \le \tfrac12\, 2^{-\frac12 \left( H^{\varepsilon + \varepsilon'}_\infty(X_{1-D} \mid \Theta S_D F_D D) - \gamma n - \ell \right)} + (\varepsilon + \varepsilon') \le \tfrac12\, 2^{-\frac12 \kappa n} + \varepsilon + \varepsilon',$$
which is negligible. This shows $\varepsilon$-sender-security according to Definition 6.1.

6.4 Extensions

6.4.1 1-2 OT$^\ell$ with Longer Strings

It is possible to extend recent techniques by Wullschleger [Wul07] described in Section 3.4.3 to the quantum case and hence, the security of Rand 1-2 QOT$^\ell$ can be proven against $\mathcal{R}_\gamma$ if there exists $\delta > 0$ such that $\gamma n \le n/4 - \ell - \delta n$.

6.4.2 Weakening the Assumptions

As described in Section 5.6 for Rabin OT, we can extend protocol Rand 1-2 QOT to work in the $(\varphi, \eta)$-weak quantum model. To enable the receiver to recover from errors in the transmission, the sender $S$ additionally sends error-correcting information in Step 3.
The players agree beforehand on an efficiently decodable error-correcting code of length $n/2$ with syndrome length $s$ roughly $h(\varphi)\, n/2$ as in Section 5.6. Then, $S$ sends along the two syndromes $S(x|_{I_0})$ and $S(x|_{I_1})$ (where the $x|_{I_b}$ are padded with 0s or truncated to length $n/2$). It can be argued as for Rabin OT that this will reduce the min-entropy by the length $s$ of the syndrome and hence, we can show sender-security of this protocol against the class of receivers $\mathcal{R}_\gamma$ with $\gamma$ such that there exists $\delta > 0$ with
$$\gamma n \le \Big(\frac{1-\eta}{4} - \frac{h(\varphi)}{2}\Big)\, n - 2\ell - \delta n .$$

6.4.3 Reversing the Quantum Communication

In order to illustrate the versatility of our security analysis, we show that the proofs carry easily over to a protocol where the direction of the quantum communication is reversed. In the protocol described in Figure 6.3, the receiver $R$ of the Rand 1-2 OT sends $n$ qubits, encoded in the basis determined by his choice bit. The sender $S$ of the Rand 1-2 OT measures them in a random basis. The players then proceed as in Rand 1-2 QOT.

Rand 1-2 QOT$^\ell$: Let $c$ be $R$'s choice bit.
1. $R$ picks $x' \in \{0,1\}^n$ at random and sends $|x'\rangle_{\theta'}$ to $S$ where $\theta' = [+, \times]_c$.
2. $S$ picks $\theta \in_R \{+, \times\}^n$ and measures the received qubits in basis $\theta$. Let $x \in \{0,1\}^n$ be the result.
3. $S$ picks two hash functions $f_0, f_1 \in_R \mathcal{F}_n$, announces $\theta$ and $f_0, f_1$ to $R$, and outputs $s_0 := f_0(x|_{\circ I_0})$ and $s_1 := f_1(x|_{\circ I_1})$ where $I_b := \{i : \theta_i = [+, \times]_b\}$.
4. $R$ outputs $s_c = f_c(x'|_{\circ I_c})$.
Figure 6.3: Rand 1-2 QOT$^\ell$ with Reversed Quantum Communication.

It is clear by construction that the protocol is perfectly correct. $\varepsilon$-Sender-security against dishonest receivers in $\mathcal{R}_\gamma$ can be argued as in Theorem 6.4 above by observing that the uncertainty relation applies to any $n$-qubit state of the honest sender which is measured in a random basis and about which the dishonest receiver holds at most $\gamma n$ qubits of information. For the security of an honest receiver against a dishonest sender, we can show the existence of the two input strings as in Proposition 6.2 above by letting the sender interact with an unbounded receiver. In an error-free model, it further holds that the sender cannot infer the basis in which the qubits are encoded and therefore does not learn any information about the receiver's choice bit. However, in a more realistic setting with multi-pulse emissions, this coding scheme with reversed communication is highly insecure, as a malicious sender can determine the encoding basis from a multi-pulse qubit. The same problem occurred for the Rabin OT protocol qot from the last chapter.

Chapter 7 Quantum Bit Commitment

This chapter is about quantum Bit Commitment (BC) schemes. In BC, a committer $C$ commits himself to a choice of a bit $b \in \{0,1\}$ by exchanging information with a verifier $V$. We want that $V$ does not learn $b$ (we say the commitment is hiding), yet $C$ can later choose to reveal $b$ in a convincing way, i.e., only the value fixed at commitment time will be accepted by $V$ (we say the commitment is binding).

In the next section, we present a BC scheme from a committer $C$ with bounded quantum memory to an unbounded receiver $V$. The scheme is peculiar since in order to commit to a bit, the committer does not send anything. During the committing stage, information only goes from $V$ to $C$. Therefore, there is no way for the verifier to get information about the committed bit, i.e. the scheme is perfectly hiding. In Section 7.3, we define two notions of the binding property and show our scheme secure against quantum-memory-bounded committers in both of these senses.
Similar techniques as in the two previous chapters for the analysis of the oblivious-transfer protocols are used. The results in this chapter appeared in [DFSS05, DFR+07].

7.1 The Protocol

The protocol is given in Figure 7.1. Intuitively, a commitment to a bit $b$ is made by measuring random BB84 states in basis $\{+, \times\}[b]$. As for the oblivious-transfer protocols in the two previous chapters, we present an equivalent EPR-version of the protocol that is easier to analyze (see Figure 7.2).

comm($b$):
1. $V$ picks $x \in_R \{0,1\}^n$ and $\theta \in_R \{+, \times\}^n$ and sends $x_i$ in the corresponding bases $|x_1\rangle_{\theta_1}, |x_2\rangle_{\theta_2}, \ldots, |x_n\rangle_{\theta_n}$ to $C$.
2. $C$ commits to the bit $b$ by measuring all qubits in basis $\{+, \times\}[b]$. Let $x' \in \{0,1\}^n$ be the result.
3. To open the commitment, $C$ sends $b$ and $x'$ to $V$.
4. $V$ verifies that $x_i = x'_i$ for those $i$ where $\theta_i = \{+, \times\}[b]$. $V$ accepts if and only if this is the case.
Figure 7.1: Protocol for quantum bit commitment

epr-comm($b$):
1. $V$ prepares $n$ EPR pairs each in state $|\Omega\rangle = \frac{1}{\sqrt2}(|00\rangle + |11\rangle)$. $V$ sends one half of each pair to $C$ and keeps the other halves.
2. $C$ commits to the bit $b$ by measuring all received qubits in basis $\{+, \times\}[b]$. Let $x' \in \{0,1\}^n$ be the result.
3. To open the commitment, $C$ sends $b$ and $x'$ to $V$.
4. $V$ measures all his qubits in basis $\{+, \times\}[b]$ and obtains $x \in \{0,1\}^n$. He chooses a random subset $I \subseteq \{1, \ldots, n\}$. $V$ verifies that $x_i = x'_i$ for all $i \in I$ and accepts if and only if this is the case.
Figure 7.2: Protocol for EPR-based quantum bit commitment

Lemma 7.1 comm is secure against dishonest committers $\tilde C$ if and only if epr-comm is.

Proof: The proof uses similar reasoning as the one for Lemma 5.3. First, it clearly makes no difference if we change Step 4 to the following:
4'. $V$ chooses the subset $I$, measures all qubits with index in $I$ in basis $\{+, \times\}[b]$ and all qubits not in $I$ in basis $\{+, \times\}[1-b]$. $V$ verifies that $x_i = x'_i$ for all $i \in I$ and accepts if and only if this is the case.
Finally, we can observe that the view of $\tilde C$ does not change if $V$ would have done his choice of $I$ and his measurement already in Step 1. Doing the measurements at this point means that the qubits to be sent to $\tilde C$ collapse to a state that is distributed identically to the state prepared in the original scheme. The EPR-version is therefore equivalent to the original commitment scheme from $\tilde C$'s point of view.

It is clear that epr-comm is hiding, i.e., that the commit phase reveals no information on the committed bit, since no information is transmitted to $V$ at all. Hence we have

Lemma 7.2 epr-comm is perfectly hiding.

7.2 Modeling Dishonest Committers

A dishonest committer $\tilde C$ with bounded memory of at most $\gamma n$ qubits in epr-comm can be modeled very similarly to the dishonest oblivious-transfer receivers $\tilde R$ from Sections 5.3 and 6.3: $\tilde C$ consists first of a circuit acting on all $n$ qubits received, then of a measurement of all but at most $\gamma n$ qubits, and finally of a circuit that takes the following input: a bit $b$ that $\tilde C$ will attempt to open, the $\gamma n$ qubits in memory, and some ancilla in a fixed state. The output is a string $x' \in \{0,1\}^n$ to be sent to $V$ at the opening stage.

Definition 7.3 We define $\mathcal{C}_\gamma$ to be the class of all committers $\{\tilde C_n\}_{n > 0}$ in comm or epr-comm that, at the start of the opening phase (i.e. at Step 3), have a quantum memory of size at most $\gamma n$ qubits.
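The scheme comm from Figure 7.1 simulated classically, as an added example that is not part of the thesis: it runs an honest commit and opening, and for the simplest committer without any quantum memory, who measures everything in one basis and later tries to open the other bit, computes exactly how often the verifier's Step 4 check still passes. This committer is only a sanity check of the binding intuition, not the general memory-bounded $\tilde C$ of Definition 7.3; the channel model is the same wrong-basis-gives-random-bit rule as in the earlier examples.

```python
"""Added example (not code from the thesis): the bit-commitment scheme comm (Figure 7.1),
simulated classically.  Channel model: a BB84 qubit measured in its encoding basis yields
the encoded bit, in the other basis a uniformly random bit.  The committer modelled here
keeps no qubits at all; it is the simplest member of C_gamma, not the general one the
thesis proves binding against.
"""
import random

PLUS, TIMES = "+", "x"   # 'x' stands for the cross basis


def commit(theta, x, b, rng):
    """Step 2: C measures every received qubit in basis {+,x}[b] and keeps the result x'."""
    return [xi if ti == (PLUS, TIMES)[b] else rng.randrange(2) for xi, ti in zip(x, theta)]


def verify_opening(theta, x, b, x_prime):
    """Step 4: V accepts iff x_i = x'_i at every i with theta_i = {+,x}[b]."""
    return all(xi == xpi for xi, ti, xpi in zip(x, theta, x_prime) if ti == (PLUS, TIMES)[b])


def run_comm(n, b_commit, b_open, seed=0):
    """Honest V; C measures in basis {+,x}[b_commit] (Step 2) and later opens to b_open.

    Returns whether V accepts the opening.
    """
    rng = random.Random(seed)
    x = [rng.randrange(2) for _ in range(n)]                # Step 1: V's bits ...
    theta = [rng.choice((PLUS, TIMES)) for _ in range(n)]   # ... and bases
    x_prime = commit(theta, x, b_commit, rng)               # Step 2
    return verify_opening(theta, x, b_open, x_prime)        # Steps 3 and 4


def wrong_bit_acceptance_probability(n):
    """Exact probability that run_comm(n, b, 1-b, seed) accepts, over V's randomness.

    Each position independently has theta_i = {+,x}[1-b] with probability 1/2, and then
    x'_i (a random bit) matches x_i with probability 1/2; so a position survives the
    check with probability 1/2 + 1/2 * 1/2 = 3/4, independently of the others.
    """
    return (3 / 4) ** n


def estimate_wrong_bit_acceptance(n, trials):
    """Monte Carlo counterpart of wrong_bit_acceptance_probability, one seed per trial."""
    return sum(run_comm(n, 0, 1, seed) for seed in range(trials)) / trials


if __name__ == "__main__":
    print(all(run_comm(64, b, b, seed) for b in (0, 1) for seed in range(10)))   # True
    print(wrong_bit_acceptance_probability(64))         # about 1e-8
    print(estimate_wrong_bit_acceptance(4, 4000), wrong_bit_acceptance_probability(4))
```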
7.3 Defining the Binding Property

7.3.1 The "Standard" Binding Condition

In the context of unconditionally secure quantum bit commitment, it is widely accepted that "the right way" of defining the binding property is to require that the probability of successfully opening a commitment to 0 plus the probability of successfully opening it to 1 is essentially upper bounded by one, a notion put forward by Dumais, Mayers, and Salvail [DMS00]. We call this notion weakly binding, as opposed to the new notion of strongly binding defined in the next section.

Definition 7.4. A (quantum) bit-commitment scheme is weakly binding against $\mathcal{C}$ if for all $\{\tilde{C}_n\}_{n>0} \in \mathcal{C}$, the probability $p_b(n)$ that $\tilde{C}_n$ opens $b \in \{0,1\}$ with success satisfies
$$p_0(n) + p_1(n) \le 1 + \mathit{negl}(n).$$

In Section 7.4, we show that epr-comm is weakly binding against $\mathcal{C}_\gamma$ for any $\gamma < \frac12$.

Note that the binding condition given in Definition 7.4 is weaker than the classical one, where one would require that a bit $b$ exists such that $p_b(n)$ is negligible. For a general quantum adversary, who can always commit to 0 and 1 in superposition, this is too strong a requirement; thus, it is typically argued that Definition 7.4 is the best one can hope for. However, we argue now that this weaker notion is not really satisfactory, and we show that there exists a stronger notion which still allows the committer to commit to a superposition, and thus is not necessarily impossible to achieve in a quantum setting, but which is closer to the classical standard way of defining the binding property.

7.3.2 A Stronger Binding Condition

A shortcoming of Definition 7.4 is that committing bit by bit is not guaranteed to yield a secure string commitment: the argument one is tempted to use requires independence of the $p_b$'s between the different executions, which in general does not hold.
We now argue that this notion is unnecessarily weak, at least in some cases, and in particular in the case of commitments in the bounded-quantum-storage model, where the dishonest committer is forced to do some partial measurement and where we assume honest parties to produce only classical output (by measuring their entire quantum state). Technically, this means that for any dishonest committer $\tilde{C}$, the joint state of the honest verifier and of $\tilde{C}$ after the commit phase is a ccq-state
$$\rho_{VZ\tilde{C}} = \sum_{v,z} P_{VZ}(v,z)\, |v\rangle\langle v| \otimes |z\rangle\langle z| \otimes \rho^{v,z}_{\tilde{C}},$$
where the first register contains the verifier's (classical) output and the remaining two registers contain $\tilde{C}$'s (partially classical) output. We propose the following definition.

Definition 7.5. A commitment scheme in the bounded-quantum-storage model is called $\varepsilon$-binding if for every (dishonest) committer $\tilde{C}$, inducing a joint state $\rho_{VZ\tilde{C}}$ after the commit phase, there exists a classical binary random variable $D$, given by its conditional distribution $P_{D|VZ}$, such that for $b = 0$ and $b = 1$ the state
$$\rho^b_{VZ\tilde{C}} = \sum_{v,z} P_{VZ|D}(v,z\,|\,b)\, |v\rangle\langle v| \otimes |z\rangle\langle z| \otimes \rho^{v,z}_{\tilde{C}}$$
satisfies the following condition. When executing the opening phase on the state $\rho^b_{VZ\tilde{C}}$, for any strategy of $\tilde{C}$, the honest verifier accepts an opening to $1-b$ with probability at most $\varepsilon$.

It is easy to see that the binding property as defined here implies the weak version discussed above, namely $p_b \le P_D(b) + P_D(1-b)\,\varepsilon$ and thus $p_0 + p_1 \le 1 + \varepsilon$.
Furthermore, it is straightforward to see that this stronger notion allows for a formal proof of the obvious reduction of a string commitment to a bit commitment by committing bit-wise: the $i$-th execution of the bit-commitment scheme guarantees a random variable $D_i$, defined by $P_{D_i|V_iZ}$, such that the committer cannot open the $i$-th bit commitment to $1-D_i$, and thus there exists a random variable $S$, namely $S = (D_1,\ldots,D_m)$ defined by $P_{D_1\cdots D_m|V_1\cdots V_m Z} = \prod_i P_{D_i|V_iZ}$, such that for any opening strategy, the committer cannot open the list of commitments to any other string than $S$.

In Section 7.5, we show that the bit commitment comm from Figure 7.1 in fact satisfies this stronger and more useful notion of security. This turns out to be a rather straightforward consequence of the security of the 1-2 OT scheme from Chapter 6.

7.4 Weak Binding of the Commitment Scheme

In this section, we use the techniques from the analysis of the Rabin OT protocol from Chapter 5 to prove our commitment scheme comm (or rather its purified version epr-comm) weakly binding against quantum-memory-bounded adversarial committers. Note that the first two steps of epr-qot (from Figure 5.2) and epr-comm (i.e., before the memory bound applies) are exactly the same. This allows us to reuse Corollary 4.17 and the analysis of Section 5.4 to prove the weakly binding property of epr-comm.

Theorem 7.6. For any $\gamma < \frac12$, comm is perfectly hiding and weakly binding against $\mathcal{C}_\gamma$.

The proof is given below. It boils down to showing that essentially $p_0(n) \le 1 - q_+$ and $p_1(n) \le 1 - q_\times$. The weak binding property then follows immediately from Corollary 4.17.
The intuition behind $p_0(n) \le 1 - q_+ = 1 - Q_+(S_+)$ is that a committer only has a fair chance of opening to 0 if $x$ measured in the $+$-basis has large probability, i.e., $x \notin S_+$. The following proof makes this intuition precise by choosing $\varepsilon$ and $\delta$ correctly.

Proof: It remains to show that epr-comm is binding against $\mathcal{C}_\gamma$. Let $\varepsilon, \delta > 0$ be such that $\gamma + 2h(\delta) + 2\varepsilon < 1/2$, where $h$ is the binary entropy function. Recall that the number $B_{\delta n}$ of $n$-bit strings at Hamming distance at most $\delta n$ from a fixed string is at most $2^{h(\delta)n}$. Let $R$ be the basis, determined by the bit that $\tilde{C}$ claims in Step 3, in which V measures the quantum state in Step 4, and let $X$ be the outcome. Corollary 4.17 implies the existence of an event $\mathcal{E}$ such that
$$P[\mathcal{E} \mid R = +] + P[\mathcal{E} \mid R = \times] \ge 1 - \mathit{negl}(n)$$
and
$$H_\infty(X \mid R = r, \mathcal{E}) \ge (\gamma + 2h(\delta) + 2\varepsilon)\,n.$$
Applying Corollary 2.26 (with constant $U$ and $\varepsilon = 0$), it follows that any guess $\hat{X}$ for $X$ satisfies
$$P\big[\hat{X} \in B_{\delta n}(X) \mid R = r, \mathcal{E}\big] \le 2^{-\frac12\left(H_\infty(X \mid R = r, \mathcal{E}) - \gamma n - 1\right) + \log B_{\delta n}} \le 2^{-\varepsilon n + \frac12}.$$
However, if $\hat{X} \notin B_{\delta n}(X)$, then sampling a random subset of the positions detects an error except with probability at most $2^{-\delta n}$. Hence, writing $q_+ := P[\mathcal{E} \mid R = +]$ and $q_\times := P[\mathcal{E} \mid R = \times]$,
$$p_0(n) \le (1 - q_+) + q_+ \cdot \big(2^{-\varepsilon n + \frac12} + 2^{-\delta n}\big) \le 1 - q_+ + \mathit{negl}(n),$$
and analogously $p_1(n) \le 1 - q_\times + \mathit{negl}(n)$. We conclude that
$$p_0(n) + p_1(n) \le 2 - q_+ - q_\times + \mathit{negl}(n) \le 1 + \mathit{negl}(n).$$

7.5 Strong Binding of the Commitment Scheme

In this section, we reuse the analysis of the 1-2 OT protocol from Chapter 6 to prove the strong binding condition.

Theorem 7.7. The quantum bit-commitment scheme comm is $\varepsilon$-binding according to Definition 7.5 against $\mathcal{C}_\gamma$ for a negligible (in $n$) $\varepsilon$ if $\gamma < \frac14$.

Intuitively, one can argue that $X$ has (smooth) min-entropy about $n/2$ given $\Theta$.
The Min-Entropy Splitting Lemma implies that there exists $D$ such that $X_{1-D}$ has smooth min-entropy about $n/4$ given $\Theta$ and $D$. Privacy amplification implies that $F(X_{1-D})$ is close to random given $\Theta$, $D$, $F$ and $\tilde{C}$'s quantum register of size $\gamma n$, where $F$ is a two-universal one-bit-output hash function; this in particular implies that $\tilde{C}$ cannot guess $X_{1-D}$. The formal proof is given below.

Proof: It remains to show that epr-comm is strongly binding against $\mathcal{C}_\gamma$. Let $\Theta \in \{+,\times\}^n$ be the random basis that would correspond to the choice of basis in the first step of comm, i.e., $\theta_i = [+,\times]_b$ for $i \in I$ and $\theta_i = [+,\times]_{1-b}$ for $i \notin I$. Let $X$ be the measurement outcome when V measures his halves of the EPR pairs in basis $\Theta$. Recall that $h(\cdot)$ denotes the binary Shannon entropy. Choose $\lambda, \lambda', \kappa$ and $\delta$ all positive, but small enough such that
$$\gamma \le \tfrac14 - \lambda - \lambda' - 2h(\delta) - 2\kappa, \qquad h(\delta) \le \lambda' - \kappa, \qquad h(\delta) \le \tfrac{\lambda^4}{32} - \kappa.$$
Before Step 3, the overall state is given by the ccq-state $\rho_{X\Theta\tilde{C}}$ after $\tilde{C}$ has measured all but $\gamma n$ of his qubits, where $X$ describes the outcome of the verifier V measuring his part of the state in the random basis $\Theta$. From the uncertainty relation (Corollary 4.23), we know that $H^\varepsilon_\infty(X \mid \Theta) \ge (1/2 - 2\lambda)\,n$ for $\varepsilon = 2^{-\frac{\lambda^4}{32} n}$, exponentially small in $n$. Therefore, by Corollary 2.16, there exists a binary random variable $D \in \{0,1\}$ such that for $\varepsilon' = 2^{-\lambda' n}$ it holds that
$$H^{\varepsilon+\varepsilon'}_\infty(X_{1-D} \mid \Theta D) \ge \big(\tfrac14 - \lambda - \lambda'\big)\,n - 1 \ge \gamma n + 2h(\delta)\,n + 2\kappa n - 1.$$
Recall that $B_{\delta n} \le 2^{h(\delta)n}$.
Applying Corollary 2.26, it follows that any guess $\hat{X}$ for $X_{1-D}$ satisfies
$$\begin{aligned}
P\big[\hat{X} \in B_{\delta n}(X_{1-D})\big]
&\le 2^{-\frac12\left(H^{\varepsilon+\varepsilon'}_\infty(X_{1-D} \mid \Theta D) - \gamma n - 1\right) + \log B_{\delta n}} + (2\varepsilon + 2\varepsilon')\,B_{\delta n} \\
&\le 2^{-\frac12(2\kappa n - 2)} + 2 \cdot 2^{-\frac{\lambda^4}{32} n + h(\delta) n} + 2 \cdot 2^{-\lambda' n + h(\delta) n} \\
&\le 2 \cdot 2^{-\kappa n} + 2 \cdot 2^{-\kappa n} + 2 \cdot 2^{-\kappa n},
\end{aligned}$$
which is negligible by the choice of the parameters.

7.6 Weakening the Assumptions

As argued earlier, assuming that a party can produce single qubits (with probability 1) is not reasonable given current technology. Also the assumption that there is no noise on the quantum channel is impractical. It can be shown that a straightforward modification of comm remains secure in the $(\phi,\eta)$-weak quantum model introduced in Section 5.6 (see also Section 9.1.1), with $\phi < \frac12$ and $\eta < 1 - \phi$. The protocol comm' in Figure 7.3 is the same as comm from Figure 7.1 except that in the last Step 4, V accepts if and only if $x_i = x'_i$ for all but about a $\phi$-fraction of the $i$ where $\theta_i = [+,\times]_b$. More precisely, for all but a $(\phi + \varepsilon)$-fraction, where $\varepsilon > 0$ is sufficiently small.

comm'($b,\phi$):
1. V picks $x \in_R \{0,1\}^n$ and $\theta \in_R \{+,\times\}^n$ and sends the $x_i$ in the corresponding bases, $|x_1\rangle_{\theta_1}, |x_2\rangle_{\theta_2}, \ldots, |x_n\rangle_{\theta_n}$, to C.
2. C commits to the bit $b$ by measuring all qubits in basis $[+,\times]_b$. Let $x' \in \{0,1\}^n$ be the result.
3. To open the commitment, C sends $b$ and $x'$ to V.
4. V verifies that $x_i = x'_i$ for $i$ where $\theta_i = [+,\times]_b$. V accepts if and only if this is the case for all but a $\phi$-fraction of these positions.

Figure 7.3: Protocol for noise-tolerant quantum bit commitment

Theorem 7.8. In the $(\phi,\eta)$-weak quantum model, comm' is perfectly hiding and weakly binding against $\mathcal{C}_\gamma$ for any $\gamma$ satisfying
$$\gamma < \tfrac12(1-\eta) - 2h(\phi).$$

Proof sketch: Using Chernoff's inequality (Lemma 2.5), one can argue that for honest C and V, the opening of a commitment is accepted except with negligible probability. The hiding property holds by the same reasoning as in Lemma 7.2. The binding property can be argued essentially along the lines of Theorem 7.6, with the following modifications. Let $J$ denote the set of indices $i$ where V succeeds in sending a single qubit. We restrict the analysis to those $i$ in $J$. By Chernoff's inequality (Lemma 2.5), the cardinality of $J$ is about $(1-\eta)n$ (meaning within $(1 - \eta \pm \varepsilon)n$), except with negligible probability. Thus, restricting to these $i$ has the same effect as replacing $\gamma$ by $\gamma/(1-\eta)$ (neglecting the $\pm\varepsilon$ to simplify notation). Assuming that $\tilde{C}$ knows every $x_i$ for $i \notin J$, he has to be able to guess all but about a $\phi/(1-\eta)$-fraction of the $x_i$ with $i \in J$ correctly in order to succeed in the opening. Using Corollary 2.26, we can show that for a correctly chosen $\delta > 0$, the probability of guessing $\hat{X}$ within Hamming distance $\delta n$ of the real $X$ is negligible. Therefore, $\tilde{C}$ succeeds with only negligible probability if the fraction of allowed errors $\phi/(1-\eta)$ is smaller than $\delta$, i.e., $\phi/(1-\eta) < \delta$. Additionally, in order for the machinery from Theorem 7.6 to work, $\delta$ must be such that
$$\frac{\gamma}{1-\eta} + 2h(\delta) < \frac12.$$
Such a $\delta$ can be chosen if
$$\frac{\gamma}{1-\eta} + 2h\!\left(\frac{\phi}{1-\eta}\right) < \frac12.$$
Using the fact that $h(\nu p) \le \nu h(p)$ for any $\nu \ge 1$ and $0 \le p \le \frac12$ such that $\nu p \le 1$, this is clearly satisfied if $\gamma + 2h(\phi) < \frac12(1-\eta)$.

Theorem 7.9. In the $(\phi,\eta)$-weak quantum model, comm' is perfectly hiding and strongly binding against $\mathcal{C}_\gamma$ for any $\gamma$ satisfying
$$\gamma < \tfrac14(1-\eta) - 3h(\phi) - \sqrt[4]{32\,h(\phi)}.$$

Proof sketch: The proof goes like the proof of Theorem 7.8, but uses the techniques from Section 7.5. In order for those to work, we need to choose $\lambda, \lambda'$ and $\delta$ all positive and such that
$$\frac{\phi}{1-\eta} < \delta, \qquad \frac{\gamma}{1-\eta} + 2h(\delta) + \lambda' + \lambda < \frac14, \qquad h(\delta) < \lambda', \qquad h(\delta) < \frac{\lambda^4}{32}. \tag{7.1}$$
We verify that the assumption $\gamma < \frac14(1-\eta) - 3h(\phi) - \sqrt[4]{32\,h(\phi)}$ on $\gamma$ allows for that. Rearranging the terms and using that $x < \sqrt[4]{x}$ for $0 < x < 1$ yields
$$\frac{\gamma}{1-\eta} + \frac{3h(\phi)}{1-\eta} + \sqrt[4]{\frac{32\,h(\phi)}{1-\eta}} < \frac14.$$
Using, as in the previous proof, the fact that $h(\nu p) \le \nu h(p)$ for any $\nu \ge 1$ and $0 \le p \le \frac12$ such that $\nu p \le 1$, we get
$$\frac{\gamma}{1-\eta} + 3h\!\left(\frac{\phi}{1-\eta}\right) + \sqrt[4]{32\,h\!\left(\frac{\phi}{1-\eta}\right)} < \frac14.$$
That allows us to choose $\delta > \frac{\phi}{1-\eta}$ such that
$$\frac{\gamma}{1-\eta} + 2h(\delta) + h(\delta) + \sqrt[4]{32\,h(\delta)} < \frac14,$$
and therefore also $\lambda$ and $\lambda'$ can be chosen such that the conditions (7.1) are fulfilled.

Chapter 8 QKD Secure Against Quantum-Memory-Bounded Eavesdroppers

In this chapter, we present another application of the uncertainty relation derived in Section 4.5. This illustrates that these relations are useful in scenarios beyond the simple two-party setting.

In Quantum Key Distribution (QKD), two honest players Alice and Bob want to agree on a secure key, using only completely insecure quantum and authentic classical communication. The computationally unbounded eavesdropper Eve should not get any information about the key. A major difficulty when implementing QKD schemes is that they require a low-noise quantum channel. The tolerated noise level depends on the actual protocol and on the desired security of the key. Because the quality of the channel typically decreases with its length, the maximum tolerated noise level is an important parameter limiting the maximum distance between Alice and Bob.

We consider a model in which the adversary has a limited amount of quantum memory to store the information she intercepts during the protocol execution.
In this model, we show that the maximum tolerated noise level is larger than in the standard scenario where the adversary has unlimited resources. For simplicity, we restrict ourselves to one-way QKD protocols, which are protocols where error correction is performed non-interactively, i.e., a single classical message is sent from one party to the other. The results in this chapter appeared in [DFR+07].

8.1 Derivation of the Maximum Tolerated Noise Level

Let $\mathcal{S}$ be a set of orthonormal bases of a $d$-dimensional Hilbert space $\mathcal{H}_d$. For each basis $\vartheta \in \mathcal{S}$, we assume that the $d$ basis vectors are parametrized by the elements of the fixed set $\mathcal{X}$ of size $|\mathcal{X}| = d$. We then consider QKD protocols consisting of the steps described in Figure 8.1.

Note that the quantum channel is only used in the preparation step. Afterwards, the communication between Alice and Bob is only classical (over an authentic channel).

One-Way QKD: let $N \in \mathbb{N}$ be arbitrary
1. Preparation: For $i = 1, \ldots, N$, Alice chooses at random a basis $\vartheta_i \in \mathcal{S}$ and a random element $X_i \in \mathcal{X}$. She encodes $X_i$ into the state of a quantum system according to the basis $\vartheta_i$ and sends this system to Bob. Bob measures each of the states he receives according to a randomly chosen basis $\vartheta'_i$ and stores the outcome $Y_i \in \mathcal{X}$ of this measurement.
2. Sifting: Alice and Bob publicly announce their choices of bases and keep their data at position $i$ only if $\vartheta_i = \vartheta'_i$. In the following, we denote by $X$ and $Y$ the concatenation of the remaining data $X_i$ and $Y_i$, respectively. $X$ and $Y$ are sometimes called the sifted raw key.
3. Error correction: Alice computes some error-correction information $C$ depending on $X$ and sends $C$ to Bob. Bob computes a guess $\hat{X}$ for Alice's string $X$, using $C$ and $Y$.
4. Privacy amplification: Alice chooses at random a function $f$ from a two-universal family of hash functions and announces $f$ to Bob. Alice and Bob then compute the final key by applying $f$ to their strings $X$ and $\hat{X}$, respectively.

Figure 8.1: General form of one-way QKD protocols.

As shown in [Ren05, Lemma 6.4.1], the length $\ell$ of the secret key that can be generated by the protocol described above is given by (see footnote 1)
$$\ell \approx H^\varepsilon_{\min}(\rho_{XE} \mid E) - H_0(C),$$
where the cq-state $\rho_{XE}$ is the state of the quantum system with the property that $E$ contains all the information Eve has gained during the preparation step of the protocol, and where $H_0(C)$ is the number of error-correction bits sent from Alice to Bob. Note that this formula can be seen as a generalization of the well-known expression by Csiszár and Körner for classical key agreement [CK78].

Footnote 1: The approximation in this and the following equations holds up to some small additive value which depends logarithmically on the desired security $\varepsilon$ of the final key.

Let us now assume that Eve's system $E$ can be decomposed into a classical part $U$ and a purely quantum part $E'$. Then, by the same derivation as in the proof of Corollary 2.25, we find
$$\ell \approx H^\varepsilon_{\min}(\rho_{XUE'} \mid UE') - H_0(C) \ge H^\varepsilon_\infty(X \mid U) - H_{\max}(\rho_{E'}) - H_0(C).$$
As, during the preparation step, Eve does not know the encoding bases, which are chosen at random from the set $\mathcal{S}$, we can apply our uncertainty relation (Theorem 4.22) to get a lower bound for the min-entropy of $X$ conditioned on Eve's classical information $\Theta$, i.e.,
$$H^\varepsilon_\infty(X \mid \Theta) \ge M h,$$
where $M$ denotes the length of the sifted raw key $X$ and $h$ is the average entropic uncertainty bound for $\mathcal{S}$. Let $q$ be the bound on the size of Eve's quantum memory, $H_{\max}(\rho_{E'}) \le q$.
Moreover, let $e$ be the average amount of error-correction information that Alice has to send to Bob per symbol of the sifted raw key $X$. Then
$$\ell \gtrsim M(h - e) - q.$$
Hence, if the memory bound only grows sublinearly in the length $M$ of the sifted raw key, then the key rate, i.e., the number of key bits generated per bit of the sifted raw key, is lower bounded by
$$\mathit{rate} \ge h - e.$$

8.2 The Binary-Channel Setting

For a binary channel (with a two-dimensional Hilbert space $\mathcal{H}_2$), the average amount of error-correction information $e$ is given by the binary Shannon entropy $h(p)$ (see footnote 2), where $p$ is the bit-flip probability (for classical bits encoded according to some orthonormal basis as described above). The achievable key rate of a QKD protocol using a binary quantum channel is thus given by
$$\mathit{rate}_{\mathrm{binary}} \ge h - h(p).$$
Summing up, we have derived the following theorem.

Theorem 8.1. Let $\mathcal{S}$ be a set of orthonormal bases of $\mathcal{H}_2$ with average entropic uncertainty bound $h$. Then, a one-way QKD protocol as in Figure 8.1 produces a secure key against eavesdroppers whose quantum-memory size is sublinear in the length of the raw key (i.e., sublinear in the number of qubits sent from Alice to Bob) at a positive rate as long as the bit-flip probability $p$ fulfills
$$h(p) < h. \tag{8.1}$$

For the BB84 protocol [BB84], we have $h = \frac12$ (cf. Inequality (4.2)). Inequality (8.1) is thus satisfied as long as $p \le 11\%$. This bound coincides with the known bound for one-way QKD in the standard model (with an unbounded eavesdropper). So, using our analysis here, the memory bound does not give an advantage. The situation is different for the six-state protocol, where $h = \frac23$. According to (8.1), security against memory-bounded adversaries is guaranteed (i.e., $h(p) < \frac23$) as long as $p \le 17\%$.
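The noise thresholds above and the parameter conditions of Theorems 7.8 and 7.9 in Section 7.6 are all statements about the binary entropy $h$. The following script, added here as an illustration and not part of the thesis, computes them numerically: it inverts $h$ to obtain the thresholds of (8.1) for $h = 1/2$, $2/3$ and $0.72$, evaluates $\ell \approx M(h - e) - q$, and, for comm', searches for a $\delta$ (and $\lambda$, $\lambda'$) satisfying the constraints the two proof sketches actually need, so that they can be compared with the sufficient conditions stated in the theorems. The function names, the bisection and the search strategy are the example's own choices.

```python
"""Numerical companion to Theorems 7.8, 7.9 and 8.1. Everything below reduces to
the binary entropy h(p) = -p log2 p - (1-p) log2 (1-p)."""
import math


def h(p):
    """Binary Shannon entropy, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def h_inverse(value):
    """The p in [0, 1/2] with h(p) = value, by bisection (h is increasing there)."""
    lo, hi = 0.0, 0.5
    for _ in range(100):
        mid = (lo + hi) / 2
        if h(mid) < value:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def qkd_noise_threshold(h_bound):
    """Largest bit-flip probability p with h(p) < h_bound, i.e. condition (8.1)
    for a set of bases with average entropic uncertainty bound h_bound."""
    return h_inverse(h_bound)


def key_length(M, h_bound, e, q):
    """l ~ M (h - e) - q for sifted-key length M, error-correction cost e per
    symbol (e = h(p) on a binary channel with optimal coding) and memory bound q."""
    return M * (h_bound - e) - q


def _deltas(lo, hi):
    """Candidates delta = lo + (hi - lo) 2^-k, approaching lo from above. The
    constraints below are monotone in delta, so the smallest admissible delta
    above lo is the best one."""
    for k in range(0, 200):
        yield lo + (hi - lo) * 2.0 ** (-k)


def weak_binding_sufficient(gamma, phi, eta):
    """Hypothesis of Theorem 7.8: gamma < (1-eta)/2 - 2 h(phi)."""
    return gamma < (1 - eta) / 2 - 2 * h(phi)


def weak_binding_delta(gamma, phi, eta):
    """What the proof of Theorem 7.8 needs: delta with phi/(1-eta) < delta and
    gamma/(1-eta) + 2 h(delta) < 1/2. Returns such a delta, or None."""
    lo = phi / (1 - eta)
    for delta in _deltas(lo, 0.5):
        if lo < delta < 0.5 and gamma / (1 - eta) + 2 * h(delta) < 0.5:
            return delta
    return None


def strong_binding_sufficient(gamma, phi, eta):
    """Hypothesis of Theorem 7.9: gamma < (1-eta)/4 - 3 h(phi) - (32 h(phi))^(1/4)."""
    return gamma < (1 - eta) / 4 - 3 * h(phi) - (32 * h(phi)) ** 0.25


def strong_binding_parameters(gamma, phi, eta):
    """Conditions (7.1): delta > phi/(1-eta), h(delta) < lambda',
    h(delta) < lambda^4/32 and gamma/(1-eta) + 2 h(delta) + lambda' + lambda < 1/4.
    The smallest admissible lambda' and lambda are h(delta) and (32 h(delta))^(1/4);
    the remaining slack is split between them. Returns (delta, lambda, lambda') or None."""
    lo = phi / (1 - eta)
    for delta in _deltas(lo, 0.25):
        slack = 0.25 - (gamma / (1 - eta) + 3 * h(delta) + (32 * h(delta)) ** 0.25)
        if lo < delta < 0.5 and slack > 0:
            lam_prime = h(delta) + slack / 4
            lam = (32 * h(delta)) ** 0.25 + slack / 4
            return delta, lam, lam_prime
    return None


if __name__ == "__main__":
    for name, bound in (("BB84", 0.5), ("six-state", 2 / 3), ("all bases", 0.72)):
        print(f"{name:10s} h = {bound:.3f}  p_max = {qkd_noise_threshold(bound):.4f}")
    print("weak  :", weak_binding_sufficient(0.1, 0.01, 0.5), weak_binding_delta(0.1, 0.01, 0.5))
    print("strong:", strong_binding_sufficient(0.2, 0.0, 0.0), strong_binding_parameters(0.2, 0.0, 0.0))
```

Two things the numbers make visible: the condition of Theorem 7.8 is only sufficient (for $\eta = 0.5$, $\phi = 0.01$, $\gamma = 0.1$ the stated bound fails while a $\delta$ satisfying the proof's constraints still exists, because $h(\phi/(1-\eta)) \le h(\phi)/(1-\eta)$ is not tight), and the $\sqrt[4]{32\,h(\phi)}$ term of Theorem 7.9 forces $\phi$ to be tiny before any $\gamma > 0$ is admitted, so the strong-binding bound is far less noise tolerant than the weak one.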
If one requires security against an unbounded adversary, the threshold for the same protocol lies below 13%, as shown by Lo [Lo01], and even the best known QKD protocol on binary channels with one-way classical post-processing can only tolerate noise up to roughly 14.1% [RGK05]. It has also been shown that, in the unbounded model, no such protocol can tolerate an error rate of more than 16.3%.

Footnote 2: This value of $e$ is only achieved if an optimal error-correction scheme is used. In practical implementations, the value of $e$ might be slightly larger.

The performance of QKD protocols against quantum-memory-bounded eavesdroppers can be improved further by making the choice of the encoding bases more random. For example, they might be chosen from the set of all possible orthonormal bases on a two-dimensional Hilbert space. As shown in Section 4.5.3, the overall average entropic uncertainty bound is then given by $h \approx 0.72$, and (8.1) is satisfied if $p \lesssim 20\%$. For an unbounded adversary, the thresholds are the same as for the six-state protocol (i.e., 14.1% for the best known one-way protocol).

8.3 Possible Extensions

It is an interesting open problem to consider protocols using higher-dimensional quantum systems. The results described in Section 4.5.3 show that for high-dimensional systems, the average entropic uncertainty bound converges to its theoretical maximum. The maximal tolerated channel noise might thus be higher for such protocols (depending on the noise model for higher-dimensional quantum channels).

Another interesting problem is to derive completely one-way quantum-key-distribution schemes, i.e., to eliminate the interactive sifting phase from the protocol in Figure 8.1. The idea is to let the honest parties use a pre-shared secret key to determine the bases of the encoding.
If a key of size linear in the number of qubits is used, the scheme has to guarantee that a big portion of the key can be reused several times in order to yield a reasonable amount of fresh key. Quantifying the amount of information an eavesdropper can learn about the pre-shared key by interfering in the preparation step and eavesdropping on the following classical communication is an open problem.

Another approach consists of expanding a pre-shared key of size only logarithmic in the number of qubits into a pseudo-random linear-size key to determine the bases of the encoding. It is an open question how to extend our uncertainty relation from Section 4.5 to the case of only pseudo-random bases.

Chapter 9 Conclusion

9.1 Towards Practice

In the following two sections, we elaborate on the question of how close to practice our systems are. First, we argue that imperfections occurring in practice like dark counts and empty pulses are covered by our $(\phi,\eta)$-weak quantum model used in Sections 5.6, 6.4.2 and 7.6. Second, we sketch how our techniques can be extended to the more realistic setting of noisy quantum memory.

9.1.1 More Imperfections

A natural approach for implementing two-party protocols like bb84-qot, Rand 1-2 QOT$^\ell$, and comm is to use the polarization of photons governed by the laws of quantum optics. Such systems are nowadays at the stage where they can be built in an optical physics lab. Besides the already modeled bit errors and multi-pulse emissions, more imperfections of the physical apparatus such as empty pulses and dark counts need to be taken into account. The players have synchronized clocks, and in every predefined time slot the sender is supposed to send out a single qubit.
In practice, weak coherent pulses are used to approximate single-photon sources by producing on average only a small fraction of one qubit per pulse. This means that most of the pulses are empty, but on the other hand, there is also a small probability for a multi-qubit pulse. The receiver reports to the sender in which time slots he received pulses. Empty pulses also occur when the quantum channel lets a transmitted qubit escape or when it is absorbed. It is realistic that a good estimate of the rate at which empty pulses are produced (when no adversary is present) is known, e.g., from the hardware specifications and by measuring and calibrating the experimental setup. In this case, the adversary can only take advantage of empty pulses caused by absorption in the fiber. The best the adversary can do is to substitute the fiber for one that preserves all qubits sent and to report empty pulses when a single pulse has been received. The effect is to increase the rate at which multi-qubit pulses occur. This attack is known as the Photon-Number-Splitting attack, first noted by Huttner, Imoto, Gisin, and Mor [HIGM95] and for instance explained in [BLMS00a, BLMS00b] in the setting of quantum key distribution. It follows that empty pulses can also be included in the $(\phi,\eta)$-weak quantum model by an appropriate adjustment of the parameter $\eta$.

Furthermore, thermal fluctuation in the detector hardware might result in a detection even though no qubit was received. This is called a dark count. In this time slot, the receiver will report the reception of a qubit, and as the outcome is random, it agrees with the actual bit sent with probability $\frac12$.
Formally, assume that a practical implementation of bb84-qot, Rand 1-2 QOT$^\ell$, or comm takes place in a setting where $\phi_x$ is the probability for a bit error caused by the channel, $\phi_{dc}$ is the probability for a dark count in a specific time slot, $\eta_{mq}$ is the probability for a multi-qubit transmission in a non-empty pulse, and $\eta_{ab}$ is the probability for an empty pulse caused by absorption of a non-empty pulse. In these terms, dark counts contribute $\frac{\phi_{dc}}{2}$ to the bit-error rate $\phi_x$. If the adversary is able to get perfect transmission, she can suppress single-qubit pulses up to a rate of $\eta_{ab}$, thereby increasing the rate $\eta_{mq}$ of multi-photon pulses by a factor $\frac{1}{1-\eta_{ab}}$. It follows that if bb84-qot, comm, and Rand 1-2 QOT$^\ell$ are secure in the $\big(\phi_x + \frac{\phi_{dc}}{2},\ \frac{\eta_{mq}}{1-\eta_{ab}}\big)$-weak quantum model, then their implementation is also secure, provided it is accurately modeled by these four parameters. Likewise, a variety of imperfections specific to particular implementations may be adapted to the weak quantum model.

9.1.2 Generalizing the Memory Model

The bounded-quantum-storage model limits the number of physical qubits the adversary's memory can contain. A more realistic model would rather address the noise process the adversary's memory undergoes. For instance, it is not hard to build a very large but unreliable memory device containing a large number of qubits. It is reasonable to expect that our protocols remain secure also in a scenario where the adversary's memory is of arbitrary size, but where some quantum operation (modeling noise) applies to it. If we do not substitute $H_{\max}(\rho_E)$ with the number of qubits $q$ in Term (2.6) in the privacy-amplification Section 2.5, then our constructions can cope with slightly more general memory models.
In particular, all our protocols that are secure against adversaries with memory of no more than $\gamma n$ qubits are also secure against any noise model that reduces the rank of the mixed state $\rho_E$ held by the adversary to at most $2^{\gamma n}$, i.e., $H_{\max}(\rho_E) \le \gamma n$. An example of a noise process resulting in a reduction of $H_{\max}(\rho_E)$ is an erasure channel. Assuming the $n$ initial qubits are each erased with probability larger than $1 - \gamma$ when the memory bound applies, it holds except with negligible probability in $n$ that $H_{\max}(\rho_E) < \gamma n$. The same applies if the noise process is modeled by a depolarizing channel with error probability $p = 1 - \gamma$. Such a depolarizing channel replaces each qubit by a random one with probability $p$ and does nothing with probability $1 - p$. The technique we have developed does not allow us to deal with depolarizing channels with $p < 1 - \gamma$, although one would expect that some $0 < p < 1 - \gamma$ should be sufficient to ensure security against such adversaries, the reason being that not knowing the positions where the errors occurred should make it more difficult for the adversary than when the noise process is modeled by an erasure channel. However, it seems that our uncertainty relations are not strong enough to address this case. Generalizing the bounded-quantum-storage model to more realistic noisy-memory models is an interesting open question.

9.2 Conclusion

The bounded-quantum-storage model presented in this thesis is an attractive model, in both the theoretical and the practical sense. On the theoretical side, it allows for very simple protocols implementing basic two-party primitives such as oblivious transfer and bit commitment. New high-order entropic uncertainty relations have been established in order to show the security with the help of techniques such as purification and privacy amplification by two-universal hashing.
These uncertainty relations can also be applied in different settings like quantum key distribution. On the practical side, the protocols do not require any quantum memory for honest players and remain secure provided the adversary has a quantum memory of size bounded by a constant fraction of all transmitted qubits. Such a gap between the amount of storage required for honest players and adversaries is not achievable by classical means. The protocols can be adapted to tolerate various kinds of errors, and in fact they can be implemented with today's technology. A collaboration of people from the computer science and physics departments of the University of Aarhus is currently working on the implementation of these protocols (see footnote 1).

In summary, one can say that the bounded-quantum-storage model has passed its first tests by proving its power (the possibility of oblivious transfer) and by inspiring beautiful theoretical results (quantum uncertainty relations). It is a good sign that the protocols for the basic primitives are simple in structure. In principle, enough instances of these protocols could be used to implement more involved cryptographic tasks like secure identification, which reduces essentially to securely checking whether two inputs are equal (without revealing more than this mere bit of information). However, it is a natural next step to find more efficient, direct protocols for those tasks, secure in the bounded-quantum-storage model. Such a direct approach gives a better ratio between storage bound and communication complexity and is the topic of a recent paper [DFSS07].

A major open problem is the optimality of the bounds on the adversary's quantum memory.
The b it-commitmen t proto col c omm for instance app ears to b e secure against an y adv ersary with memory less than n qubits, b ut our analysis requir es th e memory to b e smaller than n/ 2 (or n/ 4 for strong b in ding). Also, fin ding pr otocols secure against adversaries in more general noisy-memory mo dels, as discussed in the last S ection 9.1.2, w ould certainly b e a natural and interesti ng extension of this work to more practical settings [DSTW07]. F urther m ore, th ere is still a lac k of simple and intuitiv e securit y defin itions for 1 See http://www.brics .dk/~salvail/qusep.html for further information on the QUSEP pro ject. 9.2. Conclusion 101 primitiv es lik e 1 -2 OT etc. w ith r igorous comp osabilit y results (lik e unive rsal comp osabilit y) in the qu an tum setting. V ery recen t resu lts in this direction ha v e b een established in [WW07]. Notation General log binary logarithm ln natural logarithm N n atural n umbers: 1 , 2 , 3 , . . . R r eal n umber s [ a, b ] set of real num b ers r suc h that a ≤ r ≤ b ( a, b ] set of real num b ers r suc h that a < r ≤ b x | I substring of x consisting of bit p ositions in index set I x | ◦ I as ab o v e, p added with 0s B δn ( x ) set of n -bit strings with Hammin g distance at most δ n from x ne gl ( n ) ne gl ( n ) an y fun ction in n smaller than the inv erse of any p olynomial for large enough n [+ , × ] b + for b = 0 and × for b = 1 δ i,j Kronec k er d elta Classical Information Theory P X | Y conditional probabilit y distr ibution of X giv en Y E [ R ] exp ected v alue of the real random v ariable R δ ( P , Q ) v ariational distance b et w een distribu tions P and Q P ≈ ε Q P and Q are at v ariational distance at most ε unif ind ep endent and uniform ly distr ib uted binary random v ariable unif ℓ ℓ copies of it E ev en t 1 E indicator random v ariable of ev en t E X ↔ Z ↔ Y Mark o v chai n Quan tum Information Theory H d Hilb ert space of dimension d P ( H ) set of densit y op erators on H 
ρ density op erator: norm alized, Hermitian, non-negativ e tr( ρ ) trace of ρ 1 fully mixed state δ ( ρ, σ ) trace distance b etw ee n ρ and σ | b i θ classical bit b enco ded in b asis θ ρ X E cq-state 102 Not a tion 103 En tropies h ( · ) binary Shann on entrop y function π α ( X | Y ) α -order sum of X giv en Y with joint distrib ution P X Y H α ( X | Y ) R ´ en yi ent ropy of order α of X giv en Y H ∞ ( X | Y ) min-en tropy of X giv en Y H 2 ( X | Y ) collision en tropy of X giv en Y H( X | Y ) Shannon en trop y of X giv en Y H 0 ( X | Y ) max-en trop y of X giv en Y ˜ H α ( X | Y ) a v erage conditional R ´ enyi en tropy of order α H ε α ( X | Y ) ε -smo oth R´ en yi entrop y of order α of X giv en Y H ε ∞ ( X | Y ) ε -smo oth min-entrop y of X giv en Y H ε 0 ( X | Y ) ε -smo oth max-en tropy of X giv en Y H α ( ρ ) R´ en yi en tropy of order α of the s tate ρ H min ( ρ AB | σ B ) min-en tropy of ρ AB relativ e to σ B H min ( ρ AB | B ) min-entrop y of ρ AB giv en H B H ε min ( ρ AB | σ B ) ε -smo oth min-entrop y of ρ AB relativ e to σ B H ε min ( ρ AB | B ) ε -smo oth m in-en trop y of ρ AB giv en H B Bibliograph y [ADR02] Y onatan Aum ann, Y an Zong Ding, and Mic hael O. Rabin. Ev er- lasting secur ity in the b ounded storage mo d el. IEEE T r ansa ctions on Information The ory , 48(6):1668 –1680, Ju ne 2002. cited on page 4. [AS00] Noga Alon and Jo el Sp encer. The Pr ob abilistic M etho d . Series in Discrete Mathematics and Optimization. Wiley-In terscience, 2nd edition, 2000. cited on pages 14 and 54. [Aza04 ] Ad am Azarc hs. En tropic uncertaint y relat ions f or incom- plete sets of m utually un biased observ ables. Av ailable at h ttp://arxiv.org/abs/quan t-ph/0412 083, 2004. cited on page 59. [Azu67] Kaz uoki Azuma. W eigh ted sum s of certain d ep endent r an d om v ari- ables. Tˆ ohoku Mathematic al Journal , 19:357–367 , 1967. cited on page 54. [BB84] Charles H. Bennett and Gilles Brassard. 
Quan tum cryptography: Public k ey distribu tion and coin tossing. In Pr o c e e dings of IEEE International Confer e nc e on Computers, Systems, and Signal Pr o- c essing , pages 175–179 , 1984. cited on pages 8, 76, and 96. [BB06] I. Bialynic ki-Birula. F orm ulation of the un certain t y relations in terms of th e R ´ enyi en tropies. Physic al R eview A , 74:0 52101, 2006. cited on page 59. [BBCM95] Charles H. Bennett, Gilles Brassard, Claude Cr´ ep eau, and Ueli M. Maurer. Generalized priv acy amplification. IE EE T r ansactions on Information The ory , 41:1915 –1923, Nov emb er 1995 . cited on pages 25 and 28. [BBCS91] Ch arles H. Bennett, Gilles Brassard, Claude Cr ´ ep eau, and Marie- H ´ el ` ene Sku biszewsk a. Pr actical quantum oblivious tr an s fer. In A d- vanc es in Cryptolo gy—CR YPTO ’91 , volume 576 of L e ctur e N otes in Computer Scienc e , p ages 351–3 66. Sp ringer, 1991. 104 Bibliography 105 cited on page 10. [BBM75 ] I. Bialynic ki-Birula and J. Mycielski. Uncertain t y r elations f or information en tropy . Communic ations in Mathematic al Physics , 129(4 4), 1975. cited on page 57. [BBR88] Charles H. Bennett, Gilles Brassard, and Jean-Marc Rob ert. Priv ac y amplification b y public d iscussion. SIAM J. Comput. , 17(2): 210–229 , 1988. cited on page 25. [BC97] Gille s Brassard and Claude Cr´ ep eau. Oblivious trans fers and pri- v acy amplification. In A dvanc es in Cryptolo gy—CR YP TO ’97 , v ol- ume 1294 of L e ctur e Notes in Computer Scienc e . Springer, 1997. cited on pages 29, 30, 40, and 41. [BCJL93] Gilles Brassard, Claude Cr´ ep eau, Ric hard Jozsa, and Denis Lan- glois. A quan tum b it commitmen t scheme pro v ably unbreak able b y b oth parties. In 34th Annua l IEEE Symp osium on F oundations of Computer Scienc e (F OCS) , pages 362–371 , 1993 . cited on page 10. [BCW03] Gilles Brassard, Claude Cr´ ep eau, and Stefan W olf. O blivious trans- fer and pr iv acy amplification. Journal of Cryptolo gy , 16(4), 2003. 
cited on pages 29, 30, 34, 35, 40, 41, 42, 45, and 46. [Bea95 ] Donald Bea v er. Precomputing oblivious transfer. In A dvanc es in Cryptolo g y—CR YP TO ’95 , v olume 963 of L e c tu r e N otes in Com- puter Scienc e , pages 97–10 9. Spr inger, 1995. cited on page 31. [Bha97] Ra jendra Bhatia. Matrix Analysis . Gradu ate T exts in Mathemat- ics. Sprin ger-V erlag, 1997. cited on page 53. [BLMS00a] Gilles Brassard, Norb ert L ¨ utke nhaus , T al Mor, an d Barry C. Sanders. Limitations on p ractical quan tum cryptograph y . Physic al R evie w L etters , 85(6): 1330–13 33, Augus t 2000 . cited on page 98. [BLMS00b] Gilles Brassard , Norb ert L ¨ utk enhaus, T al Mor, and Barry C . Sanders. Securit y asp ects of pr actica l quan tum cryptograph y . In A dva nc es in Cryptolo gy—EUROCR YPT ’00 , vo lume 1807 of L e c - tur e Notes in Computer Scienc e , p ages 289–2 99. Sp ringer, 2000. cited on page 98. Bibliography 106 [BM04] Mic hael Ben-Or and Dominic Ma y ers. General secu- rit y defin ition and comp osabilit y for quantum and clas- sical proto cols, Sep temb er 2004. online a v ailable at http://x xx.lanl. gov/abs/ quant-ph/0409062 . cited on page 6. [BS93] Gilles Brassard and Louis Salv ail. Secret-k ey reco nciliation b y pu b- lic discussion. In A dvanc es in Cryptolo gy—EUROCR YPT ’93 , v ol- ume 765 of L e ctur e N otes in Comp uter Scienc e , pages 410–423. Springer, 1993. cited on page 76. [BWW06 ] Man uel A. Balleste r, Stephanie W ehner, and And reas Win ter. State discrimination with p ost-measuremen t information, 2006. http://a rxiv.org /abs/qua nt-ph/0608014 . cited on page 75. [Cac97] Ch ristian Cac hin. Smo oth entrop y and R ´ en yi en trop y . In A dvanc es in Cryptolo gy—E UROCR YPT ’97 , vol ume 1233 of L e ctur e Notes in Computer Scienc e , p ages 193–2 08. Sp ringer, 1997. cited on page 19. [Cac98] Ch ristian Cac hin. O n th e foundations of oblivious transfer. 
In A d- vanc es in Cryptolo gy—EU ROCR YPT ’98 , v olume 1403 of L e ctur e Notes in Computer Scienc e . Springer, 1998. cited on pages 29, 30, 40, 42, and 43. [CCM98] C . Cac hin, C. Cr´ ep eau, and J. Marcil. Oblivious tran s fer with a memory-b ound ed receiv er . In 39th Annual IEE E Symp osium on F oundations of Computer Scienc e (FOCS) , p ages 493–5 02, 1998. cited on pages 4 and 40. [CK78] Imr e Csisz´ ar and J´ anos K¨ orner. Broadcast c hann els with con- fidenti al messages. IEEE T r ansa ctions on Information The ory , 24(3): 339–348 , Ma y 1978. cited on page 95. [CK88] Claud e C r ´ ep eau and Jo e Kilian. Ac hieving oblivious transfer using w eak ened securit y assumptions. In 29th Annual IEEE Symp osium on F oundations of Computer Scienc e (FOCS) , pages 42 –53, 1988. cited on pages 3 and 40. [CM97] Christian Cac hin and Ueli M. Maurer. Unconditional security against memory-b oun ded adv ersaries. In A dvanc es in Cryp tolo gy— CR Y PTO ’97 , v olume 1294 of L e ctur e Notes in Computer Scienc e , pages 292–30 6. S pringer, 1997. cited on page 4. Bibliography 107 [CMW04] Claude C r ´ ep eau, Kirill Morozo v, and Stefan W olf. Efficient un- conditional oblivious transfer from almost any noisy channel. In International Confer e nc e on Se curity in Communic atio n Networks (SCN) , vo lume 4 of L e ctur e Notes in Computer Scienc e , 2004. cited on pages 3 and 40. [Cr ´ e87] Claude Cr´ ep eau. Equiv alence b et w een t w o fla vo urs of oblivious transfers. In A dvanc es i n Cryptolo gy—CR YPTO ’ 87 , v olume 293 of L e ctur e N otes in Computer Scienc e . Springer, 1987. cited on pages 29 and 40. [Cr ´ e94] Claude Cr´ ep eau. Quant um oblivious transfer. Journal of Mo dern Optics , 41(12):2 455 – 2466, 1994. cited on page 10. [Cr ´ e97] Claude Cr´ ep eau. Efficient cryptographic proto cols b ased on noisy c hannels. In A dvanc es in Cryptolo gy—EU ROCR Y PT ’97 , v ol- ume 1233 of L e ctur e Notes in Computer Scienc e , pages 306–31 7. Springer, 1997. 
cited on page 76. [CRE04] Matthias Christandl, Renato Renner, and Artur Ekert. A generic securit y pro of for quan tum k ey distribution. h ttp://arxiv.org/abs/quan t-ph/0402 131, F ebr u ary 2004. cited on page 25. [CS06] Claude Cr´ ep eau and Georges Sa vvides. Optimal red u ctions b e- t w een oblivious transfers using int eractiv e h ashing. In A dvanc es in Cryptolo g y—E UROCR YPT ’06 , volume 4004 of L e ctur e Notes in Computer Scienc e , pages 201–22 1. Spr in ger, 2006. cited on pages 29, 40, 41, and 45. [CSSW06] Claude C r´ ep eau, George Sa vvides, Christian Schaffner, and J ¨ ur g W ullsc hleger. Information-theoretic conditions for t w o- part y secure fun ction ev aluatio n. In A dvanc es in Crypto lo g y— EUROCR YPT ’06 , vol ume 4004 of L e ctur e Notes in Computer Sci- enc e , pages 538–554 . S pringer, 2006. cited on pages 5, 6, 30, 31, 32, 70, and 80. [CT91] T.M. Co v er and J.A. Thomas. Elements of Information The ory . Wiley , 1991. cited on pages 12 and 21. [CW77] J. L a wrence Carter and Mark N. W egman. Univ ersal classes of hash functions. I n 9th Annual ACM Symp osium o n The ory of Computing (STOC) , pages 106–112, 1977. cited on page 26. Bibliography 108 [Deu83] Da vid Deutsc h. Uncertain t y in quant um measuremen ts. Physic al R evie w L etters , 50(9): 631–633 , F ebruary 1983. cited on page 57. [DFMS04] I v an B. Damg ˚ ard, Serge F ehr, K irill Morozo v, and Louis S alv ail. Unfair noisy channels and oblivious transf er . In The ory of Crypto g - r aphy Confer enc e (TCC) , v olume 2951 of L e ctur e Notes in Com- puter Scienc e , pages 355–3 73. Sp ringer, 2004. cited on pages 3 and 40. [DFR + 07] Iv an B. Damg ˚ ard, Serge F ehr , Renato Renner, Lou is Salv ail, and Christian Sc haffner. A tight high-order en tropic qu an tum u ncer- tain t y relation with app lications. In A dvanc es in Cryptolo gy— CR Y PTO ’07 , v olume 4622 of L e ctur e Notes in Computer Scienc e , pages 360–37 8. S pringer, 2007. 
cited on pages 4, 52, 70, 79, 86, and 94. [DFSS05] I v an B. Damg ˚ ard, Serge F ehr, Louis Salv ail, and Christian Sc haffner. C ryptography in the b ounded qu an tum-storage mo del. In 46th Annual IEEE Symp osium on F oundations o f Comp uter Sci- enc e (F OCS) , pages 449–458, 2005. cited on pages 4, 69, 70, and 86. [DFSS06] I v an B. Damg ˚ ard, Serge F ehr, Louis Salv ail, and Christian Sc haffner. Ob livious transfer and lin ear fun ctions. In A dvanc es in Cryptolo g y—CR YP TO ’06 , vol ume 4117 of L e ctur e Notes in Com- puter Scienc e , pages 427–4 44. Sp ringer, 2006. cited on pages 4, 29, and 45. [DFSS07] I v an B. Damg ˚ ard, Serge F ehr, Louis Salv ail, and Christian Sc haffner. Secure identi fication and QKD in the b ounded-quantum- storage m o del. In A dvanc es in Cryptolo gy—CR YPTO ’07 , v ol- ume 4622 of L e ctur e Notes in Computer Scienc e , pages 342–35 9. Springer, 2007. cited on page 100. [DFSS08] I v an B. Damg ˚ ard, Serge F ehr, Louis Salv ail, and Christian Sc haffner. Cryptography in the b ounded -quan tum-storage mo del. sp e cial issue of SIA M Journal of Computing , 2008. to app ear. cited on pages 4, 52, and 69. [DHRS04] Y an Zong Ding, Dann y Harnik, Alon Rosen, and Ronen Shaltiel. Constan t-round oblivious transfer in the b ound ed storage mo del. In The ory of Crypto gr aphy Confer enc e (TCC) , vol ume 2951 of L e ctur e Notes in Computer Scienc e , pages 446–47 2. Sp ringer, 2004 . cited on pages 4 and 40. Bibliography 109 [Din01a] Y an Zong Ding. Ob livious transfer in the b ounded storage mo del. In A dvanc es in Cryptolo gy—CR YPTO ’01 , vo lume 2139 of L e ctur e Notes in Computer Scienc e , pages 155–17 0. Sp ringer, 2001 . cited on page 4. [Din01b] Y an Zong Ding. Oblivious transfer in the b oun ded storage m o del. In A dvanc es in Cryptolo gy—CR YPTO ’01 , vo lume 2139 of L e ctur e Notes in Computer Scienc e . Springer, 2001. cited on page 40. [Din05] Y an Zong Ding. 
E rror co rrection in the b ound ed storage mod el. In The ory of Crypto gr aphy Confer enc e (TCC) , vol ume 3378 of L e ctur e Notes in Computer Scienc e , pages 578–59 9. Sp ringer, 2005 . cited on page 4. [DKS99] Iv an Damg ˚ ard , Jo e K ilian, and Louis Salv ail. On the (im)p ossibilit y of basing oblivious transfer and bit commitment on we ak ened secu- rit y assumptions. In A dvanc es in Cryptolo gy—EUROCR YPT ’99 , v olume 1592 of L e ctur e Notes in Computer Scienc e , pages 56–73. Springer, 1999. cited on pages 3 and 40. [DM04] Stefan Dzie mbowski and Ueli M. Ma urer. On generating the initial k ey in the b ound ed-storage mo del. In A dvanc es in Cryptolo gy— EUROCR YPT ’04 , vol ume 3027 of L e ctur e Notes in Computer Sci- enc e , pages 126–137 . S pringer, 2004. cited on page 4. [DMS00] P au l Dumais, Dominic Ma y ers, and Louis Salv ail. P erfectly con- cealing q u an tum bit commitment fr om any quan tum one-w a y p er- m utation. In A dvanc es in Crypto lo g y—E UROCR YPT ’00 , v ol- ume 1807 of L e ctur e Notes in Computer Scienc e , pages 300–31 5. Springer, 2000. cited on pages 6 and 88. [DPS04] Iv an B. Damg ˚ ard, Thomas B. P edersen, and Louis Salv ail. On the k ey-uncertain t y of quant um ciphers and the computational secu- rit y of one-w a y quant um transmission. In A dvanc es in Cryptolo gy— EUROCR YPT ’04 , vol ume 3027 of L e ctur e Notes in Computer Sci- enc e , pages 91–108. Spr inger, 2004. cited on page 59. [DRS04] Y evgeniy Dod is, Leonid Reyzin, and Adam Smith. F uzzy extrac- tors: Ho w to generate strong k eys from biometrics and other noisy data. In A dvanc es i n Cryptolo gy—E UROCR YPT ’04 , v olume 3027 of L e ctur e Notes in Computer Scienc e , pages 523–540. Sprin ger, 2004. cited on page 76. Bibliography 110 [DSTW07] Da vid P . DiVincenzo, Christian Sc haffner, Barbara M. T erhal, and Stephanie W ehner. Cryptography from n oisy quantum storage. priv ate communicati on, 2007. cited on page 100. 
[EGL82] Shimon Even, Oded Goldreic h, and Abraham Lemp el. A random- ized p roto col for signing con tracts. In A dvanc es in Cryp tolo gy: Pr o c e e dings of CR YPTO 82 . Plenum Pr ess, 1982. cited on pages 1 and 29. [Ek e91] Artu r K. Ek ert. Quan tum cryp tography based on b ell’s theorem. Physic al R eview L etter , 67(6):661– 663, August 1991. cited on page 72. [Eng03] B.-G. Englert. Mutually u n biased bases. Op en Problems in Quantum Information Theory , 2003. http://w ww.imaph .tu-bs.d e/qi/problems . cited on page 57. [F GG + 97] Ch ristopher A. F uc hs, Nicolas Gisin, Rob ert B. Griffiths, Chie- Sheng Niu, an d Asher P eres. Optimal ea v esdropping in quantum cryptograph y . I. I n formation b ou n d and optimal strateg y . Physic al R evie w A , 56:11 63 – 1172, 1997. cited on page 9. [FvdG99] Christopher A. F uc hs and Jero en v an d e Graaf. Cryp tographic distinguishabilit y measures for quan tum-mec hanical states. IEEE T r ansactions on Information The ory , 45:1216– 1227, 1999. cited on page 28. [Gol95] Oded Goldreic h. Th ree X OR-lemmas - an exp osition. Ele ctr onic Col lo quium on Computationa l Complexity (ECCC) , 2(56), 1995. cited on page 34. [Hei27] W erner Heisen b erg. S c h w ankun gsersc hein ungen u nd quan ten- mec hanik. Zei tschrift f¨ ur Physik , 40:50 1–506, 1927. cited on page 57. [HIGM95] B . Huttner, N. Imoto, N. Gisin, and T. Mor. Quantum cr y p tog- raphy with coheren t states. Phys. R ev. A , 51(3):18 63–1869 , Mar 1995. cited on page 98. [HILL99] J oh an H ˚ astad, Russell Impagliazzo, Leonid A. Levin, and Mic hael Luby . A p seudorandom generator from an y one-wa y function. SIAM Journal on Computing , 28(4), 1999. cited on page 28. Bibliography 111 [HR06] Thomas Holenstein and Ren ato Renner. On the r andomness of in- dep end en t exp erimen ts. http:// www.arxi v.org/cs .IT/0608007 , 2006. cited on page 21. [HU88] J. Hilgev o o d and J.B.M. Uffin k. Th e mathematical expression of the uncertaint y principle. 
In Micr oph ysic al R e ality and Qu antum Description . Kluw er Academic, 1988. cited on page 57. [HV06] Pet er Harremo ¨ es and Ch ristophe Vignat. R´ en yi entropies of marginal distribu tions. sub mitted to Elsevier Science, 2006. cited on pages 67 and 68. [ILL89] Russell Impagliazzo , Leonid A. Levin, and Mic hael Luby . Pseudo- random generation from one-w a y functions. In 21st Annual ACM Symp osium on The ory of Computing (STOC) , pages 12–2 4, 1989. cited on pages 19, 25, and 28. [Iv o81] I. D. Ivo novi ´ c. Geometrical description of quan tal state de- termination. Journal of Physics A: Mathematic al and Gener al , 14(12 ):3241–3 245, Dece mber 1981. cited on page 56. [Jon91] K.R.W. Jones. Riemann-Liouville fr actional int egration and re- duced distributions on hyp erspher es. Journal of Physics A: Math- ematic al and Gener al , 24:123 7–1244 , 1991. cited on page 67. [JR W94] Ric hard Jozsa, Daniel Robb , and William K. W o otters. Lo w er b ound for accessible information in qu antum mechanics. Physic al R evie w A , 49(2 ):668–67 7, 1994. cited on page 67. [K GR05] Barbara Kr aus, Nicolas Gisin, and Renato Ren n er. Lo w er and upp er b ounds on the secret k ey r ate for qkd proto cols using one- w a y classical comm unication. Physic al R ev i ew L etters , 95(0 80501), August 2005. ep r in t arc hive : h ttp://arxiv.org/a bs/quant- ph/041021 5. cited on page 25. [Kil88] Jo e Kilian. F oun ding cryptography on oblivious transfer. In 20th Annual ACM Symp osium on The ory of Computing (STOC) , pages 20–31 , 1988. cited on pages 1 and 29. Bibliography 112 [Kit97] F uad Kittaneh. Norm in equalities for certain op erator sums. Jour- nal of F unctional Analysis , 143(FU96295 7):337–348, 1997. cited on page 53. [KMR05] Rob ert K¨ onig, Ueli Maurer, and Renato Renner. On the p o wer of qu an tum memory . IEEE T r ansa ction on Infor- mation The ory , 51(7):2391– 2401, Ju ly 2005 . eprint arc hive : h ttp://arxiv.org/abs/quan t-ph/0305 154. cited on page 25. 
[Kra87] K. Kraus . Complemen tary observ ables and uncertaint y relatio ns. Physic al R eview D , 35(10):3070 –3075, Ma y 1987. cited on page 57. [KT06] Rob ert K¨ onig and Barbara M. T erhal. The b ounded storage mo d el in the p r esence of a quantum adv ersary . http://a rxiv.org /abs/qua nt-ph/0608101 , 2006. cited on page 25. [Lar90] Ulf Larsen. Sup erspace geometry: the exact uncertain t y r elation- ship b etw een complement ary asp ects. Journal of Physics A: M ath- ematic al and Gener al , 23(7): 1041–10 61, Apr il 1990 . cited on page 58. [LBZ02] Ja y La wrence, ˇ Casla v Brukner, and An ton Zeilinger. Mu tu ally unbiase d bin ary observ able sets on N qubits. Physic al R eview A , 65(3), F ebr uary 2002. cited on page 57. [LC97] Hong-Kw ong L o an d H. F. C hau. Is qu an tum bit commitmen t really p ossible? Physic al R eview L etters , 78(17):3410 –3413, April 1997. cited on pages 2 and 10. [Lo97] H ong-Kwo ng Lo. Insecurity of qu an tum secure computations. Physic al R eview A , 56(2):1154– 1162, 1997. cited on page 10. [Lo01] H ong-Kwo ng Lo. Pro of of unconditional securit y of six-state quan- tum key distribution sc heme. Quantum Information and Compu- tation , 1(2):81– 94, 2001 . cited on page 97. [Lu04] Chi-Jen Lu. Encryp tion against storage-boun ded adversaries from on-line s tr ong extractors. Journal of Crypto lo gy , 17(1):27– 42, 2004. cited on page 4. Bibliography 113 [L ¨ ut00] Norb ert L ¨ utkenhaus. Securit y against in dividual attac ks for re- alistic quan tum k ey distribu tion. Physic al R eview A , 61:052304, 2000. cited on page 9. [Mau90] Ueli M. Ma urer. A pro v ably-sec ure strongly-randomized cipher. In A dva nc es in Crypto lo g y—E UROCR YPT ’90 , vol ume 473 of L e ctur e Notes in Computer Scienc e , pages 361–37 3. Sp ringer, 1990 . cited on pages 3 and 113 . [Mau91] Ueli M. Maurer. P erfect cryptographic securit y fr om partially in- dep end en t channels. 
In 23r d Annual ACM Symp osium on The or y of Computing (STOC) , p ages 561–5 72, 1991. cited on page 76. [Mau92] Ueli M. Maurer. Conditionally-p erfect secrecy and a pro v ably- secure rand omized cipher. Journal of Cryptolo gy , 5(1):53– 66, 1992. Preliminary version: [Mau90]. cited on page 4. [Ma y95] Do minic Ma y ers. On the secur ity of the quantum oblivious trans - fer an d ke y d istr ibution pr oto cols. In A dvanc es in Cryptolo gy— CR Y PTO ’95 , v olume 963 of L e ctur e Notes in Computer Scienc e , pages 124–13 5. S pringer, 1995. cited on page 10. [Ma y97] Do minic Ma ye rs. Unconditionally secure quantum bit commitmen t is imp ossible. P hysic al R eview L etters , 78(17):341 4–3417, April 1997. cited on pages 2 and 10. [MN05] T al Moran and Moni Naor. Basing cryptographic protocols on tamp er-evident seals. In 32nd Internat ional Col lo quium on Au- tomata, L anguages and Pr o gr amming (ICALP) , v olume 3580 of L e ctur e Notes in Computer Scienc e , pages 285–297. Sprin ger, 2005. cited on page 2. [MP95] Ra jeev Mot wani and Ragha v an Prabhak ar. R andomize d Algo- rithms . Cam bridge Un iv ersit y Press, 1995. cited on pages 14 and 54. [MS94] Dominic Ma yers and Louis Salv ail. Quan tum oblivious transfer is secure against all individual measurements. In Workshop on Physics and Computation, PhysComp ’94 , pages 69–77, No v em b er 1994. cited on page 10. Bibliography 114 [MST04] T al Moran, Ronen Shaltiel, and Amnon T a-Shma. Non-in teractiv e timestamping in the b ound ed storage mo del. In A dvanc es in Cryptolo g y—CR YP TO ’04 , vol ume 3152 of L e ctur e Notes in Com- puter Scienc e , pages 460–4 76. Sp ringer, 2004. cited on page 7. [MU88] Hans Maassen and Jos B. M. Uffin k. Generalized entropic uncer- tain t y relations. Physic al R eview L etters , 60(12):11 03–1106, Marc h 1988. cited on pages 8, 57, 60, and 66. [NC00] Mic hael A. Nielsen and Isaac L. C h uang. Quantum Computation and Quantum Information . 
Cambridge un iv ersit y pr ess, 2000. cited on pages 12 and 15. [Rab81] M. Rabin. How to exchange secrets by oblivious transfer. T echnical rep ort, Harv ard Aiken Computation Lab, 1981. cited on pages 2 and 29. [R ´ en61] Alfr´ ed R ´ en yi. On measures of entrop y and information. In Pr o- c e e dings of the 4th Berkeley Symp osium M athematic al Statistics and Pr ob ability , vo lume 1, p ages 547–5 61. Univ ersit y of California Press, 1961. cited on page 16. [Ren05] Renato Renner. Se curity of Quantum Key Distribution . PhD thesis, ETH Z ¨ ur ich (Switzerland), Sep tem b er 200 5. http://a rxiv.org /abs/qua nt-ph/0512258 . cited on pages 10, 15, 19, 23, 24, 25, 26, 28, and 95. [R GK05] Renato Renn er, Nicolas Gisin, and Barbara K raus. An inform ation- theoretic security p ro of for QKD proto cols. P hys. R ev. A , 72(01 2332), Ju ly 2005. cited on pages 9, 25, and 97. [RK05] Renato Renner and Rob ert K¨ onig. Univ ersally composable priv acy amplification against quant um adversaries. In The ory of Crypto gr a- phy Confer enc e (TCC) , v olume 3 378 of L e ctur e Notes in Computer Scienc e , pages 407–4 25. Sprin ger, 2005. cited on pages 16, 23, 25, and 26. [Rus94] Mary Beth Rusk ai. Beyo nd Strong Sub additivit y? Impr o v ed Bounds on the C on traction of Generalize d Relati ve Ent ropy . R e- views in Mathematic al Physics , 6:1147– 1161, 1994 . cited on page 15. Bibliography 115 [R W05] Renato R en ner and Stefan W olf. S imple and tight b ounds for in- formation reconciliation and pr iv acy amplification. In A dvanc es i n Cryptolo g y—A SIACR YPT 2005 , Lecture Notes in Computer Sci- ence, pages 199–216. Sp ringer, 2005. cited on pages 19, 20, 21, 25, and 28. [Sal98] Louis Salv ail. Qu an tum bit commitmen t from a physica l assump - tion. In A dvanc es in Cryptolo gy—CR YPTO ’98 , volume 1462 of L e ctur e Notes in Computer Scienc e , pages 338–353. Sprin ger, 1998. cited on page 7. [S´ an93] J orge S´ anc hez-Ruiz. 
En tropic uncertain t y and certain t y relatio ns for complemen tary observ ables. Physics L etters A , 173(3):233– 239, F ebruary 1993. cited on page 66. [S´ an95] J orge S´ anc hez-Ruiz. I m pro v ed b ound s in the entropic uncertaint y and certaint y relations for complement ary observ ables. Physics L etters A , 201(2– 3):125–1 31, Ma y 1995. cited on page 58. [Sha48] Claude Elw o o d Sh an n on. A mathematical theory of comm unica- tion. Bel l T elephone System T e chnic al Pu blic atio ns , 1948. cited on page 17. [SP00] P eter W. Shor and John Preskill. Simp le pr o of of security of the BB84 quantum k ey distribution proto col. P hysic al R evi e w L etters , 85(2): 441–444 , Ju ly 2000. cited on page 72. [S´ yk74] S tanisla v S ´ ykora. Quan tum theory and the Ba ye sian inference problems. Journal of Statistic al P hysics , 11(1):1 7–27, 1974. cited on page 67. [Unr02] Do miniqu e Unruh . F ormal securit y in quan tum cryptolog y . Master’s th esis, In s titut f ¨ ur Algorithmen und Kognitiv e Sys- teme, Univ ersit¨ at K arlsr uhe, Decem b er 2002. a v ailable at http://w ww.unruh .de/DniQ /publications . cited on page 6. [V ad04] S alil P . V adhan. On constru cting lo cally computable extractors and cryptosystems in th e b ounded storage mo d el. Journal of Cryptol- o gy , 17(1):43 –77, 2004. cited on page 4. [V az86] Umesh Virku mar V azirani. R andomness, adversaries and c ompu- tation . PhD thesis, Universit y of California, Berk eley , 1986. cited on page 34. Bibliography 116 [W C79] Mark N. W egman and J. Lawrence Carter. New classes and ap- plications of hash functions. In 20th Annual IEEE Symp osium on F oundations of Computer Scienc e (FOCS) , p ages 175–1 82, 1979. cited on page 26. [WF89] William K. W o otters and Brian D. Fields. Optimal state- determination by mutually unbiased measur emen ts. A nnals of Physics , 191(2):3 63–381, 1989 . cited on page 56. [Wie83] Steph en Wiesner. Conj ugate co d ing. SIGACT N ews , 15(1):78–88 , 1983. 
Original manuscript w ritten circa 1970. cited on pages 1, 10, 29, 56, 71, 79, and 81. [W ol00] S tefan W olf. Reducing oblivious strin g transfer to universal obliv- ious transfer. In IEEE International Symp osium on Information The ory (ISIT) , 2000. cited on pages 29, 30, and 40. [W ul07] J ¨ ur g W ullsc hleger. Oblivious-Trans fer amplification. In A dvanc es in Cryptolo gy—EUROCR Y PT ’07 , Lecture Notes in Computer S ci- ence. Sp ringer, 2007. cited on pages 3, 22, 30, 40, 45, 46, and 84. [WW07] Stephanie W ehner and J ¨ urg W ullschleg er. S ecurit y in the b ound ed - quan tum-storage mo del. priv ate comm unication, 2007. cited on page 101. [Y ao95] Andrew Chi-Ch ih Y ao. Securit y of quantum pr oto cols against co- heren t measurements. In 27th A nnual ACM Symp osium on the The ory of Computing (STOC) , pages 67–75, 1995. cited on page 10. Index ( φ, η )-weak qua ntu m mo de l, se e weak q uan- tum mo del E [ · ], se e exp ected v alue 1 (fully mixed state), 15, 102 α -order sum, 16, 17, 1 03 E ( ρ ) quantum oper ation, 15 P ( H ) (set o f densit y op era tors), 15 ε -close, 14 2-balanced, se e balanced function 2-universal hashing, se e tw o-universal hash- ing ab ort, 71 ancilla, 73 auxiliary input, 31 av erage entropic uncer taint y bo und, 8, 65, 96, 97 ov erall, 66, 67 Azuma’s inequality , 54, 55, 63, 64 balanced function, 34, 35, 4 1 basis circular, 15 computational, 8, 15, 74 diagonal, 8, 15, 71, 74 m utually unbiased, se e m utually un- biased bases rectilinear, se e bas is, 71 BB84 co ding scheme, 8, 66, 76, 81 Bell basis, 75 Bell measure men t, 75 binary entrop y function, 12 bit commitment, 2 bit commitment, 2 – 7, 80, 86 – 93 binding, 2, 6, 88 – 91 hiding, 2, 87 strong binding, 90 – 91 weak binding, 8 8 – 90 blo ck ma trix, 53 bo unded-quantum-storage mo del, 4 , 5, 52, 61, 73, 79, 99, 100 Cauch y-Sch w arz, 60 Cauch y-Sch w arz inequalit y , 13 Chernoff ’s inequality , 14, 77, 91, 92 classical b ounded-stora ge mo del, 3, 5, 7 co de, 76 
collision probability , 17, 58 comp osability , 6 compressio n, 73 computational basis, se e basis computational security , 3 concav e function, 13, 57 conjugate co ding , 71, 79, 81 conv ex function, 13 correctnes s of classical Rand 1 -2 OT , 3 1 of classical Rand 1 - n O T ℓ , 46 of quantu m Rabin OT , 70, 77 of quantu m Rand 1 -2 OT ℓ , 80 cq-state, 16, 102 cryptogr a phic mo del, 1 dark count , 76, 98, 99 density o p er ator, 15, 102 depo larizing channel, 99 Deutsch ’s relatio n, 57 diagonal basis, se e basis dishonest committer, 87 – 88 dishonest receiver in Rand 1 - 2 QOT ℓ , 82 of Rabin O T , 73 empt y pulse, 76, 9 8, 99 ent ropic functional, 19 ent ropic uncer ta int y b ound, se e av erag e ent ropic uncertaint y bo und ent ropic uncertaint y r elation, se e uncer- taint y relation ent ropy av erage c o nditional min-, 45 av erage c o nditional R´ enyi, 1 8, 103 chain r ule, 21 classical R´ e n yi, 16, 103 collision, 17, 28, 103 conditional R´ enyi, 17 max-, 17, 103 min-, 7, 17, 23, 25, 28, 58, 59, 6 3, 103 117 Index 118 monotonicity , 21 Shannon, 8, 17, 18, 57, 58, 63, 65, 1 03 smo oth, 19 smo oth min-, 23, 103 splitting lemma, se e min-entropy split- ting lemma sub-additivity , 21 EPR pair, 74 EPR-base d v ersion, se e purification erasure channel, 69, 99 error corr ection, 20, 76, 84, 95 classical b ounded-stora ge model, 4 error probability , 76 Euclidian norm, 52 even t E , 13, 102 everlasting securit y , 4 exp ected v alue, 14, 102 F a no’s inequality , 19 Haar measure, 66, 67 Hamming distance, 12, 27 hashing, se e tw o-universal has hing Hermitian, 15, 52 – 54 high-order entropic uncertaint y relation, se e uncertaint y relation Hilber t space, 15, 10 2 imper fect source, 76 impo ssibility of quantum bit commitmen t, 2 indicator rando m v ariable, 13, 102 information reconcilia tion, 20, 76 int erac tive hashing, 41 int erv al, 102 Jensen’s inequality , 13, 58, 5 9 key e x pansion, 3 Kolmogo rov dista nce, se e v ariational dis- tance Kronecker 
delta, 13, 102 laser, 98 left-ov er hash lemma, 28 linear function, se e non-degenera te linear function ln( · ), 12, 102 log( · ), 1 2, 102 Maassen and Uffink’s rela tion, 57, 66 Marko v c hain, 19, 102 Marko v’s inequalit y , 14, 18 martingale difference sequence, 55 martingale sequence, 54 maximum distanc e , 94 min-entrop y splitting lemma, 22, 45, 51, 82, 90 monotonicity , se e ent ropy m ulti-qubit emissio n, 76, 85, 98 m utually unbiased bases, 7, 8, 56, 59 NDLF, se e non- degenerate line a r function ne gl ( n ), 12, 102 noise level, 94 noisy-memor y mo de l, 99, 100 non-degenera te linear function, 5, 33, 3 4, 37, 39, 41, 44, 46, 48 – 50 oblivious transfer, 1, 3 – 6, 29, 3 0, 32, 33, 40, 42, 79 1 -2 O T , 79 – 8 5 Rabin OT , 69 – 78 generalized, 30, 40, 42, 45, 46 one-out-of- n , 30, 4 6 one-out-of-tw o, iii, iv, vii, viii, 1, 2 , 4 – 6, 1 0, 22, 29 – 32, 34, 35, 40 – 44, 46, 50, 65, 7 0, 79, 80, 84, 89, 9 0, 101, 114 – 116 Rabin, 2, 5, 6, 10, 29, 40 – 42, 44, 69– 72, 77 – 79, 84, 85, 89, 114 – 116 universal, 3 0, 40, 42 – 46, 82 X OR, 29, 30, 40 – 42, 44, 45 op erator norm, 52 orthogo nal pr o jector, 53 photon-num ber -splitting attac k, 98 po sitive o p erator- v a lued meas urement, 1 5 preparatio n, 95 priv acy amplification, 25 – 28, 58, 71, 7 4, 76, 82, 83, 95 deterministic, 75 randomized, 74 probability distr ibution conditional, 13 of random v ariable, 13 pro jector orthogo nal, se e orthogonal pro jector proto col, 1 4-state, 9 6-state, 9 pure state, 15 purification, 72, 77, 86 quantum cr y ptography , 7 quantum key distribution, iii, 2, 9, 94 – 97 one-wa y , 9 4, 97 quantum op er ation, 15 Index 119 quantum protoco l, 69 quantum uncertaint y relation, se e uncer- taint y relation randomizer, 3 randomness extraction, 20 raw key , 96 receiver-security of 1 -2 OT , 29 of classica l Rand 1 -2 OT , 31 of classica l Rand 1 - n OT ℓ , 46 of quantum Rabin O T , 70, 71, 77 of quantum Rand 1 -2 OT ℓ , 80 reduction, 5 reversed quan tum comm unication, 85 
secure sketc h, 76 sender-secur it y characterization of, 5, 34, 47 of classica l 1 - 2 O T , 29 – 51 of classica l Rand 1 -2 OT , 31 of classica l Rand 1 - n OT ℓ , 46 of quantum Rabin O T , 70, 73, 77 of quantum Rand 1 -2 OT ℓ , 80 of quantum R and 1 - 2 QOT , 84 sifting, 95, 97 single-photon source, 76, 98 sp oiling-knowledge, 43 stabilizer formalis m, 57 statistical distance, se e v ariatio na l distance sub-additivity , se e entrop y substring, 12, 102 syndrome, 76 telepo rtation, 75 time slot, 98 time-stamping, 7 trace, 102 trace distance, 15, 10 2 t wo-universal hashing, 25, 7 8, 8 1 strongly , 5, 26, 41 uncertaint y b ound, se e av erage entropic uncertaint y bound uncertaint y relatio n, 7, 8, 5 0, 57 – 68, 82, 100 individual bases, 65, 66 more mutually unbiased bases, 62 t wo m utually un biased bases , 59 uncertaint y relation , 52 unconditional security , 3, 5, 9 unif , 14 v a riational distance, 14, 102 weak coher ent pulse, 98 weak quantum mo del, 76, 77, 81, 84, 85, 91 – 93, 98, 99 X OR-Lemma, 34