Lecture Notes

Quantum Cryptography Week 9:

Perfect security from physical assumptions

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Licence.
 Contents

9.1 The noisy storage model 3

9.2 1-2 Oblivious Transfer in the noisy-storage model 3
9.3 Security from quantum uncertainty 4
 9.1 The noisy storage model 3

9.1 The noisy storage model

As we saw in the lecture notes of Week 8, security for two-party cryptography is hard to achieve.
Even when given the ability to use quantum communication, we still cannot hope to achieve the
security conditions. Yet, you maybe see that these are important problems that we need to solve on
an everyday basis! One is therefore willing to make some reasonable assumptions on how powerful
the dishonest party (adversary) can be, in order to obtain security guarantees. Security will thus
hold as long as these assumptions are satisfied.
Classically, one typically makes so-called computational assumptions. This means that we
assume that a particular problem, like factoring a large integer, requires a large amount of computa-
tional resources, and furthermore that the adversary has a relatively limited amount of computational
resources - namely, insufficient to solve the difficult problem within a reasonable time frame. Once
we build a quantum computer, however, many of these assumptions will no longer be valid! For
example, we know that the Shor algorithm provides a much more efficient way to factor large
numbers on a quantum computer! What’s more, however, security can be broken retroactively: that
is, if we build a quantum computer tomorrow, most two-party protocols that have been executed
to date will lose their security/secrecy, since the adversary can now use the quantum computer to
break the protocol. Clearly, this is very undesirable.
One way out of this dilemma is to make physical rather than computational assumptions. These
assumptions only need to be valid during the execution of the protocol, but become irrelevant
afterwards. Here, we will take a very simple assumption, namely we assume that the adversary
can only store q qubits during one particular point during the protocol. Otherwise, the adversary
remains all powerful: he/she may perform arbitrary quantum operations/computations, arbitrary
encoding and decoding procedures, and store an infinite amount of classical information. This
assumption is referred to as the bounded storage model. More generally, one can also invoke the
noisy storage model, where the storage is not only bounded, but also noisy in general. In such
cases, upper bounds quantities such as the entanglement assisted quantum capacity of the memory
[Ber+13] leads to security. Given that even the most sophisticated experimental realization of
quantum memories to date can reliably store no more than a few qubits for a few milliseconds
[Bao+12; Cha+05; Rei+10], this is a technologically well motivated assumption. Before, or after the
execution of the protocol, however, the attacker is allowed to have an arbitrary quantum memory,
and even a quantum computer. In particular, this means that if tomorrow we can build better
quantum memories, security can nevertheless never be broken retroactively.
In the next section, we have a look at a very simple protocol for this task.

9.2 1-2 Oblivious Transfer in the noisy-storage model

We have encountered the oblivious transferm in Week 8, and have seen that this is an important
protocol, in the sense that any two-party protocol may be achieved by a combination of 1-2 oblivious
transfer protocols, making it a fundamental building block of interest. We have also seen that
despite the attempt to construct OT protocols that make use of quantum communication, no secure
protocols exist – a malicious Bob could easily break the protocol by using for example a large
quantum memory. Fortunately, this is extremely difficult to do in current-day technology, and
therefore one may, by using the noisy storage model assumption, prove security for any Bob that
has a limited quantum memory.
Protocol 1 Protocol for 1-2 OT in the noisy-storage model. Alice has inputs s0 , s1 ∈ {0, 1}` ,
Bob has input y ∈ {0, 1}.
1. Alice chooses a random strings x = x1 , . . . , xn ∈ {0, 1}n and random basis θ = θ1 , . . . , θn ∈
{0, 1}n . She sends the bits encoded in the randomly chosen BB84 bases H θ1 |x1 i ⊗ . . . ⊗
 4

H θn |xn i to Bob.
2. If y = 0, then Bob measures all of the qubits in the standard basis. If y = 1, he measures
in the Hadamard basis. He records the resulting outcome string x̃ = x̃1 , . . . , x̃n .
3. Both parties wait time ∆t. (Storage assumption is applied!)
4. Alice sends to Bob the string θ1 , . . . , θn . Bob computes the set of indicdes I = { j | θ j = y}
where the measured in the same basis than Alice.
5. Alice chooses two random extractor functions as specified by random seeds r0 and r1 . She
computes k0 = Ext(x+ , r0 ) and k1 = Ext(x× , r1 ). Where x+ is the substring of x where
Alice encoded in the standard basis, and x× is the substring where she used the Hadamard
basis. She sends r0 and r1 to Bob.
6. Alice sends to Bob m0 = s0 ⊕ k0 and m1 = s1 ⊕ k1 , where ⊕ denotes the bit wise xor.
7. Bob computes k = Ext(xI , ry ) and sy = ky ⊕ ry .
Why does this protocol work? Let us first check that the protocol is correct, that is, Bob actually
obtains sy ! Note that if there is no noise, then whenever θ j = y, we have x j = x̃ j . That is, whenever
Alice had encoded in the basis in which Bob measures, then Bob learns the corresponding element
of Alice’s bit string. This means that if Alice’s now applies an extractor to hash down the elements
of the strings corresponding to the standard and Hadamard basis respectively, then Bob knows
one of them. Since Alice also sends him r0 and r1 , he hence learns ky , which acts like a key that
encrypts sy using one-time pad encryption, allowing him to recover sy . Similar to the case of QKD,
when a small amount of errors occur on the channel, information reconciliation can be performed
in order to ensure that Bob is able to correct for the errors in x̃.

9.3 Security from quantum uncertainty

Is Protocol 1 secure? Let us first check security against dishonest Alice. Here, we want to show
that Alice cannot learn y. If you look at the protocol above, it is clear that this is definitely the case:
Bob never sends any information at all to Alice, from which we could learn anything about y!
The only difficulty is thus to show security against dishonest Bob. Here, we want to show that
while Bob might learn one of the two strings, there is always a string sc̄ about which he knows
(almost) nothing. As you can see from a protocol above, we have used our favorite trick encountered
already in QKD, namely privacy amplification/randomness extraction. This means that if we could
only ensure somehow that Bob’s min-entropy about either x+ or x× is high, then by the properties
of privacy amplification we could be sure that he knows nothing about the extracted key.
Before we do this, let us first consider whether we can say anything at all about Bob’s min-
entropy about the entire string x. To reason about this, let us first observe that something magic
needs to happen in the waiting time ∆t. Clearly, if Bob could store all of Alice’s qubits, then he
can just measure the entire string in the correct basis and learn the whole string x. This means that
security against Bob can never be achieved if the number q of qubits that Bob can store is q ≥ n.
Let us thus assume that q < n. Note that since we allow Bob to have an arbitrary quantum
memory and computer before the waiting time, he can first store all of Alice’s qubits, and perform
an arbitrary quantum operation on all of them. For example, he might measure some of them,
resulting in some classical information K. However, he can then keep only q qubits in his quantum
register which we denote by Q. If we are interested in Bob’s min-entropy about the entire string,
we thus want to bound

Hmin (X+ X× |Θ, K, Q) (9.1)

where we have written X+ X× for the string X to remind ourselves that we are ultimately interested
in the two portions corresponding to the two different bases. To make his guess, Bob can use the
9.3 Security from quantum uncertainty 5

classical information K, the quantum register Q, as well as the basis information Θ that Alice sends
to him after the waiting time.
In QKD, we saw that is it often much easier to show security against an adversary who is purely
classical, so let us try and get rid of Q. As we have done so before in previous weeks, we can apply
the chain rule for the min-entropy. Recall that the chain rule says

Hmin (X+ X× |Θ, K, Q) ≥ Hmin (X+ X× |Θ, K) − log |Q| , (9.2)

= Hmin (X+ X× |Θ, K) − q . (9.3)

Hence, we could worry about a Bob who has only Θ and K. How could we possibly analyze this?
Again, let us think back to the tricks learned in QKD! By the guessing game, we could again
think of Bob preparing qubits and send them to Alice. Alice chooses one of two random basis,
after which she announces the basis choice to Bob. That is, we can use precisely the same guessing
game that we had used in QKD to analzye the case of an eavesdropper Eve who has only classical
information K! This gives the familiar
  
1 1
Hmin (X+ X× |Θ, K) = n − log + √ ≈ 0.22n . (9.4)
2 2 2

Of course, what we really want is to make a statement about the different parts X+ and X× . That is,
we want that there exists a c̄ ∈ {+, ×} such that Bob’s entropy about Xc̄ is high. Fortunately, there
is a beautiful lemma known as the min-entropy splitting lemma proven by Wullschleger which says
that there exists some register C̄ such that

Hmin (X+ X× |Θ, K)

Hmin (XC̄ |Θ, K, C̄) ≥ −1 . (9.5)
2
It is noteworthy that min-entropy splitting only holds if K really is classical which is why we first
have to get rid of q. We thus know that Bob’s min-entropy about at least one of the strings is large!
Putting the two ideas together we thus have

Hmin (XC̄ |Θ, K, C̄Q) ≥ Hmin (XC̄ |Θ, K, C̄) − q (9.6)

Hmin (X+ X× |Θ, K)
≥ −1−q . (9.7)
2
As usual we can now employ privacy amplifcation to say that Bob is ε-close to being ignorant,
whenever

` < Hmin (XC̄ |Θ, K, C̄, Q) − O(log 1/ε) − 1 (9.8)

≈ 0.11n − q − O(log 1/ε) − 2 . (9.9)

This means that whenever q . 0.11n we can have security for some ` > 0! Or, reading it the
other way around, assuming a maximum q for the adversary tells us that we need to send at least
n ≈ 1/0.11q qubits in order to achieve security. By much more sophisticated analysis, it is now
possible to show that security can be achieved as long as q ≤ n − O(log2 n) which is essentially
optimal. We thus see that security is possible by sending just a few more qubits than Bob can store.

Acknowledgments
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0
International Licence. The lecture notes are written by Nelly Ng and Stephanie Wehner. We
thank David Elkouss, Kenneth Goodenough, Jonas Helsen, Jérémy Ribeiro, and Jalex Stark for
proofreading.
 Bibliography

[Bao+12] Xiao-Hui Bao et al. “Efficient and long-lived quantum memory with cold atoms inside
a ring cavity”. In: Nature Physics 8.7 (2012), pages 517–521 (cited on page 3).
[Ber+13] Mario Berta et al. “Entanglement cost of quantum channels”. In: IEEE Transactions on
Information Theory 59.10 (2013), pages 6779–6795 (cited on page 3).
[Cha+05] T Chaneliere et al. “Storage and retrieval of single photons transmitted between remote
quantum memories”. In: Nature 438.7069 (2005), pages 833–836 (cited on page 3).
[Rei+10] KF Reim et al. “Towards high-speed optical quantum memories”. In: Nature Photonics
4.4 (2010), pages 218–221 (cited on page 3).