short course on quantum computing andris ambainis university of latvia
TRANSCRIPT
Short course on quantum computing
Andris AmbainisUniversity of Latvia
Lecture 3
Recent results in quantum cryptography
Quantum cryptography
Unconditional secure key distribution.Unconditional security for other tasks?
Setting
QKD: two honest parties, connected by insecure channel. Protection from eavesdropping.Two (or more) parties, some of them might be dishonest. Honest parties need to be protected from dishonest ones.
Bit commitment
Alice has a bit a. She wants to commit it to Bob so that Bob does not learn a, Alice cannot change it.
Coin flipping
Alice and Bob want to flip a coin so that neither of them controls the outcome.If both honest, 0 (1) with probability 1/2.If one honest, 0 (1) with probability at most 1/2+.
Oblivious transfer
Alice has two bits x0, x1. Bob wants to learn xb so that:
Alice does not learn b. Alice is guaranteed that Bob gets only
one bit.
Multiparty computation
Alice has x, Bob has y. They want to compute f(x, y) so that: Alice learns nothing about y except
f(x, y). Bob learns nothing about x except f(x,
y).
Generalizes to more than two parties.
Coin flipping
Alice and Bob want to flip a coin so that neither of them controls the outcome.If both honest, 0 (1) with probability 1/2.If one honest, 0 (1) with probability at most 1/2+.
Classical coin flipping
If hard functions are available,Information-theoretically (unlimited computational power), one party can always force one outcome with probability 1.
nc
1
Quantum coin flipping
Protocol with =1/4 [A, 2000].Lower bound of 1/2+ 1/2 [Kitaev, 2001].Better protocols with weaker definition [A, RS, 2002].
Classical coin flipping
a{0, 1} b{0, 1}Commit (a)
b
Reveal (a)
Result: (a+b) mod 2.
Why is this secure?
Bob is honest, Alice cheating.Alice’s bit a does not depend on b because Alice has to commit a before seeing b.Bob picks 0/1 with probability ½.The result is a or (a+1) mod 2 with probability ½.
Quantum coin flipping
a, x{0, 1} b{0, 1}
b
a,x
Result: (a+b) mod 2.
ax
General quantum states
k-dimensional quantum system.Basis |1>, |2>, …, |k>.General state
1|1>+2|2>+…+k|k>,
|1|^2+…+ |k|^2=12k dimensional system can be constructed as a tensor product of k quantum bits.
Measurements
Measuring 1|1>+2|2>+…+k|k>
in the basis |1>, |2>, …, |k> gives |i> with probability |i|2.
Any orthogonal basis can be used.
Quantum coin flipping
a, x{0, 1} b{0, 1}
b
a,x
Result: (a+b) mod 2.
ax
States
12|2
10|
2
1
0,12|2
10|
2
1
1,01|2
10|
2
1
01|2
10|
2
1
xa
xa
xa
xa
ax
Security result
Theorem. Alice (Bob) cannot achieve 0 (1) with probability more than 3/4.
Cheating Bob
Bob could measure the state in basis |0>, |1>, |2>.If a=0, he gets |0> or |1> with probabilities 1/2.If a=1, |0> or |2> with probabilities 1/2.Learns a with probability 1/2, no information otherwise.
Mixed states
If a=0, Alice sends |0>|1> with probabilities 1/2. If a=1, Alice sends |0>|2> with probabilities 1/2. How well can Bob distinguish these two?
Mixed states
Probabilistic combinations of quantum states.(|0> with probability 1/2 and |1> with probability 1/2) not the same as |0>+|1>.
|1>
|0>
|0> +|1>|0> -|1>
Equivalent mixed states
Let 0 be |0> or |1> with probabilities 1/2.Let 1 be |0>|1> with probabilities 1/2.Any measurement on 0 produces the same probability distribution as on 1.
Bra-ket notation
kaa k |...1|1
ka
a
a
...2
1
**2
*1 ... kaaa
Bra-ket notation
i
ii
k
k ba
b
b
b
aaa *2
1
**2
*1 ...
...
Inner product
Density matrix
Consider the mixed state that is |i> with probabilities pi.
The density matrix is ,i
iiip
**
2
*1
*21
*11
*11
...
.........
...
...
ikikiik
ikiii
ii
ii
ii
aaaa
aaaa
aa
aa
Density matrix
Let 1|2
10|
2
1
000
02
1
2
1
02
1
2
1
02
1
2
1
02
12
1
Cheating Bob
Alice sends 0, 1.
000
02
10
002
1
0
2
100
000
002
1
1
How well can Bob distinguish these two?
Cheating Bob
Theorem: The best probability with which Bob can guess i, given i, is
For matrices in our protocol, ||0-1||t=1, probability 3/4.
,42
1 10 t
AATrA T
t
Cheating Alice.
Fidelity of two density matrices.Bounds how one state can be transformed into another.Probability that Alice can convince Bob that a=0 is F(, 0).
Probability that Alice can convince Bob that a=1 is F(, 1).
Quantum coin flipping
a, x{0, 1} b{0, 1}
b
a,x
Result: (a+b) mod 2.
ax
Better bit commitment
Quantum bit commitment => Quantum coin flipping.Better commitment?Bob can’t guess a at all, but Alice can’t change it?
Impossibility theorem
Theorem [Mayers, 1996]. Perfect quantum bit commitment is impossible. If Bob’s state contains no information about Alice’s bit, Alice can change commitment perfectly.Note: there was a “provably secure” protocol before Mayers’ proof.
Delayed measurements
Any measurement can be delayed till end of protocol. Any classical random variable can be replaced by a quantum state.E.g. 0/1 random bit can be replaced by.1
2
10
2
1
State after commitment
By delayed measurement, pure state |>.Let |0> be the state if Alice commits 0, |1> be the state if Alice commits 1.How well Bob can distinguish |0> and |1>?
Tracing out
Imagine that Alice measures her part. Then, Bob is left with mixed state.
.112
100
2
1
|0> |1>
Distinguishability
If Bob cannot access Alice’s part, distinguishing |0> and |1> is equivalent to distinguishing 0 and 1.
Bob can guess commitment with probability
Perfectly secure if ||0-1 ||t=0, i.e. 0=1.
.42
1 10 t
Transformability
Theorem. If 0=1, then there is a unitary U on Alice’s part such that U|0>= |1>.
Perfectly hiding commitments are completely non-binding.Almost perfecly hiding commitments?
Fidelity
F(0, 1)=max |<0 | 1>|2, over all | 0>, | 1> that give 0, 1 if Alice’s part is traced out.Any test that accepts | 0> with certainty, accepts | 1> with probability at least |<0 | 1>|2.
Fidelity
Theorem. For any | 0>, |1> Alice can transform | 0> into a state that is accepted as |1> with probability F(0, 1).
Theorem [Ullman, 1972] TrF ),(
Trace distance vs. fidelity
Theorem [Fuchs, van de Graaf, 1997]
Tradeoff between Alice’s and Bob’s cheating probabilities.
1),(2 10
10
Ft
Summary on bit commitment
In any protocol, either Alice or Bob is capable of cheating with a constant success probability.Protocols in which both parties can’t cheat perfectly, exist.
Coin flipping
Trace distance vs. fidelity gives some lower bounds for coin flipping.Based on one-round commitment [A,RS, 2001]: 3/4.Based on multi-round commitment: 9/16 [Nayak,Shor,2002].Not based on commitment?
Different protocol [Salvail, 2000]
Alice generate two copies of
sends second qubits to Bob.Bob randomly chooses one and verifies it.Alice and Bob measure the other pair.
,112
100
2
1
Security
Theorem [Salvail, 2000] No party can achieve 0 (1) with probability more than 3/4.
Lower bound [Kitaev, 2002]
Theorem. In any protocol, one party can force 0 (1) with probability at least 1/.Proof. Write a semidefinite program for max probability achieved by Alice/ Bob. Look at the dual program.Combine the dual programs.
Weak CF
Assume that Alice can achieve 0 with probability 1 and Bob can achieve 1 with probability 1.Would the protocol be useful?
Yes, if Alice wants 1 and Bob wants 0.Still allowed by Kitaev’s theorem.
Weak CF
Only interested in probability of Alice achieving 1 and Bob achieving 0.Kitaev’s lower bound allows 1/2+.Theorem [A, Rudolph-Spekkens, 2002] There is a protocol with probability 1/2.
Protocol
11|00| Alice prepares
12|11|00| Bob maps
11|00| |12>
Bob wins,Alice verifies
Alice wins,Bob verifies
CF summary
Strong Weak
3/4 1/2
1/2 >0
Protocol
Lower bound
CF open problems
Better protocols/lower bounds.Coin flipping with penalty for cheating. Party caught cheating loses k coins instead of 1.Best result achievable by cheater?The tradeoff between successful cheating vs. being caught.
Open problems
Other cryptographic primitives.Quantum zero knowledge?Multiparty computation. Composing the primitives.