2. Unconditional security?
• [BB’84]: uncertainty principle → unconditionally secure key distribution
“only” need to trust QM
• Early implementations show quality of devices used crucial
– [BBB+92] implementation leaks basis choice through clicking noise
– [AGM’06] attack based on 4-dimensional encoding
• [MY’98] propose self-checking of the photon source
– Observing the correct correlations guarantees generation of EPR pair (already conjectured in [Eke’91])
– Result not robust: need to check for exact correlations
• [BLM+’05,BHK’05]: violation of Bell inequality implies privacy
– Direct (but inefficient) argument in the no-signaling setting, based on monogamy
– Started quest for efficient protocols with
best possible security guarantees
6. A first step: generating certified randomness
• Trusted random bits are prerequisite for QKD
– Devices are users’ only “secure” means of establishing correlations
• [Col’09,PAM+’10]: average Bell inequality violation
sufficient to certify private randomness
– Robust analysis, no independence assumptions
– Limited to classical adversary
• [VV’12]: extend to quantum adversary.
– Protocol tailored to randomness generation, no noise tolerance
– Two useful tools:
1. The “guessing game”, or how to think about monogamy
2. The “quantum reconstruction paradigm”, or how to leverage
the adversary’s low distinguishing probability
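Added example (not from the original slides): estimating the average CHSH violation from recorded rounds and converting it into the per-round min-entropy bound 1 − log2(1 + sqrt(2 − S²/4)) given in [PAM+’10] for a classical adversary. The function names, measurement angles, visibility noise model and sample data are assumptions made for illustration, and finite-statistics corrections are ignored.

```python
import math
import random

# Assumed CHSH measurement angles (radians) that reach 2*sqrt(2) on an ideal pair.
ALICE = (0.0, math.pi / 2)
BOB = (math.pi / 4, -math.pi / 4)


def simulate_rounds(n, visibility, seed=0):
    """Constructed sample data: n rounds (x, y, a, b), outcomes in {+1, -1},
    with correlator E(x, y) = visibility * cos(ALICE[x] - BOB[y])."""
    rng = random.Random(seed)
    rounds = []
    for _ in range(n):
        x, y = rng.randrange(2), rng.randrange(2)
        e = visibility * math.cos(ALICE[x] - BOB[y])
        a = rng.choice((1, -1))
        b = a if rng.random() < (1 + e) / 2 else -a
        rounds.append((x, y, a, b))
    return rounds


def chsh_value(rounds):
    """Estimate S = E00 + E01 + E10 - E11 from the observed rounds."""
    acc = {(x, y): [0, 0] for x in (0, 1) for y in (0, 1)}
    for x, y, a, b in rounds:
        acc[(x, y)][0] += a * b
        acc[(x, y)][1] += 1
    if any(count == 0 for _, count in acc.values()):
        raise ValueError("every setting pair (x, y) needs at least one round")
    e = {k: total / count for k, (total, count) in acc.items()}
    return e[(0, 0)] + e[(0, 1)] + e[(1, 0)] - e[(1, 1)]


def min_entropy_bound(s):
    """Per-round bound 1 - log2(1 + sqrt(2 - s^2/4)); zero without violation."""
    if s <= 2.0:
        return 0.0
    s = min(s, 2 * math.sqrt(2))
    return 1.0 - math.log2(1.0 + math.sqrt(max(0.0, 2.0 - s * s / 4.0)))


if __name__ == "__main__":
    for v in (1.0, 0.85, 0.6):  # constructed visibilities: ideal, noisy, too noisy
        s = chsh_value(simulate_rounds(40000, v))
        print(f"visibility={v:.2f}  S={s:.3f}  bound={min_entropy_bound(s):.3f} bits/round")
```

A source whose estimated S stays at or below the classical bound of 2 certifies no randomness, however random its outputs look.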
7. The quantum reconstruction paradigm
Smooth conditional min-entropy
quantifies E’s ignorance about B
• Introduced in [Tre’01] to analyze classical extractors
• [DV’11,DVPR’12] Generalization to quantum setting requires more work:
reconstruction involves repeated measurement of E
• [KT06]: can assume Eve applies specific measurement (PGM)
→ simultaneously refines all required measurements
11. Summary
• Variant of Ekert’s protocol secure for DIQKD with quantum adversary
• Efficient: linear key rate, tolerates constant noise
• Proof introduces tools to manipulate quantum adversary. Three steps:
– Reconstruction paradigm: leverage smooth min-entropy
– Identify “good” round, in which Eve can guess B’s output bit
→ Use tools from information theory to bound correlations from conditioning
– Guessing game: intuitive way to make final monogamy statement
Some questions
• Improve analysis: can parameters be made as good as with
independence assumption?
• Compare with robust testing of singlet: what is minimal amount of
work required to prove DIQKD?
• Other settings amenable to similar tools…?