Stronger Attacks on CausalityBased Key Agreement
Abstract
Remarkably, it has been shown that in principle, security proofs for quantum keydistribution (QKD) protocols can be independent of assumptions on the devices used and even of the fact that the adversary is limited by quantum theory. All that is required instead is the absence of any hidden information flow between the laboratories, a condition that can be enforced either by shielding or by spacetime causality. All known schemes for such Causal Key Distribution (CKD) that offer noisetolerance (and, hence, must use privacy amplification as a crucial step) require multiple devices carrying out measurements in parallel on each end of the protocol, where the number of devices grows with the desired level of security. We investigate the power of the adversary for more practical schemes, where both parties each use a single device carrying out measurements consecutively. We provide a novel construction of attacks that is strictly more powerful than the best known attacks and has the potential to decide the question whether such practical CKD schemes are possible in the negative.
I Introduction
The use of quantum theory in cryptography allows for realising a task classically impossible unless assumptions are made on the computational power of the adversary: starting from a small shared secret key, two parties Alice and Bob can generate much longer secret keys. Such quantum cryptography goes back to the celebrated seminal work by Charles Bennett and Gilles Brassard in 1984 [6]. They devised a protocol based on the exchange of single quantum bits, e.g., coded into the polarisation of single photons. The security of the protocol depends on the assumptions sketched in Figure 1.
It lies in the spirit of cryptography to reduce the assumptions under which security can be proven. In the physics community, quantum key distribution became prominent and popular through the work of Artur Ekert [13], who presented a protocol based on entangled pairs of quantum bits, and on the phenomenon of nonlocal correlations [5]: If the joint behaviour, under measurements, of two parts of a system is stronger than what can be explained by shared (classical) information, one speaks of nonlocal correlations since no local hiddenvariable model alone can lead to the behaviour (alone). A joint twopartite inputoutput behaviour, also called system in the following, is recognised to be nonlocal if it violates some Bell inequality, the latter being respected by all local systems. The rationale of Ekert’s method is as follows (see also Figure 2): If, after exchange and measurement on the two parts of the entangled pair, respectively, a (virtually) maximal violation of a specific Bell inequality, due to Clauser, Horne, Shimony, and Holt [11], occurs, then the shared state must be (close to) a maximally entangled pair of quantum bits. Furthermore, (the completeness of) quantum theory implies that the outcomes when such a singlet state is measured are (a) perfectly correlated with each other yet at the same time (b) completely uncorrelated with any (classical or quantum) information outside the two laboratories (and, hence, potentially under an adversary’s control); the latter follows from a state violating maximally the CHSH inequality necessarily being pure.
Ekert’s result (and [18] when dealing with noise) has been a big step towards deviceindependent security [1] and the possibility of dropping assumption (4) (see Figure 1). Vazirani and Vidick [22] devised a scheme similar to Ekert’s, where the two parties could each reuse a single device to achieve full deviceindependent security even tolerating (a certain level of) noise. They proved that the partial security of the raw key consisting of the (measurement) outputs of the devices can be amplified using standard privacyamplification techniques [8], [7], [16]. However, even their security proof, like Ekert’s, rests on the validity of the entire Hilbertspace formalism of quantum theory. It is natural to ask whether it is possible to derive security of the final key directly and only from the (extent of) nonlocality of the generated values (see Figure 2), together with the assumption that no hidden communication has taken place between the laboratories. Barrett, Hardy, and Kent [4] have shown that in principle, the answer is yes: They presented a protocol generating a secret key under the sole assumption that no illegitimate communication takes place between the laboratories. Note that such “causal key agreement” requires neither Assumption (3) nor (4) above, see Figure 1.
Motivated by this proof of principle, several authors have worked on developing protocols that are based on the CHSH inequality instead of the chained Bell inequality [9], and that are not only more efficient but also tolerant to noise [14], [17]. However, besides the nosignalling assumption between the parties, the protocols’ security proofs must be based on the same condition within their laboratories in order to perform privacy amplification.^{3}^{3}3The number of required nosignalling conditions is proportional to the negative logarithm of the tolerable noise level. Actually, in [15], the impossibility of privacy amplification was shown if there are no additional nosignalling conditions assumed. Yet, if Alice and Bob reuse their devices, then previously obtained outputs cannot depend on future inputs as a consequence of (2); the corresponding additional conditions are termed timeordered nosignalling (TONS) conditions. In [3], it was shown that under the TONS conditions, superlinear privacy amplification is impossible: Using class of attacks which we refer to as “prefixcode attacks” (see Definition III.6), they showed that if is the length of the input to the amplification function, then the adversary’s knowledge on the output is at least of order . Furthermore, prefixcode attacks rule out the use of linear privacyamplification functions (which are used for universal hashing) as here the adversary’s knowledge on the output remains constant (i.e., independent of ). However, the knowledge prefixcode attacks yield about nonlinear functions is limited, e.g., for majority functions. We present a novel construction of TONS attacks which comprise prefixcode attacks and, furthermore, can also provide a constant knowledge on the output for highly nonlinear functions, i.e., an improvement of over prefixcode attacks in the case of majority. That our attack proves TONS privacy amplification with linear functions as well as a highly nonlinear function like majority impossible is an indicator that the attack is sufficiently strong to rule out TONS privacy amplification at all. From a practical point of view impossibility of TONS privacy amplification means that Alice and Bob necessarily need additional devices which are shielded against information loss to carry out CKD.
Ii Preliminaries
Iia Nosignalling systems
We refer to a system as a black box with an interface consisting of an input and an output , where its complete inputoutput behaviour is specified by the conditional probability distribution . If a system is shared between parties, each holding marginal systems, then we denote the interface of the th marginal system held by party by . Nosignalling conditions between different systems simply mean that the input one party inserts into her system does not affect the output the other party obtains from her system.
Definition II.1 (Party nosignalling).
An system box
is party nosignalling if no subset of parties, , can signal to any other (disjoint) subset of parties. Defining to be the complementary set to we have formally
(1) 
We introduce the shorthand notation if (II.1) is satisfied, i.e., the systems do not signal to the systems .
Definition II.2 (Marginal).
induces a valid marginal distribution on the systems that is independent of the inputs chosen by the parties in .
Definition II.3 (Nosignalling extension).
A nosignalling extension of a given system (possibly consisting of arbitrarily many subsystems), identified with , is any joint system , identified with , such that and the marginals on coïncide, i.e., .
We consider the case of three parties that we identify with Alice, Bob, and Eve (), where Alice and Bob each hold subsystems. We use the shorthand notation to define the nosignalling conditions that are relevant if Alice and Bob each reuse their devices to create the systems consecutively.
Definition II.4 (Tons).
A system
is timeordered nosignalling (TONS) if no subset of marginal systems can signal to systems outside its causal future. Any union of systems , with and , must have a valid marginal distribution induced by the equations
(2) 
IiB Some explicit nosignalling distributions

We denote by a box that outputs a uniformly random element of the output alphabet
(3) 
We denote by , with , as a box with probabilities
(4) 
We denote by , with and unspecified alphabets , , and , as an arbitrary box that satisfies the nosignalling conditions (II.1) and has a uniform marginal on ,
(5) An example for this type of boxes is the box or the boxes corresponding to the chained Bell inequalities [9] considered in [3] and also multipartite boxes corresponding to the multipartite Guess Your Neighbours Inputgame [2], since the system is not specified and can be composed of an arbitrary number of subsystems.

We denote by the noisy version of an arbitrary box as the box with probabilities^{4}^{4}4We chose this decomposition to be conform with the usual definition of the “noisy PRbox” when corresponds to the box introduced originally by Popescu and Rohrlich in [19].
(6)
IiC Nosignalling privacy amplification
The task of privacy amplification is as follows. Suppose an adversary holding some system can guess a single bit with probability , but a complete bitstring only with exponentially small probability, let us say with probability at most . Usually, in a privacyamplification protocol, one applies a randomly chosen function , where denotes the random choice, to obtain a shorter bitstring , think of a single bit, that cannot be guessed except with probability (exponentially in ) close to . If the adversary is governed by classical or quantum theory, it is possible to generate a single bit that is (exponentially in ) close to uniform if the function is chosen uniformly amongst all linear functions [8], [7], [16], [20]. In nosignalling privacy amplification, Alice and Bob hold a box , and Alice outputs a Boolean function . To analyse the privacy of such a bit against a nosignalling adversary, one considers, in analogy to the quantum case, an adversary Eve that holds a “nosignalling purifying marginal system” with input .
Definition II.5 (TONS attack).
The box
is a timeordered nosignalling (TONS) attack on the box if it is a nosignalling extension of and satisfies the TONS conditions (II.4).
We study privacy amplification in the context of secretkey distribution. Hence, Alice must communicate her choice of the privacyamplification function to Bob eventually, such that they can arrive at a shared secret key in the end of the protocol. Since we assume that Eve can wiretap the classical communication between Alice and Bob and learn the value , she can wait to use her system until that happens and choose her input as a function of , , accordingly. Her actions are completely specified by the box and the figure of merit is Eve’s maximal guessing probability on the output of the privacyamplification protocol. Since the marginal distribution must be, in particular, independent of , each choice of can be investigated independently and we can confine our analysis on attacks on fixed functions , where E has no input. Security against a TONS adversary stems from systems being nonlocal, i.e., from systems violating a Bell inequality. If a nosignalling adversary Eve attacks, e.g., a single box, the probability to guess the output of Alice is at best [14], i.e., which is nontrivial exactly if the box is nonlocal. For simplicity of the representation, we assume that Alice and Bob hold boxes, i.e., the Bell inequality used has binary outcomes on Alice side and we confine ourselves to the hardest case, where Alice outcome is completely random in the noiseless case. The best known previous result on TONS privacy amplification is as follows.
Lemma II.6.
[3] Assume that Eve attacks held by Alice and Bob. Then, for any function , there exists a TONSattack
(7) 
Iii The novel attack
Iiia Novel construction of TONS attacks
We present a novel construction of nosignalling attacks on . The idea is to decompose each of the boxes in a pure and a noise part via (6) and then attack each of the terms separately. We identify restrictions (8) and (9) on marginal (classical) distributions on systems that permit extension to a TONS attack for each of the terms in the decomposition of .
Definition III.1 (Ordered influenceable distributions).
For a set we define an ordered influenceable distribution as a probability distribution that satisfies uniformity on
(8)  
(9) 
We call the distribution ordered influenceable since condition (9) implies that Eve can only bias the bits with , and, furthermore, for the bits can only be biased with respect to bits if .
Definition III.2 (Ordered divisible distribution).
Fix a full set of ordered influenceable distributions . We define an ordered divisible distribution , as
(10) 
with weights
(11) 
Theorem III.3.
Any ordered influenceable distribution can be extended to a TONSattack on the systems with marginal distribution
(12) 
The proof of Theorem III.3 consists of an explicit construction of :
(13)  
(14)  
(15) 
It is a bit tedious but straightforward to show that (13)(15) implies that

satisfies the TONSconditions (II.4),

has the correct marginal on systems :
(16) 
and has the correct marginal on systems :
(17)
Corollary III.4.
For any ordered divisible distribution , there exists a TONSattack on such that
(18) 
Accordingly, we also denote as a TONS attack.
IiiB Prefixcode attacks and their limits
Definition III.5 (Influence).
We define the influence of given the prefix on the function as
(19) 
where .
Definition III.6 (Prefixcode attack).
Given a prefixcode and the function , we define the corresponding prefixcode attack as the ordered divisible distribution induced by the set defined as
(20)  
(21) 
Lemma III.7.
Let the distribution be a prefixcode attack on the majority function . Then, for any choice of a prefixcode the performance of this attack is
(22) 
The insight behind the proof of Lemma III.7 is that in a prefixcode attack on , a single bit is biased towards the value , while all other bits are uniform when conditioned on ; the influence of a single bit on the value of is of the order .
IiiC A stronger attack on Majority
We construct another attack via the set
(23)  
(24) 
for being odd (for even we define as the majority of all but the last bit). Intuitively, Eve makes a maximumlikelihood estimate of on the string , which is to compute . Due to the symmetry of the majority function with respect to exchange of indices, the guessing probability of the adversary depends only on .
Theorem III.8.
Let for some constant such that is odd. Then there exists a series of ordered influenceable distributions such that
(25) 
Through the concentration of measure around , induced by the central limit theorem, a direct consequence of Theorem III.8 is Corollary III.9.
Corollary III.9.
For any , there exists a series of such that
(26) 
Iv Conclusion
Causal key distribution (CKD) requires only a minimal set of assumptions, i.e., (1) a shielded laboratory and (2) free randomness, see Figure 1, which both can be considered also necessary: If the parties’ laboratories leak information about the key the adversary eventually learns it. Without free randomness everything becomes deterministic from the view of the adversary, and she can compute the key herself. All CKD protocols that offer noise tolerance [14], [17] have the impractical requirement for Alice and Bob to use many devices in parallel, where each device needs to be shielded against unwanted information leakage individually. We address the (still) open problem whether CKD is also possible if Alice and Bob each reuse a single device and construct a novel attack on the necessary timeordered nosignalling (TONS) privacyamplification step in the CKD protocol. Our construction is a generalisation of the best known attack [3], and we prove it to be superior if majority functions are used for TONS privacy amplification; the amount of knowledge that our attack provides is optimal (up to a constant factor). That our attack performs well against TONS privacy amplification with linear functions as well as with a highly nonlinear function like majority may suggest that it also powerful enough to prove impossibility of TONS privacy amplification in general, if this is indeed the case.
Acknowledgments
The authors thank Rotem ArnonFriedman, Ämin Baumeler, Gilles Brassard, Omar Fawzi, Arne Hansen, Karol Horodecki, Jibran Rashid, Renato Renner, and Dave Touchette for stimulating discussions and helpful comments. BS and SW are supported by the Swiss National Science Foundation (SNF), the NCCR QSIT, by the COST action on “Fundamental Problems in Quantum Theory,” and the CHISTERA project DIQIP.
References
 [1] Antonio Acín, Nicolas Brunner, Nicolas Gisin, Serge Massar, Stefano Pironio, and Valerio Scarani. Deviceindependent security of quantum cryptography against collective attacks. Phys. Rev. Lett., 98:230501, Jun 2007.
 [2] Mafalda L. Almeida, JeanDaniel Bancal, Nicolas Brunner, Antonio Acín, Nicolas Gisin, and Stefano Pironio. Guess your neighbor’s input: A multipartite nonlocal game with no quantum advantage. Phys. Rev. Lett., 104:230404, Jun 2010.
 [3] Rotem ArnonFriedman and Amnon TaShma. Limits of privacy amplification against nonsignaling memory attacks. Phys. Rev. A, 86:062333, Dec 2012.
 [4] Jonathan Barrett, Lucien Hardy, and Adrian Kent. No signaling and quantum key distribution. Phys. Rev. Lett., 95:010503, Jun 2005.
 [5] John S. Bell. On the EinsteinPodolskyRosen paradox. Physics, 1:195–200, 1964.
 [6] Charles H. Bennett and Gilles Brassard. Quantum cryptography: Public key distribution and coin tossing. In Proceedings of the International Conference on Computers, Systems and Signal Processing, pages 175–179, 1984.
 [7] Charles H. Bennett, Gilles Brassard, Claude Crepeau, and Ueli M. Maurer. Generalized privacy amplification. IEEE Trans. Inf. Theor., 41(6):1915–1923, Nov 1995.
 [8] Charles H. Bennett, Gilles Brassard, and JeanMarc Robert. Privacy amplification by public discussion. SIAM J. Comput., 17(2):210–229, Apr 1988.
 [9] Samuel L. Braunstein and Carlton M. Caves. Wringing out better Bell inequalities. Nuclear Physics B  Proceedings Supplements, 6(0):211 – 221, 1989.
 [10] Boris S. Cirel’son. Quantum generalizations of Bell’s inequality. Letter in Mathematical Physics, 4:93–100, 1980.
 [11] John F. Clauser, Michael A. Horne, Abner Shimony, and Richard A. Holt. Proposed experiment to test local hiddenvariable theories. Phys. Rev. Lett., 23:880–884, Oct 1969.
 [12] Roger Colbeck and Renato Renner. No extension of quantum theory can have improved predictive power. Nat. Commun., 2:411, Aug 2011.
 [13] Artur K. Ekert. Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett., 67:661–663, Aug 1991.
 [14] Esther Hänggi, Renato Renner, and Stefan Wolf. Efficient deviceindependent quantum key distribution. In Proceedings of the 29th Annual International Conference on Theory and Applications of Cryptographic Techniques, EUROCRYPT’10, pages 216–234, 2010.
 [15] Esther Hänggi, Renato Renner, and Stefan Wolf. The impossibility of nonsignaling privacy amplification. Theoretical Computer Science, 486(0):27–42, 2013.
 [16] Johan Hastad, Russell Impagliazzo, Leonid A. Levin, and Michael Luby. A pseudorandom generator from any oneway function. SIAM J. Comput., 28(4):1364–1396, Mar 1999.
 [17] Lluis Masanes. Universally composable privacy amplification from causality constraints. Phys. Rev. Lett., 102:140501, Apr 2009.
 [18] Dominic Mayers and Andrew Yao. Quantum cryptography with imperfect apparatus. In Proceedings of the 39th Annual Symposium on Foundations of Computer Science, FOCS ’98, page 503, 1998.
 [19] Sandu Popescu and Daniel Rohrlich. Nonlocality as an axiom. Foundations of Physics, 24(379), (1994).
 [20] Renato Renner. Security of quantum key distribution. International Journal of Quantum Information, 6(01):1–127, 2008.
 [21] Benno Salwey. NoSignalling Attacks and Implications for (Quantum) Nonlocality Distillation. PhD thesis, USI Lugano, 2015.
 [22] Umesh Vazirani and Thomas Vidick. Fully deviceindependent quantum key distribution. Phys. Rev. Lett., 113:140501, Sep 2014.