Stronger Attacks on Causality-Based Key Agreement

Benno Salwey and Stefan Wolf

Faculty of Informatics, Università della Svizzera Italiana, Via G. Buffi 13, 6900 Lugano, Switzerland

Remarkably, it has been shown that in principle, security proofs for quantum key-distribution (QKD) protocols can be independent of assumptions on the devices used and even of the fact that the adversary is limited by quantum theory. All that is required instead is the absence of any hidden information flow between the laboratories, a condition that can be enforced either by shielding or by space-time causality. All known schemes for such Causal Key Distribution (CKD) that offer noise-tolerance (and, hence, must use privacy amplification as a crucial step) require multiple devices carrying out measurements in parallel on each end of the protocol, where the number of devices grows with the desired level of security. We investigate the power of the adversary for more practical schemes, where both parties each use a single device carrying out measurements consecutively. We provide a novel construction of attacks that is strictly more powerful than the best known attacks and has the potential to decide the question whether such practical CKD schemes are possible in the negative.

I Introduction

The use of quantum theory in cryptography allows for realising a task classically impossible unless assumptions are made on the computational power of the adversary: starting from a small shared secret key, two parties Alice and Bob can generate much longer secret keys. Such quantum cryptography goes back to the celebrated seminal work by Charles Bennett and Gilles Brassard in 1984 [6]. They devised a protocol based on the exchange of single quantum bits, e.g., coded into the polarisation of single photons. The security of the protocol depends on the assumptions sketched in Figure 1.

Fig. 1: Schematic setup of QKD protocols with assumptions (1)-(4). The boxes around the legitimate parties’ laboratories indicate protection against unwanted information leakage (1). The ’s are the sources of free randomness (2) used as the inputs to the devices D which generate, and operate on, the specified quantum systems (4). (Footnote: We refer to the notion of free randomness used by Colbeck and Renner in [12]: a random variable, generated at some point in space-time, displays free randomness if it is independent of any variable which lies outside its future light-cone.) CC refers to a classical insecure (but authenticated) channel to which the adversary Eve also has access. QC is a completely insecure quantum channel which Eve may interfere with to an unspecified extent. The dotted box indicates that the protocol takes place within the rules of quantum theory (3).

It lies in the spirit of cryptography to reduce the assumptions under which security can be proven. In the physics community, quantum key distribution became prominent and popular through the work of Artur Ekert [13], who presented a protocol based on entangled pairs of quantum bits, and on the phenomenon of non-local correlations [5]: If the joint behaviour, under measurements, of two parts of a system is stronger than what can be explained by shared (classical) information, one speaks of non-local correlations, since no local hidden-variable model can lead to the behaviour. A joint two-partite input-output behaviour, also called a system in the following, is recognised to be non-local if it violates some Bell inequality, the latter being respected by all local systems. The rationale of Ekert’s method is as follows (see also Figure 2): If, after exchange and measurement on the two parts of the entangled pair, respectively, a (virtually) maximal violation of a specific Bell inequality, due to Clauser, Horne, Shimony, and Holt [11], occurs, then the shared state must be (close to) a maximally entangled pair of quantum bits. Furthermore, (the completeness of) quantum theory implies that the outcomes when such a singlet state is measured are (a) perfectly correlated with each other yet at the same time (b) completely uncorrelated with any (classical or quantum) information outside the two laboratories (and, hence, potentially under an adversary’s control); the latter follows from a state violating the CHSH inequality maximally necessarily being pure.

Fig. 2: Ekert’s reasoning: If a system violates the CHSH inequality virtually maximally (i.e., close to Tsirelson’s bound [10]), then the framework of quantum theory implies that the state of the system must be close to a maximally entangled and, hence, pure state, a Bell state. The purity of the entangled state implies the secrecy of the local measurement outcomes. This reasoning is strongly based on the formalism of quantum theory. Barrett, Hardy, and Kent’s reasoning: A Bell-inequality violation indicates a non-local correlation that directly implies a constraint on the predictive power of any external piece of information (such as, e.g., Eve’s entire knowledge) about Alice and Bob’s measurement outcomes. This reasoning is independent of quantum theory.

Ekert’s result (and [18] when dealing with noise) has been a big step towards device-independent security [1] and the possibility of dropping assumption (4) (see Figure 1). Vazirani and Vidick [22] devised a scheme similar to Ekert’s, where the two parties could each reuse a single device to achieve full device-independent security even tolerating (a certain level of) noise. They proved that the partial security of the raw key consisting of the (measurement) outputs of the devices can be amplified using standard privacy-amplification techniques [8][7][16]. However, even their security proof, like Ekert’s, rests on the validity of the entire Hilbert-space formalism of quantum theory. It is natural to ask whether it is possible to derive security of the final key directly and only from the (extent of) non-locality of the generated values (see Figure 2), together with the assumption that no hidden communication has taken place between the laboratories. Barrett, Hardy, and Kent [4] have shown that in principle, the answer is yes: They presented a protocol generating a secret key under the sole assumption that no illegitimate communication takes place between the laboratories. Note that such “causal key agreement” requires neither Assumption (3) nor (4) above, see Figure 1.

Motivated by this proof of principle, several authors have worked on developing protocols that are based on the CHSH inequality instead of the chained Bell inequality [9], and that are not only more efficient but also tolerant to noise [14][17]. However, besides the no-signalling assumption between the parties, the protocols’ security proofs must be based on the same condition within their laboratories in order to perform privacy amplification (the number of required no-signalling conditions is proportional to the negative logarithm of the tolerable noise level). Indeed, in [15], the impossibility of privacy amplification was shown if no additional no-signalling conditions are assumed. Yet, if Alice and Bob reuse their devices, then previously obtained outputs cannot depend on future inputs as a consequence of (2); the corresponding additional conditions are termed time-ordered no-signalling (TONS) conditions. In [3], it was shown that under the TONS conditions, super-linear privacy amplification is impossible: Using a class of attacks which we refer to as “prefix-code attacks” (see Definition III.6), they showed that if  is the length of the input to the amplification function, then the adversary’s knowledge on the output is at least of order . Furthermore, prefix-code attacks rule out the use of linear privacy-amplification functions (which are used for -universal hashing), as here the adversary’s knowledge on the output remains constant (i.e., independent of ). However, the knowledge prefix-code attacks yield about non-linear functions is limited, e.g., for majority functions. We present a novel construction of TONS attacks which comprises prefix-code attacks and, furthermore, can also provide constant knowledge on the output for highly non-linear functions, i.e., an improvement of over prefix-code attacks in the case of majority.
That our attack proves TONS privacy amplification with linear functions as well as with a highly non-linear function like majority impossible is an indicator that the attack is sufficiently strong to rule out TONS privacy amplification altogether. From a practical point of view, impossibility of TONS privacy amplification means that Alice and Bob necessarily need additional devices which are shielded against information loss to carry out CKD.

Due to spatial limitations we are forced to omit the detailed proof of Theorem III.3, Lemma III.7, and Theorem III.8 and refer the reader to Chapters 3.4.1 and 3.5.4 in [21].

II Preliminaries

II-A No-signalling systems

We refer to a system as a black box with an interface consisting of an input and an output , where its complete input-output behaviour is specified by the conditional probability distribution . If a system is shared between parties, each holding marginal systems, then we denote the interface of the -th marginal system held by party by . No-signalling conditions between different systems simply mean that the input one party inserts into her system does not affect the output the other party obtains from her system.

Definition II.1 (-Party no-signalling).

An -system box

is -party no-signalling if no subset of parties, , can signal to any other (disjoint) subset of parties. Defining to be the complementary set to we have formally


We introduce the short-hand notation if (II.1) is satisfied, i.e., the systems do not signal to the systems .

Definition II.2 (Marginal).

induces a valid marginal distribution on the systems that is independent of the inputs chosen by the parties in .

Definition II.3 (No-signalling extension).

A no-signalling extension of a given system (possibly consisting of arbitrarily many subsystems), identified with , is any joint system , identified with , such that and the marginals on coincide, i.e., .

We consider the case of three parties that we identify with Alice, Bob, and Eve (), where Alice and Bob each hold subsystems. We use the shorthand notation to define the no-signalling conditions that are relevant if Alice and Bob each reuse their devices to create the systems consecutively.

Definition II.4 (TONS).

A -system

is time-ordered no-signalling (TONS) if no subset of marginal systems can signal to systems outside its causal future. Any union of systems , with and , must have a valid marginal distribution induced by the equations


II-B Some explicit no-signalling distributions

  • We denote by a box that outputs a uniformly random element of the output alphabet.

  • We denote by , with , a box with probabilities

  • We denote by , with and unspecified alphabets , , and , as an arbitrary box that satisfies the no-signalling conditions (II.1) and has a uniform marginal on ,


    An example of this type of box is the box, or the boxes corresponding to the chained Bell inequalities [9] considered in [3], and also multi-partite boxes corresponding to the multipartite Guess Your Neighbour’s Input game [2], since the system is not specified and can be composed of an arbitrary number of subsystems.

  • We denote by the noisy version of an arbitrary box as the box with probabilities (we chose this decomposition to conform to the usual definition of the “noisy PR-box” when corresponds to the box introduced originally by Popescu and Rohrlich in [19])


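The two-party case of Definition II.1, the PR box and its noisy version, as an added example (not code from the paper). A bipartite box is stored as box[x][y][a][b] = P(a, b | x, y) with binary inputs and outputs; the noisy box is taken here to be the mixture (1-eps)*box + eps*uniform, one common convention for the noisy PR-box, since the paper's own decomposition (6) is not reproduced on the page.

```python
"""No-signalling check, PR box and its noisy version (Sections II-A/II-B)."""
from itertools import product

BITS = (0, 1)


def pr_box():
    """Popescu-Rohrlich box: a XOR b = x AND y, with uniform marginals."""
    return [[[[0.5 if (a ^ b) == (x & y) else 0.0 for b in BITS]
              for a in BITS] for y in BITS] for x in BITS]


def uniform_box():
    """Box that outputs a uniformly random pair (a, b) for every input."""
    return [[[[0.25 for b in BITS] for a in BITS] for y in BITS] for x in BITS]


def noisy(box, eps):
    """Assumed noise model: (1-eps) * box + eps * uniform noise."""
    u = uniform_box()
    return [[[[(1 - eps) * box[x][y][a][b] + eps * u[x][y][a][b]
               for b in BITS] for a in BITS] for y in BITS] for x in BITS]


def alice_marginal(box, x, y, a):
    return sum(box[x][y][a][b] for b in BITS)


def bob_marginal(box, x, y, b):
    return sum(box[x][y][a][b] for a in BITS)


def is_no_signalling(box, tol=1e-12):
    """Definition II.1 for two parties: Alice's marginal must not depend on
    Bob's input y, and Bob's marginal must not depend on Alice's input x."""
    for x, a in product(BITS, BITS):
        if abs(alice_marginal(box, x, 0, a) - alice_marginal(box, x, 1, a)) > tol:
            return False
    for y, b in product(BITS, BITS):
        if abs(bob_marginal(box, 0, y, b) - bob_marginal(box, 1, y, b)) > tol:
            return False
    return True


def chsh_value(box):
    """CHSH value sum_{x,y} (-1)^{xy} E[(-1)^{a+b} | x, y]: local boxes reach
    at most 2, quantum boxes at most 2*sqrt(2) (Tsirelson), the PR box 4."""
    total = 0.0
    for x, y in product(BITS, BITS):
        corr = sum((-1) ** (a + b) * box[x][y][a][b]
                   for a, b in product(BITS, BITS))
        total += (-1) ** (x * y) * corr
    return total


def signalling_box():
    """Constructed counterexample: a = y, b = 0, so Bob's input reaches Alice."""
    return [[[[1.0 if (a == y and b == 0) else 0.0 for b in BITS]
              for a in BITS] for y in BITS] for x in BITS]


if __name__ == "__main__":
    for eps in (0.0, 0.25, 0.5):
        box = noisy(pr_box(), eps)
        print(eps, is_no_signalling(box), chsh_value(box))
    print("signalling box passes check:", is_no_signalling(signalling_box()))
```

With this noise convention the CHSH value of the noisy PR box is 4(1-eps), so it drops to the local bound 2 at eps = 1/2 while the box stays no-signalling for every eps.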
II-C No-signalling privacy amplification

The task of privacy amplification is as follows. Suppose an adversary holding some system can guess a single bit with probability , but a complete bit-string only with exponentially small probability, let us say with probability at most . Usually, in a privacy-amplification protocol, one applies a randomly chosen function , where denotes the random choice, to obtain a shorter bit-string (think of a single bit) that cannot be guessed except with probability (exponentially in ) close to . If the adversary is governed by classical or quantum theory, it is possible to generate a single bit that is (exponentially in ) close to uniform if the function is chosen uniformly amongst all linear functions [8], [7], [16], [20]. In no-signalling privacy amplification, Alice and Bob hold a box , and Alice outputs a Boolean function . To analyse the privacy of such a bit against a no-signalling adversary, one considers, in analogy to the quantum case, an adversary Eve that holds a “no-signalling purifying marginal system” with input .

Definition II.5 (TONS attack).

The box

is a time-ordered no-signalling (TONS) attack on the box if it is a no-signalling extension of and satisfies the TONS conditions (II.4).

We study privacy amplification in the context of secret-key distribution. Hence, Alice must eventually communicate her choice of the privacy-amplification function to Bob, such that they arrive at a shared secret key at the end of the protocol. Since we assume that Eve can wiretap the classical communication between Alice and Bob and learn the value , she can wait to use her system until that happens and choose her input as a function of , , accordingly. Her actions are completely specified by the box , and the figure of merit is Eve’s maximal guessing probability on the output of the privacy-amplification protocol. Since the marginal distribution must be, in particular, independent of , each choice of can be investigated independently, and we can confine our analysis to attacks on fixed functions , where E has no input. Security against a TONS adversary stems from systems being non-local, i.e., from systems violating a Bell inequality. If a no-signalling adversary Eve attacks, e.g., a single box, the probability to guess the output of Alice is at best  [14], which is nontrivial exactly if the box is nonlocal. For simplicity of the presentation, we assume that Alice and Bob hold boxes, i.e., the Bell inequality used has binary outcomes on Alice’s side, and we confine ourselves to the hardest case, where Alice’s outcome is completely random in the noiseless case. The best known previous result on TONS privacy amplification is as follows.

Lemma II.6.

[3] Assume that Eve attacks held by Alice and Bob. Then, for any function , there exists a TONS-attack


III The novel attack

III-A Novel construction of TONS attacks

We present a novel construction of no-signalling attacks on . The idea is to decompose each of the boxes into a pure and a noise part via (6) and then attack each of the terms separately. We identify restrictions (8) and (9) on marginal (classical) distributions on systems that permit extension to a TONS attack for each of the terms in the decomposition of .

Definition III.1 (Ordered -influenceable distributions).

For a set we define an ordered -influenceable distribution as a probability distribution that satisfies uniformity on


We call the distribution ordered -influenceable since condition (9) implies that Eve can only bias the bits with , and, furthermore, for the bits can only be biased with respect to bits if .

Definition III.2 (Ordered -divisible distribution).

Fix a full set of ordered -influenceable distributions . We define an ordered -divisible distribution , as


with weights

Theorem III.3.

Any ordered -influenceable distribution can be extended to a TONS-attack on the systems with marginal distribution


The proof of Theorem III.3 consists of an explicit construction of :


It is a bit tedious but straightforward to show that (13)-(15) imply that

  1. satisfies the TONS-conditions (II.4),

  2. has the correct marginal on systems :

  3. and has the correct marginal on systems :

Corollary III.4.

For any ordered -divisible distribution , there exists a TONS-attack on such that


Accordingly, we also denote as a TONS attack.

III-B Prefix-code attacks and their limits

Definition III.5 (Influence).

We define the influence of given the prefix on the function as


where .

Definition III.6 (Prefix-code attack).

Given a prefix-code and the function , we define the corresponding prefix-code attack as the ordered -divisible distribution induced by the set defined as

Lemma III.7.

Let the distribution be a prefix-code attack on the majority function . Then, for any choice of a prefix-code the performance of this attack is


The insight behind the proof of Lemma III.7 is that in a prefix-code attack on , a single bit is -biased towards the value , while all other bits are uniform when conditioned on ; the influence of a single bit on the value of is of the order .
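The insight stated for Lemma III.7, and the contrast with linear functions from the introduction (constant knowledge under prefix-code attacks), as an added illustration that is not the paper's construction: conditioned on Eve's guess e, one bit x_i is eps-biased towards a target value (which may depend on the earlier bits, in the spirit of the "ordered" restriction of Definition III.1) while all other bits are uniform. Eve's exact guessing probability is computed by enumeration; eps stands in for the bias the noise level permits, and 0.1 is a constructed sample value.

```python
"""Exact guessing advantage of a single eps-biased bit on majority vs. parity."""
from itertools import product
from math import comb, pi, sqrt


def majority(x):
    # n is odd here, so there are no ties
    return int(2 * sum(x) > len(x))


def parity(x):
    return sum(x) % 2


def guess_probability(f, n, i, eps, target):
    """Pr[f(x) = e] when, given Eve's guess e (uniform), bit i equals
    target(prefix, e) with probability 1/2 + eps and all other bits are
    uniform. Exact: enumerates all 2^n strings for both values of e."""
    total = 0.0
    for e in (0, 1):
        for x in product((0, 1), repeat=n):
            t = target(x[:i], e)
            p_bit = 0.5 + eps if x[i] == t else 0.5 - eps
            p_x = p_bit / 2 ** (n - 1)   # the other n-1 bits have weight 1/2 each
            if f(x) == e:
                total += p_x
    return total / 2   # average over the uniform guess e


def majority_influence(n):
    """Influence of any single bit on majority for odd n: the remaining n-1
    bits must tie, probability C(n-1,(n-1)/2)/2^(n-1) ~ sqrt(2/(pi*n))."""
    return comb(n - 1, (n - 1) // 2) / 2 ** (n - 1)


def majority_advantage(n, eps):
    """Bit 0 is biased towards e itself; the advantage equals eps * influence,
    so it decays like eps/sqrt(n)."""
    return guess_probability(majority, n, 0, eps, lambda prefix, e: e) - 0.5


def parity_advantage(n, eps):
    """The last bit is biased towards e XOR parity(prefix), so the XOR of the
    whole string equals e exactly when the biased bit hits its target: the
    advantage stays eps, independent of n."""
    return guess_probability(parity, n, n - 1, eps,
                             lambda prefix, e: e ^ (sum(prefix) % 2)) - 0.5


if __name__ == "__main__":
    eps = 0.1   # constructed sample bias
    print(" n  majority   eps*Inf   eps*sqrt(2/pi n)   parity")
    for n in (3, 5, 7, 9, 11):
        print(f"{n:2d}  {majority_advantage(n, eps):.5f}   "
              f"{eps * majority_influence(n):.5f}   "
              f"{eps * sqrt(2 / (pi * n)):.5f}            "
              f"{parity_advantage(n, eps):.5f}")
```

For n = 3 the majority advantage is exactly 0.1 * 1/2 = 0.05 and for n = 5 it is 0.1 * 3/8 = 0.0375, while the parity advantage is 0.1 for every n.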

III-C A stronger attack on Majority

We construct another attack via the set


for being odd (for even we define as the majority of all but the last bit). Intuitively, Eve makes a maximum-likelihood estimate of on the string , which is to compute . Due to the symmetry of the majority function with respect to exchange of indices, the guessing probability of the adversary depends only on .

Theorem III.8.

Let for some constant such that is odd. Then there exists a series of ordered -influenceable distributions such that


Through the concentration of measure around , induced by the central limit theorem, a direct consequence of Theorem III.8 is Corollary III.9.

Corollary III.9.

For any , there exists a series of such that


Lemma III.7 and Corollary III.9 imply an advantage of our attack over the best previously known attack, the prefix-code attack.

IV Conclusion

Causal key distribution (CKD) requires only a minimal set of assumptions, i.e., (1) a shielded laboratory and (2) free randomness, see Figure 1, both of which can also be considered necessary: If the parties’ laboratories leak information about the key, the adversary eventually learns it. Without free randomness everything becomes deterministic from the view of the adversary, and she can compute the key herself. All CKD protocols that offer noise tolerance [14][17] have the impractical requirement for Alice and Bob to use many devices in parallel, where each device needs to be shielded against unwanted information leakage individually. We address the (still) open problem whether CKD is also possible if Alice and Bob each reuse a single device, and construct a novel attack on the necessary time-ordered no-signalling (TONS) privacy-amplification step in the CKD protocol. Our construction is a generalisation of the best known attack [3], and we prove it to be superior if majority functions are used for TONS privacy amplification; the amount of knowledge that our attack provides is optimal (up to a constant factor). That our attack performs well against TONS privacy amplification with linear functions as well as with a highly non-linear function like majority may suggest that it is also powerful enough to prove impossibility of TONS privacy amplification in general, should this indeed be the case.


The authors thank Rotem Arnon-Friedman, Ämin Baumeler, Gilles Brassard, Omar Fawzi, Arne Hansen, Karol Horodecki, Jibran Rashid, Renato Renner, and Dave Touchette for stimulating discussions and helpful comments. BS and SW are supported by the Swiss National Science Foundation (SNF), the NCCR QSIT, by the COST action on “Fundamental Problems in Quantum Theory,” and the CHIST-ERA project DIQIP.


  • [1] Antonio Acín, Nicolas Brunner, Nicolas Gisin, Serge Massar, Stefano Pironio, and Valerio Scarani. Device-independent security of quantum cryptography against collective attacks. Phys. Rev. Lett., 98:230501, Jun 2007.
  • [2] Mafalda L. Almeida, Jean-Daniel Bancal, Nicolas Brunner, Antonio Acín, Nicolas Gisin, and Stefano Pironio. Guess your neighbor’s input: A multipartite nonlocal game with no quantum advantage. Phys. Rev. Lett., 104:230404, Jun 2010.
  • [3] Rotem Arnon-Friedman and Amnon Ta-Shma. Limits of privacy amplification against nonsignaling memory attacks. Phys. Rev. A, 86:062333, Dec 2012.
  • [4] Jonathan Barrett, Lucien Hardy, and Adrian Kent. No signaling and quantum key distribution. Phys. Rev. Lett., 95:010503, Jun 2005.
  • [5] John S. Bell. On the Einstein-Podolsky-Rosen paradox. Physics, 1:195–200, 1964.
  • [6] Charles H. Bennett and Gilles Brassard. Quantum cryptography: Public key distribution and coin tossing. In Proceedings of the International Conference on Computers, Systems and Signal Processing, pages 175–179, 1984.
  • [7] Charles H. Bennett, Gilles Brassard, Claude Crépeau, and Ueli M. Maurer. Generalized privacy amplification. IEEE Trans. Inf. Theor., 41(6):1915–1923, Nov 1995.
  • [8] Charles H. Bennett, Gilles Brassard, and Jean-Marc Robert. Privacy amplification by public discussion. SIAM J. Comput., 17(2):210–229, Apr 1988.
  • [9] Samuel L. Braunstein and Carlton M. Caves. Wringing out better Bell inequalities. Nuclear Physics B - Proceedings Supplements, 6:211–221, 1989.
  • [10] Boris S. Cirel’son. Quantum generalizations of Bell’s inequality. Letters in Mathematical Physics, 4:93–100, 1980.
  • [11] John F. Clauser, Michael A. Horne, Abner Shimony, and Richard A. Holt. Proposed experiment to test local hidden-variable theories. Phys. Rev. Lett., 23:880–884, Oct 1969.
  • [12] Roger Colbeck and Renato Renner. No extension of quantum theory can have improved predictive power. Nat. Commun., 2:411, Aug 2011.
  • [13] Artur K. Ekert. Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett., 67:661–663, Aug 1991.
  • [14] Esther Hänggi, Renato Renner, and Stefan Wolf. Efficient device-independent quantum key distribution. In Proceedings of the 29th Annual International Conference on Theory and Applications of Cryptographic Techniques, EUROCRYPT’10, pages 216–234, 2010.
  • [15] Esther Hänggi, Renato Renner, and Stefan Wolf. The impossibility of non-signaling privacy amplification. Theoretical Computer Science, 486:27–42, 2013.
  • [16] Johan Håstad, Russell Impagliazzo, Leonid A. Levin, and Michael Luby. A pseudorandom generator from any one-way function. SIAM J. Comput., 28(4):1364–1396, Mar 1999.
  • [17] Lluis Masanes. Universally composable privacy amplification from causality constraints. Phys. Rev. Lett., 102:140501, Apr 2009.
  • [18] Dominic Mayers and Andrew Yao. Quantum cryptography with imperfect apparatus. In Proceedings of the 39th Annual Symposium on Foundations of Computer Science, FOCS ’98, page 503, 1998.
  • [19] Sandu Popescu and Daniel Rohrlich. Nonlocality as an axiom. Foundations of Physics, 24:379–385, 1994.
  • [20] Renato Renner. Security of quantum key distribution. International Journal of Quantum Information, 6(1):1–127, 2008.
  • [21] Benno Salwey. No-Signalling Attacks and Implications for (Quantum) Nonlocality Distillation. PhD thesis, USI Lugano, 2015.
  • [22] Umesh Vazirani and Thomas Vidick. Fully device-independent quantum key distribution. Phys. Rev. Lett., 113:140501, Sep 2014.