Stronger Attacks on Causality-Based Key Agreement
Remarkably, it has been shown that in principle, security proofs for quantum key-distribution (QKD) protocols can be independent of assumptions on the devices used and even of the fact that the adversary is limited by quantum theory. All that is required instead is the absence of any hidden information flow between the laboratories, a condition that can be enforced either by shielding or by space-time causality. All known schemes for such Causal Key Distribution (CKD) that offer noise-tolerance (and, hence, must use privacy amplification as a crucial step) require multiple devices carrying out measurements in parallel on each end of the protocol, where the number of devices grows with the desired level of security. We investigate the power of the adversary for more practical schemes, where both parties each use a single device carrying out measurements consecutively. We provide a novel construction of attacks that is strictly more powerful than the best known attacks and has the potential to decide the question whether such practical CKD schemes are possible in the negative.
The use of quantum theory in cryptography allows for realising a task classically impossible unless assumptions are made on the computational power of the adversary: starting from a small shared secret key, two parties Alice and Bob can generate much longer secret keys. Such quantum cryptography goes back to the celebrated seminal work by Charles Bennett and Gilles Brassard in 1984 . They devised a protocol based on the exchange of single quantum bits, e.g., coded into the polarisation of single photons. The security of the protocol depends on the assumptions sketched in Figure 1.
It lies in the spirit of cryptography to reduce the assumptions under which security can be proven. In the physics community, quantum key distribution became prominent and popular through the work of Artur Ekert , who presented a protocol based on entangled pairs of quantum bits, and on the phenomenon of non-local correlations : If the joint behaviour, under measurements, of two parts of a system is stronger than what can be explained by shared (classical) information, one speaks of non-local correlations since no local hidden-variable model alone can lead to the behaviour (alone). A joint two-partite input-output behaviour, also called system in the following, is recognised to be non-local if it violates some Bell inequality, the latter being respected by all local systems. The rationale of Ekert’s method is as follows (see also Figure 2): If, after exchange and measurement on the two parts of the entangled pair, respectively, a (virtually) maximal violation of a specific Bell inequality, due to Clauser, Horne, Shimony, and Holt , occurs, then the shared state must be (close to) a maximally entangled pair of quantum bits. Furthermore, (the completeness of) quantum theory implies that the outcomes when such a singlet state is measured are (a) perfectly correlated with each other yet at the same time (b) completely uncorrelated with any (classical or quantum) information outside the two laboratories (and, hence, potentially under an adversary’s control); the latter follows from a state violating maximally the CHSH inequality necessarily being pure.
Ekert’s result (and  when dealing with noise) has been a big step towards device-independent security  and the possibility of dropping assumption (4) (see Figure 1). Vazirani and Vidick  devised a scheme similar to Ekert’s, where the two parties could each reuse a single device to achieve full device-independent security even tolerating (a certain level of) noise. They proved that the partial security of the raw key consisting of the (measurement) outputs of the devices can be amplified using standard privacy-amplification techniques , , . However, even their security proof, like Ekert’s, rests on the validity of the entire Hilbert-space formalism of quantum theory. It is natural to ask whether it is possible to derive security of the final key directly and only from the (extent of) non-locality of the generated values (see Figure 2), together with the assumption that no hidden communication has taken place between the laboratories. Barrett, Hardy, and Kent  have shown that in principle, the answer is yes: They presented a protocol generating a secret key under the sole assumption that no illegitimate communication takes place between the laboratories. Note that such “causal key agreement” requires neither Assumption (3) nor (4) above, see Figure 1.
Motivated by this proof of principle, several authors have worked on developing protocols that are based on the CHSH inequality instead of the chained Bell inequality , and that are not only more efficient but also tolerant to noise , . However, besides the no-signalling assumption between the parties, the protocols’ security proofs must be based on the same condition within their laboratories in order to perform privacy amplification.333The number of required no-signalling conditions is proportional to the negative logarithm of the tolerable noise level. Actually, in , the impossibility of privacy amplification was shown if there are no additional no-signalling conditions assumed. Yet, if Alice and Bob reuse their devices, then previously obtained outputs cannot depend on future inputs as a consequence of (2); the corresponding additional conditions are termed time-ordered no-signalling (TONS) conditions. In , it was shown that under the TONS conditions, super-linear privacy amplification is impossible: Using class of attacks which we refer to as “prefix-code attacks” (see Definition III.6), they showed that if is the length of the input to the amplification function, then the adversary’s knowledge on the output is at least of order . Furthermore, prefix-code attacks rule out the use of linear privacy-amplification functions (which are used for -universal hashing) as here the adversary’s knowledge on the output remains constant (i.e., independent of ). However, the knowledge prefix-code attacks yield about non-linear functions is limited, e.g., for majority functions. We present a novel construction of TONS attacks which comprise prefix-code attacks and, furthermore, can also provide a constant knowledge on the output for highly non-linear functions, i.e., an improvement of over prefix-code attacks in the case of majority. That our attack proves TONS privacy amplification with linear functions as well as a highly non-linear function like majority impossible is an indicator that the attack is sufficiently strong to rule out TONS privacy amplification at all. From a practical point of view impossibility of TONS privacy amplification means that Alice and Bob necessarily need additional devices which are shielded against information loss to carry out CKD.
Ii-a No-signalling systems
We refer to a system as a black box with an interface consisting of an input and an output , where its complete input-output behaviour is specified by the conditional probability distribution . If a system is shared between parties, each holding marginal systems, then we denote the interface of the -th marginal system held by party by . No-signalling conditions between different systems simply mean that the input one party inserts into her system does not affect the output the other party obtains from her system.
Definition II.1 (-Party no-signalling).
An -system box
is -party no-signalling if no subset of parties, , can signal to any other (disjoint) subset of parties. Defining to be the complementary set to we have formally
We introduce the short-hand notation if (II.1) is satisfied, i.e., the systems do not signal to the systems .
Definition II.2 (Marginal).
induces a valid marginal distribution on the systems that is independent of the inputs chosen by the parties in .
Definition II.3 (No-signalling extension).
A no-signalling extension of a given system (possibly consisting of arbitrarily many subsystems), identified with , is any joint system , identified with , such that and the marginals on coïncide, i.e., .
We consider the case of three parties that we identify with Alice, Bob, and Eve (), where Alice and Bob each hold subsystems. We use the shorthand notation to define the no-signalling conditions that are relevant if Alice and Bob each reuse their devices to create the systems consecutively.
Definition II.4 (Tons).
is time-ordered no-signalling (TONS) if no subset of marginal systems can signal to systems outside its causal future. Any union of systems , with and , must have a valid marginal distribution induced by the equations
Ii-B Some explicit no-signalling distributions
We denote by a box that outputs a uniformly random element of the output alphabet
We denote by , with , as a box with probabilities
We denote by , with and unspecified alphabets , , and , as an arbitrary box that satisfies the no-signalling conditions (II.1) and has a uniform marginal on ,
An example for this type of boxes is the box or the boxes corresponding to the chained Bell inequalities  considered in  and also multi-partite boxes corresponding to the multipartite Guess Your Neighbours Input-game , since the system is not specified and can be composed of an arbitrary number of subsystems.
We denote by the noisy version of an arbitrary box as the box with probabilities444We chose this decomposition to be conform with the usual definition of the “noisy PR-box” when corresponds to the box introduced originally by Popescu and Rohrlich in .
Ii-C No-signalling privacy amplification
The task of privacy amplification is as follows. Suppose an adversary holding some system can guess a single bit with probability , but a complete bit-string only with exponentially small probability, let us say with probability at most . Usually, in a privacy-amplification protocol, one applies a randomly chosen function , where denotes the random choice, to obtain a shorter bit-string , think of a single bit, that cannot be guessed except with probability (exponentially in ) close to . If the adversary is governed by classical or quantum theory, it is possible to generate a single bit that is (exponentially in ) close to uniform if the function is chosen uniformly amongst all linear functions , , , . In no-signalling privacy amplification, Alice and Bob hold a box , and Alice outputs a Boolean function . To analyse the privacy of such a bit against a no-signalling adversary, one considers, in analogy to the quantum case, an adversary Eve that holds a “no-signalling purifying marginal system” with input .
Definition II.5 (TONS attack).
is a time-ordered no-signalling (TONS) attack on the box if it is a no-signalling extension of and satisfies the TONS conditions (II.4).
We study privacy amplification in the context of secret-key distribution. Hence, Alice must communicate her choice of the privacy-amplification function to Bob eventually, such that they can arrive at a shared secret key in the end of the protocol. Since we assume that Eve can wiretap the classical communication between Alice and Bob and learn the value , she can wait to use her system until that happens and choose her input as a function of , , accordingly. Her actions are completely specified by the box and the figure of merit is Eve’s maximal guessing probability on the output of the privacy-amplification protocol. Since the marginal distribution must be, in particular, independent of , each choice of can be investigated independently and we can confine our analysis on attacks on fixed functions , where E has no input. Security against a TONS adversary stems from systems being non-local, i.e., from systems violating a Bell inequality. If a no-signalling adversary Eve attacks, e.g., a single box, the probability to guess the output of Alice is at best , i.e., which is nontrivial exactly if the box is nonlocal. For simplicity of the representation, we assume that Alice and Bob hold boxes, i.e., the Bell inequality used has binary outcomes on Alice side and we confine ourselves to the hardest case, where Alice outcome is completely random in the noiseless case. The best known previous result on TONS privacy amplification is as follows.
 Assume that Eve attacks held by Alice and Bob. Then, for any function , there exists a TONS-attack
Iii The novel attack
Iii-a Novel construction of TONS attacks
We present a novel construction of no-signalling attacks on . The idea is to decompose each of the boxes in a pure and a noise part via (6) and then attack each of the terms separately. We identify restrictions (8) and (9) on marginal (classical) distributions on systems that permit extension to a TONS attack for each of the terms in the decomposition of .
Definition III.1 (Ordered -influenceable distributions).
For a set we define an ordered -influenceable distribution as a probability distribution that satisfies uniformity on
We call the distribution ordered -influenceable since condition (9) implies that Eve can only bias the bits with , and, furthermore, for the bits can only be biased with respect to bits if .
Definition III.2 (Ordered -divisible distribution).
Fix a full set of ordered -influenceable distributions . We define an ordered -divisible distribution , as
Any ordered -influenceable distribution can be extended to a TONS-attack on the systems with marginal distribution
The proof of Theorem III.3 consists of an explicit construction of :
satisfies the TONS-conditions (II.4),
has the correct marginal on systems :
and has the correct marginal on systems :
For any ordered -divisible distribution , there exists a TONS-attack on such that
Accordingly, we also denote as a TONS attack.
Iii-B Prefix-code attacks and their limits
Definition III.5 (Influence).
We define the influence of given the prefix on the function as
Definition III.6 (Prefix-code attack).
Given a prefix-code and the function , we define the corresponding prefix-code attack as the ordered -divisible distribution induced by the set defined as
Let the distribution be a prefix-code attack on the majority function . Then, for any choice of a prefix-code the performance of this attack is
The insight behind the proof of Lemma III.7 is that in a prefix-code attack on , a single bit is -biased towards the value , while all other bits are uniform when conditioned on ; the influence of a single bit on the value of is of the order .
Iii-C A stronger attack on Majority
We construct another attack via the set
for being odd (for even we define as the majority of all but the last bit). Intuitively, Eve makes a maximum-likelihood estimate of on the string , which is to compute . Due to the symmetry of the majority function with respect to exchange of indices, the guessing probability of the adversary depends only on .
Let for some constant such that is odd. Then there exists a series of ordered -influenceable distributions such that
For any , there exists a series of such that
Causal key distribution (CKD) requires only a minimal set of assumptions, i.e., (1) a shielded laboratory and (2) free randomness, see Figure 1, which both can be considered also necessary: If the parties’ laboratories leak information about the key the adversary eventually learns it. Without free randomness everything becomes deterministic from the view of the adversary, and she can compute the key herself. All CKD protocols that offer noise tolerance ,  have the impractical requirement for Alice and Bob to use many devices in parallel, where each device needs to be shielded against unwanted information leakage individually. We address the (still) open problem whether CKD is also possible if Alice and Bob each reuse a single device and construct a novel attack on the necessary time-ordered no-signalling (TONS) privacy-amplification step in the CKD protocol. Our construction is a generalisation of the best known attack , and we prove it to be superior if majority functions are used for TONS privacy amplification; the amount of knowledge that our attack provides is optimal (up to a constant factor). That our attack performs well against TONS privacy amplification with linear functions as well as with a highly non-linear function like majority may suggest that it also powerful enough to prove impossibility of TONS privacy amplification in general, if this is indeed the case.
The authors thank Rotem Arnon-Friedman, Ämin Baumeler, Gilles Brassard, Omar Fawzi, Arne Hansen, Karol Horodecki, Jibran Rashid, Renato Renner, and Dave Touchette for stimulating discussions and helpful comments. BS and SW are supported by the Swiss National Science Foundation (SNF), the NCCR QSIT, by the COST action on “Fundamental Problems in Quantum Theory,” and the CHIST-ERA project DIQIP.
-  Antonio Acín, Nicolas Brunner, Nicolas Gisin, Serge Massar, Stefano Pironio, and Valerio Scarani. Device-independent security of quantum cryptography against collective attacks. Phys. Rev. Lett., 98:230501, Jun 2007.
-  Mafalda L. Almeida, Jean-Daniel Bancal, Nicolas Brunner, Antonio Acín, Nicolas Gisin, and Stefano Pironio. Guess your neighbor’s input: A multipartite nonlocal game with no quantum advantage. Phys. Rev. Lett., 104:230404, Jun 2010.
-  Rotem Arnon-Friedman and Amnon Ta-Shma. Limits of privacy amplification against nonsignaling memory attacks. Phys. Rev. A, 86:062333, Dec 2012.
-  Jonathan Barrett, Lucien Hardy, and Adrian Kent. No signaling and quantum key distribution. Phys. Rev. Lett., 95:010503, Jun 2005.
-  John S. Bell. On the Einstein-Podolsky-Rosen paradox. Physics, 1:195–200, 1964.
-  Charles H. Bennett and Gilles Brassard. Quantum cryptography: Public key distribution and coin tossing. In Proceedings of the International Conference on Computers, Systems and Signal Processing, pages 175–179, 1984.
-  Charles H. Bennett, Gilles Brassard, Claude Crepeau, and Ueli M. Maurer. Generalized privacy amplification. IEEE Trans. Inf. Theor., 41(6):1915–1923, Nov 1995.
-  Charles H. Bennett, Gilles Brassard, and Jean-Marc Robert. Privacy amplification by public discussion. SIAM J. Comput., 17(2):210–229, Apr 1988.
-  Samuel L. Braunstein and Carlton M. Caves. Wringing out better Bell inequalities. Nuclear Physics B - Proceedings Supplements, 6(0):211 – 221, 1989.
-  Boris S. Cirel’son. Quantum generalizations of Bell’s inequality. Letter in Mathematical Physics, 4:93–100, 1980.
-  John F. Clauser, Michael A. Horne, Abner Shimony, and Richard A. Holt. Proposed experiment to test local hidden-variable theories. Phys. Rev. Lett., 23:880–884, Oct 1969.
-  Roger Colbeck and Renato Renner. No extension of quantum theory can have improved predictive power. Nat. Commun., 2:411, Aug 2011.
-  Artur K. Ekert. Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett., 67:661–663, Aug 1991.
-  Esther Hänggi, Renato Renner, and Stefan Wolf. Efficient device-independent quantum key distribution. In Proceedings of the 29th Annual International Conference on Theory and Applications of Cryptographic Techniques, EUROCRYPT’10, pages 216–234, 2010.
-  Esther Hänggi, Renato Renner, and Stefan Wolf. The impossibility of non-signaling privacy amplification. Theoretical Computer Science, 486(0):27–42, 2013.
-  Johan Hastad, Russell Impagliazzo, Leonid A. Levin, and Michael Luby. A pseudorandom generator from any one-way function. SIAM J. Comput., 28(4):1364–1396, Mar 1999.
-  Lluis Masanes. Universally composable privacy amplification from causality constraints. Phys. Rev. Lett., 102:140501, Apr 2009.
-  Dominic Mayers and Andrew Yao. Quantum cryptography with imperfect apparatus. In Proceedings of the 39th Annual Symposium on Foundations of Computer Science, FOCS ’98, page 503, 1998.
-  Sandu Popescu and Daniel Rohrlich. Nonlocality as an axiom. Foundations of Physics, 24(379), (1994).
-  Renato Renner. Security of quantum key distribution. International Journal of Quantum Information, 6(01):1–127, 2008.
-  Benno Salwey. No-Signalling Attacks and Implications for (Quantum) Nonlocality Distillation. PhD thesis, USI Lugano, 2015.
-  Umesh Vazirani and Thomas Vidick. Fully device-independent quantum key distribution. Phys. Rev. Lett., 113:140501, Sep 2014.