Renato Renner

Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology

The goals of this paper are two-fold. First we introduce and motivate a generalization of the fundamental concept of the indistinguishability of two systems, called indifferentiability. This immediately leads to a generalization of the related notion of reducibility of one system to another. In contrast to the conventional notion of indistinguishability, indifferentiability is applicable in settings where a possible adversary is assumed to have access to additional information about the internal state of the involved systems, for instance the public parameter selecting a member from a family of hash functions.

The Operational Meaning of Min- and Max-Entropy

In this paper, we show that the conditional min-entropy <i>H</i> _min(<i>A</i> |<i>B</i>) of a bipartite state <i>rhoAB</i> is directly related to the maximum achievable overlap with a maximally entangled state if only local actions on the <i>B</i>-part of <i>rhoAB</i> are allowed. In the special case where <i>A</i> is classical, this overlap corresponds to the probability of guessing <i>A</i> given <i>B</i>. In a similar vein, we connect the conditional max-entropy <i>H</i> _max(<i>A</i> |<i>B</i>) to the maximum fidelity of <i>rhoAB</i> with a product state that is completely mixed on <i>A</i>. In the case where <i>A</i> is classical, this corresponds to the security of <i>A</i> when used as a secret key in the presence of an adversary holding <i>B</i>. Because min- and max-entropies are known to characterize information-processing tasks such as randomness extraction and state merging, our results establish a direct connection between these tasks and basic operational problems. For example, they imply that the (logarithm of the) probability of guessing <i>A</i> given <i>B</i> is a lower bound on the number of uniform secret bits that can be extracted from <i>A</i> relative to an adversary holding <i>B</i>.

Universally composable privacy amplification against quantum adversaries

Privacy amplification is the art of shrinking a partially secret string Z to a highly secret key S. We show that, even if an adversary holds quantum information about the initial string Z, the key S obtained by two-universal hashing is secure, according to a universally composable security definition. Additionally, we give an asymptotically optimal lower bound on the length of the extractable key S in terms of the adversarys (quantum) knowledge about Z. Our result has applications in quantum cryptography. In particular, it implies that many of the known quantum key distribution protocols are universally composable.

Simple and tight bounds for information reconciliation and privacy amplification

Shannon entropy is a useful and important measure in information processing, for instance, data compression or randomness extraction, under the assumption—which can typically safely be made in communication theory—that a certain random experiment is independently repeated many times. In cryptography, however, where a system’s working has to be proven with respect to a malicious adversary, this assumption usually translates to a restriction on the latter’s knowledge or behavior and is generally not satisfied. An example is quantum key agreement, where the adversary can attack each particle sent through the quantum channel differently or even carry out coherent attacks, combining a number of particles together. In information-theoretic key agreement, the central functionalities of information reconciliation and privacy amplification have, therefore, been extensively studied in the scenario of general distributions: Partial solutions have been given, but the obtained bounds are arbitrarily far from tight, and a full analysis appeared to be rather involved to do. We show that, actually, the general case is not more difficult than the scenario of independent repetitions—in fact, given our new point of view, even simpler. When one analyzes the possible efficiency of data compression and randomness extraction in the case of independent repetitions, then Shannon entropy H is the answer. We show that H can, in these two contexts, be generalized to two very simple quantities—

Information-theoretic security proof for quantum-key-distribution protocols

H_0^\epsilon

Tight finite-key analysis for quantum cryptography

and

A Fully Quantum Asymptotic Equipartition Property

H_\infty^\epsilon

Quantum Cryptography with Finite Resources: Unconditional Security Bound for Discrete-Variable Protocols with One-Way Postprocessing

, called smooth Renyi entropies—which are tight bounds for data compression (hence, information reconciliation) and randomness extraction (privacy amplification), respectively. It is shown that the two new quantities, and related notions, do not only extend Shannon entropy in the described contexts, but they also share central properties of the latter such as the chain rule as well as sub-additivity and monotonicity.

Smooth Renyi entropy and applications

We present a new technique for proving the security of quantum key distribution (QKD) protocols. It is based on direct information-theoretic arguments and thus also applies if no equivalent entanglement purification scheme can be found. Using this technique, we investigate a general class of QKD protocols with one-way classical post-processing. We show that, in order to analyze the full security of these protocols, it suffices to consider collective attacks. Indeed, we give new lower and upper bounds on the secret-key rate which only involve entropies of two-qubit density operators and which are thus easy to compute. As an illustration of our results, we analyze the BB84, the six-state, and the B92 protocol with one-way error correction and privacy amplification. Surprisingly, the performance of these protocols is increased if one of the parties adds noise to the measurement data before the error correction. In particular, this additional noise makes the protocols more robust against noise in the quantum channel.

Symmetry of large physical systems implies independence of subsystems

Despite enormous theoretical and experimental progress in quantum cryptography, the security of most current implementations of quantum key distribution is still not rigorously established. One significant problem is that the security of the final key strongly depends on the number, M, of signals exchanged between the legitimate parties. Yet, existing security proofs are often only valid asymptotically, for unrealistically large values of M. Another challenge is that most security proofs are very sensitive to small differences between the physical devices used by the protocol and the theoretical model used to describe them. Here we show that these gaps between theory and experiment can be simultaneously overcome by using a recently developed proof technique based on the uncertainty relation for smooth entropies.