Relativistic Crypto

    Efficient Information-Theoretic Secrecy from Relativity Theory

    Esther Hänggi (1), Renato Renner (2), Stefan Wolf (3)

    (1) Computer Science Department, ETH Zürich, ETH Zentrum, CH-8092 Zürich, Switzerland. E-mail: [email protected]

    (2) Physics Department, ETH Zürich, ETH Hönggerberg, CH-8093 Zürich, Switzerland. E-mail: [email protected]

    (3) Computer Science Department, ETH Zürich, ETH Zentrum, CH-8092 Zürich, Switzerland. E-mail: [email protected]

    Abstract. Information-theoretic (as opposed to computational) security is impossible to achieve from scratch, but must be based on some — ultimately physical — assumption. Examples of such starting points are noise in communication channels, limitations on the adversary's memory capacity, or the uncertainty principle of quantum physics. In 2005, Barrett, Hardy, and Kent showed that information-theoretic secrecy can in principle be obtained based solely on the impossibility of message transmission faster than at the speed of light as postulated by special relativity. Roughly speaking, a protocol for entanglement-based quantum key agreement is executed, but the security rests entirely on the impossibility of explaining the resulting correlations by pre-shared classical information. Unfortunately, their protocol is inefficient: it has communication complexity Ω(1/ε) if Eve's information is to be limited by ε. Moreover, no noise can be tolerated. Despite earlier results suggesting that this might be optimal, we show that, actually, the communication complexity can be reduced to O(log(1/ε)); in other words, the information leaked to the adversary becomes exponentially small. In addition, no maximal violation of any Bell inequality is required, i.e., even in the presence of noise, the key-generation rate can be positive. The basic idea of our new key-agreement protocol is to use the "no-signaling" condition within Alice's and Bob's laboratories. The resulting scheme is secure if either quantum or relativity theory is correct. From a practical point of view, its advantage is that the security is device-independent and trust in the manufacturer unnecessary.

    1 Introduction, Motivation, and Our Result

    1.1 Cryptographic Security Based on Physical Principles

    It is a well-established fact that information-theoretic secrecy must be based on certain assumptions to start with. According to Landauer [18], such an assumption ultimately boils down to some fact or restriction on the physical level. This can be noise in communication channels [27], [9], [22], a limitation on an adversary's memory space [21], [10], or the uncertainty principle of quantum physics [5].

    In this article, we consider key-agreement protocols the security of which follows from the impossibility of superluminal signaling. More precisely, a protocol closely related to known entanglement-based quantum cryptography is used; however, quantum physics only enters the game for showing that the protocol works, i.e., is not aborted with overwhelming probability. Its security proof, however, relies on relativity only and is independent of quantum physics. Roughly speaking, the idea is as follows: If the results of certain measurements cannot have existed before the measurement is actually executed, then, in particular, the adversary cannot have (completely) known the corresponding pieces of information.

    1.2 Relativity-Based Cryptography

    The security of relativity-based (or relativistic) cryptography can be proven under the sole assumption that the non-signaling postulate of relativity theory is correct. The latter states that information transmission faster than at the speed of light is impossible.

    The basic idea, as proposed by Barrett, Hardy, and Kent [2], is as follows: By communication over a quantum channel, two parties Alice and Bob generate some shared entangled quantum state. They can carry out measurements and use an authentic classical channel to determine the resulting correlation of their respective data.

    So far, this is entanglement-based quantum cryptography as proposed by Ekert [12]¹ some years after the first variant of quantum cryptography proposed by Bennett and Brassard [5] and not based on entanglement at all. Let us quickly follow Ekert's path: From the correlations, they conclude on error rates and adversarial information and generate a key, the security of which can be proven based on the assumption that quantum physics with all its Hilbert space formalism is correct [24]. An additional assumption that usually has to be made is that the devices operate on specific quantum systems of a certain dimension (e.g., single polarized photons); the security is lost when the actual systems are different (e.g., pairs of photons). The question of device-independent security has been raised already in [1]. It was shown that under certain restrictions on the type of possible attack, namely to so-called collective, i.e., i.i.d. attacks, it can be achievable, at the price, however, of a lower key-generation rate.

    Let us now turn back to relativistic cryptography: Here, Alice and Bob carry out measurements on their respective systems in a space-like separated fashion (i.e., signaling is excluded), and this will allow them to conclude privacy directly from the correlations of their resulting data. The proofs then hold for whatever quantum systems the devices operate on; no Hilbert space formalism is used, only classical information theory. Actually, it is not even necessary to assume that the possibilities of what an adversary can do are limited by quantum physics. The latter guarantees the protocol to work, i.e., leads to the expected correlations, the occurrence of which can be verified, but the security is completely independent of quantum physics. An interesting consequence is that protocols can be given which are secure if either quantum physics or relativity (or both, of course) is correct.

    But how can it be possible to derive secrecy from correlations alone? In quantum physics, this is well known: Quantum correlations, called entanglement, are monogamous to some extent [25]. If Alice and Bob are maximally entangled, then Eve must be out of the picture. But classically, we do not know such an effect: If Alice and Bob have highly correlated bits, Eve can nevertheless know them. The point is that we have to look at correlations of bipartite systems, characterized by their joint input-output behavior.

    John Bell proved in 1964 [3] that entangled quantum states can have non-local behavior under measurements. More precisely, the system consists of the choice of the particular measurement to be carried out (the inputs) and the corresponding outcomes (the outputs). Bell's work was a reply to Einstein, Podolsky, and Rosen's claim [11] that quantum physics was incomplete and should be augmented by classical variables determining the behavior of every system under any possible measurement. Bell proved that such a thing is impossible: these variables do not exist. That is what can be exploited cryptographically: If they do not exist, then no adversary can know them!

    We explain this concept in more detail and start with a closer look at systems and correlations.

    1.3 Systems, Correlations, and Non-Locality

    In order to explain the essence of non-locality, we introduce the notion of two-partite systems, defined by their joint input-output behavior P_{XY|UV} (see Figure 1). We classify systems by the correlation they introduce, and by the resource that is required to explain the behavior of its parts.

    Definition 1. A system P_{XY|UV} is independent if there exist P_{X|U} and P_{Y|V} such that P_{XY|UV} = P_{X|U} P_{Y|V}. It is local if

        P_{XY|UV} = \sum_{i=1}^{n} w_i P^i_{X|U} P^i_{Y|V}

    holds for some weights w_i ≥ 0 and conditional distributions P^i_{X|U} and P^i_{Y|V}, i = 1, ..., n. A system is signaling if it allows for message transmission: There exist distributions P_U and P_V such that I(X;V|U) + I(Y;U|V) > 0 holds.

    Fig. 1: A two-partite system P_{XY|UV} with inputs U, V and outputs X, Y.

    ¹ Interestingly, the title of Ekert's celebrated article, "Quantum cryptography based on Bell's theorem," suits much more precisely and might have anticipated in some way the idea of relativistic cryptography based on non-local correlations: Here, the security proof is directly based on Bell's theorem, which is not the case for Ekert's protocol.

    In terms of classical resources required to establish them, these categories correspond to no resources at all, shared information, and message transmission, respectively. Of interest for us will be systems that are neither local nor signaling. Communication is required to explain their behavior classically, but for some of them, distributed quantum information is sufficient. Because they are non-signaling, this does not contradict relativity. We give an alternative characterization of locality.

    Lemma 1. For any system P_{XY|UV}, where 𝒰 and 𝒱 are the ranges of U and V, respectively, the following conditions are equivalent:

    1. P_{XY|UV} is local,
    2. there exist random variables X_u (u ∈ 𝒰) and Y_v (v ∈ 𝒱) with a joint distribution that is such that the marginals satisfy P_{X_u Y_v} = P_{XY|U=u,V=v}.

    Proof. Assume that P_{XY|UV} is local, i.e., P_{XY|UV} = \sum_i w_i P^i_{X|U} P^i_{Y|V}. For 𝒰 = {u_1, u_2, ..., u_m} and 𝒱 = {v_1, v_2, ..., v_n}, define

        P_{X_{u_1} ... X_{u_m} Y_{v_1} ... Y_{v_n}}(x_1, ..., x_m, y_1, ..., y_n) := \sum_i w_i P^i_{X|U=u_1}(x_1) ··· P^i_{X|U=u_m}(x_m) P^i_{Y|V=v_1}(y_1) ··· P^i_{Y|V=v_n}(y_n) .

    This distribution has the desired property. The reverse direction is obvious.

    Intuitively speaking, we can simply forget about the inputs, and all the alternative outputs can be put under the roof of a single joint distribution (see Figure 2).

    Fig. 2: Locality is realism. The system P_{XY|UV} with inputs u, v is replaced by the jointly distributed outputs X_{u_1}, ..., X_{u_m} and Y_{v_1}, ..., Y_{v_n}.

    Lemma 1 connects locality with so-called realism: All the outputs to the alternative inputs co-exist and can, hence, be pre-selected in a consistent way. We are interested in the contraposition of the statement: As soon as a system behaves non-locally, all these classical pieces of information cannot pre-exist.

    1.4 Non-Locality Implies Secrecy

    In order to explain this more explicitly, let us consider a specific example of a system, the so-called non-local box.

    Definition 2. [23] A non-local box (or NL box for short) is the following two-partite system P_{XY|UV}: The random variable X is a random bit, given the pair (U, V), and we have

        Prob[X ⊕ Y = U · V] = 1 . (1)

    Bell's theorem states that this system is indeed non-local. More precisely, any system that behaves like an NL box with probability superior to 75% is. Interestingly, quantum states achieve roughly 85%.

    Theorem 1. (John Bell, 1964 [3].) Any system that behaves like an NL box with probability > 75% for random inputs is non-local.

    Proof. Lemma 1 states that a system is local only if alternative outputs (i.e., outputs to alternative inputs) consistently co-exist. In the case of the NL box, this corresponds to a joint distribution of four bits P_{X_0 X_1 Y_0 Y_1} such that Prob[X_0 = Y_0] = Prob[X_0 = Y_1] = Prob[X_1 = Y_0] = 1 and Prob[X_1 ≠ Y_1] = 1 hold. These conditions are contradictory: Only three out of the four can be satisfied at a time.

    Note that although in terms of classical resources, the behavior of an NL box can be explained by message transmission only, the system is actually non-signaling: X and Y separately are perfectly random bits and independent of the input pair. On the other hand, a system P_{XY|UV} (where all variables are bits) satisfying (1) is non-signaling only if the outputs are completely unbiased, given the input pair, i.e., P_{X|U=u,V=v}(0) = P_{Y|U=u,V=v}(0) = 1/2. In other words, the output bit cannot be pre-determined, not even slightly biased. The outputs are, hence, perfectly random and the randomness must have been generated after input reception. This is what we can make use of for key agreement: Assume that Alice and Bob share any kind of physical system, carry out space-like separated measurements (hereby excluding message transmission), and measure data having the statistics of an NL box. (In order to test this, they exchange all the input bits and some randomly chosen outputs.) The resulting data are then perfectly secret bits, because even conditioned on an adversary's complete information, the correlation between Alice and Bob must be non-signaling!

    Unfortunately, however, perfect NL boxes do not exist in nature: Quantum physics is non-local, but not maximally². Can we still obtain virtually secret bits from weaker, quantum-physically achievable, non-locality? Barrett, Hardy, and Kent [2] have shown that the answer is yes; but their protocol is inefficient: In order to reduce the probability that the adversary learns a generated bit shared by Alice and Bob below ε, they have to communicate Ω(1/ε) Qbits. Barrett et al.'s protocol and its analysis are based on a type of non-locality different from the one modeled by the NL box; the latter is typically referred to as CHSH [8] non-locality.

    Masanes and Winter [20] proposed to use a number of 85%-approximations to the NL box (this is achievable with so-called singlets, i.e., maximally entangled Qbit pairs). Indeed, any, even weak, non-locality implies some secrecy, but no perfect secrecy in general. In order to illustrate this, consider a system approximating an NL box with probability 1 − ε for all inputs. More precisely, we have

        Prob[X ⊕ Y = U · V | U = u, V = v] = 1 − ε (2)

    ² It is a fundamental question, studied by many researchers, why this is the case. Is there a classical significance to the 85%-bound?

    for all (u, v) ∈ {0, 1}². Then, what is the maximal possible bias p := Prob[X = 0 | U = 0, V = 0] such that the system is non-signaling?

        u  v   P_{X|U=u,V=v}(0)   P_{Y|U=u,V=v}(0)
        0  0   p                  ≥ p − ε
        0  1   p                  ≥ p − ε
        1  0   ≥ p − 2ε           ≥ p − ε
        1  1   ≥ p − 2ε           ≥ p − ε

    We explain the table: Because of (2), the bias of Y, given U = V = 0, must be at least p − ε. Because of non-signaling, X's bias must be p as well when V = 1, and so on. Finally, condition (2) for U = V = 1 implies p − ε ≤ (1 − (p − 2ε)) + ε, hence p ≤ 1/2 + 2ε. For any ε < 1/4, this is a non-trivial bound. (This reflects the fact that ε = 1/4 is the local limit, as we have seen in the proof of Bell's theorem.) If we apply this, conditioned on Eve's knowledge, we obtain a lower bound on her uncertainty which is the better the stronger the non-locality is. (A special case is what we have seen above already: maximal CHSH non-locality leads to perfect secrecy.)

    Masanes and Winter's idea was to apply privacy amplification, a concept well known from classical [13], [4] and quantum [16] cryptography, to increase secrecy. In order to achieve this, they made some additional assumptions, such as a short secret key. The resulting secrecy is thus not satisfactory.

    In [14] it has been pessimistically argued that privacy amplification of no-signaling secrecy is impossible, the problem being that certain collective attacks exist that leave the adversary with significant information about the final key, however it is obtained from the raw key. This result suggests that the protocol of Barrett, Hardy, and Kent might be optimal.

    Fortunately, the situation changes completely when one considers space-like separation of measurement events even within Alice's as well as Bob's laboratories. In [19], Masanes has shown that in that case privacy amplification is possible in principle. However, his privacy amplification protocol needs an exponential number of communicated bits and is therefore not realizable in practice.

    We show here that it is in that case possible to apply usual privacy-amplification techniques using a set of two-universal hash functions, and we give a protocol which is efficient both in terms of classical as well as quantum communication.

    1.5 Our Result: Efficient Relativistic Key Agreement

    We show that there exists a protocol for efficiently generating a virtually secret key, where this secrecy can be derived from the no-signaling postulate only. The protocol consists of measuring n copies of a maximally entangled state, where all 2n measurement events are supposed to be space-like separated.

    Main Result. There exists a key-agreement protocol the security of which is solely based on the impossibility of superluminal signaling, and where the adversary's entire information about the resulting key is 2^{−Ω(C)} if C is the protocol's communication complexity.

    Note that this protocol is secure against the most general so-called coherent attacks and even if the adversary is post-quantum, i.e., not limited by the laws of quantum physics. The resulting security is universally composable. It is of practical significance that it is device-independent as well: Secrecy is implied by the observed correlations alone, and no assumptions on what happens within the devices are necessary; their manufacturer need not be trusted. Moreover, a certain amount of noise can be tolerated: Our scheme has a positive key-generation rate as soon as the correlations approximate NL boxes with an accuracy exceeding 80% and the output bits are correlated with more than 99% when Alice and Bob both choose to measure in the first basis (see Figure 3).

    Fig. 3: The parameter regions for which key agreement is possible (red), reachable by quantum mechanics (blue) and their intersection (green). The axes are the probability to violate the CHSH condition for uniform inputs and the probability not to have the same output bits on input (0, 0).

    2 The Model and the General Attack

    When Alice, Bob, and Eve carry out measurements on a (joint) physical system, they can choose their measurement settings and receive their respective outcomes. It is, therefore, natural to model the situation by a three-partite input-output system, characterized by a conditional distribution P_{XYZ|UVW}. This system could, for example, be realized by an entangled quantum state. The question we study in the following is: Interacting with their respective parts of the system, can Alice and Bob agree on a common string that is unknown to Eve? More specifically, this confidentiality should be a direct consequence only of the fact that all measurement events carried out by Alice and Bob are space-like separated.

    Abstractly, we can model the tripartite system by a box which takes three inputs (one for Alice, Bob and Eve, corresponding to their choice of measurement) and gives three outputs (the measurement results). This box is fully characterized by a tri-partite conditional probability distribution.

    Diagram: a box with three interfaces, A (input U, output X), E (input W, output Z) and B (input V, output Y); the box is denoted P_{XYZ|UVW}.

    If Alice's, Bob's, and Eve's measurement events are space-like separated, then, according to relativity theory, the resulting system must be non-signaling: the input/output behavior of one side tells nothing about the input on the other side(s) (and also, dividing the ends of the box in any two subsets, the input/output behavior of one subset tells nothing about the input of the other).

    Condition 1 ([2]) The system P_{XYZ|UVW} must not allow for superluminal signaling:

        \sum_x P_{XYZ|UVW}(x, y, z, u, v, w) = \sum_x P_{XYZ|UVW}(x, y, z, u', v, w)
        \sum_y P_{XYZ|UVW}(x, y, z, u, v, w) = \sum_y P_{XYZ|UVW}(x, y, z, u, v', w)     (3)
        \sum_z P_{XYZ|UVW}(x, y, z, u, v, w) = \sum_z P_{XYZ|UVW}(x, y, z, u, v, w')

    for all inputs u, u', v, v', w, w' and all outputs x, y, z.

    If a system is non-signaling between its interfaces, this also means that its marginal systems are well-defined: What happens at one of the interfaces does not depend on any other input. This implies that at all the interfaces, an output can always be provided immediately after the input has been given.

    We require Condition 1 to hold even when the inputs and outputs do not actually occur in a space-like separated way. This corresponds to the assumption that Alice and Bob have secure laboratories [2]. It is clear that no secure key can be established if this key is sent to the eavesdropper from Alice's laboratory. The non-signaling condition can be seen as the requirement that no information leaks from Alice's and Bob's laboratories that is not supposed to. Another way of interpreting Condition 1 is that the set of possible inputs (measurements) of Eve does not change in time [2]; Eve can only use side-information to choose the best measurement.

    On the other hand, we do allow for Eve to delay her choice of input (measurement) until all of Alice's and Bob's communication is finished; in particular, Eve knows the protocol of Alice and Bob, could get to know Alice's and/or Bob's input, hear later communication between Alice and Bob, and can adapt her strategy. From now on, we assume without loss of generality that Alice's bit will form the raw key and that the input was the all-zero input. Similar statements for the other cases follow by symmetry.

    We can reduce this tri-partite scenario to a bi-partite one: Because Eve cannot signal to Alice and Bob (even together) by her choice of input, we must have

        \sum_z P_{XYZ|UVW}(x, y, z, u, v, w) = \sum_z P_{XYZ|UVW}(x, y, z, u, v, w') =: P_{XY|UV}(x, y, u, v)

    and this is exactly the marginal box as seen by Alice and Bob. We can therefore see Eve's input as a choice of convex decomposition of Alice's and Bob's box and her output as indicating one part of the decomposition. Informally, we can write

        box(A, B) = p(z_0|w) · box(A, B)_{z_0} + p(z_1|w) · box(A, B)_{z_1} + ...

    and this also covers all possibilities available to Eve. Formally, we define:

    Definition 3. A box partition of a given box P_{XY|UV} is a family of pairs (p^z, P^z_{XY|UV}), where p^z is a weight and P^z_{XY|UV} is a box, such that

        P_{XY|UV} = \sum_z p^z P^z_{XY|UV} . (4)

    And we describe Eve's possibilities as:

    Lemma 2. For any given tri-partite box P_{XYZ|UVW}, any input w induces a box partition parametrized by z: p^z := p(z|w), P^z_{XY|UV} := P_{XY|UV,Z=z,W=w}.

    Lemma 3. Given a bi-partite box P_{XY|UV}, let 𝒲 be the set of all box partitions

        𝒲 = {(p^z, P^z_{XY|UV})} .

    Then the tri-partite box, where the input w is a box partition, defined by P_{XYZ|UV,W=w}(z) := p^z P^z_{XY|UV}, is non-signaling and has marginal box P_{XY|UV}.

    The condition that even Alice and Eve together must not be able to signal to Bob and vice versa means that the conditional boxes P^z_{XY|UV} must also be non-signaling between Alice and Bob.

    Note that the P^z_{XY|UV} are Alice's and Bob's systems' behavior from Eve's viewpoint. In particular, biases in the output distributions correspond to knowledge on her side.

    3 The Case of a Single Box

    Let us take a closer look at the case where the system Alice and Bob share is an NL box. This means that U, V, X, Y are bits such that X ⊕ Y = U · V and the system is non-signaling. It is easy to see that the only possible box partition of the NL box is the trivial one, which means that Eve can get no information whatsoever about Alice's output bit even if she knows the inputs, because the output bits of the NL box need to be unbiased. Alice and Bob can then announce their input bits; if they were (1, 1), Bob flips his bit, and they share a perfectly secure key bit.

    In case Alice and Bob share an imperfect NL box, one that fulfills P(X ⊕ Y = U · V) = 1 − ε for uniform inputs, Eve can get some knowledge depending on ε, but the probability that she can guess one of the outputs correctly is limited by 4ε (assuming she gets to know the input).

    If Eve has an end of a box taking input W and giving output Z and Alice has a bit-string S, then we measure Eve's knowledge by the distinguishing advantage between the real situation, i.e., P_{S,Z|W}, and the ideal situation P_U × P_{Z|W} (Alice's string is uniformly distributed and completely independent of Eve's system). This definition implies that the resulting security is universally composable.

    Definition 4. The distinguishing advantage from independent uniformity of a random variable S given a box E taking input W and giving output Z is

        1/2 \sum_s \max_{w(s)} \sum_z |P_{S,Z|W=w}(s, z) − P_U P_{Z|W=w}(z)| ,

    where w := w(s) is chosen such as to maximize this quantity and P_U := 1/|S|.

    In our case, we will show that this holds for the box E which takes as input W and gives as output Z and all other information that Eve possibly knows, such as U, V, the information communicated in the information reconciliation phase etc. We will write E := (Z, U = u, V = v | W) for this box. Further let us emphasize the following here: the set of allowed box partitions 𝒲 only depends on the probability distribution P_{XY|UV} and does not depend on the value that X (or even Y, U or V) have taken. So what we will show is actually something stronger than what is required by the definition: no matter what the value of s, for all w, the distinguishing advantage is small. (Which choice of W is the best one might, however, depend on the side information, respectively on how the key is obtained from the outputs.)

    Lemma 4. Assume a non-signaling probability distribution P_{XYZ|UVW} such that the marginal P_{XY|UV} is a non-local box with P(X ⊕ Y = U · V) = 1 − ε for uniform inputs. Then the distance from uniform independent of the output bit X given E := (Z, U = u, V = v | W) is at most 1/2 · 4ε.

    Proof. First we generalize the table from Section 1.4 to the case where P(X ⊕ Y ≠ U · V) = ε on average for uniform inputs (and it is not necessarily ε for every single input). In that case, the maximal probability that X = x for a certain input is still 1/2 + 2ε. Let ε_z denote the average probability that X ⊕ Y ≠ U · V holds, of the box given Z = z. Because this box must still be non-signaling, the bias of X given Z = z, U = u and V = v is at most 1/2 · 4ε_z by the above argument. However, because

        P_{XY|UV} = \sum_z p^z P^z_{XY|UV} ,

    we also have

        ε = \sum_z p^z ε_z

    and, therefore, the distance from uniform independent of X given E := (Z, U = u, V = v | W) is at most

        1/2 \sum_z p^z 4ε_z = 1/2 · 4ε .

    It can be shown that for a fixed guessing probability, the best type of knowledge Eve can have is provided by a binary erasure channel [26]; it is, therefore, the best thing for Eve to choose a box partition with Z ∈ {0, 1, ⊥}, P(X = 0 | Z = 0) = P(X = 1 | Z = 1) = 1, and P(X = 0 | Z = ⊥) = 1/2 for a certain input pair u, v. However, the probability that she obtains 0 or 1 is limited as follows.

    Lemma 5. Assume a non-signaling probability distribution P_{XY|UV} with binary inputs and outputs and such that P(X ⊕ Y = U · V) = 1 − ε for uniform inputs, and a box partition such that Z ∈ {0, 1, ⊥} and P(X = 0 | Z = 0) = P(X = 1 | Z = 1) = 1 and P(X = 0 | Z = ⊥) = 1/2 for the input u, v. Then

        \sum_{z ∈ {0,1}} p^z ≤ 4ε .

    Proof. Assume \sum_{z ∈ {0,1}} p^z > 4ε. Then the distance from uniform independent of X given E := (Z, U = u, V = v | W) is larger than 1/2 · 4ε, which contradicts Lemma 4.

    Note that there exists a box partition which reaches this bound, and that it can be found through a straightforward maximization.

    Systems P_{XY|UV} that approximate an NL box with error ε ∈ [0, 0.25) are non-local. We see that for any non-local box, Eve cannot obtain perfect knowledge about Alice's output bit, and the box, therefore, contains some secrecy.
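    The bound p ≤ 1/2 + 2ε from the table in Section 1.4, Lemma 4 and the tightness of Lemma 5 can be checked numerically. The following Python is an added example, not code from the paper: it represents boxes as explicit tables P(x, y | u, v), tests the two-party form of Condition 1, recovers Bell's 75% bound by enumerating the deterministic local strategies, and constructs (our own choice of four deterministic strategies mixed with the PR box, not a construction given in the paper) a non-signaling box with error ε on every input pair together with a box partition that reaches the 4ε bound.

```python
from fractions import Fraction
from itertools import product

BITS = (0, 1)
# A box is a dict (u, v) -> {(x, y): P(x, y | u, v)}; Fractions keep every check exact.

def deterministic_box(f, g):
    """Local deterministic strategy: Alice always outputs f[u], Bob always outputs g[v]."""
    return {(u, v): {(x, y): Fraction(int(x == f[u] and y == g[v])) for x in BITS for y in BITS}
            for u in BITS for v in BITS}

def pr_box():
    """Perfect NL box (Definition 2): x XOR y = u AND v, each output a uniform bit."""
    return {(u, v): {(x, y): Fraction(1, 2) if (x ^ y) == (u & v) else Fraction(0)
                     for x in BITS for y in BITS}
            for u in BITS for v in BITS}

def mix(parts):
    """Reassemble sum_z p^z P^z from a box partition [(p^z, P^z), ...] (equation (4))."""
    out = {(u, v): {(x, y): Fraction(0) for x in BITS for y in BITS} for u in BITS for v in BITS}
    for weight, box in parts:
        for uv in out:
            for xy in out[uv]:
                out[uv][xy] += weight * box[uv][xy]
    return out

def p_x0(box, u, v):
    """Alice's marginal P(X = 0 | u, v)."""
    return sum(box[(u, v)][(0, y)] for y in BITS)

def p_y0(box, u, v):
    """Bob's marginal P(Y = 0 | u, v)."""
    return sum(box[(u, v)][(x, 0)] for x in BITS)

def is_non_signaling(box):
    """Condition 1 for two parties: Alice's marginal must not depend on v, Bob's not on u."""
    return all(p_x0(box, u, 0) == p_x0(box, u, 1) and p_y0(box, 0, v) == p_y0(box, 1, v)
               for u in BITS for v in BITS)

def chsh_error(box, u, v):
    """P(X XOR Y != U . V) on the fixed input pair (u, v)."""
    return sum(p for (x, y), p in box[(u, v)].items() if (x ^ y) != (u & v))

def local_bound():
    """Theorem 1 by exhaustion: best CHSH success (uniform inputs) over the 16 deterministic
    strategies; mixtures of them (local systems, Definition 1) cannot beat this maximum."""
    best = Fraction(0)
    for f in product(BITS, repeat=2):
        for g in product(BITS, repeat=2):
            box = deterministic_box(f, g)
            success = 1 - sum(chsh_error(box, u, v) for u in BITS for v in BITS) / 4
            best = max(best, success)
    return best  # 3/4

def extremal_partition(eps):
    """Constructed box partition (this example's own, not from the paper): weight 1 - 4 eps on
    the PR box (Eve's z = erasure) and weight eps on each of four local deterministic strategies,
    each failing exactly one input pair and all outputting x = 0 on u = 0 (Eve's z in {0, 1})."""
    parts = [(1 - 4 * eps, pr_box())]
    # (f(1), g(0), g(1)) with f(0) = 0; the failing input pairs are (0,0), (0,1), (1,0), (1,1)
    for a, b, c in ((1, 1, 0), (0, 0, 1), (1, 0, 0), (0, 0, 0)):
        parts.append((eps, deterministic_box((0, a), (b, c))))
    return parts

def eve_known_weight(parts, u, v):
    """Lemma 5: total weight of the parts in which X is determined given (u, v)."""
    return sum(w for w, box in parts if p_x0(box, u, v) in (0, 1))

def distance_from_uniform(parts, u, v):
    """Definition 4 for S = X on input (u, v), Eve's system being the partition index z:
    1/2 * sum_{s, z} |P(s, z) - P_U(s) P(z)| with P_U = 1/2."""
    total = Fraction(0)
    for s in BITS:
        for w, box in parts:
            p_s = p_x0(box, u, v) if s == 0 else 1 - p_x0(box, u, v)
            total += abs(w * p_s - w * Fraction(1, 2))
    return total / 2

def summary(eps=Fraction(1, 16)):
    """Check the Section 1.4 table, Lemma 4 and Lemma 5 on the extremal box for eps < 1/4."""
    parts = extremal_partition(eps)
    box = mix(parts)
    return {
        "non_signaling": is_non_signaling(box),
        "max_input_error": max(chsh_error(box, u, v) for u in BITS for v in BITS),  # = eps
        "bias_u0": p_x0(box, 0, 0),     # = 1/2 + 2 eps: the bound of the table is tight
        "bias_u1": p_x0(box, 1, 0),     # = p - 2 eps = 1/2, as the table predicts
        "eve_known": eve_known_weight(parts, 0, 0),      # = 4 eps: Lemma 5 bound reached
        "distance": distance_from_uniform(parts, 0, 0),  # = 1/2 * 4 eps: Lemma 4 bound reached
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
    print("local CHSH bound:", local_bound())
```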

    4 The General Case of Several Boxes: The Gain of Space-Like Separation Between Different Events on Each Side

    When Alice and Bob share several systems (which, we assume, were provided by Eve), they cannot know whether these systems are independent or just look independent. In fact, each system could really just correspond to one input/output end of a large non-signaling system. We therefore need to assume that Eve will be able to attack the whole big system as one, as given in Figure 4.

    Fig. 4: Alice and Bob share n seemingly independent NL boxes (inputs u_1, ..., u_n and v_1, ..., v_n, outputs x_1, ..., x_n and y_1, ..., y_n). Eve, with input w and output z, can attack all of them at once.

    However, even if Alice and Bob only share different ends of a single large system and not independent systems, they can bring the different ends far apart and make the inputs in a space-like separated way. This is possible because we are looking at non-signaling systems and therefore all marginal input/output distributions are well-defined. Providing the inputs and making sure the outputs are given in a space-like separated way assures that the output of the second system on Alice's side cannot depend on her input in the first, etc., i.e., the system must be non-signaling among all 2n interfaces by relativity theory³. We call such a system 2n+1-partite non-signaling. The non-signaling condition between all 2n ends then even needs to hold given Eve's output z, i.e., P^z_{XY|UV} must not allow for signaling between any of the n NL boxes shared between Alice and Bob. This limits Eve's possible choices of a box partition. It further means that each of the marginal distributions P_{X_iY_i|U_iV_i} is well-defined and, in case X_i, Y_i, U_i, V_i are bits, can be characterized by a probability to fulfill the CHSH condition 1 − ε_i.

    ³ Instead of measuring in a space-like separated way, Alice and Bob could also ensure the non-signaling condition by placing each of their $n$ systems in a separate shielded laboratory. As we assume that Alice and Bob have a secure laboratory (Condition 1), it seems reasonable to assume that they can also build several secure laboratories.

    Fig. 5: The $n$ boxes with interfaces $(u_i, x_i)$ on Alice's side and $(v_i, y_i)$ on Bob's side; the dashed lines mean space-like separation.

    5 The Power of Individual Attacks

    Assume now that we are in the situation as given in Figure 4. We will show in this section that the probability that Eve knows all of Alice's output bits cannot be made higher by making a coherent attack as opposed to an individual one. We will do this in two steps: First we show that, without loss of generality, we can assume that Eve's output $Z$ gives information of binary erasure type about every single output bit of Alice. Then we will show that the probability to know all outputs of a set $K$ of boxes is limited by the value that can be reached through an individual attack.

    Lemma 6. For any box partition $(p_z, P^z_{XY|UV})$ such that the box $P^z_{XY|UV}$ is still non-signaling between all $2n$ input/output pairs, it is possible to define another box partition $(p_{z'}, P^{z'}_{XY|UV})$ with $z' = (z'_1, \ldots, z'_n) \in \{0, 1, \bot\}^n$, where, given $U_i = u_i, V_i = v_i$, $Z'_i$ gives binary erasure information about $X_i$, and such that the original box partition can be recovered by forgetting information.

    Proof. Because the box given outcome $z$, $P^z_{XY|UV}$, is still non-signaling between all ends, every marginal box $P^z_{X_iY_i|U_iV_i}$ is well-defined and has an associated probability that $X_i \oplus Y_i \neq U_i \cdot V_i$, which we denote by $\varepsilon^z_i$. The situation is therefore the same as before any box partition occurred: $n$ boxes with a certain (now updated) CHSH non-locality are to be partitioned. Start with the first box $P^z_{X_1Y_1|U_1V_1}$; it is either:

    - fully non-local, in which case we write $Z'_1 = \bot$;
    - fully local, which means that knowing $U_1 = u_1, V_1 = v_1$, $X_1$ is completely determined, and we write $Z'_1 \in \{0, 1\}$;
    - something in between, in which case we can split it up into a local and a non-local part.

    The newly defined box partition now gives binary erasure information about the first box (knowing $U_1 = u_1, V_1 = v_1$) and we can continue with the second marginal box. Notice that when continuing with the second box, the first will stay local or non-local, whichever one it was at the beginning. We continue until we get binary erasure information about each of the $n$ boxes. All the information that could be obtained from the original box partition $z$ can now be obtained from the finer box partition $z'$ with $Z' = (Z'_i)_{i \le n} \in \{0, 1, \bot\}^n$ (and maybe randomness if the same $Z'$ occurred in different $Z$s) and by forgetting information.

    Remark 1. Note that in case $Z'_i \in \{0, 1\}$ (the box $i$ is completely local) it is actually possible to make an even finer box partition, such that Eve knows exactly which local deterministic strategy has occurred. However, as we are only interested in Alice's outcome $X$, we only write $Z'_i = 0$ or $Z'_i = 1$.

    The probability that Eve knows all of Alice's outcomes of a certain set of boxes can be bounded by the following lemma.

    Fig. 6: Without loss of generality, we can assume that Eve's output is of the form $z = (z_i)_{i \le n} \in \{0, 1, \bot\}^n$, where $Z_i$ gives information about $X_i$.

    Lemma 7. Assume a $(2n+1)$-partite non-signaling probability distribution $P_{XYZ|UVW}$ such that the marginal $P_{XY|UV}$ corresponds to $n$ non-local boxes, each with an associated error $\varepsilon_i$, and consider a box partition induced by an input $w$ such that $Z = (Z_1, \ldots, Z_n)$ with $Z_i$ giving binary erasure information about $X_i$ (knowing $U_i = u_i, V_i = v_i$). Then for every subset $K$ of boxes the probability that $Z$ gives information about all the $X_i$ in the set is bounded by

    $$\sum_{\{z \mid \forall i \in K:\ z_i \in \{0,1\}\}} p_z \;\le\; \prod_{i \in K} (4\varepsilon_i), \qquad (5)$$

    where $p_z$ are the probabilities associated with the output $z$.

    Remark 2. In case all boxes have the same non-locality $\varepsilon$, this means that for every subset $K$ of size $k$, $P(z_i \in \{0,1\}\ \forall i \in K) \le (4\varepsilon)^k$.

    Proof. The probability that all of the $k$ boxes in the set do not fulfill the CHSH condition (i.e., $X_i \oplus Y_i \neq U_i \cdot V_i$ for all $i \in K$) is $\prod_{i \in K} \varepsilon_i$ (and cannot be changed by the choice of box partition $W$ because of the non-signaling condition). By Lemma 6, the box given $Z_i \in \{0,1\}$ is local, and therefore can at most fulfill the CHSH condition with probability $3/4$. This means that the probability to never fulfill the CHSH condition given $Z_i \in \{0,1\}$ for all $i$ is lower-bounded by

    $$P_{X_i \oplus Y_i \neq U_i V_i\ \forall i \,\mid\, z_i \in \{0,1\}\ \forall i} \;\ge\; (1/4)^k.$$

    The box given $Z_i = \bot$ is completely non-local and therefore always fulfills the CHSH condition. This means

    $$P_{X_i \oplus Y_i \neq U_i V_i\ \forall i} \;=\; P_{Z_i \in \{0,1\}\ \forall i} \cdot P_{X_i \oplus Y_i \neq U_i V_i\ \forall i \,\mid\, Z_i \in \{0,1\}\ \forall i} \;=\; \prod_i \varepsilon_i,$$

    and therefore $P(Z_i \in \{0,1\}\ \forall i) \le \prod_i (4\varepsilon_i)$.

    From now on we will only consider $(2n+1)$-partite non-signaling systems $P_{XYZ|UVW}$ such that the marginal $P_{XY|UV}$ corresponds to $n$ non-local boxes with error $\varepsilon_i$ and such that $\varepsilon := \frac{1}{n}\sum_i \varepsilon_i$. Further, w.l.o.g. we only consider box partitions induced by an input $W$ such that the output is of the form $Z = (Z_1, \ldots, Z_n)$ with $Z_i$ giving binary erasure information about $X_i$.

    Lemma 8. Equality can be reached by an individual attack.

    This is a direct consequence of the attack on a single box. This means that if Alice takes the XOR of all the outcomes of her boxes, then Eve knows almost nothing about this bit, as stated in the following Lemma 9.

    Lemma 9. The distinguishing advantage from independent uniformity of $\mathrm{XOR}(X_i)$ given $E := (Z, U = u, V = v \mid W)$ is at most $\tfrac{1}{2}(4\varepsilon)^n$, i.e.,

    $$d\big(P_{\mathrm{XOR}(X_i), E},\ P_U \times P_E\big) \;\le\; \tfrac{1}{2}\,(4\varepsilon)^n.$$

    Proof. Follows from Lemma 7 and the fact that $\prod_i (4\varepsilon_i)$ for a given average $\varepsilon$ is maximized when $\varepsilon_i = \varepsilon$ for all $i$.

    Alice can therefore create a bit from her output bits which is highly secret from Eve. But the problem is that Bob might not have the same bit as Alice, and they can therefore not use this bit as a key. In fact, Alice and Bob have correlated output bits, but not perfectly correlated output bits. They therefore need to do information reconciliation, to obtain a highly correlated bit-string, before doing privacy amplification. Eve can hear the information exchanged between Alice and Bob over the public but authentic channel, and she can use it to correct missing information or to choose a better box partition. The question is therefore whether the best attack Eve can do is still an individual attack. It is possible to give an example which shows that this is in general not the case; however, Lemma 7 does give us a limit on the knowledge an adversary can possibly reach.

    6 Information Reconciliation / Error Correction

    Alice and Bob use a two-universal hash function [7] from $n$ to $m$ bits to correct the errors in their raw key [6]. They randomly choose an $m \times n$ matrix $A$ with coefficients in $GF(2)$ and such that for every entry $p(0) = p(1) = 1/2$. Then Alice calculates $A \otimes x$ (where $x$ is her raw key and we write $\otimes$ for the multiplication over $GF(2)$) and sends it to Bob over the classical authentic channel. (The original shows a worked instance with a $4 \times 7$ matrix $A$ and $x = 0110100$, yielding $A \otimes x = 0110$.)

    We need a result from [7] about two-universal sets of hash functions.

    Theorem 2 ([7]). The set of functions $f_A(x) := A \otimes x$, where $A$ is any $m \times n$-matrix over $GF(2)$, is two-universal.

    In the limit of large $n$, $m = n \cdot h(\delta)$, where $\delta$ is the probability that Bob's bit is different from Alice's and $h$ the binary entropy function, is both necessary and sufficient for Bob to correct the errors in his raw key, as described by the following theorem.

    Theorem 3 ([6]). Suppose an $n$-bit string $x$ and another $n$-bit string $y$ obtained by sending $x$ over a binary symmetric channel with error parameter $\delta$. Assume the function $f: \{0,1\}^n \to \{0,1\}^m$ is chosen at random amongst a set of two-universal functions. Choose $y'$ such that $d_H(y, y')$ is minimal among all strings $r$ with $f(r) = f(x)$. Then

    $$P_{x \neq y'} \;\le\; 1 - e^{-2^{\,n h(\delta + \xi) - m}} + (\log n)\, 2^{-\Omega(1)\, n}.$$

    This shows that for $n \to \infty$ and $m = n \cdot h(\delta)$ the protocol is $\eta$-correct for any $\eta > 0$.

    Remark 3. There is no known efficient (in terms of computation) decoding algorithm for the above information reconciliation scheme. However, there exists an interactive scheme, where Alice and Bob leak an arbitrarily small amount of additional information, which is efficient. We expect that it should be possible to change our protocol such as to use this efficient scheme.

    7 Privacy Amplification

    To do privacy amplification Alice and Bob proceed exactly the same way as for the information reconciliation: they choose a random $s \times n$-matrix $B$, and $B \otimes x$ is the secret key of length $s$. Every key bit is therefore given by $b \otimes x$ with $b$ a random $n$-bit vector such that $p(0) = p(1) = 1/2$.

    To show that this key is secure, we will first show something stronger: every single bit of the key is still secure, even if Eve knows all other key bits (and the information reconciliation). The security of the key string then follows by the triangle inequality. We assume that Eve knows $A \otimes x$, where $A$ is a random matrix of size $(m + s - 1) \times n$ that includes both the information reconciliation and the other key bits. Let us now calculate when $b \otimes x$ is still secure.

    We distinguish two cases, for an arbitrary threshold $k$:

    Case 1: from the lines of $A$ it is possible to form a vector $v$ such that $d_H(v, b) \le k$.
    Case 2: from the lines of $A$ it is not possible to form a vector $v$ such that $d_H(v, b) \le k$.

    Now we bound the probabilities of the different situations:

    Lemma 10. Assume $m' := m + s - 1$ $n$-bit vectors $a_i$, $i = 1, \ldots, m'$, are randomly chosen such that $p((a_i)_j = 0) = p((a_i)_j = 1) = 1/2$ for all $i, j$. The probability that a linear combination of these random vectors over $GF(2)$ can form a vector with Hamming distance at most $k < n/2$ from another randomly chosen $n$-bit vector $b$ is bounded by

    $$P_{A,b}(\text{Case 1}) \;\le\; 2^{m'}\,\frac{\sum_{i \le k} \binom{n}{i}}{2^n} \;\le\; 2^{m'}\, 2^{n h(k/n) - n} \;=\; \left(2^{m'/n + h(k/n) - 1}\right)^n, \qquad (6)$$

    where the probability is taken over the choices of $A$ and $b$.

    Proof. There are at most $2^{m'} - 1$ different non-trivial linear combinations of the $m'$ vectors. Every linear combination (over $GF(2)$) of random $n$-bit vectors will again be a random $n$-bit vector with $p(0) = p(1) = 1/2$. The probability that a random $n$-bit vector $v$ has $d_H(v, b) \le k$ for $k < n/2$ and a certain vector $b$ is bounded by

    $$P[\text{random } n\text{-bit vector contains at most } k \text{ 1s}] \;=\; \frac{\sum_{i \le k} \binom{n}{i}}{2^n} \;\le\; 2^{n h(k/n) - n}. \qquad (7)$$

    The probability that the trivial linear combination (the all-zero vector) has Hamming distance less than $k$ from $b$ is exactly the probability that $b$ contains at most $k$ 1s and is again given by (7). We obtain the claim by the union bound.

    Let us now also bound the probability that Eve knows the key bit in Case 2: Assume that all of the $2^{m'}$ linear combinations can reach Hamming distance exactly $k$ (for some $k < n/2$) from the vector $b$ (this includes the case that $b$ itself only contains a few 1s, because this is exactly the case when the trivial linear combination of the $m'$ vectors has Hamming distance less than $k$ from $b$).

    Lemma 11. Assume $A$ and $b$ were chosen such that we are in Case 2. Then the distinguishing advantage from independent uniformity of the bit $b \otimes X$ given $E := (Z, A, b, U = u, V = v, A \otimes X = A \otimes x \mid W)$ when Case 2 happened is bounded by

    $$d\big(P_{b \otimes X, E, \text{Case 2}},\ P_U \times P_{E, \text{Case 2}}\big) \;\le\; \tfrac{1}{2}\, 2^{m'} (4\varepsilon)^k \;=\; \tfrac{1}{2}\left(2^{m'/n} (4\varepsilon)^{k/n}\right)^n. \qquad (8)$$

    Remark 4. It is important to notice that our result holds for any box partition w, in particular also for onethat can be adaptively chosen after hearing the information released in the information reconciliation phase.

    Proof. From $m'$ random vectors, we can at most form $2^{m'}$ different linear combinations. By assumption, we are in Case 2, that is, each of these linear combinations has Hamming distance larger than $k$ from $b$. This means, for each of the vectors, there is a set $K$ of size at least $k$ such that we must have $z_i \in \{0,1\}$ for all $i \in K$ in order to know $b \otimes x$. The probability $p_z$ of such a $Z$ is bounded by (5). The Lemma follows by the union bound over all of the $2^{m'}$ vectors.

    We can finally bound the total probability that Eve knows the key bit in either case.

    Lemma 12. The distinguishing advantage from independent uniformity of the bit $b \otimes X$ given $E := (Z, A, b, U = u, V = v, A \otimes X = A \otimes x \mid W)$ is bounded by

    $$d\big(P_{b \otimes X, E},\ P_U \times P_E\big) \;\le\; \tfrac{1}{2}\left[\left(2^{m'/n + h(1 - k/n) - 1}\right)^n + \left(2^{m'/n} (4\varepsilon)^{k/n}\right)^n\right].$$

    Proof. Follows directly from Lemma 10 and 11 and

    $$\begin{aligned} d\big(P_{b \otimes X, E},\ P_U \times P_E\big) &= P(\text{Case 1}) \cdot d\big(P_{b \otimes X, E, \text{Case 1}},\ P_U \times P_{E, \text{Case 1}}\big) + P(\text{Case 2}) \cdot d\big(P_{b \otimes X, E, \text{Case 2}},\ P_U \times P_{E, \text{Case 2}}\big) \\ &\le \tfrac{1}{2}\, P(\text{Case 1}) + d\big(P_{b \otimes X, E, \text{Case 2}},\ P_U \times P_{E, \text{Case 2}}\big). \end{aligned}$$

    From Lemma 12 we obtain a bound on the distinguishing advantage from independent uniformity of the whole bit-string by the triangle inequality.

    Lemma 13. The distinguishing advantage from independent uniformity of the bit-string $B \otimes X$ given $E := (Z, A, B, U = u, V = v, A \otimes X = A \otimes x \mid W)$ is bounded by

    $$d\big(P_{B \otimes X, E},\ P_U \times P_E\big) \;\le\; \tfrac{1}{2}\, s\left[\left(2^{m'/n + h(1 - k/n) - 1}\right)^n + \left(2^{m'/n} (4\varepsilon)^{k/n}\right)^n\right] \qquad (9)$$

    (notice that $P_U$ is given by $1/2^s$).

    This shows that for $n \to \infty$ the protocol is $\eta$-secret for any $\eta > 0$ whenever there exists a $k/n < 1/2$ such that $m'/n + h(1 - k/n) < 1$ and $2^{h(\delta)} (4\varepsilon)^{k/n} < 1$, and implies the following lemma.

    Lemma 14. The above protocol reaches a positive secret key rate whenever

    $$\log_{4\varepsilon}\big(2^{-h(\delta)}\big) < 1/2, \quad \text{and} \qquad (10)$$

    $$h(\delta) + h\big(\log_{4\varepsilon}(2^{-h(\delta)})\big) < 1. \qquad (11)$$

    Remark 5. In our scheme Alice and Bob choose the matrices $A$, $B$ used for information reconciliation and privacy amplification at random after they have measured the boxes. Alternatively, they could use a fixed function, but apply a (common) random permutation to their raw bit string after measurement.

    8 Key Generation Protocol in the Quantum Regime

    If Alice and Bob share a box which has the same probability to fulfill the CHSH condition for all inputs (such as happens, for example, for the quantum system giving the highest violation of the Bell inequality), then $\varepsilon = \delta$ and our protocol does not reach a positive secret key rate in the quantum regime ($\varepsilon \approx 0.15$). However, there exist other boxes which can be made quantum mechanically with lower error probability in the raw key, and Alice and Bob therefore need to do less error correction. $\varepsilon$ for that box, on the other hand, is slightly higher. Alice and Bob therefore choose the following box and generate their raw key only from the outputs when they have given input $(0, 0)$.

    The box $P(x, y \mid u, v)$, with rows indexed by $(u, x)$ and columns by $(v, y)$:

                        v = 0                          v = 1
    u   x \ y       0             1              0             1
    0   0       1/2 − δ/2      δ/2           3/8 − ε'/2    1/8 + ε'/2
        1       δ/2            1/2 − δ/2     1/8 + ε'/2    3/8 − ε'/2
    1   0       3/8 − ε'/2     1/8 + ε'/2    1/8 + ε'/2    3/8 − ε'/2
        1       1/8 + ε'/2     3/8 − ε'/2    3/8 − ε'/2    1/8 + ε'/2        (12)

    Note that this distribution can be achieved (even for $\varepsilon' = \delta = 0$) by measuring a singlet state (see Section 9). We have introduced $\varepsilon'$ and $\delta$ to allow for noise in the state and/or measurement. In a noiseless setting Alice and Bob will have perfectly correlated bits (and therefore wouldn't need to do any error correction) and the probability of the box to violate the CHSH condition would be $\varepsilon = 0.1875$ (and this is also the parameter which limits Eve's knowledge). Including noise, $\varepsilon = 0.2$ and $\delta = 0.01$ are parameters which can be attained in the quantum regime and which yield a positive secret key rate. The whole parameter region is characterized in Figure 3.
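    As an added illustration (not the paper's code) of box (12) together with the rate conditions (10) and (11) of Lemma 14, the following builds the distribution of the table, computes its CHSH error ε and raw-key error δ, and evaluates the two conditions. It assumes the table is parametrised by a bit error δ on input pair (0, 0) and a noise term ε' on the other three input pairs; the function names are ours.

```python
import itertools
import math


def h(p):
    """Binary entropy function in bits, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def box_12(delta, eps_prime):
    """P(x, y | u, v) of box (12), keyed by (u, v, x, y).

    On input (0, 0) the outputs agree up to bit error delta; on the other
    three input pairs the CHSH condition x (+) y = u*v holds with
    probability 3/4 - eps_prime (assumed parametrisation of the table).
    """
    P = {}
    for u, v, x, y in itertools.product((0, 1), repeat=4):
        if (u, v) == (0, 0):
            P[u, v, x, y] = 0.5 - delta / 2 if x == y else delta / 2
        elif (x ^ y) == (u & v):
            P[u, v, x, y] = 3 / 8 - eps_prime / 2
        else:
            P[u, v, x, y] = 1 / 8 + eps_prime / 2
    return P


def chsh_error(P):
    """Average over the four input pairs of P(x (+) y != u*v | u, v); this is
    the epsilon of Lemma 14 (3/16 = 0.1875 for the noiseless box)."""
    err = 0.0
    for (u, v, x, y), p in P.items():
        if (x ^ y) != (u & v):
            err += p
    return err / 4


def raw_key_error(P):
    """delta of Section 6: P(x != y | u = 0, v = 0), the error Bob must correct."""
    return sum(p for (u, v, x, y), p in P.items() if (u, v) == (0, 0) and x != y)


def positive_rate(eps, delta):
    """Lemma 14: positive secret-key rate iff (10) and (11) hold.
    eps must be the CHSH error of a non-local box, 0 < eps < 1/4."""
    if eps <= 0.0 or eps >= 0.25:
        raise ValueError("Lemma 14 applies to non-local boxes, 0 < eps < 1/4")
    # smallest k/n with 2^{h(delta)} (4 eps)^{k/n} < 1, i.e. log_{4eps}(2^{-h(delta)})
    k_over_n = math.log(2.0 ** (-h(delta)), 4.0 * eps)
    cond_10 = k_over_n < 0.5                  # (10): a usable k/n < 1/2 exists
    cond_11 = h(delta) + h(k_over_n) < 1.0    # (11): IR plus PA leak less than n bits
    return cond_10 and cond_11


if __name__ == "__main__":
    for delta, eps_prime in ((0.0, 0.0), (0.01, 0.0), (0.146, 0.0)):
        eps = chsh_error(box_12(delta, eps_prime))
        print(f"delta={delta:.3f} eps={eps:.4f} positive rate: {positive_rate(eps, delta)}")
    # the maximally violating quantum box has the same error on every input pair
    print("eps = delta = 0.146 ->", positive_rate(0.146, 0.146))
```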

    9 The New Key-Generation Protocol

    The following protocol allows for unconditionally secure key agreement based on relativity theory.

    Protocol for Relativity-Based Key Agreement

    1. Alice creates $n + k$ maximally entangled states $|\Psi^-\rangle = \frac{1}{\sqrt{2}}(|01\rangle - |10\rangle)$, for some $k = \Theta(n)$, and sends one qubit of every state to Bob.
    2. Alice and Bob randomly measure the $i$th system in either the basis $U_0$ or $U_1$ (for Alice) or $V_0$ and $V_1$ (Bob); the four bases are shown in Figure 2⁴. All the $2(n+k)$ measurement events are pairwise space-like separated.
    3. They randomly choose $n$ of the measurement results when both measured $U_0, V_0$ to form the raw key.
    4. For the remaining $k$ measurements they announce the results over the public authentic channel and estimate the parameters $\varepsilon$ and $\delta$ (see [17], [15]). They also check whether they have obtained roughly the same number of 1s and 0s (for the IR scheme). If the parameters are such that key agreement is possible (Figure 3) they continue; otherwise they abort.
    5. Information reconciliation and privacy amplification: Alice randomly chooses an $(m + s) \times n$-matrix $M$ such that $p(0) = p(1) = 1/2$ for all entries and communicates $M$ to Bob over the authentic channel. Then she calculates $M \otimes x$ (where $x$ is Alice's raw key) and communicates the first $m := n \cdot h(\delta)$ bits to Bob. The remaining bits form the secret key.
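    An added example (not the authors' code) of the hashing used in Sections 6 and 7 and in step 5 above: a random $GF(2)$ matrix gives $A \otimes x$ for information reconciliation, Bob decodes as in Theorem 3 by picking the string closest to his $y$ among those with the same hash, and $B \otimes x$ is the privacy-amplified key, all run on a constructed raw key. The function names, the small block length $n$ and the brute-force decoder are choices made here.

```python
import math
import random


def h(p):
    """Binary entropy function in bits, h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def random_matrix(rows, n, rng):
    """rows x n matrix over GF(2), each row stored as an n-bit int; every
    entry is 0 or 1 with probability 1/2, as A, B and M are chosen in the paper."""
    return [rng.getrandbits(n) for _ in range(rows)]


def gf2_mul(matrix, x):
    """A (x) x: bit j of the result is the parity of <a_j, x> over GF(2).
    The result is packed as an int with the first row in the top bit."""
    out = 0
    for row in matrix:
        out = (out << 1) | (bin(row & x).count("1") & 1)
    return out


def hamming(a, b):
    """Hamming distance between two n-bit ints."""
    return bin(a ^ b).count("1")


def bsc(x, n, delta, rng):
    """Send x over a binary symmetric channel with crossover probability delta."""
    flips = sum(1 << i for i in range(n) if rng.random() < delta)
    return x ^ flips


def reconcile(A, n, syndrome, y):
    """Bob's decoding of Theorem 3: among all r with A (x) r equal to the
    hash A (x) x that Alice sent, return the one closest to y.
    Brute force over all 2^n strings, so only for small n (Remark 3 notes
    that no efficient decoder is known for this scheme)."""
    best, best_d = None, n + 1
    for r in range(1 << n):
        if gf2_mul(A, r) == syndrome:
            d = hamming(r, y)
            if d < best_d:
                best, best_d = r, d
    return best


def step5(n, delta, s, seed=7):
    """Step 5 of the protocol on a constructed raw key: Alice draws M = (A; B),
    publishes the first m = ceil(n h(delta)) bits of M (x) x, and the last s
    bits B (x) x are the key. Returns (alice_key, bob_key, reconciled_exactly)."""
    rng = random.Random(seed)
    x = rng.getrandbits(n)            # Alice's raw key (constructed)
    y = bsc(x, n, delta, rng)         # Bob's raw key after the channel
    m = math.ceil(n * h(delta))
    A = random_matrix(m, n, rng)      # information reconciliation rows
    B = random_matrix(s, n, rng)      # privacy amplification rows
    x_hat = reconcile(A, n, gf2_mul(A, x), y)
    return gf2_mul(B, x), gf2_mul(B, x_hat), x_hat == x


if __name__ == "__main__":
    ka, kb, ok = step5(n=12, delta=0.1, s=3)
    print(f"Alice key {ka:03b}, Bob key {kb:03b}, reconciliation exact: {ok}")
```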

    Theorem 4. The above protocol achieves a positive secret-key-generation rate as soon as the parameter estimation shows an approximation of NL boxes with an accuracy exceeding 80% and a correlation of the outputs on input $(0, 0)$ higher than 99%. There exists an event $\mathcal{A}$ with probability $\mathrm{Prob}[\mathcal{A}] = 2^{-\Omega(n)}$ such that, given $\mathcal{A}$ does not occur and the protocol is not aborted, Alice and Bob share a common key that is perfectly secret, where this secrecy is based on the sole assumption that signaling faster than light is impossible.

    The above protocol also allows for quantum key agreement à la Ekert. Therefore, we have the following.

    Corollary 1. The above protocol allows for efficient information-theoretic key agreement if quantum OR relativity theory is correct.

    ⁴ Alice and Bob will actually select the bases with a bias towards zero, such that in roughly $n + k$ cases they measure $U_0, V_0$, because the raw key will only be formed from these outcomes.

    Fig. 7: Alice's and Bob's measurement bases $U_0, U_1, V_0, V_1$ in the polarization basis (the marked angles are 30°).

    10 Concluding Remarks and Open Questions

    We propose an efficient (both in terms of classical as well as quantum communication) protocol for generating a secret key between two parties connected by a quantum channel. The resulting (classical) key can be proven secret under the sole assumption that the no-signaling postulate of special relativity holds. Practical advantages of such a scheme are that security of quantum key distribution can be made device-independent, and that a certain noise level can be tolerated, which is a feature previously unattained under such assumptions.

    The main idea of our protocol is to have space-like separation not only between events happening on Alice's and Bob's side, but also between events in the same laboratory. It is a natural open question whether the space-like-separation conditions can be relaxed. For instance, is it sufficient if they hold on one of the two sides? Or in one direction among the $n$ events on each side? Obviously, the latter would be very easy to guarantee in practice.

    References

    1. A. Acín, N. Brunner, N. Gisin, S. Massar, S. Pironio, and V. Scarani. Device-independent security of quantum cryptography against collective attacks. Physical Review Letters, 98:230501, 2007.
    2. J. Barrett, L. Hardy, and A. Kent. No signalling and quantum key distribution. Physical Review Letters, 95:010503, 2005.
    3. J. S. Bell. On the Einstein-Podolsky-Rosen paradox. Physics, 1:195–200, 1964.
    4. C. Bennett, G. Brassard, C. Crépeau, and U. Maurer. Generalized privacy amplification. In Proc. 1994 IEEE International Symposium on Information Theory (Abstracts), page 350, 1994.
    5. C. H. Bennett and G. Brassard. Quantum cryptography: public key distribution and coin tossing. In Proceedings of International Conference on Computers, Systems and Signal Processing, 1984.
    6. G. Brassard and L. Salvail. Secret-key reconciliation by public discussion. In EUROCRYPT '93: Workshop on the theory and application of cryptographic techniques on Advances in cryptology, pages 410–423, 1994.
    7. J. L. Carter and M. N. Wegman. Universal classes of hash functions (extended abstract). In STOC '77: Proceedings of the ninth annual ACM symposium on Theory of computing, pages 106–112, 1977.
    8. J. F. Clauser, M. A. Horne, A. Shimony, and R. A. Holt. Proposed experiment to test local hidden-variable theories. Physical Review Letters, 23(15):880–884, 1969.
    9. I. Csiszár and J. Körner. Broadcast channels with confidential messages. IEEE Transactions on Information Theory, 24(3):339–348, May 1978.
    10. S. Dziembowski and U. Maurer. The bare bounded-storage model: The tight bound on the storage requirement for key agreement. IEEE Transactions on Information Theory, 54(6):2790–2792, 2008.
    11. A. Einstein, B. Podolsky, and N. Rosen. Can quantum-mechanical description of physical reality be considered complete? Physical Review, 47:777–780, 1935.
    12. A. K. Ekert. Quantum cryptography based on Bell's theorem. Physical Review Letters, 67(6):661–663, 1991.
    13. J. Håstad, R. Impagliazzo, L. A. Levin, and M. Luby. A pseudorandom generator from any one-way function. SIAM Journal on Computing, 28(4):1364–1396, 1999.
    14. E. Hänggi, R. Renner, and S. Wolf. The impossibility of non-signaling privacy amplification. Submitted, 2008.
    15. K. Horodecki, M. Horodecki, P. Horodecki, D. Leung, and J. Oppenheim. Quantum key distribution based on private states: unconditional security over untrusted channels with zero quantum capacity, 2006.
    16. R. Koenig, U. Maurer, and R. Renner. On the power of quantum memory, 2003.
    17. R. Koenig and R. Renner. A de Finetti representation for finite symmetric quantum states. Journal of Mathematical Physics, 46(122108), December 2005. See also http://arxiv.org/abs/quant-ph/0410229.
    18. R. Landauer. Irreversibility and heat generation in the computing process. IBM Journal of Research and Development, 5:183, 1961.
    19. Ll. Masanes. Universally-composable privacy amplification from causality constraints, 2008.
    20. Ll. Masanes and A. Winter. Unconditional security of key distribution from causality constraints, 2006.
    21. U. Maurer. A provably-secure strongly-randomized cipher. In Advances in Cryptology - EUROCRYPT '90, volume 473 of Lecture Notes in Computer Science, pages 361–373, 1990.
    22. U. Maurer. Conditionally-perfect secrecy and a provably-secure randomized cipher. Journal of Cryptology, 5(1):53–66, 1992.
    23. S. Popescu and D. Rohrlich. Quantum nonlocality as an axiom. Foundations of Physics, 24(3):379–385, 1994.
    24. R. Renner. Security of quantum key distribution. PhD thesis, Swiss Federal Institute of Technology (ETH) Zurich, 2005. Available at http://arxiv.org/abs/quant-ph/0512258.
    25. B. M. Terhal. Is entanglement monogamous? IBM Journal of Research and Development, 48(1):71–78, 2004.
    26. S. Wolf. Reducing oblivious string transfer to universal oblivious transfer. In Proceedings of ISIT 2000, page 311, 2000.
    27. A. D. Wyner. The wire-tap channel. Bell System Technical Journal, 54(8):1355–1387, 1975.