Randomness amplification (8 devices): Difference between revisions
(Created page with "Randomness amplification is a protocol for Quantum Random Number Generator which takes a string from a weak source of randomness - one which contains correlations and may...") |
(No difference)
|
Revision as of 23:19, 4 November 2019
Randomness amplification is a protocol for Quantum Random Number Generator which takes a string from a weak source of randomness - one which contains correlations and may be at least somewhat predictable by an adversary - and converts it to a (potentially shorter) string which is (close to) uniformly random and private from any adversaries. The protocol of Brandao et al allows for eight untrusted devices to be used in a noise-tolerant setting to amplify an arbitrarily weak Santha-Vazirani (SV) source.
Classically, it is only possible to extract uniform, private randomness by combining multiple weak sources together. This protocol enables the extraction of such randomness from only a single weak source - useful in any situation where only some randomness has been provided but absolute security is required.
Tags: Building Blocks, Quantum Functionality, Specific Task
Assumptions
- No-signalling theorem is correct
- The measurement devices do not interact during measurements
- The measurement devices are not correlated with the input string
Outline
In this protocol, Alice has an initial string that has been produced by an SV source and therefore is not uniformly random. She has been provided with eight identical measurement devices by Eve, each of which has two settings and can produce two outputs. Classical randomness extractors exist which are capable of combining three independent sources of weak randomness into a single (close to) uniform, private source. Alice's overarching goal is, therefore, to use her provided apparatus to simulate three independent sources using only her single initial string.
First, Alice divides up the measurement devices into two groups of four. Then, she divides her input string into four portions, the required sizes of which will depend on her choice of randomness extractor and the confidence with which she would like the protocol to succeed (i.e. produce a string which is uniformly random and private). She also decides on a threshold for noise which she deems acceptable.
Using the first portion of the string and the first group of four measurement devices, Alice performs a four-party analogue of a CHSH game: taking four bits at a time from the string, she uses their values to choose measurement settings on the devices (i.e. if the bits taken are then she sets device one to , two to , three to and four to ). Then, she prepares a four-partite entangled state across the devices and measures with each, storing the results she gets as a string of bits. Once the portion of string she started with has been exhausted, she looks at the correlation of her chosen inputs and results - if this value is within an accepted threshold (defined by her choice of noise) she continues, otherwise, the protocol is aborted.
Taking two more portions of the string and the remaining four devices, and dividing one of these portions into a number of equally sized blocks, Alice repeats the measurement process as described above, using each block in turn. She stops before the correlation check and records her results each time. Using the other selected portion of the string as an index to her list of stored results, Alice chooses one of the blocks of inputs and recorded results, and passes this to the same correlation check.
If this check does not abort, Alice passes the first string of measurement results, the randomly selected string of results and the remaining portion of the original string to a classical randomness extractor. The output of this is then returned as (close to) uniformly random, private (i.e. randomness amplified) string.
- : number of measurement iterations (per block)
- : number of blocks to repeat second set of measurements for
- : measurement setting for device on iteration
- : measurement result for device on iteration
- : tuple of measurement bases for each device; \textrm{bases} =
- : string of measurement basis groups;
- : string of measurement result groups;
- : list of strings of measurement basis groups for blocks 1 to ;
- : list of strings of measurement result groups for blocks 1 to ;
- : initial weak random seed
- : final randomness amplified string
- : maximally entangled two qubit Bell states
- : two qubit entangled state;
- : two qubit entangled state;
- : entangled state shared by measurement systems;
- : chosen tolerated noise
- : estimate of the bell inequality defined in Brandao et. al.
- : indicator function taking value 1 if \textrm{cond} evaluates true and 0 otherwise
- : group of measurement devices containing devices 1 to 4
- : group of measurement devices containing devices 5 to 8
- : three-source randomness extractor
Requirements
- Network stage: Entanglement Distribution
- Weak (SV) random number generator
- Authenticated quantum channel
- Authenticated classical channel
- Hardware:
- Mutli qubit non-seperable state preparation
- Single qubit measurement
- Single qubit gate
Properties
- Requires eight measurement devices
- Devices can be untrusted
- Noise tolerance is dependent on weakness of the source
- Arbitrarily weak SV sources can be amplified in the absence of noise
- Length of the amplified string depends on the choice of a randomness extractor
Pseudocode
\hspace*{\algorithmicindent} \textbf{Input}: $t$, $\delta$, $N$, $\textrm{Ext}$\\ \hspace*{\algorithmicindent} \textbf{Output}: $u$ \begin{algorithmic}[1] \State split $t$ into $t=(t^{(1)},t^{(2)},t^{(3)},t^{(4)})$ where $|t^{(3)}|=\log{N}$, $|t^{(2)}|=N|t^{(1)}|$ and $|t^{(1)}|,|t^{(4)}|$ are determined by $\textrm{Ext}$ \State $n\leftarrow\big\lfloor\frac{|t^{(1)}|}{2}\big\rfloor$ \State initialise arrays $r$, $s$ of length $n$ \State initialise (2D) arrays $R$, $S$ of length $N$ (with elements of length $n$) \State \textrm{measurementBlock}($D^{(1)}$,$t^{(1)}$,$n$,$s$,$r$) \State $\hat{B}\leftarrow$\textrm{estimateBellViolation$(n,s,r)$} \If{$\hat{B}>\delta$}
\State \textbf{abort}
\EndIf \For{$k\leftarrow1$ to $N$}
\State \textrm{measurementBlock}($D^{(2)},t^{(2)}_{nk:n(k+1)},n,S[k],R[k]$)
\EndFor \State $t^{(3)}\leftarrow$ cast $t^{(3)}$ as an integer \State $\hat{B}\leftarrow$\textrm{estimateBellViolation$(n,S[t^{(3)}],R[t^{(3)}])$} \If{$\hat{B}>\delta$}
\State \textbf{abort}
\EndIf \State $u\leftarrow$\textrm{Ext}($r,R[t^{(3)}],t^{(4)}$) \end{algorithmic}
With the following subroutines defined:\\ \textrm{measurementBlock}\\ \hspace*{\algorithmicindent} \textbf{Input}: $D$, $t$, $n$, $s$, $r$ \begin{algorithmic}[1] \For{$i\leftarrow1$ to $n$}
\State prepare state $\ket{\Psi}=\frac{1}{\sqrt{2}}\big(\ket{\phi_-}\ket{\Tilde{\phi}_+} + \ket{\psi_+}\ket{\Tilde{\psi}_-}\big)$ and share across $D$ \For{$j\leftarrow1$ to 4} \State $x_{i,j}\leftarrow t_{4i+j}$ \State $a_{i,j}\leftarrow$ measurement from device $j$ in basis \textrm{bases}[$x_{i,j}$] \EndFor \State $s[i]\leftarrow(x_{i,1},x_{i,2},x_{i,3},x_{i,4})$ \State $r[i]\leftarrow(a_{i,1},a_{i,2},a_{i,3},a_{i,4})$
\EndFor \end{algorithmic}
\textrm{estimateBellViolation}\\ \hspace*{\algorithmicindent} \textbf{Input}: $n$, $s$, $r$\\ \hspace*{\algorithmicindent} \textbf{Output}: $\hat{B}$ \begin{algorithmic}[1] \State $\hat{B}\leftarrow0$ \For{$i\leftarrow1$ to $n$}
\State $x_1,x_2,x_3,x_4\leftarrow s[i]$ \State $a_1,a_2,a_3,a_4\leftarrow r[i]$ \State $\hat{B}\leftarrow\hat{B}+\frac{1}{n}\big(\mathbb{I}_{\bigoplus_{j=1}^4x_j=0}\mathbb{I}_{\bigoplus_{a=1}^4u_j=1}+\mathbb{I}_{\bigoplus_{j=1}^4x_j=1}\mathbb{I}_{\bigoplus_{a=1}^4u_j=0}\big)$
\EndFor \end{algorithmic}
\rule{\textwidth}{2pt}
\section*{Further Information}
\hyperlink{https://www.nature.com/articles/ncomms11345}{Brandão \emph{et al}} also provide a protocol which achieves randomness amplification using only four devices, however the randomness extractor required to produce multiple bits is only defined implicitly (i.e. we can prove that it exists but have not yet been able to construct it). A randomness extractor does exist that is able to produce a single private bit.