Verifiable Quantum Anonymous Transmission: Difference between revisions
m (→Outline) |
m (→Notation) |
||
Line 31: | Line 31: | ||
* <math>t</math>: number of adversarial network nodes taking part in the anonymous transmission. | * <math>t</math>: number of adversarial network nodes taking part in the anonymous transmission. | ||
* <math>|\psi\rangle</math>: quantum message which the Sender wants to send anonymously. | * <math>|\psi\rangle</math>: quantum message which the Sender wants to send anonymously. | ||
* <math>|GHZ\rangle = \frac{1}{\sqrt{2 | * <math>|GHZ\rangle = \frac{1}{\sqrt{2}} (|0^n\rangle + |1^n\rangle)</math>: GHZ state. | ||
* <math>|\Psi\rangle</math>: state provided by the untrusted source for anonymous transmission (in the ideal case, this is the GHZ state). | * <math>|\Psi\rangle</math>: state provided by the untrusted source for anonymous transmission (in the ideal case, this is the GHZ state). | ||
* <math>\mathcal{S}</math>: the Sender of the quantum message. | * <math>\mathcal{S}</math>: the Sender of the quantum message. |
Revision as of 00:32, 29 May 2019
This [example protocol] implements the task of anonymous transmission in a multi-node quantum network. The protocol uses an untrusted -partite GHZ state to enable two nodes, Sender and Receiver, to establish a link which they use to transmit a quantum message. In addition to adversarial nodes, the source of the GHZ state may be controlled by an adversary. To address this, the protocol includes verification of the GHZ state. It incorporates a reduced fidelity GHZ state used for anonymous transmission, resulting in a notion of anonymity for imperfect scenarios called -anonymity.
Assumptions
- Network: The network consists of nodes (honest or adversarial) with pairwise authenticated classical channels and a classical broadcast channel.
- Source: Untrusted multipartite state source.
- Adversarial model: Active adversary who can control the source.
Outline
This verified GHZ-based quantum anonymous transmission protocol is based on the work of \cite{Unnikrishnan}, which uses the following subroutines from \cite{Wehner}, \cite{Broadbent}, \cite{Pappa}, \cite{McCutcheon}:
- Parity \cite{Broadbent}: privately computes the parity of an input string.
- LogicalOR \cite{Broadbent}: privately computes the logical OR of an input string, using a modified version of Parity.
- Notification \cite{Broadbent}: allows one player to anonymously notify another player, using LogicalOR.
- RandomBit \cite{Unnikrishnan}: allows one player to anonymously choose a bit according to a probability distribution, using LogicalOR.
- Verification \cite{Pappa, McCutcheon}: allows one player (the Verifier) to run a test to check if the shared state is the GHZ state. The Verifier instructs each player to measure their qubit in a particular basis and checks the parity of the measurement outcomes.
- Anonymous Entanglement \cite{Wehner}: nodes (all except for and ) measure in the basis and broadcast their measurement outcome. and broadcast random dummy bits. The parity of measurement outcomes allows the establishment of an entangled link between and which is called anonymous entanglement.
The protocol for quantum anonymous transmission consists of the following steps:
- Receiver notification: The Sender notifies the Receiver by running Notification.
- State distribution: A source, who may be untrusted, distributes a state claiming to be the GHZ state.
- Verification or anonymous transmission: anonymously chooses whether to verify the state or use it for anonymous transmission, using RandomBit.
If verification is chosen, a player is chosen to run Verification, using repetitions of RandomBit. If the test passes, the protocol goes back to the State distribution stage and runs again. If the test fails, the players abort.
If anonymous transmission is chosen, the players run Anonymous Entanglement, establishing an anonymous entanglement link between and . then teleports the message state to using the established anonymous entanglement. The classical message associated with teleportation is also sent anonymously.
Notation
- : number of network nodes taking part in the anonymous transmission.
- : number of adversarial network nodes taking part in the anonymous transmission.
- : quantum message which the Sender wants to send anonymously.
- : GHZ state.
- : state provided by the untrusted source for anonymous transmission (in the ideal case, this is the GHZ state).
- : the Sender of the quantum message.
- : the Receiver of the quantum message.
- : the security parameter.
Properties
The pseudocode given below implements anonymous transmission of a quantum message, incorporating a verification stage. Further, the following analysis considers anonymous transmission with a reduced fidelity state rather than a perfect GHZ state.
Let be the event that the protocol does not abort and the state used for anonymous transmission is such that, no matter what operation the adversarial players do to their part, the fidelity of the state with the GHZ state is at most . Then, \begin{align*} P[C_\epsilon] \leq 2^{-q} \frac{4n}{1 - \sqrt{1-\epsilon^2}}. \end{align*} By doing many repetitions of the protocol, the honest players can ensure that this probability is negligible.
If the state used for anonymous transmission is of fidelity at least with the GHZ state, \begin{align*} P_{\text{guess}} [\mathcal{S} | C, \mathcal{S} \notin \mathcal{A} ] \leq \frac{1}{n-t} + \epsilon, \\ P_{\text{guess}} [\mathcal{R} | C, \mathcal{S} \notin \mathcal{A} ] \leq \frac{1}{n-t} + \epsilon, \end{align*} where is the subset of adversaries among nodes and is the register that contains all classical and quantum side information accessible to the adversaries.
Pseudocode
<math>\epsilon<math>-anonymous transmission of a quantum message
\noindent {Input}: Security parameter <math>q<math>. \\ {Goal}: <math>\mathcal{S}<math> sends message qubit <math>\ket{\psi}<math> to <math>\mathcal{R}<math> with <math>\epsilon<math>-anonymity.
- {\bf Receiver notification}: \\
Run Notification for <math>\mathcal{S}<math> to notify <math>\mathcal{R}<math> as the Receiver.
- {\bf Distribution of state}: \\
A source (who may be untrusted) generates a state <math>\ket{\Psi}<math> and distributes it to the players (in the ideal case, <math>\ket{\Psi}<math> is the GHZ state).
- {\bf <math>\mathcal{S}<math> anonymously chooses verification or anonymous transmission}:
- Run RandomBit, with the input of <math>\mathcal{S}<math> chosen as follows: she flips <math>q<math> fair classical coins, and if all coins are heads, she inputs 0, else she inputs 1. Let the outcome be <math>x<math>.
- If <math>x=1<math>,
- Run RandomBit <math>\log_2 n<math> times, with the input of <math>\mathcal{S}<math> chosen according to the uniform random distribution. Let the outcome be <math>v<math>.
- Run Verification with player <math>v<math> as the Verifier. If she accepts the outcome of the test, return to step 2, otherwise abort.
Else if <math>x=0<math>, run Anonymous Transmission.
If at any point in the protocol, <math>\mathcal{S}<math> realises someone does not follow the protocol, she stops behaving like the Sender and behaves as any player.
Subroutines
Parity
\noindent {Input}: <math>\{ x_i \}_{i=1}^n<math>. \\ {Goal}: Each player gets <math>y_i = \bigoplus_{i=1}^n x_i<math>.
- Every player <math>i<math> chooses random bits <math>\{r_i^j \}_{j=1}^n<math> such that <math>\bigoplus_{j=1}^n r_i^j = x_i<math>.
- Every player <math>i<math> sends their <math>j<math>th bit <math>r_i^j<math> to player <math>j<math> (<math>j<math> can equal <math>i<math>).
- Every player <math>j<math> computes <math>z_j=\bigoplus_{i=1}^n r_i^j<math> and reports the value in the simultaneous broadcast channel.
- The value <math>z=\bigoplus_{j=1}^n z_j<math> is computed, which equals <math>y_i<math>.
LogicalOR
\noindent {Input}: <math>\{ x_i \}_{i=1}^n<math>, security parameter <math>q<math>. \\ {Goal}: Each player gets <math>y_i = \bigvee_{i=1}^n x_i<math>.
- The players agree on <math>n<math> orderings, with each ordering having a different last participant.
- For each ordering:
- Each player <math>i<math> picks the value of <math>p_i<math> as follows: if <math>x_i=0<math>, then <math>p_i=0<math>; if <math>x_i=1<math>, then <math>p_i=1<math> with probability <math>\frac{1}{2}<math> and <math>p_i=0<math> with probability <math>\frac{1}{2}<math>.
- Run Parity with input <math>\{p_i\}_{i=1}^n<math>, with a regular broadcast channel rather than simultaneous broadcast, and with the players broadcasting according to the current ordering. If the result is <math>1<math>, then <math>y_i = 1<math>.
- Repeat steps 2(a) - 2(b) <math>q<math> times in total. If the result of Parity is never <math>1<math>, then <math>y_i = 0<math>.
Notification
\noindent {Input}: Security parameter <math>q<math>, <math>\mathcal{S}<math>'s choice of <math>\mathcal{R}<math> is player <math>r<math>. \\ {Goal}: <math>\mathcal{S}<math> notifies <math>\mathcal{R}<math>. \\ For each player <math>i<math>:
- For each player <math>i<math>:
- Each player <math>j \neq i<math> picks <math>p_j<math> as follows: if <math>i = r<math> and player <math>j<math> is <math>S<math>, then <math>p_j = 1<math> with probability <math>\frac{1}{2}<math> and <math>p_j = 0<math> with probability <math>\frac{1}{2}<math>. Otherwise, <math>p_j = 0<math>. Let <math>p_i = 0<math>.
- Run Parity with input <math>\{p_i\}_{i=1}^n<math>, with the following differences: player <math>i<math> does not broadcast her value, and they use a regular broadcast channel rather than simultaneous broadcast. If the result is <math>1<math>, then <math>y_i = 1<math>.
- Repeat steps 1(a) - (b) <math>q<math> times. If the result of Parity is never 1, then <math>y_i = 0<math>.
- If player <math>i<math> obtained <math>y_i = 1<math>, then she is <math>\mathcal{R}<math>.
RandomBit
\noindent {Input:} All: parameter <math>q<math>. <math>\mathcal{S}<math>: distribution <math>D<math>. \\ {Goal:} <math>\mathcal{S}<math> chooses a bit according to <math>D<math>.
- The players pick bits <math>\{ x_i \}_{i=1}^n<math> as follows: <math>\mathcal{S}<math> picks bit <math>x_i<math> to be 0 or 1 according to <math>D<math>; all other players pick <math>x_i = 0<math>.
- Run LogicalOR with input <math>\{ x_i \}_{i=1}^n<math> and security parameter <math>q<math> and output its outcome.
Verification
\noindent {Input}: <math>n<math> players share state <math>\ket{\Psi}<math>. \\ {Goal}: GHZ verification of <math>\ket{\Psi}<math> for <math>n-t<math> honest players.
- The Verifier generates random angles <math>\theta_j \in [0,\pi)<math> for all players including themselves (<math>j\in[n]<math>), such that <math>\sum_j \theta_j<math> is a multiple of <math>\pi<math>. The angles are then sent out to all the players in the network.
- Player <math>j<math> measures in the basis <math>\{\ket{+_{\theta_j,\ket{-_{\theta_j\}=\{\frac{1}{\sqrt{2(\ket{0}+e^{i\theta_j}\ket{1}),\frac{1}{\sqrt{2(\ket{0}-e^{i\theta_j}\ket{1})\}<math>, and sends the outcome <math>Y_j=\{0,1\}<math> to the Verifier.
- The state passes the verification test if
<math> \bigoplus_j Y_j=\frac{1}{\pi}\sum_j\theta_j\pmod 2. <math>
Anonymous Transmission
\noindent {Input}: <math>n<math> players share a GHZ state. \\ {Goal}: Anonymous transmission of quantum message <math>\ket{\psi}<math> from <math>\mathcal{S}<math> to <math>\mathcal{R}<math>.
- <math>\mathcal{S}<math> and <math>\mathcal{R}<math> do not do anything to their part of the state.
- Every player <math>j \in [n] \backslash \{ \mathcal{S}, \mathcal{R} \}<math>:
- Applies a Hadamard transform to her qubit, \
- Measures this qubit in the computational basis with outcome <math>m_j<math>,
- Broadcasts <math>m_j<math>.
- <math>\mathcal{S}<math> picks a random bit <math>b \in_R \{ 0, 1 \}<math> and broadcasts <math>b<math>.
- <math>\mathcal{S}<math> applies a phase flip <math>Z<math> to her qubit if <math>b=1<math>.
- <math>\mathcal{R}<math> picks a random bit <math>b' \in_R \{ 0, 1 \}<math> and broadcasts <math>b'<math>.
- <math>\mathcal{R}<math> applies a phase flip <math>Z<math> to her qubit, if <math>b \oplus \underset{j \in [n] \backslash \{ \mathcal{S}, \mathcal{R} \{\bigoplus} m_j = 1<math>.
- <math>\mathcal{S}<math> and <math>\mathcal{R}<math> share <math>\epsilon<math>-anonymous entanglement. <math>\mathcal{S}<math> then uses the quantum teleportation circuit with input <math>\ket{\psi}<math>, and obtains measurement outcomes <math>m_0, m_1<math>.
- The players run a protocol to anonymously send bits <math>m_0, m_1<math> from <math>\mathcal{S}<math> to <math>\mathcal{R}<math> (see Further Information for details).
- <math>\mathcal{R}<math> applies the transformation described by <math>m_0, m_1<math> on her part of the entangled state and obtains <math>\ket{\psi}<math>.
Further Information
- For simplicity, the same security parameter <math>q<math> has been used throughout, however this is not required.
- Although Parity requires a simultaneous broadcast channel, only modified versions of Parity that remove this requirement are used in the anonymous transmission protocol.
- The protocol assumes there is only one Sender for simplicity. However, if this is not the case, the players can run a classical \cite{Broadbent} or quantum \cite{Wehner} collision detection protocol to deal with multiple Senders.
- To send classical teleportation bits <math>m_0, m_1<math>, the players can run Fixed Role Anonymous Message Transmission from \cite{Broadbent}, or the anonymous transmission protocol for classical bits with quantum resources from \cite{Wehner}.
- Verification was experimentally demonstrated for 3- and 4-party GHZ states in \cite{McCutcheon}.
- The Broadbent-Tapp protocol \cite{Broadbent} implements classical anonymous transmission. It requires pairwise authenticated classical channels, and a classical broadcast channel.
- The Christandl-Wehner protocol \cite{Wehner} implements both classical and quantum anonymous transmission. However, this protocol assumes the nodes share a perfect, trusted GHZ state.
- The Brassard et. al. protocol \cite{Brassard} implements verified quantum anonymous transmission. While their protocol includes a verification stage, it requires each player to perform a size-<math>n<math> quantum circuit and to have access to quantum communication with all other agents.
- The Lipinska et. al. protocol \cite{Lipinska} implements quantum anonymous transmission with a trusted W state instead of a GHZ state. While this is beneficial in terms of robustness to noise, the protocol proceeds to create anonymous entanglement only probabilistically, whereas GHZ-based anonymous entanglement proceeds deterministically.
\begin{thebibliography}{9} \bibitem{Unnikrishnan} A. Unnikrishnan, I. J. MacFarlane, R. Yi, E. Diamanti, D. Markham, and I. Kerenidis. {Anonymity for practical quantum networks.} To be published in Physical Review Letters. arXiv:1811.04729 (2018). \bibitem{Wehner} M. Christandl and S. Wehner. {Quantum anonymous transmissions.} Proceedings of ASIACRYPT (2005). \bibitem{Broadbent} A. Broadbent and A. Tapp. {Information-theoretic security without an honest majority.} Proceedings of ASIACRYPT (2007). \bibitem{Pappa} A. Pappa, A. Chailloux, S. Wehner, E. Diamanti, and I. Kerenidis. {Multipartite entanglement verification resistant against dishonest parties.} Physical Review Letters, 108 (2012). \bibitem{McCutcheon} W. McCutcheon, A. Pappa, B. A. Bell, A. McMillan, A. Chailloux, T. Lawson, M. Mafu, D. Markham, E. Diamanti, I. Kerenidis, J. G. Rarity, and M. S. Tame. {Experimental verification of multipartite entanglement in quantum networks.} Nature Communications (2016). \bibitem{Brassard} G. Brassard, A. Broadbent, J. Fitzsimons, S. Gambs, and A. Tapp. {Anonymous quantum communication.} Proceedings of ASIACRYPT (2007). \bibitem{Lipinska} V. Lipinska, G. Murta, and S. Wehner. {Anonymous transmission in a noisy quantum network using the W state.} Physical Review A, 98 (2018).
\end{thebibliography}