Randomness: between faith and reality

Yaoyun Shi, University of Michigan

Joint works with Carl Miller (arXiv:1402.0489 & 1411.6608), Kai-Min Chung and Xiaodi Wu (arXiv:1402.4797)

web.eecs.umich.edu/~shiyy/random/QRandom.pdf



Randomness is a faith

“[We assume] that the developer understands the behavior of the entropy source and has made a good faith effort to produce a consistent source of entropy.”


Randomness is impossible to test directly

• All randomness tests can be easily fooled

• A test program is a Boolean function TEST()

• Fix an input x such that TEST(x) = ACCEPT

• Always outputting x passes the test
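
The argument on this slide, made concrete (an added example, not from the original slides). TEST() here is assumed to be the frequency and runs tests from NIST SP 800-22 at significance level 0.01; the names `find_accepting_x`, `stuck_generator` and `min_entropy` are hypothetical.

```python
import math
import random

def monobit_p(bits):
    """Frequency (monobit) test p-value, as in NIST SP 800-22."""
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * len(bits)))

def runs_p(bits):
    """Runs test p-value: too few or too many 0/1 switches is suspicious."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):   # frequency precondition failed
        return 0.0
    v = 1 + sum(bits[i] != bits[i + 1] for i in range(n - 1))
    return math.erfc(abs(v - 2 * n * pi * (1 - pi)) /
                     (2 * math.sqrt(2 * n) * pi * (1 - pi)))

def TEST(bits, alpha=0.01):
    """The slide's Boolean function: True = ACCEPT, False = REJECT."""
    return monobit_p(bits) >= alpha and runs_p(bits) >= alpha

def find_accepting_x(n=256):
    """Fix an input x such that TEST(x) = ACCEPT (deterministic search)."""
    seed = 0
    while True:
        rng = random.Random(seed)
        x = tuple(rng.getrandbits(1) for _ in range(n))
        if TEST(x):
            return x
        seed += 1

X = find_accepting_x()

def stuck_generator():
    """A 'generator' with no randomness at all: it always outputs x."""
    return X

def min_entropy(samples):
    """Empirical min-entropy in bits: log2(1 / frequency of the top output)."""
    counts = {}
    for s in samples:
        counts[s] = counts.get(s, 0) + 1
    return math.log2(len(samples) / max(counts.values()))

def demo(trials=1000):
    """Return (fraction of outputs accepted by TEST, empirical min-entropy)."""
    outputs = [stuck_generator() for _ in range(trials)]
    return sum(TEST(o) for o in outputs) / trials, min_entropy(outputs)

if __name__ == "__main__":
    print(demo())
```

Every output is accepted, yet an adversary who knows x guesses the output with probability 1, so the source has zero min-entropy.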


Randomness may not exist at all

• Could the world be deterministic?

• Possible even when quantum theory is correct (but not complete)

• We’d never know


Randomness = Secrecy

[Diagram: “Perfect secrecy/random” and “Almost perfect secrecy/random”, each marked with “?”]


Randomness is indispensable in reality

• Random Number Generators (RNGs) provide the mother secret for cryptography

• RNGs are in all computers/smart phones

• Hardware generator: Intel’s on-chip generator RdRand/RdSeed

• Software generator: Linux’s /dev/random

• 100 T bits/day worldwide?

• Each computer process uses randomness in starting: Address space layout randomization

• We trust that they are doing their jobs


Blind faith is dangerous

• Lack of entropy causes weak cryptography keys [Heninger+, Lenstra+]

• Backdoors may be in government standards for RNGs [Snowden]

• Hardware may be maliciously modified

• [Becker+’13]: Changing the dopant-level in Intel’s RNG can essentially remove the output randomness


How much blind faith is necessary for ensuring true randomness?


Necessary blind faith: Randomness exists

• Min-entropy source: Weakest form of randomness?

• An (n, k)-source consists of n bits, which the adversary can guess correctly with probability no more than 2^(-k)

• A Santha-Vazirani source is an (n, cn)-source for a constant c, thus highly random


Faith required by classical approach

• Randomness extractors [since 1980’s]: transform input weak sources to output true randomness

• Requires two independent sources

• Single-source extraction is impossible

[Diagram: weak randomness sources → deterministic → true randomness]


Independence is impossible to test

• Uniform (x, x) is maximally correlated

• but is a convex combination of independent distributions
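
The decomposition behind this slide, written out (an added note, not from the original slides; it assumes the test T sees a single draw (a, b) of two n-bit strings, and δ_x denotes the point mass on x):

$$P_{XX}(a,b) \;=\; 2^{-n}\,[a=b] \;=\; \sum_{x\in\{0,1\}^n} 2^{-n}\,\delta_x(a)\,\delta_x(b)$$

Each term $\delta_x(a)\,\delta_x(b)$ is a product distribution, hence independent. If T accepts every independent distribution with probability at least $1-\varepsilon$, then

$$\Pr[T \text{ accepts } P_{XX}] \;=\; \sum_{x} 2^{-n}\,\Pr[T \text{ accepts } \delta_x\times\delta_x] \;\ge\; 1-\varepsilon,$$

so T accepts the fully correlated pair as well.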


Put faith in quantum theory

• Randomness is postulated in quantum theory

• Measuring |0>+|1> state yields a perfect coin

• Thus faith in both the correctness and the completeness of quantum theory implies the existence of unlimited perfect randomness

• Correctness: consistent with experiments

• Completeness: adversary has no better than quantum strategy to cheat


Knowing that it exists does not mean knowing that you have it


We cannot verify quantum states and quantum operations directly


Is the faith in the device necessary?


Imperfect and completely untrusted quantum devices

• Mayers-Yao’98: what if the quantum device is imperfect?

• Trusting certain “self-testing” procedure

• Completely untrusted devices [Barrett-Hardy-Kent’05, Colbeck’06, Colbeck-Renner’12]

• This talk focuses on quantum devices

• Entanglement among the device components and the adversary


Faiths on the user

• Can interact with the device classically

• Can restrict communications among the device components and the adversary

• Necessary for all cryptography


Results [Miller-Shi’14,’15, Chung-Shi-Wu’14]

• Start with a single (n, k)-source

• Arbitrary output length

• Failure chance “close” to best possible (≥ 2^(-k))

• Failure: reject on honest device or accept and output is not random enough

• Full quantum security

• Robust: device error can approach maximum (for CHSH, .751 suffices)

[Diagram labels: (n, k) source; deterministic; Adversary; arbitrary length; error = exp(-k^c)]
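
Why a CHSH figure of .751 is meaningful, as an added example (not from the original slides): 0.75 is the best any classical strategy can win, while an ideal quantum device wins with probability cos²(π/8) ≈ 0.854. The white-noise `visibility` model and the function names are assumptions made for illustration.

```python
import itertools
import math

def chsh_win_deterministic(a_out, b_out):
    """Win rate when Alice answers a_out[x] and Bob answers b_out[y].
    Inputs x, y are uniform bits; they win iff a XOR b == x AND y."""
    wins = sum((a_out[x] ^ b_out[y]) == (x & y)
               for x in (0, 1) for y in (0, 1))
    return wins / 4

def classical_max():
    """Best win rate over all 16 deterministic strategies. Shared classical
    randomness only mixes these strategies, so it cannot do better."""
    tables = list(itertools.product((0, 1), repeat=2))
    return max(chsh_win_deterministic(a, b) for a in tables for b in tables)

def quantum_win(alice_angles, bob_angles, visibility=1.0):
    """Win rate on the state (|00> + |11>)/sqrt(2), each side measuring in a
    real basis rotated by its angle: P(a == b) = cos^2(theta_a - theta_b).
    visibility < 1 mixes in white noise (assumed noise model)."""
    total = 0.0
    for x in (0, 1):
        for y in (0, 1):
            p_same = math.cos(alice_angles[x] - bob_angles[y]) ** 2
            total += (1 - p_same) if (x & y) else p_same
    return visibility * (total / 4) + (1 - visibility) * 0.5

# Standard optimal CHSH measurement angles.
ALICE = (0.0, math.pi / 4)
BOB = (math.pi / 8, -math.pi / 8)
THRESHOLD = 0.751  # the figure quoted on the slide

def min_visibility(threshold=THRESHOLD):
    """Smallest visibility at which the noisy device still reaches threshold."""
    ideal = quantum_win(ALICE, BOB)
    return (threshold - 0.5) / (ideal - 0.5)

if __name__ == "__main__":
    print(classical_max(), quantum_win(ALICE, BOB), min_visibility())
```

Under this noise model a device needs a visibility of only about 0.71 to reach .751, which no classical device can reach at all.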


Step 1: reduction of seedless extraction to seeded extraction [CSW’14]

• Seeded: input is uniform; seedless: input is weak

• From weak source create “somewhere” randomness

• Most blocks are (almost) uniform

• Decoupling: each seeded extraction transforms uniform-to-device input to global uniform output

[Diagram labels: ≅ uniform to device; ≅ uniform to adversary. Input X is fed to Ext with seed = 00···0, 10···0, …, 11···1; the outputs S_i go to separate PExtseed instances, producing Z_i. Output Z if no more than η fraction of PExtseed reject.]

Figure 2: Our Physical Randomness Extractor PExt with parameters Ext, PExtseed, and η. Ext is a quantum-proof strong extractor and PExtseed a seeded-PRE whose input length equals the output length of Ext. For each distinct seed value i of Ext, run an instance of Ext with that seed value and X as the source. Use the output S_i as the input to a separate instance of PExtseed. Output the XOR of the Z_i’s, or abort if ≥ η fraction of PExtseed aborted.


Step 2: seeded extraction (randomness expansion introduced by Colbeck’06) [MS’14,’15]

• Faith: globally uniform input

• Match Vazirani-Vidick’12: 2 components, exponential expanding, quantum security (Classical/restricted security by [Pironio+’10,Pironio-Massar’13, Fehr+’13, Coudron+’13])

• Cryptographic security: failure prob. is negligible

• Robustness

• Can be used for QKD (first robust QKD proved by Vazirani-Vidick’13)

• Other properties: Unit-size quantum memory, flexible building block, new proof technique

error: exp(-log^t N) for any ts < μ, where μ ∈ [.5, 1] is a universal constant

[Diagram labels: uniform, k bits; deterministic; ∼N rounds; N = exp(k^s) bits; Adversary]


Step 3: Unbounded expansion [MS-CSW’14]

• Any two expansion protocols can cross-feed securely for unbounded expansion

• First proved for a specific construction by Coudron-Yuen’14


Key insights: many pieces fit together

• Equivalence Lemma

• Strong self-testing

• Forcing Trust

• Schatten-norm Uncertainty Principle

• Amortizing randomness generation

• Quantifying randomness


Equivalence Lemma [CSW’14]

• Secure under global uniform input if and only if secure under uniform-to-device input

• Enables decoupling and unbounded expansion

[Diagram labels: “Adversary”, “X: global uniform”; “Adversary = X: uniform to device”]


EL enables generating private randomness from public randomness

• NIST’s Randomness Beacon project: broadcasting public randomness

• Can be used for Miller-Shi input

• Faith: NIST randomness is uniform to your device


Have we minimized faith?

• Chung-Shi-Wu is not cryptographically secure (Miller-Shi is)

• Too many device components are used

• Open problem: minimal faith for cryptographic randomness

• ? Possible: single weak source, 2 device-components, cryptographic level of security, robustness

• Weakening faith on physics: Non-signaling security?


Conclusions

• Faith is necessary to be assured of true randomness

• All current RNGs are “trusted” solutions: you must have faith in them

• Unlimited true randomness can be obtained on the faiths of

• A weak source, quantum theory, restriction of communication

• Cryptographic randomness can be obtained on

• A short seed, quantum theory, restriction of communication

• Such an RNG delivers assured randomness and is trustworthy

• Assurance: you know that you are getting it

• Trustworthiness: the hardware proves its integrity to you


1st International Workshop on Trustworthy Quantum Information

June 28 – July 2, 2015, University of Michigan, Ann Arbor, Michigan, USA

Registration: tyqi.org