Probabilistic Bisimulation for Formal Verification of Quantum Cryptography
Takahiro Kubota*, Yoshihiko Kakutani*, Go Kato†, Yasuhito Kawano†, Hideki Sakurada†
*Graduate School of Information Science and Technology, The University of Tokyo; †NTT Communication Science Laboratories
Approximate Bisimulation for Formal Verification of Quantum Cryptography
Background
• Verifying cryptographic security proofs is hard
– For classical cryptography, formal systems and tools for such verification have been developed and applied
• Formal verification is also useful for quantum cryptography
– Some security proofs are complex [Mayers'98]
– Various new protocols may well be proposed in the future
Goal of this work
• Apply the quantum process calculus qCCS to Shor and Preskill's security proof of BB84
– Process calculi are well suited to describing concurrent systems
• qCCS has a notion of bisimulation between processes [Feng+'11]
– The Shor-Preskill proof is one of the simplest security proofs [Shor-Preskill'00]
[Figure: BB84 between Alice and Bob over a public quantum channel and a public classical channel]
Outline of Shor-Preskill proof of BB84
[Figure: BB84 (Alice, Bob, public quantum channel, public classical channel) beside the EDP-based protocol (Alice, Bob, public quantum channel, public classical channel, private classical channel)]
(1) Prove equivalence (BB84 and the EDP-based protocol)
(2) Prove security (of the EDP-based protocol)
Our formal verification
[Figure: BB84 ≈ EDP-based ~ EDP-ideal, each drawn as Alice and Bob connected by a public quantum channel and a public classical channel; EDP-based and EDP-ideal additionally have a private classical channel]
• BB84 and EDP-based: formalized in the qCCS framework as qCCS configurations (FAIS 2012 spring)
• BB84 ≈ EDP-based: automated verification of bisimulation (FAIS 2013 spring)
• EDP-ideal: a protocol whose security holds trivially, since Alice and Bob share EPR pairs in advance; formalized in the qCCS framework
• EDP-based ~ EDP-ideal: automated verification of approximate bisimulation
Contributions of this work
• Defined an approximate bisimulation relation on configurations of nondeterministic qCCS
– Closed under parallel composition
• If ⟨P, ρ⟩ ∼ ⟨Q, σ⟩ then ⟨P||R, ρ⟩ ∼ ⟨Q||R, σ⟩
– Applicable to security proofs
• Extended the verification tool and applied it to the latter half of the Shor-Preskill proof
(nondeterministic qCCS: a framework that simplifies qCCS for use by the tool)
Outline
• Quantum process calculus qCCS
• Nondeterministic qCCS
• Approximate bisimulation
• Application to Shor-Preskill’s security proof
• Experiment
Syntax of qCCS [Feng+'11]
[Figure: the grammar of qCCS, with its constructs labelled quantum operation, measurement, and quantum communication (send and receive)]
Legend:
e : real expression
b : boolean expression on real numbers
q : quantum variable
M : Hermitian operator
op : TPCP map
q̃ : sequence of quantum variables
L : set of channels
Configuration
• A pair ⟨P, ρ⟩ of a process P and a quantum state ρ
[Figure: an example configuration ⟨P, ρ⟩, where ρ_E denotes the outsider's arbitrary state and |+⟩ := (|0⟩ + |1⟩)/√2]
• ⟨P, ρ⟩ --α--> μ
– A configuration ⟨P, ρ⟩ performs an action α and transits to a probability distribution μ on configurations
(ρ is a distribution on quantum states; μ is a distribution on configurations)
Probabilistic labeled transition
[Figure: an example transition tree. Measuring q_A is a τ action that branches with probability 1/2 each; sending q_B to the outside through c is a visible action from the outside and occurs with probability 1; τ is an invisible action from the outside. Only measurement causes a probabilistic branch.]
Bisimulation Relation
• Two configurations ⟨P, ρ⟩, ⟨Q, σ⟩ are bisimilar, written ⟨P, ρ⟩ ≈ ⟨Q, σ⟩, if
1. qv(P) = qv(Q) and tr_{qv(P)}(ρ) = tr_{qv(Q)}(σ) hold
-- namely, the states that the outsider can access are the same
(when ρ is as in the configuration example, tr_{qv(P)}(ρ) = ρ_E)
2. For any outsider's operation E acting on qVar − qv(P), each transition of ⟨P, E(ρ)⟩ is "simulated" by those of ⟨Q, E(σ)⟩ up to τ transitions
Example of Bisimulation
[Figure: ⟨P, ρ⟩ ≈ ⟨Q, σ⟩. The outsider applies E: the transition ⟨P, E(ρ)⟩ --c!q--> ⟨P′, ρ′⟩ is matched by ⟨Q, E(σ)⟩ --τ--> --c!q--> ⟨Q′, σ′⟩, with ⟨P′, ρ′⟩ ≈ ⟨Q′, σ′⟩. The outsider then applies E′: ⟨P′, E′(ρ′)⟩ --τ--> {1/3 ⟨P1, ρ1⟩, 2/3 ⟨P2, ρ2⟩} is matched by ⟨Q′, E′(σ′)⟩ --τ--> {1/3 ⟨Q1, σ1⟩, 1/3 ⟨Q2, σ2⟩, 1/3 ⟨Q3, σ3⟩} followed by further τ steps, each P_i being bisimilar to Q_j branches whose probabilities sum to that of P_i (the 2/3 branch is matched by two of the 1/3 branches).]
Simplification of Syntax
• M[q; x] and if must always be written together
• q must be a qubit
[Figure: a measurement followed by if, drawn as a τ-branch with probability 1/2 on each side; under the original semantics every configuration has trace 1]
Simplification of operational semantics
• Excluded probability from the transition system by extending the definition of configurations
[Figure: the same τ-branch; each branch configuration now has trace 1/2, the probability to reach it]
Simplified formal framework
• We call it nondeterministic qCCS
• The transition system is only nondeterministic
– For a configuration ⟨P, ρ⟩, tr(ρ) is the probability to reach it and the quantum state is ρ/tr(ρ)
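The unnormalized-state reading of a configuration above, as an added example (not code from the slides or from the authors' verifier): a configuration is a process label paired with an unnormalized density matrix, and the measurement transition M[q; x] produces the branches ⟨P[x=b], π_b ρ π_b⟩, so the outcome probability lives in the trace. The helper names, the string process labels and the EPR input are assumptions of this example.

```python
import math
# Added example, not code from the slides: a nondeterministic-qCCS configuration <P, rho>.
# tr(rho) is the probability of reaching the configuration and rho / tr(rho) is the state.

def trace(rho):
    return sum(rho[i][i] for i in range(len(rho)))

def normalized(rho):
    """The actual quantum state of a configuration; undefined for an unreachable one."""
    t = trace(rho)
    if t < 1e-12:
        raise ValueError("unreachable configuration: tr(rho) = 0")
    return [[x / t for x in row] for row in rho]

def measure(config, qubit):
    """Measurement transition M[q; x] (with its if) on `qubit` (0 = leftmost) of an n-qubit
    register: the two tau-branches are <P[x=b], pi_b rho pi_b>, b in {0, 1}; the outcome
    probability is absorbed into the trace instead of into the transition system."""
    proc, rho = config
    dim = len(rho)
    n = dim.bit_length() - 1
    bit = lambda i: (i >> (n - 1 - qubit)) & 1    # value of `qubit` in basis index i
    branches = []
    for b in (0, 1):
        # pi_b is diagonal in the computational basis, so pi_b rho pi_b keeps exactly the
        # entries whose row and column index both have bit == b
        rho_b = [[rho[i][j] if bit(i) == b and bit(j) == b else 0.0 for j in range(dim)]
                 for i in range(dim)]
        branches.append((f"{proc}[x={b}]", rho_b))
    return branches

def ket_density(amplitudes):
    """|psi><psi| for a real amplitude vector."""
    return [[a * b for b in amplitudes] for a in amplitudes]

# Constructed input: Alice and Bob share an EPR pair (|00> + |11>)/sqrt(2), as in EDP-ideal.
EPR = ket_density([1 / math.sqrt(2), 0.0, 0.0, 1 / math.sqrt(2)])

def demo():
    """Alice measures q_A, then Bob measures q_B on Alice's x=0 branch; returns each reached
    configuration with its reach probability tr(rho)."""
    start = ("P", EPR)                  # tr = 1: the initial configuration is reached for sure
    alice = measure(start, 0)           # two branches, each of trace 1/2
    bob = measure(alice[0], 1)          # Bob's x=1 branch has trace 0: it cannot occur
    return [(p, round(trace(r), 6)) for p, r in alice + bob]
```

The branch with trace 0 is the edge case the approximate bisimulation later ignores: only branches with non-negligible tr(ρ′) have to be matched.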
Trace distance
• d(ρ, σ) := (1/2) tr|ρ − σ|, where |A| = √(A†A)
• Examples
– d(|0⟩⟨0|, |+⟩⟨+|) = 1/√2
– d(|0⟩⟨0|^⊗n, |+⟩⟨+|^⊗n) = √(1 − 1/2^n)
Approximate Bisimulation
• Two configurations ⟨P, ρ⟩, ⟨Q, σ⟩ are approximately bisimilar, written ⟨P, ρ⟩ ~ ⟨Q, σ⟩, if
1. qv(P) = qv(Q) holds and d(tr_{qv(P)}(ρ), tr_{qv(Q)}(σ)) is negligible
2. For any outsider's operation E acting on qVar − qv(P), whenever ⟨P, E(ρ)⟩ --α--> ⟨P′, ρ′⟩ holds and tr(ρ′) is non-negligible, there is some ⟨Q′, σ′⟩ such that ⟨Q, E(σ)⟩ --τ*--> --α--> --τ*--> ⟨Q′, σ′⟩ and ⟨P′, ρ′⟩ ~ ⟨Q′, σ′⟩ hold, and conversely
Properties of approximate bisimulation
• The relation ∼ is an equivalence relation
• If ⟨P, ρ⟩ ∼ ⟨Q, σ⟩ holds, then ⟨P||R, ρ⟩ ∼ ⟨Q||R, σ⟩ holds for all processes R
Application of the property
• Multiple sessions
⟨P, ρ ⊗ ρ_E⟩ ~ ⟨Q, σ ⊗ ρ_E⟩ for all ρ_E, and
⟨P′, ρ′ ⊗ ρ′_E⟩ ~ ⟨Q′, σ′ ⊗ ρ′_E⟩ for all ρ′_E
implies ⟨P||P′, ρ ⊗ ρ′′_E⟩ ~ ⟨Q||Q′, σ ⊗ ρ′′_E⟩ for all ρ′′_E
Application to QKD protocols
[Figure: executions of ⟨P, ρ⟩ (EDP-based) and ⟨Q, σ⟩ (EDP-ideal). Both perform the same sequence of actions c1!qA, τ, c1?qB, …, s!kA. The EDP-based side reaches final configurations ⟨P′, ρ′⟩, ⟨P″, ρ″⟩, ⟨P‴, ρ‴⟩, …; the EDP-ideal side reaches ⟨Q′, σ′⟩, ⟨Q″, σ″⟩, …. tr(ρ′) and tr(ρ″) are non-negligible and these configurations are matched, ⟨P′, ρ′⟩ ~ ⟨Q′, σ′⟩ and ⟨P″, ρ″⟩ ~ ⟨Q″, σ″⟩; tr(ρ‴) is negligible, so that branch need not be matched.]
• Trace distances between the matched final states are negligibly small
Property of distance of probability-weighted density matrices
• If d(ρ, σ) is negligible, then |tr(ρ) − tr(σ)| is negligible and
|tr(ρ) · tr(πρ)/tr(ρ) − tr(σ) · tr(πσ)/tr(σ)| is negligible for all projectors π
– For a configuration ⟨P, ρ⟩,
• tr(ρ) is the probability to reach ⟨P, ρ⟩
• ρ/tr(ρ) is the quantum state
• tr(ρ) · tr(πρ)/tr(ρ) is the joint probability that the execution reaches ⟨P, ρ⟩ and obtains the measurement result corresponding to π
Application to QKD
• If d(ρ, σ) is negligible, then |tr(ρ) − tr(σ)| is negligible and
|tr(ρ) · tr(π_iρ)/tr(ρ) − tr(σ) · tr(π_iσ)/tr(σ)| is negligible
• Let
– ρ : a final state of an execution of EDP-based
– σ : a final state of an execution of EDP-ideal
– π_i : the projector onto the subspace where the i-th bits of Alice's and Eve's keys are equal
– tr(π_iσ)/tr(σ) is 1/2 (on the ideal side Eve's bit is independent of Alice's)
• We can derive that p(k_{A,i} = k_{E,i}) − 1/2 is negligible for all i.
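The trace distance examples from the Trace distance slide and the key-bit argument above, as one added example (not the authors' code): it computes d(ρ, σ) = (1/2) tr|ρ − σ| from the eigenvalues of ρ − σ with a Jacobi sweep, reproduces d(|0⟩⟨0|, |+⟩⟨+|) = 1/√2 and d(|0⟩⟨0|^⊗n, |+⟩⟨+|^⊗n) = √(1 − 1/2^n), and on constructed (k_A, k_E) key-bit states compares |tr(πρ) − tr(πσ)| with ‖ρ − σ‖₁ = 2·d(ρ, σ), a standard bound that is my addition, not a statement from the slides. Only real symmetric density matrices are handled; all helper names and the EPS correlation are assumptions.

```python
import math
# Added example, not code from the slides or from the authors' verifier.
def sym_eigvals(a, sweeps=100):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations on a copy."""
    a = [row[:] for row in a]
    n = len(a)
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < 1e-24:
            break
        for p in range(n):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-15:
                    continue
                theta = (a[q][q] - a[p][p]) / (2 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1.0))
                c = 1.0 / math.hypot(t, 1.0)
                s = t * c
                for k in range(n):                  # A <- A J   (mix columns p and q)
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):                  # A <- J^T A (mix rows p and q)
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [a[i][i] for i in range(n)]

def trace_distance(rho, sigma):
    """d(rho, sigma) = (1/2) tr|rho - sigma|: half the sum of |eigenvalues| of rho - sigma."""
    diff = [[x - y for x, y in zip(r, s)] for r, s in zip(rho, sigma)]
    return 0.5 * sum(abs(lam) for lam in sym_eigvals(diff))

def kron(a, b):
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]

def diag(*d):
    return [[d[i] if i == j else 0.0 for j in range(len(d))] for i in range(len(d))]

KET0 = diag(1.0, 0.0)                  # |0><0|
PLUS = [[0.5, 0.5], [0.5, 0.5]]        # |+><+|
# Constructed (k_A, k_E) key-bit states: ideal = Eve's bit independent of Alice's;
# real = the same with a small correlation EPS leaked to Eve. Both have trace 1.
EPS = 0.01
SIGMA_IDEAL = diag(0.25, 0.25, 0.25, 0.25)
RHO_REAL = diag(0.25 + EPS, 0.25 - EPS, 0.25 - EPS, 0.25 + EPS)

def key_bit_gap(rho, sigma):
    """|tr(pi rho) - tr(pi sigma)| for pi = |00><00| + |11><11| (Alice's bit == Eve's bit),
    and the bound ||rho - sigma||_1 = 2 d(rho, sigma) (assumed standard bound, not from the slides)."""
    gap = abs((rho[0][0] - sigma[0][0]) + (rho[3][3] - sigma[3][3]))
    return gap, 2.0 * trace_distance(rho, sigma)
```

For states with trace 1 the gap is exactly |p(k_A = k_E) − 1/2| on the real side, which is what the slide concludes is negligible.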
Verifier2
• Checks ⟨P, ρ⟩ ∼ ⟨Q, σ⟩
• Input:
– ⟨P, ρ⟩, ⟨Q, σ⟩
– A set of equations eqs
– A set of indistinguishability expressions inds
• Output: true or false
Formalization of the protocol
User-defined approximation expressions
Environment of the experiment
• Panasonic CF-J9, Intel(R) Core(TM) i5 CPU M460 @ 2.53GHz, 1GB memory
Results
                BB84 ∼ EDP    EDP ∼ ideal
eqs             6             0
inds            0             24
time (sec)      39.50         112.50
proc. calls     1039          907
Future work
• Formal verification of the correctness of the equations and approximation expressions
• Definition of the approximate bisimulation relation within the qCCS framework itself
• Study of the soundness of the approximate bisimulation relation of nondeterministic qCCS
• Application to other protocols
– B92, six-state protocol
Verifier2
• If ⟨P, E_r(ρ)⟩ --τ--> ⟨P1, ρ1⟩ and ⟨P2, ρ2⟩ by a measurement, it searches for ⟨Q1, σ1⟩ and ⟨Q2, σ2⟩ such that ⟨Q, E_r(σ)⟩ --τ*--> ⟨Q1, σ1⟩ and ⟨Q, E_r(σ)⟩ --τ*--> ⟨Q2, σ2⟩ (not limited form: any τ* path), and ⟨P1, ρ1⟩ ≈_Verifier2 ⟨Q1, σ1⟩ and ⟨P2, ρ2⟩ ≈_Verifier2 ⟨Q2, σ2⟩
Verifier1
• If ⟨P, E_r(ρ)⟩ --τ--> ⟨P1, ρ1⟩ and ⟨P2, ρ2⟩ by a measurement, it searches for ⟨Q1, σ1⟩ and ⟨Q2, σ2⟩ such that ⟨Q, E_r(σ)⟩ --τ*--> --τ--> --τ*--> ⟨Q1, σ1⟩ and ⟨Q2, σ2⟩ (limited form: a τ* prefix, then a single measurement branch τ, then τ* on each branch), and ⟨P1, ρ1⟩ ≈_Verifier1 ⟨Q1, σ1⟩ and ⟨P2, ρ2⟩ ≈_Verifier1 ⟨Q2, σ2⟩