Noisy-storage model

The noisy-storage model refers to a cryptographic model employed in quantum cryptography. It assumes that the quantum memory device of an attacker (adversary) trying to break the protocol is imperfect (noisy). The main goal of this model is to enable the secure implementation of two-party cryptographic primitives, such as bit commitment, oblivious transfer and secure identification.

Motivation
Quantum communication has proven to be extremely useful when it comes to distributing encryption keys. It allows two distant parties Alice and Bob to expand a small initial secret key into an arbitrarily long secret key by sending qubits (quantum bits) to each other. Most importantly, it can be shown that any eavesdropper trying to listen into their communication cannot intercept any information about the long key. This is known as quantum key distribution (QKD).

Yet, it has been shown that even quantum communication does not allow the secure implementation of many other two-party cryptographic tasks. These all form instances of secure function evaluation. An example is oblivious transfer. What sets these tasks apart from key distribution is that they aim to solve problems between two parties, Alice and Bob, who do not trust each other. That is, there is no outside party like an eavesdropper, only Alice and Bob. Intuitively, it is this lack of trust that makes the problem hard. Unlike in quantum key distribution, Alice and Bob cannot collaborate to try and detect any eavesdropping activity. Instead, each party has to fend for himself.

Since tasks like secure identification are of practical interest, one is willing to make assumptions on how powerful the adversary can be. Security then holds as long as these assumptions are satisfied. In classical cryptography, i.e., without the use of quantum tools, most of these are computational assumptions. Such assumptions consists of two parts. First, one assumes that a particular problem is difficult to solve. For example, one might assume that it is hard to factor a large integer into its prime factors (e.g. 15=5x3). Second, one assumes that the adversary has a limited amount of computing power, namely less than what is (thought to be) required to solve the chosen problem.

Bounded storage
In information theoretic cryptography physical assumptions appear, which do not rely on any hardness assumptions, but merely assume a limit on some other resource. In classical cryptography, the bounded-storage model introduced by Ueli Maurer assumes that the adversary can only store a certain number of classical bits. Protocols are known that do (in principle) allow the secure implementation of any cryptographic task as long as the adversary's storage is small. Very intuitively, security becomes possible under this assumption since the adversary has to make a choice which information to keep. That is, the protocol effectively overflows his memory device leading to an inevitable lack on information for the adversary. It was later discovered that any classical protocol which requires the honest parties to store $$n$$ bits in order to execute it successfully can be broken by an adversary that can store more than about $$O(n^2)$$ bits. That is, the gap between what is required to execute the protocol, and what is required to break the security is relatively small.

Bounded quantum storage
This gap changes dramatically when using quantum communication . That is, Alice and Bob can send qubits to each other as part of the protocol. Likewise, one now assumes that the adversary's quantum storage is limited to a certain number of qubits. There is no restriction on how many classical bits the adversary can store. This is known as the bounded-quantum-storage model. It was shown that there exist quantum protocols in which the honest parties need no quantum storage at all to execute them, but are nevertheless secure as long as Alice transmits more than twice the number of qubits than the adversary can store.

Noisy storage
More generally, security is possible as long as the amount of information that the adversary can store in his memory device is limited. This intuition is captured by the noisy-storage model, which includes the bounded-quantum-storage model as a special case. Such a limitation can, for example, come about if the memory device is extremely large, but very imperfect. In information theory such an imperfect memory device is also called a noisy channel. The motivation for this more general model is threefold. First, it allows one to make statements about much more general memory devices that the adversary may have available. Second, security statements could be made when the signals transmitted, or the storage device itself, uses continuous variables whose dimension is infinite and thus cannot be captured by a bounded storage assumption without additional constraints. Third, even if the dimension of the signals itself is small, the noisy-storage analysis allows security beyond the regime where bounded-storage itself can make any security statement. For example, if the storage channel is entanglement breaking, security is possible even if the storage device is arbitrarily large (i.e., not bounded in any way).

Assumption
The assumption of the noisy-storage model is that during waiting times $$\Delta t$$ introduced into the protocol, the adversary can only store quantum information in his noisy memory device. Such a device is simply a quantum channel $$\mathcal{F}:\mathcal{S}(\mathcal{H}_{\rm in}) \rightarrow \mathcal{S}(\mathcal{H}_{\rm out})$$ that takes input states $$\rho_{\rm in} \in \mathcal{S}(\mathcal{H}_{\rm in})$$ to some noisy output states $$\rho_{\rm out} \in \mathcal{S}(\mathcal{H}_{\rm out})$$. Otherwise, the adversary is all powerful. For example, he can store an unlimited amount of classical information and perform any computation instantaneously.

The latter assumption also implies that he can perform any form of error correcting encoding before and after using the noisy memory device, even if it is computationally very difficult to do (i.e., it requires a long time). In this context, this is generally referred to as an encoding attack $$\mathcal{E}$$ and a decoding attack $$\mathcal{D}$$. Since the adversary's classical memory can be arbitrarily large, the encoding $$\mathcal{E}$$ may not only generate some quantum state as input to the storage device $$\mathcal{F}$$ but also output classical information. The adversary's decoding attack $$\mathcal{D}$$ can make use of this extra classical information, as well as any additional information that the adversary may gain after the waiting time has passed.

In practise, one often considers storage devices that consist of $$N$$ memory cells, each of which is subject to noise. In information-theoretic terms, this means that the device has the form $$\mathcal{F} = \mathcal{N}^{\otimes N}$$, where $$\mathcal{N}: S(\Complex^d) \rightarrow S(\Complex^d)$$ is a noisy quantum channel acting on a memory cell of dimension $$d$$.

Examples

 * The storage device consists of $$N$$ qubits, each of which is subject to depolarizing noise. That is, $$\mathcal{F} = \mathcal{N}^{\otimes N}$$, where $$\mathcal{N}(\rho) = \lambda \rho + (1-\lambda) \mathsf{id}/2$$ is the 2-dimensional depolarizing channel.
 * The storage device consists of $$N$$ qubits, which are noise-free. This corresponds to the special case of bounded-quantum-storage. That is, $$\mathcal{F} = \mathsf{id}^{\otimes N}$$, where $$\mathsf{id}$$ is the identity channel.

Protocols
Most protocols proceed in two steps. First, Alice and Bob exchange $$n$$ qubits encoded in two or three mutually unbiased bases. These are the same encodings which are used in the BB84 or six-state protocols of quantum key distribution. Typically, this takes the form of Alice sending such qubits to Bob, and Bob measuring them immediately on arrival. This has the advantage that Alice and Bob need no quantum storage to execute the protocol. It is furthermore experimentally relatively easy to create such qubits, making it possible to implement such protocols using currently available technology.

The second step is to perform classical post-processing of the measurement data obtained in step one. Techniques used depend on the protocol in question and include privacy amplification, error-correcting codes, min-entropy sampling, and interactive hashing.

General
To demonstrate that all two-party cryptographic tasks can be implemented securely, a common approach is to show that a simple cryptographic primitive can be implemented that is known to be universal for secure function evaluation. That is, once one manages to build a protocol for such a cryptographic primitive all other tasks can be implemented by using this primitive as a basic building block. One such primitive is oblivious transfer. In turn, oblivious transfer can be constructed from an even simpler building block known as weak string erasure in combination with cryptographic techniques such as privacy amplification.

All protocols proposed to date allow one of the parties (Alice) to have even an unlimited amount of noise-free quantum memory. I.e., the noisy-storage assumption is applied to only one of the parties (Bob). For storage devices of the form $$\mathcal{F} = \mathcal{N}^{\otimes N}$$ it is known that any two-party cryptographic task can be implemented securely by means of weak string erasure and oblivious transfer whenever any of the following conditions hold.


 * For bounded-quantum-storage (i.e., $$\mathcal{N} = \mathsf{id}$$), security can be achieved using a protocol in which Alice sends $$n > 2N$$ BB84 encoded qubits. That is, security can be achieved when Alice sends more than twice the number of qubits than Bob can store. One can also look at this from Bob's perspective and say that security can be achieved when Bob can store strictly less than half of the qubits that Alice sent, i.e., $$N < n/2$$.
 * For bounded-quantum-storage using higher-dimensional memory cells (i.e., each cell is not a qubit, but a qudit), security can be achieved in a protocol in which Alice sends $$n$$ higher-dimensional qudits encoded one of the possible mutually unbiased bases. In the limit of large dimensions, security can be achieved whenever $$n \gtrapprox N$$. That is, security can always be achieved as long as Bob cannot store any constant fraction of the transmitted signals. This is optimal for the protocols considered since for $$n = N$$ a dishonest Bob can store all qudits sent by Alice. It is not known whether the same is possible using merely BB84 encoded qubits.


 * For noisy-storage and devices of the form $$\mathcal{F} = \mathcal{N}^{\otimes N}$$ security can be achieved using a protocol in which Alice sends $$n$$ BB84 encoded qubits if


 * $$n > 2 \cdot N \cdot C(\mathcal{N})$$, where $$C(\mathcal{N})$$ is the classical capacity of the quantum channel $$\mathcal{N}$$, and $$\mathcal{N}$$ obeys the so-called strong converse property, or, if


 * $$n > 2 \cdot N \cdot E_C(\mathcal{N})$$, where $$E_C(\mathcal{N})$$ is the entanglement cost of the quantum channel $$\mathcal{N}$$. This is generally much better than the condition on the classical capacity, however it is harder to evaluate $$E_C(\mathcal{N})$$.


 * For noisy-storage and devices of the form $$\mathcal{F} = \mathcal{N}^{\otimes N}$$ security can be achieved using a protocol in which Alice sends $$n$$ qubits encoded in one of the three mutually unbiased bases per qubit, if


 * $$n > Q(\mathcal{N}) N$$, where $$Q$$ is the quantum capacity of $$\mathcal{N}$$, and the strong converse parameter of $$\mathcal{N}$$ is not too small.

The three mutually unbiased bases are the same encodings as in the six-state protocol of quantum key distribution. The last condition does form the best known condition for most channels, yet the quantum capacity as well as the strong converse parameter are generally not easy to determine.

Specific tasks
Using such basic primitives as building blocks is not always the most efficient way to solve a cryptographic task. Specialized protocols targeted to solve specific problems are generally more efficient. Examples of known protocols are


 * Bit commitment in the noisy-storage model, and in the case of bounded-quantum-storage
 * Oblivious transfer in the noisy-storage model, and in the case of bounded-quantum-storage
 * Secure identification in the bounded-quantum-storage model

Noisy-storage and QKD
The assumption of bounded-quantum-storage has also been applied outside the realm of secure function evaluation. In particular, it has been shown that if the eavesdropper in quantum key distribution is memory bounded, higher bit error rates can be tolerated in an experimental implementation.