量子暗号の形式的検証のための 確率双模倣

久保田 貴大*, 角谷 良彦*, 加藤 豪†, 河野 泰人†, 櫻田 英樹†

*東京大学情報理工学系研究科, †NTTコミュニケーション科学基礎研究所

量子暗号の形式的検証のための 近似双模倣

久保田 貴大*, 角谷 良彦*, 加藤 豪†, 河野 泰人†, 櫻田 英樹†

*東京大学情報理工学系研究科, †NTTコミュニケーション科学基礎研究所

背景

• 暗号安全性証明の検証は難しい

–古典暗号に対しては, 検証のための 形式体系やツールが開発・適用されている

• 形式的検証は, 量子暗号に対しても有用

–複雑な安全性証明がある [Mayers’98]

–今後も, さまざまなプロトコルが 提案される可能性がある

本研究の目標

• 量子プロセス計算qCCSを, Shor-PreskillのBB84の安全性証明に適用すること

–プロセス計算は並行システムを記述するのに 適している

• qCCSには, プロセスの双模倣の概念がある [Feng+’11]

– Shor-Preskillの証明は, 最もシンプルな安全性証明のひとつ [Shor-Preskill’00]

public quantum channel

public classical channel

BB84

Alice

Bob

Outline of Shor-Preskill proof of BB84

public quantum channel

public classical channel

public quantum channel

public classical channel

private classical channel

BB84

Alice

Bob

Alice

Bob

Outline of Shor-Preskill proof of BB84

EDP-based

public quantum channel

public classical channel

public quantum channel

public classical channel

private classical channel

BB84

Alice

Bob

Alice

Bob

Outline of Shor-Preskill proof of BB84

EDP-based

(1) Prove equivalence

public quantum channel

public classical channel

public quantum channel

public classical channel

private classical channel

BB84

Alice

Bob

Alice

Bob

Outline of Shor-Preskill proof of BB84

(2) Prove security

EDP-based

(1) Prove equivalence

public quantum channel

public classical channel

public quantum channel

public classical channel

private classical channel

BB84

Alice

Bob

Alice

Bob

EDP-based

Our formal verification

public quantum channel

public classical channel

public quantum channel

public classical channel

private classical channel

BB84

Alice

Bob

Alice

Bob

EDP-based

Our formal verification

双模倣の自動検証 (FAIS2013春) ≈

Formalization as qCCS configs.

qCCSの枠組みで形式化(FAIS2012春)

public quantum channel

public classical channel

public quantum channel

public classical channel

private classical channel

BB84

Alice

Bob

Alice

Bob

EDP-based

Our formal verification

public quantum channel

public classical channel

private classical channel Alice

EDP-ideal

Bob

≈

Formalization as qCCS configs.

双模倣の自動検証 (FAIS2013春)

qCCSの枠組みで形式化(FAIS2012春)

public quantum channel

public classical channel

public quantum channel

public classical channel

private classical channel

BB84

Alice

Bob

Alice

Bob

EDP-based

Our formal verification

public quantum channel

public classical channel

private classical channel Alice

EDP-ideal

Bob

≈

Formalization as qCCS configs.

双模倣の自動検証 (FAIS2013春)

qCCSの枠組みで形式化(FAIS2012春) 安全性が自明に成り立つプロトコル

AliceとBobは, 事前にEPRペアを共有

public quantum channel

public classical channel

public quantum channel

public classical channel

private classical channel

BB84

Alice

Bob

Alice

Bob

EDP-based

Our formal verification

public quantum channel

public classical channel

private classical channel Alice

EDP-ideal

Bob

≈

双模倣の自動検証 (FAIS2013春)

qCCSの枠組みで形式化(FAIS2012春)

public quantum channel

public classical channel

public quantum channel

public classical channel

private classical channel

BB84

Alice

Bob

Alice

Bob

EDP-based

Our formal verification

public quantum channel

public classical channel

private classical channel Alice

EDP-ideal

Bob

≈

近似双模倣の自動検証 ~

双模倣の自動検証 (FAIS2013春)

qCCSの枠組みで形式化(FAIS2012春)

qCCSの枠組みで形式化

本研究の貢献

• 非決定的qCCSのコンフィグレーションたちに 対して, 近似双模倣関係を定義した

–並行合成に関して閉じている

• 𝑃, 𝜌 ∼ 𝑄, 𝜎 ならば 𝑃||𝑅, 𝜌 ∼ 𝑄||𝑅, 𝜎

–安全性証明に適用可能

• 検証ツールを拡張し, Shor-Preskillの証明の 後半部分に適用した

qCCSをツール用に 簡略化した枠組み

Outline

• Quantum process calculus qCCS

• Nondeterministic qCCS

• Approximate bisimulation

• Application to Shor-Preskill’s security proof

• Experiment

Outline

• Quantum process calculus qCCS

• Nondeterministic qCCS

• Approximate bisimulation

• Application to Shor-Preskill’s security proof

• Experiment

Syntax of qCCS [Feng+’11]

𝑒 : real expression 𝑏 : boolean expression on real numbers 𝑞 : quantum variable M : Hermitian operator 𝑜𝑝 : TPCP map 𝑞 : sequence of quantum variables L : set of channels

20

Quantum operation Measurement

Quantum communication

Quantum communication

Configuration

• A pair 𝑃, 𝜌 of a process 𝑃 and a quantum state 𝜌

where 𝜌𝐸 is the outsider’s arbitrary state

+ :=0 +|1⟩

2

𝑃 𝜌

22

• 𝑃, 𝜌𝛼 𝜇

– A configuration 𝑃, 𝜌 performs an action 𝛼 and transits to a probability distribution 𝜇 on configurations

𝜌 is a distribution on quantum states

𝜇 is a distribution on configurations

Probabilistic labeled transition

Probabilistic labeled transition

𝜏 𝜏

1/2 1/2

1

1

Sends 𝑞𝐵 to the outside through c

Measures 𝑞𝐴

Probabilistic labeled transition

𝜏 𝜏

1/2 1/2

1

1

Only measurement causes a prob. branch

1

Probabilistic labeled transition

𝜏 𝜏

1/2 1/2

1

Visible action from the outside

Invisible action from the outside

Bisimulation Relation

• Two configurations 𝑃, 𝜌 , 𝑄, 𝜎 are bisimilar, written 𝑃, 𝜌 ≈ 𝑄, 𝜎 , if

1. qv(𝑃) = qv(𝑄) and trqv 𝑃 𝜌 = trqv 𝑄 𝜎 hold

-- namely, the states that the outsider can access are the same

2. For any outsider’s operation 𝐸 acting on 𝑞𝑉𝑎𝑟 − qv(𝑃), Each transition of 𝑃, 𝐸𝜌 is “simulated” by those of 𝑄, 𝐸𝜎 up to 𝜏 transitions

Bisimulation Relation

• Two configurations 𝑃, 𝜌 , 𝑄, 𝜎 are bisimilar, written 𝑃, 𝜌 ≈ 𝑄, 𝜎 , if

1. qv(𝑃) = qv(𝑄) and trqv 𝑃 𝜌 = trqv 𝑄 𝜎 hold

-- namely, the states that the outsider can access are the same

2. For any outsider’s operation 𝐸 acting on 𝑞𝑉𝑎𝑟 − qv(𝑃), Each transition of 𝑃, 𝐸𝜌 is “simulated” by those of 𝑄, 𝐸𝜎 up to 𝜏 transitions

のとき,

trqv 𝑃 (𝜌) = 𝜌𝐸 𝑃 𝜌

Bisimulation Relation

• Two configurations 𝑃, 𝜌 , 𝑄, 𝜎 are bisimilar, written 𝑃, 𝜌 ≈ 𝑄, 𝜎 , if

1. qv(𝑃) = qv(𝑄) and trqv 𝑃 𝜌 = trqv 𝑄 𝜎 hold

-- namely, the states that the outsider can access are the same

2. For any outsider’s operation 𝐸 acting on 𝑞𝑉𝑎𝑟 − qv(𝑃), Each transition of 𝑃, 𝐸𝜌 is “simulated” by those of 𝑄, 𝐸𝜎 up to 𝜏 transitions

Example of Bisimulation

≈ 𝑃, 𝜌 𝑄, 𝜎

Example of Bisimulation

𝑃, 𝐸𝜌 𝑄, 𝐸𝜎

≈ 𝑃, 𝜌 𝑄, 𝜎

Example of Bisimulation

𝑃, 𝐸𝜌 𝑄, 𝐸𝜎

𝐜! 𝑞

𝑃′, 𝜌′

≈ 𝑃, 𝜌 𝑄, 𝜎

Example of Bisimulation

𝑃, 𝐸𝜌 𝑄, 𝐸𝜎

𝐜! 𝑞

𝑃′, 𝜌′ 𝑄′, 𝜎′

𝜏 𝐜! 𝑞

≈

≈

𝑃, 𝜌 𝑄, 𝜎

Example of Bisimulation

𝑃, 𝐸𝜌 𝑄, 𝐸𝜎

𝐜! 𝑞

𝑃′, 𝜌′ 𝑄′, 𝜎′

𝜏 𝐜! 𝑞

𝑃′, 𝐸′𝜌′ 𝑄′, 𝐸′𝜎′

≈

≈

𝑃, 𝜌 𝑄, 𝜎

Example of Bisimulation

𝑃, 𝐸𝜌 𝑄, 𝐸𝜎

𝐜! 𝑞

𝑃′, 𝜌′

𝜏 𝜏

𝑄′, 𝜎′

𝜏 𝐜! 𝑞

𝑃1, 𝜌1 𝑃2, 𝜌2

𝑃′, 𝐸′𝜌′ 𝑄′, 𝐸′𝜎′

≈

≈

𝑃, 𝜌 𝑄, 𝜎

1/3 2/3

Example of Bisimulation

𝑃, 𝐸𝜌 𝑄, 𝐸𝜎

𝐜! 𝑞

𝑃′, 𝜌′

𝜏 𝜏

𝑄′, 𝜎′

𝑄3, 𝜎3

𝜏 𝐜! 𝑞

𝑃1, 𝜌1 𝑃2, 𝜌2

𝑃′, 𝐸′𝜌′

𝑄2, 𝜎2

𝑄1, 𝜎1

𝑄′, 𝐸′𝜎′ 𝜏 𝜏

𝜏

𝜏 𝜏 𝜏

≈

≈

𝑃, 𝜌 𝑄, 𝜎

1/3 2/3

1/3

1/3

1/3

Example of Bisimulation

𝑃, 𝐸𝜌 𝑄, 𝐸𝜎

𝐜! 𝑞

𝑃′, 𝜌′

𝜏 𝜏

𝑄′, 𝜎′

𝑄3, 𝜎3

𝜏 𝐜! 𝑞

𝑃1, 𝜌1 𝑃2, 𝜌2

𝑃′, 𝐸′𝜌′

𝑄2, 𝜎2

𝑄1, 𝜎1

𝑄′, 𝐸′𝜎′ 𝜏 𝜏

𝜏

𝜏 𝜏 𝜏

≈

≈

𝑃, 𝜌 𝑄, 𝜎

1/3 2/3

1/3

1/3

1/3 ≈

≈

≈

Outline

• Quantum process calculus qCCS

• Nondeterministic qCCS

• Approximate bisimulation

• Application to Shor-Preskill’s security proof

• Experiment

Simplification of Syntax

• 𝑀[𝑞; 𝑥] and if must always be written together

q must be a qubit

Simplification of syntax

1/2

τ τ

1/2

1/2

1/2

τ τ

1/2

1/2

trace is 1

Simplification of operational semantics

probability to reach here

• Excluded probability from the transition system by extending the def. of configurations

τ τ

1/2 1/2

1/2

Simplification of operational semantics

trace is 1/2 probability to reach here

Simplified formal framework

• We call nondeterministic qCCS

•

• Transition system is only nondeterministic

– For a configuration 𝑃, 𝜌 , tr(𝜌) is the probability to reach it

and the quantum state is 𝜌

tr(𝜌)

Outline

• Quantum process calculus qCCS

• Nondeterministic qCCS

• Approximate bisimulation

• Application to Shor-Preskill’s security proof

• Experiment

public quantum channel

public classical channel

public quantum channel

public classical channel

private classical channel

BB84

Alice

Bob

Alice

Bob

EDP-based

Our formal verification

public quantum channel

public classical channel

private classical channel Alice

EDP-ideal

Bob

≈

近似双模倣の自動検証 ~

双模倣の自動検証 (FAIS2013春)

qCCSの枠組みで形式化(FAIS2012春)

qCCSの枠組みで形式化(FAIS2012春)

Trace distance

• 𝑑 𝜌, 𝜎 ≔ 1

2tr|𝜌 − 𝜎|, where 𝐴 = 𝐴†𝐴

• Examples

– 𝑑 0 0 , + + =1

2

– 𝑑 0 0 ⊗𝑛, + + ⊗𝑛 = 1 −1

2𝑛

Approximate Bisimulation

• Two configurations 𝑃, 𝜌 , 𝑄, 𝜎 are approximately bisimilar, written 𝑃, 𝜌 ~ 𝑄, 𝜎 , if

1. qv(𝑃) = qv(𝑄) hold and

𝑑 trqv 𝑃 𝜌 , trqv 𝑄 𝜎 is negligible

2. For any outsider’s operation 𝐸 acting on 𝑞𝑉𝑎𝑟 − qv(𝑃),

𝑃, 𝐸𝜌𝛼 𝑃′, 𝜌′ holds and tr(𝜌′) is non-negligible,

𝑄, 𝐸𝜎𝜏∗

𝛼

𝜏∗ 𝑄′, 𝜎′ and 𝑃′, 𝜌′ ~ 𝑄′, 𝜎′ hold

for some 𝑄′, 𝜎′ , and conversely

Properties of approximate bisimulation

• The relation ∼ is an equivalence relation

• If 𝑃, 𝜌 ∼ 𝑄, 𝜎 holds, then 𝑃||𝑅, 𝜌 ∼ 𝑄||𝑅, 𝜎 holds for all process 𝑅

Application of the property

• Multiple session

⟨𝑃, 𝜌 ⊗ 𝜌𝐸⟩~ 𝑄, 𝜎 ⊗ 𝜌𝐸 for all 𝜌𝐸, and

⟨𝑃′, 𝜌′ ⊗ 𝜌′𝐸⟩~ 𝑄′, 𝜎′ ⊗ 𝜌′𝐸 for all 𝜌′𝐸 implies ⟨𝑃||𝑃′, 𝜌 ⊗ 𝜌′′𝐸⟩~⟨𝑄||𝑄′, 𝜎 ⊗ 𝜌′′𝐸⟩ for all 𝜌′′𝐸

Outline

• Quantum process calculus qCCS

• Nondeterministic qCCS

• Approximate bisimulation

• Application to Shor-Preskill’s security proof

• Experiment

Application to QKD protocols

𝑃, 𝜌 𝑄, 𝜎 EDP-based EDP-ideal

…

𝑃′′′, 𝜌′′′

…

𝑃′, 𝜌′

s!kA

c1!qA

τ c1?qB

𝑃′′, 𝜌′′

s!kA

…

c1!qA

τ c1?qB

τ

𝑃, 𝜌 𝑄, 𝜎 EDP-based EDP-ideal

…

𝑃′′′, 𝜌′′′

…

𝑃′, 𝜌′

s!kA

c1!qA

τ c1?qB

𝑃′′, 𝜌′′

s!kA

…

c1!qA

τ c1?qB

τ

~

tr(𝜌′) is non-neg. tr(𝜌′′) is non-neg. tr(𝜌′′′) is neg.

Application to QKD protocols

𝑃, 𝜌 𝑄, 𝜎 EDP-based EDP-ideal

…

𝑃′′′, 𝜌′′′

…

𝑃′, 𝜌′

s!kA

c1!qA

τ c1?qB

𝑃′′, 𝜌′′

s!kA

…

…

𝑄′, 𝜎′

s!kA

c1!qA

τ c1?qB

𝑄′′, 𝜎′′

s!kA

τ

~

tr(𝜌′) is non-neg. tr(𝜌′′) is non-neg. tr(𝜌′′′) is neg.

Application to QKD protocols

𝑃, 𝜌 𝑄, 𝜎 EDP-based EDP-ideal

…

𝑃′′′, 𝜌′′′

…

𝑃′, 𝜌′

s!kA

c1!qA

τ c1?qB

𝑃′′, 𝜌′′

s!kA

…

…

𝑄′, 𝜎′

s!kA

c1!qA

τ c1?qB

𝑄′′, 𝜎′′

s!kA

τ

Trace distances are negligibly small

~

~ ~ tr(𝜌′) is non-neg. tr(𝜌′′) is non-neg. tr(𝜌′′′) is neg.

Application to QKD protocols

Property of distance of probability-weighted density matrices

• If 𝑑 𝜌, 𝜎 is negligible, then

tr 𝜌 − tr 𝜎 is negligible and

|tr 𝜌 tr 𝜋𝜌

tr(𝜌)− tr 𝜎 tr 𝜋

𝜎

tr 𝜎| is

negligible for all projector 𝜋

– For a configuration 𝑃, 𝜌 ,

• tr 𝜌 is the probability to reach 𝑃, 𝜌

•𝜌

tr(𝜌) is the quantum state

Property of distance of probability-weighted density matrices

• If 𝑑 𝜌, 𝜎 is negligible, then

tr 𝜌 − tr 𝜎 is negligible and

|tr 𝜌 tr 𝜋𝜌

tr(𝜌)− tr 𝜎 tr 𝜋

𝜎

tr 𝜎| is

negligible for all projector 𝜋

– For a configuration 𝑃, 𝜌 ,

• tr 𝜌 is the probability to reach 𝑃, 𝜌

•𝜌

tr(𝜌) is the quantum state

Joint probability that the configuration reaches 𝑃, 𝜌 and

obtain the measurement result corresponding to 𝜋

Application to QKD

• If 𝑑 𝜌, 𝜎 is negligible, then

tr 𝜌 − tr 𝜎 is negligible and

|tr 𝜌 tr 𝜋𝑖𝜌

tr(𝜌)− tr 𝜎 tr 𝜋𝑖

𝜎

tr 𝜎| is neg.

Let

𝜌 : a final state of an execution of EDP-based

𝜎 : a final state of an execution of EDP-ideal

𝜋𝑖 : the projector to the subspace where 𝑖-th bits of Alice’s and Eve’s key are equal

This is 1/2

Application to QKD

• If 𝑑 𝜌, 𝜎 is negligible, then

tr 𝜌 − tr 𝜎 is negligible and

|tr 𝜌 tr 𝜋𝑖𝜌

tr(𝜌)− tr 𝜎 tr 𝜋𝑖

𝜎

tr 𝜎| is neg.

We can derive that p(𝑘𝐴,𝑖 = 𝑘𝐸,𝑖) − 1/2 is negligible for all 𝑖.

This is 1/2

Outline

• Quantum process calculus qCCS

• Nondeterministic qCCS

• Approximate bisimulation

• Application to Shor-Preskill’s security proof

• Experiment

Verifier2

• Checks 𝑃, 𝜌 ∼ 𝑄, 𝜎

• Input: – 𝑃, 𝜌 , 𝑄, 𝜎

– A set of equations 𝑒𝑞𝑠

– A set of indistinguishability expressions 𝑖𝑛𝑑𝑠

• Output: true or false

65

プロトコルの形式化

プロトコルの形式化

プロトコルの形式化

プロトコルの形式化

ユーザ定義近似式

Environment of the experiment

• Panasonic CF-J9 Intel(R) Core(TM) i5 CPU M460 @ 2.53GHz, 1GB memory

Results

BB84∼EDP EDP∼ideal

eqs 6 0

inds 0 24

time (sec) 39.50 112.50

proc. calls 1039 907

今後の課題

• 等式・近似式の正しさの形式的検証

• qCCSの枠組みにおける近似双模倣関係の定義

• 非決定的qCCSの近似双模倣関係の 健全性の考察

• 他のプロトコルへの適用

– B92, six-state protocol

Approximate Bisimulation

• Two configurations 𝑃, 𝜌 , 𝑄, 𝜎 are approximately bisimilar, written 𝑃, 𝜌 ~ 𝑄, 𝜎 , if

1. qv(𝑃) = qv(𝑄) hold and

𝑑 trqv 𝑃 𝜌 , trqv 𝑄 𝜎 is negligible

2. For any outsider’s operation 𝐸 acting on 𝑞𝑉𝑎𝑟 − qv(𝑃),

𝑃, 𝐸𝜌𝛼 𝑃′, 𝜌′ holds and tr(𝜌′) is non-negligible,

𝑄, 𝐸𝜎𝜏∗

𝛼

𝜏∗ 𝑄′, 𝜎′ and 𝑃′, 𝜌′ ~ 𝑄′, 𝜎′ hold

for some 𝑄′, 𝜎′ , and conversely

1/2

τ τ

1/2

1/2

probability to reach here

trace is 1

Simplification of operational semantics

• Excluded probability from the transition system by extending the def. of configurations

τ τ

1/2 1/2

1/2

Simplification of operational semantics

trace is 1/2 probability to reach here

𝑃, 𝜌 𝑄, 𝜎 EDP-based EDP-ideal

…

𝑃′′′, 𝜌′′′

…

𝑃′, 𝜌′

s!kA

c1!qA

τ c1?qB

𝑃′′, 𝜌′′

s!kA

…

…

𝑄′, 𝜎′

s!kA

c1!qA

τ c1?qB

𝑄′′, 𝜎′′

s!kA

τ

Trace distances are negligibly small

~

~ ~ tr(𝜌′) is non-neg. tr(𝜌′′) is non-neg. tr(𝜌′′′) is neg.

Application to QKD protocols

Verifier2

If 𝑃, 𝐸 𝑟 𝜌 by measure,

it searches 𝑄1, 𝜎1 and 𝑄2, 𝜎2 such that

and 𝑃1, 𝜌1 ≈Verifier2 𝑄1, 𝜎1 and 𝑃2, 𝜌2 ≈Verifier2 𝑄2, 𝜎2

τ

τ

𝑃1, 𝜌1

𝑃2, 𝜌2

𝑄, 𝐸 𝑟 𝜎 𝑄1, 𝜎1

𝑄2, 𝜎2

τ*

τ* 𝑄, 𝐸 𝑟 𝜎 Not limited form

79

Verifier1

If 𝑃, 𝐸 𝑟 𝜌 by measure,

it searches 𝑄1, 𝜎1 and 𝑄2, 𝜎2 such that

and 𝑃1, 𝜌1 ≈Verifier1 𝑄1, 𝜎1 and 𝑃2, 𝜌2 ≈Verifier1 𝑄2, 𝜎2

τ

τ

𝑃1, 𝜌1

𝑃2, 𝜌2

𝑄, 𝐸 𝑟 𝜎

𝑄1, 𝜎1

𝑄2, 𝜎2

τ* τ

τ

τ*

τ* Limited form

80

measure branch