133 research outputs found

    Weak randomness completely trounces the security of QKD

    In usual security proofs of quantum protocols the adversary (Eve) is expected to have full control over any quantum communication between any communicating parties (Alice and Bob). Eve is also expected to have full access to an authenticated classical channel between Alice and Bob. Unconditional security against any attack by Eve can be proved even in the realistic setting of device and channel imperfection. In this Letter we show that the security of QKD protocols is ruined if one allows Eve to possess a very limited access to the random sources used by Alice. Such knowledge should always be expected in realistic experimental conditions via different side channels

    Optimality of private quantum channels

    We addressed the question of optimality of private quantum channels. We have shown that the Shannon entropy of the classical key necessary to securely transfer the quantum information is lower bounded by the entropy exchange of the private quantum channel $\mathcal{E}$ and von Neumann entropy of the ciphertext state $\varrho^{(0)}$. Based on these bounds we have shown that decomposition of private quantum channels into orthogonal unitaries (if exists) is optimizing the entropy. For non-ancillary single qubit PQC we have derived the optimal entropy for arbitrary set of plaintexts. In particular, we have shown that except when the (closure of the) set of plaintexts contains all states, one bit key is sufficient. We characterized and analyzed all the possible single qubit private quantum channels for arbitrary set of plaintexts. For the set of plaintexts consisting of all qubit states we have characterized all possible approximate private quantum channels and we have derived the relation between the security parameter and the corresponding minimal entropy. Comment: no commen

    Fair and optimistic quantum contract signing

    We present a fair and optimistic quantum contract signing protocol between two clients that requires no communication with the third trusted party during the exchange phase. We discuss its fairness and show that it is possible to design such a protocol for which the probability of a dishonest client to cheat becomes negligible, and scales as $N^{-1/2}$, where $N$ is the number of messages exchanged between the clients. Our protocol is not based on the exchange of signed messages: its fairness is based on the laws of quantum mechanics. Thus, it is abuse-free, and the clients do not have to generate new keys for each message during the Exchange phase. We discuss a real-life scenario when the measurement errors and qubit state corruption due to noisy channels occur and argue that for real, good enough measurement apparatus and transmission channels, our protocol would still be fair. Our protocol could be implemented by today's technology, as it requires in essence the same type of apparatus as the one needed for BB84 cryptographic protocol. Finally, we briefly discuss two alternative versions of the protocol, one that uses only two states (based on B92 protocol) and the other that uses entangled pairs, and show that it is possible to generalize our protocol to an arbitrary number of clients. Comment: 11 pages, 2 figure

    Haematological and Histological Bone Marrow Findings in Experimental Classical Swine Fever


    Using quantum key distribution for cryptographic purposes: a survey

    The appealing feature of quantum key distribution (QKD), from a cryptographic viewpoint, is the ability to prove the information-theoretic security (ITS) of the established keys. As a key establishment primitive, QKD however does not provide a standalone security service on its own: the secret keys established by QKD are in general then used by subsequent cryptographic applications for which the requirements, the context of use and the security properties can vary. It is therefore important, in the perspective of integrating QKD in security infrastructures, to analyze how QKD can be combined with other cryptographic primitives. The purpose of this survey article, which is mostly centered on European research results, is to contribute to such an analysis. We first review and compare the properties of the existing key establishment techniques, QKD being one of them. We then study more specifically two generic scenarios related to the practical use of QKD in cryptographic infrastructures: 1) using QKD as a key renewal technique for a symmetric cipher over a point-to-point link; 2) using QKD in a network containing many users with the objective of offering any-to-any key establishment service. We discuss the constraints as well as the potential interest of using QKD in these contexts. We finally give an overview of challenges relative to the development of QKD technology that also constitute potential avenues for cryptographic research. Comment: Revised version of the SECOQC White Paper. Published in the special issue on QKD of TCS, Theoretical Computer Science (2014), pp. 62-8

    Pathogenesis of Thrombocytopenia in Acute Classical Swine Fever


    The impact of using BARCIST 1.0 criteria on quantification of BAT volume and activity in three independent cohorts of adults

    Human brown adipose tissue (BAT) is commonly assessed by cold-induced 18F-fluorodeoxyglucose (FDG) PET-CT using several quantification criteria. Uniform criteria for data analysis became available recently (BARCIST 1.0). We compared BAT volume and activity following BARCIST 1.0 criteria against the most commonly used criteria [Hounsfield Units (HU):-250, -50, standardized uptake value (SUV):2.0; HU: Not applied, SUV:2.0 and HU:-180, -10, SUV:1.5] in a prospective study using three independent cohorts of men including young lean adults, young overweight/obese adults and middle-aged overweight/obese adults. BAT volume was the most variable outcome between criteria. While BAT volume calculated using the HU: NA; SUV: 2.0 criteria was up to 207% higher than the BAT volume calculated based on BARCIST 1.0 criteria, it was up to 57% lower using the HU: -250, -50; SUV: 2.0 criteria compared to the BARCIST 1.0. Similarly, BAT activity (expressed as SUVmean) also differed between different thresholds mainly because SUVmean depends on BAT volume. SUVpeak was the most consistent BAT outcome across the four study criteria. Of note, we replicated these findings in three independent cohorts. In conclusion, BAT volume and activity as determined by 18F-FDG-PET/CT highly depend on the quantification criteria used. Future human BAT studies should conduct sensitivity analysis with different thresholds in order to understand whether results are driven by the selected HU and/or SUV thresholds. The design of the present study precludes providing any conclusive threshold, but before more definitive thresholds for HU and SUV are available, we support the use of BARCIST 1.0 criteria to facilitate interpretation of BAT characteristics between research groups

    How much randomness can be extracted from memoryless Shannon entropy sources?

    We revisit the classical problem: given a memoryless source having a certain amount of Shannon Entropy, how many random bits can be extracted? This question appears in works studying random number generators built from physical entropy sources. Some authors use a heuristic estimate obtained from the Asymptotic Equipartition Property, which yields roughly $n$ extractable bits, where $n$ is the total Shannon entropy amount. However the best known precise form gives only $n-O(\sqrt{\log(1/\epsilon) n})$, where $\epsilon$ is the distance of the extracted bits from uniform. In this paper we show a matching $n-\Omega(\sqrt{\log(1/\epsilon) n})$ upper bound. Therefore, the loss of $\Theta(\sqrt{\log(1/\epsilon) n})$ bits is necessary. As we show, this theoretical bound is of practical relevance. Namely, applying the imprecise AEP heuristic to a mobile phone accelerometer one might overestimate extractable entropy even by $100\%$, no matter what the extractor is. Thus, the "AEP extracting heuristic" should not be used without taking the precise error into account.