
Efficient Information-Theoretic Secrecy from Relativity Theory

Esther Hänggi¹, Renato Renner², Stefan Wolf³

¹ Computer Science Department, ETH Zürich, ETH Zentrum, CH-8092 Zürich, Switzerland. E-mail: esther.haenggi@inf.ethz.ch
² Physics Department, ETH Zürich, ETH Hönggerberg, CH-8093 Zürich, Switzerland. E-mail: renner@itp.phys.ethz.ch
³ Computer Science Department, ETH Zürich, ETH Zentrum, CH-8092 Zürich, Switzerland. E-mail: wolf@inf.ethz.ch
Abstract. Information-theoretic (as opposed to computational) security is impossible to achieve from scratch, but must be based on some ultimately physical assumption. Examples of such starting points are noise in communication channels, limitations on the adversary's memory capacity, or the uncertainty principle of quantum physics. In 2005, Barrett, Hardy, and Kent showed that information-theoretic secrecy can in principle be obtained based solely on the impossibility of message transmission faster than at the speed of light as postulated by special relativity. Roughly speaking, a protocol for entanglement-based quantum key agreement is executed, but the security rests entirely on the impossibility of explaining the resulting correlations by pre-shared classical information. Unfortunately, their protocol is inefficient: it has communication complexity Θ(1/ε) if Eve's information is to be limited by ε. Moreover, no noise can be tolerated. Despite earlier results suggesting that this might be optimal, we show that, actually, the communication complexity can be reduced to O(log(1/ε)); in other words, the information leaked to the adversary becomes exponentially small. In addition, no maximal violation of any Bell inequality is required, i.e., even in the presence of noise, the key-generation rate can be positive. The basic idea of our new key-agreement protocol is to use the no-signaling condition within Alice's and Bob's laboratories. The resulting scheme is secure if either quantum or relativity theory is correct. From a practical point of view, its advantage is that the security is device-independent and trust in the manufacturer is unnecessary.
1 Introduction, Motivation, and Our Result
1.1 Cryptographic Security Based on Physical Principles
It is a well-established fact that information-theoretic secrecy must be based on certain assumptions to start with. According to Landauer [18], such an assumption ultimately boils down to some fact or restriction on the physical level. This can be noise in communication channels [27], [9], [22], a limitation on an adversary's memory space [21], [10], or the uncertainty principle of quantum physics [5].

In this article, we consider key-agreement protocols the security of which follows from the impossibility of superluminal signaling. More precisely, a protocol closely related to known entanglement-based quantum cryptography is used; however, quantum physics only enters the game for showing that the protocol works, i.e., is not aborted with overwhelming probability. The security proof, on the other hand, relies on relativity only and is independent of quantum physics. Roughly speaking, the idea is as follows: If the results of certain measurements cannot have existed before the measurement is actually executed, then, in particular, the adversary cannot have (completely) known the corresponding pieces of information.
1.2 Relativity-Based Cryptography
The security of relativity-based (or relativistic) cryptography can be proven under the sole assumption that
the non-signaling postulate of relativity theory is correct. The latter states that information transmission
faster than at the speed of light is impossible.
The basic idea, as proposed by Barrett, Hardy, and Kent [2], is as follows: By communication over a
quantum channel, two parties Alice and Bob generate some shared entangled quantum state. They can carry
out measurements and use an authentic classical channel to determine the resulting correlation of their
respective data.
So far, this is entanglement-based quantum cryptography as proposed by Ekert [12]¹ some years after the first variant of quantum cryptography proposed by Bennett and Brassard [5], which is not based on entanglement at all. Let us quickly follow Ekert's path: From the correlations, Alice and Bob draw conclusions on error rates and adversarial information and generate a key, the security of which can be proven based on the assumption that quantum physics with all its Hilbert space formalism is correct [24]. An additional assumption that usually has to be made is that the devices operate on specific quantum systems of a certain dimension (e.g., single polarized photons); the security is lost when the actual systems are different (e.g., pairs of photons). The question of device-independent security has already been raised in [1]. It was shown that under certain restrictions on the type of possible attack, namely to so-called collective, i.e., i.i.d., attacks, it can be achievable, at the price, however, of a lower key-generation rate.
Let us now turn back to relativistic cryptography: Here, Alice and Bob carry out measurements on their respective systems in a space-like separated fashion (i.e., signaling is excluded), and this will allow them to conclude privacy directly from the correlations of their resulting data. The proofs then hold for whatever quantum systems the devices operate on; no Hilbert space formalism is used, only classical information theory. It is not even necessary to assume that what an adversary can do is limited by quantum physics. The latter guarantees that the protocol works, i.e., leads to the expected correlations, the occurrence of which can be verified, but the security is completely independent of quantum physics. An interesting consequence is that protocols can be given which are secure if either quantum physics or relativity (or both, of course) is correct.
But how can it be possible to derive secrecy from correlations alone? In quantum physics, this is well-known: Quantum correlations, called entanglement, are monogamous to some extent [25]. If Alice and Bob are maximally entangled, then Eve must be out of the picture. But classically, we do not know such an effect: If Alice and Bob have highly correlated bits, Eve can nevertheless know them. The point is that we have to look at correlations of bipartite systems, characterized by their joint input-output behavior.
John Bell proved in 1964 [3] that entangled quantum states can have non-local behavior under measurements. More precisely, the system consists of the choice of the particular measurement to be carried out (the inputs) and the corresponding outcomes (the outputs). Bell's work was a reply to Einstein, Podolsky, and Rosen's claim [11] that quantum physics was incomplete and should be augmented by classical variables determining the behavior of every system under any possible measurement. Bell proved that such a thing is impossible: these variables do not exist. That is what can be exploited cryptographically: If they do not exist, then no adversary can know them!
We explain this concept in more detail and start with a closer look at systems and correlations.
1.3 Systems, Correlations, and Non-Locality
In order to explain the essence of non-locality, we introduce the notion of two-partite systems, defined by their joint input-output behavior $P_{XY|UV}$ (see Figure 1). We classify systems by the correlation they introduce, and by the resource that is required to explain the behavior of their parts.

Definition 1. A system $P_{XY|UV}$ is independent if there exist $P_{X|U}$ and $P_{Y|V}$ such that $P_{XY|UV} = P_{X|U} \times P_{Y|V}$. It is local if
$$P_{XY|UV} = \sum_{i=1}^{n} w_i\, P^i_{X|U}\, P^i_{Y|V}$$
holds for some weights $w_i \geq 0$ and conditional distributions $P^i_{X|U}$ and $P^i_{Y|V}$, $i = 1, \ldots, n$. A system is signaling if it allows for message transmission: There exist distributions $P_U$ and $P_V$ such that $I(X; V|U) + I(Y; U|V) > 0$ holds.

Fig. 1: A two-partite system $P_{XY|UV}$ with inputs $U$, $V$ and outputs $X$, $Y$.

¹ Interestingly, the title of Ekert's celebrated article, "Quantum cryptography based on Bell's theorem", suits much more precisely and might have anticipated in some way the idea of relativistic cryptography based on non-local correlations: Here, the security proof is directly based on Bell's theorem, which is not the case for Ekert's protocol.

In terms of classical resources required to establish them, these categories correspond to no resources at all, shared information, and message transmission, respectively. Of interest for us will be systems that are neither local nor signaling. Communication is required to explain their behavior classically, but for some of them, distributed quantum information is sufficient. Because they are non-signaling, this does not contradict relativity. We give an alternative characterization of locality.
Lemma 1. For any system $P_{XY|UV}$, where $\mathcal{U}$ and $\mathcal{V}$ are the ranges of $U$ and $V$, respectively, the following conditions are equivalent:
1. $P_{XY|UV}$ is local,
2. there exist random variables $X_u$ ($u \in \mathcal{U}$) and $Y_v$ ($v \in \mathcal{V}$) with a joint distribution such that the marginals satisfy $P_{X_u Y_v} = P_{XY|U=u,V=v}$.
Proof. Assume that $P_{XY|UV}$ is local, i.e., $P_{XY|UV} = \sum_i w_i\, P^i_{X|U}\, P^i_{Y|V}$. For $\mathcal{U} = \{u_1, u_2, \ldots, u_m\}$ and $\mathcal{V} = \{v_1, v_2, \ldots, v_n\}$, define
$$P_{X_{u_1} \cdots X_{u_m} Y_{v_1} \cdots Y_{v_n}}(x_1, \ldots, x_m, y_1, \ldots, y_n) := \sum_i w_i\, P^i_{X|U=u_1}(x_1) \cdots P^i_{X|U=u_m}(x_m)\, P^i_{Y|V=v_1}(y_1) \cdots P^i_{Y|V=v_n}(y_n)\,.$$
This distribution has the desired property. The reverse direction is obvious.
Intuitively speaking, we can simply forget about the inputs, and all the alternative outputs can be put under the roof of a single joint distribution (see Figure 2).

Fig. 2: Locality is realism. The box $P_{XY|UV}$ with inputs $u$, $v$ is replaced by the jointly distributed outputs $X_{u_1}, \ldots, X_{u_m}$ and $Y_{v_1}, \ldots, Y_{v_n}$.
Lemma 1 connects locality with so-called realism: All the outputs to the alternative inputs co-exist and can, hence, be pre-selected in a consistent way. We are interested in the contraposition of the statement: As soon as a system behaves non-locally, these classical pieces of information cannot all pre-exist.
1.4 Non-Locality Implies Secrecy
In order to explain this more explicitly, let us consider a specific example of a system, the so-called non-local box.

Definition 2. [23] A non-local box (or NL box for short) is the following two-partite system $P_{XY|UV}$: The random variable $X$ is a random bit, given the pair $(U, V)$, and we have
$$\mathrm{Prob}[X \oplus Y = U \cdot V] = 1\,. \qquad (1)$$

Bell's theorem states that this system is indeed non-local. More precisely, any system that behaves like an NL box with probability greater than 75% is non-local. Interestingly, quantum states achieve roughly 85%.

Theorem 1. (John Bell, 1964 [3].) Any system that behaves like an NL box with probability > 75% for random inputs is non-local.
Proof. Lemma 1 states that a system is local only if alternative outputs (i.e., outputs to alternative inputs) consistently co-exist. In the case of the NL box, this corresponds to a joint distribution of four bits $P_{X_0 X_1 Y_0 Y_1}$ such that $\mathrm{Prob}[X_0 = Y_0] = \mathrm{Prob}[X_0 = Y_1] = \mathrm{Prob}[X_1 = Y_0] = 1$ and $\mathrm{Prob}[X_1 \neq Y_1] = 1$ hold. These conditions are contradictory: Only three out of the four can be satisfied at a time.
Note that although in terms of classical resources, the behavior of an NL box can be explained by message transmission only, the system is actually non-signaling: $X$ and $Y$ separately are perfectly random bits and independent of the input pair. On the other hand, a system $P_{XY|UV}$ (where all variables are bits) satisfying (1) is non-signaling only if the outputs are completely unbiased, given the input pair, i.e., $P_{X|U=u,V=v}(0) = P_{Y|U=u,V=v}(0) = 1/2$. In other words, the output bit cannot be pre-determined, not even slightly biased. The outputs are, hence, perfectly random and the randomness must have been generated after input reception. This is what we can make use of for key agreement: Assume that Alice and Bob share any kind of physical system, carry out space-like separated measurements (hereby excluding message transmission), and measure data having the statistics of an NL box. (In order to test this, they exchange all the input bits and some randomly chosen outputs.) The resulting data are then perfectly secret bits, because even conditioned on an adversary's complete information, the correlation between Alice and Bob must be non-signaling!
Unfortunately, however, perfect NL boxes do not exist in nature: Quantum physics is non-local, but not maximally². Can we still obtain virtually secret bits from weaker, quantum-physically achievable, non-locality? Barrett, Hardy, and Kent [2] have shown that the answer is yes; but their protocol is inefficient: In order to reduce the probability that the adversary learns a generated bit shared by Alice and Bob below ε, they have to communicate Θ(1/ε) Qbits. Barrett et al.'s protocol and its analysis are based on a type of non-locality different from the one modeled by the NL box (the latter is typically referred to as CHSH [8] non-locality).
Masanes and Winter [20] proposed to use a number of 85%-approximations to the NL box (this is achievable with so-called singlets, i.e., maximally entangled Qbit pairs). Indeed, any, even weak, non-locality implies some secrecy, but no perfect secrecy in general. In order to illustrate this, consider a system approximating an NL box with probability $1 - \varepsilon$ for all inputs. More precisely, we have
$$\mathrm{Prob}[X \oplus Y = U \cdot V \,|\, U = u, V = v] = 1 - \varepsilon \qquad (2)$$
for all $(u, v) \in \{0, 1\}^2$. Then, what is the maximal possible bias $p := \mathrm{Prob}[X = 0 \,|\, U = 0, V = 0]$ such that the system is non-signaling?

  u | P_{X|U=u,V=v}(0) | P_{Y|U=u,V=v}(0) | v
  --+------------------+------------------+--
  0 |   p              |   ≥ p − ε        | 0
  0 |   p              |   ≥ p − ε        | 1
  1 |   ≥ p − 2ε       |   ≥ p − ε        | 0
  1 |   ≥ p − 2ε       |   ≥ p − ε        | 1

We explain the table: Because of (2), the bias of $Y$, given $U = V = 0$, must be at least $p - \varepsilon$. Because of non-signaling, $X$'s bias must be $p$ as well when $V = 1$, and so on. Finally, condition (2) for $U = V = 1$ implies $p - \varepsilon \leq (1 - (p - 2\varepsilon)) + \varepsilon$, hence $p \leq 1/2 + 2\varepsilon$. For any $\varepsilon < 1/4$, this is a non-trivial bound. (This reflects the fact that $\varepsilon = 1/4$ is the local limit, as we have seen in the proof of Bell's theorem.) If we apply this, conditioned on Eve's knowledge, we obtain a lower bound on her uncertainty which is the better the stronger the non-locality is. (A special case is what we have seen above already: maximal CHSH non-locality leads to perfect secrecy.)

² It is a fundamental question, studied by many researchers, why this is the case. Is there a classical significance to the 85%-bound?
Masanes and Winter's idea was to apply privacy amplification, a concept well-known from classical [13], [4] and quantum [16] cryptography, to increase secrecy. In order to achieve this, they made some additional assumptions, such as a short secret key. The resulting secrecy is thus not satisfactory.

In [14] it has been pessimistically argued that privacy amplification of no-signaling secrecy is impossible, the problem being that certain collective attacks exist that leave the adversary with significant information about the final key, however it is obtained from the raw key. This result suggests that the protocol of Barrett, Hardy, and Kent might be optimal.
Fortunately, the situation changes completely when one considers space-like separation of measurement events even within Alice's as well as Bob's laboratories. In [19], Masanes has shown that in that case privacy amplification is possible in principle. However, his privacy amplification protocol needs an exponential number of communicated bits and is therefore not realizable in practice.

We show here that in that case it is possible to apply the usual privacy-amplification techniques using a set of two-universal hash functions, and we give a protocol which is efficient both in terms of classical and quantum communication.
1.5 Our Result: Efficient Relativistic Key Agreement
We show that there exists a protocol for efficiently generating a virtually secret key, where this secrecy can be derived from the no-signaling postulate only. The protocol consists of measuring $n$ copies of a maximally entangled state, where all $2n$ measurement events are supposed to be space-like separated.

Main Result. There exists a key-agreement protocol the security of which is solely based on the impossibility of superluminal signaling, and where the adversary's entire information about the resulting key is $2^{-\Omega(C)}$ if $C$ is the protocol's communication complexity.

Note that this protocol is secure against the most general, so-called coherent, attacks and even if the adversary is post-quantum, i.e., not limited by the laws of quantum physics. The resulting security is universally composable. It is of practical significance that it is device-independent as well: Secrecy is implied by the observed correlations alone, and no assumptions on what happens within the devices are necessary; their manufacturer need not be trusted. Moreover, a certain amount of noise can be tolerated: Our scheme has a positive key-generation rate as soon as the correlations approximate NL boxes with an accuracy exceeding 80% and the output bits are correlated with more than 99% when Alice and Bob both choose to measure in the first basis (see Figure 3).

Fig. 3: The parameter regions for which key agreement is possible (red), reachable by quantum mechanics (blue) and their intersection (green). The first parameter, ε, is the probability to violate the CHSH condition for uniform inputs; the second is the probability not to have the same output bits on input (0, 0).
2 The Model and the General Attack
When Alice, Bob, and Eve carry out measurements on a (joint) physical system, they can choose their measurement settings and receive their respective outcomes. It is, therefore, natural to model the situation by a three-partite input-output system, characterized by a conditional distribution $P_{XYZ|UVW}$. This system could, for example, be realized by an entangled quantum state. The question we study in the following is: Interacting with their respective parts of the system, can Alice and Bob agree on a common string that is unknown to Eve? More specifically, this confidentiality should be a direct consequence only of the fact that all measurement events carried out by Alice and Bob are space-like separated.
Abstractly, we can model the tripartite system by a box which takes three inputs (one each for Alice, Bob and Eve, corresponding to their choice of measurement) and gives three outputs (the measurement results). This box is fully characterized by a tri-partite conditional probability distribution:

(Box diagram: Alice's interface with input $U$ and output $X$, Eve's interface with input $W$ and output $Z$, Bob's interface with input $V$ and output $Y$) $:= P_{XYZ|UVW}$

If Alice's, Bob's, and Eve's measurement events are space-like separated, then, according to relativity theory, the resulting system must be non-signaling: the input/output behavior of one side tells nothing about the input on the other side(s) (and also, dividing the ends of the box into any two subsets, the input/output behavior of one subset tells nothing about the input of the other).
Condition 1 ([2]). The system $P_{XYZ|UVW}$ must not allow for superluminal signaling:
$$\sum_x P_{XYZ|UVW}(x, y, z, u, v, w) = \sum_x P_{XYZ|UVW}(x, y, z, u', v, w)$$
$$\sum_y P_{XYZ|UVW}(x, y, z, u, v, w) = \sum_y P_{XYZ|UVW}(x, y, z, u, v', w) \qquad (3)$$
$$\sum_z P_{XYZ|UVW}(x, y, z, u, v, w) = \sum_z P_{XYZ|UVW}(x, y, z, u, v, w')$$
If a system is non-signaling between its interfaces, this also means that its marginal systems are well-defined: What happens at one of the interfaces does not depend on any other input. This implies that at all the interfaces, an output can always be provided immediately after the input has been given.

We require Condition 1 to hold even when the inputs and outputs do not actually occur in a space-like separated way. This corresponds to the assumption that Alice and Bob have secure laboratories [2]. It is clear that no secure key can be established if this key is sent to the eavesdropper from Alice's laboratory. The non-signaling condition can be seen as the requirement that no information leaks from Alice's and Bob's laboratories that is not supposed to. Another way of interpreting Condition 1 is that the set of possible inputs (measurements) of Eve does not change in time [2]; Eve can only use side information to choose the best measurement.

On the other hand, we do allow Eve to delay her choice of input (measurement) until all of Alice's and Bob's communication is finished; in particular, Eve knows Alice's and Bob's protocol, could get to know Alice's and/or Bob's inputs, can hear later communication between Alice and Bob, and can adapt her strategy. From now on, we assume without loss of generality that Alice's bit will form the raw key and that the input was the all-zero input. Similar statements for the other cases follow by symmetry.
We can reduce this tri-partite scenario to a bi-partite one: Because Eve cannot signal to Alice and Bob (even together) by her choice of input, we must have
$$\sum_z P_{XYZ|UVW}(x, y, z, u, v, w) = \sum_z P_{XYZ|UVW}(x, y, z, u, v, w') := P_{XY|UV}(x, y, u, v)$$
and this is exactly the marginal box as seen by Alice and Bob. We can therefore see Eve's input as a choice of convex decomposition of Alice's and Bob's box and her output as indicating one part of the decomposition. Informally, writing $AB$ for Alice's and Bob's box and $AB_{z}$ for the part of it indicated by Eve's output $z$, we can write
$$AB = p(z_0|w)\, AB_{z_0} + p(z_1|w)\, AB_{z_1} + \ldots$$
and this also covers all possibilities available to Eve. Formally, we define:
Definition 3. A box partition of a given box $P_{XY|UV}$ is a family of pairs $(p^z, P^z_{XY|UV})$, where $p^z$ is a weight and $P^z_{XY|UV}$ is a box, such that
$$P_{XY|UV} = \sum_z p^z\, P^z_{XY|UV}\,. \qquad (4)$$
And we describe Eve's possibilities as:

Lemma 2. For any given tri-partite box $P_{XYZ|UVW}$, any input $w$ induces a box partition parametrized by $z$: $p^z := p(z|w)$, $P^z_{XY|UV} := P_{XY|UV, Z=z, W=w}$.

Lemma 3. Given a bi-partite box $P_{XY|UV}$, let $\mathcal{W}$ be the set of all box partitions, $\mathcal{W} = \{(p^z, P^z_{XY|UV})\}$. Then the tri-partite box, where the input $w$ is a box partition, defined by $P_{XYZ|UV, W=w}(z) := p^z\, P^z_{XY|UV}$, is non-signaling and has marginal box $P_{XY|UV}$.

The condition that even Alice and Eve together must not be able to signal to Bob, and vice versa, means that the conditional boxes $P^z_{XY|UV}$ must also be non-signaling between Alice and Bob.

Note that the $P^z_{XY|UV}$ describe the behavior of Alice's and Bob's system from Eve's viewpoint. In particular, biases in the output distributions correspond to knowledge she has.
3 The Case of a Single Box
Let us take a closer look at the case where the system Alice and Bob share is an NL box. This means that $U, V, X, Y$ are bits such that $X \oplus Y = U \cdot V$ and the system is non-signaling. It is easy to see that the only possible box partition of the NL box is the trivial one, which means that Eve can get no information whatsoever about Alice's output bit even if she knows the inputs, because the output bits of the NL box need to be unbiased. Alice and Bob can then announce their input bits; if they were $(1, 1)$, Bob flips his bit, and they share a perfectly secure key bit.

In case Alice and Bob share an imperfect NL box, one that fulfills $P(X \oplus Y = U \cdot V) = 1 - \varepsilon$ for uniform inputs, Eve can get some knowledge depending on $\varepsilon$, but the probability that she knows one of the outputs is limited by $4\varepsilon$ (assuming she gets to know the input).
If Eve has an end of a box taking input $W$ and giving output $Z$, and Alice has a bit-string $S$, then we measure Eve's knowledge by the distinguishing advantage between the real situation, i.e., $P_{S,Z|W}$, and the ideal situation $P_U \times P_{Z|W}$ (Alice's string is uniformly distributed and completely independent of Eve's system). This definition implies that the resulting security is universally composable.
Definition 4. The distinguishing advantage from independent uniformity of a random variable $S$ given a box $E$ taking input $W$ and giving output $Z$ is
$$\delta(P_{S,E}, P_U \times P_E) = \frac{1}{2} \sum_s \max_{w(s)} \sum_z \left| P_{S,Z|W=w}(s, z) - P_U \cdot P_{Z|W=w}(z) \right|,$$
where $w := w(s)$ is chosen such as to maximize this quantity and $P_U := 1/|\mathcal{S}|$.
In our case, we will show that this holds for the box $E$ which takes as input $W$ and gives as output $Z$ and all other information that Eve possibly knows, such as $U$, $V$, the information communicated in the information reconciliation phase, etc. We will write $E := (Z, U = u, V = v \,|\, W)$ for this box. Further, let us emphasize the following here: the set of allowed box partitions $\mathcal{W}$ only depends on the probability distribution $P_{XY|UV}$ and does not depend on the value that $X$ (or even $Y$, $U$ or $V$) has taken. So what we will show is actually something stronger than what is required by the definition: no matter what the value of $s$, for all $w$, the distinguishing advantage is small. (Which choice of $W$ is the best one might, however, depend on the side information and on how the key is obtained from the outputs.)
Lemma 4. Assume a non-signaling probability distribution $P_{XYZ|UVW}$ such that the marginal $P_{XY|UV}$ is a non-local box with $P(X \oplus Y = U \cdot V) = 1 - \varepsilon$ for uniform inputs. Then the distance from uniform independent of the output bit $X$ given $E := (Z, U = u, V = v \,|\, W)$ is at most $\frac{1}{2} \cdot 4\varepsilon$.

Proof. First we generalize the table from Section 1.4 to the case where $P(X \oplus Y = U \cdot V) = 1 - \varepsilon$ on average for uniform inputs (and not necessarily for every single input). In that case, the maximal probability that $X = x$ for a certain input is still $1/2 + 2\varepsilon$. Let $\varepsilon^z$ denote the average probability that $X \oplus Y = U \cdot V$ fails to hold for the box given $Z = z$. Because this box must still be non-signaling, the bias of $X$ given $Z = z$, $U = u$ and $V = v$ is at most $\frac{1}{2} \cdot 4\varepsilon^z$ by the above argument. However, because $P_{XY|UV} = \sum_z p^z\, P^z_{XY|UV}$, we also have
$$\varepsilon = \sum_z p^z\, \varepsilon^z$$
and, therefore, the distance from uniform independent of $X$ given $E := (Z, U = u, V = v \,|\, W)$ is at most
$$\frac{1}{2} \sum_z p^z \cdot 4\varepsilon^z = \frac{1}{2} \cdot 4\varepsilon\,.$$
It can be shown that for a fixed guessing probability, the best type of knowledge Eve can have is provided by a binary erasure channel [26]; it is, therefore, the best thing for Eve to choose a box partition with $Z \in \{0, 1, \perp\}$, $P(X = 0 \,|\, Z = 0) = P(X = 1 \,|\, Z = 1) = 1$, and $P(X = 0 \,|\, Z = \perp) = 1/2$ for a certain input pair $u, v$. However, the probability that she obtains 0 or 1 is limited as follows.
Lemma 5. Assume a non-signaling probability distribution $P_{XY|UV}$ with binary inputs and outputs such that $P(X \oplus Y = U \cdot V) = 1 - \varepsilon$ for uniform inputs, and a box partition such that $Z \in \{0, 1, \perp\}$ and $P(X = 0 \,|\, Z = 0) = P(X = 1 \,|\, Z = 1) = 1$ and $P(X = 0 \,|\, Z = \perp) = 1/2$ for the input $u, v$. Then
$$\sum_{z \in \{0, 1\}} p^z \leq 4\varepsilon\,.$$

Proof. Assume $\sum_{z \in \{0, 1\}} p^z > 4\varepsilon$. Then the distance from uniform independent of $X$ given $E := (Z, U = u, V = v \,|\, W)$ is larger than $\frac{1}{2} \cdot 4\varepsilon$, which contradicts Lemma 4.

Note that there exists a box partition which reaches this bound, and that it can be found through a straightforward maximization.
Systems $P_{XY|UV}$ that approximate an NL box with error $\varepsilon \in [0, 0.25)$ are non-local. We see that for any non-local box, Eve cannot obtain perfect knowledge about Alice's output bit, and the box, therefore, contains some secrecy.
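The arguments of Sections 1.3, 1.4 and 3 worked through in code (an added example, not from the paper): it checks non-signaling, recovers the 3/4 bound of Theorem 1 by enumerating the 16 local deterministic strategies, builds a box that meets the bias bound 1/2 + 2ε with equality, and constructs the binary-erasure box partition of Lemma 5 whose weight on Z ∈ {0, 1} is exactly 4ε. The box representation, the function names and the two constructed boxes are this example's own assumptions.

```python
from fractions import Fraction as F
from itertools import product

# A bipartite box P_{XY|UV} with binary inputs and outputs is stored as
# box[(u, v)][(x, y)] = Prob[X=x, Y=y | U=u, V=v], using exact Fractions.
BITS = (0, 1)
PAIRS = tuple(product(BITS, BITS))


def marginal_x(box, u, v, x):
    """P_{X|U=u,V=v}(x): sum the joint distribution over Bob's output."""
    return sum(box[(u, v)][(x, y)] for y in BITS)


def marginal_y(box, u, v, y):
    """P_{Y|U=u,V=v}(y): sum the joint distribution over Alice's output."""
    return sum(box[(u, v)][(x, y)] for x in BITS)


def is_non_signaling(box):
    """Condition (3) for two parties: Alice's marginal must not depend on v
    and Bob's marginal must not depend on u."""
    return (all(marginal_x(box, u, 0, x) == marginal_x(box, u, 1, x) for u, x in PAIRS)
            and all(marginal_y(box, 0, v, y) == marginal_y(box, 1, v, y) for v, y in PAIRS))


def chsh_success(box, u, v):
    """Prob[X xor Y = U and V | U=u, V=v], the CHSH condition of (1) and (2)."""
    return sum(p for (x, y), p in box[(u, v)].items() if x ^ y == u & v)


def chsh_average(box):
    """CHSH success probability for uniformly random inputs, i.e. 1 - eps."""
    return sum(chsh_success(box, u, v) for u, v in PAIRS) / 4


def deterministic_box(x0, x1, y0, y1):
    """Local deterministic strategy: Alice answers x_u, Bob answers y_v
    (pre-existing outputs in the sense of Lemma 1)."""
    return {(u, v): {(x, y): F(int(x == (x0, x1)[u] and y == (y0, y1)[v]))
                     for x, y in PAIRS} for u, v in PAIRS}


def max_local_chsh():
    """Theorem 1 by exhaustion: the best of the 16 local deterministic
    strategies wins CHSH with probability 3/4; every local box is a mixture
    of them (Definition 1), so no local box does better."""
    return max(chsh_average(deterministic_box(*s)) for s in product(BITS, repeat=4))


def pr_box():
    """The NL box of Definition 2: X uniform and X xor Y = U and V always."""
    return {(u, v): {(x, y): F(1, 2) if x ^ y == u & v else F(0)
                     for x, y in PAIRS} for u, v in PAIRS}


def mix(parts):
    """Recombine a box partition [(p^z, P^z), ...]: sum_z p^z P^z, Eq. (4)."""
    return {uv: {xy: sum(p * b[uv][xy] for p, b in parts) for xy in PAIRS}
            for uv in PAIRS}


def bias_bound(eps):
    """Section 1.4: a non-signaling box with CHSH error eps on every input
    has Prob[X=0|U=0,V=0] <= 1/2 + 2*eps."""
    return F(1, 2) + 2 * F(eps)


def extremal_biased_box(eps):
    """Constructed box (an assumption of this example) meeting bias_bound with
    equality: non-signaling, CHSH error exactly eps on every input, and
    Prob[X=0|U=0,V=0] = 1/2 + 2*eps.  Needs eps <= 1/4."""
    e, h = F(eps), F(1, 2)
    return {
        (0, 0): {(0, 0): h + e, (0, 1): e, (1, 0): F(0), (1, 1): h - 2 * e},
        (0, 1): {(0, 0): h + e, (0, 1): e, (1, 0): F(0), (1, 1): h - 2 * e},
        (1, 0): {(0, 0): h, (0, 1): F(0), (1, 0): e, (1, 1): h - e},
        (1, 1): {(0, 0): e, (0, 1): h - e, (1, 0): h, (1, 1): F(0)},
    }


def erasure_attack_partition(eps):
    """Constructed binary-erasure box partition (an assumption of this example)
    of a box with CHSH error eps on every input: with weight 1 - 4*eps Eve
    sees the PR box (Z = erasure, X unbiased); with weight eps each she sees
    one of four local strategies that each fail CHSH on exactly one input, so
    X is determined (Z in {0, 1}).  It meets the Lemma 5 bound with equality."""
    e = F(eps)
    local_strategies = [(1, 0, 0, 1), (0, 0, 0, 1), (0, 1, 0, 0), (0, 0, 0, 0)]
    return [(1 - 4 * e, pr_box())] + [(e, deterministic_box(*s)) for s in local_strategies]


def prob_eve_knows_x(parts, u=0, v=0):
    """Total weight of the parts in which X is determined given (u, v), i.e.
    Prob[Z in {0, 1}] for an erasure-type partition (Lemma 5: <= 4*eps)."""
    return sum(p for p, b in parts if any(marginal_x(b, u, v, x) == 1 for x in BITS))


def distance_from_uniform(parts, u=0, v=0):
    """Definition 4 for the fixed input w inducing this partition:
    1/2 * sum_{x,z} |P_{X,Z}(x,z) - P_U(x) P_Z(z)|, P_U = 1/2 (Lemma 4: <= 2*eps)."""
    return sum(abs(p * marginal_x(b, u, v, x) - p * F(1, 2))
               for p, b in parts for x in BITS) / 2
```

With eps = 1/8 the extremal box has bias 3/4, and the erasure partition gives Eve the output bit with probability exactly 4ε = 1/2 while its distance from uniform is 2ε = 1/4, matching Lemmas 4 and 5.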
4 The General Case of Several Boxes: The Gain of Space-Like Separation Between Different Events on Each Side
When Alice and Bob share several systems (which we assume were provided by Eve) they cannot know whether these systems are independent, or whether they just look independent. In fact, each system could really just correspond to one input/output end of a large non-signaling system. We therefore need to assume that Eve will be able to attack the whole big system as one, as given in Figure 4.

Fig. 4: Alice and Bob share $n$ seemingly independent NL boxes, with interfaces $(u_1, x_1), \ldots, (u_n, x_n)$ on Alice's side and $(v_1, y_1), \ldots, (v_n, y_n)$ on Bob's side. Eve, with interface $(w, z)$, can attack all of them at once.
However, even if Alice and Bob only share different ends of a single large system and not independent systems, they can bring the different ends far apart and make the inputs in a space-like separated way. This is possible because we are looking at non-signaling systems and therefore all marginal input/output distributions are well-defined. Providing the inputs and making sure the outputs are given in a space-like separated way assures that the output of the second system on Alice's side cannot depend on her input in the first, etc., i.e., the system must be non-signaling among all $2n$ interfaces by relativity theory³. We call such a system $2n+1$-partite non-signaling. The non-signaling condition between all $2n$ ends then even needs to hold given Eve's output $z$, i.e., $P^z_{XY|UV}$ must not allow for signaling between any of the $n$ NL boxes shared between Alice and Bob. This limits Eve's possible choices of a box partition. It further means that each of the marginal distributions $P_{X_iY_i|U_iV_i}$ is well-defined and, in case $X_i, Y_i, U_i, V_i$ are bits, can be characterized by a probability $1 - \varepsilon_i$ to fulfill the CHSH condition.

³ Instead of measuring in a space-like separated way, Alice and Bob could also ensure the non-signaling condition by placing each of their $n$ systems in a separate shielded laboratory. As we assume that Alice and Bob have a secure laboratory (Condition 1), it seems reasonable to assume that they can also build several secure laboratories.
Fig. 5: The $n$ boxes of Figure 4 with interfaces $(u_i, x_i)$ on Alice's side and $(v_i, y_i)$ on Bob's side; the dashed lines mean space-like separation.
5 The Power of Individual Attacks
Assume now that we are in the situation given in Figure 4. We will show in this section that the probability that Eve knows all of Alice's output bits cannot be made higher by making a coherent attack as opposed to an individual one. We will do this in two steps: First we show that, without loss of generality, we can assume that Eve's output $Z$ gives information of binary erasure type about every single output bit of Alice. Then we will show that the probability to know all outputs of a set $K$ of boxes is limited by the value that can be reached through an individual attack.
Lemma 6. For any box partition $(p^z, P^z_{XY|UV})$ such that the box $P^z_{XY|UV}$ is still non-signaling between all $2n$ input/output pairs, it is possible to define another box partition $(p^{z'}, P^{z'}_{XY|UV})$ with $z' = (z'_1, \ldots, z'_n) \in \{0, 1, \perp\}^n$ where, given $U_i = u_i$, $V_i = v_i$, $Z'_i$ gives binary erasure information about $X_i$, and such that the original box partition can be recovered by forgetting information.
Proof. Because the box $P^z_{XY|UV}$ given outcome $z$ is still non-signaling between all ends, every marginal box $P^z_{X_iY_i|U_iV_i}$ is well-defined and has an associated probability that $X_i \oplus Y_i \neq U_i \cdot V_i$, which we denote by $\varepsilon^z_i$. The situation is therefore the same as before any box partition occurred: $n$ boxes with a certain (now updated) CHSH non-locality are to be partitioned. Start with the first box $P^z_{X_1Y_1|U_1V_1}$; it is either:
- fully non-local, in which case we write $Z'_1 = \perp$;
- fully local, which means that knowing $U_1 = u_1$, $V_1 = v_1$, $X_1$ is completely determined, and we write $Z'_1 \in \{0, 1\}$;
- something in between, in which case we can split it up into a local and a non-local part.
The newly defined box partition now gives binary erasure information about the first box (knowing $U_1 = u_1$, $V_1 = v_1$) and we can continue with the second marginal box. Notice that when continuing with the second box, the first will stay local or non-local, whichever it was at the beginning. We continue until we get binary erasure information about each of the $n$ boxes. All the information that could be obtained from the original box partition $z$ can now be obtained from the finer box partition $z'$ with $Z' \in \{0, 1, \perp\}^n$ (and maybe randomness if the same $Z'$ occurred in different $Z$s) and by forgetting information. □
Remark 1. Note that in case $Z'_i \in \{0, 1\}$ (the box $i$ is completely local) it is actually possible to make an even finer box partition, such that Eve knows exactly which local deterministic strategy has occurred. However, as we are only interested in Alice's outcome $X$, we only write $Z'_i = 0$ or $Z'_i = 1$.

The probability that Eve knows all of Alice's outcomes of a certain set of boxes can be bounded by the following lemma.
Fig. 6: The $n$ boxes of Figure 4 with Eve's interface $(w, z)$. Without loss of generality, we can assume that $Z$ is of the form $Z = (Z_1, \ldots, Z_n) \in \{0, 1, \perp\}^n$, where $Z_i$ gives information about $X_i$.
Lemma 7. Assume a $(2n+1)$-partite non-signaling probability distribution $P_{XYZ|UVW}$ such that the marginal $P_{XY|UV}$ corresponds to $n$ non-local boxes each with an associated error $\varepsilon_i$ and consider a box partition induced by an input $w$ such that $Z = (Z_1, \ldots, Z_n)$ with $Z_i$ giving binary erasure information about $X_i$ (knowing $U_i = u_i$, $V_i = v_i$). Then for every subset $K$ of boxes the probability that $Z$ gives information about all the $X_i$ in the set is bounded by
$$\sum_{\{z \mid \forall i \in K:\ z_i \in \{0,1\}\}} p_z \;\le\; \prod_{i \in K} (4\varepsilon_i), \qquad (5)$$
where $p_z$ are the probabilities associated with the output $z$.
Remark 2. In case all boxes have the same non-locality $\varepsilon$, this means that for every subset of size $k$, $P(z_i \in \{0,1\}\ \forall i \in K) \le (4\varepsilon)^k$.
Proof. The probability that all of the $k$ boxes in the set do not fulfill the CHSH condition (i.e. $X_i \oplus Y_i \neq U_i \cdot V_i$ for all $i \in K$) is $\prod_{i \in K} \varepsilon_i$ (and cannot be changed by the choice of box partition $W$ because of the non-signaling condition). By Lemma 6, the box given $Z_i \in \{0,1\}$ is local, and therefore can at most fulfill the CHSH condition with probability $3/4$. This means that the probability to never fulfill the CHSH condition given $Z_i \in \{0,1\}$ for all $i$ is lower-bounded by $P_{X_i \oplus Y_i \neq U_iV_i\ \forall i \mid z_i \in \{0,1\}\ \forall i} \ge (1/4)^k$. The box given $Z_i = \Delta$ is completely non-local and therefore always fulfills the CHSH condition. This means
$$P_{X_i \oplus Y_i \neq U_iV_i\ \forall i} \;=\; P_{Z_i \in \{0,1\}\ \forall i} \cdot P_{X_i \oplus Y_i \neq U_iV_i\ \forall i \mid Z_i \in \{0,1\}\ \forall i} \;=\; \prod_i \varepsilon_i$$
and therefore $P(Z_i \in \{0,1\}\ \forall i) \le \prod_i (4\varepsilon_i)$.
From now on we will only consider $(2n+1)$-partite non-signaling systems $P_{XYZ|UVW}$ such that the marginal $P_{XY|UV}$ corresponds to $n$ non-local boxes with error $\varepsilon_i$ and such that $\bar\varepsilon := \frac{1}{n}\sum_i \varepsilon_i$. Further, w.l.o.g. we only consider box partitions induced by an input $W$ such that the output is such that $Z = (Z_1, \ldots, Z_n)$ with $Z_i$ giving binary erasure information about $X_i$.
Lemma 8. Equality can be reached by an individual attack.
This is a direct consequence of the attack on a single box.
This means that if Alice takes the XOR of all the outcomes of her boxes, then Eve knows almost nothing
about this bit, as stated in the following Lemma 9.
Lemma 9. The distinguishing advantage from independent uniformity of $\mathrm{XOR}(X_i)$ given $E := (Z, U = u, V = v \mid W)$ is at most
$$d\bigl(P_{\mathrm{XOR}(X_i),E},\, P_U \times P_E\bigr) \;\le\; \frac{1}{2}\,(4\bar\varepsilon)^n.$$
Proof. Follows from Lemma 7 and the fact that $\prod_i (4\varepsilon_i)$ for a given average $\bar\varepsilon$ is maximized when $\varepsilon_i = \bar\varepsilon$ for all $i$.
Alice can therefore create a bit from her output bits which is highly secret from Eve. But the problem is that Bob might not have the same bit as Alice, and they can therefore not use this bit as a key. In fact, Alice and Bob have correlated output bits, but not perfectly correlated output bits. They therefore need to do information reconciliation, to obtain a highly correlated bit-string, before doing privacy amplification. Eve can hear the information exchanged between Alice and Bob over the public but authentic channel, and she can use it to correct missing information or to choose a better box partition. The question is therefore whether the best attack Eve can do is still an individual attack. It is possible to give an example which shows that this is in general not the case; however, Lemma 7 does give us a limit on the knowledge an adversary can possibly reach.
6 Information Reconciliation / Error Correction
Alice and Bob use a two-universal hash function [7] from $n$ to $m$ bits to correct the errors in their raw key [6]. They randomly choose an $m \times n$ matrix $A$ with coefficients in $GF(2)$ and such that for every entry $p(0) = p(1) = 1/2$. Then Alice calculates $A \cdot x$ (where $x$ is her raw key and we write $\cdot$ for the multiplication over $GF(2)$) and sends it to Bob over the classical authentic channel.
Example: a random $4 \times 7$ matrix $A$ over $GF(2)$ (one of its rows being $0\ 0\ 1\ 0\ 1\ 1\ 0$), applied to the raw key $x = (0,1,1,0,1,0,0)^T$, gives $A \cdot x = (0,1,1,0)^T$.
We need a result from [7] about two-universal sets of hash functions.
Theorem 2 ([7]). The set of functions $f_A(x) := A \cdot x$, where $A$ is any $m \times n$-matrix over $GF(2)$, is two-universal.
In the limit of large $n$, $m = n \cdot h(\delta)$, where $\delta$ is the probability that Bob's bit is different from Alice's and $h$ is the binary entropy function, is both necessary and sufficient for Bob to correct the errors in his raw key, as described by the following theorem.
Theorem 3 ([6]). Suppose an $n$-bit string $x$ and another $n$-bit string $y$ obtained by sending $x$ over a binary symmetric channel with error parameter $\delta$. Assume the function $f: \{0,1\}^n \to \{0,1\}^m$ is chosen at random amongst a set of two-universal functions. Choose $y'$ such that $d_H(y, y')$ is minimal among all strings $r$ with $f(r) = f(x)$. Then
$$P_{x = y'} \;\ge\; 1 - e^{\,2\,(n\,h(\delta + \varepsilon') - m)} + \frac{(\log n)^2\,(1)}{n}.$$
This shows that for $n \to \infty$ and $m = n \cdot h(\delta)$ the protocol is $\varepsilon'$-correct for any $\varepsilon' > 0$.
Remark 3. There is no known efficient (in terms of computation) decoding algorithm for the above information reconciliation scheme. However, there exists an interactive scheme, where Alice and Bob leak an arbitrarily small amount of additional information, which is efficient. We expect that it should be possible to change our protocol so as to use this efficient scheme.
7 Privacy Amplification
To do privacy amplification Alice and Bob proceed exactly the same way as for the information reconciliation: they choose a random $s \times n$-matrix $B$, and $B \cdot x$ is the secret key of length $s$. Every key bit is therefore given by $b \cdot x$ with $b$ a random $n$-bit vector such that $p(0) = p(1) = 1/2$.
To show that this key is secure, we will first show something stronger: every single bit of the key is still secure, even if Eve knows all other key bits (and the information reconciliation). The security of the key string then follows by the triangle inequality. We assume that Eve knows $A' \cdot x$, where $A'$ is a random matrix of size $(m + s - 1) \times n$ that includes both the information reconciliation and the other key bits. Let us now calculate when $b \cdot x$ is still secure.
We will arbitrarily distinguish different cases:
Case 1: from the lines of $A'$ it is possible to form a vector $v$ such that $d_H(v, b) \le k$.
Case 2: from the lines of $A'$ it is not possible to form a vector $v$ such that $d_H(v, b) \le k$.
Now we bound the probabilities of the different situations:
Lemma 10. Assume $m' := m + s - 1$ $n$-bit vectors $a'_i$, $i = 1, \ldots, m'$, are randomly chosen such that $p((a'_i)_j = 0) = p((a'_i)_j = 1) = 1/2$ for all $i, j$. The probability that a linear combination of these random vectors over $GF(2)$ can form a vector with Hamming distance at most $k < n/2$ from another randomly chosen $n$-bit vector $b$ is bounded by
$$P_{A',b}(\text{Case 1}) \;\le\; 2^{m'} \sum_{i \le k} \binom{n}{i}\, 2^{-n} \;\le\; 2^{m'}\, 2^{\,n h(k/n) - n} \;=\; \left(2^{\,m'/n + h(k/n) - 1}\right)^n, \qquad (6)$$
where the probability is taken over the choices of $A'$ and $b$.
Proof. There are at most $2^{m'} - 1$ different non-trivial linear combinations of the $m'$ vectors. Every linear combination (over $GF(2)$) of random $n$-bit vectors will again be a random $n$-bit vector with $p(0) = p(1) = 1/2$. The probability that a random $n$-bit vector $v$ has $d_H(v, b) \le k$ for $k < n/2$ and a certain vector $b$ is bounded by
$$P[\text{random } n\text{-bit vector contains at most } k \text{ 1's}] \;=\; \sum_{i \le k} \binom{n}{i}\, 2^{-n} \;\le\; 2^{\,n h(k/n) - n}. \qquad (7)$$
The probability that the trivial linear combination (the all-zero vector) has Hamming distance less than $k$ from $b$ is exactly the probability that $b$ contains at most $k$ 1's and is again given by (7). We obtain the claim by the union bound.
Let us now also bound the probability that Eve knows the key bit in Case 2: Assume that all of the $2^{m'}$ linear combinations can reach Hamming distance exactly $k$ (for some $k < n/2$) from the vector $b$ (this includes the case that $b$ itself only contains a few 1's, because this is exactly the case when the trivial linear combination of the $m'$ vectors has Hamming distance less than $k$ from $b$).
Lemma 11. Assume $A'$ and $b$ were chosen such that we are in Case 2. Then the distinguishing advantage from independent uniformity of the bit $b \cdot X$ given $E := (Z, A', b, U = u, V = v, A' \cdot X = A' \cdot x \mid W)$ when Case 2 happened is bounded by
$$d\bigl(P_{b \cdot X, E, \text{Case 2}},\, P_U \times P_{E, \text{Case 2}}\bigr) \;\le\; 1/2 \cdot 2^{m'} (4\bar\varepsilon)^k \;=\; 1/2 \left(2^{m'/n} (4\bar\varepsilon)^{k/n}\right)^n. \qquad (8)$$
Remark 4. It is important to notice that our result holds for any box partition w, in particular also for one
that can be adaptively chosen after hearing the information released in the information reconciliation phase.
Proof. From $m'$ random vectors, we can at most form $2^{m'}$ different linear combinations. By assumption, we are in Case 2, that is, each of these linear combinations has Hamming distance larger than $k$ from $b$. This means, for each of the vectors, there is a set $K$ of size at least $k$, such that we must have $z_i \in \{0,1\}$ for all $i \in K$ in order to know $b \cdot x$. The probability $p_z$ of such a $Z$ is bounded by (5). The Lemma follows by the union bound over all of the $2^{m'}$ vectors.
We can finally bound the total probability that Eve knows the key bit in either case.
Lemma 12. The distinguishing advantage from independent uniformity of the bit $b \cdot X$ given $E := (Z, A', b, U = u, V = v, A' \cdot X = A' \cdot x \mid W)$ is bounded by
$$d\bigl(P_{b \cdot X, E},\, P_U \times P_E\bigr) \;\le\; 1/2 \left[ \left(2^{\,m'/n + h(1 - k/n) - 1}\right)^n + \left(2^{m'/n} (4\bar\varepsilon)^{k/n}\right)^n \right].$$
Proof. Follows directly from Lemma 10 and 11 and
$$d\bigl(P_{b \cdot X, E}, P_U \times P_E\bigr) = P(\text{Case 1})\; d\bigl(P_{b \cdot X, E, \text{Case 1}}, P_U \times P_{E, \text{Case 1}}\bigr) + P(\text{Case 2})\; d\bigl(P_{b \cdot X, E, \text{Case 2}}, P_U \times P_{E, \text{Case 2}}\bigr) \le 1/2 \cdot P(\text{Case 1}) + d\bigl(P_{b \cdot X, E, \text{Case 2}}, P_U \times P_{E, \text{Case 2}}\bigr).$$
From Lemma 12 we obtain a bound on the distinguishing advantage from independent uniformity of the
whole bit-string by the triangle inequality.
Lemma 13. The distinguishing advantage from independent uniformity of the bit-string $B \cdot X$ given $E := (Z, A, B, U = u, V = v, A \cdot X = A \cdot x \mid W)$ is bounded by
$$d\bigl(P_{B \cdot X, E},\, P_U \times P_E\bigr) \;\le\; 1/2 \cdot s \left[ \left(2^{\,m'/n + h(1 - k/n) - 1}\right)^n + \left(2^{m'/n} (4\bar\varepsilon)^{k/n}\right)^n \right] \qquad (9)$$
(notice that $P_U$ is given by $1/2^s$).
This shows that for $n \to \infty$ the protocol is $\varepsilon'$-secret for any $\varepsilon' > 0$ whenever there exists a $k/n < 1/2$ such that $m'/n + h(1 - k/n) < 1$ and $2^{h(\delta)} (4\bar\varepsilon)^{k/n} < 1$, and implies the following lemma.
Lemma 14. The above protocol reaches a positive secret key rate whenever
$$\log_{4\bar\varepsilon}\bigl(2^{-h(\delta)}\bigr) < 1/2, \quad \text{and} \qquad (10)$$
$$h(\delta) + h\Bigl(\log_{4\bar\varepsilon}\bigl(2^{-h(\delta)}\bigr)\Bigr) < 1. \qquad (11)$$
Remark 5. In our scheme Alice and Bob choose the matrices $A$, $B$ used for information reconciliation and privacy amplification at random after they have measured the boxes. Alternatively they could use a fixed function, but apply a (common) random permutation to their raw bit string after measurement.
8 Key Generation Protocol in the Quantum Regime
If Alice and Bob share a box which has the same probability to fulfill the CHSH condition for all inputs (as happens, for example, for the quantum system giving the highest violation of the Bell inequality), then $\delta = \bar\varepsilon$ and our protocol does not reach a positive secret key rate in the quantum regime ($\bar\varepsilon \approx 0.15$). However, there exist other boxes which can be made quantum mechanically with lower error probability in the raw key, and Alice and Bob therefore need to do less error correction. $\bar\varepsilon$ for that box, on the other hand, is slightly higher. Alice and Bob therefore choose the following box and generate their raw key only from the outputs when they have given input $(0, 0)$.
The box is given by the following conditional distribution $P_{XY|UV}$, with rows indexed by $(U, X)$ and columns by $(V, Y)$:
$$
\begin{array}{c|cc|cc}
 & V=0,\,Y=0 & V=0,\,Y=1 & V=1,\,Y=0 & V=1,\,Y=1 \\ \hline
U=0,\,X=0 & \tfrac{1}{2}-\tfrac{\delta}{2} & \tfrac{\delta}{2} & \tfrac{3}{8}-\tfrac{\varepsilon}{2} & \tfrac{1}{8}+\tfrac{\varepsilon}{2} \\
U=0,\,X=1 & \tfrac{\delta}{2} & \tfrac{1}{2}-\tfrac{\delta}{2} & \tfrac{1}{8}+\tfrac{\varepsilon}{2} & \tfrac{3}{8}-\tfrac{\varepsilon}{2} \\ \hline
U=1,\,X=0 & \tfrac{3}{8}-\tfrac{\varepsilon}{2} & \tfrac{1}{8}+\tfrac{\varepsilon}{2} & \tfrac{1}{8}+\tfrac{\varepsilon}{2} & \tfrac{3}{8}-\tfrac{\varepsilon}{2} \\
U=1,\,X=1 & \tfrac{1}{8}+\tfrac{\varepsilon}{2} & \tfrac{3}{8}-\tfrac{\varepsilon}{2} & \tfrac{3}{8}-\tfrac{\varepsilon}{2} & \tfrac{1}{8}+\tfrac{\varepsilon}{2}
\end{array} \qquad (12)
$$
Note that this distribution can be achieved (even for $\varepsilon, \delta = 0$) by measuring a singlet state (see Section 9). We have introduced $\varepsilon$ and $\delta$ to allow for noise in the state and/or measurement. In a noiseless setting Alice and Bob will have perfectly correlated bits (and therefore wouldn't need to do any error correction) and the probability of the box to violate the CHSH condition would be $\bar\varepsilon = 0.1875$ (and this is also the parameter which limits Eve's knowledge). Including noise, $\bar\varepsilon = 0.2$ and $\delta = 0.01$ are parameters which can be attained in the quantum regime and which yield a positive secret key rate. The whole parameter region is characterized in Figure 3.
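As an added illustration (not the paper's own code), the following Python builds the box (12) for given noise parameters, checks that it is non-signaling, computes $\bar\varepsilon$ and $\delta$ from it, and evaluates conditions (10) and (11) of Lemma 14 together with the finite-$n$ bound (9); all function names are this example's own.

```python
from itertools import product
from math import log2

def h(p):
    """Binary entropy in bits, with h(0) = h(1) = 0."""
    return 0.0 if p <= 0.0 or p >= 1.0 else -p * log2(p) - (1 - p) * log2(1 - p)

def box_12(eps, delta):
    """The box of (12): maps (u, v, x, y) to P(X=x, Y=y | U=u, V=v).
    Rows are indexed by (u, x), columns by (v, y), as in the paper's table."""
    c, d = 0.5 - delta / 2, delta / 2          # the (0,0) input: correlated up to delta
    a, b = 3 / 8 - eps / 2, 1 / 8 + eps / 2    # the three CHSH inputs
    rows = {(0, 0): [c, d, a, b], (0, 1): [d, c, b, a],
            (1, 0): [a, b, b, a], (1, 1): [b, a, a, b]}
    return {(u, v, x, y): rows[(u, x)][2 * v + y]
            for u, v, x, y in product((0, 1), repeat=4)}

def is_non_signaling(P, tol=1e-12):
    """Alice's marginal may not depend on Bob's input v, and vice versa."""
    for u, x in product((0, 1), repeat=2):
        if abs(sum(P[(u, 0, x, y)] for y in (0, 1)) - sum(P[(u, 1, x, y)] for y in (0, 1))) > tol:
            return False
    for v, y in product((0, 1), repeat=2):
        if abs(sum(P[(0, v, x, y)] for x in (0, 1)) - sum(P[(1, v, x, y)] for x in (0, 1))) > tol:
            return False
    return True

def chsh_error(P):
    """eps_bar: the probability, averaged over the four inputs, that X xor Y != U and V."""
    fails = [P[(u, v, x, y)] for u, v, x, y in product((0, 1), repeat=4) if (x ^ y) != (u & v)]
    return sum(fails) / 4

def raw_key_error(P):
    """delta: P[X != Y | U = V = 0], the error Bob must correct in the raw key."""
    return P[(0, 0, 0, 1)] + P[(0, 0, 1, 0)]

def positive_rate(eps_bar, delta):
    """Lemma 14: returns (conditions (10) and (11) hold, kappa) with
    kappa = log_{4 eps_bar}(2^{-h(delta)}) = h(delta) / log2(1 / (4 eps_bar))."""
    if 4 * eps_bar >= 1:                # no non-locality left to work with
        return False, float("inf")
    kappa = h(delta) / log2(1 / (4 * eps_bar))
    return kappa < 0.5 and h(delta) + h(kappa) < 1, kappa

def secrecy_bound(n, m_prime, s, k, eps_bar):
    """Right-hand side of (9): Eve's distinguishing advantage for an s-bit key at finite n."""
    t1 = (2 ** (m_prime / n + h(1 - k / n) - 1)) ** n
    t2 = (2 ** (m_prime / n) * (4 * eps_bar) ** (k / n)) ** n
    return 0.5 * s * (t1 + t2)
```

For the noiseless box the script returns $\bar\varepsilon = 0.1875$ and $\delta = 0$, and for $(\bar\varepsilon, \delta) = (0.2, 0.01)$ both conditions of Lemma 14 hold, while the symmetric quantum box with $\delta = \bar\varepsilon \approx 0.146$ fails condition (10).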
9 The New Key-Generation Protocol
The following protocol allows for unconditionally secure key agreement based on relativity theory.
Protocol for Relativity-Based Key Agreement
1. Alice creates $n + k$ maximally entangled states $|\psi^-\rangle = \frac{1}{\sqrt{2}}(|01\rangle - |10\rangle)$, for some $k = \Theta(n)$, and sends one qubit of every state to Bob.
2. Alice and Bob randomly measure the $i$th system in either the basis $U_0$ or $U_1$ (for Alice) or $V_0$ and $V_1$ (Bob); the four bases are shown in Figure 2⁴. All the $2(n+k)$ measurement events are pairwise space-like separated.
3. They randomly choose $n$ of the measurement results where both measured $U_0$, $V_0$ to form the raw key.
4. For the remaining $k$ measurements they announce the results over the public authentic channel and estimate the parameters $\bar\varepsilon$ and $\delta$ (see [17], [15]). They also check whether they have obtained roughly the same number of 1's and 0's (for the IR scheme). If the parameters are such that key agreement is possible (Figure 3) they continue; otherwise they abort.
5. Information reconciliation and privacy amplification: Alice randomly chooses an $(m + s) \times n$-matrix $M$ such that $p(0) = p(1) = 1/2$ for all entries and communicates $M$ to Bob over the authentic channel. Then she calculates $M \cdot x$ (where $x$ is Alice's raw key) and communicates the first $m := n \cdot h(\delta)$ bits to Bob. The remaining bits form the secret key.
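As an added, self-contained example (not code from the paper), the following Python implements step 5 with random $GF(2)$ matrices: the syndrome $A \cdot x$ of Section 6, the minimum-distance decoder of Theorem 3 (brute force over $\{0,1\}^n$, so only for toy $n$), the key bits $B \cdot x$ of Section 7, and the Case 1 test and bound (6) of Lemma 10; the function names and the toy sizes are this example's own assumptions.

```python
import random
from itertools import product
from math import comb

def random_matrix(rows, cols, rng):
    """Random rows x cols matrix over GF(2): every entry is 0 or 1 with probability 1/2."""
    return [[rng.randrange(2) for _ in range(cols)] for _ in range(rows)]

def gf2_mul(M, x):
    """M . x over GF(2): each output bit is the parity of the input bits a row selects."""
    return [sum(a & b for a, b in zip(row, x)) % 2 for row in M]

def hamming(a, b):
    return sum(u != v for u, v in zip(a, b))

def reconcile(A, syndrome, y):
    """Decoder of Theorem 3: among all r with A.r = A.x, return the one closest to Bob's y.
    Brute force over {0,1}^n, so only usable for the toy n of this example."""
    best = None
    for r in product((0, 1), repeat=len(y)):
        if gf2_mul(A, r) == syndrome and (best is None or hamming(r, y) < hamming(best, y)):
            best = list(r)
    return best

def bsc(x, delta, rng):
    """Bob's raw key: Alice's x sent through a binary symmetric channel with error delta."""
    return [bit ^ int(rng.random() < delta) for bit in x]

def protocol_step5(x, y, m, s, rng):
    """Step 5: one random (m+s) x n matrix M.  The first m bits of M.x go to Bob for
    information reconciliation (Section 6); the remaining s bits of M.x are the key
    (privacy amplification, Section 7).  Returns (Alice's key, Bob's key, y' == x)."""
    M = random_matrix(m + s, len(x), rng)
    A, B = M[:m], M[m:]
    y_prime = reconcile(A, gf2_mul(A, x), y)   # Bob learns only A and A.x
    return gf2_mul(B, x), gf2_mul(B, y_prime), y_prime == x

def case1(A_prime, b, k):
    """Lemma 10, Case 1: is some linear combination of the rows of A' (the trivial
    all-zero combination included) within Hamming distance k of the key-bit vector b?"""
    for coeffs in product((0, 1), repeat=len(A_prime)):
        v = [0] * len(b)
        for c, row in zip(coeffs, A_prime):
            if c:
                v = [p ^ q for p, q in zip(v, row)]
        if hamming(v, b) <= k:
            return True
    return False

def case1_bound(n, m_prime, k):
    """Right-hand side of (6): 2^{m'} * sum_{i <= k} C(n, i) / 2^n."""
    return 2 ** m_prime * sum(comb(n, i) for i in range(k + 1)) / 2 ** n
```

With the paper's 7-bit raw key $x = (0,1,1,0,1,0,0)$ and a single flipped bit on Bob's side, `reconcile` recovers $x$ whenever the syndrome pins down enough of the coset, and both parties then derive the same $B \cdot x$.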
Theorem 4. The above protocol achieves a positive secret-key-generation rate as soon as the parameter estimation shows an approximation of NL boxes with an accuracy exceeding 80% and a correlation of the outputs on input $(0, 0)$ higher than 99%. There exists an event $A$ with probability $\mathrm{Prob}[A] = 2^{-\Omega(n)}$ such that, given that $A$ does not occur and the protocol is not aborted, Alice and Bob share a common key that is perfectly secret, where this secrecy is based on the sole assumption that signaling faster than light is impossible.
The above protocol also allows for quantum key agreement à la Ekert. Therefore, we have the following.
Corollary 1. The above protocol allows for efficient information-theoretic key agreement if quantum OR relativity theory is correct.
⁴ Alice and Bob will actually select the bases with a bias towards zero, such that in roughly $n + k$ cases they measure $U_0, V_0$, because the raw key will only be formed from these outcomes.
[Figure 7 (diagram): the bases $U_0$, $U_1$ (Alice) and $V_0$, $V_1$ (Bob), drawn with two angles of 30°.]
Fig. 7: Alice's and Bob's measurement bases in the polarization basis.
10 Concluding Remarks and Open Questions
We propose an efficient (both in terms of classical as well as quantum communication) protocol for generating a secret key between two parties connected by a quantum channel. The resulting (classical) key can be proven secret under the sole assumption that the no-signaling postulate of special relativity holds. Practical advantages of such a scheme are that security of quantum key distribution can be made device-independent, and that a certain noise level can be tolerated, which is a feature previously unattained under such assumptions.
The main idea of our protocol is to have space-like separation not only between events happening on Alice's and Bob's side, but also between events in the same laboratory. It is a natural open question whether the space-like-separation conditions can be relaxed. For instance, is it sufficient if they hold on one of the two sides? Or in one direction among the $n$ events on each side? Obviously, the latter would be very easy to guarantee in practice.
References
1. A. Acín, N. Brunner, N. Gisin, S. Massar, S. Pironio, and V. Scarani. Device-independent security of quantum cryptography against collective attacks. Physical Review Letters, 98:230501, 2007.
2. J. Barrett, L. Hardy, and A. Kent. No signalling and quantum key distribution. Physical Review Letters, 95:010503, 2005.
3. J. S. Bell. On the Einstein-Podolsky-Rosen paradox. Physics, 1:195–200, 1964.
4. C. Bennett, G. Brassard, C. Crépeau, and U. Maurer. Generalized privacy amplification. In Proc. 1994 IEEE International Symposium on Information Theory (Abstracts), page 350, 1994.
5. C. H. Bennett and G. Brassard. Quantum cryptography: public key distribution and coin tossing. In Proceedings of International Conference on Computers, Systems and Signal Processing, 1984.
6. G. Brassard and L. Salvail. Secret-key reconciliation by public discussion. In EUROCRYPT '93: Workshop on the theory and application of cryptographic techniques on Advances in cryptology, pages 410–423, 1994.
7. J. L. Carter and M. N. Wegman. Universal classes of hash functions (extended abstract). In STOC '77: Proceedings of the ninth annual ACM symposium on Theory of computing, pages 106–112, 1977.
8. J. F. Clauser, M. A. Horne, A. Shimony, and R. A. Holt. Proposed experiment to test local hidden-variable theories. Physical Review Letters, 23(15):880–884, 1969.
9. I. Csiszár and J. Körner. Broadcast channels with confidential messages. IEEE Transactions on Information Theory, 24(3):339–348, May 1978.
10. S. Dziembowski and U. Maurer. The bare bounded-storage model: The tight bound on the storage requirement for key agreement. IEEE Transactions on Information Theory, 54(6):2790–2792, 2008.
11. A. Einstein, B. Podolsky, and N. Rosen. Can quantum-mechanical description of physical reality be considered complete? Physical Review, 47:777–780, 1935.
12. A. K. Ekert. Quantum cryptography based on Bell's theorem. Physical Review Letters, 67(6):661–663, 1991.
13. J. Håstad, R. Impagliazzo, L. A. Levin, and M. Luby. A pseudorandom generator from any one-way function. SIAM Journal on Computing, 28(4):1364–1396, 1999.
14. E. Hänggi, R. Renner, and S. Wolf. The impossibility of non-signaling privacy amplification. Submitted, 2008.
15. K. Horodecki, M. Horodecki, P. Horodecki, D. Leung, and J. Oppenheim. Quantum key distribution based on private states: unconditional security over untrusted channels with zero quantum capacity, 2006.
16. R. Koenig, U. Maurer, and R. Renner. On the power of quantum memory, 2003.
17. R. Koenig and R. Renner. A de Finetti representation for finite symmetric quantum states. Journal of Mathematical Physics, 46(122108), December 2005. See also http://arxiv.org/abs/quant-ph/0410229.
18. R. Landauer. Irreversibility and heat generation in the computing process. IBM Journal of Research and Development, 5:183, 1961.
19. Ll. Masanes. Universally-composable privacy amplification from causality constraints, 2008.
20. Ll. Masanes and A. Winter. Unconditional security of key distribution from causality constraints, 2006.
21. U. Maurer. A provably-secure strongly-randomized cipher. In Advances in Cryptology – EUROCRYPT '90, volume 473 of Lecture Notes in Computer Science, pages 361–373, 1990.
22. U. Maurer. Conditionally-perfect secrecy and a provably-secure randomized cipher. Journal of Cryptology, 5(1):53–66, 1992.
23. S. Popescu and D. Rohrlich. Quantum nonlocality as an axiom. Foundations of Physics, 24(3):379–385, 1994.
24. R. Renner. Security of quantum key distribution. PhD thesis, Swiss Federal Institute of Technology (ETH) Zurich, 2005. Available at http://arxiv.org/abs/quant-ph/0512258.
25. B. M. Terhal. Is entanglement monogamous? IBM Journal of Research and Development, 48(1):71–78, 2004.
26. S. Wolf. Reducing oblivious string transfer to universal oblivious transfer. In Proceedings of ISIT 2000, page 311, 2000.
27. A. D. Wyner. The wire-tap channel. Bell System Technical Journal, 54(8):1355–1387, 1975.