ebook img

Quantum Information-Flow Security: Noninterference and Access Control PDF

0.24 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Quantum Information-Flow Security: Noninterference and Access Control

Quantum Information-Flow Security: Noninterference and Access Control MingshengYing,YuangFeng and NengkunYu 3 1 0 QCIS,FEIT,UniversityofTechnology,Sydney,Australia 2 and n a TNList,Dept. ofCS,TsinghuaUniversity,China J Email:[email protected],[email protected] 8 2 ] Abstract R C Quantumcryptographyhas been extensivelystudied in the last twenty years, but . information-flowsecurityofquantumcomputingandcommunicationsystemshasbeen s c almost untouched in the previous research. Duo to the essential difference between [ classical and quantum systems, formal methods developed for classical systems, in- cluding probabilistic systems, cannot be directly applied to quantum systems. This 1 v paperdefinesanautomatamodelinwhichwecanrigorouslyreasonaboutinformation- 4 flowsecurityofquantumsystems. ThemodelisaquantumgeneralisationofGoguen 0 andMeseguer’snoninterference. Theunwindingprooftechniqueforquantumnonin- 8 terferenceisdeveloped,andacertaincompositionalityofsecurityforquantumsystems 6 isestablished.Theproposedformalismisthenusedtoprovesecurityofaccesscontrol . 1 inquantumsystems. 0 3 1 1 Introduction : v i X It is well-known that quantum cryptography has a great advantage over its classical coun- r a terpart that the security and ability to detect the presence of eavesdropping are provable, basedontheprinciples ofquantum mechanics. Butithasbeen rarelynoticed thatquantum computing and communication systems also face a new security challenge that would not ariseinclassicalsystems: entanglementisindispensable inquantumcomputationandcom- munication, butinformation leakage can becaused byanentanglement (ormoreprecisely, a computational mechanism that can generate an entanglement, e.g. the CNOT gate; see Examples 3.1 and 4.1), and thus the Trojan Horse may exploit an entanglement between itselfandauserwithsensitive information asacovertchannel. Information-flowsecuritypoliciesareusuallyenforcedtopreventimproperinformation leakage in classical computing and communication system [20]. A general framework for specifying and analysing information-flow security is the noninterference formalism first introduced byGoguenandMeseguer[7]. Thebasicideaofnoninterference [7]is: 1 “One group of agents, using a certain set of commands, is non-interfering with an- • othergroupofagentsifwhatthefirstgroupdoeswiththosecommandshasnoeffect onwhatthesecond groupcansee.” Then information leakage from agroup of agents to another group of agents isunderstood as interference of the first group with the second group, and security is defined as non- interference of the agents with sensitive information with those malicious agents. In the original formulation [7]of noninterference, its system model isadeterministic automaton. This model has been generalised to a nondeterministic automaton by Sutherland [21] and McCullough [14]andfurthertoaprobabilistic automatonby Grag[9]. This paper aims at extending further the noninterference formalism so that it can be used to reason about information-flow security of quantum systems. A quantum system is in asense a probabilistic system, but the theory of probabilistic noninterference [9]cannot bedirectlyapplied toitduetothefollowingtworeasons: 1. Inaquantum systemaprobability distribution ofoutputs onlyappears afteracertain measurement. Anyobservation about aclassical orprobabilistic system by an agent does not disturb the state of the observed system and thus has no interference with other agents. However, a basic postulate of quantum mechanics stipulates that the only way for acquiring information about a quantum system is quantum measure- ment, which will alter the state of the observed system. Thus, interference between different agentswillbeintroduced duringobservation onquantumsystems. 2. The computational steps of a quantum system are governed by unitary operators or moregenerallysuper-operators, whichareessentiallydifferentfromstochasticmatri- cesthatarecommonlyusedtomodelthedynamicsofprobabilistic systems. Inother words,themathematicaldescriptionofcommandsexecutedbyanagentinaclassical orprobabilistic systemsisdifferent fromthatinaquantum system. To appropriately incorporate quantum features into the noninterference formalism, we de- fineasystem modelintermsofquantum automata[15]. Di Pierro, Hankin and Wiklicky [2] observed that absolute noninterference can hardly ever be achieved in real systems, and thus they proposed a novel notion of approximate noninterference based on a quantitative measure of process behaviour equivalence. The non-appropriateness ofabsolute noninterference is even truer in the quantum case because quantumgatesformacontinuumandnoiseintheirphysicalimplementationisunavoidable. So,wedefineaquantitativeversionofnoninterference(orapproximatenoninterference)for quantum systems,followingDiPierro,HankinandWiklicky[2]. (Anotionofapproximate behaviour equivalence was also adopted by the authors in their work on both classical and quantum processalgebras [26],[24],[25,4].) Themaintechnical contribution ofthispaperare: Unwinding proof technique: Itisoften hardtoestablish noninterference security be- • cause noninterference is defined as a property over sequences of commands of arbi- trary length. A unwinding technique was proposed by Goguen and Meseguer [8], 2 which can prove noninterference by checking only certain single-step conditions. Thistechnique wasgeneralised byRushby[19]andvanderMeyden[22]tothecase of intransitive noninterference. We further generalise this technique and provide a methodforestimatingtheupperboundofinsecurity degreeofquantumsystem. Compositionality of security: A research line on compositionality of security was • initiated by McCullough [14] and recently systemised by Mantel [13], showing that secure components with appropriate interface can be hooked up to form a secure system. As a quantum generalisation of their compositionality theorems, we prove thattheinsecuritydegreeofacomposedquantumsystemdoes notexceedthesumof the insecurity degrees oftheircomponents provided noentanglement existsbetween thosecomponents. As an application of the proposed formalism, we consider access control of quantum data. Theoperatingsystemsofallmoderncomputersinclude certainformofaccesscontrol to protect confidential data. Access control of quantum data will certainly be an important issue in the design of an operating system for future quantum computers. The simplest access control policy is usually defined in terms of access control matrix, which specifies theaccessrightsofagentstoindividualstoragelocations. Aquantumaccesscontrolmatrix ismuch more complicated than itsclassical counterpart due to asubtle difference between classical andquantum information: “1+1 < 2”: Accesstothequantuminformationstoredinacomposite AB systemis • not granted by access tothe information stored in subsystem Aand access to that in subsystem B (seeExample6.1). More precisely, a quantum access control matrix has to specify the access rights of agents not only to individual storage locations but also to different combinations of individual lo- cations. Rushby [19] showed by the unwinding technique that security of access control can be properly interpreted in the noninterference formalism with the Reference Monitor Assumptions. Asaquantum generalisation ofRushby’s result [19], weshow that the inse- curity degree of quantum access control is bounded by a linear function of the degree that theReferenceMonitorAssumptionsaresatisfied. Thepaperisorganisedasfollows. SincethemajorityofComputerSecurityFoundations community mayhavenobackground inquantum computation, webriefly reviewitsbasics includingthemathematicalformalismofthestatespaceanddynamicsofaquantumsystem andquantum measurement inSec.2;formoredetails wereferto[16]. Anotherpurpose of Sec. 2istofixnotationsusedinthelatersections. Theautomatamodelofquantumsystems and a noninterference measure in such a model are introduced in Sec. 3. In Sec. 4, we definethecorenotion-securitydegreeofquantumsystems-intermsofthenoninterference measure, and the unwinding technique for proving security is generalised to the quantum setting. A compositionality theorem for quantum security is established in Sec. 5. The security properties of access control of quantum data are examined in Sec. 6. A brief conclusion is drawn in Sec. 7, including several problems for further research. For the readability, wepostpone alltheproofsoftheoremstotheAppendix. 3 2 Basics of Quantum Theory 2.1 HilbertSpaces According toabasicpostulate ofquantum mechanics, thestatespace ofaquantum system isrepresented byaHilbertspace. Inthispaper,weonlyconsiderfinite-dimensional Hilbert spaces, whichareindeed complex vectorspaces withinnerproduct. Weassume thereader isfamiliarwiththenotionofvectorspaceinLinearAlgebra. Aninnerproductoveravector space isamapping : Csatisfying thefollowingproperties: H h·|·i H×H → 1. ϕϕ 0withequality ifandonlyif ϕ = 0; h | i ≥ | i 2. ϕψ = ψ ϕ ;and ∗ h | i h | i 3. ϕλ ψ +λ ψ =λ ϕψ +λ ϕψ 1 1 2 2 1 1 2 2 h | i h | i h | i for any ϕ , ψ , ψ , ψ and for any λ ,λ C, where C is the field of complex 1 2 1 2 | i | i | i | i ∈ H ∈ numbers, and stands for the conjugate of complex numbers. A vector ψ is called a ∗ | i unit vector if ψ ψ = 1. A pure state of a quantum system is described by a unit vector h | i in its state space. Two vectors ϕ and ψ are said to be orthogonal, written ϕ ψ if | i | i | i⊥| i ϕψ = 0. Afamily ψ n 1 ofunitvectorsiscalledanorthonormal basisof if h | i {| ii}i=−0 H 1. ψ ψ foranyi= j;and i j | i⊥| i 6 2. |ψi = in=−01hψi|ψi|ψiiforall|ψi ∈ H. Inthiscase, Pissaidtoben dimensional,eachelement ψ of canberepresented bya H − | i H column vector ψ = (a ,...,a )T, where a = ψ ψ for 0 i < n, and T stands for 0 n 1 i i | i − h | i ≤ transpose. Example2.1 Quantum bit, or qubit for short, is the quantum counterpart of the bit in classical computation. Thestatespaceofqubitsisthe2 dimensional Hilbertspace − = α0 +β 1 : α,β C . 2 H { | i | i ∈ } Theinnerproductof ψ = α0 +β 1 and ϕ = α 0 +β 1 is ′ ′ | i | i | i | i | i | i ψ ϕ = α α +β β . ∗ ′ ∗ ′ h | i Thevectors 1 0 0 = , 1 = | i 0 | i 1 (cid:18) (cid:19) (cid:18) (cid:19) formanorthonormalbasisof ,calleditscomputationalbasis. Aqubitcanbeinthebasis 2 H states 0 and 1 aswellastheirsuperpositions | i | i α α0 +β 1 = | i | i β (cid:18) (cid:19) 4 where α2+ β 2 = 1,suchas | | | | 1 1 1 + = (0 + 1 ) = , | i √2 | i | i √2 1 (cid:18) (cid:19) 1 1 1 = (0 1 ) = . |−i √2 | i−| i √2 1 (cid:18) − (cid:19) (cid:4) The state space of a composite quantum system is defined to be the tensor product of thestatespacesofitssubsystems. Let beaHilbertspacewith ψ asanorthonormal i ij H {| i} basis for each 1 i n. Then the tensor product of (1 i n)is the Hilbert space i ≤ ≤ H ≤ ≤ with ψ ...ψ asanorthonormal basis,i.e. {| 1j1 njni} n = α ψ ...ψ : Hi { j1...jn| 1j1 njni Oi=1 j1X,...,jn α Cforallj ,...,j j1...jn ∈ 1 n} where ψ ...ψ = ψ ...ψ is the product of basis states ψ ,..., ψ of the subsyst|em1js1. Innpjanrtiicula|r,1ijf1i |=njniforall 1 i n,then n | 1jw1illbe| anbjbnrieviated Hi H ≤ ≤ i=1Hi to n. ⊗ H N Example2.2 The state space of two-qubits is 2, and a two-qubit system can be in a H2⊗ separable statelike 00 , 1+ , anditcanalsobeinanentangled stateliketheEPRpair | i | i 1 β = (00 + 11 ). 00 | i √2 | i | i (cid:4) 2.2 Density Operators We also assume the reader is familiar with the notion of linear operator. If i n 1 is a {| i}i=−0 (fixed) orthonormal basis of an n dimensional Hilbert space , then an operator A on it − H canberepresented by n nmatrixA =(A )wheretheentries A isdefinedby ij ij × n 1 − Ai = A j ji | i | i j=0 X forevery0 i < n. Anoperator Aon issaidtobepositiveif ψ Aψ 0forallstates ≤ H h | | i ≥ ψ . Thetraceofanoperator Aisdefinedtobe | i ∈H tr(A) = ψ Aψ , i i h | | i i X 5 where ψ is an orthonormal basis of . If the operator is represented by an n n i {| i} H × matrixA= (A ),thenitstraceisthesumoftheentriesonthediagonalofA,i.e. tr(A) = ij n A .Amixedstateofaquantum system canbedescribed asadensity operatorwhen i=1 ii itisnotcompletelyknown. Let ψ beafamilyofstatesin . Ifasystemisinstate ψ i i P {| i} H | i withprobability p foreachi,and p = 1,thenthestateofthesystemisrepresented by i i i P ρ= p ψ ψ , i i i | ih | i X where ψ ψ is an operator defined as follows: (ψ ψ )ϕ = ψ ϕ ψ for each i i i i i i | ih | | ih | | i h | i| i ϕ . We say that ρ is a mixed state generated by the ensemble (p , ψ ) of pure i i | i ∈ H { | i } states. A density operator ρ on a Hilbert space is defined to be a positive operator with H tr(ρ) = 1. An operator is a density operator if and only if it can be generated by an ensembleofpurestates. Inparticular, weidentify apurestate ψ withthedensityoperator | i ψ ψ . | ih | Example2.3 Themixedstateofaqubitgenerated byensemble (2, 0 ),(1, 1 isrepre- { 3 | i 3 | i} sentedbydensityoperator 2 1 1 5 1 ρ = 0 0 + = − (1) 3| ih | 3|−ih−| 6 1 1 (cid:18) − (cid:19) (cid:4) 2.3 Unitary Operators Foranoperator Aon ,ifanother operator A satisfies(ϕ ,Aψ ) = (A ϕ , ψ ) forall † † H | i | i | i | i ϕ , ψ , then A is called the adjoint of A, where (χ , ζ ) stands for the inner produce † | i | i | i | i χ ζ . An operator U is called a unitary operator if U U = I , where and in the sequel † h | i H I stands fortheidentity operator on . Thebasic postulate of quantum mechanics about H H evolution ofsystemsmaybestatedasfollows: Supposethatthestatesofaclosedquantum system attimes t and tare ψ and ψ , respectively. Then they are related toeach other 0 0 | i | i byaunitaryoperator U whichdepends onlyonthetimest andt: 0 ψ = U ψ . 0 | i | i This postulate can be reformulated in the language of density operators as follows. The state ρofaclosed quantum system attimetisrelated toitsstate ρ attimet byaunitary 0 0 operator U whichdepends onlyonthetimestandt : 0 ρ= Uρ U . 0 † A unitary transformation of a state in a finite-dimensional Hilbert space can be calculated bymatrixmultiplication. 6 Example2.4 Anexample ofunitary operator ononequbit istherotation about x axis of − theBlochsphere(see[16],page19): cos θ isin θ Rx(θ)= isin2θ −cos θ2 (cid:18) − 2 2 (cid:19) where0 θ < 2π. Ittransformsthebasisstate 0 intoasuperposition of 0 and 1 : ≤ | i | i | i cos θ isin θ 1 Rx(θ)|0i = isin2θ −cos θ2 0 (cid:18) − 2 2 (cid:19)(cid:18) (cid:19) cos θ θ θ = 2 = cos 0 isin 1 . isin θ 2| i− 2| i (cid:18) − 2 (cid:19) Thecontrolled-NOT isaunitaryoperator ontwoqubits: I 0 CNOT = , 0 X (cid:18) (cid:19) whereI,0are2 2unitandzeromatrices, respectively, and × 0 1 X = 1 0 (cid:18) (cid:19) istheNOTgate. TheCNOTgatecanproduce entanglement: CNOT( +0 ) = β , 00 | i | i meaningthatseparable state +0 = + 0 istransformed toEPRpair β (cid:4) 00 | i | i| i | i 2.4 Super-Operators A quantum computing or communication system is often not a closed system because it may suffer from unwanted interactions from the environment. The dynamics of an open quantum system cannot be described by a unitary operator, and one of its mathematical formalisms is the notion of super-operator. A super-operator on a Hilbert space is a H linear operator from the space of linear operators on into itself which satisfies the E H followingtwoconditions: 1. tr[ (ρ)] 1foreachdensityoperator ρ; E ≤ 2. Completepositivity: foranyextraHilbertspace ,( )(A)ispositiveprovided R R H I ⊗E Aisapositiveoperatoron ,where istheidentityoperation on . R R R H ⊗H I H If condition 1) isstrengthened to tr[ (ρ)] = 1forall density operators ρ, then issaid to E E be trace-preserving. In this paper, we only consider trace-preserving super-operators. For anyunitaryoperator U,ifwedefine (ρ) = UρU forallρ,thenU canbeseenasaspecial † E super-operator . E 7 Example2.5 Thebitflipchannel iswidelyusedinquantum communication. Thischannel flips the state of a qubit from 0 to 1 and vice versa, with probability 1 p, 0 p 1. | i | i − ≤ ≤ Itisdescribed bythesuper-operator onthe2 dimensional HilbertspaceH ,definedas 2 E − follows: (ρ) = E ρE +E ρE 0 0 1 1 E for all density operator ρ, where E0 = √pI, E1 = √1 pX, and I,X are the 2 2 − × unit matrix and the NOT gate, respectively. For example, ifρis given by Eq. (1), then it is transformed by toanotherdensity operator E 1 + 2p 1 (ρ) = 6 3 −6 E 1 5 2p. (cid:18) −6 6 − 3 (cid:19) (cid:4) 2.5 Quantum Measurements To acquire information about a quantum system, a measurement must be performed on it. In quantum computing, measurement is usually used toread out a computational result. A quantummeasurementonasystemwithstatespace isdescribedbyacollection M of λ H { } operators satisfying Mλ†Mλ = I , H λ X where M are called measurement operators, and the indices λ stand forthe measurement λ outcomes. If the state of a quantum system is ψ immediately before the measurement, | i thentheprobability thatresult λoccursis p(λ)= hψ|Mλ†Mλ|ψi andthestateofthesystemafterthemeasurementis M ψ λ ψ = | i. λ | i p(λ) We can also formulate the quantum measurempent postulate in the language of density op- erators. If the state of a quantum system was ρ immediately before measurement M is λ { } performed onit,thentheprobability thatresult λoccuris p(λ) = tr(Mλ†Mλρ), andthestateofthesystemafterthemeasurementis ρ = MλρMλ†. λ p(λ) 8 Example2.6 The measurement on a qubit in the computational basis 0 , 1 is M = {| i | i} M ,M ,where 0 1 { } 1 0 0 0 M = 0 0 = , M = 1 1 = 0 | ih | 0 0 1 | ih | 0 1 (cid:18) (cid:19) (cid:18) (cid:19) Ifweperform M onaqubitin(mixed)stateρgiveninEq.(1),thentheprobability thatwe getoutcome0is 5 0 5 p(0) = tr(M ρ)= tr 6 = 0 0 0 6 (cid:18) (cid:19) and the probability of outcome 1 is p(1) = 1. In the case that the outcome is 0, the qubit 6 willbeinstate 0 afterthemeasurement,andinthecasethattheoutcomeis1,itwillbein | i state 1 . (cid:4) | i 2.6 POVM Measurements In defining noninterference, agents observe the system only at the end, and thus the post- measurement state of the system is of little interest. The Positive-Operator Valued Mea- sure (POVMforshort) formalism isespecially suited totheanalysis of noninterference. A POVM measurement on Hilbert space consists of a family of positive operators E λ H { } suchthat E = I . λ H λ X Ifitisperformedonasysteminpurestate ψ ,thentheprobability ofoutcome λis | i p(λ) = ψ E ψ ; λ h | | i and if the system is in mixed state ρ before measurement, then the probability of outcome λis p(λ)= tr(E ρ). λ Eachordinary quantum measurement M definedinSubsec.2.5canbeseenasaspecial λ { } POVMmeasurementifweputEλ = Mλ†Mλ forallλ. Example2.7 Let √2 √2 E = 1 1, E = 1 2 1+√2| ih | 1+√2|−ih−| and E = I E E , where I is the identity operator on the 2 dimensional Hilbert 3 1 2 − − − space. Then E ,E ,E isaPOVMmeasurement. Ifweperformitonaqubitinthestate 1 2 3 { } ρgiveninEq.(1),thentheprobabilities ofoutcomes1,2and3are,respectively, √2 √2 2+√2 p(1) = , p(2) = , p(3) = . 6(1+√2) 3(1+√2) 2(1+√2) (cid:4) 9 3 Noninterference in Quantum Systems 3.1 An Automata Model ofQuantum Systems FollowingGoguen andMeseguer’s original formulation [7], thesystem modelsused inthe studiesofnoninterference havebeenmainlyautomata. Aprobabilistic automatamodelwas employedbyGray[9]inhisworkonprobabilistic (non)interference. Here,weintroducean automatamodelforquantum systems. Definition3.1 Aquantum systemisa6 tuple − S= ,ρ ,A,C,do,measure , 0 hH i where: 1. isaHilbertspace,anditisthestatespaceofthesystem; H 2. ρ isadensityoperator in ,anditistheinitialstate; 0 H 3. Aisasetofagents; 4. C isasetofcommands; 5. do = a A and c C , and for each a A and for each c C, a,c a,c {E | ∈ ∈ } ∈ ∈ E is a super-operator on , specifying how states are updated by agent a executing H commandc; 6. measure = M a A , andfor eacha A, M isasetofPOVMmeasurements a a { | ∈ } ∈ on ,andintuitively,M consistsofallPOVMmeasurementsthatagentaisallowed a H toperform. The above automata model is defined in a way much more general than that in the majority of quantum automata literature, forexample [15], where only pure states, unitary operators and ordinary (even projective) quantum measurements are considered. Here, we workwiththelanguageofdensityoperators(mixedstates), super-operatorsareemployedto specifytheexecutionsofcommands,andPOVMmeasurementsareusedtodescribeagents’ observation. Themajormotivationforsuchageneralmodelisthatdensityoperators,super- operatorsandPOVMmeasurementsarecommonlyadoptedinquantuminformationtheory, see for example [16], Chapter 12. We hope that our results presented in this paper can besmoothly incorporated withquantum information theory toanalyse security ofquantum computing andcommunication systems. Several essential differences between classical and quantum systems deserve careful explanations. First,thestatespaceofaclassicalautomatonisusuallyassumedtobediscrete and even finite. In this paper, we only consider finite-dimensional quantum automata. But even so, their state Hilbert spaces are a continuum and thus deem-to-be infinite. Second, in the system models of both classical and probabilistic noninterference, the outcomes of agents’ observations are deterministic. However, an observation on a quantum system is 10

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.