Limits of privacy amplification against non-signalling memory attacks

The task of privacy amplification, in which Alice holds some partially secret information with respect to an adversary Eve and wishes to distill it until it is completely secret, is known to be solvable almost optimally both in the classical and quantum world. Unfortunately, when considering an adversary who is only limited by non-signalling constraints, such a statement cannot be made in general. We here prove that under the natural assumption of time-ordered non-signalling systems, which allow past subsystems to signal to future subsystems (using the device’s memory, for example), super-polynomial privacy amplification by any hashing is impossible. This is of great relevance when considering practical device-independent key distribution protocols which assume a super-quantum adversary.


💡 Research Summary

The paper investigates the fundamental limits of privacy amplification (PA) when the adversary is constrained only by the no‑signalling principle but is allowed to exploit memory across successive rounds of a protocol. In the standard setting, both classical and quantum adversaries can be handled by applying a suitable hash function to the partially secret string held by Alice, thereby extracting a nearly perfect secret key. This guarantee breaks down for a “super‑quantum” adversary limited solely by non‑signalling constraints, in particular when the devices used by Alice and Bob retain internal state and so let earlier rounds influence later ones. The authors formalize this as a time‑ordered non‑signalling model: the overall system consists of n rounds; the outputs of round k may depend arbitrarily on the inputs and outputs of rounds 1 to k−1, while the joint behaviour of rounds 1 to k must remain independent of the inputs chosen in rounds k+1 to n (future rounds cannot signal to past rounds). This is strictly weaker than the fully non‑signalling condition, under which no subsystem may signal to any other subsystem in either direction.
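To make the distinction between the two models concrete, the following added example (not code from the paper or its authors) checks finite n‑round “boxes” with binary inputs and outputs against both conditions. A box is represented as a dictionary from (input tuple, output tuple) to probability; the three boxes constructed at the bottom are illustrative only: a PR box, a “memory” box whose third output leaks the XOR of the first two inputs, and a box that signals from the future to the past. The names `memory_box`, `classify` and so on are this example's own.

```python
"""
Checks two non-signalling notions on finite n-round boxes with binary inputs
x_i and binary outputs a_i.  A box is a dict {(x, a): probability} with x and a
length-n tuples.

  * fully non-signalling: for EVERY subset S of rounds, P(a_S | x) depends
    only on the inputs x_S.
  * time-ordered non-signalling: only every PREFIX {1..k} must be independent
    of the later inputs x_{k+1..n}; earlier rounds may influence later ones.

All boxes below are constructed for illustration (not from the paper).
"""
import itertools
from collections import defaultdict

BITS = (0, 1)


def marginal(box, n, subset, x):
    """P(a_S | x) for S = subset, returned as {a_S tuple: probability}."""
    dist = defaultdict(float)
    for a in itertools.product(BITS, repeat=n):
        p = box.get((x, a), 0.0)
        if p:
            dist[tuple(a[i] for i in subset)] += p
    return dict(dist)


def _close(d1, d2, tol=1e-12):
    return all(abs(d1.get(k, 0.0) - d2.get(k, 0.0)) < tol for k in set(d1) | set(d2))


def marginal_independent_of_outside(box, n, subset):
    """True iff P(a_S | x) is unchanged when inputs outside S are varied."""
    outside = [i for i in range(n) if i not in subset]
    for x_in in itertools.product(BITS, repeat=len(subset)):
        reference = None
        for x_out in itertools.product(BITS, repeat=len(outside)):
            x = [0] * n
            for i, v in zip(subset, x_in):
                x[i] = v
            for i, v in zip(outside, x_out):
                x[i] = v
            m = marginal(box, n, subset, tuple(x))
            if reference is None:
                reference = m
            elif not _close(reference, m):
                return False
    return True


def is_normalized(box, n, tol=1e-12):
    """Every input tuple must induce a probability distribution on outputs."""
    for x in itertools.product(BITS, repeat=n):
        total = sum(box.get((x, a), 0.0) for a in itertools.product(BITS, repeat=n))
        if abs(total - 1.0) > tol:
            return False
    return True


def is_fully_non_signalling(box, n):
    subsets = (s for r in range(1, n) for s in itertools.combinations(range(n), r))
    return is_normalized(box, n) and all(
        marginal_independent_of_outside(box, n, list(s)) for s in subsets)


def is_time_ordered_non_signalling(box, n):
    # Only prefixes {0..k-1} are required to ignore the inputs of later rounds.
    return is_normalized(box, n) and all(
        marginal_independent_of_outside(box, n, list(range(k))) for k in range(1, n))


def classify(box, n):
    if is_fully_non_signalling(box, n):
        return "fully non-signalling"
    if is_time_ordered_non_signalling(box, n):
        return "time-ordered non-signalling only (memory allowed)"
    return "signalling"


# --- constructed example boxes -------------------------------------------

def pr_box():
    """Two rounds with a1 XOR a2 = x1 AND x2; the textbook fully non-signalling box."""
    n = 2
    box = {}
    for x in itertools.product(BITS, repeat=n):
        for a in itertools.product(BITS, repeat=n):
            if (a[0] ^ a[1]) == (x[0] & x[1]):
                box[(x, a)] = 0.5
    return box, n


def memory_box():
    """Three rounds: a1, a2 are fair coins; a3 = x1 XOR x2, i.e. the device
    remembered the earlier inputs and leaks them later (past -> future only)."""
    n = 3
    box = {}
    for x in itertools.product(BITS, repeat=n):
        for a1, a2 in itertools.product(BITS, repeat=2):
            box[(x, (a1, a2, x[0] ^ x[1]))] = 0.25
    return box, n


def future_signals_past_box():
    """Two rounds: a1 = x2 (a later input determines an earlier output)."""
    n = 2
    box = {}
    for x in itertools.product(BITS, repeat=n):
        for a2 in BITS:
            box[(x, (x[1], a2))] = 0.5
    return box, n


if __name__ == "__main__":
    for name, (box, n) in (("PR box", pr_box()),
                           ("memory box", memory_box()),
                           ("future->past box", future_signals_past_box())):
        print(f"{name}: {classify(box, n)}")
```

The memory box is exactly the kind of behaviour the time‑ordered model admits and the fully non‑signalling model forbids: every prefix of rounds is independent of the later inputs, yet round 3 is perfectly correlated with what was fed into rounds 1 and 2. Note that the exhaustive subset check is exponential in n and is meant for small hand‑built boxes, not for analysing real devices.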

Within this model they prove an impossibility theorem: for any hash function H (fixed, or drawn at random from a family) that compresses the raw n‑bit string S into ℓ bits, where ℓ can be as large as polylog n, an adversary equipped with a time‑ordered non‑signalling strategy retains a non‑negligible advantage in guessing H(S). More precisely, the adversary’s advantage is bounded below by 1/poly(n), so super‑polynomial privacy amplification (security that decays faster than any inverse polynomial in n) is impossible. The proof constructs a “fake” input distribution that is indistinguishable from the honest one under the time‑ordered no‑signalling constraints, yet is correlated with the chosen hash output. The adversary uses the device’s memory to shape each round’s conditional behaviour adaptively, compensating for the information the hash function would otherwise destroy, and so keeps inverse‑polynomial knowledge of the final key even after the PA step.

The result has immediate implications for device‑independent quantum key distribution (DI‑QKD) protocols that assume an adversary no more powerful than a non‑signalling one. Many existing DI‑QKD schemes rely on a final PA stage that simply hashes the raw key. According to the paper, if the devices employed in the protocol have any memory that can be exploited across rounds, this PA stage does not provide the claimed security boost; the final key may still be partially known to the adversary. Because the theorem covers every hash function, switching to a different hash family (linear or not) cannot by itself restore security. The remaining options are to change the model or the post‑processing: (i) enforce strict memorylessness in the devices, either physically or by protocol‑level “reset” operations; (ii) introduce refresh mechanisms that randomize the devices’ internal state between blocks of rounds; (iii) move beyond a single hashing step to post‑processing for which a security proof against memory‑aided non‑signalling adversaries can actually be given.

The paper also situates its contribution within the broader literature. Prior work on non‑signalling adversaries typically assumed a fully non‑signalling condition under which no subsystem can signal to any other, which rules out the memory‑based attacks considered here by assumption. By relaxing this to a time‑ordered condition, the authors capture a more realistic threat model for practical implementations, where devices naturally retain information from earlier rounds. Their impossibility theorem therefore closes a gap in the security analysis of DI‑QKD and identifies a class of attacks that must be addressed.

Future research directions proposed include: (a) designing concrete PA protocols that are provably secure against time‑ordered non‑signalling adversaries, possibly using interactive or adaptive techniques; (b) developing experimental methods to certify that a given device truly lacks exploitable memory, or to quantify the residual memory‑induced leakage; and (c) exploring hybrid security models that combine non‑signalling constraints with additional physical assumptions (e.g., bounded storage or limited communication) to regain strong PA guarantees.

In summary, the paper demonstrates that under the natural and practically relevant assumption of time‑ordered non‑signalling systems, hashing‑based privacy amplification can at best reduce the adversary’s advantage to an inverse polynomial in n. This negative result forces a re‑examination of the security foundations of device‑independent cryptographic protocols that aim to be secure against super‑quantum, non‑signalling adversaries.