Happy new year!

Have you read this paper?

https://arxiv.org/abs/1610.06164

Do you have any comments?

I must say I am not one of the authors of this paper, and I don’t really like it.

I wish you luck for the new year.

I’ve taken a look at the paper, and the explanation for our disagreement is very simple: you’re not doing statistics at all, you’re only working in the asymptotic limit. Well then, of course the prior does not matter: you are assuming that you simply know the exact probability. It is not about Bayesian versus frequentist statistics.

The prior matters when we’re talking about a realistic scenario, where you made a finite number of measurements, and you want to make a conclusion about your security from that. This blog post is about the finite case.

And ah, I am very familiar with the default limitations of the frequentist framework, and I certainly understand that it may not give good answers to the question you picked – but this doesn’t mean it can’t give good answers to different questions. I suppose this is not the easiest format for discussing how Abstract Cryptography avoids these issues, so maybe we can just discuss it if we have a chance to meet at a workshop sometime (…eventually? hopefully?). :) But to take a very brief shot at it, the security definitions we use specifically avoid answering anything like the question of “what strategy is the adversary using?”, because that runs into the default issues you mentioned. Instead, we prove statements of the form (informally) “for any strategy by Eve, the actual state produced in the protocol will be close in trace distance to a state that has the same probability of producing the abort outcome, but otherwise produces a perfect secret key” – the formal expression is basically just page 20 of https://arxiv.org/pdf/1409.3525.pdf (specifically Eq. (12), though the definitions of the individual terms are on the rest of the page).
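Very roughly, that kind of statement can be sketched as follows (this is my simplified paraphrase in ad hoc notation, not the exact form of Eq. (12)):

\[\frac{1}{2}\left\| \rho_{KE} - \Bigl( \Pr[\text{abort}]\, |\!\perp\rangle\langle\perp| \otimes \sigma_E + \Pr[\text{accept}]\, \tau_K \otimes \sigma'_E \Bigr) \right\|_1 \le \varepsilon,\]where $\rho_{KE}$ is the actual key-and-Eve state produced by the protocol, $\tau_K$ is a uniformly random key, and the bound holds for every strategy by Eve, with $\Pr[\text{abort}]$ depending on the strategy.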

Hopefully, it at least looks possible to you that such a statement could be rigorously proven over all strategies (or in other words, any prior! I must insist we are not using a flat prior!) by Eve – the trick here is that the abort probability is a function of the strategy/prior, and when this probability is high, the abort event completely dominates the state and so the trace distance discussed above can still be small. (In particular, this is why it holds even for the “stupid prior” of Eve always setting w=0.75.) But certainly, one can question whether such a trace-distance bound is practically useful – that would be the much longer discussion, though I have to say I am myself surprised by how powerful a statement one can eventually extract from such a bound. :)

I’m not sure I understood what you meant by “Eve always implements a completely insecure classical behaviour in the devices”. Are you saying that Alice and Bob’s devices screw up the privacy amplification part of the protocol, thus making it insecure? Well, you just need to assume that they don’t; otherwise the protocol is insecure, period, independent of any security proof you’re using.

Let me give you a concrete example of why a prior is necessary. Suppose you are given a coin whose bias towards heads is promised to be either $L=3/4$ or $Q=(2+\sqrt{2})/4$, and you want to know which is the case. You then flip the coin 100 times and observe 85 heads. It must have bias $(2+\sqrt{2})/4$, right? Well, no, it depends on the prior. If the prior probability of the bias being $3/4$ is $p$, then

\[\frac{p(L)}{p(Q)} = \frac{L^{85}(1-L)^{15}}{Q^{85}(1-Q)^{15}}\frac{p}{1-p},\]which will be larger than 1 if $p \ge 0.96$.
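The arithmetic is easy to check numerically; here is a quick sketch (the function name is mine, and the defaults are the numbers from the example above):

```python
import math

def posterior_ratio(p_prior, n=100, heads=85):
    """Posterior odds p(L)/p(Q) for the coin example above.

    L = 3/4 and Q = (2 + sqrt(2))/4 are the two candidate biases;
    p_prior is the prior probability that the bias is L.
    """
    L = 3 / 4
    Q = (2 + math.sqrt(2)) / 4
    tails = n - heads
    likelihood_ratio = (L ** heads * (1 - L) ** tails) / (Q ** heads * (1 - Q) ** tails)
    return likelihood_ratio * p_prior / (1 - p_prior)

# With a flat prior (p = 1/2) the data strongly favour Q...
print(posterior_ratio(0.5))   # well below 1
# ...but a strong enough prior on L flips the conclusion.
print(posterior_ratio(0.96))  # above 1
```

So the very same 85-heads observation supports either hypothesis, depending only on the prior.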

How would you solve this the “frequentist” way? Simply taking the likelihood ratio and pretending there is no prior? Well, this is just arbitrarily and implicitly assuming that the prior is flat. Which I’m sure is what the Abstract Cryptography framework is doing. Not because I’ve looked at it, but because every time I’ve seen a frequentist claiming that they are doing away with the prior they were simply assuming it is flat.

Let’s change the description of the problem. Instead of simply being promised that the bias is either $L$ or $Q$, we’re also promised that it was chosen by a genuine QRNG with bias $p$ towards $L$. Would you then accept using the prior?

In the Bayesian version, I don’t see a comfortable way to address the question of how to handle the prior being “Eve always implements a completely insecure classical behaviour in the devices”, because in that case, as you said, conditioning on the protocol accepting still does not let one bound the probability of basically any “bad” event as less than 1. One could claim that this is a stupid prior, and…well, it is “obviously” stupid, but really, why? It seems hard to give a clear reason why it should be ignored, because it is something Eve could really choose to do.

In contrast, the trace-distance security property under the Abstract Cryptography framework is really proven to hold for all strategies by Eve, or in this language, for all priors on Eve’s behaviour – we genuinely do not choose a prior when proving this property holds. (To discuss how it handles the specific “Eve always implements an entirely classical behaviour” prior/strategy might be a bit too much of a diversion, but basically the high abort probability ensures that it remains sufficiently indistinguishable from the ideal functionality. One could perhaps incorporate similar ideas into a Bayesian approach to handle the “stupid prior”, but if we’re at the point where we’re proving statements that hold for various choices of prior, we might as well go all the way and prove statements that hold for all choices of prior.)

And as you observe, I feel the situation regarding the priors gets worse when you consider the non-IID case, because the set of strategies increases dramatically. Indeed one could partition the set into families parametrized by a smaller number of parameters, such as what you described, but again it doesn’t seem particularly clear to me why a particular parametrization might be more “natural” or what prior one should take on the parameters. (I also agree that the security proofs here would be much more of a pain…to my knowledge, any self-testing results that might be candidates for what you described are not very robust. Although perhaps that’s not your goal.)

Funny you mention the non-IID case; it is something that I’m working on right now. Conceptually it’s easy: you just redefine the $n$ rounds of the CHSH game as a single nonlocal game. You win the combined game if you win more than $(3/4+\delta)n$ of the individual rounds ($\delta$ is a fixed parameter). Then this winning probability is well-defined, even in the non-IID case, and if $(3/4+\delta)$ is close to the Tsirelson bound, a victory in the combined game does imply that you have a very entangled state and therefore Eve has very little information. Technically, though, it is a nightmare to turn this into a proper security proof.
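The winning condition of the combined game is just a threshold on the win count, which is easy to sketch (the function name is mine, and the IID sampling below is only an illustration – the definition itself makes no IID assumption):

```python
import random

def combined_game_won(round_wins, delta=0.05):
    """Combined-game condition described above: win iff more than
    (3/4 + delta) * n of the n individual CHSH rounds were won."""
    n = len(round_wins)
    return sum(round_wins) > (3 / 4 + delta) * n

# Toy IID strategy winning each round at the Tsirelson bound, ~0.854.
random.seed(0)
w_quantum = (2 + 2 ** 0.5) / 4
rounds = [random.random() < w_quantum for _ in range(10_000)]
print(combined_game_won(rounds))  # True for this sample
```

A classical strategy winning each round with probability at most $3/4$ will fail this threshold with overwhelming probability for large $n$.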

So to work around this, we instead ask the valid frequentist question of “what is the probability that the observed frequency is at least p, conditioned on the true parameter value being at most q?” (the reversal of the bound direction in the second half of the statement is intentional; essentially, the case being analyzed here is the abort-with-high-probability case), and construct a security proof based on that. However, it’s not completely trivial to construct an argument using only this direction of the conditional probabilities, and life is much easier if (in this statement) p and q are fixed constants rather than functions of the observed frequency (which could introduce an unpleasant risk of “cyclic” dependencies in the argument).

Off the top of my head, I believe that trying to get bounds that depend on the observed frequencies would be possible in principle, but one would face the unpleasant task of handling an entire family of such statements parametrized by carefully chosen values for p and q, and generally I try to avoid such headaches. :)
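For fixed constants p and q, that one-sided question is just a binomial tail, which can be bounded directly; here is a rough sketch (function names and the toy numbers are mine, not from any actual protocol, and in the IID setting only):

```python
import math

def binom_tail(n, k, q):
    """Exact P(at least k successes in n trials), success probability q."""
    return sum(math.comb(n, j) * q ** j * (1 - q) ** (n - j)
               for j in range(k, n + 1))

def freq_tail_bound(n, p, q):
    """P(observed frequency >= p) when the true parameter is at most q < p.

    The tail is monotone increasing in q, so evaluating it at q itself
    bounds the whole case "true value at most q". Also returns the cruder
    Hoeffding bound exp(-2 n (p - q)^2) for comparison.
    """
    exact = binom_tail(n, math.ceil(p * n), q)
    hoeffding = math.exp(-2 * n * (p - q) ** 2)
    return exact, hoeffding

# Toy numbers: 100 rounds, observed frequency 0.9, true value at most 0.8.
exact, hoeffding = freq_tail_bound(n=100, p=0.9, q=0.8)
print(exact <= hoeffding)  # the exact tail is tighter than Hoeffding
```

The point is simply that with p and q fixed in advance, a single such bound suffices, whereas data-dependent p and q would require a whole family of these statements.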

I’m very surprised that Bierhorst got the opposite result from me. To be precise, my statistical test consists simply of counting the number of victories in the CHSH (or CH) game, while he is doing something more complicated, so it is possible that the results would flip. But I would still expect the general intuition to hold: if you are sensitive to signalling, you are just polluting your data with noise and reducing the statistical significance of your violation.

To our (nonsignaling) loophole-free data (in Table S-III of arXiv:1511.03189), Peter applied his p-value calculation method using both the CH and the CHSH inequality, and obtained a much lower p-value using the CH inequality.

I do not know whether the data with back-reflection errors, which appeared when we allowed a timelike connection, violated the CHSH inequality or not. Judging from the physics of the error mechanism, it probably did violate the no-signaling constraints.

Your use of the CHSH inequality to remove the influence of signaling when the possibility of causal connection cannot be avoided is very interesting. It reminds me of work by people studying contextuality (for example Ehtibar Dzhafarov’s arXiv:2108.05480), who decompose distributions into a signaling part, a nonsignaling contextual part, and a noncontextual part.
