A probabilistic quantum key transfer protocol

Transcription

1 SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 013; 6: Published online 13 March 013 in Wiley Online Library (wileyonlinelibrary.com)..736 RESEARCH ARTICLE Abhishek Parakh* Nebraska University Center for Information Assurance, University of Nebraska at Omaha, Omaha, NE 6818, U.S.A. ABSTRACT We propose a protocol to transfer a one-time pad (in a probabilistic manner) from Alice to Bob, over a public channel. The proposed protocol is unique because Bob merely acts as a receiver of the pad (secret key); that is, Bob does not need to send any message back to Alice unless he detects eavesdropping. Such a secure transfer of one-time pad, over public channel, is not possible in classical cryptography, and in quantum cryptography, all previous protocols require Bob to send almost as many messages back to Alice as she does to Bob to establish a key. Copyright 013 John Wiley & Sons, Ltd. KEYWORDS quantum cryptography; quantum key distribution; probabilistic protocol; quantum network security *Correspondence Abhishek Parakh, Nebraska University Center for Information Assurance, University of Nebraska at Omaha, 6001 Dodge St., Omaha, NE 6818, U.S.A. aparakh@unomaha.edu 1. INTRODUCTION The security of all known pubic key cryptographic algorithms is based on unproven mathematical assumptions [1]. Their security stems from the fact that we currently do not have efficient algorithms to solve hard mathematical problems, such as factoring numbers and finding discrete logarithms in finite fields. Consequently, classical public key algorithms only provide computational security. Although not practical today, efficient quantum algorithms to factor numbers and to find discrete logarithms exist [], casting a dark shadow over classical cryptography as we know it. There is one known classical secret key cryptographic system that provides perfect (information theoretic) security [3] one-time pad. One-time pad works by XORing a stream of true random bits with the bit stream of plaintext. However, this requires the encryption key (also called as one-time pad) to be as long as the plaintext itself. Now, if one had a secure channel to transmit a one-time-pad key from sender to receiver, then one may use that channel to send the plaintext securely in the first place. In other words, although one-time pads provide perfect security that is not based on any computational assumptions, they are impractical in classical communication. Example one-time pad:let M = be the message and K = be the randomly chosen key, then the cipher C is the bitwise XOR of M and K, that is, c i = m i k i ; C= Cipher C canbesent over the public channel; however, key K has to be sent to the receiver over a secure (private) channel. While classical systems preclude the use of one-time pads over public channels, laws of quantum physics make it possible to securely generate the key for a one-time pad over a public channel with perfect security. Such a quantum key agreement technique was first proposed by Bennett and Brassard [] (BB8) where a classical communication channel was used in conjunction with a quantum channel to establish a shared secret key. In BB8, Alice generates a random string of bits and sends each bit to Bob as a photon in a randomly chosen basis (rectilinear or diagonal). Bob, not knowing which of the two bases each photon is in, measures them randomly in rectilinear or diagonal basis. After measuring all the photons, Bob discloses his choice of bases of measurement to Alice, and she tells Bob which of their bases agree. The final key is made up of bits that were received by Bob in the matching bases. A subset of these bits is used to check if there was any eavesdropping [,5]. Here, disclosure of bases is carried out over a classical communication channel. Ekert [6] proposed the use of entangled photons measured randomly in three coplanar axes. While Ekert s protocol used Bell s inequality to demonstrate its security against eavesdropping, Bennett, Brassard, and Mermin [7] proposed a protocol that used entangled pairs and did not depend on Bell s inequality for detection of eavesdropping. Bennett [8] in another scheme showed that any two non-orthogonal states suffice for key agreement. A protocol by Kartalopoulus [9] used two quantum channels for key agreement in conjunction with classical channel. In Kartalopoulus protocol, Copyright 013 John Wiley & Sons, Ltd. 1389

2 A. Parakh Alice sends the same information on both the quantum channels, and Bob measures the photons on these channels, randomly, in complementary bases (rectilinear on one and diagonal on other). They compare their chosen bases publicly and determine the key. Almost all quantum protocols have a similar concept behind them in which photons are first measured in random bases and then the chosen bases are compared publicly. Consequently, the final key to be used cannot be decided in advance and depends on Bob s measurements as well. Further, all the protocols require Bob to actively send messages back to Alice in a back and forth communication. A three-stage quantum key agreement protocol based on the idea of commuting transformations was proposed in [10], much as in classical commutative cryptography [11]. However, it requires Bob to choose a basis of rotation of his own and thus a two-way exchange of messages for the key agreement process. The protocol proposed in [1] requires repeated transmission and measurements in both directions to establish a key. Because we only send messages in one direction, the protocol proposed here is at least twice as efficient as that proposed in [1]. Further, the proposed protocol is unique as compared with previous protocols because it is one sided in the sense that Alice sends a one-time-pad key to Bob and Bob receives it correctly with a very high probability. Bob does not send any message back to Alice unless he detects an eavesdropping. Such transfer of one-time pad over public channels is impossible in classical communication and classical cryptography, and none of the previous quantum key agreement protocols allow Bob to act as a passive receiver. Therefore, the contributions of the proposed protocol are as follows: (1) It enables Alice to transfer a secretly chosen onetime pad to Bob over a public channel. The key is entirely chosen by Alice. () Probabilistic nature of transfer: the one-time pad is transferred to Bob correctly with a very high probability (a parameter chosen by the participants). (3) Bob sends a message back to Alice only if he detects eavesdropping and does not need to disclose his bases of measurement. Consequently, unlike previous protocols, there is no two-way exchange of messages to establish a key. () Unlike other protocols, where only Alice can detect eavesdropping because only she knows the original values of the bits she sent, in the proposed protocol, Bob is able to detect eavesdropping. (5) The probability of detecting an eavesdropper is higher than that in BB8. Further, we assume that Alice and Bob have agreed on bases of measurement and encoding of photons long before Alice decides to transmit a one-time pad to Bob. Such arrangements can be a part of global standards that communicating parties follow. Also, assume that Alice has quantum systems capable of producing single photons in desired polarization and there is no loss of photons during transmission or elsewhere.. QUANTUM COMMUNICATION AND QUANTUM CRYPTOGRAPHY One of the fundamental concepts in classical computation and classical information is the notion of a bit. Quantum computations are, therefore, built upon an analogous concept of quantum bit or qubit for short [13]. Similar to classical bit, a qubit hasstates 0i and 1i corresponding to 0 and 1 for a classical bit. However, unlike the classical bit, a qubit can exist in states other than 0i or 1i. It is also possible to form linear combination of states, often called superpositions, jc >¼ ajiþ 0 bj1i where a and b are complex numbers. Therefore, the state of a qubit is a vector in a two dimensional complex vector space. The special states 0i and 1i are known as rectilinear computational basis states (+) and form an orthogonal basis for this vector space. Further, when we measure a qubit, we get either the result 0, with probability a, or the result 1, with probability b ; a + b = 1. A qubit can exist in a continuum of states between 0i and 1i until it is measured, however when measured, it only ever gives 0 and 1 as a measurement result probabilistically. For example, a qubit can be in the state j0iþj1i pffiffiffi which when measured in rectilinear basis gives result zero, 50% of the time and result one, 50% of the time. In communication using optical channels, quantum states are represented using polarized photons. Any two orthogonal states that can be distinguished from one another form a basis of measurement. For example, photons in states 0i and 1i are implemented using photons polarized at 0 (!) and 90 ("), respectively, and are said to represent 0 and 1 in rectilinear basis (+). Similarly, photons in states j0iþj1i pffiffi and j0ij1i pffiffi are implemented using photons polarized at 5 ( ) and 135 ( ), respectively, and are said to represent 0 and 1 in diagonal basis (). Further, a photon that is in diagonal basis, when measured by a detector aligned in rectilinear basis, randomly collapses to 0 or 1 with a probability of one-half, and vice versa [13]..1. The BB8 quantum key distribution protocol BB8 was the first quantum cryptography protocol proposed and employs a classical as well as quantum channel to establish a shared key. It uses two conjugate bases: a rectilinear basis of 0 (!) and 90 (") polarization states 1390 Security Comm. Networks 013; 6: John Wiley & Sons, Ltd.

3 A. Parakh and a diagonal basis of 5 ( ) and 135 ( ) polarization states. Bit 0 corresponds to polarization states (!) or( ), and 1 corresponds to (") or( ) polarization states. The secret key is established as follows: (1) Alice chooses n random key bits. () Alice chooses a random sequence of n polarization bases (rectilinear or diagonal) and sends Bob a sequence of n photons encoding one bit of the key stream in the basis chosen for that position. (3) Bob, upon receiving the stream of photons, measures them in randomly chosen bases of his own. If Alice s basis of encoding for a given photon and Bob s basis of measurement for that photon match, then Bob receives Alice s encoded bit correctly, else Bob will see a random collapse of the state of the photon and will lose all information about the bit. () Alice and Bob publicly compare the bases of their choice for all the photons The final key is made up of bits that were received by Bob in the same bases as that of Alice s. Eavesdropping is detected in BB8 because Eve not knowing the original bases of the photons, like Bob, measures them in random bases. This will make 75% of the photons collapse randomly at Bob s end. However, Bob expects 50% of his random bases to agree with that of Alice and hence see only 50% of the photons collapse randomly. After all the measurements are performed, Alice and Bob randomly select a subset of the bits received by Bob in the correctly aligned bases and check for errors. If Eve has made measurements, they would expect to see disagreements in some of the bit values [,5]. Further, the number of bits that are usable by Bob for a key are expected to be only n/... Key generation rather than key distribution protocol As seen in the aforementioned protocol, the final key that is used cannot be decided in advance by Alice. Consequently, quantum key cryptography protocols are often thought of not as secret key exchange or transfer but rather as secret key generation because, fundamentally, neither Alice nor Bob can pre-determine the key they will ultimately end up with upon completion of the protocol..3. Need for authenticated channels Fundamentally, all key exchange schemes over public channels are vulnerable to man-in-the-middle attacks [1]. Often, digital signatures are used to solve this problem, with the use of a trusted third party (such as Symantec or GeoTrust, which certifies the signatures). These trusted third parties form a part of the public key infrastructure. We do not go into details of digital signatures here but assume that there exist authenticated channels between Alice and Bob. 3. THE PROPOSED PROTOCOL Assume that Alice wishes to send Bob, over a public channel, a random bit string of length n to be used as a one-time pad. We assume that Alice and Bob have, long before the start of the protocol, agreed to use polarized photons for communication and two bases for measurements. The protocol proceeds as follows (Figure 1): (1) Alice chooses a random sequence of polarization bases (rectilinear or diagonal) and sends Bob a stream of photons representing one bit of the key in the basis chosen for that bit position. () Bob, upon receiving the stream of photons, randomly and independently measures each photon in rectilinear or diagonal basis. (3) Alice re-encodes her key as a stream of photons in the same sequence of bases as before and sends it to Bob again. () Bob measures the stream of photons in the same sequence of bases that he chose in the previous iteration. (5) Alice and Bob repeat steps 3 and, k 1 number of times. (6) Alice sends one final copy of the key as a stream of photons to Bob. At this point, Alice has sent k + 1 copies of the key as polarized photons to Bob. For the first k iterations, Bob keeps his sequence of bases constant and notes all the measurements for all the iterations in a table. If for photon i, the measured value changes at least once over k iterations, then Bob concludes that his measurement basis for that photon is not the same as that of Alice s and changes his basis of measurement for that photon to the complementary basis. Bob receives the (k + 1)th transmission in the realigned bases. Alice then sends to Bob all the original sequence of bases for her photons. Bob checks for eavesdropping: - If eavesdropping is detected, Bob sends an abort signal to Alice. - Else, Alice sends the encrypted message to Bob. Bob keeps track of all measurements he makes and notes them as shown in Tables I and II. When Bob s basis of measurement matches with Alice s chosen basis for a photon, Bob retrieves the same exact result for that bit in all k iterations. However, if Bob s basis differs from that of Alice, Bob will lose all information about that bit (photon will randomly collapse to 0 or 1 with probability one-half). Security Comm. Networks 013; 6: John Wiley & Sons, Ltd. 1391

4 A. Parakh Figure 1. Illustration of the flow of the proposed protocol. Table I. Sample execution of the proposed protocol. Raw key bit stream generated by Alice Step 1: Alice randomly chooses bases and encodes the key as a stream of photons in those bases! " " " " "!!!! "! Alice sends the stream of photons to Bob Step : Bob s randomly chooses bases for measurement Bob measures the received photon in the basis chosen for that bit position Bob receives 0 0/1 0/ /1 0/1 1 0/ /1 0 0/1 0 0/1 0/1 0/ /1 1 0/1 0/1 0/1 0 Step 3: Alice resends another copy of the key as a stream of photons in the exactly same bases as before Step : Bob measures the new stream of photos received in exactly the same bases as before Step 5: Repeat k 1 times: Steps 3 and Step 6: Alice sends one final copy of the key as stream of photons to Bob At this point, Alice has sent k + 1 copies of the key encoded as stream of photons to Bob Because both Alice and Bob are choosing their measurement bases randomly and independently, Bob expects to see 50% of his bases agree with that of Alice s. Consequently, Bob will see the other 50% of the photons collapse to a random value. This is shown in Table II. After k iterations Bob will have determined with a very high probability which of his bases align with those Alice and which do not align. For the bases that do not align with those of Alice, he changes them to the complementary bases. When Alice sends the (k + 1)th transmission of photons, Bob measures it in his newly aligned basis to determine the secret key.. THE VALUE OF K Bob s aim is to determine which of his bases align with those of Alice. If, for a given photon, Bob s basis is not aligned with Alice s basis, then Bob will see a random collapse of the photon. The probability that Bob s basis is wrongly aligned, and yet, he sees that photon collapse to the exact same value over k + 1 iterations is 1 k.ifk = 1, Bob is more than 99.98% confident of his basis for a photon for which his measured value remained constant over k iterations. 139 Security Comm. Networks 013; 6: John Wiley & Sons, Ltd.

5 A. Parakh Table II. Bob s observations over 13 iterations for the example shown in Table I. Results obtained by Bob in misaligned bases are shown in italics. Iteration Iteration Iteration Iteration Iteration Iteration Iteration Iteration Iteration Iteration Iteration Iteration Bob realigns the bases to match those of Alice s Iteration PROBABILISTIC NATURE OF KEY TRANSFER It is clear from the aforementioned description that the key transfer is probabilistic in the sense that Bob has a residual probability of error for the final key. This is because Alice discloses her bases only after Bob has made all the measurements. Therefore, bits that did not change their value in k + 1 iterations have a probability of 1 of being measured in the wrong basis, and k hence, Bob does not gain any information about them. When Alice sends Bob her original bases of encoding, Bob can check if any of his bases were wrongly aligned. For a large k and depending on the value of n, the addition of a small error correcting checksum to the end of the transmitted key would suffice. 6. EAVESDROPPING We assume that an eavesdropper has same capabilities as that in BB8 [], in which case the probability of detection of eavesdropper is greater than that in BB8. Here, the eavesdropper, Eve, can only make measurements on the photons that are being sent to Bob. Consequently, not knowing the basis of the photons, Eve will make measurements in random bases before sending the photons to Bob and hence introduce errors in Bob s measurements. The difference from previous protocols is that Bob himself will be able to detect these errors as compared with sending a subset (or a function of the subset) of the bits to Alice for verification. Irrespective of whether Eve eavesdrops on all the k iterations or just one iteration (or any number in between), Eve s measurements will force 75% of the photons to collapse randomly (at Bob s end), whereas Bob is expecting to see only 50% of the photons to collapse randomly. In other words, because Alice later sends Bob the correct bases of the photons, he can go back and check his table for the bits whose values were supposed to stay constant through all k iterations. Table III shows that in absence of Eve, Bob has a 50% chance of getting a basis correct and hence expects to see only 50% of the bits change values over the iterations. However, from Table IV, we see that in presence of Eve, Bob will observe 75% of the bits change values over k iterations Expected number of bits correctly received by Bob We first compute the expected number of bits correctly received by Bob in the absence of Eve and then in the presence of Eve. Consider a single iteration of the protocol Without Eve Let b i a be Alice s basis of encoding photon i and bi b Bob s basis of measurement of photon i. The probability that Alice and Bob will choose the same bases is given by P(b i a = bi b )=1. Further, their choices are independent of each other, that is, P b i j ¼ g=bi k ¼ h ¼ P b i j ¼ g where j, k {a,b}, j 6¼ k, and g, h {+,}. Let X be the random variable that denotes the number of photons received by Bob that collapse at random and let E Table III. Possible choices of bases that Alice and Bob can make for any given qubit. Bob will observe random result for two out of four possible cases. Possible choice of basis between Alice and Bob for any given qubit (no Eve present) Alice + + Bob + + Bob s observed result Constant Random Random Constant Security Comm. Networks 013; 6: John Wiley & Sons, Ltd. 1393

6 A. Parakh Table IV. Possible choices of bases that Alice, Eve and Bob can make for any given qubit. Bob will observe random result for six out of eight possible cases. Possible choice of bases between Alice, Eve, and Bob for any give qubit Alice Eve Bob Bobs observed result Constant Random Random Random Random Random Random Constant (X) be the expectation of X, then EX ð Þ ¼ Pb i a 6¼ 1 bi b n ¼ n With Eve present Let b i e be Eve s basis of measurement for a given photon i. The probability that any two parties have the same bases for a given photon Pb i a ¼ bi b ¼ Pb i a ¼ b i e ¼ Pb i e ¼ b i 1 b ¼ Further, Alice, Bob, and Eve choose their bases independent of each other P b i j ¼ g=bi k ¼ h ¼ P b i j ¼ g where j, k {a,b,c}, j 6¼ k, and g, h {+,} Consequently, the probability that all of them will choose the same bases is given by Pb i a ¼ bi e ¼ 1 bi b ¼ 1 ¼ 1 In other words, the probability that at least one of them, for a given photon, will choose a basis of measurement different from the others is given by P r ¼ 1 Pb i a ¼ bi e ¼ 3 bi b ¼ Whenever Bob s or Eve s bases of measurement differ from that of Alice s basis of encoding, the photon will collapse randomly resulting in a random bit at Bob s end. Let X r be the random variable that denotes the number of photons received by Bob, with Eve present, that collapse at random and let E(X r ) be the expectation of X r, then EX ð r Þ ¼ P r n ¼ 3 n Probability of detecting Eve s presence From the previous section, we see that if Y is the random variable that represents the additional number of photons that collapse at random with and without Eve present, then the expectation of Y is given by EY ð Þ ¼ EX ð r ÞEX ð Þ ¼ 3n n ¼ n Assume that at any given instance (of Y), y ¼ n are the additional number of photons that collapse randomly as a result of Eve s presence. Eve s presence will go undetected if all of these photons collapse to the correct bit value. This happens with the probability n P Eve undetected ¼ 1 Therefore, probability that Eve s presence will be detected is P Eve _ detected =1P Eve _ undectected. Because one-time pad keys are as long in length as the data itself, we expect n to be quite large. For example, for a 1-kB (819 bits) file being transferred, the probability that Eve s presence will be detected is given by P Eve detected ¼ Eve eavesdrops on more than one iteration of the protocol If Eve eavesdrops on more than one iteration of the protocol, the probability of eavesdropping going undetected is decreases. For example, if Eve eavesdrops on t iterations then, probability of Eve s presence will be detected is given by P Eve detected ¼ 1 1 n t 6.3. Eve eavesdrops on only a fraction of photons In the case that Eve only measures a fraction of the photons, rather than all the n photons, in a given iteration, the analysis of eavesdropping remains the same. We computed probabilities of bases matching between Alice, Bob, and Eve for a given photon i, in the previous section. The probability that at least one of the bases between Alice, Bob, and Eve, for a given photon i, is different from the others, was given by P r ¼ 1 Pb i a ¼ bi e ¼ 3 bi b ¼ Consequently, if Eve eavesdrops on m out of n photons, then if X rm is the random variable that denotes the number 139 Security Comm. Networks 013; 6: John Wiley & Sons, Ltd.

7 A. Parakh of photons that collapse randomly at Bob s end, then the expectation of X rm is given by EX ð rm Þ ¼ P r m ¼ 3 m The analysis of probability of detection of Eve s presence remains the same (as in the previous section), and we simply replace n with m. m P Eve dectected m ¼ 1 1 and if Eve eavesdrops on m n photons on t iterations, then the probability that Eve will be detected is given by P Eve detected m ¼ CONCLUSIONS m t In this article, we have presented a protocol, based on quantum mechanics, that can be used to transfer a one-time pad over a public channel. The proposed protocol demonstrates phenomenon that is not possible in classical communication and has not been discussed previously in quantum cryptography. For example, unlike previous protocols, Bob s communication back to Alice is minimum (only an abort signal upon detection of eavesdropping). Also, in the proposed protocol, Bob is able to detect eavesdropping, whereas in all previous protocols, Alice detected eavesdropping as she is the one who knows the original bit values that were sent. The probability of detection of eavesdropping in the proposed protocol is higher than that in BB8 because the proposed protocol results in more number of usable bits at Bob s end. Further, the transfer of the key is probabilistic in nature, and Bob s confidence in the final key can be made arbitrarily high. Also, Alice chooses the entire key that is to be used. With a small modification of the protocol, one can eliminate the requirement of Alice s classical communication (to Bob), thus making the protocol an all quantum protocol where no bases need to be disclosed. REFERENCES 1. Menezes AJ, Vanstone SA, Oorschot PCV. Handbook of Applied Cryptography (1st edition). CRC Press, Inc.: Boca Raton, FL, USA, Shor P. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing 1997; 6 (5): Shanon C. Communication theory of secrecy systems. Bell System Technical Journal 199; 8: Bennett CH, Brassard G. Quantum cryptography: public key distribution and coin tossing. In Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing. IEEE Press: New York, 198 pages; Shor PW, Preskill J. Simple proof of security of the BB8 quantum key distribution protocol. Physical Review Letters 000; 85:1. 6. Ekert AK. Quantum cryptography based on Bell s theorem. Physical Review Letters 1991; 67: Bennett CH, Brassard G, Mermin ND. Quantum cryptography without Bell s theorem. Physical Review Letters 199; 68: Bennett CH. Quantum cryptography using any two nonorthogonal states. Physical Review Letters 199; 68: Kartalopoulos SV. K08: a generalized BB8/B9 protocol in quantum cryptography. Security and Communication Networks 009; (6): Kak S. A three-stage quantum cryptography protocol. Foundations of Physics Letters 006; 19: Shamir A. On the power of commutativity in cryptography. In Proceedings of the 7th Colloquium on Automata, Languages and Programming. Springer- Verlag: London, UK, 1980 pages; Zamani F, Verma P. A QKD protocol with a two-way quantum channel. In Advanced Networks and Telecommunication Systems (ANTS), 011 IEEE 5th International Conference on, pages 1 6, Dec Nielsen MA, Chuang IL. Quantum Computation and Quantum Information. Cambridge University Press: New York, NY, USA, 000. Security Comm. Networks 013; 6: John Wiley & Sons, Ltd. 1395