Information theoretic security by the laws of classical physics

Transcription

1 The important thing is not to stop questioning! Curiosity has its own reason for existing. (Albert Einstein) Information theoretic security by the laws of classical physics R. Mingesz 1), L.B. Kish 2), Z. Gingl 1), C.G. Granqvist 3), H. Wen 2,4), F. Peper 5), T. Eubanks 6), G. Schmera 7) 1) Department of Technical Informatics, University of Szeged, Hungary 2), College Station, TX, USA 3) Department of Engineering Sciences, The Ångström Laboratory, Uppsala University Sweden 4) Hunan University, College of Electrical and Information Engineering, Changsha, China 5) National Institute of Information and Communication Technology, Kobe Japan 6) Sandia National Laboratories, Albuquerque, NM, USA 7) Space and Naval Warfare Systems Center, San Diego, CA, USA Quantum computing seminar, CS, TAMU, September 18, Keynote-Invited Talk at the IEEE's International Workshop on Soft Computing Applications ( SOFA) August 23, 2012, Szeged, Hungary

2 Content 1. Information theoretic security (unconditional security) 2. Security provided by the laws of physics 3. Few words about quantum key exchange 4. On cracking practical (non-ideal) quantum key exchange systems 5. The Kirchhoff-Law-Johnson-(like)-Noise (KLJN) secure key exchange 6. Attacks against practical (non-ideal) KLJN systems and defense against them 7. Potential applications and perspectives 8. Live demonstration

3 Introduction: Secure network communication by encryption Secure key (shared by A & B) A (Alice) Communicator, Cipher Eavesdropper (Eve) Secure key (shared by A & B) B (Bob) Communicator, Cipher Encrypted information The eavesdropper (Eve) does not have the secure key thus she is unable to decrypt the information. But how to share the secret key securely through the line when Eve is watching? The generating/sharing of the secret key should itself be a secure communication. Today's commonly used internet keys are not unconditionally secure, they are only conditionally (computationally) secure. The condition is that Eve's computing hardware or algorithm are not advanced enough and/or only short-term security is enough. It is not Future-Proof security. Example: if Eve could use and efficient prime number factoring algorithm or computer, such as a quantum computer, these methods would offer no security at alland, in even with a regular computer and algorithm, it is only a question of time to break the whole message, 100% of encrypted bits.

4 Security by the laws of physics (classical or quantum) Physical secure key exchange Alice Channel Bob An enlightening discussion with Prof. Vincent Poor about imperfect unconditional security is appreciated. Eve Eve's information: Originates from Measurement Data Eve will use the measurement data to guess the key bits. This serves Eve's information depending on how successful Eve is with the guessing. If Eve's bit-error-probability of guessing is E then her fidelity is p = 1 - E Note: p = 1 (E = 0) means total success by Eve which means Zero Security p = E = 0.5 corresponds to a random coin, which means Perfect Security 0.5 < p < 1 is Imperfect Security (common for all practical physical system)

5 Specifically about Eve's information. The fidelity p is the probability of successful guessing of bits. Shannon's binary channel capacity: C e = f s [ 1+ plog 2 p + (1 p)log 2 (1 p) ] bit/s p = C e /f s = 10-8 bit Eve's information that she extracts from a single bit: C e / f c 0.4 Perfect security 0.2 Perfect security p (probability of correct guess by Eve)

6 Conditional versus Unconditional security. Information-leak: K = C AE /C AB = C BE /C AB K 1 Perfect, Conditional Laws of physics RSA, etc network keys K 1 Imperfect, Conditional Laws of physics some earlier hardware-based techniques 0 Eve's resources 0 Eve's resources 1 Laws of physics 1 Laws of physics K Perfect, Unconditional ideal QKD and KLJN K Imperfect, Unconditional Realistic QKD and KLJN 0 0 Eve's resources Eve's resources Note: "Reaslistic" implies finite key length and process duration. Infinite key length would be perfect security via privacy amplification.

7 Privacy amplifier: from a long weakly leaking key it makes a short key with improved security. Originally developed for quantum encryption: [C.H. Bennett, G. Brassard, J.-M. Robert, "Privacy amplification by discussion", SIAM J. Computing 17 (1988) ] In the case of imperfect security, privacy amplification will help to approach perfect security (but never reach it.) It is basically a bit-error enhancer. Eve's fidelity will approach 0.5. Serious precondition: The fidelity between Alice-Bob must be large because their bit errors are also enhanced. Thus quantum communicators use first error correction because of their limited fidelity. K 1 0 Imperfect, Unconditional Laws of physics Eve's resources Realistic QKD and KLJN Eve's information that she extracts from a single bit: Perfect security C e / f c C e = f s [ 1 + p log 2 p + (1 p) log 2 (1 p) ] Perfect security p (probability of correct guess by Eve) Privacy amplifier

8 Privacy amplifier: from a long weakly leaking key it makes a short key with improved security. A simple privacy amplifier by XOR-ing the pairs of key bits is studied in: T. Horvath, L.B. Kish, J. Scheuer, "Effective Privacy Amplification for Secure Classical Communications", EPL 94 (2011) 28002; p = K = 10-8 Practically Perfect Security k = number of steps for K = 10-8

9 Introduction: Generic quantum communicator scheme (for quantum key distribution) A (Alice) Quantum communicator "Dark" optical fiber B (Bob) Quantum communicator Single photons carry single bits Actually, one photon effectively has less than a bit information due to noise in the detection, channel and detector.

10 Introduction: Generic quantum communicator scheme (for quantum key distribution) Base of security: quantum no-cloning theorem: copies of single photons will be noisy. After making a sufficient error statistics, the eavesdropping can be discovered. A (Alice) Quantum communicator Single photons carry single bits B (Bob) Quantum communicator Extra noise is introduced when the cloned photon is fed back. Eavesdropper (Eve)

11 Introduction: Generic quantum communicator scheme (for quantum key distribution) Base of security: quantum no-cloning theorem: copies of single photons will be noisy. After making a sufficient error statistics, the eavesdropping can be discovered. Classical, authenticated, public channel A (Alice) Quantum communicator Single photons carry single bits B (Bob) Quantum communicator Extra noise is introduced when the cloned photon is fed back. Eavesdropper (Eve)

12 Introduction: Some practical problems at the conceptual level Conceptual weakness of quantum communication is the need of making a statistics to discover the eavesdropping. One-time eavesdropping on a single photon cannot be detected. This is also information leak. A (Alice) Quantum communicator Single photons carry single bits B (Bob) Quantum communicator Eavesdropper (Eve) Not only single photons Channel noise Detector noise Quantum efficiency <1 Solution (by Ch. Bennett): Privacy Amplifier (classical information software-tool) to make a short, highly secure key from a long poorly secure key. This can reduce the information leak arbitrarily, by orders of magnitude, provided the fidelity of the communication is high-enough.

13 Quantum hackers. only imperfect conditional security: hackers utilized naive (curable) weaknesses, such as blinding detectors. Condition of security before fix: their attack methods are not used by Eve.

14 These papers indicate that practical quantum crypto offered only imperfect conditional security: hackers utilized naive weaknesses, such as blinding detectors. After building defense against these naive errors, practical quantum crypto could potentially become imperfect unconditional as before. [1] Merali Z (29 August 2009) Hackers blind quantum cryptographers. Nature News, DOI: /news [2] Gerhardt I, Liu Q, Lamas-Linares A, Skaar J, Kurtsiefer C, Makarov V (2011) Full-field implementation of a perfect eavesdropper on a q uantum cryptography system. Nature Communications 2; article number 349. DOI: /ncomms1348. [3] Lydersen L, Wiechers C, Wittmann C, Elser D, Skaar J, Makarov V (2010) Hacking commercial quantum cryptography systems by tailored bright illumination. Nature Photonics 4: DOI: /NPHOTON [4] Gerhardt I, Liu Q, Lamas-Linares A, Skaar J, Scarani V, Makarov V, Kurtsiefer C ( 2011) Experimentally faking the violation of Bell's inequalities. Phys. Rev. Lett. 107: DOI: /PhysRevLett [5] Makarov V, Skaar J (2008) Faked states attack using detector efficiency mismatch on SARG04, phase-time, DPSK, and Ekert protocols. Quantum Information and Computation 8: [6] Wiechers C, Lydersen L, Wittmann C, Elser D, Skaar J, Marquardt C, Makarov V, Leuchs G (2011) After-gate attack on a quantum cryptosystem. New J. Phys. 13: DOI: / /13/1/ [7] Lydersen L, Wiechers C, Wittmann C, Elser D, Skaar J, Makarov V (2010) Thermal blinding of gated detectors in quantum cryptography. Optics Express 18: DOI: /OE [8] Jain N, Wittmann C, Lydersen L, Wiechers C, Elser D, Marquardt C, Makarov V, Leuchs G (2011) Device calibration impacts security of quantum key distribution. Phys. Rev. Lett. 107: DOI: /PhysRevLett [9] Lydersen L, Skaar J, Makarov V (2011) Tailored bright illumination attack on distributed-phase-reference protocols. J. Mod. Opt. 58: DOI: / [10] Lydersen L, Akhlaghi MK, Majedi AH, Skaar J, Makarov V (2011) Controlling a superconducting nanowire singlephoton detector using tailored bright illumination. New J. Phys. 13: DOI: / /13/11/ [11] Lydersen L, Makarov V, Skaar J (2011) Comment on Resilience of gated avalanche photodiodes against bright illumination attacks in quantum cryptography. Appl. Phys. Lett. 99: DOI: / [12] Sauge S, Lydersen L, Anisimov A, Skaar J, Makarov V (2011) Controlling an actively-quenched single photon detector with bright light. Opt. Express 19: [13] Lydersen L, Jain N, Wittmann C, Maroy O, Skaar J, Marquardt C, Makarov V, Leuchs G (2011) Superlinear threshold detectors in quantum cryptography. Phys. Rev. Lett. 84: DOI: /PhysRevA [14] Lydersen L, Wiechers C, Wittmann C, Elser D, Skaar J, Makarov V (2010) Avoiding the blinding attack in QKD; REPLY (COMMENT). Nature Photonics 4: DOI: /nphoton [15] Makarov V (2009) Controlling passively quenched single photon detectors by bright light. New J. Phys. 11: DOI: / /11/6/

15 Something much more fundamental is coming up by a leading quantum crypto expert at Northwestern University:

16 Something much more fundamental is coming up by a leading quantum crypto expert at Northwestern University: Its Conclusions: A disconcertingly large number of papers, both on theory and on experiment, have made claims that the QKD system they discuss is unconditionally secure. In the case of theory, the claim sometimes is based on nothing more than a simple declaration, with perhaps a flimsy qualitative reason that is far from a proof. That is the case, for, example, on why a lossy channel merely changes the throughput but not the security of singlephoton BB84, as discussed in [15]. Much effort has been spent on the decoy states approach with claimed unconditional security, but it simply does not give such guarantee as we show in this paper. The important point in this connection is not who have made errors, we all do. It is that, as discussed above, there simply has never been a proof offered. At best, only a specific kind of PNS attack is thwarted. Why can one then claim unconditional security? This is a major problem in almost every aspect of QKD security [12 16]. Since general security cannot be established by experiment, we have to deal with it much more seriously and critically.

17 Conditional versus Unconditional security. Information-leak: K = C AE /C AB = C BE /C AB K 1 Perfect, Conditional Laws of physics RSA, etc network keys K 1 Imperfect, Conditional Laws of physics Recent full cracking of QKD 0 Eve's resources 0 Eve's resources 1 Laws of physics 1 Laws of physics K Perfect, Unconditional ideal QKD and KLJN K Imperfect, Unconditional Realistic QKD and KLJN 0 0 Eve's resources Eve's resources Note: "Reaslistic" implies finite key length and process duration. Infinite key length would be perfect security via privacy amplification.

18 Kirchhoff-Law-Johnson-Noise (KLJN) Science Magazine, 2005 secure key exchange (first scheme: 2005) Ny Teknik, 2005 New Scientist, 2007

19 They are as bad as "Kish cypher" on Wikipedia

20 History of new results Unpublished manuscript featured in the Science magazine, by Adrian Cho, "Simple noise may stymie spies without quantum weirdness" Science 309, p (September 30, 2005). L.B. Kish, "Totally Secure Classical Communication Utilizing Johnson (-like) Noise and Kirchoff's Law"; Physics Letters A 352 (March, 2006) L.B. Kish, "Protection against the man-in-the-middle-attack for the Kirchhoff-loop-Johnson(-like)-noise cipher and expansion by voltage-based security", Fluctuation and Noise Letters 6 (2006) L57-L63. L.B. Kish, R. Mingesz, "Totally secure classical networks with multipoint telecloning (teleportation) of classical bits through loops with Johnson-like noise", (March 5, 2006). L.B. Kish, "Methods for using existing and currently used wire lines (power lines, phone lines, internet lines) for totally secure classical communication utilizing Kirchhoff's loop and Johnson-like noise", (October 2, 2006) Unpublished manuscript featured in the New Scientist magazine, by D. Jason Palmer, "Noise keeps spooks out of the loop" New Scientist, issue 2605, p. 32, (23 May 2007) R. Mingesz, Zoltan Gingl, Laszlo Kish, "Realization and Experimental Demonstration of the Kirchhoff-loop-Johnson(-like)-Noise Communicator for up to 2000 km range", Physics Letters A 372 (2008) pp. 978 to 984. L.B. Kish, O. Saidi, Unconditionally secure computers, algorithms and hardware. Fluct. Noise Lett. 8 (2008) L95-L98. L.B. Kish, T. Horvath, "Notes on recent approaches concerning the Kirchhoff-law-Johnson-noise-based secure key exchange", Phys. Lett. A 373 (2009) L.B. Kish, J. Scheuer, "Noise in the wire: The real impact of wire resistance for the Johnson(-like) noise based secure communicator", Phys. Lett. A 374 (2010) T. Horvath, L.B. Kish, J. Scheuer, "Effective privacy amplification for secure classical communications", Europhys. Lett. 94 (2011) L.B. Kish, F. Peper, "Information networks secured by the laws of physics", IEICE Trans. Commun. E95-B (2012) Unpublished SOFA manuscript featured in MIT Technology Review, Quantum Cryptography Outperformed By Classical Technique", June 14, 2012, Unpublished SOFAmanuscript featured in Extreme Tech, "Move over, quantum cryptography: Classical physics can be unbreakable too", June 15, 2012, The present SOFA manuscript

21 SOFA manuscript featured: June 15, 2012

22 SOFA manuscript featured; June 14, 2012

23 Controversial? For whom?

24 Controversial? For whom? For those: - Who don't understand unconditional (information theoretic) security (especially in physical systems); - Who don't understand this particular system.

25 Secure Key Generation and Exchange. Basic idea: resistor loop (Kirchhoff loop) At the beginning of each clock period, one of the resistors gets contacted to the line. Possible loop resistance R loop values: R loop = 2*R S, 2*R L, R S + R L R A Communicator A Information channel (wire) R B Communicator B R S R L R S R L

26 Basic idea: resistor loop (Kirchhoff loop): secure key generation and sharing Possible loop resistance R loop values: R loop = 2*R S, 2*R L, R S + R L If Alice and Bob could measure the loop resistance R loop in a way that does not uncover their own resistance then secure key exchange can be established. Note, the loop resistance will be a public information. R A Communicator A R B = R loop - R A ; R A = R loop - R B Information channel (wire) Eavesdropper R B Communicator B R S R L R S R L

27 Similar situation as in the "Who feeds the cat" problem. If both neighbors feed it or neither of them, the situation is obvious. But if only one of them is feeding the cat, it is not obvious which one does that.

28 Note: many believes that the role of noise here is to scramble the information. Wrong. The role of noise here is the measure the public information of bit states, LL, HH, or LH/HL Such "secure" measurement of the loop resistance can be done by utilizing the thermal noise (Johnson noise) of the resistors. The loop resistance can be evaluated in two different ways: Johnson-Nyquist formulas for this Kirchhoff loop: S u,r ( f ) = 4kT (a) R A R B R A + R B S i,r ( f ) = (b) 4kT R A + R B R A R B R A + R B U Ch S Ch (f) R A + R B U A +U B S usa (f)+s urb (f) I Ch S ich (f)

29 SECURE KEY GENERATION AND EXCHANGE BY VOLTAGE MEASUREMENTS S u,ch HH HL/LH LL time SECURE KEY BIT IS GENERATED/SHARED A B U Ch, I Ch S u,ch S i,ch R 1 R 0 R 0 R 1 U 1A S u1a (f) U 0SA S u0a (f) U 0B S u1b (f) U 1B S u1b (f)

30 Eavesdropper's Passively Observed/Extracted Information: Resistances but not their locations R 1,2 = 4kTS u,ch ± ( 4kTS ) 2 3 u,ch - 4S u,ch S i,ch 2S u,ch S i,ch A B U Ch, I Ch S u,ch S i,ch R 1 R 0 R 0 R 1 U 1A S u1a (f) U 0A S u0a (f) U 0B S u1b (f) U 1B S u1b (f)

31 Eavesdropper's Passively Observed/Extracted Information: Resistance values but not their locations. Perfect security, independently of Eve's measurement resources: she can have infinite accuracy and speed. Perfect Unconditional Security in the ideal system. The information is simply not present in the voltage and current: Information Theoretic Security Also essential that Gaussian processes allow distribution functions up to the second order only. For example, the power density spectrum or two-point autocorrelation provides a full characterization of the process. The most efficient tool to analyze the transport are the voltage-current crosscorrelation and crosspectrum. No higher order correlations or spectra provide more information. However, these are zero because the net power flow is zero. The Johnson-Nyquist formula of thermal noise is based on the Fluctuation-Dissipation Theorem which originates from the Second Law of Thermodynamics that prohibits net power flow between systems of identical temperature and the construct a perpetual motion machine of the second kind. Therefore it is as impossible to crack this ideal system as to construct perpetual motion machine (of the second kind). A Directional information: U ch I ch U ch I ch = 0 U Ch, I Ch S u,ch S i,ch (similar to Poynting vector) B R 1 R 0 R 0 R 1 U 1A S u1a (f) U 0A S u0a (f) U 0B S u1b (f) U 1B S u1b (f)

32 Hacking into the key exchange: Active (invasive) Eavesdropping Only the exact situation defined by the above circuitry has perfect security. Any deviation from that situation causes information leak: typically imperfect but unconditional security. Note: all the non-ideal features of elements (see later) show up as a hacking attacks and the defense features against invasive attacks work against them, too. For example, the circuitry can be modified by installing extra elements to the wire; or a small stochastic current or a short large current pulse (etc) can be injected there. A I B U Ch, I Ch S u,ch S i,ch R 1 R 0 R 0 R 1 U 1A S u1a (f) U 0A S u0a (f) U 0B S u1b (f) U 1B S u1b (f)

33 Defense against hacking by comparing instantaneous voltage and current data at the ends Foundation: in the ideal circuit, instantaneous current and voltage amplitudes are uniform all along the line. That is the requirement for perfect security. Only classical physics can do this. THE EAVESDROPPER IS DISCOVERED LATEST AFTER EXTRACTING A SINGLE BIT OF INFORMATION. The stochastic current method can extract zero bit, a large current pulse method can extract one bit. ADVANTAGE TO KNOWN QUANTUM COMMUNICATION SCHEMES THAT NO KEY-STATISTICS IS REQUIRED. Public channel, broadcasting for comparing instantaneous local current (A) and voltage (V) data SENDER Alice A DI ES DI ER A RECEIVER Bob V DU E,Ch V DI E R 1 R 0 R 0 R 1 U 1S S u1s (f) U 0S S u0s (f) Eve U 0R S u1r (f) U 1R S u1r (f)

34 Defense against invasive attacks or hacking (non-ideality) attacks: publishing and comparing current and voltage data at the two ends Multiple public broadcast channels or a single authenticated channel Public broadcast channels Alice Channel Bob Perfect authentication needs only the order of log(m) secret bits to authenticate an m-bit long message. (D.R. Hjelme, L. Lydersen, V. Makarov, "Quantum Cryptograhy", in "A Multidisciplinary Introduction to Information Security" CRC Press (2011/2012), )

35 Example the attack "below the belt": Man-In-The-Middle (MITM) attack The original current/voltage-comparison naturally defends against it SENDER Alice I S,Ch I R,Ch RECEIVER Bob R 0 R 1 R 0 R 1 R 1 R 0 R 0 R 1 U 1,S S u1,s (f) U 0,S S u0,s (f) U 0,E S u0,e (f) U 1,E S u1,e (f) U 0,E S u0,e (f) U 1,E S u1,e (f) U 0,R S u1,r (f) U 1,R S u1,r (f)

36 Let us suppose 7 bits resolution of the measurement (a pessimistic value), then P 0 = 1/ 128, which is less than 1% chance of staying hidden. On the other hand, P 0 is the probability that the eavesdropper can stay hidden during the correlation time t of the noise, where t is roughly the inverse of the noise bandwidth. Because the KLJN cipher works with statistics made on noise, the actual clock period T is N >>1 times longer than the correlation time of the noise used [1]. Thus, during the clock period, the probability of staying hidden is: P clock = P 0 N Supposing a practical T =10t (see [1]) the probability at the other example P < This is the estimated probability that, in the given system the eavesdropper can extract a single bit without getting discovered. The probability that she can stay hidden while extracting 2 bits is P < 10-40, for 3 bits it is P < 10-60, etc. In conclusion, we can safely say that the eavesdropper is discovered immediately before she can extract a single bit of information. At 7 bit current comparison, the probability of staying hidden for a single clock period is less than 10-20

37 Suppose the eavesdropper synchronizes the current values with twin current generators during the MITM attack. She can extract at most one bit while she is discovered. She will be discovered because the high-resistance end will see a large voltage and interpret the situation as it is a non-secure-bit communication case. The other end will interpret it as a secure bit communication. This contradiction uncovers the eavesdropper. However: she can extract zero bit if the voltage values are also compared at the two ends. Alice SENDER Bob RECEIVER V V R 1 R 0 R 0 R 1 U 1,S S u1,s (f) U 0,S S u0,s (f) U 0,R S u1,r (f) U 1,R S u1,r (f)

38 Suppose, the eavesdropper synchronize the voltage values with two twin voltage generators during the MITM attack? Then she can extract zero bits because the current values are compared at the two ends, already in the original scheme. SENDER Alice RECEIVER Bob R 1 R 0 R 0 R 1 U 1,S S u1,s (f) U 0,S S u0,s (f) U 0,R S u1,r (f) U 1,R S u1,r (f)

39 Uncovering the eavesdropper by Comparing the instantaneous current data (authenticated channel and/or broadcasting) THE EAVESDROPPER IS DISCOVERED DURING EXTRACTING A SINGLE BIT OF INFORMATION. The stochastic current method can extract zero bit, a large current pulse method can extract one bit. ADVANTAGE TO KNOWN QUANTUM COMMUNICATION SCHEMES THAT NO KEY-STATISTICS IS REQUIRED. Public channel, broadcasting for comparing instantaneous local current (A) and voltage (V) data SENDER Alice A DI ES DI ER A RECEIVER Bob V DU E,Ch V DI E R 1 R 0 R 0 R 1 U 1S S u1s (f) U 0S S u0s (f) Eve U 0R S u1r (f) U 1R S u1r (f)

40 Passive listening at practical, non-ideal situation - Only the ideal circuit has perfect unconditional security. Real ones are imperfect unconditional. - Real circuitry is never ideal thus its security can only be imperfect unconditional: there will be a small information leak that stays small even for the maximum resources of Eve that are allowed by the laws of physics. Laws of physics K 1 0 Imperfect, Unconditional Eve's resources Realistic QKD and KLJN - Depending on resources and conditions, the circuit can approach the ideal limit and perfect security but it can never reach it. For example the information leak due to non-zero wire resistance is inversely proportional to the 4-th power of wire diameter. Thus thicker wires provide progressively higher security. - However, it can be much more economical to use a thin wire with a few privacy amplification steps, lose some speed and still get the same security. -Note: all the non-ideal features of elements shows up as a hacking attack and the defense features against invasive attacks work against them, too.

41 Practical limits (slide from the very first seminar, CS, TAMU, October 18, 2005) For perfect security, the loop must be exactly the same as defined by its circuit diagram. Any deviation may give information to the eavesdropper. The situation is similar to the case of quantum communication: The more we approach the ideal conditions, the more secure the system is. Therefore the security of the system can be designed to the required level depending on resources. f max L <<c 1. Wave situation should be avoided. Moreover, the clock frequency should be low-enough to make a sufficient statistics: For a practical estimation, let us suppose that c = 2*10 8 meter/s, f maxl = 0.1* c, and f c = 0.1* f max. Then the effective bandwidth-distance product f L = c 2*106 meterhz. This is slightly (factor of 2-3) better than present quantum communicator arrangements [8] I. Marcikic, H. de Riedmatten, W. Tittel, H. Zbinden, and N. Gisin, Long distance teleportation of qubits at telecom wavelength, Nature 421, 509 (2003). f c << f max MULTI WIRE+CHIP high speed! 2. Inaccuracies: Wire resistance should be much less than any of the bit resistances. The bit resistances and noise generators should be as identical at Alice and Bob as possible. 3. Wire capacitance and inductance should not effect the loop impedance. This is another constraint on the frequency bandwidth (but should be easy to handle it with artificial noise generators). 4. Transients. Caused much concern and generated fundamental questions among colleagues but easiest to deal with this problem in the practice (especially for non-stealth communications

42 Any deviation from the system defined by this circuitry or deviations from the thermal (-like) noise behavior compromises security! Assuming waves, serial resistance (Bergou-Scheuer-Yariv), different noise temperatures (Hao), etc, are deviations from basic assumptions and imply different circuitries which are not totally secure. Such assumptions are allowed at the practical considerations but they have nothing to do with the security at the conceptual level. A distributed RLC network U Ch, I Ch S u,ch S i,ch B The same defense mechanism as for hacking will reveal the information leak. Alice and Bob will know Eve's information, which is a new situation in cryptography. Public channel, broadcasting for comparing instantaneous local current (A) and voltage (V) data R 1 R 0 R 0 R 1 SENDER Alice A DI ES DI ER A RECEIVER Bob U 1A S u1a (f) U 0SA S u0a (f) U 0B S u1b (f) U 1B S u1b (f) V DU E,Ch DI E V R 1 R 0 R 0 R 1 U 1S S u1s (f) U 0S S u0s (f) U 0R S u1r (f) U 1R S u1r (f)

43 Example for generic practical line driving. Low-pass filters secure the sufficiently slow operation and defend against possible high-frequency probing signals by Eve that may be out of the range of the current/voltage measurement systems. Alice Bob

44 Major published attack attempts. (They were somewhat disappointing because the current/voltage defense system has automatically defended against all these from the very beginning by showing Eve's extracted information. (Funny that these and many similar ones have been known and shown in seminars, and some were even published at the very beginning.) Public channel, broadcasting for comparing instantaneous local current (A) and voltage (V) data SENDER Alice A DI ES DI ER A RECEIVER Bob V DU E,Ch V DI E R 1 R 0 R 0 R 1 U 1S S u1s(f) U 0S S u0s(f) U 0R S u1r(f) U 1R S u1r(f) Scheuer-Yariv (PLA, 2006): (Note, current/voltage defense works against both attacks). - Wave propagation effects in long cables. Valid. Also, this issue has been excluded already in the very first paper on KLJN by requiring slow operation (wave-free limit). - Wire resistance issue (already listed in first seminar and by Bergou in the 2005 Science report). Incorrect calculations resulting in wrong units of results and a 1000 times larger signal for Eve than in reality. The correct calculations with 1000 times smaller leak signal were published by Kish-Scheuer in 2010). The measurements of Mingesz, et al (PLA 2008), showed 0.19% information leak at 99.98% fidelity: a situation where 2 privacy amplification step suppresses the leak below Feng Hao (IEEIS, 2006): - Pointing out that different temperatures at Alice and Bob yield information leak. Valid observation (but funny that was already noted though not published at the first seminar as the need of accurate noise generators). Analysis, in the response by Kish (FNL 2006), shows that the inaccuracy of resistor values is a much bigger practical problem. The measurements of Mingesz, et al (PLA 2008), showed a nondetectable information leak at the 14 bit resolution of noise generators used.

45 Major published attack attempts, continued Pao-Lo Liu (2009): - Computer simulation of wave propagation effects in long cables (same issue as Scheuer-Yariv 2006). At certain conditions, which were indicated as practical, fidelity of Eve as large as 78% was shown by the simulations. Invalid simulations. These claims were refuted by Kish-Horvath (2009) by showing the the simulations parameters were violating physical rules such as, for a 2 km long wire line the implied cable diameter was 28,000 times greater than the diameter of the known universe. It was surprising that Eve's fidelity was not higher due to the unphysical situation. k = number of steps for C e = 10-8 Note: even at such huge information leak, four step of privacy amplification (resulting in a 16 times slowdown) would restore the "practically perfect" security of 10-8 relative information leak.

46 Inaccuracies. How large is the impact of 1% inaccuracy? Scheuer-Yariv's only meaningful point. They indicate 1% voltage drop on the wire at certain practical conditions. They say that is enough for the eavesdropper to decode the signal. Here is the proof that their claim is not true. Shannon's channel coding theorem: C = f c [ 1+ plog 2 p+(1- p) log 2 (1- p) ] results in relative standard deviation 0.2 of the voltage and current statistics [14]. The results are summarized in Figure 2. Note, only the relative positions and the shape of the curves have meaning, not the actual x and y values. During the clock period, due to Eq. (2), the time is enough only for a few statistically independent sampling of these distribution functions. This sampling is enough for the sender and the receiver, see Figure 2 (a), to decide between the two functions with 0.3% error rate [7]. However the eavesdropper, who measures the voltage drop, has to decide between the two situations by sampling the f(x) and g(x) density functions given in Fig. 2 (b) and that must be done with the same small number of independent samples. The characteristics width (standard deviation) of these curves (20% of the peak's x coordinate) is 20 times greater than the difference of the locations of the x coordinates of the peaks (1%). The eavesdropper's task seems to be hopeless by the naked eye however, by using proper statistical tools, she can still extract some information. A deeper analysis based on Shannon's channel coding theorem [7] concludes that in this case the upper limit of information leak is 0.7% of the transmitted bits. This is close to but less than the information leak of quantum communicators without privacy amplifier software (see above). Thus Sch-Y's 1% drop of the MS voltage yields a lower information leak than that of quantum communicators. Model study of distribution functions [7]. (a): Amplitude distribution functions sampled by the sender and receiver. (b): Amplitude distribution functions sampled by the eavesdropper at the two ends of the wire. Though we accept the 1% drop of the MS voltage as a realistic practical goal [7] we disagree with Sch-Y's claim that the eavesdropper can easily detect this 1% drop. With the very same voltage drop, we have carried out a model study [7] of the distribution functions of the voltages, currents and the drop of the MS voltage for R 1 / R 0 =10, with a linear full-wave detector [14] and clock period t c = 3/ f max S u,ch time

47 The realized communicator pair. Statistics at Alice's side during clock cycles. At a BSchY attack, the eavesdropper will have only a single clock cycle to distinguish between LH and HL. The wire resistance is about 2% of the loop resistance during the LH or HL states: R L =2 kohm, R H =11kOhm, R w =200 Ohm. (a) (b) (c)

48 Statistics at Alice's side during a BSchY attack, single clock cycle. (a) The wire resistance is about 2% of the loop resistance, 10% of the smallest resistance, during the LH or HL states: R L =2 kohm, R H =11kOhm, R w =200 Ohm. The poor statistics seen in figures (a) and (b) are enough for Alice and Bob to identify secure bit alignment with 0.02% error rate (99.88% 99.98% fidelity). However when Eve tries to identify the bits from the two histogram recorded at the two ends of the line (see figure (c)) she must work with these distributions which are very stochastic, almost identical and totally overlapping with a 1% or less shift of their centers [7] which results in less than 0.19% eavesdropped bit / transmitted secure bit. Three independent statistics of LH and HL at Alice's side Single clock stats of each states at Alice's side (c) (b)

49 R. Mingesz, Z. Gingl, L.B. Kish, Realization and Experimental Demonstration of the Kirchhoff-loop-Johnson(-like)- Noise Communicator for up to 2000 km range;

50 R. Mingesz, Z. Gingl, L.B. Kish, Realization and Experimental Demonstration of the Kirchhoff-loop-Johnson(-like)- Noise Communicator for up to 2000 km range; PLA, in press; DSP Unit Analog Unit KLJN Line Analog Unit DSP Unit Computer The computer control parts of the communicator pair have been realized by ADSP-2181 type Digital Signal Processors (DSP) (Analog Devices). Robert Mingesz Zoltan Gingl The communication line current and voltage data were measured by (Analog Devices) AD-7865 type AD converters with 14 bits resolution from which 12 bits were used. The DA converters were (Analog Devices) AD-7836 type with 14 bits resolution. The Johnson-like noise was digitally generated in the Gaussian Noise Generator unit where digital and an alog filters truncated the bandwidth in order to satisfy the KLJN preconditions of removing any s purious frequency components. The major bandwidth setting is provided by an 8 -th order Butterworth filter with sampling frequency of 50 khz. The remaining small digital quantization noise components are removed by analog filters. The experiments were carried out on a model-line, with assumed cable velocity of light of 2*10 8 m/s, with ranges up to 2000 km, which is far beyond the range of direct quantum channels, or of any other direct communication method via optical fibers. The device has bit rates of 0.1, 1, 10, and 100 bit/second for ranges 2000, 200, 20 and 2 km, respectively. The wire diameters of the line model are selected so that they resulted in about 200 Ohm internal resistance for all the different ranges. The corresponding copper wire diameters are reasonable practical values for the different ranges are 21 mm (2000 km), 7 mm (200 km), 2.3 mm (20 km) and 0.7 mm (2 km). Inductance effects are negligible with the selected resistance values, R 0 and R 1, at the given ranges and the corresponding bandwidths. If the wire is a free hanging one with a few meters separation from earth, such as power lines, parasitic capacitances are not a problem up to 10% of the nominal range. For longer ranges than that, either coaxial cables driven by the capacitor killer are needed or the speed/bandwidth must be decreased accordingly.

51 R. Mingesz, Z. Gingl, L.B. Kish, Realization and Experimental Demonstration of the Kirchhoff-loop-Johnson(-like)- Noise Communicator for up to 2000 km range; The noise bandwidth is selected so that the highest possible Fourier component in the line is at frequency 10 times lower than the lowest frequency standing-wave mode in the line. That condition results in noise bandwidths 5, 50, 500 and 5000 Hz for ranges 2000, 200, 20 and 2 km, respectively. Transient wave effects at the end of clock period are avoided in the Gaussian Noise Generator unit by driving the envelope of the time functions of noise voltage and current to zero before the switching using a linear ramp amplitude modulation (via 8% of the clock duration); and the reverse process is done at the beginning of the next clock cycle after the switching of resistors. Moreover a short pause (8 % of the clock time) with no data collection, except for security check, after the initial linear ramp at the beginning of stationary noise, is applied in order to avoid possible other types of transient effects of stochastic nature (though we have not seen any transients). All these are done before the filtering process to avoid any spurious frequency components due to the linear ramp. Because the security protection based on current and voltage comparison was effective up to 50 khz bandwidth, 1 nf capacitors at the two ends of the line were satisfactory line filters. Furthermore, these capacitors would have removed possible switching spikes originating from capacitive coupling in the analog switches due to possibly unbalanced parasitic capacitors; therefore there were no detectable switching transients in the line. The 11 kohm resistor is composed by connecting a 9 kohm serial resistor to the 2 kohm resistor. The 2 kohm resistors are two serial 1kOhm resistors with a 1 nf capacitor shunting their joint point to the ground to remove possible digital quantization noise. The 1 kohm resistor at the generator dive end was also used as a probe to measure the current in the line. The value of K is selected so that the noise voltage of the greater resistor is 1 Volt for all noise bandwidths. This resulted in S u ( f ) values of the greater resistor 0.2, 0.02, 0.002, V 2 /Hz for ranges 2000, 200, 20 and 2 km, respectively. Note: cable capacitance provides a further filtering but we cannot rely on that alone because of eavesdropping possibility.

52 R. Mingesz, Z. Gingl, L.B. Kish, Realization and Experimental Demonstration of the Kirchhoff-loop-Johnson(-like)- Noise Communicator for up to 2000 km range; Eavesdropping tests. Sample size: 74,497 clock cycle C eav C trans = 1+ p log 2 p + (1 - p) log 2 (1 - p) TYPE OF BREAKING MEASURED NUMBER, OR RATIO, OF EAVESDROPPABLE BITS WITHOUT SETTING ON THE CURRENT-VOLTAGE ALARM (TESTED THROUGH BITS) REMARKS BSchY (i) [2,6] attack in the present KLJN system 0.19% % at 1 0 times thicker wire (theoretical extrapolation). Arbitrarily can be enhanced by privacy amplification [12,13]; the price is slowing down. Hao (iii) [ 8] attack in the present KLJN system Zero bit Below the statistical inaccuracy. Considering the 12 bit effective resolution of noise generation accuracy, it is theoretically: < % Kish (iv) [ 9] attack utilizing resistor inaccuracies in the present KLJN system Zero bit Below statistical inaccuracy. Theoretically, when pessimistically supposing 1% resistance inaccuracy, it is: < 0.01% Current pulse injection (Kish) [1] in the present KLJN system Zero bit One bit can be extracted while the alarm goes on thus the bit cannot be used.

53 Presently (2012) i would not call practical quantum encryption unconditionally secure, however, this is only a temporary situation. After the proper defense methods will be developed against all these and similar other "naive"quantum-security-vulnerabilities, the following comparison should hold: Table 1. Comparison of relevant security levels for existing key exchange systems. Practical physically secure key distributions can never have perfect security, they can only approach it. Perfect Imperfect Information the o retic or unconditional Conditional QKD the o retical Yes for the whole key No for a single bit No for the whole key Yes for a single bit Yes No KLJN the o retical Yes for both the whole key and a single bit No Yes No QKD practical No Yes Yes No KLJN practical No Yes Yes No Software and prime number based Yes No No Yes

54 Quantum telecloning to 2 Units, Fidelity 60%, at Furusawa's Lab (Tokyo) Kirchhoff-Johnson network element 2006 Fidelity 99.98% Present Kirchhoff-Johnson network element

55 Prospective applications Unconditionally secure communication within computers, video games, iphones, and other instrumentations to secure algorithm and data. Using existing and currently used wires, such as power lines, phone lines, internet wire lines to build a unconditionally secure chain network of users.

56 The security of data and that of the algorithms in computers and hardware is vulnerable

57 Unconditional security of computers and hardware is possible. RESTRICTED

58 Unconditionally secure computers and hardware by thermal-like noise. Kish and Saidi, "Unconditionally secure computers and hardware, such as memories, processors, and hard drives", (FNL 2008) Example. Red arrows: Secure key generation and exchange by KLJN lines. The bus has a classical authenticated line for current/voltage comparison. Due to the short distances, the situation is very close to the ideal. No privacy amplification is required. PCU H Drive 1 RAM H Drive 2 BUS

59 Which one can be integrated on a silicon chip? Quantum telecloning to 2 network Units, Fidelity 60%, at Furusawa's Lab (Tokyo) Kirchhoff-Johnson network element tested (2006) Fidelity 99.98% Present Kirchhoff-Johnson network element

60 How to utilize existing wire lines currently in use for KLJN key exchange. Line Filter Box Line BE 1 BP 3 BE Line BP BE BE BP 2 R L R H R N R H R L External Line In External Line Out 1 3 Line Filter Box 2 Local line (e.g. to household line input) The line filter box (see Figure 1) should be installed at each intersection of the line to separate the non-kljn communicator loads from the KLJN frequency band. Communicator A Communicator B Example for how to use KLJN frequency Band Excluder (BE) and Band Pass (BP) filters to preserve a single Kirchhoff loop in the KLJN frequency band between two KLJN communicators with one intersection between them. Thick (blue) lines: original line current; thin (red) line: KLJN current; double (green) lines: both types of currents.

61 Power Station A Power Station B Communicator A (KLJN) Communicator B (KLJN) Communication via idealized 3-phase power lines with symmetric loads of the 3-phase transformers at Power Stations A and B, respectively.

62 Power Station A Power Station B BP BP Communicator A (KLJN) BE BE Communicator B (KLJN) Communication via practical 3-phase power lines. (asymmetric load)

63 Protocol example for "telecloning" ("teleportation") of bits to build a chain network (Kish-Mingesz, FNL, 2006) L 1 R 1 L 2 R 2 L 3 R 3 Coordinator-server (CS) and regular network Note: the Coordinator-server is also connected by a KLJN wire to one of the units, say to Unit 1. The Units run their KLJN ciphers until a secure bit exchange is reached. Then each Unit reports to the CS the logic relation, G [ = +1 (same bit) or -1 (opposite bit)], between their own left port and the bit at the left port of the right hand neighbor. If the Nth Unit wants to clone the bit at the left hand side of Unit 1, then he sends a request to the CS. F = Π N 1 G k The CS calculates 1 and send F to Unit N. Then Unit N multiplies his own left bit (+/-1) with F and gets the teleclone of the left bit of Unit 1. This cloned bit exists only at Unit 1 and Unit N. It does not exist at the other Units at the CS: teleportation type transfer.

64 The important thing is not to stop questioning! Curiosity has its own reason for existing. (Albert Einstein) Information theoretic security by the laws of classical physics R. Mingesz 1), L.B. Kish 2), Z. Gingl 1), C.G. Granqvist 3), H. Wen 2,4), F. Peper 5), T. Eubanks 6), G. Schmera 7) 1) Department of Technical Informatics, University of Szeged, Hungary 2), College Station, TX, USA 3) Department of Engineering Sciences, The Ångström Laboratory, Uppsala University Sweden 4) Hunan University, College of Electrical and Information Engineering, Changsha, China 5) National Institute of Information and Communication Technology, Kobe Japan 6) Sandia National Laboratories, Albuquerque, NM, USA 7) Space and Naval Warfare Systems Center, San Diego, CA, USA Quantum computing seminar, CS, TAMU, September 18, Keynote-Invited Talk at the IEEE's International Workshop on Soft Computing Applications ( SOFA) August 23, 2012, Szeged, Hungary

65 End of talk