5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes

Similar documents
Introduction to Quantum Cryptography

LECTURE NOTES ON Quantum Cryptography

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Quantum Cryptography. Areas for Discussion. Quantum Cryptography. Photons. Photons. Photons. MSc Distributed Systems and Security

Security Implications of Quantum Technologies

Cryptography in a quantum world

Lecture 1: Introduction to Public key cryptography

Quantum Error Correcting Codes and Quantum Cryptography. Peter Shor M.I.T. Cambridge, MA 02139

Quantum Cryptography and Security of Information Systems

Ping Pong Protocol & Auto-compensation

Practical quantum-key. key- distribution post-processing

An Introduction. Dr Nick Papanikolaou. Seminar on The Future of Cryptography The British Computer Society 17 September 2009

+ = OTP + QKD = QC. ψ = a. OTP One-Time Pad QKD Quantum Key Distribution QC Quantum Cryptography. θ = 135 o state 1

Unconditional Security of the Bennett 1992 quantum key-distribution protocol over a lossy and noisy channel

10 - February, 2010 Jordan Myronuk

Chapter 13: Photons for quantum information. Quantum only tasks. Teleportation. Superdense coding. Quantum key distribution

John Preskill, Caltech Biedenharn Lecture 2 8 September The security of quantum cryptography

Massachusetts Institute of Technology Department of Electrical Engineering and Computer Science Quantum Optical Communication

Introduction to Quantum Key Distribution

An Introduction to Quantum Information. By Aditya Jain. Under the Guidance of Dr. Guruprasad Kar PAMU, ISI Kolkata

A probabilistic quantum key transfer protocol

9. Distance measures. 9.1 Classical information measures. Head Tail. How similar/close are two probability distributions? Trace distance.

Physics is becoming too difficult for physicists. David Hilbert (mathematician)

High Fidelity to Low Weight. Daniel Gottesman Perimeter Institute

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

APPLICATIONS. Quantum Communications

Public-Key Cryptosystems CHAPTER 4

C. QUANTUM INFORMATION 111

A New Wireless Quantum Key Distribution Protocol based on Authentication And Bases Center (AABC)

arxiv:quant-ph/ v2 17 Sep 2002

Security of Quantum Key Distribution with Imperfect Devices

Quantum Cryptography

arxiv:quant-ph/ v1 13 Mar 2007

C. QUANTUM INFORMATION 99

Ph 219/CS 219. Exercises Due: Friday 3 November 2006

arxiv:quant-ph/ v2 2 Jan 2007

RSA RSA public key cryptosystem

Analysis of the Influenceof the Rate of Spies Measure on the Quantum Transmission

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Quantum Cryptography

Entanglement and Quantum Teleportation

Quantum key distribution for the lazy and careless

Notes for Lecture 17

A Genetic Algorithm to Analyze the Security of Quantum Cryptographic Protocols

Problem Set: TT Quantum Information

Lecture 28: Public-key Cryptography. Public-key Cryptography

A Matlab Realization of Shor s Quantum Factoring Algorithm

Advanced Cryptography Quantum Algorithms Christophe Petit

Research, Development and Simulation of Quantum Cryptographic Protocols

Quantum Cryptography. Marshall Roth March 9, 2007

CPSC 467: Cryptography and Computer Security

Key distillation from quantum channels using two-way communication protocols

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Quantum cryptography -the final battle?

Practice Assignment 2 Discussion 24/02/ /02/2018

CPSC 467b: Cryptography and Computer Security

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Error Reconciliation in QKD. Distribution

Entanglement. arnoldzwicky.org. Presented by: Joseph Chapman. Created by: Gina Lorenz with adapted PHYS403 content from Paul Kwiat, Brad Christensen

Quantum Information Transfer and Processing Miloslav Dušek

Unconditionally secure deviceindependent

Research Proposal for Secure Double slit experiment. Sandeep Cheema Security Analyst, Vichara Technologies. Abstract

Secrecy and the Quantum

MATH 158 FINAL EXAM 20 DECEMBER 2016

arxiv:quant-ph/ v2 7 Nov 2001

Security of Quantum Cryptography using Photons for Quantum Key Distribution. Karisa Daniels & Chris Marcellino Physics C191C

CS120, Quantum Cryptography, Fall 2016

Attacks against a Simplified Experimentally Feasible Semiquantum Key Distribution Protocol

Quantum secret sharing based on quantum error-correcting codes

arxiv:quant-ph/ v1 27 Dec 2004

Quantum Simultaneous Contract Signing

Lecture Notes, Week 6

Detection of Eavesdropping in Quantum Key Distribution using Bell s Theorem and Error Rate Calculations

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

arxiv:quant-ph/ v2 3 Oct 2000

Entanglement and information

arxiv:quant-ph/ v1 25 Dec 2006

Quantum Cryptography

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

Deterministic secure communications using two-mode squeezed states

Enigma Marian Rejewski, Jerzy Róz ycki, Henryk Zygalski

Quantum Cryptography

RIVF 2006 Tutorial. Prof. Patrick Bellot PhD. Dang Minh Dung. ENST (Paris) & IFI (Hanoi) RIVF 2006 Tutorial. "Quantum Communications"

arxiv:quant-ph/ v1 13 Jan 2003

Notes 10: Public-key cryptography

Simulation of BB84 Quantum Key Distribution in depolarizing channel

Supplementary Material I. BEAMSPLITTER ATTACK The beamsplitter attack has been discussed [C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, J. Smol

Secure quantum key distribution using squeezed states

Tutorial: Device-independent random number generation. Roger Colbeck University of York

Number theory (Chapter 4)

Realization of B92 QKD protocol using id3100 Clavis 2 system

arxiv:quant-ph/ v1 6 Dec 2005

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Quantum key distribution with 2-bit quantum codes

Security and implementation of differential phase shift quantum key distribution systems

Quantum Cryptography: A Short Historical overview and Recent Developments

Practical aspects of QKD security

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Transcription:

5th March 2004 Unconditional Security of Quantum Key Distribution With Practical Devices Hermen Jan Hupkes

The setting Alice wants to send a message to Bob. Channel is dangerous and vulnerable to attack. Message must remain secret, even if intercepted or copied. Eve Alice Bob 2

Vernon One Time Pad The Vernon One Time Pad is a classic example of an encryption scheme. HI BOB 000000 00000 0000000 000000 000 000000 Msg 0000 000 000000 0000 0000 0000 Key 0000 000 00000 00 00000 0000 Encryp 0000 000 00000 00 00000 0000 Encryp 0000 000 000000 0000 0000 0000 Key 000000 00000 0000000 000000 000 000000 Msg HI BOB 3

Vernon One Time Pad II If Eve does not know the key, she knows practically nothing about the message, in the following sense. Let N be the length of the message, m org {0, } N F N 2 message and m enc F N 2 be the encrypted message. be the original Write P m org m enc for the probability that the original message is m org given that the encrypted message is m enc. Then P m org m enc = 2 N. This is the best possible sense of privacy. Other encryption schemes exist which are more efficient in use of key. Sharing secret messages is thus reduced to the problem of sharing secret keys. 4

Key Distribution Alice and Bob can always physically meet and exchange a long secret key. Impractical in current society, where millions of users are involved giving rise to billions of pairs of users. Alice and Bob could use third person Charlie to intermediate. Can Charlie be trusted? Answer: Public Key Distribution Protocols Alice and Bob share no initial information. All communication between Alice and Bob is public and can be monitored. At end of procedure Alice and Bob should share a secret key, which cannot be reconstructed from their public messages. 5

Diffie and Hellman Key Exchange Alice and Bob choose a large prime p and a generator g. Alice chooses randomly k A p 2 and announces g k A mod p. Bob chooses randomly k B p 2 and announces g k B mod p. Alice calculates key κ = g k B k A mod p. Bob calculates key κ = g k A k B mod p. Theorem. Breaking Diffie-Helman is equivalent to the Discrete Logarithm Problem, i.e. given a prime p, a number 2 g p and a power g x mod p, find x = Disc log g x. Example: Let p = 7 and g = 3. Then Disc log 6 = 3 since 3 3 = 27 6 mod 7 6

Security of Diffie & Hellman Security of Diffie and Hellman key exchange protocol is thus determined by hardness of the Discrete Logarithm Problem, which has been studied at great length. Theorem 2. The best known classical algorithm for solving the Discrete Logarithm Problem takes exponential time proportional to Lp = exp ln p ln ln p. This result means that making the prime p one digit longer increases the time needed to crack Diffie and Hellman by roughly a constant factor. However Theorem 3. The best known quantum algorithm for solving DLP takes polynomial time. This roughly means that you have to double the number of digits of p every time for a fixed factor of extra running time. 7

Quantum Key Distribution QKD Goal is to define key distribution protocol which only relies on laws of nature for its security and NOT on assumed limitations of computing power. Use of vulnerable quantum channel in addition to public classical channel. Alice prepares quantum states. Alice sends states to Bob along quantum channel. Bob performs measurements. Alice and Bob perform classical negotiation to define a key. 8

BB84 Protocol I Already in 984 Brennett and Brassard proposed the BB84 QKD protocol. Based upon idea by Wiesner in 960 s!. He proposed to use non-orthogonal quantum states to protect bank notes from forgery. No Cloning theorem. It is impossible to make a copy of an unknown quantum state. Today we cannot store quantum states for a long time. QKD only requires sending & measuring quantum states and is feasible today! Practical implementation over 60 km has been realized. 9

BB84 Protocol II - Ideal Source Protocol requires quantum source capable of producing quantum state given basis-bit a {+, } and key-bit g {0, } F 2. Possible implementation using polarization encoding on photons. 0 deg 90 deg 45 deg 35 deg Ψ 0 + Ψ + Ψ 0 Ψ ψ 0 + = 0 ψ + = 0 ψ 0 = 2 ψ = 2 0

BB84 Protocol III - Ideal Source ψ 0 + = 0 ψ + = 0 ψ 0 = 2 ψ = 2 The states ψ 0 + and ψ + can be perfectly distinguished from one another by measurement in σ + = σ x basis. The states ψ 0 and ψ can be perfectly distinguished from one another by measurement in σ = σ z basis. However, ψ 0 = 2 ψ 0 + + ψ +, ψ = 2 ψ 0 + ψ +. Measuring in wrong basis thus gives outcome 0 or with equal probability.

BB84 Protocol IV - The Idea Choose number of photons N to exchange. Alice chooses N secret basis-bits a {+, } N. Bob chooses N secret basis-bits b {+, } N. Alice chooses N secret key-bits g {0, } N = F N 2. For i N, Alice prepares quantum state Ψ g[i] a[i] and sends to Bob. Bob measures photon in b[i] basis and thus determines key-bits h[i]. Alice and Bob announce all their basis-bits a and b. Note that for every position i on which Bob s and Alice s basis-bit agree, i.e. a[i] = b[i], in absence of noise g[i] = h[i]. Alice key-bits g 0 0 0 0 0 0 0 0 Alice basis-bits a + + + + + + + + Bob basis-bits b + + + + + + + + Bob key-bits h 0 0 0 0 0 0 0 0 0 In principle, Alice and Bob can use these shared bits to define a key. 2

Detecting Eve Alice and Bob need some way of checking whether Eve interfered. Interference = Errors. No cloning theorem guarantees that Eve cannot completely know state of photon Alice sends to Bob. Example If Eve measures in σ + basis while Alice prepared in basis, she will know nothing about key-bit Alice. Eve will also have messed up the photon that goes to Bob. Correlation between g and h destroyed! 3

The Check After photon exchange, Alice & Bob discard all photons for which their bases did not agree. Alice & Bob randomly choose subset R Revealed containing half of the remaining photons. Alice announces her key-bits g[r] for the photons in R and Bob announces his key-bits h[r]. Alice and Bob count the number of discrepancies between g[r] and h[r]. If number of errors > max, protocol is aborted. Either Eve has been caught or too much noise. 4

Defining the key If number of errors is tolerable, Alice and Bob can use remaining secret key-bits g[r] and h[r] to define a common key. Two extra steps are necessary before this can be done. Error Correction Due to presence of noise, must be able to compensate for a limited number of discrepancies between g[r] and h[r]. Privacy Amplification Increases further the privacy of the extracted key. 5

Error correction Goal is to protect Bob s secret key-bits from a small number of errors. Achieved by supplying extra information called the syndrome. Example: bit-strings x, x 2, x 3 of length 3. Syndrome of length two s = x x 2, x x 3. One error can be corrected. g = 0 0 Alice, s A = 0 Alice announces syndrome s A over public channel. h = 0 0 h = 0 h = 0 h = 0 0,,,, s B = s B = s B = s B = Bob 0 0 0, h corr = 0 0, h corr = 0 0, h corr = 0 0, h corr = 0.... 6

Privacy Amplification Goal is to reduce information Eve has about the key. A private final key of length m < n is constructed from Alice and Bob s n secret key-bits g[r] = h corr [R]. Choose a binary m n binary matrix K. Alice and Bob define their final private key κ by κ A = K g, κ B = K h corr. If error correction was succesfull, we have κ A = κ B. 0 0 m = 2, n = 4, K = g = 0 = κ A = K g = 0 0 0 0 0 = 0 Even if Eve happens to know one bit of g, this helps her nothing! 7

BB84 Summary Alice & Bob choose number of photons to exchange N. Alice & Bob choose random secret strings a, b {+, } N and g F N 2. Alice sends photons in state ψ g[i] a[i] and Bob measures, determining h F N 2. Alice & Bob discard useless photons, choose subset R and perform eavesdropping test. If error rate is too high, protocol is aborted. Alice & Bob agree on error-correcting code. Alice announces syndrome s and Bob applies error correction. Alice & Bob choose privacy amplification matrix K and calculate the final key κ = K g K h corr. 8

Privacy I Need exact and suitable notion of privacy. Eve can never infer Alice and Bob s key with more than X% confidence. Too strong. Consider an attack in which Eve always measures in σ + basis and resends a photon to Bob polarized according to the measurement result. If a = +, +,..., +, Eve is lucky and gets to know key. Eve can always randomly guess the key κ. She will then have probability 2 m of success, where m is the length of the final key κ. Need probabilistic notion of privacy, saying that Eve can not do much better than simply guess the key. Thus we want P succ 2 m. 9

'&% Eve s attack U U U "$#! +,-/. 0 3254 * 687 9 :<; =?> @ Collective attack. Eve attaches probe to each photon individually. Eve stores probe during classical communication between Alice & Bob. Eve allowed to perform combined measurement on the probes afterwards. 20

32 N Eve s strongest attack % $!#" UK L M * + &' 0/,.- 465 78:9;<>=? @BA C DFEGIH J Coherent attack. Most general option available to Eve. Eve can perform any measurement she wants on photons, probes and external systems. Includes random attacks! 2

Privacy II After eavesdropping, Eve has obtained some information v V and the final key κ is determined by Alice. κ 0 P! κ" Key κ κ Eve s n o Eve s tactic defines a probability distribution P on the set F m 2 V. P κ, v denotes the probability that the final key is κ while the information gathered by Eve is v. We want independence of κ and v, i.e. P κ, v P κp v = 2 m P v. 22

Entropy The two-bin entropy 0.8 H 2 p = p log 2 p + p log 2 p. Hp 0.6 0.4 0.2 0 0.2 0.4 0.6 0.8 p Maximal value for p = 2 i.e. equal distribution over the bins. Entropy measures flatness of distribution! Measure for privacy: Conditional Shannon Entropy H = v V P v κ F m 2 P κ v log 2 P κ v = v V P vhv. Key κ and Eve s view v independent = P κ v = 2 m = H = m. For every v, we want flat P κ v, i.e. large Hv. Conditional Entropy H can be seen as weighted average over these flatnesses. Want H m, the maximal value. 23

Privacy III Definition. The BB84 protocol is private if there exist positive C, λ, N min such that, for any eavesdropping strategy employed by Eve for fixed ratio m/n. m H Ce λn for all N N min, Recall m is length of final private key and N is number of exchanged photons. The ratio m/n is called the key-generation rate. Increasing N with fixed key-generation rate thus exponentially increases the level of privacy. 24

History <984 Brennett and Brassard propose BB84 scheme. <998 Many particular types of attacks analyzed e.g. collective attack. No general privacy result. <998 Mayers gives first proof of privacy against arbitrary attack by Eve. However, he assumes that the quantum source is perfect. The detector is left uncharacterized. Beautiful separation between privacy and practicality how often does the verification test pass. <2002 More privacy proofs Shor, Preskill for specific source / detector models. <2002 Koashi and Preskill prove privacy for perfect detector. <2004 Hupkes: Extension of Mayers result to include class of non-perfect sources. Detector is left uncharacterized. 25

Quasi-Perfect Sources - Example 0 deg + spread 90 deg + spread γ 35 + deg + spread 45 + γ deg + spread Ψ 0 + Ψ + Ψ 0 Ψ No longer require exact polarization. No longer require exact 45 degree difference between bases. However, both two states corr. to same basis-bit must have same spread. 26

{ z Possible Implementation "! 2 β β + π 2 β + φ 2 β Entangled photon pair with orthogonal polarizations produced by e.g. parametric downconversion. Alice sets α = a π 4. α +*-,/. 024357698/:; <'=?> @ A7BDCFEHGJIKL M N c]d ef g2hjiklnmop Q-RSTUV qsr7tvu7wxy O P WYXZ[]\_^`a b #$ %'& Alice performs polarization measurement on her photon to determine g. Other photon sent to Bob. Bob s photon polarized at α or α + π 2, depending on outcome measurement Alice. 27

{ z Why Quasi-Perfect Source α +*-,/. 024357698/:; <'=?> @ A7BDCFEHGJIKL M N "! 2 β β + π 2 β + φ 2 β c]d ef g2hjiklnmop Q-RSTUV qsr7tvu7wxy O P WYXZ[]\_^`a b #$ %'& In practice, perfect polarization encoding is impossible. Need to deal with uncertainties in equipment for example, rotation angle α. This is covered by introduction of spreads around ideal value. Need to deal with possibility that Eve might have tampered with source. She might have chosen to set α = π 4 + γ if a =. 28

Main Result 0 deg + spread 90 deg + spread 45 + γ deg + spread 35 + γ deg + spread 0.8 0.6 0.4 0.2 m/n 0. 0.08 0.06 0.04 β = 2% spread ±8 o sin γ = % γ 2o = δ 9% m/n = % 0.02 0 0.02 0.04 0.06 0.08 0. δ Theorem 4. For small offset angles γ and small spreads in the distributions, the BB84 protocol is private under suitable operating conditions. One can generate keys with the rate m/n = 4 H 2 δ H 2 δ + β + sin γ, where δ is the threshold for the validation test and β =< sin 2 spread > measures the distribution spread. 29

Remaining Issues How can one test if a source is quasi-perfect? -Mayers et al introduced way to check if source is an ideal BB84 source. However, they need an exact measurement. Can possibly be usefully generalized to quasi-perfect sources. What about multi-photon emissions? In practice, single photon sources very hard to make. -Mayers et al. : Small number of multi-photon pulses does not destroy privacy for perfect polarization encoding. Can hopefully easily be adapted to quasi-perfect sources. 30

The End The End 3

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback