Ping Pong Protocol & Auto-compensation Adam de la Zerda For QIP seminar Spring 2004 02.06.04
Outline Introduction to QKD protocols + motivation Ping-Pong protocol Security Analysis for Ping-Pong Protocol Vulnerabilities Encoding methods Auto compensation Auto compensation in Ping pong 2
QKD protocols motivation Alternative to public key cryptography. (i.e. RSA) QKD + Block ciphers. (i.e.: Use QKD to transmit key for DES, and have the rest of conversation classically encrypted in DES) 3
Introducing: Ping Pong protocol Uses: QKD Quantum Key Distribution Means: Quantum channel, Authenticated classic channel 4
Scheme Ping Pong Alice wants to send Bob bit: Xi = {0, 1} Bob creates EPR pair: 01 + 10 Ψ + = 2 Bob sends Alice the traveling qubit and keeps the home qubit Bob Traveling qubit - T> Alice >Home qubit H Ψ 0 = Ψ + = 01 HT + 2 10 HT 5
Scheme cont. Alice received qubit: T> and returns to Bob: ~ T = T σ z T,, X X i i = 0 = 1 Bob Alice Home qubit - H> Traveling qubit - T> 6
Scheme cont. Notice that after Alices transformation: Ψ 1 HT = Ψ 1σ + z HT Ψ + HT = Ψ HT,, X X i i = 0 = 1 7
Scheme cont. Bob receives and measures H> and T> in bell-states base. T ~ Bob Traveling qubit Alice Home qubit - H> 8
Scheme cont. Bob knows Xi! Bob s result: + Ψ X = 0 HT i Ψ X = 1 HT i 9
Eavesdropping Eve has nothing to do with T> on the way to Alice. Eve can learn NOTHING about Xi from T> on it s way back to Bob because: We KNOW + { Ψ Ψ } Ψ, 1 Tr Bob 2 { } ± ± Ψ Ψ = I By Passive attack, Eve knows NOTHING on Xi 10
Eavesdropping cont. But what about man in the middle attack? Eve can stall the traveling qubit, send Alice: + Ψ, Alice will give her: Ψ + or Ψ, that is, the classical bit. Eve will encode on the traveling qubit the same, so Bob wouldn t even notice! Eve Bob Home qubit - H> Alice Traveling qubit - T> Note: without Bob s help, Alice can t notice Eve s trick. 11
Eavesdropping cont. Let s define 2 modes for the protocol! 1. Control mode to detect eavesdropping. 2. Message mode to transmit messages/keys.? Are they in control mode or message?mode Eve Bob Alice Home qubit - H> Traveling qubit - T> 12
Eavesdropping cont. Control mode: Alice measures the qubit she received in 0>, 1> base. Contact Bob in classic channel to let him know she chose control mode. Bob measures his home qubit in 0>, 1> base. Alice and Bob compares their result. Eve is detected if the results coincide. 13
Conclusion Alice wants to send X = (X1 X2 Xn) to Bob. Bob creates a singlet, and send one of the qubits to Alice. Alice switches to Control mode with probability c Else, Alice encode her bit onto the traveling qubit and sends back to Bob. Bob receives the qubit from Alice, and measure his home qubit with the traveling qubit in Bell-states base. Bob now knows Xi. Return until all bits are delivered to Bob. 14
Conclusion cont. 15
Von-neumann Entropy Definition of Von-neumann entropy Where are the eigen values of ρ Bounds the maximum information can be gained from a state. Give examples: pure states, completely mixture states 16
security analysis Ping Pong 2 main parts In control mode: Eve detection probability. In message mode: Bound information available to Eve (given that she attacked on the way to Alice) The Attack: Bob sent 0 : Eˆ0, E = α 0, E 00 + β 1, E 01 Bob sent 1 : Eˆ1, E = γ 0, E 10 + δ 1, E 11 17
security analysis Ping Pong 1. Control mode For Eve, the state of the traveling qubit is complete mixture. Bob sends 0> and 1> with probability ½. Consider the case where Bob sends 0> Eve has an ancilla qubit E After Eve s attack: Ψ = Eˆ 0, E Alice measures the qubit in = α 0, E + { 0, 1 } 00 β 1, basis. E 01 Probability for Eve to get caught is: d = β 2 = 1 α 2 18
security analysis - cont. (if Bob sent 0> ) 2. Message Mode The new state after Eve s attack is: in basis: { 0, E, 1 E } 00, 01 2 * α α β ρ = Ψ Ψ = 2 * α β α Assuming Alice encodes a random bit (P0 = P1 = ½, in QKD schemes), the state after Alice s encoding operation: 2 1 1 = + = α 0 ρ ρ σˆ ˆ z ρ σ z 2 2 2 0 β 19
security analysis - cont. A non-tight bound on the information Eve can gain from the state is given by Von-Neumann entropy: We get: I max I max = S ρ ) = Tr{ ρ log ρ } ( 2 ( d) = d log2 d (1 d)log2 (1 d) 1 0 ½ 1 d Note: This is also the Shannon entropy of a binary channel 20
security analysis - cont. If Eve wants full information, she is detected with probability ½: d( I max = 1) = 1 2 Question: what is the probability for Eve s detection in BB84 if Eve wants full information too? 21
security analysis n bits attack s( c, d) = (1 Define c: The probability for control mode. r = 1 c : The probability for message mode. The probability for Eve not to get caught until the next message mode is: c) + After n independent identical attacks Eve maximally gains: bits of information. Eve survives with probability: I = ni max ( d) c(1 d)(1 c) + c 2 (1 d) 2 (1 c) +... = 1 c 1 c(1 d ) s n = s I I max ( d ) = 1 c 1 c(1 d ) I I max ( d ) 22
security analysis - cont. After n independent identical attacks Eve maximally gains: ( ) bits of information. Eve survives with probability: I = ni max d s = f (bits) bits 23
security analysis - discussion Discussion 2. What is missing in the Security Analysis? 3. Would it help to use secret sharing schemes? 4. Can we exploit line disturbance to have perfect eavesdropping? (non detectable eavesdropping) 24
Vulnerabilities - Overview Attacking without eavesdropping: Denial of service Vulnerabilities in lossy channel 25
Vulnerabilities DoS attack Eve can stop connection from Alice to Bob (Pong) and send Bob trash instead. The protocol won t detect Eve! Improved version of classical DoS Bob trash Eve Alice Question?: Can we overcome the vulnerability 26
Vulnerabilities DoS attack cont. Question: Can we overcome the vulnerability? YES! Define additional mode for the protocol in which: 1. Bob measures his qubits. (message mode) 2. Alice informs Bob to move to the new test mode. 3. Alice and Bob compares their bits. 4. If the results do not coincide, Eve is detected! Note: this is a variation of an extension to the protocol suggested in: quant-ph/0402052 - Cai, Qing-yu The ping-pong protocol can be attacked without eavesdropping 27
Various Optical Encodings Polarization encoding Phase encoding ϕ 28
Auto-compensation Sergienko et al., One-Way Entangled-Photon Autocompensating Quantum Cryptography, Quant-ph/0207167. Donald S. Bethune, William P. Risk, An Autocompensating Fiber-Optics Quantum Cryptography Systems Based on Polarization Splitting of Light IEEE journal of quantum electronics, vol. 36 no. 3 march 2000. A. V. Sergienko et al., Symmetric Autocompensating Quantum Key Distribution quant-ph / 0309050. 29
Auto-compensation motivation Various optical encodings for qubits: Polarization Qubit Time bin Qubit The quantum channel posses disturbances for both encodings. We cannot control the disturbances (i.e. a train has just passed near the optical fiber..) We do not want to calibrate our systems every time. 30
Process Polarization encoding: Faraday Mirror - Device that reflects light in a 90 degree rotation from the input light. (i.e. without regard to the polarization of the input light) Phase encoding: AT Attenuator PM Phase modulator L Laser D - Detector 31
Process phase encoding Bob sends Alice strong laser pulse. Alice attenuates it, selects a base and encode bit by phase shifting. Bob guesses Alice s base and measures the qubit. Note: Each PM is used once! 32