Fundamental Security Issues in Continuous Variable Quantum Key Distribution

Similar documents
Deterministic secure communications using two-mode squeezed states

FUNDAMENTAL AND PRACTICAL PROBLEMS. OF QKD SECURITY-THE ACTUAL AND THE arxiv: v4 [quant-ph] 4 Jun 2012 PERCEIVED SITUATION

Security Issues Associated With Error Correction And Privacy Amplification In Quantum Key Distribution

Continuous Variable Quantum Key Distribution with a Noisy Laser

arxiv:quant-ph/ v2 7 Nov 2001

Continuous-Variable Quantum Key Distribution Protocols Over Noisy Channels

QCRYPT Saturation Attack on Continuous-Variable Quantum Key Distribution System. Hao Qin*, Rupesh Kumar, and Romain Alléaume

Novel Side Channel Attacks in Continuous Variable Quantum Key Distribution arxiv: v2 [quant-ph] 18 Jun 2015

Trustworthiness of detectors in quantum key distribution with untrusted detectors

arxiv: v2 [quant-ph] 24 Jan 2011

Security of Quantum Cryptography using Photons for Quantum Key Distribution. Karisa Daniels & Chris Marcellino Physics C191C

High Fidelity to Low Weight. Daniel Gottesman Perimeter Institute

Chapter 13: Photons for quantum information. Quantum only tasks. Teleportation. Superdense coding. Quantum key distribution

5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes

TWO-LAYER QUANTUM KEY DISTRIBUTION

Quantum Cryptography. Areas for Discussion. Quantum Cryptography. Photons. Photons. Photons. MSc Distributed Systems and Security

Realization of B92 QKD protocol using id3100 Clavis 2 system

arxiv:quant-ph/ v1 25 Dec 2006

Practical Quantum Key Distribution

Noiseless Linear Amplifiers in Entanglement-Based Continuous-Variable Quantum Key Distribution

Practical Quantum Coin Flipping

Security of Quantum Key Distribution with Imperfect Devices

Deterministic Quantum Key Distribution Using Gaussian-Modulated Squeezed States

Ping Pong Protocol & Auto-compensation

Quantum Hacking. Feihu Xu Dept. of Electrical and Computer Engineering, University of Toronto

Experimental realization of quantum cryptography communication in free space

Simulation of BB84 Quantum Key Distribution in depolarizing channel

Quantum Information Transfer and Processing Miloslav Dušek

High rate quantum cryptography with untrusted relay: Theory and experiment

APPLICATIONS. Quantum Communications

State Decoding in Multi-Stage Cryptography Protocols

An Introduction to Quantum Information. By Aditya Jain. Under the Guidance of Dr. Guruprasad Kar PAMU, ISI Kolkata

Practical aspects of QKD security

Measurement-Device Independency Analysis of Continuous-Variable Quantum Digital Signature

Photon-number-splitting versus cloning attacks in practical implementations of the Bennett-Brassard 1984 protocol for quantum cryptography

Quantum Key Distribution. The Starting Point

Practical quantum-key. key- distribution post-processing

Quantum Correlations as Necessary Precondition for Secure Communication

arxiv:quant-ph/ v1 26 Mar 2001

LECTURE NOTES ON Quantum Cryptography

PERFECTLY secure key agreement has been studied recently

Security bounds for the eavesdropping collective attacks on general CV-QKD protocols

Quantum Cryptography

A New Wireless Quantum Key Distribution Protocol based on Authentication And Bases Center (AABC)

Secure Quantum Signatures Using Insecure Quantum Channels

A semi-device-independent framework based on natural physical assumptions

Key Generation: Foundations and a New Quantum Approach

arxiv:quant-ph/ v1 13 Mar 2007

Tutorial: Device-independent random number generation. Roger Colbeck University of York

Problems of the CASCADE Protocol and Renyi Entropy Reduction in Classical and Quantum Key Generation

Enigma Marian Rejewski, Jerzy Róz ycki, Henryk Zygalski

Quantum Cryptography: A Short Historical overview and Recent Developments

Unconditionally secure deviceindependent

Device-independent Quantum Key Distribution and Randomness Generation. Stefano Pironio Université Libre de Bruxelles

Entanglement and information

Realization of Finite-Size Continuous-Variable Quantum Key Distribution based on Einstein-Podolsky-Rosen Entangled Light

Ground-Satellite QKD Through Free Space. Steven Taylor

Practical Quantum Coin Flipping

Continuous-variable quantum key distribution with a locally generated local oscillator

National Institute of Standards and Technology Gaithersburg, MD, USA

Secure heterodyne-based QRNG at 17 Gbps

Fundamental rate-loss tradeoff for optical quantum key distribution

Device-Independent Quantum Information Processing (DIQIP)

Security and implementation of differential phase shift quantum key distribution systems

Stop Conditions Of BB84 Protocol Via A Depolarizing Channel (Quantum Cryptography)

Continuous-variable quantum key distribution with non-gaussian quantum catalysis

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Supplementary Material I. BEAMSPLITTER ATTACK The beamsplitter attack has been discussed [C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, J. Smol

Massachusetts Institute of Technology Department of Electrical Engineering and Computer Science Quantum Optical Communication

Talk at 4th ETSI/IQC workshop on quantum-safe cryptography, September 19-21, 2016

Quantum Symmetrically-Private Information Retrieval

Communication Engineering Prof. Surendra Prasad Department of Electrical Engineering Indian Institute of Technology, Delhi

SUPPLEMENTARY INFORMATION

arxiv: v1 [quant-ph] 18 Sep 2010

Attacks against a Simplified Experimentally Feasible Semiquantum Key Distribution Protocol

arxiv: v2 [quant-ph] 4 Sep 2007

Introduction to Quantum Key Distribution

This is a repository copy of Parameter estimation with almost no public communication for continuous-variable quantum key distribution.

Experimental continuous-variable cloning of partial quantum information

A Genetic Algorithm to Analyze the Security of Quantum Cryptographic Protocols

Chapter 5. Quantum Cryptography

Final Report. Grant/Contract Title: PHYSICAL CRYPTOGRAPHY: A NEW APPROACH TO KEY GENERATION AND DIRECT ENCRYPTION

Introduction to Quantum Cryptography

N C-0002 P13003-BBN. $475,359 (Base) $440,469 $325,413

Quantum key distribution over 25 km with an all-fiber continuous-variable system

Security Implications of Quantum Technologies

arxiv: v3 [quant-ph] 25 Feb 2015

Unconditional Security of the Bennett 1992 quantum key-distribution protocol over a lossy and noisy channel

Design of Raptor Codes in the Low SNR Regime with Applications in Quantum Key Distribution

ON THE POSSIBILITY OF USING OPTICAL Y-SPLITTER IN QUANTUM RANDOM NUMBER GENERATION SYSTEMS BASED ON FLUCTUATIONS OF VACUUM

Continuous-Variable Quantum Key Distribution with Gaussian Modulation The Theory of Practical Implementations

Quantum Cryptography

10 - February, 2010 Jordan Myronuk

Asymptotic Analysis of a Three State Quantum Cryptographic Protocol

Quantum key distribution: theory for application

arxiv:quant-ph/ v2 2 Jan 2007

Quantum key distribution

Research, Development and Simulation of Quantum Cryptographic Protocols

Device-Independent Quantum Information Processing

Counterfactual Quantum Deterministic Key Distribution

Transcription:

Fundamental Security Issues in Continuous Variable Quantum Key Distribution arxiv:1208.5827v1 [quant-ph] 29 Aug 2012 Horace P. Yuen Department of Electrical Engineering and Computer Science Department of Physics and Astronomy Northwestern University, Evanston Il. 60208 yuen@eecs.northwestern.edu November 16, 2016 Abstract Several fundamental issues in establishing security in continuous variable quantum key distribution are discussed, in particular on reverse reconciliation and security under heterodyne attack. It appears difficult to derive quantum advantage in a concrete realistic protocol due to source and loss uncertainties, apart from the problem of bounding Eve s information after reconciliation. The necessity of proving robust security for QKD protocols is indicated. 1

I INTRODUCTION Continuous variable quantum key distribution (CV-QKD) was introduced [1-4] as an alternative QKD approach to the discrete signal BB84 protocol for quantum key generation [5]. The original 3 db loss limit [1] under beamsplitter attack is extended to arbitrary loss under reverse reconciliation (RR) in [2-4]. In this paper we will point out several fundamental security issues in a finite realistic implementation which are intrinsic to the physics of CV-QKD, as well as the basic cryptographic issue of bounding Eve s information after reconciliation before privacy amplification. It appears that a net key can be generated in CV-QKD not from quantum advantage, but only by classical postdetection processing [5,6], which is very inefficient and in fact its general security has never been fully established. However, coherent detection used in CV-QKD has the advantage of being not susceptible to the detector blinding attacks [7] on single-photon avalanche detectors widely employed in BB84 protocols. Perhaps the combination of coherent detection and BB84 signals in [8-9] would be useful for such purpose. More significantly, CV-QKD brings out clearly the important point that proof of robust security is needed in physical cryptography. II CV-QKD AND RR For simplicity we consider the use of coherent states in CV-QKD homodyne protocols. Squeezed states is highly susceptible to all the linear loss in the system and also would, as are other CV-QKD protocols, be subject to all the security points we will make in this paper. Let T be the transmittance of the transmission link which does not include the loss in other system components. Generally our analysis is carried out under the assumption 2

that everything else is perfect unless indicated otherwise. In CV-QKD the coherent state complex amplitude x + ip is drawn from a circularly symmetric Gaussian distribution of zero mean and variance V in units of 1/4 photon for the field mode, which is the level of noise when x or p is measured in homodyning. The user A sends a long sequence of such pulses, each independently drawn, to user B who checks the noise variance of a randomly chosen subsequence by asking A for the corresponding x or p in each such pulse. This is to establish an advantage, over a possible attacker Eve, on the rest of the pulses to obtain key generation. Then B measures either x or p randomly on the other pulses. Common key bit values are to be derived from reconciliation between A and B s quadrature values before privacy amplification to bring down Eve s information per bit. Mutual information is used to measure the users advantage over Eve, which has numerous problems in crypto-security, especially for a finite system. See [5,10,11]. However, that is not our real concern here, and the difficulties we will point to cannot be overcome by a mutual information argument. In direct reconciliation, the users derive key bits by B trying to estimate what A sent in the measured quadrature. This is often accomplished by sliced error correction [3-4]. There is then a 3 db loss limit on getting quantum advantage [1], due to Eve s beamsplitter attack in which she splits off half of the signal and delivers the other half via a lossless link to B. Eve would then get an identical copy of the signal at B, and any resulting advantage that may result is of a classical nature from the different noises that B and Eve suffer in their measurements [6,12]. In reverse reconciliation (RR), it is A who tries to guess what B has measured. The rationale is that A clearly knows the sent values of x or p better than Eve, and thus an 3

advantage over Eve is assured whe they both try to estimate what B has measured. The sliced error correction protocol for reconciliation is also often used [3-4], though other error correction approaches have been suggested [5]. Indeed, it is often maintained that RR would in principle ensure net key generation for any value of T. To represent the RR situation, let m be the parameter value of x or p that A intends for the pulse. Let m B and m E be the homodyne result of B and Eve s measurement at the receiving and split-off part of the signal. Then m B = Tm+n B (1) m E = 1 Tm+n E (2) where the additive noises n B and n E have var n B = var n E = 1 (3) It is clear the users have no advantage in direct reconciliation under the beamsplitter attack (1)-(2) when T 1. 2 Even if the parameters T and m are precisely known to the users, it is clear from (1)-(3) that for a sufficiently small T the user A would just be guessing at the value of n B in RR which has nothing to do with the signal or any quantum advantage over E! Also, for T 1, Eve knows m basically as well as A does. Since the numerical value of an analog quantity does not have physical meaning after a certain number of decimal places, and indeed is often known to only, say within 1% of its nominal value, one may say instead there is very much an in-principle limit on T in RR also. Equally significantly, if a system does not possess robustness in performance within the parameter accuracy limit, it is unstable to operate and is not a viable design for real world 4

applications. In the case of QKD, there is the added issue of false alarm that has never been quantitatively studied, in which the users abort a round although there is no Eve present. In the case of a supersensitive (very much not robust) protocol, false alarm would occur so frequently that it would prevent its operation altogether. In the following we will consider the situation in which Eve launches a heterodyne intercept-resend attack near the transmitter, which does not require the unrealistic lossless link replacement underlying (1)-(2) and is readily implementable. We will also indicate that the leak of information to Eve from reconciliation in QKD has never been correctly quantified [11]. Indeed, from (1)-(3) it appears that even for moderate values of T, in RR Eve would learn about m B as much as A would up to many decimal places, in either open exchange or forward error correction. Certainly there is no justification that the leak is given by the usual leak EC expression [4] which is not generally applicable to begin with. III HETERODYNE ATTACK AND ROBUSTNESS Eve can easily launch an intercept-resend attack by heterodyne measurement on both x and p near the transmitter and resend the measured value as the complex amplitude in a coherent state through the link. Again consider RR with m being A s launching value of B s chosen quadrature. As explained in the following, in a realistic system A only knows m as m A to within an additive noise n A, the variance of which depends on exactly what A does at the transmitter. In place of (1)-(2) we now have, with var ñ E = 2, m B = T(m+ñ E )+n B (4) m E = m+ñ E (5) 5

m A = m+n A (6) It is clear from (4)-(6) that Eve could determine m better than B in direct reconciliation. In RR, Eve could determine m B better than A from whatever reconciliation algorithm even when n A = 0. Thus security is totally breached unless Eve is caught heterodyning. However, the latter seems practically impossible and the cryptosystem is in principle supersensitive, because link and other system component losses need to be very accurately determined and, moreover, to remain the same over all the pulses in the round, as follows. First, consider the V value chosen by A that leads to m in a coherent state from a laser, with m 2 far lower than the laser output intensity when it is operating far above threshold for suppressed intensity fluctuation. Large m values would mean the added unity heterodyne noise compared to homodyne is totally insignificant. Large laser output needs to be strongly attenuated to get the chosen V, the variance of m. For sufficiently small attenuation coefficient the relative fluctuation of its value is huge and A cannot know m at all to within a few units of quantum noise. It appears necessary to split the pulse and homodyne on one part to determine the quadrature value on the transmitted pulse. In fact, due to the relatively large (typically a few percent) margin of accuracy in all laser output power, though it is stable over a long duration, such measurement by A is necessary for pinning down m. Thus n A is at least one unit strong even if there is no other imperfection such as the value of the beamsplitter transmittance. The serious problem, however, comes from the accuracy of loss and m values. To check the presence of Eve s heterodyne attack, B would use (4) and (6) to detect possible added fluctuation from Tñ E. It has been appreciated from the beginning of CV-QKD that excess 6

noise and homodyne detection efficiency need to be carefully monitored[5,13]. An experiment on heterodyne attack was carried out [14]. What seems not appreciated is that all the loss values need to be very accurate and stable. To include other system losses such as detector quantum efficiency and homodyne efficiency, one can interprete T in (4) as the total transmittanceinsteadofjustlinkloss. IfT deviates fromthepresumedvalueby2%, anm 2 = 25 photons commonly employed [3] would imply Eve s heterodyne attack cannot be detected even apart from finite statistical fluctuation. For a proper security analysis, one would need to represent exactly how each loss parameter enters into the system representation, with finite fluctuation fully accounted for in a complete statistical analysis. For example, if A uses a 50/50 beamsplitter to determine the m value after the laser output is strongly attenuated, the beamsplitter transmittance cannot be smaller by 0.1% for m = 10 and total 10 db user loss in order not to confuse Eve s added noise as part of the signal. In the other direction, false alarm would result. It does not appear such a supersensitive cryptosystem can be practically similar to the cases of classical resolution beyond the diffraction limit and singular detection in non-white Gaussian noise. IV OTHER SERIOUS ISSUES A most serious problem is Eve s information gain from reconciliation. Under (1)-(2) in which Eve s presence cannot be detected in principle, Eve still would learn a lot since m E and m A from (2) and (6) imply Eve and A are in similar positions with respect to m B, that there is really no advantage to A. Even when n A = 0, the advantage seems small and it is not clear why the users can derive a net key in a finite protocol. The problem can be traced in part to 7

the lack of a quantitative bound on Eve s information gain in any reconciliation procedure [11], except asymptotically for linear error correcting codes under collective attacks in BB84. There is no definite proven result for CV-QKD either in [4]. Collective attack, however, is very unreasonably restrictive in both BB84 and CV-QKD. For example, when Eve attacks a portion of the pulses and leaves the rest intact, it is outside the scope of collective attack. On the other hand, Eve may well choose to do that to escape detection while gaining a considerable amount of information. It is intuitively impossible that collective attack is optimal for Eve, and the known proofs that it is are not valid. This and the many general inadequacies of QKD security proofs in BB84 and CV-QKD are to be treated elsewhere, while a glimpse can be found in [11]. V ROBUST SECURITY Robustness with respect to parameter accuracy and fluctuation is crucial in engineering systems. Quantum information system is often very sensitive to disturbance, which is likely one main reason why it is so difficult to realize experimentally. Security is something that can only be established theoretically if at all, because there are an unlimited number of possible attack scenarios and the history of cryptography shows that relying on security from past experience can be dangerous. In physical cryptography such as QKD where security depends on physics at least as much as on mathematics, it is therefore mandatory to establish robust security carefully on a complete representation of the physical cryptosystem. This has not beendoneincv-qkdorbb84, andmust beaddressed ifqkdisever goingtobepractically useful. 8

ACKNOWLEDGEMENT This work was supported by the Air Force Office of Scientific Research. I would like to thank T. Hirano for useful discussions. References [1] F. Grosshans and P. Grangier, Phys. Rev. Lett. 88, 057902 (2002) [2] F. Grosshans and P. Grangier, arxiv:0204127, 2002. [3] F. Grosshans, G. Van Assche, J. Wngler, R. Tualle-Brouri, N. Cerf, and P. Grangier, Nature 421, 238, 2003. [4] G. Van Assche, J. Cardinal, and N. Cerf, IEEE Trans. Inform. Theory 50, 394, 2004. [5] V. Scarani, H. Bechmann-Pasquinucci, N. Cerf, M. Dusek, N. Lutkenhaus, and M. Peev, Rev. Mod. Phys. 81, 1301, 2009. [6] H. P. Yuen and A. Kim, Phys. Lett. A 241, 135, 1998. [7] I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtseifer, and V. Makarov, Nat. Commun. 2, 349, 2011. [8] H. P. Yuen, in Proceedings of the Fourth International Conference on Squeezed States and Uncertainty Relations, NASA Conference Publication 3322, pp. 363-368, 1995. [9] H. P. Yuen, Quantum Communication, Computing, and Measurement 2, ed. by Kumar et al, Luwer Academic/Plenum Publisher, New York, pp. 399-404, 2000. 9

[10] H. P. Yuen, IEEE J. Sel. Topics in Quant. Electron. 15, 1630, 2009. [11] H. P. Yuen, arxiv:1205.3820, 2012. [12] U. M. Maurer, IEEE Trans. Inform. Theory 39, 733, 1993. [13] R. Namiki and T. Hirano, Phys. Rev. Lett. 92, 117901 (2002). [14] J. Lodewyck, T. Debuisschert, R. Garcia-Patron, R. Tualle-Brouri, N. Cerf, and P. Grangier, Phys. Rev. Lett. 98, 030503 (2007). 10

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback