Transcript Quantum Cryptography - Queen's University Belfast

Quantum Cryptography
Cryptography
Quantum Key Distribution
Main Point
Cryptography
Quantum Key Distribution
BB84
continuous
Security
Attack model
Information
Introduction
What is Cryptography?
Cryptography is the art of rendering a
message unintelligible to any
unauthorized party
dkssudgktpdy
안녕하세요(Korean)
It is part of the broader field of
cryptology, which also includes
cryptoanalysis, the art of code breaking
Introduction
 Why do we need cryptography?
 Suppose Mark want to send a secret message to
his girl friend over an insecure channel!
Insecure
secure
Cryptography
 Key : What’s key?
 Encryption : combine a message with some
additional information - known as the “key” –
and produce a cryptogram.
 Decryption : combine a cryptogram with
some additional information - known as the
“key” – and produce a message.
Cryptography
Asymmetrical(public-key) cryptosystem
Symmetrical(secret-key) cryptosystem
Cryptography
Asymmetrical(public-key) cryptosystem
ElGamal Cryptosystem
Elliptic curve Cryptosystem
The Merkle-Hellman Knapsack Cryptosystem
RSA(Ronald Rivest, Adi Shamir,Leonard
Adleman)
etc..
Cryptography
 RSA(Ronald Rivest, Adi Shamir,Leonard
Adleman)
If Bob wants to be able to receive messages
encrypted with a public key cryptosystem, he must
first choose a "private" key, which he keeps secret.
Then, he computes from this private key a "public"
key, which he discloses to any interested party. Alice
uses this public key to encrypt her message. She
transmits the encrypted message to Bob, who
decrypts it with the private key
Cryptography
 RSA(Ronald Rivest, Adi Shamir,Leonard
Adleman)
Big Prime number factorization is so difficult problem
Public-key cryptosystems are convenient and they
have thus become very popular over the last 20
years
 What is problem?
Not proven security
Shor’s algorithm
Cryptography
Symmetrical(secret-key) cryptosystem
Block type
DES
AES
etc..
Stream type
LFSR
One-time pad
etc..
Cryptography
One-time pad
first proposed by Gilbert Vernam in 1926
This cryptosystem is thus provably secure in
the sense of information theory (Shannon
1949)
Actually, this is today the only provably
secure cryptosystem
What is problem?
Difficult to implementation
Cryptography
One-time pad
Difficult to
implementation
00101000..
+
Secret channel
01000101..
01000101..
=
+
01101101..
01101101..
Classical channel
=
00101000..
Quantum Key Distribution
sending a “secret key” by using the laws
of physics to warrant the complete
security of the transmission
Discrete variable
BB84
B92
Etc..
Continuous variable
Squeezed state
Gaussian distribution
Quantum Physics
•
•
•
•
Principle of Complementary
Heisenberg Uncertainty Principle
Correspondence Principle
etc..
Quantum Key Distribution
Cryptography
Number theory, Algebra..
Asymmetric
symmetric
RSA
One-time pad
Quantum Mechanics
Quantum Cryptography
Descrete
Continuous
Quantum Key Distribution
BB84
proposed by Charles H. Bennett and Gilles
Brassard in 1984
Two state( |0>, |1>), but four bases(|0,V>,
|1,H>, |0,L>, |1,R>)
0, L 1,V 
Bases with such a property are called
conjugate => Unpredictable
1
2
Quantum Key Distribution
BB84(Protocol)
Alice sends random “bits” (0 or 1) encoded in
two 2 different “basis”
Bob randomly chooses either the “+” or the
“×” basis and records the transmitted and
reflected photons
Bob announces openly his choice of basis
(but not the result!) and Alice answers “ok” or
“no”. Bits with different basis are discarded
The remaining bits give the secret key
Quantum Key Distribution
BB84(without Eve, no noise)
Quantum Key Distribution
Attack model
Intercept-resend model (opaque
eavesdropping)
Error rate
Coherent or joint
Optimal individual
Collective
Quantum Key Distribution
BB84(with Eve, no noise)
Quantum Key Distribution
BB84(with Eve, no noise)
Raw key extraction
 Over the public channel, Bob communicates to Alice
which quantum alphabet he used for each of his
measurements
 Alice and Bob then delete all bits for which they used
incompatible quantum alphabets to produce their
resulting raw keys
Error estimation
 Over the public channel, Alice and Bob compare small
portions of their raw keys to estimate the error-rate R,
and then delete the disclosed bits from their raw keys
to produce their tentative final keys
R0
Quantum Key Distribution
BB84(with Eve, no noise)
If one guesses correctly, then Alice’s
transmitted bit is received with
probability 1. On the other hand, if one
guesses incorrectly, then Alice’s
transmitted bit is received correctly with
probability 1/2 . Thus in general, the
probability of correctly receiving Alice’s
1
1 1 3
transmitted bit is
P  1   
2
2 2 4
Quantum Key Distribution
BB84(with Eve, no noise)
If there is no intrusion, then Alice’s and
Bob’s raw keys will be in total
agreement. However, if Eve has been at
work, then corresponding bits of Alice’s
and Bob’s raw keys will not agree with
probability
m
1
 1 
Pe  
P  1   
4
 4 
Quantum Key Distribution
BB84(with Eve, with noise)
We must assume that Bob’s raw key is
noisy
Since Bob can not distinguish between errors
caused by noise and by those caused by Eve’s
intrusion, the only practical working assumption
he can adopt is that all errors are caused by
Eve’s eavesdropping
Under this working assumption, Eve is always
assumed to have some information about bits
transmitted from Alice to Bob. Thus, raw key is
always only partially secret
Quantum Key Distribution
BB84(with Eve, with noise)
 Over the public channel, Alice and Bob
compare small portions of their raw keys to
estimate the error-rate R, and then delete the
disclosed bits from their raw key to produce
their tentative final keys. If R exceeds a
certain threshold R max, then privacy
amplification is not possible If so, Alice and
Bob return to stage 1 to start over. On the
other hand, if R  R max, then Alice and Bob
proceed to Reconciliation
Quantum Key Distribution
Reconciliation Key
Alice and Bob publically agree upon a
random permutation, and apply it to what
remains of their respective raw keys
Alice and Bob partition the remnant raw key
into blocks of length L
For each of these blocks, Alice and Bob
publically compare overall parity checks,
making sure each time to discard the last bit
of each compared block
Quantum Key Distribution
Privacy amplification
Alice and Bob compute from the error-rate R
an upper bound k of the number of bits of
reconciled key known by Eve
Alice and Bob publically select n−k−s
random subsets of reconciled key, without
revealing their contents. The undisclosed
parities of these subsets become the final
secret key
I  ,    I  ,  
Quantum Key Distribution
BB84(with noise)
Noise?
R=0?
No
Key!
Yes
No
Yes
R  R max
Resend
No
Yes
Reconciliation
Privacy amplification
Key!
Quantum Key Distribution
Security by Information theory
I. Csiszar, and J. Korner, IEEE Trans. Inf.
Theory, 24, 330 (1978)
Alice and Bob can establish a secret key
(using error correction and privacy
amplification) if and only if
I  ,    I  ,  
I  ,    I  ,  
Quantum Key Distribution
Security by Information theory
Shannon’s formula
I  H X   H X | Y 
  px log 2 px    q y  px | y log 2 px | y 
x
y
x
IAB  1  Pe log 2 Pe  1  Pe log 21  Pe 
Quantum Key Distribution
Security by Information theory
A Generic Security Proof for Quantum Key
Distribution by M. Christandl et al, quantph/0402131
Shannon’s formula IAB
Von Neumann’s formula (Quantum
information) S  
Key Rate R
R  IAB  max S  
Quantum Key Distribution
Where is quantum?
Measurement
every measurement perturbs a system
No-cloning theorem
It is impossible to copy an arbitrary quantum state
chosen among a set of non-orthogonal states
No perturbation
No measurement
No eavesdropping
Quantum Key Distribution
Experiment
“Experimental Quantum Cryptography”
(C.Bennett et al, J.Cryptology 5, 3-28, 1992)
etc..
What is problem?
Photon Generation
Reliable?
Quantum Key Distribution
Essential feature : quantum channel
with non-commuting quantum
observables
not restricted to single photon polarization!
New QKD protocol where :
The non-commuting observables are the
quadrature operators X and P
i.e. continuous variable
Quantum Key Distribution
Quantum cryptography with Squeezed
states(Mark Hillery, PRA, 61, 022309)
Quantum distribution of Gaussian keys
using squeezed states(N.J.Cerf et al,
PRA, 63, 052311)
The non-commuting observables are the
quadrature operators X and P
Quantum Key Distribution
Using Squeezed state
The non-commuting observables are
the quadrature operators X and P
Reconciliation(sliced)
P
Privacy Amplification
X
Quantum Key Distribution
Continuous Variable Quantum
Cryptography Using Coherent States(F.
Grosshans et al, PRL 88, 057902(2002))
The non-commuting observables are the
quadrature operators X and P
The transmitted light contains weak coherent
pulses(about 100 photons) with a gaussian
modulation of amplitude and phase
The detection is made using shot-noise limited
homodyne detection
Quantum Key Distribution
Using Coherent state
The non-commuting observables are
the quadrature operators X and P
Reconciliation(sliced)
P
Privacy Amplification
X
Quantum Key Distribution
Attack model(Continuous variable)
Intercept-resend model (opaque
eavesdropping)
Error rate
Coherent
Individual Optimal
Collective
Quantum Key Distribution
Security by Information theory
Shannon, von Neumann
I  H X   H X | Y 
  px log 2 px    qM  px | M log 2 px | M 
x
M
x
IAB  1  Pe log 2 Pe  1  Pe log 21  Pe 
1
1
IAE  1  Pe  log 21  Pe   1  Pe  log 21  Pe 
2
2
I  IAB  IAE  0
Quantum Key Distribution
Security by Information theory
Gaussian distribution
I  H X   H X | Y 
  px log 2 px    qM  px | M log 2 px | M 
x
1
I  log 21   
2
M
x
Quantum Key Distribution
Security by Information theory
Gaussian state

V  1  V  1  V 1  V 1 
H
log
log


2
2
 2 
 2 
Information
I  IAB  H  0
Conclusion
One-time pad(QKD)
Where is quantum?
Measurement(Discrete, Continuous)
every measurement perturbs a system
No-cloning theorem(Discrete, Continuous)
It is impossible to copy an arbitrary quantum state
chosen among a set of non-orthogonal states
Quantum Information theory for Security
Acknowledgement
 Many Thanks..(M.S. Kim, Jingak Jang,
Wonmin Son..)
Also Many
Thanks for all
who attend
our seminar
Reference
Quantum cryptography, N.Gisin et al,
quant-ph/0101098