Quantum Cryptography - Queen's University Belfast
Quantum Cryptography
Cryptography
Quantum Key Distribution
Main Point
Cryptography
Quantum Key Distribution
BB84
continuous
Security
Attack model
Information
Introduction
What is Cryptography?
Cryptography is the art of rendering a
message unintelligible to any
unauthorized party
dkssudgktpdy
안녕하세요(Korean)
It is part of the broader field of
cryptology, which also includes
cryptanalysis, the art of code breaking
Introduction
Why do we need cryptography?
Suppose Mark wants to send a secret message to
his girlfriend over an insecure channel!
Insecure
secure
Cryptography
Key: What is a key?
Encryption : combine a message with some
additional information - known as the “key” –
and produce a cryptogram.
Decryption : combine a cryptogram with
some additional information - known as the
“key” – and produce a message.
Cryptography
Asymmetrical(public-key) cryptosystem
Symmetrical(secret-key) cryptosystem
Cryptography
Asymmetrical(public-key) cryptosystem
ElGamal Cryptosystem
Elliptic curve Cryptosystem
The Merkle-Hellman Knapsack Cryptosystem
RSA(Ronald Rivest, Adi Shamir,Leonard
Adleman)
etc..
Cryptography
RSA(Ronald Rivest, Adi Shamir,Leonard
Adleman)
If Bob wants to be able to receive messages
encrypted with a public key cryptosystem, he must
first choose a "private" key, which he keeps secret.
Then, he computes from this private key a "public"
key, which he discloses to any interested party. Alice
uses this public key to encrypt her message. She
transmits the encrypted message to Bob, who
decrypts it with the private key
Cryptography
RSA(Ronald Rivest, Adi Shamir,Leonard
Adleman)
Factorization into big prime numbers is a very difficult problem
Public-key cryptosystems are convenient and they
have thus become very popular over the last 20
years
What is the problem?
Security is not proven
Shor’s algorithm
Cryptography
Symmetrical(secret-key) cryptosystem
Block type
DES
AES
etc..
Stream type
LFSR
One-time pad
etc..
Cryptography
One-time pad
first proposed by Gilbert Vernam in 1926
This cryptosystem is thus provably secure in
the sense of information theory (Shannon
1949)
Actually, this is today the only provably
secure cryptosystem
What is the problem?
Difficult to implement
Cryptography
One-time pad
Difficult to implement
[Figure: the key 01000101.. is shared over the secret channel]
00101000.. + 01000101.. = 01101101..
01101101.. is sent over the classical channel
01101101.. + 01000101.. = 00101000..
Quantum Key Distribution
sending a “secret key” by using the laws
of physics to warrant the complete
security of the transmission
Discrete variable
BB84
B92
Etc..
Continuous variable
Squeezed state
Gaussian distribution
Quantum Physics
Principle of Complementarity
Heisenberg Uncertainty Principle
Correspondence Principle
etc..
Quantum Key Distribution
Cryptography
Number theory, Algebra..
Asymmetric
symmetric
RSA
One-time pad
Quantum Mechanics
Quantum Cryptography
Discrete
Continuous
Quantum Key Distribution
BB84
proposed by Charles H. Bennett and Gilles
Brassard in 1984
Two states (|0>, |1>), but four bases (|0,V>,
|1,H>, |0,L>, |1,R>)
0, L 1,V
Bases with such a property are called
conjugate => Unpredictable
1
2
Quantum Key Distribution
BB84(Protocol)
Alice sends random “bits” (0 or 1) encoded in
two different “bases”
Bob randomly chooses either the “+” or the
“×” basis and records the transmitted and
reflected photons
Bob openly announces his choice of basis
(but not the result!) and Alice answers “ok” or
“no”. Bits measured in different bases are discarded
The remaining bits give the secret key
Quantum Key Distribution
BB84(without Eve, no noise)
Quantum Key Distribution
Attack model
Intercept-resend model (opaque
eavesdropping)
Error rate
Coherent or joint
Optimal individual
Collective
Quantum Key Distribution
BB84(with Eve, no noise)
Quantum Key Distribution
BB84(with Eve, no noise)
Raw key extraction
Over the public channel, Bob communicates to Alice
which quantum alphabet he used for each of his
measurements
Alice and Bob then delete all bits for which they used
incompatible quantum alphabets to produce their
resulting raw keys
Error estimation
Over the public channel, Alice and Bob compare small
portions of their raw keys to estimate the error-rate R,
and then delete the disclosed bits from their raw keys
to produce their tentative final keys
R0
Quantum Key Distribution
BB84(with Eve, no noise)
If one guesses correctly, then Alice’s
transmitted bit is received with
probability 1. On the other hand, if one
guesses incorrectly, then Alice’s
transmitted bit is received correctly with
probability 1/2 . Thus in general, the
probability of correctly receiving Alice’s
transmitted bit is
$P = \frac{1}{2}\cdot 1 + \frac{1}{2}\cdot\frac{1}{2} = \frac{3}{4}$
Quantum Key Distribution
BB84(with Eve, no noise)
If there is no intrusion, then Alice’s and
Bob’s raw keys will be in total
agreement. However, if Eve has been at
work, then corresponding bits of Alice’s
and Bob’s raw keys will not agree with
probability
m
1
1
Pe
P 1
4
4
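The protocol steps and the intercept-resend case above, as an added simulation (not part of the original slides). It models a measurement in the conjugate basis as a fair coin flip; the function names and the detection formula 1 - (1 - Pe)^m for m compared bits are assumptions of this example.

```python
import random

BASES = "+x"  # the slide's "+" and "×" bases

def measure(bit, prep_basis, meas_basis, rng):
    """Same basis returns the encoded bit; a conjugate basis gives a coin flip."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def bb84(n, eve=False, seed=0):
    """Simulate n photons; return (alice_key, bob_key) after basis sifting."""
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    for _ in range(n):
        a_bit, a_basis = rng.randint(0, 1), rng.choice(BASES)
        bit, basis = a_bit, a_basis
        if eve:  # intercept-resend: Eve measures, then resends what she saw
            e_basis = rng.choice(BASES)
            bit, basis = measure(bit, basis, e_basis, rng), e_basis
        b_basis = rng.choice(BASES)
        b_bit = measure(bit, basis, b_basis, rng)
        if b_basis == a_basis:  # public basis comparison; results stay secret
            alice_key.append(a_bit)
            bob_key.append(b_bit)
    return alice_key, bob_key

def error_rate(a, b):
    """Fraction of sifted positions where Alice and Bob disagree (R)."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def detection_probability(m, pe=0.25):
    """Chance that at least one of m compared bits disagrees."""
    return 1 - (1 - pe) ** m

if __name__ == "__main__":
    for eve in (False, True):
        a, b = bb84(20000, eve=eve)
        print(f"eve={eve}: sifted={len(a)} R={error_rate(a, b):.3f}")
    print("P(detect) with m=20:", round(detection_probability(20), 4))
```

Without Eve the sifted keys agree exactly; with Eve on every photon the measured error rate settles near 1/4.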
Quantum Key Distribution
BB84(with Eve, with noise)
We must assume that Bob’s raw key is
noisy
Since Bob can not distinguish between errors
caused by noise and by those caused by Eve’s
intrusion, the only practical working assumption
he can adopt is that all errors are caused by
Eve’s eavesdropping
Under this working assumption, Eve is always
assumed to have some information about bits
transmitted from Alice to Bob. Thus, raw key is
always only partially secret
Quantum Key Distribution
BB84(with Eve, with noise)
Over the public channel, Alice and Bob
compare small portions of their raw keys to
estimate the error-rate R, and then delete the
disclosed bits from their raw key to produce
their tentative final keys. If R exceeds a
certain threshold R_max, then privacy
amplification is not possible. If so, Alice and
Bob return to stage 1 to start over. On the
other hand, if R ≤ R_max, then Alice and Bob
proceed to Reconciliation
Quantum Key Distribution
Reconciliation Key
Alice and Bob publicly agree upon a
random permutation, and apply it to what
remains of their respective raw keys
Alice and Bob partition the remnant raw key
into blocks of length L
For each of these blocks, Alice and Bob
publicly compare overall parity checks,
making sure each time to discard the last bit
of each compared block
Quantum Key Distribution
Privacy amplification
Alice and Bob compute from the error-rate R
an upper bound k of the number of bits of
reconciled key known by Eve
Alice and Bob publicly select n−k−s
random subsets of reconciled key, without
revealing their contents. The undisclosed
parities of these subsets become the final
secret key
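The reconciliation and privacy amplification steps above, as an added sketch that is not part of the original slides. The slides only state the block parity comparison; the bisective search used here to locate an error when parities differ, the raw key, and the values of L, k and s are assumptions constructed for the example.

```python
import random

def parity(bits):
    return sum(bits) % 2

def reconcile_pass(alice, bob, L, rng):
    """One pass: public permutation, block parities, bisection on mismatch.
    The last bit of every compared (sub)block is dropped afterwards."""
    order = list(range(len(alice)))
    rng.shuffle(order)                       # publicly agreed permutation
    a = [alice[i] for i in order]
    b = [bob[i] for i in order]
    keep = [True] * len(a)
    for start in range(0, len(a), L):
        lo, hi = start, min(start + L, len(a))
        keep[hi - 1] = False                 # block parity was announced
        if parity(a[lo:hi]) == parity(b[lo:hi]):
            continue
        while hi - lo > 1:                   # assumption: bisective search
            mid = (lo + hi) // 2
            keep[mid - 1] = False            # sub-block parity announced
            if parity(a[lo:mid]) != parity(b[lo:mid]):
                hi = mid
            else:
                lo = mid
        b[lo] ^= 1                           # Bob flips the located bit
    return ([x for x, k in zip(a, keep) if k],
            [x for x, k in zip(b, keep) if k])

def amplify(key, k, s, rng):
    """Final key: parities of n-k-s random subsets of the reconciled key."""
    n = len(key)
    out = []
    for _ in range(n - k - s):
        subset = [i for i in range(n) if rng.random() < 0.5]  # public choice
        out.append(parity([key[i] for i in subset]))
    return out

def demo(seed=1):
    rng = random.Random(seed)
    alice = [rng.randint(0, 1) for _ in range(64)]   # constructed raw key
    bob = list(alice)
    bob[10] ^= 1                                     # one channel error
    a, b = reconcile_pass(alice, bob, 8, rng)
    # Both sides apply the same public subset choices (same seed here).
    return a, b, amplify(a, 6, 4, random.Random(7)), amplify(b, 6, 4, random.Random(7))

if __name__ == "__main__":
    a, b, ka, kb = demo()
    print(len(a), a == b, len(ka), ka == kb)
```

A block holding an even number of errors passes the parity check unnoticed, which is why the permutation is redrawn and the pass repeated in practice.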
I , I ,
Quantum Key Distribution
BB84(with noise)
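[Flowchart: decision nodes "Noise?", "R=0?" and a comparison of R with R max, each with Yes/No branches; outcomes "Key!", "Resend", and "Reconciliation" followed by "Privacy amplification" and "Key!"]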
Quantum Key Distribution
Security by Information theory
I. Csiszar, and J. Korner, IEEE Trans. Inf.
Theory, 24, 330 (1978)
Alice and Bob can establish a secret key
(using error correction and privacy
amplification) if and only if
I , I ,
I , I ,
Quantum Key Distribution
Security by Information theory
Shannon’s formula
$I = H(X) - H(X|Y)$
$\;\; = -\sum_x p(x)\log_2 p(x) + \sum_y q(y)\sum_x p(x|y)\log_2 p(x|y)$
$I_{AB} = 1 + P_e\log_2 P_e + (1-P_e)\log_2(1-P_e)$
Quantum Key Distribution
Security by Information theory
A Generic Security Proof for Quantum Key
Distribution by M. Christandl et al, quant-ph/0402131
Shannon’s formula IAB
Von Neumann’s formula (Quantum
information) S
Key Rate R
R IAB max S
Quantum Key Distribution
Where is quantum?
Measurement
every measurement perturbs a system
No-cloning theorem
It is impossible to copy an arbitrary quantum state
chosen among a set of non-orthogonal states
No perturbation
No measurement
No eavesdropping
Quantum Key Distribution
Experiment
“Experimental Quantum Cryptography”
(C.Bennett et al, J.Cryptology 5, 3-28, 1992)
etc..
What is problem?
Photon Generation
Reliable?
Quantum Key Distribution
Essential feature : quantum channel
with non-commuting quantum
observables
not restricted to single photon polarization!
New QKD protocol where :
The non-commuting observables are the
quadrature operators X and P
i.e. continuous variable
Quantum Key Distribution
Quantum cryptography with Squeezed
states(Mark Hillery, PRA, 61, 022309)
Quantum distribution of Gaussian keys
using squeezed states(N.J.Cerf et al,
PRA, 63, 052311)
The non-commuting observables are the
quadrature operators X and P
Quantum Key Distribution
Using Squeezed state
The non-commuting observables are
the quadrature operators X and P
Reconciliation(sliced)
P
Privacy Amplification
X
Quantum Key Distribution
Continuous Variable Quantum
Cryptography Using Coherent States(F.
Grosshans et al, PRL 88, 057902(2002))
The non-commuting observables are the
quadrature operators X and P
The transmitted light contains weak coherent
pulses(about 100 photons) with a gaussian
modulation of amplitude and phase
The detection is made using shot-noise limited
homodyne detection
Quantum Key Distribution
Using Coherent state
The non-commuting observables are
the quadrature operators X and P
Reconciliation(sliced)
P
Privacy Amplification
X
Quantum Key Distribution
Attack model(Continuous variable)
Intercept-resend model (opaque
eavesdropping)
Error rate
Coherent
Individual Optimal
Collective
Quantum Key Distribution
Security by Information theory
Shannon, von Neumann
$I = H(X) - H(X|Y)$
$\;\; = -\sum_x p(x)\log_2 p(x) + \sum_M q(M)\sum_x p(x|M)\log_2 p(x|M)$
$I_{AB} = 1 + P_e\log_2 P_e + (1-P_e)\log_2(1-P_e)$
1
1
IAE 1 Pe log 21 Pe 1 Pe log 21 Pe
2
2
I IAB IAE 0
Quantum Key Distribution
Security by Information theory
Gaussian distribution
I H X H X | Y
px log 2 px qM px | M log 2 px | M
x
1
I log 21
2
M
x
Quantum Key Distribution
Security by Information theory
Gaussian state
V 1 V 1 V 1 V 1
H
log
log
2
2
2
2
Information
I IAB H 0
Conclusion
One-time pad(QKD)
Where is quantum?
Measurement(Discrete, Continuous)
every measurement perturbs a system
No-cloning theorem(Discrete, Continuous)
It is impossible to copy an arbitrary quantum state
chosen among a set of non-orthogonal states
Quantum Information theory for Security
Acknowledgement
Many Thanks..(M.S. Kim, Jingak Jang,
Wonmin Son..)
Also Many
Thanks for all
who attend
our seminar
Reference
Quantum cryptography, N.Gisin et al,
quant-ph/0101098