Quantum Information as a Tool

Download Report

Transcript Quantum Information as a Tool 

Quantum Key Distribution
Kommentare
Chances and Restrictions
Norbert Lütkenhaus
Emmy Noether Research Group
Institut für Theoretische Physik I
Universität Erlangen-Nürnberg
Institut für Optik, Information und Photonik
Max-Planck Forschungsgruppe, Erlangen
Overview
• What does Quantum Key Distribution do?
• QKD and Correlations
• Security intuition based on Quantum Mechanics
• Performance in real implementations
• Current Problems
animieren
What is QKD about?
EVE
Classical Channel
Bob
Alice
initial secret key
010110101
key (X): 010110101
???
Generated key:
informtion theoretic security
secure: I(X;Eve)=0
random: H(X) = n (maximal)
universally composable
Additional Resources:
Correlations via
Quantum Channel
Restrictions:
-initially point-to-point
-max range 20 km (150km?)
-key rate e.g. 100 bits/sec,
increase to 100 kbits or more?
Correlations and information
theoretic security
Alice
Bob
E
EveIBE
IAE
Eve obtains degraded
copy of message
Alice and Bob can
perform secure communication
Lower bound on secrecy capacity CS:
PABE(a,b,e)
A
Wyner Wire Tap
(rate of secret communication between Alice and Bob)
B
- Csiszar, Körner, IEEE, IT 24, 339 (1978).
IAB
CS > max {IAB - IAE, IAB -IBE }
Upper Bounds on secrecy capacity CS:
- U. M. Maurer, IEEE Trans. Inf.Theo. 39, 1733 (1993);
-U. Maurer and S. Wolf, IEEE T. I. T. 45, 499 (1999).
Cs  I(A;BE)
• Intrinsic Information: I(A;BE)
I(A,BE) = minEE I(A;B|E)
with I(A;B|E) = H(A,E) + H(B,E) – H(A,B,E) – H(E)
Exploiting the
Csiszar-Körner bound
(one-way communication)
E
IAE
A
B
IAB
E
A
I‘(AB)E
1)
2)
3)
[C. Cachin, U.M. Maurer,IEEE Trans. Inf. Theo. 39, 1733 (1993).]
IAE  IAB E  IAE  1  IAB   1  (IAB  IAE )
B
I‘AB = 1
Alice‘s bit string defines the key
Amount of required classical communication AB to allow Bob
to correct his errors:
(1-IAB) bits
Estimate Eve‘s relevant information
4)
Privacy amplification:
Shorten key by fraction 
CS  1   1  IAB E
E I‘‘
(AB)E=0
A
B
I‘‘AB = 1
CS  I AB  I AE
Quantum Mechanics
•Signal states are represented by complex vectors, represented by
•(dual vectors are represented by


)
•Measurements correspond to set of positive, hermitian operators F ,
i
one for each possible outcome ‘i’, that form the resolution of the identity operator
 F  Id
i
i
•Quantum mechanics predicts the probability of a measurement outcome as the
expectation value
Pr(i)   Fi 
• Composed systems are described by state vectors that can be expressed as linear
combination of tensor products of basis vectors of each individual system

A, B
  cn,m n
~


m
A
B
n,m
• Measurement on only one subsystem: use
Fi  IdB
Eavesdropping


Eve
E

U
A
A, E
U unitary
If  A, E can be verified to behave like the input states locally on system A
for two non-orthogonal input states  and  ' , then we can show that
~ A  
~


E
~
A
 '
holds for any linear combination  Aof
P(A,B,E) = P(A,B) P(E).
No errors for non-orthogonal
states Only trivial operation
by Eve  no leakage of
information
A
A
U

E
A
and  '
A
.
Eavesdropper
Bennett Brassard Protocol
Quantum Part:
Create random key:
random signals
random measurements
Public discussion over
faithful classical channel:
distinguish deterministic
from random processes
Alice:
Bob:
Sifting
(public discussion)
0:
1:
1
0
1
No errors:
transmitted
faithfully  Key is secure
1
Shor-Preskill type security proof
basis 0110…
data 0101…
Encoding into
QECC code
Quantum Error
Correction Code
Detector
Decoding of
QECC code
noisy channel
noisy channel
noisy channel
Quantum/classical procedure for CSS codes:
Phase I: Quantum
basis 0101…
basis 0110…
data 0101…
noisy channel
Detector
data 0101…
Phase II: Classical
data 0101…
1)
2)
data 0100…
classical error correction
classical privacy amplification
data 0101…
data 0101…
secret key
Gain formula
The gain formula gives the number of secure bits after error correction
and privacy amplification per signal sent by Alice:
1
G  1  h[e]  h[e]
2
privacy amplification
(Eve‘s additional information
gained during error correction)
privacy amplification
(Eve‘s information gain that caused errors)
11 %
Realistic Signals
Multi-photon signals
Several copies of signal state
No single photon sources (though
getting there!)
Source
Eve can single out a copy
1
No errors are caused
Delayed measurement gives
full information to Eve
Eve
Weak laser pulse (without phase reference)
Laser
Pr(n)  Exp[  ]
n
n!
Alice
Bob
Multi-photon signals are a
nuisance, but not an obstacle 
privacy amplification takes care of
extra information
Unconditional security proof
Inamori, NL, Mayers, quant-ph/0107017
Assumptions and settings:
•Mixture of vacuum, single and multi-photon
signals
•Ideal polarization preparation (or equivalent)
•No optical intrusion into Alice and Bob
•No restrictions on Eve acting on signals
•Detection probability independent of signal or
basis choice
Conservative approach:
•Eve responsible for all observed errors and all
loss
 

 2e  
G   rep pexp  R1  h     he
 R 
 

1
2
(only limit of long keys shown)
hx   x log 2 x  1  x log 2 1  x 
Eve’s optimal strategy:
•Split one photon off all multi-photon
signals (no error, but full information)
•Eavesdrop on a few single photon signals
to maintain expected number of detected
signals
•Block remaining single photon signals
Eve knows a lot, but we know how
much she knows:
Error correction
Privacy Amplification
unconditionally secure key
R
pexp  pmulti
Minimal fraction of contributing
single photon signals
pexp
e: error rate in sifted key
pexp: detection rate
Pmulti multi-photon probability
υrep repetition rate
Optical implementation
Example: Townsend, Opt. Fib. Tech. 4, 345-370 (1998)
Polarization:
Relative phase between
two optical modes
low error rate over
long distances (>150
km)
Problem: Bob
receives weak signals
 need excellent
photo detectors
Achievable Rates as of 2000
Rates per time slot, optical fiber based implementations.
Commercial Applications
© MagiQ Technologies
Commercial product:
operation on installed optical fiber
European effort:
IdQuantique (Geneva)
EU IP “Secure Communication using Quantum Cryptography”
Quantum Communication and
Correlations
Phase I: Physical Set-Up
Generation of correlations between Alice and Bob
 possibly containing hidden correlations with Eve
Physics:
correlated data with a promise.
Which type of correlations are
useful for Quantum Communication?
(Classical) Computer Science:
Solve Communication Problem with
classically correlated data …
Phase II: Classical Communication Protocol
Advantage distillation (e.g. announcement of bases in BB84 protocol)
Error Correction ( Alice and Bob share the same key)
Privacy Amplification ( generates secret key shared by Alice and Bob)
Potential for correlations
secret bits
per signal
not secure
(proven)
Regime of Hope
not secure
(proven)
protocol
independent
secure
(proven)
protocol
e.g. weak coherent pulse BB84
- [Inamori, NL, Mayers quant-ph/0107017]
- [Gottesman, Lo, NL, Preskill quant-ph/0212066]
 typically 20 – 40 km
distance
(channel model)
e.g about 100 km for BB84 signals
[Dusek, Jahma, NL, PRA 62 022306 (2000)]
Conclusions
Quantum Key Distribution offers information theoretic secure key.
It can be implemented with todays technology.
We are still in the learning process to ramp up rate and distance.
Warning: need to secure devices against side-channel attacks.
QKD seems ideal topic for interface Physics and Computer Science:
physics generates correlations with a promise
computer science offers public discussion protocols to extract key