Transcript Document
Quantum Cryptography
Brandin L Claar
CSE 597E
5 December 2001
Overview
Motivations for Quantum Cryptography
Background
Quantum Key Distribution (QKD)
Attacks on QKD
7/21/2015
Brandin L Claar
2
Motivations
Desire for privacy in the face of unlimited
computing power
Current cryptographic schemes based on
unproven mathematical principles like the
existence of a practical trapdoor function
Shor’s quantum factoring algorithm could
break RSA in polynomial time
Quantum cryptography realizable with current
technology
7/21/2015
Brandin L Claar
3
Photons
Photons are the discrete bundles of energy
that make up light
They are electromagnetic waves with electric
and magnetic fields represented by vectors
perpendicular both to each other and the
direction of travel
The behavior of the electric field vector
determines the polarization of a photon
7/21/2015
Brandin L Claar
4
Polarizations
A linear polarization is always parallel to a
fixed line, e.g. rectilinear and diagonal
polarizations
A circular polarization creates a circle around
the axis of travel
Elliptical polarizations exist in between
7/21/2015
Brandin L Claar
5
The Poincaré Sphere
z
(0,0,1)
(-1,0,0)
(0,-1,0)
(0,1,0)
(1,0,0)
x
y
Any point resting on the
surface of the unit sphere
represents a valid
polarization state for a
photon
The x, y, and z axes
represent the rectilinear,
diagonal, and circular
polarizations respectively
(0,0,-1)
x2 y 2 z 2 1
7/21/2015
Brandin L Claar
6
Bases
z
P
-Q
y
Q
x
-P
7/21/2015
Diametrically opposed
points on the surface of the
sphere form a basis
Here, {P,-P} and {Q,-Q}
represent bases
Bases correspond to
measurable properties
Conjugate bases are
separated by 90
Brandin L Claar
7
Quantum Uncertainty
Quantum mechanics is simply the study of
very small things
Heisenburg’s uncertainty principle places
limits on the certainty of measurements on
quantum systems
Inherent uncertainties are expressed as
probabilities
7/21/2015
Brandin L Claar
8
Measuring Polarization
z
P
Imagine a photon in state Q,
measured by {P,-P} where
is the angle between P and Q
It behaves as P with
probability:
y
1 cos
cos
2
2
2
Q
x
-P
It behaves as -P with
probability:
1 cos
sin 2
2
2
7/21/2015
Brandin L Claar
9
Measuring Polarization
z
P
y
Q
x
-P
7/21/2015
This phenomenon produces
some interesting behavior
for cryptography
Prob(P) + Prob(-P) = 1
If is 90 or 270,
Prob(P) = Prob(-P) = .5
If is 0 or 180,
Prob(P) = 1
Brandin L Claar
10
Properties for Cryptography
Given 2 conjugate bases, a photon polarized
with respect to one and measured in another
reveals zero information
Dirac: this loss is permanent; the system
“jumps” to a state of the measurement basis
Only measurement in the original basis
reveals the actual state
7/21/2015
Brandin L Claar
11
Key to Quantum Cryptography
z
(0,0,1) 1
(-1,0,0)
0
(0,-1,0)
(0,1,0)
(1,0,0)
1
x
(0,0,-1)
7/21/2015
y
0
Imagine a bit string
composed from 2 distinct
quantum alphabets
It is impossible to retrieve
the entire string without
knowing the correct bases
Random measurements by
an intruder will necessarily
alter polarization resulting in
errors
Brandin L Claar
12
History
Conjugate Coding, Stephen Wiesner (late
60’s)
CRYPTO ’82: Quantum Cryptography, or
unforgeable subway tokens
Charles H. Bennett, Gilles Brassard: use
photons to transmit instead of store
7/21/2015
Brandin L Claar
13
Quantum Key Distribution
Experimental Quantum Cryptography,
Bennett, Bessette, Brassard, Salvail, Smolin
(1991)
Allows Alice and Bob to agree on a secure
random key of arbitrary length potentially for
use in a one-time pad
7/21/2015
Brandin L Claar
14
The Protocol
Communication over the Quantum
Channel
Key Reconciliation
Privacy Amplification
7/21/2015
Brandin L Claar
15
The Quantum Channel
lens
free air optical
path (~32cm)
Wollaston
prism
LED
pinhole
7/21/2015
interference
filter
Pockels
cells
Brandin L Claar
photomultiplier
tubes
16
Basic Protocol
Alice sends random sequence of 4 types of polarized
photons over the quantum channel: horizontal,
vertical, right-circular, left-circular
Bob measures each in a random basis
After full sequence, Bob tells Alice the bases he used
over the public channel
Alice informs Bob which bases were correct
Alice and Bob discard the data from incorrectly
measured photons
The polarization data is converted to a bit string
(↔ = ↶ = 0 and ↕ = ↷ = 1)
7/21/2015
Brandin L Claar
17
Basic Protocol Example
↶
↷
↔
↕
↷
↔
↔
↷
↷
+
o
+
+
o
o
+
+
o
↕
↷
↔
↕
↶
↔
↷
+
o
+
+
o
+
o
Y
Y
Y
Y
↷
↔
↕
↷
1
0
1
1
7/21/2015
Brandin L Claar
18
Key Reconciliation
Data is compared and errors eliminated by
performing parity checks over the public channel
Random string permutations are partitioned into
blocks believed to contain 1 error or less
A bisective search is performed on blocks with
incorrect parity to eliminate the errors
The last bit of each block whose parity was exposed
is discarded
This process is repeated with larger and larger block
sizes
The process ends when a number of parity checks of
random subsets of the entire string agree
7/21/2015
Brandin L Claar
19
Privacy Amplification
A hash function h of the following class is randomly
and publicly chosen:
h : {0,1}n {0,1}nl s
With n bits where Eve’s expected deterministic
information is l bits, and an arbitrary security
parameter s, Eve’s expected information on h(x) will
be less than
2 s
ln 2
h(x) will be the final shared key between Alice and
Bob
7/21/2015
Brandin L Claar
20
Attacking QKD
Intercept/Resend Attack
Beamsplitting Attack
Estimating Eve’s Information
7/21/2015
Brandin L Claar
21
Intercept/Resend Attack
Allows Eve to determine the value of each bit with
probability 1
2
At least 25% of intercepted pulses will generate
errors when read by Bob
All errors are assumed to be the result of
intercept/resend
Hence, a conservative estimate of Eve’s information
on the raw quantum transmission (given t detected
errors) is
4t
5 (4 2 2 )t
2
7/21/2015
Brandin L Claar
22
Errors with Intercept/Resend
Error Counts for Various Eavesdropping Methods
6000
5000
4000
Errors (out of
~10000 basis 3000
matches)
2000
bob
1000
eve
bob
breidbard
circular
diagonal
eve
rectilinear
no eavesdropping
0
Eve's Measurement Basis
7/21/2015
Brandin L Claar
23
Beamsplitting Attack
Ideally, each pulse sent by Alice would consist of
exactly 1 photon
The number of expected photons per pulse is
Eve is able to learn a constant fraction of the bits by
splitting a pulse
Given N pulses, the number of bits lost to Eve
through beamsplitting is estimated to be less than
N 5 N (1 )
7/21/2015
Brandin L Claar
24
Estimating Eve’s Information
Given a bit error rate p and a pulse intenstity , Eve
is expected to learn a fraction of the raw key:
4p
2
Alice and Bob can estimate the number of leaked bits
and use this to eliminate Eve’s information in the
privacy amplification stage:
l N 5 N ( (1 ) (4 2 2 ) p)
7/21/2015
Brandin L Claar
25
Other protocols
Quantum Oblivious Transfer
Einstein-Podolsky-Rosen (EPR) effect
7/21/2015
Brandin L Claar
26