Transcript Document

Quantum Cryptography
Brandin L Claar
CSE 597E
5 December 2001
Overview




Motivations for Quantum Cryptography
Background
Quantum Key Distribution (QKD)
Attacks on QKD
7/21/2015
Brandin L Claar
2
Motivations




Desire for privacy in the face of unlimited
computing power
Current cryptographic schemes based on
unproven mathematical principles like the
existence of a practical trapdoor function
Shor’s quantum factoring algorithm could
break RSA in polynomial time
Quantum cryptography realizable with current
technology
7/21/2015
Brandin L Claar
3
Photons



Photons are the discrete bundles of energy
that make up light
They are electromagnetic waves with electric
and magnetic fields represented by vectors
perpendicular both to each other and the
direction of travel
The behavior of the electric field vector
determines the polarization of a photon
7/21/2015
Brandin L Claar
4
Polarizations



A linear polarization is always parallel to a
fixed line, e.g. rectilinear and diagonal
polarizations
A circular polarization creates a circle around
the axis of travel
Elliptical polarizations exist in between
7/21/2015
Brandin L Claar
5
The Poincaré Sphere
z

(0,0,1)
(-1,0,0)
(0,-1,0)
(0,1,0)
(1,0,0)
x
y

Any point resting on the
surface of the unit sphere
represents a valid
polarization state for a
photon
The x, y, and z axes
represent the rectilinear,
diagonal, and circular
polarizations respectively
(0,0,-1)
x2  y 2  z 2  1
7/21/2015
Brandin L Claar
6
Bases
z

P

-Q
y

Q
x
-P
7/21/2015

Diametrically opposed
points on the surface of the
sphere form a basis
Here, {P,-P} and {Q,-Q}
represent bases
Bases correspond to
measurable properties
Conjugate bases are
separated by 90
Brandin L Claar
7
Quantum Uncertainty



Quantum mechanics is simply the study of
very small things
Heisenburg’s uncertainty principle places
limits on the certainty of measurements on
quantum systems
Inherent uncertainties are expressed as
probabilities
7/21/2015
Brandin L Claar
8
Measuring Polarization
z

P

Imagine a photon in state Q,
measured by {P,-P} where 
is the angle between P and Q
It behaves as P with
probability:
y
   1  cos
cos   
2
2
2
Q
x
-P

It behaves as -P with
probability:
   1  cos
sin 2   
2
2
7/21/2015
Brandin L Claar
9
Measuring Polarization
z

P

y
Q
x
-P
7/21/2015


This phenomenon produces
some interesting behavior
for cryptography
Prob(P) + Prob(-P) = 1
If  is 90 or 270,
Prob(P) = Prob(-P) = .5
If  is 0 or 180,
Prob(P) = 1
Brandin L Claar
10
Properties for Cryptography



Given 2 conjugate bases, a photon polarized
with respect to one and measured in another
reveals zero information
Dirac: this loss is permanent; the system
“jumps” to a state of the measurement basis
Only measurement in the original basis
reveals the actual state
7/21/2015
Brandin L Claar
11
Key to Quantum Cryptography
z
(0,0,1) 1

(-1,0,0)

0
(0,-1,0)
(0,1,0)
(1,0,0)

1
x
(0,0,-1)
7/21/2015
y
0
Imagine a bit string
composed from 2 distinct
quantum alphabets
It is impossible to retrieve
the entire string without
knowing the correct bases
Random measurements by
an intruder will necessarily
alter polarization resulting in
errors
Brandin L Claar
12
History


Conjugate Coding, Stephen Wiesner (late
60’s)
CRYPTO ’82: Quantum Cryptography, or
unforgeable subway tokens

Charles H. Bennett, Gilles Brassard: use
photons to transmit instead of store
7/21/2015
Brandin L Claar
13
Quantum Key Distribution


Experimental Quantum Cryptography,
Bennett, Bessette, Brassard, Salvail, Smolin
(1991)
Allows Alice and Bob to agree on a secure
random key of arbitrary length potentially for
use in a one-time pad
7/21/2015
Brandin L Claar
14
The Protocol



Communication over the Quantum
Channel
Key Reconciliation
Privacy Amplification
7/21/2015
Brandin L Claar
15
The Quantum Channel
lens
free air optical
path (~32cm)
Wollaston
prism
LED
pinhole
7/21/2015
interference
filter
Pockels
cells
Brandin L Claar
photomultiplier
tubes
16
Basic Protocol






Alice sends random sequence of 4 types of polarized
photons over the quantum channel: horizontal,
vertical, right-circular, left-circular
Bob measures each in a random basis
After full sequence, Bob tells Alice the bases he used
over the public channel
Alice informs Bob which bases were correct
Alice and Bob discard the data from incorrectly
measured photons
The polarization data is converted to a bit string
(↔ = ↶ = 0 and ↕ = ↷ = 1)
7/21/2015
Brandin L Claar
17
Basic Protocol Example
↶
↷
↔
↕
↷
↔
↔
↷
↷
+
o
+
+
o
o
+
+
o
↕
↷
↔
↕
↶
↔
↷
+
o
+
+
o
+
o
Y
Y
Y
Y
↷
↔
↕
↷
1
0
1
1
7/21/2015
Brandin L Claar
18
Key Reconciliation






Data is compared and errors eliminated by
performing parity checks over the public channel
Random string permutations are partitioned into
blocks believed to contain 1 error or less
A bisective search is performed on blocks with
incorrect parity to eliminate the errors
The last bit of each block whose parity was exposed
is discarded
This process is repeated with larger and larger block
sizes
The process ends when a number of parity checks of
random subsets of the entire string agree
7/21/2015
Brandin L Claar
19
Privacy Amplification



A hash function h of the following class is randomly
and publicly chosen:
h : {0,1}n  {0,1}nl s
With n bits where Eve’s expected deterministic
information is l bits, and an arbitrary security
parameter s, Eve’s expected information on h(x) will
be less than
2 s
ln 2
h(x) will be the final shared key between Alice and
Bob
7/21/2015
Brandin L Claar
20
Attacking QKD



Intercept/Resend Attack
Beamsplitting Attack
Estimating Eve’s Information
7/21/2015
Brandin L Claar
21
Intercept/Resend Attack




Allows Eve to determine the value of each bit with
probability 1
2
At least 25% of intercepted pulses will generate
errors when read by Bob
All errors are assumed to be the result of
intercept/resend
Hence, a conservative estimate of Eve’s information
on the raw quantum transmission (given t detected
errors) is
4t
 5 (4  2 2 )t
2
7/21/2015
Brandin L Claar
22
Errors with Intercept/Resend
Error Counts for Various Eavesdropping Methods
6000
5000
4000
Errors (out of
~10000 basis 3000
matches)
2000
bob
1000
eve
bob
breidbard
circular
diagonal
eve
rectilinear
no eavesdropping
0
Eve's Measurement Basis
7/21/2015
Brandin L Claar
23
Beamsplitting Attack




Ideally, each pulse sent by Alice would consist of
exactly 1 photon
The number of expected photons per pulse is 
Eve is able to learn a constant fraction of the bits by
splitting a pulse
Given N pulses, the number of bits lost to Eve
through beamsplitting is estimated to be less than
N  5 N (1  )
7/21/2015
Brandin L Claar
24
Estimating Eve’s Information

Given a bit error rate p and a pulse intenstity , Eve
is expected to learn a fraction of the raw key:


4p
2
Alice and Bob can estimate the number of leaked bits
and use this to eliminate Eve’s information in the
privacy amplification stage:
l  N  5 N (  (1   )  (4  2 2 ) p)
7/21/2015
Brandin L Claar
25
Other protocols


Quantum Oblivious Transfer
Einstein-Podolsky-Rosen (EPR) effect
7/21/2015
Brandin L Claar
26