Quantum Key Distribution, Practical Implications


QUANTUM KEY DISTRIBUTION,
PRACTICAL IMPLICATIONS &
VULNERABILITIES
Seyed Ali Hosseini Lavasani
Seyed Alireza Seif Tabrizi
B92 PROTOCOL


Let $|u_0\rangle$ and $|u_1\rangle$ be two distinct, nonorthogonal states, and let
$P_0 = 1 - |u_1\rangle\langle u_1|$ and $P_1 = 1 - |u_0\rangle\langle u_0|$ be projection
operators onto subspaces orthogonal to $|u_1\rangle$ and $|u_0\rangle$,
respectively. Thus $P_0$ annihilates $|u_1\rangle$, but yields a positive result
with probability $1 - |\langle u_0|u_1\rangle|^2 > 0$ when applied to $|u_0\rangle$, and
vice versa for $P_1$.
To begin the key distribution, Alice prepares and sends Bob a
random binary sequence of quantum systems, using states $|u_0\rangle$
and $|u_1\rangle$ to represent the bits 0 and 1, respectively. Bob then
decides randomly and independently of Alice for each system,
whether to subject it to a measurement of $P_0$ or $P_1$. Next Bob
publicly tells Alice in which instances his measurement had a
positive result (but not, of course, which measurement he made),
and the two parties agree to discard all the other instances.

If there has been no eavesdropping, the remaining instances, a
fraction approximately $\frac{1}{2}\left(1 - |\langle u_0|u_1\rangle|^2\right)$ of the original trials,
should be perfectly correlated, consisting entirely of instances in
which Alice sent $|u_0\rangle$ and Bob measured $P_0$, or Alice sent $|u_1\rangle$
and Bob measured $P_1$. However, before Alice and Bob can trust
this data as key, they must, as in other key distribution schemes,
sacrifice some of it to verify that their versions of the key are
indeed identical. This also certifies the absence of eavesdropping,
which would necessarily have disturbed the states $|u_0\rangle$ or $|u_1\rangle$
in transit, causing them sometimes to yield positive results when
later subjected to measurements $P_1$ or $P_0$, respectively.
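The sifting and error check described above, as an added simulation that is not part of the original slides. The polarization angles (0 and 45 degrees), the function names and the modelled disturbance (a measure-and-resend in the 0/90 degree basis) are assumptions chosen for illustration.

```python
import math
import random

def b92_run(n, theta=math.pi / 4, disturb=False, seed=1):
    """Simulate n B92 trials with linear polarization states.

    u0 is polarization angle 0 and u1 is angle theta (assumed values).
    Returns (sifted_fraction, error_rate_in_sifted_key).
    """
    rng = random.Random(seed)
    angle = {0: 0.0, 1: theta}
    kept = errors = 0
    for _ in range(n):
        a = rng.randrange(2)              # Alice's random bit
        psi = angle[a]                    # polarization she sends
        if disturb:
            # Constructed disturbance: the photon is measured in the
            # 0/90 degree basis in transit and re-sent in the outcome state.
            psi = 0.0 if rng.random() < math.cos(psi) ** 2 else math.pi / 2
        b = rng.randrange(2)              # Bob's random choice: measure P_b
        blocked = angle[1 - b]            # P_b = 1 - |u_(1-b)><u_(1-b)|
        p_positive = math.sin(psi - blocked) ** 2   # <psi|P_b|psi>
        if rng.random() < p_positive:
            kept += 1                     # Bob announces a positive result
            errors += (a != b)            # positive on P_b means Bob's bit is b
    return kept / n, (errors / kept if kept else 0.0)

def expected_sift_fraction(theta):
    # (1/2)(1 - |<u0|u1>|^2), with <u0|u1> = cos(theta) for linear polarization
    return 0.5 * (1 - math.cos(theta) ** 2)

if __name__ == "__main__":
    for label, flag in (("clean channel", False), ("disturbed channel", True)):
        frac, err = b92_run(20000, disturb=flag)
        print(f"{label}: sifted fraction {frac:.3f}, error rate {err:.3f}")
```

On a clean channel the sifted key has no errors at all, so any mismatch found in the sacrificed sample indicates disturbance; under the modelled disturbance about one third of the sifted bits disagree.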
AN EXAMPLE OF B92 QKD

For example, Alice prepares a polarized photon for each of her
bits according to the rules:
and sends it over the “quantum channel” to Bob.

Bob makes a polarization measurement on each photon he
receives, according to the value of his bit as given by:
and records the result (“pass” = Y, “fail” = N).

In this experiment we see that for the first and fourth bits
Alice and Bob had different bit values, so that Bob’s result is
"N" in each case. However, for the second and third bits, Alice
and Bob have the same bit values and the protocol is such that
there is a probability of 0.5 that Bob’s result is a “Y” in each
case. Of course, we cannot predict in any particular
experiment which one will be a “Y,” but in this example the
second bit was a “N” and the third bit was a “Y.”
EXPERIMENTAL REALIZATION IN
OPTICAL FIBER

The probability that a photon injected by Alice is
detected by Bob at his “L” detector
depends on both paths. Thus, if Alice and Bob use
the phase angles (𝜑𝐴 , 𝜑𝐵 ) = (0, 3𝜋/2) for their “0”
bits (respectively) and (𝜑𝐴 , 𝜑𝐵 ) = (𝜋 /2, 𝜋) for their
“1” bits they have an exact representation of B92
when Bob records photon arrivals at his “L”
detector. Each path length is analogous to one of
the polarizer angles in the explanation of B92 in
the previous section.

The BB84 protocol can be realized with a detector
in the “upper” output port, for which the single-photon detection probability is
Then, Alice transmits (0, 1) in either the first basis
as 𝜑𝐴 = (0, 𝜋), or the second basis as 𝜑𝐴 = (𝜋/2, 3𝜋/2),
and Bob measures for photon detections at
“U” or “L” with either the first basis, 𝜑𝐵 = 0, or the
second basis, 𝜑𝐵 = 𝜋/2. When Alice and Bob use the
same basis, Bob’s “U” detector will fire to identify
“1”s and his “L” detector will fire to identify “0”s.
TIME-MULTIPLEXED INTERFEROMETER
FOR QUANTUM KEY DISTRIBUTION
FREE SPACE QUANTUM KEY DISTRIBUTION
IMPLICATIONS:
EXPERIMENTAL


The highest bit rate system currently demonstrated exchanges
secure keys at 1 Mbit/s (over 20 km of optical fiber) and 10 kbit/s
(over 100 km of fiber), achieved by a collaboration between the
University of Cambridge and Toshiba using the BB84 protocol
with decoy pulses.
As of March 2007 the longest distance over which quantum key
distribution has been demonstrated using optic fiber is 148.7 km,
achieved by Los Alamos National Laboratory/NIST using the
BB84 protocol. Significantly, this distance is long enough for
almost all the spans found in today's fiber networks. The distance
record for free space QKD is 144 km between two of the Canary
Islands, achieved by a European collaboration using entangled
photons (the Ekert scheme) in 2006, and using BB84 enhanced
with decoy states in 2007. The experiments suggest transmission
to satellites is possible, due to the lower atmospheric density at
higher altitudes. For example, although the minimum distance
from the International Space Station to the ESA Space Debris
Telescope is about 400 km, the atmospheric thickness is about an
order of magnitude less than in the European experiment, thus
yielding less attenuation compared to this experiment.
IMPLICATIONS:
COMMERCIAL



There are currently three companies offering
commercial quantum key distribution systems: id
Quantique (Geneva), MagiQ Technologies (New York)
and QuintessenceLabs (Australia). Several other
companies also have active research programs,
including Toshiba, HP, IBM, Mitsubishi, NEC and
NTT.
Quantum encryption technology provided by the
Swiss company Id Quantique was used in the Swiss
canton (state) of Geneva to transmit ballot results to
the capital in the national election occurring on
October 21, 2007.
In 2004, the world's first bank transfer using
quantum key distribution was carried out in Vienna,
Austria.
THE EPR PROTOCOL




Alice and Bob share a set of n entangled pairs of qubits in the
EPR state:
Each of them makes measurements in the $\{|+\rangle, |-\rangle\}$ basis or the
$\{|0\rangle, |1\rangle\}$ basis at random and stores the results.
Then Alice and Bob announce the bases in which they made their
measurements over a public channel.
They discard any bits for which Bob measured in a different basis than
Alice prepared.
AN EXAMPLE OF EPR PROTOCOL
Alice’s polarization   0  1  -  +  1  0  +
Alice’s bit value      0  1  0  1  1  0  1
Bob’s polarization     +  +  -  1  1  +  +
Bob’s bit value        1  1  0  1  1  1  1
THE ORIGIN OF KEY BITS

Since it is symmetric – Alice and Bob perform
identical tasks on their qubits, even possibly
simultaneously – it cannot be said that either Alice or
Bob generates the key. Rather, the key is truly
random. In fact the same applies to the BB84
protocol, since it can be reduced to an instance of a
generalized version of the EPR protocol; the key is
undetermined until Alice or Bob performs a
measurement on their EPR pair half. Similar
observations can be made about the B92 protocol. For
this reason, quantum cryptography is sometimes
thought of not as secret key exchange or transfer, but
rather as secret key generation, since fundamentally
neither Alice nor Bob can pre-determine the key they
will ultimately end up with upon completion of the
AN EXAMPLE OF VULNERABLE QKD
PROTOCOL

Li describes a QKD protocol using Greenberger-Horne-Zeilinger (GHZ)
states that requires no classical communication. The protocol is described
as follows, for communicating parties Alice and Bob:


Li shows that this protocol is secure with respect to an attack in which
Eve measures qubits returning from Bob to Alice, with a probability that
Eve escapes detection of $2^{-n}$, for n qubits. It is also shown that the
protocol is secure with respect to an attack where Eve executes a
controlled-NOT operation on the qubits sent from Bob to Alice.
Unfortunately, the protocol is vulnerable to a quantum version of a classic
man-in-the-middle attack, which we will refer to as an EPR man-in-the-middle attack, conducted as follows:
Quantum Money
Ever since there’s been money, there’ve been people trying to
counterfeit it
Previous work on the physics of money:
In his capacity as Master of the Mint, Isaac Newton added
milled edges to English coins to make them harder to
counterfeit
(Newton also personally oversaw hangings of counterfeiters)
Today: Holograms, embedded
strips, “microprinting,” special
inks…
Leads to an arms race with no
obvious winner
Problem: From a CS perspective, uncopyable cash
seems impossible for trivial reasons
Any printing technology the good guys can
build, bad guys can in principle build also
x  (x,x) is a polynomial-time operation
What’s done in practice: Have a trusted third party
authorize every transaction
(BitCoin: “Trusted third party” is
distributed over the Internet)
OK, but sometimes you want cash, and that seems
impossible to secure, at least in classical physics…
First Idea in the History of Quantum Info
Wiesner 1969: Money that’s information-theoretically
impossible to counterfeit, assuming quantum mechanics
Each banknote contains n qubits, secretly prepared in one of the 4
states $|0\rangle, |1\rangle, |+\rangle, |-\rangle$
(Recent) Theorem: A counterfeiter who doesn’t know the state can copy
it with probability at most $(3/4)^n$
In a giant database, the bank remembers how it prepared
every qubit on every banknote
Want to verify a banknote? Take it to the bank. Bank uses
its knowledge to measure each qubit in the right basis:
DRAWBACKS OF WIESNER’S SCHEME
1. Banknotes could decohere in microseconds in your
wallet—the “Schrödinger’s money problem”!
The reason why quantum money isn’t yet practical, in
contrast to (say) quantum key distribution
2. Bank needs a big database describing every banknote
Solution (Bennett et al. ‘82): Pseudorandom functions
3. Only the bank knows how to verify the money
4. Scheme can be broken by interacting with the bank
Future Direction: Quantum Copy-Protection
Finally, a serious use for quantum computing
Goal: Quantum state |f that lets you compute an
unknown function f, but doesn’t let you efficiently
create more states with which f can be computed
QUANTUM CRYPTOGRAPHY COMES TO
SMART PHONES


A smart phone can do pretty much anything a PC can. But, aside from
password protection, phones have very little security—a real problem
with more and more people using phones for online banking and
shopping.
But researchers at Los Alamos National Lab hope quantum encryption
can help. Quantum encryption typically requires a lot of processing
power and covers only short distances. But Los Alamos says it's
developed a minitransmitter that encodes the encryption key on a single
photon. They call it the QKarD transmitter, short for Quantum Smart
Card. Any change in the photon’s quantum information reveals an
attempted hack and cancels the transaction.
QKarD faces a few challenges. You'd still need a
password or some biometric security to make
sure someone doesn't use your lost or stolen
phone to make their own encrypted transactions.
Also, Google's Wallet mobile payment service
already uses encryption. It may not be as secure
as quantum encryption, but many people may
decide it’s good enough.
One thing’s for sure: we're going to need more
mobile gadget security to keep a step ahead of
info-hungry hackers.

REFERENCES


C. H. Bennett, Phys. Rev. Lett. 68, 3121 (1992).
C. H. Bennett and G. Brassard, Proceedings of IEEE International
Conference on Computers, Systems and Signal Processing, Bangalore
(New York, IEEE, 1984).

arXiv:quant-ph/9904038v1

arXiv:quant-ph/0206092v1

arXiv:quant-ph/0305076v1

M. A. Nielsen and I. L. Chuang, Quantum Computation and Quantum
Information, Cambridge University Press, UK, 2000.

http://en.wikipedia.org/wiki/Quantum_key_distribution

www.scottaaronson.com/talks/money-hs.ppt

www.scottaaronson.com/talks/qmoney-uw.ppt

http://www.scientificamerican.com/podcast/episode.cfm?id=quantumcryptography-comes-to-smart-12-02-02