Quantum Cryptography

innocentsickAI and Robotics

Nov 21, 2013 (3 years and 11 months ago)

81 views

Quantum Cryptography

Cryptography

Quantum Key Distribution

Main Point


Cryptography


Quantum Key Distribution


BB84


continuous


Security


Attack model


Information

Introduction


What is Cryptography?


Cryptography is the art of rendering a
message unintelligible to any
unauthorized party


dkssudgktpdy


안녕하세요
(Korean)


It is part of the broader field of
cryptology, which also includes
cryptoanalysis, the art of code breaking

Introduction


Why do we need cryptography?


Suppose Mark want to send a secret message to
his girl friend over an insecure channel!

Insecure

secure

Cryptography


Key : What

s key?


Encryption : combine a message with some
additional information
-

known as the

key




and produce a cryptogram.


Decryption : combine a cryptogram with
some additional information
-

known as the

key




and produce a message.


Asymmetrical(public
-
key) cryptosystem





Symmetrical(secret
-
key) cryptosystem

Cryptography

Cryptography


Asymmetrical(public
-
key) cryptosystem


ElGamal Cryptosystem


Elliptic curve Cryptosystem


The Merkle
-
Hellman Knapsack Cryptosystem


RSA(Ronald Rivest, Adi Shamir,Leonard
Adleman)


etc..

Cryptography


RSA(Ronald Rivest, Adi Shamir,Leonard
Adleman)


If Bob wants to be able to receive messages
encrypted with a public key cryptosystem, he must
first choose a "private" key, which he keeps secret.
Then, he computes from this private key a "public"
key, which he discloses to any interested party. Alice
uses this public key to encrypt her message. She
transmits the encrypted message to Bob, who
decrypts it with the private key

Cryptography


RSA(Ronald Rivest, Adi Shamir,Leonard
Adleman)


Big Prime number factorization is so difficult problem


Public
-
key cryptosystems are convenient and they
have thus become very popular over the last 20
years


What is problem?


Not proven security


Shor

s algorithm

Cryptography


Symmetrical(secret
-
key) cryptosystem


Block type


DES


AES


etc..


Stream type


LFSR


One
-
time pad


etc..

Cryptography


One
-
time pad


first proposed by Gilbert Vernam in 1926


This cryptosystem is thus provably secure in
the sense of information theory (Shannon
1949)


Actually, this is today the only provably
secure cryptosystem


What is problem?


Difficult to implementation

Cryptography

00101000..

01000101..

01101101..


One
-
time pad

01000101..

+

=

Secret channel

Classical channel

01101101..

+

=

00101000..

Difficult to
implementation


sending a

secret key


by using the laws
of physics to warrant the complete
security of the transmission


Discrete variable


BB84


B92


Etc..


Continuous variable


Squeezed state


Gaussian distribution

Quantum Key Distribution

Quantum Physics




Principle of Complementary



Heisenberg Uncertainty Principle



Correspondence Principle



etc..

Quantum Key Distribution

Cryptography

Asymmetric

symmetric

One
-
time pad

Quantum Mechanics

Quantum Cryptography

Descrete

Continuous

RSA

Number theory, Algebra..

Quantum Key Distribution


BB84


proposed by Charles H. Bennett and Gilles
Brassard in 1984


Two state( |0>, |1>), but four bases(|0,V>,
|1,H>, |0,L>, |1,R>)




Bases with such a property are called
conjugate

=> Unpredictable

2
1
,
1
,
0

V
L
Quantum Key Distribution


BB84(Protocol)


Alice sends random “bits” (0 or 1) encoded in
two 2 different “basis”


Bob randomly chooses either the “+” or the

×
” basis and records the transmitted and
reflected photons


Bob announces openly his choice of basis
(but not the result!) and Alice answers “ok” or
“no”. Bits with different basis are discarded


The remaining bits give the secret key

Quantum Key Distribution


BB84(without Eve, no noise)

Quantum Key Distribution


Attack model


Intercept
-
resend model (opaque
eavesdropping)


Error rate


Coherent or joint


Optimal individual


Collective

Quantum Key Distribution


BB84(with Eve, no noise)

Quantum Key Distribution


BB84(with Eve, no noise)


Raw key extraction


Over the public channel, Bob communicates to Alice
which quantum alphabet he used for each of his
measurements


Alice and Bob then delete all bits for which they used
incompatible quantum alphabets to produce their
resulting raw keys


Error estimation


Over the public channel, Alice and Bob compare small
portions of their raw keys to estimate the error
-
rate R,
and then delete the disclosed bits from their raw keys
to produce their tentative final keys

0

R
Quantum Key Distribution


BB84(with Eve, no noise)


If one guesses correctly, then Alice

s
transmitted bit is received with
probability 1. On the other hand, if one
guesses incorrectly, then Alice

s
transmitted bit is received correctly with
probability 1/2 . Thus in general, the
probability of correctly receiving Alice

s
transmitted bit is

4
3
2
1
2
1
1
2
1





P
Quantum Key Distribution


BB84(with Eve, no noise)


If there is no intrusion, then Alice

s and
Bob

s raw keys will be in total
agreement. However, if Eve has been at
work, then corresponding bits of Alice

s
and Bob

s raw keys will not agree with
probability


4
1

e
P
m
4
1
1









P
Quantum Key Distribution


BB84(with Eve, with noise)


We must assume that Bob

s raw key is
noisy


Since Bob can not distinguish between errors
caused by noise and by those caused by Eve

s
intrusion, the only practical working assumption
he can adopt is that all errors are caused by
Eve

s eavesdropping


Under this working assumption, Eve is always
assumed to have some information about bits
transmitted from Alice to Bob. Thus, raw key is
always only partially secret

Quantum Key Distribution


BB84(with Eve, with noise)


Over the public channel, Alice and Bob
compare small portions of their raw keys to
estimate the error
-
rate R, and then delete the
disclosed bits from their raw key to produce
their tentative final keys. If R exceeds a
certain threshold , then privacy
amplification is not possible If so, Alice and
Bob return to stage 1 to start over. On the
other hand, if , then Alice and Bob
proceed to Reconciliation

max
R
R

max
R
Quantum Key Distribution


Reconciliation Key


Alice and Bob publically agree upon a
random permutation, and apply it to what
remains of their respective raw keys


Alice and Bob partition the remnant raw key
into blocks of length L


For each of these blocks, Alice and Bob
publically compare overall parity checks,
making sure each time to discard the last bit
of each compared block

Quantum Key Distribution


Privacy amplification


Alice and Bob compute from the error
-
rate R
an upper bound k of the number of bits of
reconciled key known by Eve


Alice and Bob publically select n−k−s
random subsets of reconciled key, without
revealing their contents. The undisclosed
parities of these subsets become the final
secret key









,
,
I
I

Quantum Key Distribution


BB84(with noise)

Noise?

max
R
R

Reconciliation

Privacy amplification

Resend

R=0?

No

No

No

Yes

Yes

Key!

Yes

Key!

Quantum Key Distribution


Security by Information theory


I. Csiszar, and J. Korner, IEEE Trans. Inf.
Theory, 24, 330 (1978)


Alice and Bob can establish a secret key
(using error correction and privacy
amplification) if and only if









,
,
I
I









,
,
I
I

Quantum Key Distribution


Security by Information theory


Shannon

s formula





e
e
e
e
AB
P
P
P
P
I





1
log
1
log
1
2
2






















y
x
x
y
x
p
y
x
p
y
q
x
p
x
p
Y
X
H
X
H
I
|
log
|
log
|
2
2
Quantum Key Distribution


Security by Information theory


A Generic Security Proof for Quantum Key
Distribution by M. Christandl et al, quant
-
ph/0402131


Shannon

s formula


Von Neumann

s formula (Quantum
information)


Key Rate R





S
I
R
AB
max


AB
I



S
Quantum Key Distribution


Where is quantum?


Measurement


every measurement perturbs a system


No
-
cloning theorem


It is impossible to copy an arbitrary quantum state
chosen among a set of non
-
orthogonal states

No perturbation

No measurement

No eavesdropping

Quantum Key Distribution


Experiment



Experimental Quantum Cryptography


(C.Bennett et al, J.Cryptology 5, 3
-
28, 1992)


etc..


What is problem?


Photon Generation


Reliable?

Quantum Key Distribution


Essential feature :
quantum channel
with non
-
commuting quantum
observables


not restricted to single photon polarization!


New QKD protocol where :


The non
-
commuting observables are the
quadrature operators X and P


i.e. continuous variable

Quantum Key Distribution


Quantum cryptography with Squeezed
states(Mark Hillery, PRA, 61, 022309)


Quantum distribution of Gaussian keys
using squeezed states(N.J.Cerf et al,
PRA, 63, 052311)


The non
-
commuting observables are the
quadrature operators X and P

Quantum Key Distribution


Using Squeezed state


The non
-
commuting observables are
the quadrature operators X and P


Reconciliation(sliced)


Privacy Amplification


P

X

Quantum Key Distribution


Continuous Variable Quantum
Cryptography Using Coherent States(F.
Grosshans et al, PRL 88, 057902(2002))


The non
-
commuting observables are the
quadrature operators X and P


The transmitted light contains weak coherent
pulses(about 100 photons) with a gaussian
modulation of amplitude and phase


The detection is made using shot
-
noise limited
homodyne detection

Quantum Key Distribution


Using Coherent state


The non
-
commuting observables are
the quadrature operators X and P


Reconciliation(sliced)


Privacy Amplification

P

X

Quantum Key Distribution


Attack model(Continuous variable)


Intercept
-
resend model (opaque
eavesdropping)


Error rate


Coherent


Individual Optimal


Collective

Quantum Key Distribution


Security by Information theory


Shannon, von Neumann





e
e
e
e
AB
P
P
P
P
I





1
log
1
log
1
2
2






















M
x
x
M
x
p
M
x
p
M
q
x
p
x
p
Y
X
H
X
H
I
|
log
|
log
|
2
2








e
e
e
e
AE
P
P
P
P
I






1
log
1
2
1
1
log
1
2
1
2
2
0




AE
AB
I
I
I
Quantum Key Distribution


Security by Information theory


Gaussian distribution






1
log
2
1
2
I






















M
x
x
M
x
p
M
x
p
M
q
x
p
x
p
Y
X
H
X
H
I
|
log
|
log
|
2
2
Quantum Key Distribution


Security by Information theory


Gaussian state





Information




















2
1
log
2
1
2
1
log
2
1
V
V
V
V
H

0




H
I
I
AB
Conclusion


One
-
time pad(QKD)


Where is quantum?


Measurement(Discrete, Continuous)


every measurement perturbs a system


No
-
cloning theorem(Discrete, Continuous)


It is impossible to copy an arbitrary quantum state
chosen among a set of non
-
orthogonal states


Quantum Information theory for Security

Acknowledgement


Many Thanks..(M.S. Kim, Jingak Jang,
Wonmin Son..)

Also Many
Thanks for all
who attend
our seminar

Reference


Quantum cryptography, N.Gisin et al,
quant
-
ph/0101098