Quantum cryptography

Physics of Nanophotonic Systems
Lecture 5
June 10th, 2010
Quantum cryptography
Single photons in action
Prof. Jonathan J. Finley
Dr. Michael Kaniber
Thu, 15:30–17:30
S101 (WSI)
Physics of Nanophotonic Systems SS 2010
Lecture 5 – Quantum cryptography
What is cryptography
• The art of rendering a message unintelligible to any unauthorized party…
Historical overview: Cryptography
http://en.wikipedia.org/wiki/History_of_cryptography
Literature: Simon Singh, “The Code Book”, Fourth Estate, 2000
Classical Cryptography
Complexity theory (asymmetric cryptosystem)
• Two keys needed – public key for encryption and private key for decryption
• The “public key” contains a private “decoding key”
• Security based on “one-way” functions (no one knows whether one-way functions really exist)
• f(x): message + public key = cipher is easy; the reverse is difficult (unless private key known)
• Sometimes called RSA cryptography
Information theory (symmetric cryptosystems)
• The key is secret
• Message is encrypted and decrypted using a decoding key: only the two partners have a copy!
• Easy to crack if key is repeatedly used
• Only the “Vernam cypher” has been mathematically proven to be secure
128 bit key → $2^{128} \approx 10^{38}$ numbers to check using brute force!
Vernam cipher or one-time-pad
Alice and Bob share the same key: 0101110010100011
Message: 1000100011110101
Key:     0101110010100011
Cipher:  1101010001010110
Sent: sum mod 2. Contains NO info!
Message at Bob: 1000100011110101
Unbreakable… unless the eavesdropper knows the key!!!
→ How to distribute the key among the partners?
Q-cryptography is a protocol for secure key distribution!
i.e., purpose: establish two identical lists of secret bits.
G. Vernam, J. Am. Inst. Elect. Eng. 45, 109 (1926)
Pro’s and con’s of the one-time-pad
• Major advantage
– Provides unbreakable security (can be mathematically proven)
• Disadvantages
– Key must be as long as the message – otherwise insecure…
– Key must be absolutely random
– Key must never be reused – otherwise security is compromised…
– Alice and Bob must have a secure channel to exchange key beforehand…
– Multi-party key exchange is a nightmare…
Here QC comes into play: mathematically secure way to distribute a key between two parties
QUANTUM KEY DISTRIBUTION
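Added example (not part of the lecture slides): the Vernam cipher applied to the message and key shown on the one-time-pad slide, a check that a ciphertext block rules out no plaintext, and what leaks when a key is reused. The second message is constructed for the illustration.

```python
# Added example, not from the lecture: one-time pad on the slide's bit strings.
from itertools import product

MESSAGE = "1000100011110101"   # from the slide
KEY = "0101110010100011"       # from the slide


def xor_bits(a: str, b: str) -> str:
    """Bitwise sum mod 2 of two equal-length bit strings."""
    if len(a) != len(b):
        raise ValueError("one-time-pad key must be as long as the message")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def candidate_plaintexts(cipher: str) -> set:
    """All plaintexts an eavesdropper cannot rule out for this ciphertext."""
    keys = ("".join(bits) for bits in product("01", repeat=len(cipher)))
    return {xor_bits(cipher, k) for k in keys}


def reuse_leak(m1: str, m2: str, key: str) -> str:
    """XOR of two ciphertexts made with the same key: the key cancels out."""
    return xor_bits(xor_bits(m1, key), xor_bits(m2, key))


if __name__ == "__main__":
    cipher = xor_bits(MESSAGE, KEY)
    print("cipher   :", cipher)
    print("decrypted:", xor_bits(cipher, KEY))
    # Perfect secrecy on a 4-bit block: every one of the 16 plaintexts fits.
    print("candidates for first 4 bits:", len(candidate_plaintexts(cipher[:4])))
    second = "0000111100001111"    # constructed second message
    print("c1 xor c2:", reuse_leak(MESSAGE, second, KEY))
    print("m1 xor m2:", xor_bits(MESSAGE, second))
```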
Remark: Random number generator
Applications: Cryptography, confidentiality, authentication, simulation of complex systems, lotteries and gambling, etc.
How to generate “randomness”?
• Software solutions → pseudo-random numbers
• Classical physics (e.g. flip a coin)
• Quantum physics (e.g. single photon emission)
http://www.idquantique.com/
Introductory article on idquantique.com → “white paper”
→ Create long random key to use as a one-time-pad
QKD – historical remarks
• Founding ideas of “quantum cryptography” first proposed in the 1970’s by S. Wiesner (not published until 1982!) – advanced by Bennett and Brassard
[Figure labels: S. Wiesner, C. H. Bennett, G. Brassard, A. Ekert; EPR pairs (entanglement)]
• Fundamental “negative” tenets of quantum mechanics (N. Gisin)
– You can’t make a quantum measurement without perturbing the system
– You can’t simultaneously measure conjugate variables (energy-time, position-momentum, circular-horizontal polarization) with arbitrary precision
– You cannot duplicate an unknown quantum state
• Fundamental “positive” tenets of quantum mechanics
– If you measure a quantum system, you change it…
– Information encoded on conjugate quantum variables is difficult to measure unless you know the basis in which it is encoded…
– Information encoded on quantum states is secure against copying…
For a detailed review see - N. Gisin et al., Rev. Mod. Phys. 74, 145 (2002)
Key arguments of QKD
• If Eve tries to eavesdrop a “quantum communication channel”, she has to perform some measurements on individual quanta (single photon pulses) to gain any information…
• But, quantum mechanics tells us: every measurement projects the quantum system into an eigenstate…
• Hence, Eve’s “reading” of the “quantum signal” reduces the correlation between Alice’s and Bob’s data…
• Alice and Bob can thus detect any undesired third party by comparing (on a public channel) part of their “quantum signal”…
The “quantum communication channel” is not used to transmit a message (information), only a “key” is transmitted (no information).
If it turns out that the key is corrupted, they simply disregard this key and no information is really lost.
If the key passes successfully the control test then Alice and Bob (or George and Tony) can use it safely.
“Stern-Gerlach” type experiment for photons
Reminder Stern-Gerlach experiment:
→ Magnet deflects particles with spin quantum number of ½
→ Depending on its spin, particle is deflected up or down
Analogue phenomenon for photons: polarisation
[Figure labels: vertically polarised photon, horizontally polarised photon]
Probability to detect either |↕⟩ or |↔⟩:
$P_v = |\langle \updownarrow | \Theta \rangle|^2 = \cos^2 \Theta$
$P_h = |\langle \leftrightarrow | \Theta \rangle|^2 = \sin^2 \Theta$
Quantum state:
Normalisation condition: $|\cos\theta|^2 + |\sin\theta|^2 = 1$
Quantum properties of light
Polarization is a quantum number for each photon
The state of polarisation determines the direction of oscillation of
macroscopic field
H-V basis: $|0\rangle$, $|1\rangle$
+45/-45 basis: $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$, $\frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$
State preparation and read-out
[Figure: Alice’s preparation (0°, 45°, −45°, 90°) and Bob’s measurement of the states 0, 1 and $\frac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)$; outcomes labelled CERTAIN or RANDOM!]
BB84 protocol for quantum key exchange
BB84 (Bennett + Brassard in 1984, first demonstrated in 1989
See also B92 protocol – C. H. Bennett, PRL 68, 3121 (1992))
– Polarization encoding system using 4 quantum states that are typically polarization states of single photons: $|H\rangle, |V\rangle$ and $|{+45}\rangle, |{-45}\rangle$
– The bases are “maximally conjugate” – any two states, one from each basis, have the same overlap:
$|\langle H|{+45}\rangle|^2 = |\langle V|{+45}\rangle|^2 = |\langle H|{-45}\rangle|^2 = |\langle V|{-45}\rangle|^2 = \frac{1}{2}$
– One attaches binary values to each quantum state within one basis:
$\{|H\rangle, |V\rangle\} \rightarrow \{0, 1\}$, $\{|{+45}\rangle, |{-45}\rangle\} \rightarrow \{0, 1\}$
BB84 coding
[Table residue: columns Alice’s bit (0, 1, 0, 1), Bob’s measurement basis (|V>, |H>, |+45>, |-45>) and Bob’s result (“or 50:50” in each row)]
Essential: use two sets of non-orthogonal states.
BB84 scheme in action
1) Alice sends individual, randomly chosen “spins” to Bob from the 4 basis states
0 0 0 1 1 0 0 1 0 1 0
2) Bob “measures” these spins in one of the two bases chosen at random
This produces the “raw key”
0 ? 0 1 1 0 ? 1 0 ? 0
Whenever Alice and Bob’s bases randomly coincide they obtain correlated results
BUT whenever they do not coincide the measurements are 50:50 (uncorrelated)
→ The “raw” key has a high (25%) probability that an error occurs
3) The “raw” key is then “sifted” by exchanging some classical information*
*Alice and Bob exchange just the choice of bases not the result
“Bit 2 was measured in [basis], bit 3 was ….” – “Not OK, OK…”
Discard bits where they used different bases
Sifted key: 0 0 1 1 0 1 0 0
completely random, determined by Alice and Bob’s random choices
Apparatus for quantum cryptography
Pockels cell: voltage controlled waveplate/polariser
→ Alice applies voltages to her Pockels cell and produces polarization rotations
- 0° = |↕⟩
- 90° = |↔⟩
- 45° = |↗⟩
- 135° = |↙⟩
→ Bob randomly applies voltages to his Pockels cell and switches between the H/V- and +45/-45-basis
First experimental demonstration
The first prototype implementation of quantum cryptography (IBM, 1989)
C. H. Bennett, Proceedings of IEEE International Conference on Computers, Systems and Signal processing (1984)
- Quantum Cryptography: Public key distribution and coin tossing -
Eve is on the line…
• Let us now consider the security of this “ideal” protocol
[Figure label: Beam-splitter]
Alice sends her qubit on a supposedly secure line…
Eve intercepts the photon and tries to gain information about it
She has a 50/50 chance of measuring in the wrong basis and, thus, resending in the wrong basis to Bob
Bob chose the “good basis” according to his conversation with Alice, nevertheless he got the wrong result?
→ There are some errors in the communication?
After revealing the bases, Alice and Bob also reveal some results and check the correlations.
By measuring the error, they can estimate the amount of information Eve received
Eve cannot make a copy of the original photon sent by Alice due to the NO-CLONING theorem of quantum mechanics – it is impossible to “clone” a quantum state
Imperfections and losses in the quantum channel, Alice’s single photon generator and Bob’s single photon detector also introduce errors – how to distinguish them from the action of Eve?
Intercept-resend attack
Alice sends her qubits on a quantum channel that has been “tapped”…
[Figure labels: Beam-splitter; “or”, 50:50]
Eve intercepts all photons from Alice (exactly as Bob does in the secure case)
She has a 50/50 chance of measuring in the correct basis → she then resends a photon to Bob in the “correct basis”
When she chooses the “wrong basis” she gains no information and resends in the wrong basis
On average HALF of the qubits intercepted by Eve are wrongly measured
Bob chose the “good basis” according to his conversation with Alice
EVE is lucky → Bob gets the “right result”
EVE chooses the wrong basis → Bob obtains the “wrong result”
Alice and Bob discover Eve’s intervention for 50% of all qubits sent between them since they get uncorrelated results
If Eve uses this “intercept-resend” strategy, she gets 50% information, while Alice and Bob have about a 25% error rate in their sifted key
Even if they eliminate the cases where they used incompatible bases there is still 25% error in the sifted key and they “detect” Eve’s attack
However, if Eve applies this strategy to only a fraction of the communication (say, 10%) then the error rate will be only ~2.5%, whilst Eve ends up with 5% of the qubits sent
How can Alice and Bob counter such attacks?
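Added example (not part of the lecture slides): a Monte Carlo model of the ideal BB84 exchange with sifting and an intercept-resend eavesdropper, reproducing the 25% / 50% and ~2.5% / 5% figures quoted above. It assumes perfect single-photon sources, a lossless channel and ideal detectors; the function names and the basis numbering are chosen for this illustration.

```python
# Added example, not from the lecture: ideal BB84 with intercept-resend.
# Bases are numbered 0 = H/V and 1 = +45/-45 (a labelling assumed here).
import random


def measure(bit, prep_basis, meas_basis, rng):
    """Ideal polarisation measurement: certain if bases match, else 50:50."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def bb84(n_photons, eve_fraction, seed=1):
    """Return (sifted length, error rate, fraction of sifted bits Eve knows)."""
    rng = random.Random(seed)
    sifted = errors = eve_known = 0
    for _ in range(n_photons):
        a_bit, a_basis = rng.randint(0, 1), rng.randint(0, 1)
        bit, basis = a_bit, a_basis              # photon state in flight
        eve_right_basis = False
        if rng.random() < eve_fraction:          # Eve taps this photon
            e_basis = rng.randint(0, 1)
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis                      # she resends in her own basis
            eve_right_basis = e_basis == a_basis
        b_basis = rng.randint(0, 1)
        b_bit = measure(bit, basis, b_basis, rng)
        if b_basis != a_basis:                   # sifting over the public channel
            continue
        sifted += 1
        errors += b_bit != a_bit
        eve_known += eve_right_basis
    return sifted, errors / sifted, eve_known / sifted


if __name__ == "__main__":
    for f in (0.0, 0.1, 1.0):
        n, qber, info = bb84(200_000, f)
        print(f"Eve taps {f:4.0%}: sifted={n}, error rate={qber:.3f}, Eve knows {info:.3f}")
```

The error rate measured on the disclosed test bits scales as one quarter of the tapped fraction, which is why a small residual error rate still bounds how much of the key an eavesdropper can hold.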
Potential error sources
→ Random error deletion:
• Absorption/scattering
• Inefficient light collection
• Limited detector QE
→ Not lowering security!
→ Birefringence:
• Medium in which the photons propagate from Alice to Bob changes the polarization
→ Bob obtains wrong result even if the basis was correct!
→ Alice and Bob exchange bits and perform error correction: Shannon’s noisy channel coding theorem
C. E. Shannon, Bell Syst. Tech. J. 27, 379 (1948)
[Plot: needed bits for error correction / number of bits versus error rate]
→ Detector dark counts:
• Random photons due to thermal noise
100 dark counts/s
→ Detector gating!
Error correction and privacy amplification
• Alice and Bob share a sifted key that contains errors which are caused by technical imperfections as well as by Eve’s intervention
– Realistic error rates in the sifted key using today’s technologies (SPS, Q-channels and SP-detectors) are typically a few percent
– How to distinguish between Eve and errors?
• Consequently the final steps in all QKD protocols are:
1. Error correction
2. Reduce Eve’s information on the final key used via “privacy amplification”
“SIMPLE” ERROR CORRECTION
Alice randomly chooses pairs of bits and announces publicly to Bob their XOR value (sum modulo 2)
If they get the same XOR value then Alice and Bob keep the first of the two bits and disregard the second
They continue to repeat this protocol until they have a shorter sifted key that now contains no errors…
Bit 1   Bit 2   XOR
0       0       0
0       1       1
1       0       1
1       1       0
Classical error correction in QKD
[Figure: bit strings 1001110111001101110010, 0010100101010101010001 and 0010110110010001010011; pairs are compared by XOR (e.g. 0⊕0=0) and marked “accept” or “reject”; REPEAT]
Alice and Bob end up with a shorter, but error free, key → 0 0 1 0 …
In reality XOR operations are performed on larger bit sets but principles are similar
Error correction and privacy amplification
“SIMPLE” PRIVACY AMPLIFICATION
Alice again randomly chooses pairs of bits and computes their XOR value
She does NOT announce the XOR value, but instead only the bits she chose (e.g. bits number 7 and 555)
Alice and Bob then replace the two bits by their XOR value and, thus, shorten their key whilst keeping it error free
BUT – Eve only has partial information on the two bits, her information on the XOR value is even less.
Example: If Eve knows the value of both bits chosen with 60% probability then the probability that she correctly guesses the XOR value is only $0.6^2 + 0.4^2 = 52\%$ → by repeating many times Eve’s information is continuously reduced
Privacy amplification?
[Figure labels: 1000110100101010010; REPEAT; “Error free” 10100101 (shown twice); 10 (shown twice)]
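Added example (not part of the lecture slides): the “simple” pair-parity error correction and XOR privacy amplification from the two preceding slides, run on a constructed sifted key with 5% errors. It assumes independent bit errors and that a pair whose XOR values disagree is dropped entirely (the “reject” branch of the figure); the error-rate check inside `demo` is a simulation-only view that the real parties do not have.

```python
# Added example, not from the lecture: pair-parity error correction and
# XOR privacy amplification on a constructed sifted key.
import random


def parity_round(alice, bob, rng):
    """One round: compare XOR of random pairs publicly, keep first bit on match."""
    idx = list(range(len(alice)))
    rng.shuffle(idx)                                # random pairing, known to both
    a_out, b_out = [], []
    for i, j in zip(idx[0::2], idx[1::2]):
        if alice[i] ^ alice[j] == bob[i] ^ bob[j]:  # announced XOR values agree
            a_out.append(alice[i])
            b_out.append(bob[i])
    return a_out, b_out                             # mismatching pairs are dropped


def error_rate(alice, bob):
    return sum(x != y for x, y in zip(alice, bob)) / max(len(alice), 1)


def amplify(key, pairing_seed):
    """Privacy amplification: replace publicly chosen pairs by their secret XOR."""
    idx = list(range(len(key)))
    random.Random(pairing_seed).shuffle(idx)        # which bits are paired is public
    return [key[i] ^ key[j] for i, j in zip(idx[0::2], idx[1::2])]


def eve_guess_prob(p, rounds=1):
    """Probability that Eve guesses a bit after `rounds` XOR steps, starting at p."""
    for _ in range(rounds):
        p = p * p + (1 - p) * (1 - p)
    return p


def demo(n=20_000, flip=0.05, seed=7):
    rng = random.Random(seed)
    alice = [rng.randint(0, 1) for _ in range(n)]       # constructed sifted key
    bob = [b ^ (rng.random() < flip) for b in alice]    # 5% errors on Bob's copy
    history = [error_rate(alice, bob)]
    while history[-1] > 0 and len(alice) > 1:           # simulation-only oracle
        alice, bob = parity_round(alice, bob, rng)
        history.append(error_rate(alice, bob))
    return history, amplify(alice, seed) == amplify(bob, seed), len(alice)
```

A matching XOR also occurs when both bits of a pair are wrong, so one round lowers the error rate from e to about e²/((1−e)² + e²) without removing it, which is why the slides say REPEAT.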
Summary of QKD
• Quantum cryptography is really a method to reliably send a quantum key that is subsequently used with the “one time pad” Vernam cipher
• Many “protocols” have been developed for QKD, each of which uses non-orthogonal basis sets
– E.g. BB84 which uses (H,V) and (+45,-45) polarization states of light
– “Send and measure” with some classical communication resources
– Final steps consist of a “classical” error correction and privacy amplification
• To detect the effects of Eve, Alice selects a random subset of the qubits to be announced as test bits. Alice and Bob compare these bits to learn the error rate.
• If the error rate is small enough, the test is “passed” and Alice announces the error correction information so Bob can correct his errors.
• Now, Alice and Bob have the same strings, but Eve may have some information. Alice announces privacy amplification information to reduce Eve’s information to zero.
Lecture 5
J. J. Finley
Fundamentals of photonic crystals