Chapter 2
Quantum Cryptography
Fundamentals
Electromagnetic waves such as light waves can exhibit the phenomenon of polarization,
in which the direction of the electric field vibrations is constant or varies in some
definite way.
2.1
Photon
According to quantum theory, light waves are propagated as discrete particles known
as photons. A photon is a massless particle, the quantum of the electromagnetic field,
carrying energy, momentum, and angular momentum. The polarization of the light
is carried by the direction of the angular momentum or spin of the photons[7]. A
photon either will or will not pass through a polarization filter, but if it emerges
it will be aligned with the filter regardless of its initial state; there are no partial
photons. Information about the photon's polarization can be determined by using a
photon detector to determine whether it passed through a filter.
2.2
Entanglement
Entangled pairs are pairs of photons generated by certain particle reactions[7]. Each
pair contains two photons of different but related polarization. Entanglement affects
the randomness of measurements. If we measure a beam of photons E1 with a polarization filter, one-half of the incident photons will pass the filter, regardless of its
orientation[5]. Whether a particular photon will pass the filter is random.
2.3
0 at q = 90 deg (i.e., the second filter is horizontal). When q = 45 deg, the chance of
the photon passing through the second filter is precisely 1/2. This is the same result
as a stream of randomly polarized photons impinging on the second filter, so the first
filter is said to randomize the measurements of the second.
The principle of photon polarization states that an eavesdropper
cannot copy unknown qubits, due to the no-cloning theorem.
2.4
Bits vs Qubits
A classical computer has a memory made up of bits, where each bit represents either a
one or a zero. A quantum computer maintains a sequence of qubits. A single qubit can
represent a one, a zero, or, crucially, any quantum superposition of these; moreover,
a pair of qubits can be in any quantum superposition of 4 states, and three qubits
in any superposition of 8. In general a quantum computer with n qubits can be in
an arbitrary superposition of up to $2^n$ different states simultaneously (this compares
to a normal computer that can only be in one of these $2^n$ states at any one time).
A quantum computer operates by manipulating those qubits with a fixed sequence
of quantum logic gates. The sequence of gates to be applied is called a quantum
algorithm.
Chapter 3
Quantum Key Exchange
Quantum communication involves encoding information in quantum states, or qubits,
as opposed to classical communication's use of bits. Usually, photons are used for
these quantum states. Quantum cryptography exploits certain properties of these
quantum states to ensure its security. There are several different approaches to quantum key distribution, but they can be divided into two main categories depending on
which property they exploit.
Prepare and measure protocols
In contrast to classical physics, the act of measurement is an integral
part of quantum mechanics. In general, measuring an unknown quantum state will
change that state in some way. This is known as quantum indeterminacy, and underlies
results such as the Heisenberg uncertainty principle, the information-disturbance theorem
and the no-cloning theorem. This can be exploited in order to detect any eavesdropping
on communication (which necessarily involves measurement) and, more importantly,
to calculate the amount of information that has been intercepted[4].
Entanglement based protocols
The quantum states of two (or more) separate objects can become
linked together in such a way that they must be described by a combined quantum
state, not as individual objects. This is known as entanglement and means that, for
example, performing a measurement on one object will affect the other. If an entangled pair of objects is shared between two parties, anyone intercepting either object
will alter the overall system, allowing the presence of the third party (and the amount
of information they have gained) to be determined.
These two approaches can each be further divided into three families
of protocols: discrete variable, continuous variable and distributed phase reference
Dept. of CSE, GEC, Thrissur
coding. Discrete variable protocols were the first to be invented, and they remain
the most widely implemented. The other two families are mainly concerned with
overcoming practical limitations of experiments. The two protocols described below
both use discrete variable coding.
3.1
The first published paper to describe a cryptographic protocol using these ideas to
solve the key distribution problem was written in 1984 by Charles Bennett and Gilles
Brassard. In it, Bennett and Brassard described an unconditionally secure quantum
key distribution system.
This protocol, known as BB84 after its inventors and year of publication, was originally described using photon polarization states to transmit the
information. However, any two pairs of conjugate states can be used for the protocol,
and many optical fibre based implementations described as BB84 use phase encoded
states[2,6]. The sender (traditionally referred to as Alice) and the receiver (Bob) are
connected by a quantum communication channel which allows quantum states to be
transmitted. In the case of photons this channel is generally either an optical fibre
or simply free space. In addition they communicate via a public classical channel, for
example using broadcast radio or the internet. Neither of these channels needs to be
secure; the protocol is designed with the assumption that an eavesdropper (referred
to as Eve) can interfere in any way with both.
The security of the protocol comes from encoding the information
in non-orthogonal states. Quantum indeterminacy means that these states cannot in
general be measured without disturbing the original state. BB84 uses two pairs of
states, with each pair conjugate to the other pair, and the two states within a pair
orthogonal to each other. Pairs of orthogonal states are referred to as a basis. The
usual polarization state pairs used are either the rectilinear basis of vertical (0°) and
horizontal (90°), the diagonal basis of 45° and 135° or the circular basis of left- and
right-handedness. Any two of these bases are conjugate to each other, and so any two
can be used in the protocol.
The first step in BB84 is quantum transmission. Alice creates a
random bit (0 or 1) and then randomly selects one of her two bases (rectilinear or
diagonal in this case) to transmit it in. She then prepares a photon polarization state
depending both on the bit value and basis, as shown in the table to the left. So for
example a 0 is encoded in the rectilinear basis (+) as a vertical polarization state,
and a 1 is encoded in the diagonal basis (x) as a 135° state. Alice then transmits a
single photon in the state specified to Bob, using the quantum channel. This process
is then repeated from the random bit stage, with Alice recording the state, basis and
time of each photon sent.
As Bob does not know the basis the photons were encoded in, all
he can do is select a basis at random to measure in, either rectilinear or diagonal.
He does this for each photon he receives, recording the time, measurement basis used
and measurement result. After Bob has measured all the photons, he communicates
with Alice over the public classical channel. Alice broadcasts the basis each photon
was sent in, and Bob the basis each was measured in. They both discard photon
measurements (bits) where Bob used a different basis, which will be half on average,
leaving half the bits as a shared key.
[Table: example BB84 exchange. Rows: Alice's random bit; Alice's random sending basis; photon polarization Alice sends; Bob's random measuring basis; photon polarization Bob measures; public discussion of basis; shared secret key.]
To check for the presence of eavesdropping Alice and Bob now compare a certain subset of their remaining bit strings. If a third party (usually referred
to as Eve, for eavesdropper) has gained any information about the photons' polarization, this will have introduced errors in Bob's measurements. If more than p bits
differ they abort the key and try again, possibly with a different quantum channel,
as the security of the key cannot be guaranteed. p is chosen so that if the number of
bits known to Eve is less than this, privacy amplification can be used to reduce Eve's
knowledge of the key to an arbitrarily small amount, by reducing the length of the
key.
3.2
The Ekert scheme uses entangled pairs of photons. These can be created by Alice,
by Bob, or by some source separate from both of them, including eavesdropper Eve.
The photons are distributed so that Alice and Bob each end up with one photon from
each pair.
The scheme relies on two properties of entanglement. First, the
entangled states are perfectly correlated in the sense that if Alice and Bob both
measure whether their particles have vertical or horizontal polarizations, they will
always get the same answer with 100 % probability. The same is true if they both
measure any other pair of complementary (orthogonal) polarizations. However, the
particular results are completely random; it is impossible for Alice to predict if she
(and thus Bob) will get vertical polarization or horizontal polarization.
Second, any attempt at eavesdropping by Eve will destroy these
correlations in a way that Alice and Bob can detect.
Chapter 4
Privacy Amplification and
Information Reconciliation
The quantum cryptography protocols described above will provide Alice and Bob with
nearly identical shared keys, and also with an estimate of the discrepancy between the
keys. These differences can be caused by eavesdropping, but will also be caused by
imperfections in the transmission line and detectors. As it is impossible to distinguish
between these two types of errors, it is assumed all errors are due to eavesdropping
in order to guarantee security. Provided the error rate between the keys is lower
than a certain threshold (20 % as of April 2007), two steps can be performed to first
remove the erroneous bits and then reduce Eve's knowledge of the key to an arbitrarily
small value. These two steps are known as information reconciliation and privacy
amplification respectively, and were first described in 1992.
Information reconciliation is a form of error correction carried out
between Alice's and Bob's keys, in order to ensure both keys are identical. It is conducted over the public channel and as such it is vital to minimize the information
sent about each key, as this can be read by Eve. A common protocol used for information reconciliation is the cascade protocol, proposed in 1994. This operates in
several rounds, with both keys divided into blocks in each round and the parity of
those blocks compared. If a difference in parity is found then a binary search is performed to find and correct the error. If an error is found in a block from a previous
round that had correct parity then another error must be contained in that block; this
error is found and corrected as before. This process is repeated recursively, which is
the source of the cascade name. After all blocks have been compared, Alice and Bob
both reorder their keys in the same random way, and a new round begins. At the
end of multiple rounds Alice and Bob will have identical keys with high probability;
however, Eve will have gained additional information about the key from the parity
information exchanged.
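The rounds described above can be followed in a small simulation. This is an added example, not code from the original report; the block sizes, the doubling schedule and the seeded shuffle standing in for the publicly agreed reordering are assumptions. It counts every parity bit Alice discloses, which is the information Eve gains.

```python
import random

def parity(bits, idxs):
    return sum(bits[i] for i in idxs) & 1

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def binary_search(a, b, idxs, leak):
    # idxs holds an odd number of errors; halve it until one position remains.
    while len(idxs) > 1:
        half = idxs[:len(idxs) // 2]
        leak[0] += 1                      # one more parity sent in the clear
        if parity(a, half) != parity(b, half):
            idxs = half
        else:
            idxs = idxs[len(idxs) // 2:]
    return idxs[0]

def cascade(alice, bob, block=8, rounds=4, seed=1):
    """Return (Bob's corrected key, number of parity bits disclosed)."""
    rng = random.Random(seed)             # stands in for the shared public reordering
    bob = list(bob)
    leak = [0]
    history = []                          # block layout of every round so far
    n = len(alice)
    for r in range(rounds):
        order = list(range(n))
        if r:                             # round 1 uses the natural order
            rng.shuffle(order)
        size = block * 2 ** r             # assumed schedule: block size doubles
        blocks = [order[i:i + size] for i in range(0, n, size)]
        history.append(blocks)
        leak[0] += len(blocks)            # one parity per block is compared
        todo = [blk for blk in blocks if parity(alice, blk) != parity(bob, blk)]
        while todo:
            blk = todo.pop()
            if parity(alice, blk) == parity(bob, blk):
                continue                  # already repaired by an earlier fix
            pos = binary_search(alice, bob, blk, leak)
            bob[pos] ^= 1
            # Cascade step: an earlier block containing pos had matching parity,
            # so it must hide another error; its parity is now known to differ.
            for prev in history:
                for pb in prev:
                    if pos in pb and parity(alice, pb) != parity(bob, pb):
                        todo.append(pb)
    return bob, leak[0]

if __name__ == "__main__":
    rng = random.Random(7)                # constructed sample keys
    alice = [rng.randrange(2) for _ in range(256)]
    bob = [bit ^ (rng.random() < 0.05) for bit in alice]
    fixed, leaked = cascade(alice, bob)
    print(hamming(alice, bob), "errors before,", hamming(alice, fixed), "after,",
          leaked, "parity bits disclosed")
```

Two errors in the same first-round block leave its parity unchanged, which is why a single round is not enough and the keys are reordered between rounds.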
Privacy Amplification is a method for reducing (and effectively eliminating) Eve's partial information about Alice's and Bob's key. This partial information
could have been gained both by eavesdropping on the quantum channel during key
transmission (thus introducing detectable errors), and on the public channel during
information reconciliation (where it is assumed Eve gains all possible parity information). Privacy amplification uses Alice's and Bob's key to produce a new, shorter key,
in such a way that Eve has only negligible information about the new key. This can
be done using a universal hash function, chosen at random from a publicly known set
of such functions, which takes as its input a binary string of length equal to the key
and outputs a binary string of a chosen shorter length. The amount by which this
new key is shortened is calculated, based on how much information Eve could have
gained about the old key (which is known due to the errors this would introduce), in
order to reduce the probability of Eve having any knowledge of the new key to a very
low value.
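One way to realize this step is sketched below as an added example, not code from the original report. The Toeplitz matrix family is an assumption (the text only requires a universal hash family), and the sizing rule in `final_key_length`, which subtracts a binary-entropy estimate of Eve's quantum-channel information, the disclosed parity bits and a fixed security margin, is likewise illustrative.

```python
import math
import secrets

def h2(p):
    """Binary entropy in bits, used here as the estimate of Eve's information per bit."""
    if p <= 0 or p >= 1:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def final_key_length(n, error_rate, leaked_parities, security_bits=64):
    # Shorten by: estimated eavesdropping on the quantum channel, every parity
    # bit disclosed during reconciliation, and a safety margin (assumed value).
    eve_bits = math.ceil(n * h2(error_rate))
    return max(0, n - eve_bits - leaked_parities - security_bits)

def toeplitz_hash(key_bits, out_len, seed_bits):
    """Multiply the key by an out_len x n Toeplitz matrix over GF(2).

    Entry (i, j) is seed_bits[i - j + n - 1], so the matrix is constant along
    each diagonal and is fully described by n + out_len - 1 public seed bits.
    """
    n = len(key_bits)
    if len(seed_bits) != n + out_len - 1:
        raise ValueError("seed must hold n + out_len - 1 bits")
    out = []
    for i in range(out_len):
        acc = 0
        for j, k in enumerate(key_bits):
            acc ^= k & seed_bits[i - j + n - 1]
        out.append(acc)
    return out

def amplify(key_bits, error_rate, leaked_parities):
    """Pick a random member of the family and return (seed, shortened key)."""
    out_len = final_key_length(len(key_bits), error_rate, leaked_parities)
    if out_len == 0:
        return [], []                     # too much exposure: abort, no key
    # The seed is announced on the public channel; only the key stays secret.
    seed = [secrets.randbits(1) for _ in range(len(key_bits) + out_len - 1)]
    return seed, toeplitz_hash(key_bits, out_len, seed)

if __name__ == "__main__":
    key = [secrets.randbits(1) for _ in range(1024)]   # constructed reconciled key
    seed, short = amplify(key, error_rate=0.03, leaked_parities=250)
    print(len(key), "->", len(short), "bits")
```

Alice and Bob apply the same seed to their identical reconciled keys, so both obtain the same shortened key.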
Chapter 5
Implementations
The highest bit rate system currently demonstrated exchanges secure keys at 1 Mbit/s
(over 20 km of optical fibre) and 10 kbit/s (over 100 km of fibre), achieved by a collaboration between the University of Cambridge and Toshiba using the BB84 protocol
with decoy pulses.
As of March 2007 the longest distance over which quantum key
distribution has been demonstrated using optic fibre is 148.7 km, achieved by Los
Alamos/NIST using the BB84 protocol. Significantly, this distance is long enough for
almost all the spans found in today's fibre networks. The distance record for free space
QKD is 144 km between two of the Canary Islands, achieved by a European collaboration using entangled photons (the Ekert scheme) in 2006, and using BB84 enhanced
with decoy states in 2007[3]. The experiments suggest transmission to satellites is possible, due to the lower atmospheric density at higher altitudes. For example, although
the minimum distance from the International Space Station to the ESA Space Debris
Telescope is about 400 km, the atmospheric thickness is about an order of magnitude
less than in the European experiment, thus yielding less attenuation compared to this
experiment[6].
The DARPA Quantum Network, a 10-node quantum cryptography
network, has been running since 2004 in Massachusetts, USA. It is being developed
by BBN Technologies, Harvard University, Boston University and QinetiQ[2].
There are currently four companies offering commercial quantum
cryptography systems: id Quantique (Geneva), MagiQ Technologies (New York), Smart
Quantum (France) and Quintessence Labs (Australia). Several other companies also
have active research programmes, including Toshiba, HP, IBM, Mitsubishi, NEC and
NTT.
Quantum encryption technology provided by the Swiss company Id
Quantique was used in the Swiss canton (state) of Geneva to transmit ballot results
to the capital in the national election occurring on Oct. 21, 2007.
Chapter 6
Attacks
6.1
The simplest type of possible attack is the intercept-resend attack, where Eve measures
the quantum states (photons) sent by Alice and then sends replacement states to Bob,
prepared in the state she measures.
incorrectly then the state she measures will be random, and the state sent to Bob will
not be the same as the state sent by Alice. If Bob then measures this state in the
same basis Alice sent he will get a random result, as Eve has sent him a state in the
opposite basis, instead of the correct result he would get without the presence of Eve.
[Table: example intercept-resend exchange. Rows include: Alice's random bit; Alice's random sending basis; photon polarization Alice sends; error in key.]
The probability Eve chooses the incorrect basis is 50 percent (assuming Alice chooses her basis randomly), and if Bob measures this intercepted photon
in the basis Alice sent he will get a random result, i.e. an incorrect result with
probability of 50 percent. The probability an intercepted photon generates an error
in the key string is then 50 % × 50 % = 25 %. If Alice and Bob publicly compare n
of their key bits (thus discarding them as key bits, as they are no longer secret) the
probability they find disagreement and identify the presence of Eve is:
$$P_d = 1 - \left(\frac{3}{4}\right)^n \qquad (6.1)$$
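The BB84 exchange from section 3.1 and the intercept-resend attack above can be checked with a short simulation. This is an added example, not code from the original report; the function names and the idealized channel (no loss, no detector noise) are assumptions. It shows sifting keeping about half the photons, a 25 % error rate once Eve is on the line, and equation (6.1).

```python
import random

BASES = "+x"  # '+' rectilinear, 'x' diagonal

def measure(bit, prepared_basis, measuring_basis, rng):
    # Same basis: the encoded bit is read back exactly.
    # Conjugate basis: the outcome is uniformly random.
    return bit if prepared_basis == measuring_basis else rng.randrange(2)

def bb84(n_photons, eve=False, seed=0):
    """Return (alice_sifted, bob_sifted) after the public basis discussion."""
    rng = random.Random(seed)  # simulation only; real systems need a true RNG
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        bit, a_basis = rng.randrange(2), rng.choice(BASES)
        flight_bit, flight_basis = bit, a_basis
        if eve:
            # Intercept-resend: Eve measures in a random basis and sends Bob
            # a replacement photon prepared in the state she measured.
            e_basis = rng.choice(BASES)
            flight_bit = measure(flight_bit, flight_basis, e_basis, rng)
            flight_basis = e_basis
        b_basis = rng.choice(BASES)
        result = measure(flight_bit, flight_basis, b_basis, rng)
        if b_basis == a_basis:  # sifting: discard mismatched-basis photons
            alice_key.append(bit)
            bob_key.append(result)
    return alice_key, bob_key

def error_rate(alice_key, bob_key):
    return sum(a != b for a, b in zip(alice_key, bob_key)) / len(alice_key)

def detection_probability(n):
    # Equation (6.1): each compared bit still agrees with probability 3/4.
    return 1 - 0.75 ** n

if __name__ == "__main__":
    n = 20000
    quiet = bb84(n)
    tapped = bb84(n, eve=True)
    print("sifted fraction:", len(quiet[0]) / n)
    print("error rate without Eve:", error_rate(*quiet))
    print("error rate with Eve:", round(error_rate(*tapped), 3))
    for bits in (10, 20, 72):
        print(bits, "compared bits ->", detection_probability(bits))
```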
2. The random number generators used by Alice and Bob must be trusted and
truly random (for example a Quantum random number generator).
3. The classical communication channel must be authenticated using an unconditionally secure authentication scheme.
6.2
Quantum cryptography is vulnerable to a man-in-the-middle attack when used without authentication to distinguish friend from foe. As in the classical case, Alice and
Bob cannot authenticate each other and establish a secure connection without some
means of verifying each other's identities (such as an initial shared secret). If Alice
and Bob have an initial shared secret then they can use an unconditionally secure authentication scheme (such as Carter-Wegman) along with quantum key distribution
to exponentially expand this key, using a small amount of the new key to authenticate the next session. Several methods to create this initial shared secret have been
proposed, for example using a third party or chaos theory.
6.3
In the BB84 protocol Alice sends quantum states to Bob using single photons. In
practice many implementations use laser pulses attenuated to a very low level to send
the quantum states. These laser pulses contain a very small number of photons,
for example 0.2 photons per pulse, which are distributed according to a Poissonian
distribution. This means most pulses actually contain no photons (no pulse is sent),
some pulses contain one photon (which is desired) and a few pulses contain two or
more photons. If the pulse contains more than one photon, then Eve can split off the
extra photons and transmit the remaining single photon to Bob. This is the basis
of the photon number splitting attack, where Eve stores these extra photons in a
quantum memory until Bob detects the remaining single photon and Alice reveals the
encoding basis. Eve can then measure her photons in the correct basis and obtain
information on the key without introducing detectable errors.
Even with the possibility of a PNS attack a secure key can still be
generated, as shown in the GLLP security proof; however, a much higher amount of
privacy amplification is needed, reducing the secure key rate significantly (with PNS
the rate scales as $t^2$ as compared to $t$ for a single photon source, where $t$ is the
transmittance of the quantum channel).
There are several solutions to this problem. The most obvious is to
use a true single photon source instead of an attenuated laser. While such sources
are still at a developmental stage, QKD has been carried out successfully with them.
However, as current sources operate at a low efficiency and frequency, key rates and
transmission distances are limited. Another solution is to modify the BB84 protocol,
as is done for example in the SARG04 protocol, in which the secure key rate scales
as $t^{3/2}$. The most promising solution is the decoy state idea, in which Alice randomly
sends some of her laser pulses with a lower average photon number. These decoy
states can be used to detect a PNS attack, as Eve has no way to tell which pulses
are signal and which decoy. Using this idea the secure key rate scales as t, the same
as for a single photon source. This idea has been implemented successfully in several
QKD experiments, allowing for high key rates secure against all known attacks.
6.4
Hacking attacks
6.5
Denial of service
Because currently a dedicated fibre optic line (or line of sight in free space) is required
between the two points linked by quantum cryptography, a denial of service attack can
be mounted by simply cutting or blocking the line or, perhaps more surreptitiously,
by attempting to tap it.
Chapter 7
Prospects
The current commercial systems are aimed mainly at governments and corporations
with high security requirements. Quantum cryptography has the ability to detect any
interception of the key, whereas with courier the key security cannot be proven or
tested. Advances in processing power are also a relevant feature. Hence, the technology
has the potential to make a valuable contribution to network security among
government, business, and academic environments.
QKD (Quantum Key Distribution) systems also have the advantage
of being automatic, with greater reliability and lower operating costs than a secure
human courier network. In a few years, the technology might help to protect the security
of satellite television broadcasts.
Factors preventing wide adoption of quantum cryptography outside
high security areas include the cost of equipment, the lack of a demonstrated threat
to existing key exchange protocols and the lack of a security certification process or
standard for the equipment. However, with optic fibre networks already present in
many countries the infrastructure is in place for a more widespread use.
Quantum cryptography promises to revolutionize secure communication by providing security based on the fundamental laws of physics, instead of the
current state of mathematical algorithms or computing technology. The devices for
implementing such methods exist and the performance of demonstration systems is
being continuously improved. Within the next few years, if not months, such systems
could start encrypting some of the most valuable secrets of government and industry.
References
[1] Mehrdad S. Sharbaf, Quantum Cryptography: A New Generation of Information Technology Security System, 2009
http://ieeexplore.ieee.org/xpl/freeabs all?arnumber=5070885
[5] Kurochkin V. L., Neizvestny I. G., Quantum Cryptography, July 2009
http://ieeexplore.ieee.org/xpl/freeabs all?arnumber=5173960