Andreas Poppe AIT - Austrian Institute of...
Quantum cryptography cracked?
Faculty of Physics
Quantum Optics
Andreas Poppe
Prof. Anton Zeilinger
AIT - Austrian Institute of Technology
Department Safety & Security
Quantum Technologies
Donau-City Strasse 1
1220 Vienna
Austria / Europe
[email protected]@ait.ac.at
Quantum Key Distribution
Outlook:
1. Introduction + Motivation
2. “Quantum Information” and single photons
3. Quantum systems for QKD
4. Entanglement: concept, generation + QKD
5. Experiments via fibers and over free-space & space
6. Permanent QKD-link test-pad in Vienna
7. Quantum Hacking
8. Summary
Cryptographic Primitives
are low level building blocks for implementing cryptographic systems
• encryption (confidentiality)
• authentication (integrity, proof of origin)
• key distribution
• digital signature scheme (proof of origin, integrity, non repudiation)
• + other primitives for commitment schemes, oblivious transfer...
For each primitive exist different “flavours” with different security levels
Introduction
Security Levels of Cryptographic Primitives
(using the example of an encryption primitive...)
Computational security: there is a lower bound on the number of operations necessary to break a cipher. Achieving the lower bound is beyond current technology
Information theoretical security (ITS): the amount of information in the ciphertext is (without having the key) upper bounded by a constant ε > 0 during encryption. ε can be made arbitrarily small (ε possibly 2^-100)
Perfect security: probability to get ciphertext C is exactly the same for all possible plaintext messages M_i, that is C gives exactly zero information about the plaintext (even with unlimited computing power)
[Diagram: plaintext, encrypt with cipher and key, ciphertext or cryptogram, decrypt with cipher and key, plaintext]
Some “facts” on ITS
• Not only gradually “higher” security - fundamentally different kind of security
• No speedup in computer technology (quantum computer) will put ITS out of business
• Yes, implementations of ITS schemes have side channels (like any other security ICT system implementation)
• QKD even has additional side channels related to its optical subsystem
• Side channels can be controlled.
• It may occur that QKD systems (specific implementations) are compromised. But QKD by itself, as a method, will not be compromised
Motivations for using ITS primitives
They are definitely not replacements for computationally secure primitives
Requirement of long term confidentiality (forward security)
• Government, defense
• Medical data, health data, genetic codes
• Personal data (private data)
Highest security requirements
• Critical information - when a break leads to unrecoverable disaster
Additional Motivations
• Efficient solution for highest security standards
• Competitive and reputation advantage (confidence)
• Alternative solution for demanding users
• Being in regulatory conformity
Collection of ITS Primitives
“Toolkit” for building highly secure applications
• Encryption: One Time Pad (is in fact perfectly secure)
• Authentication: Wegman Carter
• Key distribution: QKD
Quantum random number generator
One Time Pad - Vernam
Unconditional security:
• true random key
• same length as message
• used only once “One time pad”
G. Vernam, J. Am. Institute of Electrical Engineering Vol XLV, 109 (1926)
C.E. Shannon, Bell Systems Technical Journal 28, 656 (1949)
T. Jennewein, C. Simon, G. Weihs, H. Weinfurter, and A. Zeilinger, “Quantum Cryptography with Entangled Photons,” Phys. Rev. Lett. 84, 4730 (2000).
But:
• Key distribution
• Random
That calls for quantum cryptography!
Classical Cryptography
Symmetric Ciphers:
• One time pad
• AES
• DES
Public Key Cryptosystems:
• RSA
rely on one-way-functions,
a) easy to calculate
b) impossible (i.e. „hard“) to solve.
(e.g. factorization into prime numbers, logarithmic curves)
Largest number, year 2007, to be factorized*: 2^1039 − 1
> 1024 bit (typical RSA modulus)
RSA still secure because of special number
But previous record from 2006 was 913 bits
*K. Aoki et al. http://eprint.iacr.org/2007/205
Why will QKD be needed?
1. Classical algorithms get better while computational power increases
2. Quantum computer may be realized (when?) → Algorithm by Shor
Presented at QuantumComm 2009, Sorrento
3. New (optical) algorithms possible
Alice and Bob want to share a key
Classical Channel
• Eve can easily buy \ steal \ copy classical data without being detected
Quantum Channel
• Use of quantum channel
Secure Communication
0110101001010?
Cloning Attack: Eve tries to „amplify“ single qubit
Intercept – Resend attack
Alice shares qubits with Bob
Whatever Eve does: Laws of physics prevent her from extracting information without disturbing the qubits!
Quantum world:
No-Cloning Theorem !!!!
Attacks from Eve
Alice and Bob must evaluate the errors on the quantum line
Solution for key distribution
[Diagram: Sender (Alice) and Receiver (Bob) each have a QKD device, linked by a quantum channel and a public channel. On each side the secret key passes through key expansion into the encryption algorithm (Alice) or decryption algorithm (Bob); plaintext is encrypted, sent over the public data channel (email, ftp, ...) and decrypted to plaintext.]
Quantum Key Distribution
Use correlations from entanglement
Information is stored as a:
Bit: „0“ or „1“
Qubit: „0“ and „1“
Schrödinger's Cat
Quantum Information
Separation between |H> and |V>:
|H⟩, |V⟩: The electric field vector is perpendicular or parallel to, i.e., the optical table.
[Figure: polarizing beamsplitter (PBS) with outputs |V⟩ and |H⟩]
+) handling of photons easy -) storage of photons difficult
BIT: Information Encoded in the Polarization of Light
[Figure: Laser and Modulator emitting |V⟩ or |H⟩, labelled “1” or “0”]
Superposition of Qubits
Information stored on individual quantum systems = QUBITS
e.g. polarized single photons:
=
=
Superposition of qubits:
Detector
Single PhotonSource
0 1
Bennett and Brassard, Proc. of Int. Conf. Computers, Systems & Signal Processing, Bangalore, India, 175 (1984)
The BB84 Protocol
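[Figure: Alice prepares an H photon with a single photon source (SPS); Bob measures with a PBS at 0° (outputs H, V)]
Eavesdropping
Case 1: Eve guesses the measurement basis
[Figure: Alice prepares H; Eve measures with a PBS at 0° (outputs H, V) and resends H from her own SPS; Bob measures with a PBS at 0° (outputs H, V)]
Case 2: Wrong guess
[Figure: Alice prepares H; Eve measures with a PBS at 45° (outputs P, M) and resends P from her own SPS; Bob measures with a PBS at 0° (outputs H, V)]
Error!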
Basic BB84-QKD schemes
Poissonian Statistics:
$P(n, \mu) = \frac{\mu^{n}}{n!} e^{-\mu}$
[Plot: P(n) versus n for <n>=0.1 and <n>=1]
• Decreased pulse energy to single photon level
• :-) easy, cheap, reliable
• :-( not a real single photon source
Weak Coherent Pulses (WCP)
Solomon, Pelton, Yamamoto, PRL 86 (2001) 3903
Visser, Allaart, Lenstra, quant-ph/0210170
Quantum Dots (“artificial Atoms”)
True Single Photon Sources
Basic QKD schemes
Erwin Schrödinger
• The individual event has no cause
• Information is carried by correlations
• violates local realism (Bell-Inequality)
Entanglement
[Figure: UV-pump into a BBO crystal, emitting signal (vertical) and idler (horizontal) photons]
Kwiat et al, PRL 75, 4337 (1995)
Spontaneous Parametric Downconversion - SPDC
Type II
$\omega_{pump} = \omega_{signal} + \omega_{idler}$
$\vec{k}_{pump} \approx \vec{k}_{signal} + \vec{k}_{idler}$
SPDC at the breadboard level
[Figure: Laser, BBO, Alice, Bob]
BBM92 (Bennett, Brassard and Mermin, PRL 68, 557 (1992))
EPR-QKD protocols are equivalent to BB84
QKD Protocol BBM92
Polarization-Entangled Photons are created, coupled into optical fibers and sent to Alice and Bob
Alice and Bob measure the polarization of the photons randomly in one of two bases (H/V, +/-) -> Raw Key
Alice and Bob announce their measurement bases. Events measured in different bases are discarded -> Sifted Key.
Sifted Key: 010111…
Entanglement based QKD
Cloning Attack: Eve tries to „amplify“ single qubit
Intercept – Resend attack
Alice shares qubits with Bob
Whatever Eve does: Laws of physics prevent her from extracting information without disturbing the qubits!
Quantum world:
No-Cloning Theorem !!!!
Attacks from Eve
Alice and Bob must evaluate the errors on the quantum line
$R_{net} = R_{sifted} \, \bigl( I(a,b) - I(a,e) \bigr)$
$I(a,b)$: Bob’s Information (mutual information between Alice and Bob)
$I(a,e)$: Eve’s Information
$QBER = \frac{\text{false counts}}{\text{all counts}}$
What about errors?
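The intercept-resend cases and the error evaluation above, as an added simulation (not from the original slides): Eve measures and resends a chosen fraction of the photons, and Alice and Bob compute the QBER on the sifted key. The function names are illustrative, and net_fraction assumes I(a,b) = 1 - h(QBER) and I(a,e) <= h(QBER), a bound for BB84 with one-way post-processing that the slides do not state.

```python
import math
import random

def bb84_qber(n_photons, eve_fraction, seed=1):
    """Return (sifted_length, QBER) when Eve intercepts and resends a
    fraction of the photons. Bases: 0 = H/V, 1 = +/-. Channel is noiseless."""
    rng = random.Random(seed)          # seeded so the constructed run is repeatable
    sifted = errors = 0
    for _ in range(n_photons):
        alice_bit, alice_basis = rng.getrandbits(1), rng.getrandbits(1)
        bit, basis = alice_bit, alice_basis        # state travelling on the line
        if rng.random() < eve_fraction:
            eve_basis = rng.getrandbits(1)
            if eve_basis != basis:                 # Case 2: wrong guess,
                bit = rng.getrandbits(1)           # her outcome is random
            basis = eve_basis                      # she resends in her own basis
        bob_basis = rng.getrandbits(1)
        bob_bit = bit if bob_basis == basis else rng.getrandbits(1)
        if bob_basis == alice_basis:               # sifting: equal bases only
            sifted += 1
            errors += bob_bit != alice_bit
    return sifted, (errors / sifted if sifted else 0.0)

def h2(p):
    """Binary entropy in bits."""
    if p in (0.0, 1.0):
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def net_fraction(qber):
    """R_net / R_sifted = I(a,b) - I(a,e) under the assumptions
    I(a,b) = 1 - h2(QBER) and I(a,e) <= h2(QBER) (not given on the slides)."""
    return max(0.0, 1.0 - 2.0 * h2(qber))

if __name__ == "__main__":
    for f in (0.0, 0.2, 1.0):
        n, q = bb84_qber(40000, f)
        print(f"Eve on {f:4.0%} of photons: sifted={n} QBER={q:.3f} "
              f"net fraction={net_fraction(q):.3f}")
```

With Eve on every photon the QBER settles near 25% and the net fraction drops to zero; under the stated assumption the net rate vanishes at a QBER of about 11%.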
Bank-Experiment
A. Poppe, et. al., "Practical quantum key distribution with polarization entangled photons," Opt. Express 12, 3865-3871 (2004) http://www.opticsinfobase.org/abstract.cfm?URI=oe-12-16-3865
Quantum Channel
1.45 km 810 nm Optical SM-Fiber, Overall attenuation 6 dB
Classical Channels
Synchronization: 1.45km 1550 nm SMF
TCP/IP: 2 x 1550nm SMF
A Real-World Scenario
First QKD secured bank wire transfer.
M. Aspelmeyer, H.R. Böhm, T. Gyatso, T. Jennewein, R. Kaltenbaek, M. Lindenthal, G. Molina-Tereza, A. Poppe, K. Resch, M. Taraba, R. Ursin, P. Walther, A. Zeilinger Science 301 (2003) p621
Outdoor Experiment
[Map: Kufner-Sternwarte, Twintowers, Millenniumstower; marked distances 8 km, 7,2 km, 8 km]
~5 km corresponds to a satellite link
K. Resch et. al., "Distributing entanglement and single photons through an intra-city, free-space quantum channel," Opt. Express 13, 202-209 (2005)
144 km
La Palma and Tenerife
International Space Station (ISS)
Columbus laboratory (ESA)
Aspelmeyer et al., quant-ph/0305105
Kaltenbaek et al., quant-ph/0308174
Pfennigbauer et al., JON 4, 549-560 (2005)
Entangled photon source
Electronics
Two downlink telescopes
Space-QUEST
QBB - Physical Nodes
Results
[Diagram: ALICE (embedded system, Power-PC) with the source of entangled photon pairs, a BB84 module and an 810 nm detector; BOB (embedded system, Power-PC) with a BB84 module and a 1550 nm detector; the 1550 nm photons and the trigger pulses for Bob’s detector travel over optical fiber; a public channel connects Alice and Bob]
Long-time test in a deployed fiber of the QKD-network
H. Hübel et al., Opt. Expr. 15, 7853-7862 (2007)
Periodically poled crystals
20000 polarisation-entangled pairs measured at 810/1550 nm
Visibilities: >95%
Permanent QKD link
Under construction: a permanent quantum cryptography link between AIT and University of Vienna
Permanent QKD-link
Side Channel Attacks
QKD allows attacks on the single photon to be detected
→ attack other parts of the system, the implementation
Every system leak can be used to gain information!
Historic example:
First realisation of BB84 protocol (1989)
C. Bennett et al., “Experimental Quantum Cryptography”, Journal of Cryptology, 5, 3-28 (1992)
Power supply for Pockels-cell makes voltage-dependent noise
→ noise reveals polarisation
“Thus, our prototype was unconditionally secure against any eavesdropper who happened to be deaf!” Charles Bennett
1. Detector efficiency mismatch
Practical QKD setup: quantum efficiencies of the detectors are not perfectly matched
→ leads to asymmetrical statistics in the raw-key
[Figure: histograms of raw-key bit values 0 and 1 against the 50% level, ideal case and practical case]
Solutions:
Additional privacy amplification
- Simple (just another component in the PA-function)
- Reduces size of secure key
Adjust bias-voltage of detectors to level count rates
- detectors need interface (RS232, Ethernet … ) to access bias-voltage
- for our system: in work
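A monitoring check for the asymmetry described above, as an added example (not from the original slides): it tests the raw key against a fair coin and estimates how many bits additional privacy amplification would give up. The function names, the alarm threshold of 4 standard errors and the use of min-entropy to size the compression are assumptions of this example; the simulated key is constructed data.

```python
import math
import random

def simulate_raw_key(n_photons, eta0, eta1, seed=7):
    """Constructed data: each photon heads for detector 0 or 1 with equal
    probability and is registered with that detector's efficiency."""
    rng = random.Random(seed)
    key = []
    for _ in range(n_photons):
        bit = rng.getrandbits(1)
        if rng.random() < (eta0 if bit == 0 else eta1):
            key.append(bit)
    return key

def bias_report(key, z_alarm=4.0):
    """Test the raw key against a fair coin and size the extra compression."""
    n = len(key)
    p0 = key.count(0) / n
    z = (p0 - 0.5) / math.sqrt(0.25 / n)        # deviation in standard errors
    h_min = -math.log2(max(p0, 1.0 - p0))       # min-entropy per key bit
    return {
        "p0": p0,
        "z": z,
        "biased": abs(z) > z_alarm,
        "min_entropy_per_bit": h_min,
        "extra_pa_bits": math.ceil(n * (1.0 - h_min)),  # key bits given up
    }

if __name__ == "__main__":
    # Matched detectors, then a mismatch of 0.50 versus 0.40 (assumed values).
    for eta0, eta1 in ((0.50, 0.50), (0.50, 0.40)):
        report = bias_report(simulate_raw_key(50000, eta0, eta1))
        print(eta0, eta1, report)
```

For efficiencies eta0 and eta1 the expected share of zeros is eta0 / (eta0 + eta1), so the same report can be used to track how well a bias-voltage adjustment has levelled the count rates.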
2. Detector Timing Mismatch
Trigger circuit: detection event creates sync-pulse
Problem: practical detectors have different response times
Eve can obtain the bit-value by measuring the time-difference
See also A. Lamas-Linares and C. Kurtsiefer, Opt. Expr. 15, 2007
3. Time Shift Attack
B. Qi, et al., Quant. Info. Compu. 7, 73 (2007)
Eve actively introduces delay tD between gate and photon
Perfectly synchronised detectors: reduced count rates on both detectors
Not perfectly synchronised: different count rates
asymmetric statistic in the raw-key
Quick variation of two delays +tD and –tD
same average rates for both detectors
4. Detector blinding
Vadim Makarov, New J. Phys. 11, 2009
Error in the circuit of Perkin Elmer Si-APDs
Strong laser pulse brings detector from Geiger to linear mode
Eve can control Bob: Eve can decide which detector will fire
SPCM-AQ4C
Applicable to our system? No!
- a SPCM-AQ4C module is used for Alice
- Not connected to quantum channel
Eve cannot apply the attack
Is attack applicable to gated InGaAs detectors like id201 ???
Attack is easily detectable
Detector blinding
Hacking Perkin-Elmer APDs
Short, strong pulse: detector switches to linear mode
Detector stays in linear mode!
Further pulse: detector never clicks or always clicks (depending on power!)
Fake-State-Attack (modified intercept & resend)
Eve:
1. Measure state of Alice’s photon (=fake Bob)
2. Blind Bob’s detectors (e.g. right-circular bright pulse, some mW)
3. Send fake state (~2*threshold-power)
4. Bob’s measurement outcome is always the same as Eve’s (no 25% error!)
Hacking detectors
Summary
[Figure: summary panels: QKD; Quantum Systems for QKD; Downconversion; Experiments; Space]
Permanent QKD link
Under construction: a permanent quantum cryptography link between AIT and University of Vienna
Permanent QKD-link