Quantum Cryptography - Department of Computer Science ... · Quantum Cryptography Bennett and...

1 of 32R. Banach, Computer Science, University of Manchester: Quantum Cryptography

Quantum Cryptography

Bennett and Brassard’s QKD apparatus


Contents:

1. Fake Quantum Theory.

2. Simple Quantum Protocols.

3. More Fake Quantum Theory: Fake Tensor Products, Entanglement.

4. A Glance at Genuine Quantum Theory.

5. Quantum Computing, Shor’s Algorithm and the Threat to RSA.


1. Fake Quantum Theory.

Normal (classical) physical systems are described using the usual kind of appliedmathematics — the descriptions are expressed using variables which take valuesin the real (or maybe complex) numbers, and these variables are constrained byalgebraic or differential equations of a normal kind.

The quantum world is very different.

Developing the full machinery would take time and effort. We can get away with amuch simpler ‘fake’ version of quantum theory that is enough to get the main pointsacross. We will have a quick look at the ‘real’ version of quantum theory at the end,just to show how the fake elements correspond to the more honest picture.

The price to pay for fakery is that we will be restricted to only saying the simplestthings about the simplest kinds of quantum system. Still, it will be enough.

We are restricted to (so called) two state quantum systems (TSS).


Two State System (TSS) Basics

There are two bases, called R and D .

Each basis consists of two states: R consists of |0R⟩ and |1R⟩D consists of |0D⟩ and |1D⟩

The R and D bases give different and incompatible views of the same system.

Thus, a TSS can be in EITHER the |0R⟩ or the |1R⟩ state in the R basis

OR the |0D⟩ or the |1D⟩ state in the D basis

When the TSS is in one or other state of the R basis,then NOTHING CAN BE SAID ABOUT ITS STATE IN THE D BASIS.

When the TSS is in one or other state of the D basis,then NOTHING CAN BE SAID ABOUT ITS STATE IN THE R BASIS.

Quantum physics provides PERFECT CONCEALMENT.

The above facts express the relationship between classical information (i.e. everyday0’s and 1’s) and the quantum world.

王博文�

量子密码学�

王博文�

1.假量子理论。2.简单的量子协议。3.更多假量子理论：假张量积，纠缠。 4.真正的量子理论一瞥。5.量子计算，Shor算法和对RSA的威胁。�


Two State System (TSS) Measurement

The way of getting classical information out of a quantum TSS is measurement.

• You can measure in either the R or the D basis.

• If the TSS is in the |0R⟩ or the |1R⟩ state in the R basis, and you measure in the

R basis, the result is reliable: |0R⟩ yields ‘0’ and |1R⟩ yields ‘1’, and the TSS stays

in the state it was.

• If the TSS is in the |0D⟩ or the |1D⟩ state in the D basis, and you measure in the

D basis, the result is reliable: |0D⟩ yields ‘0’ and |1D⟩ yields ‘1’, and the TSS stays

in the state it was.

• If the TSS is in the D basis, and you measure in the R basis, the result is random:EITHER the TSS state becomes |0R⟩ and yields ‘0’ OR becomes |1R⟩ and yields ‘1’;

and ‘0’ and ‘1’ are equally likely.

• If the TSS is in the R basis, and you measure in the D basis, the result is random:EITHER the TSS state becomes |0D⟩ and yields ‘0’ OR becomes |1D⟩ and yields ‘1’;

and ‘0’ and ‘1’ are equally likely.


Measurement and Preparation

Therefore: If you don’t know which basis the TSS state belongs to, there is no way ofreliably extracting what classical information it might contain.

How do you ever find anything out about a TSS? You measure it!

Once you have measured the TSS you know something about it. If you repeat thesame measurement, you reliably get the same answer.

This gives a method of preparing a TSS in a desired state:

1. Measure the TSS in the basis to which the desired state belongs.

2. If the answer comes out right, that’s it; else repeat 1. (either with a fresh TSS,or with the same TSS having measured in the other basis first to randomise).

Having two incompatible bases gives: two incompatible ways of storing ‘0’ in a TSS(i.e. as either |0R⟩ or |0D⟩), and two incompatible ways of storing ‘1’ in a TSS (i.e. as

either |1R⟩ or |1D⟩). Useful for cryptography!


2. Simple Quantum Protocols.

The PERFECT CONCEALMENT capapbility that the availability of two incompatiblebases for TSS gives, yields a useful cryptographic primitive that can be exploited invarious ways.

We look at a couple of simple protocols.

• Weisner’s Quantum Money.

• Bennett and Brassard’s BB84 Quantum Key Distribution protocol.

• Bennett’s B92 Quantum Key Distribution protocol.


Weisner’s Quantum Money

Weisner’s Quantum Money (WQM) depends on using several TSS as a MAC.

Create a banknote containing:— the value desired,— a normal, classical, serial number,— a series of TSS, each in a random state,

such that only the issuing bank knowsthe state of each TSS (and in particularonly the issuing bank knows the basisthat each state belongs to).

The perfect concealment of the quantum world provides authentication.


Properties of WQM

• If you know the basis that each TSS belongs to, you can measure the stateof the TSS reliably and nondestructively.

• If you don’t know the basis that each TSS belongs to, when you measure,you are likely to guess the basis incorrectly 50% of the time, and any timeyou guess wrong:— you destroy the original state of that TSS,— the classical information you get (i.e. ‘0’ or ‘1’) will be wrong 50% of the time.

Therefore:

• The bank can authenticate an untampered banknote by checking all the TSS statesusing information that only it knows.

• The bank can discover a forgery by checking all the TSS states, since 25% of thestates will come out wrong. The TSS states of the forgery will change as a result.

• A forger can: (a) guess (incorrectly) the TSS belonging to a real serial number, or(b) try to measure the TSS of a genuine banknote, both destroying the genuinenote, and also deriving an incorrect guess for his intended forgery.


Bennett and Brassard’s BB84 Quantum Key Distribution

The BB84 protocol builds on WQM to achieve truly secret key distribution.

Protagonists: Alice and Bob; Eve.

1. Alice and Bob decide in public on an acceptable key length (including a sensible

margin for error); call it N .

2. Alice secretly chooses a random string of length 4N of data bits, d1 ... d4N and a

random string of length 4N of letters drawn from the alphabet {R, D}, a1 ... a4N .

3. Bob secretly chooses a random string of length 4N of letters drawn from the

alphabet {R, D}, b1 ... b4N .

4. For i ∈ 1..4N , Alice does the following: she prepares the i’th TSS in the state

|di,ai⟩ (i.e. the data value of the state is given by di and the basis is given by ai).

Prepared thus, Alice sends the i’th TSS to Bob.

5. For i ∈ 1..4N , Bob receives the i’th TSS and measures it in the basis bi , yielding

a classical bit ei .


6. Alice and Bob exchange in public their basis label strings, a1 ... a4N and b1 ... b4N .

Alice and Bob both now know the indexes at which a1 ... a4N and b1 ... b4N agree,

and the indexes at which a1 ... a4N and b1 ... b4N disagree. They both discard the

elements that disagree, leaving a common string (typically of length about 2N),

c1 ... c~2N .

7. Alice discards the elements of d1 ... d4N that do not correspond with c1 ... c~2N ,

leaving a string of bits (typically of length about 2N), D1 ... D~2N .

8. Bob discards the elements of e1 ... e4N that do not correspond with c1 ... c~2N ,

leaving a string of bits (typically of length about 2N), E1 ... E~2N .

9. Because for each j ∈ 1..~2N , cj is a basis name randomly chosen the same

for the j’th TSS by Alice and Bob (for preparation and measurement respectively),

the value measured by Bob, Ej , equals the value prepared and sent by Alice, Dj .

Thus the two binary strings are equal: D1 ... D~2N = E1 ... E~2N . They can thus

serve as a candidate secret key for communication between Alice and Bob.


Thus far, supposedly common values have been established. But how do Alice and

Bob know that Eve has not been evesdropping?

10. Alice and Bob choose in public a randomly selected subsequence of c1 ... c~2N ,

(typically of length about N), and exchange in public the subsequences of

D1 ... D~2N and E1 ... E~2N that correspond to these values. They should agree

perfectly.

11. If Eve has been evesdropping, then about 25% of these values will disagree.

(Justification as for WQM.) If so, Alice and Bob must start again.

12. If not, the remaining subsequences of D1 ... D~2N and E1 ... E~2N (each of length

typically about N), constitute a common sequence of bits, K1 ... K~N , which is

secretly shared by Alice and Bob, and can serve as a secret key.

In BB84, perfect concealment is used to ensure that Eve has not looked at any of the

quantum states in transit, since if she had, it would have been detected in step 11.


Example

1..4N 1 2 3 4 5 6 7 8 9 10 11 12

Bob’s bi’s D R D D R D R R D D D R

Alice’s ai’s R R D R R R D R D D D R

Alice’s di’s 0 1 1 0 1 1 1 0 1 0 1 0

Alice sends |0R⟩ |1R⟩ |1D⟩ |0R⟩ |1R⟩ |1R⟩ |1D⟩ |0R⟩ |1D⟩ |0D⟩ |1D⟩ |0R⟩

ai = bi ? y y y y y y y y

Bob measures |1R⟩ |1D⟩ |1R⟩ |0R⟩ |1D⟩ |0D⟩ |1D⟩ |0R⟩

Security test 1 0 0 1

Secret Key 1 1 1 0


Bennett’s B92 Quantum Key Distribution

The B92 protocol refines BB84.




2. Alice secretly chooses a random string of length 4N of data bits, d1 ... d4N .



4. For i ∈ 1..4N , Alice does the following: she prepares the i’th TSS in the state

|0R⟩ if di = 0 or the state |1D⟩ if di = 1 . (Different bases are used for 0 and 1!!)

Prepared thus, Alice sends the i’th TSS to Bob (who knows which basis is used

for ‘0’ and which basis is used for ‘1’).

5. For i ∈ 1..4N , Bob receives the i’th TSS and measures it in the basis bi , yielding



For each TSS received, there are now four possibilities: (i), (ii), (iii), (iv).

(i) bi = R and ei = ‘0’: Alice might have sent |0R⟩ (measured reliably), or she might

have sent |1D⟩ and it flipped to |0R⟩ when measured by Bob; verdict uncertain.

(ii) bi = R and ei = ‘1’: Alice never sends |1R⟩; she could also not have sent

|0R⟩ since Bob would have measured it reliably; so she must have

sent |1D⟩ and it flipped to |1R⟩ when measured by Bob; verdict CERTAIN.

(iii) bi = D and ei = ‘0’: Alice never sends |0D⟩; she could also not have sent

|1D⟩ since Bob would have measured it reliably; so she must have

sent |0R⟩ and it flipped to |0D⟩ when measured by Bob; verdict CERTAIN.

(iv) bi = D and ei = ‘1’: Alice might have sent |1D⟩ (measured reliably), or she might

have sent |0R⟩ and it flipped to |1D⟩ when measured by Bob; Verdict Uncertain.

Definite verdict only possible when Bob measures a state NOT USED by Alice.

Good outcomes are ‘the right bit in the wrong basis’.


6. Bob tells Alice which indexes correspond to UNCERTAIN verdicts. Both of them

discard these, leaving a common string of indexes (typically of length about 2N).

7. Alice discards the elements of d1 ... d4N that do not correspond to Bob’s definitive

verdicts, leaving a string of bits (typically of length about 2N), D1 ... D~2N .

8. Bob discards the elements of e1 ... e4N that do not correspond to his definitive

verdicts, leaving a string of bits (typically of length about 2N), E1 ... E~2N .

9. Because only the definitive measurements are retained, the two binary strings

are equal: D1 ... D~2N = E1 ... E~2N . They can thus serve as a candidate secret

key for communication between Alice and Bob.



Bob know that Eve has not been evesdropping?

10. Alice and Bob choose in public a randomly selected subsequence of thier

data (typically of length about N), and exchange in public the subsequences

of D1 ... D~2N and E1 ... E~2N that correspond to these values. They should agree

perfectly.

11. If Eve has been evesdropping, then about 25% of these values will disagree.

(Justification similar to WQM.) If so, Alice and Bob must start again.




In B92, perfect concealment is used to ensure that Eve has not looked at any of the

quantum states in transit, since if she had, it would have been detected in step 11.

B92 also saves a classical communication step, since Alice and Bob don’t both need

to share basis information — part of it is predetermined by the protocol.


Example

1..4N 1 2 3 4 5 6 7 8 9 10 11 12

Alice’s di’s 0 1 1 0 1 1 1 0 1 0 1 0

Alice sends |0R⟩ |1D⟩ |1D⟩ |0R⟩ |1D⟩ |1D⟩ |1D⟩ |0R⟩ |1D⟩ |0R⟩ |1D⟩ |0R⟩

Bob measures |1D⟩ |1R⟩ |1R⟩ |0R⟩ |1R⟩ |0R⟩ |1D⟩ |0D⟩ |1R⟩ |0D⟩ |1R⟩ |0D⟩

definitive ? y y y y y y y y

Definitive states 1 1 1 0 1 0 1 0


Secret Key 1 1 1 0


Quantum Key Distribution in Practice

The first QKD demonstration was built by Bennett and Brassard in 1984.

The original BB84 experimental apparatus.

It so happens that quantum optics provides systems that behave well as regards themanipulations that QKD demands, and this area has developed rapidly, including thecreation of several startup companies offering QKD implementations. These includeidQuantique, Vectis, Magiq.


Among the best knownplaces doing QuantumCryptography researchis the Quantum OpticsLab in the University ofGeneva.

This illustration showsan underwater optic fibreimplementation of QKDconnecting Geneva andLausanne.


This illustration shows a free-air implementation of QKD in the Alps.


3. More Fake Quantum Theory: Fake

Tensor Products, Entanglement.

So far, we have considered a single TSS at a time.

If a TSS is in the R basis, measuring in the D basis can lead to either outcome:

|0R⟩ |0D⟩ ∨ |1D⟩ and |1R⟩ |0D⟩ ∨ |1D⟩

and vice versa:

|0D⟩ |0R⟩ ∨ |1R⟩ and |1D⟩ |0R⟩ ∨ |1R⟩

This depends on knowing which basis the TSS is in, since the other basis leads todefinite outcomes.

When there are several TSS, many more possibilities exist, the majority of whichcannot be described using our tools.


Among the most fascinating of the possibilities are so-called entangled states.Consider two TSS.

They might be independent, in which case they will have states such as |0R⟩|0D⟩ .

This is a tensor product of the |0R⟩ and |0D⟩ states, and means that

the first TSS is in the |0R⟩ state, and the second TSS is in the |0D⟩ state.

Alternatively, the two TSS might be coupled together, and might be in the (joint)maximally entangled state: |0D⟩|0D⟩ ∨ |1D⟩|1D⟩ .

This means that when both TSS are measured in the D basis, either both come out as|0D⟩ , or both come out as |1D⟩ .

Remarkably, this same state is also |0R⟩|0R⟩ ∨ |1R⟩|1R⟩ , so that if both TSS are

measured in the R basis, either both come out as |0R⟩ , or both come out as |1R⟩ .

You don’t have to know which basis applies beforehand. The perfect correlation workseither way.

(There are also many other kinds of joint state, not captured by our classicalinformation approach.)


Eckert’s E91 Quantum Key Distribution

The E91 protocol works on different principles to BB84 and B92. Maximalentanglement plays the role of transmission of TSS from Alice to Bob.




Assumption: Alice and Bob share 4N maximally entangled TSS pairs; such that Alice

has one TSS in each pair, and Bob has the other TSS of the pair. (N.B. There is

nothing in physics that says that the two TSS in an entangled pair need to be close

together — Alice and Bob can be separated by a huge distance.)

2. Alice secretly chooses a random string of length 4N of letters drawn from the

alphabet {R, D}, a1 ... a4N .




4. For i ∈ 1..4N , Alice measures her TSS of the i’th pair in the basis ai , yielding

a classical bit di .

5. For i ∈ 1..4N , Bob measures his TSS of the i’th pair in the basis bi , yielding


6. Alice and Bob exchange in public their basis label strings, a1 ... a4N and b1 ... b4N .

Alice and Bob both now know the indexes at which a1 ... a4N and b1 ... b4N agree,

and the indexes at which a1 ... a4N and b1 ... b4N disagree. They both discard the

elements that disagree, leaving a common string (typically of length about 2N),

c1 ... c~2N .

7. Alice discards the elements of d1 ... d4N that do not correspond with c1 ... c~2N ,

leaving a string of bits (typically of length about 2N), D1 ... D~2N .

8. Bob discards the elements of e1 ... e4N that do not correspond with c1 ... c~2N ,

leaving a string of bits (typically of length about 2N), E1 ... E~2N .


9. Because for each j ∈ 1..~2N , cj is a basis name randomly chosen the same

for the j’th pair by Alice and Bob, and because each pair is maximally entangled,

the value measured by Bob, Ej , equals the value measured by Alice, Dj .

Thus the two binary strings are equal: D1 ... D~2N = E1 ... E~2N . They can thus

serve as a candidate secret key for communication between Alice and Bob.


Bob know that Eve has not been evesdropping (at some point the two TSS in each

pair had to get separated and travel apart)? Even without Eve, the Environment may

have interfered with the perfect maximal entanglement of the two parts of the pairs.

10. Alice and Bob choose in public a randomly selected subsequence of c1 ... c~2N ,

(typically of length about N), and exchange in public the subsequences of

D1 ... D~2N and E1 ... E~2N that correspond to these values. They should agree

perfectly.

11. If Eve has been evesdropping, or the Environment has degraded the maximal

entanglement of the pairs, then a significant proportion of these values will

disagree. If so, Alice and Bob must start again.





In E91, maximal entanglement substitutes for transmission of TSS. The remarkable

long distance correlation that maximally entangled pairs have has no counterpart in

classical physics, and is sufficient for perfect concealment.


Example

1..4N 1 2 3 4 5 6 7 8 9 10 11 12

Alice’s ai’s R R D R R R D R D D D R

Bob’s bi’s D R D D R D R R D D D R

ai = bi ? y y y y y y y y

Alice’s di’s 0 1 1 0 1 1 1 0 1 0 1 0

Bob’s ei’s 1 1 1 0 1 0 0 0 1 0 1 0

Alice’s Di’s 1 1 1 0 1 0 1 0

Bob’s Ei’s 1 1 1 0 1 0 1 0


Secret Key 1 1 1 0


4. A Glance at Genuine Quantum Theory.

For a detailed treatment of this stuff see the COMP30222 course. This is a sketch.

Genuine quntum theory uses probability amplitudes to derive the likelihood thatsomething or other will happen when a measurement is made. Probability amplitudesare complex numbers, so they can be positive, negative, imaginary, etc., and thedetailed description of how quantum systems behave internally —i.e. before youmeasure and extract classical information— works by manipulating them. Soprobability amplitudes get added, subtracted, multiplied, etc.

Probability amplitudes are turned into classical probabilities by squaring the modulus.

Therefore, only very few quantum phenomena —those where it doesn’t make anydifference whether you work with squared moduli from the start, or only square themoduli at the end— can be accurately described in terms of classical probabilities. Wedid more or less everything that can be done this way already.


5. Quantum Computing, Shor’s Algorithm

and the Threat to RSA.

If you do quantum theory right, you can do some amazing things, eg. teleportation, akind of extension of the Eckert protocol that does blind, destructive, transmission.

•⊕

(|00⟩+ |11⟩)1√2

|ψ⟩ =

H 00011011

00: I

01: X10: Z11: X;Z

a |0⟩+b |1⟩

|ψ⟩ =

a |0⟩+b |1⟩


This gets us into the business of quantum computing in general.

Quantum computing potentially offers the possibility of doing certain computing taksmore efficiently than is possible with classical computing.

• Unstructured search (quadratic speedup).

• Factoring of integers (exponential speedup).

In 1994 Shor published a quantum algorithm that could do integer factoring inpoynomial time (whereas every known classical algorithm takes exponential time).

This really caused the world to sit up and take notice of quantum computing, since fastfactoring leads to the breaking of RSA.

In 2001, IBM used a specialised experimental setup to achieve the factoring of 15 byquantum means.

However, the IBM techniques do not scale, and thus far, no practical quantumcomputing system has been built that can tackle factoring on the scale needed tobreak RSA-sized numbers.


So general quantum computing remains out of reach for now, and has not achievedthe same level of development as QKD.

For now we are OK, but if big factoring ever became a practical technique, RSA wouldhave to be abandoned (at least for the most secure applications).

Pictures taken (with appreciation) from:C. Williams, S. Clearwater, Explorations in Quantum ComputingS. Singh, The Code BookD. Bruss, G. Leuchs, Lectures on Quantum Information.

Quantum Cryptography - Department of Computer Science ... · Quantum Cryptography Bennett and...

Documents

Transcript of Quantum Cryptography - Department of Computer Science ... · Quantum Cryptography Bennett and...