Quantum Cryptography: Quantum Key Distribution CSE 825.

Quantum Cryptography is different than Quantum Computing.

Confusing because there is only one algorithm for a quantum computer, and it factors large numbers, so its primary purpose is to break cryptography.

Michigan State University

Private (secret) Key

A k-bit secret key is shared by two users.

The assumption is that finding a particular key is intractable (brute force).

If advances in computing make it tractable, choose a longer key.

Notation

Players: A & B

Named: Alice & Bob

Who is the bad guy?

Secret Key = one-time pad

Alice converts message into a string of bits and XORs with the key.

Each key bit is used once (reuse allows deduction about the message).

Bob XORs the key with the received string to extract the original message.

Without the key an eavesdropper sees random bits.

Key Distribution

Key distribution is the problem of getting a secure key to both parties.

Quantum Key Distribution

Quantum Cryptography uses quantum properties to securely distribute a secret key.

History of Quantum Cryptography

1970s concept proposed by Wiesner

1984 Bennett and Brassard developed the first quantum cryptography protocol: BB84

1991 first experimental demonstration (32 cm)

2002 first commercial product available (www.idquantique.com)

Quantum Mechanics

Elements of quantum information, typically photons, are put in a particular state by the sender and then observed by the receiver.

Because of the Uncertainty Principle certain quantum information occurs as conjugates that cannot be measured simultaneously.

Quantum Mechanics

Polarization of photons can be expressed in any of three different bases: rectilinear, circular, and diagonal, but observing in one basis randomizes the conjugates.

If the sender and receiver are not using the same basis, reading the information effectively destroys it (randomizes it) without yielding useful information.

• Unpolarized light enters a vertically aligned filter, which absorbs some of the light and polarizes the remainder in the vertical direction. A second filter tilted at some angle θ absorbs some of the polarized light and transmits the rest, giving it a new polarization.

• If the first filter is a + and the second is an X, matched polarization passes through, mismatches pass randomly.

A quantum cryptography system allows two people, say Alice and Bob, to exchange a secret key.

Alice uses a transmitter to send photons in one of four polarizations: 0, 45, 90 or 135 degrees.

Bob uses a receiver to measure each polarization in either the rectilinear basis (0 and 90) or the diagonal basis (45 and 135); according to the laws of quantum mechanics he cannot simultaneously make both measurements.

Important: photons are sent one at a time!

Alice sends photons with one of the four polarizations, chosen at random.

For each photon, Bob chooses at random the type of measurement: + or X

Bob records the result of his measurements, but keeps it a secret.

Bob tells Alice the measurement types used (but not results) in free space. Alice tells him which were correct.

Alice and Bob keep the correct cases and translate them to 0’s and 1’s.

Eve

Since reading a bit destroys it, to eavesdrop Eve must regenerate bits.

Half the time she will read and regenerate correctly. Combined with Bob reading correctly half the time, this means that ¼ of the time Eve will generate an error visible to Bob & Alice.

Check

As a check, Alice and Bob choose some bits at random to reveal.

If the bits agree, they can use the remaining bits with assurance that they have not been intercepted.

But if they find significant discrepancies, it indicates tampering due to eavesdropping, and they should start over to transmit another key.
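
The photon exchange, Eve's read-and-regenerate step, and the reveal-some-bits check from the slides above, as an added Python simulation that is not part of the original lecture. It assumes an ideal noise-free channel and the bit mapping 0°/45° = 0 and 90°/135° = 1; the function names are illustrative.

```python
import random

BASES = ("+", "x")  # rectilinear (0/90 degrees) and diagonal (45/135 degrees)
# Assumed bit mapping (not given on the slides): 0 and 45 degrees = 0, 90 and 135 = 1.

def measure(bit, sent_basis, meas_basis, rng):
    """Same basis: the encoded bit is read. Different basis: the result is random."""
    return bit if sent_basis == meas_basis else rng.randrange(2)

def bb84(n_photons, eavesdrop=False, seed=0):
    """Run BB84 on an ideal channel and return the sifted (alice_key, bob_key)."""
    rng = random.Random(seed)  # seeded for a repeatable demo; real QKD needs true randomness
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        a_bit, a_basis = rng.randrange(2), rng.choice(BASES)
        bit, basis = a_bit, a_basis
        if eavesdrop:
            # Eve must measure in a guessed basis and regenerate the photon from her result.
            e_basis = rng.choice(BASES)
            bit, basis = measure(bit, basis, e_basis, rng), e_basis
        b_basis = rng.choice(BASES)
        b_bit = measure(bit, basis, b_basis, rng)
        # Sifting: bases (not results) are compared in public; mismatches are dropped.
        if a_basis == b_basis:
            alice_key.append(a_bit)
            bob_key.append(b_bit)
    return alice_key, bob_key

def reveal_check(alice_key, bob_key, sample_size, seed=1):
    """Reveal a random sample in public; return (error_rate, alice_rest, bob_rest)."""
    rng = random.Random(seed)
    revealed = set(rng.sample(range(len(alice_key)), sample_size))
    errors = sum(alice_key[i] != bob_key[i] for i in revealed)
    alice_rest = [b for i, b in enumerate(alice_key) if i not in revealed]
    bob_rest = [b for i, b in enumerate(bob_key) if i not in revealed]
    return errors / sample_size, alice_rest, bob_rest

if __name__ == "__main__":
    for eve in (False, True):
        a, b = bb84(20000, eavesdrop=eve)
        rate, a_rest, b_rest = reveal_check(a, b, 2000)
        print(f"Eve={eve}: sifted={len(a)} sample error rate={rate:.3f}")
```

With Eve present the revealed sample shows an error rate near the ¼ figure from the Eve slide; without her it is zero on this ideal channel, and about half of the photons survive sifting in both cases.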

Why it works?

If eavesdropper Eve observes the data, she disturbs the quantum state.

Other options for Eve

Eve could also attempt to listen to only a small number of bits going by in hopes that she can know a few bits and go undetected.

Alice and Bob can prevent this attack by shrinking their secret key down after having established it (“privacy amplification”).

If they shrink their key in the right way, Eve's chances of knowing even one bit would be very small.

If Eve is observing, when Alice and Bob compare notes about the value of observed bits, half the time, their bits will be different when they should be the same.

Noise

Noise exists and Eve introduces more noise.

Alice and Bob eliminate noise with public error correction: e.g. public communication of the parity of small subsets of the key. By always withholding the last bit, the public parity discussion is harmless.
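
An added Python example (not code from the lecture) of the two post-processing steps the slides name: the public parity discussion above and the privacy amplification from the "Other options for Eve" slide. Assumptions: a block whose parities differ is discarded outright rather than searched for the bad bit, amplification uses random-subset parities (a universal hash family), and all function names are hypothetical.

```python
import random

def parity(bits):
    return sum(bits) % 2

def reconcile(alice, bob, block_size=8, rounds=4, seed=7):
    """Compare block parities in public. A block whose parities differ is discarded;
    a block that agrees loses its last bit, offsetting the one parity bit disclosed."""
    rng = random.Random(seed)  # the block layout is public, so a shared seed is harmless
    a, b = list(alice), list(bob)
    for _ in range(rounds):
        order = list(range(len(a)))
        rng.shuffle(order)  # reshuffle so an even number of errors rarely stays together
        next_a, next_b = [], []
        # Bits left over after the last full block are dropped as well.
        for start in range(0, len(order) - block_size + 1, block_size):
            idx = order[start:start + block_size]
            blk_a, blk_b = [a[i] for i in idx], [b[i] for i in idx]
            if parity(blk_a) == parity(blk_b):  # only the two parities are made public
                next_a += blk_a[:-1]
                next_b += blk_b[:-1]
        a, b = next_a, next_b
    return a, b

def privacy_amplify(key, out_len, seed=11):
    """Shrink the key: each output bit is the parity of a public random subset of key bits."""
    rng = random.Random(seed)
    out = []
    for _ in range(out_len):
        mask = [rng.randrange(2) for _ in key]
        out.append(sum(k & m for k, m in zip(key, mask)) % 2)
    return out

def noisy_copy(bits, n_errors, seed=3):
    """Constructed test input: Bob's key is Alice's with n_errors bits flipped."""
    rng = random.Random(seed)
    flipped = set(rng.sample(range(len(bits)), n_errors))
    return [bit ^ (i in flipped) for i, bit in enumerate(bits)]

if __name__ == "__main__":
    alice = [random.Random(0).randrange(2) for _ in range(2000)]
    bob = noisy_copy(alice, 60)  # constructed 3% channel noise
    a, b = reconcile(alice, bob)
    print(len(a), a == b, privacy_amplify(a, 64) == privacy_amplify(b, 64))
```

A single round misses any block holding an even number of errors, which is why the blocks are reshuffled and checked again; the price is key length, since every surviving block gives up one bit per round.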

Attacks

• Single photon QKD proven secure against “collective attack”, conjectured to be the strongest “joint attack” (I don’t understand either the terminology or the proof.)

• A “man in the middle” attack protected by “classical privacy amplification” (single photon?)

More Attacks

• Actual physical devices aren’t as perfect as assumed in the theorems: occasionally there are multiple photons.

• Can that result in a practical attack?

• Privacy amplification can handle Eve knowing a few bits.

• Decoy states can help identify Eve’s snooping by lowering energy to prevent multiple photons for short periods known to Alice and Bob.

• “Blinding” seemed to be an effective attack, but protection has been found http://www.physorg.com/news/2010-12-detector-quantum-cryptography-defeated.html

MIM

• What about Man-in-the-middle?

Could Eve split a multi-photon stream, reducing its intensity, but not its content?

– PNS: Photon Number Splitting attack requires storage which currently is not possible.

– “There are various possible solutions to this particular problem; it is the unanticipated flaws that present the greatest security hazard.”

In the BB84 protocol Alice sends quantum states to Bob using single photons. In practice many implementations use laser pulses attenuated to a very low level to send the quantum states. These laser pulses contain a very small number of photons, for example 0.2 photons per pulse, which are distributed according to a Poissonian distribution. This means most pulses actually contain no photons (no pulse is sent), some pulses contain 1 photon (which is desired) and a few pulses contain 2 or more photons. If the pulse contains more than one photon, then Eve can split off the extra photons and transmit the remaining single photon to Bob. This is the basis of the photon number splitting attack, where Eve stores these extra photons in a quantum memory until Bob detects the remaining single photon and Alice reveals the encoding basis. Eve can then measure her photons in the correct basis and obtain information on the key without introducing detectable errors.

Proof assumptions

• Eve cannot physically access Alice and Bob's encoding and decoding devices.

• The random number generators used by Alice and Bob must be trusted and truly random.

• The classical communication channel must be authenticated using an unconditionally secure authentication scheme.

• The message must be encrypted using a one-time-pad-like scheme.

Hacking attacks target vulnerabilities in the operation of a QKD protocol or deficiencies in the components of the physical devices used in construction of the QKD system. If the equipment used in quantum key distribution can be tampered with, it could be made to generate keys that were not secure using a random number generator attack. Another common class of attacks is the Trojan horse attack which does not require physical access to the endpoints: rather than attempt to read Alice and Bob's single photons, Eve sends a large pulse of light back to Alice in between transmitted photons. Alice's equipment reflects some of Eve's light, revealing the state of Alice's basis (e.g., a polarizer). This attack can be detected, e.g. by using a classical detector to check the non-legitimate signals (i.e. light from Eve) entering Alice's system. It is also conjectured that most hacking attacks can similarly be defeated by modifying the implementation, though there is no formal proof.

Real World

• Key exchange is now slow:

– 1 Mbits/sec over 20 km of optical fiber

– 10 kbits/sec over 100 km of optical fiber

• Distance record is 148.7 km optical fiber (2007). As long as any existing fiber spans.

• Free space distance record 144 km

• Photon loss and errors are limiting factors

Commercial

• id Quantique (Geneva)

• MagiQ Technologies (New York)

• QuintessenceLabs (Australia)

• SeQureNet (Paris)

World's first bank transfer using quantum key distribution was done in Vienna, Austria (2004). Id Quantique was used in the Swiss canton of Geneva to transmit ballot results to the capital in the 2007 national election. Battelle Memorial Institute used id Quantique to connect their main campus in Columbus, OH and their manufacturing facility in Dublin, OH (2013).

• The 10-node DARPA Quantum network has been running since 2004 in Massachusetts. (BBN Technologies, Harvard, Boston U. and QinetiQ.)

• The world's first computer network protected by quantum key distribution was implemented in October 2008, at a scientific conference in Vienna (SECOQC: Secure Communication Based on Quantum Cryptography). The network used 200 km of standard fibre optic cable to interconnect six locations across Vienna and the town of St Poelten located 69 km to the west.

• The Tokyo QKD Network was inaugurated on the first day of the UQCC2010 conference. The network involves an international collaboration between 7 partners: NEC, Mitsubishi Electric, NTT, NICT, Toshiba, Id Quantique, Austrian Institute of Technology (AIT), the Institute for Quantum Optics and Quantum Information (IQOQI) and the University of Vienna.

• A hub-and-spoke network has been operated by Los Alamos National Laboratory since 2011. All messages are routed via the hub. The system equips each node in the network with quantum transmitters–i.e., lasers–but not with expensive and bulky photon detectors. Only the hub receives quantum messages. To communicate, each node sends a one-time pad to the hub, which it then uses to communicate securely over a classical link. The hub can route this message to another node using another one time pad from the second node. The entire network is secure, provided that the central hub is secure. Individual nodes require little more than a laser - prototype nodes are around the size of a box of matches.
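
The one-time pad rules from the earlier slides (XOR with the key, each key bit used once) and the hub relay just described, as an added Python example that is not part of the original lecture. The Pad class, hub_relay and the sample messages are illustrative assumptions; in the real network the pads would come from QKD rather than secrets.token_bytes.

```python
import secrets

class Pad:
    """One-time pad that hands out each key byte exactly once."""
    def __init__(self, key: bytes):
        self._key, self._pos = key, 0

    def take(self, n: int) -> bytes:
        if self._pos + n > len(self._key):
            raise ValueError("pad exhausted: distribute more key, never reuse")
        chunk = self._key[self._pos:self._pos + n]
        self._pos += n
        return chunk

def xor(data: bytes, key: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, key))

def hub_relay(ciphertext, pad_from_sender, pad_to_receiver):
    """Hub strips the sender's pad and applies the receiver's pad.
    The plaintext exists at the hub, which is why the hub must be secure."""
    plaintext = xor(ciphertext, pad_from_sender.take(len(ciphertext)))
    return xor(plaintext, pad_to_receiver.take(len(plaintext))), plaintext

def demo():
    """Node A -> hub -> node B; returns (sent, received, seen_at_hub)."""
    key_a, key_b = secrets.token_bytes(64), secrets.token_bytes(64)
    # Each pad exists in two copies: one at the node, one at the hub.
    node_a, hub_a = Pad(key_a), Pad(key_a)
    node_b, hub_b = Pad(key_b), Pad(key_b)
    msg = b"constructed sample message"
    c1 = xor(msg, node_a.take(len(msg)))
    c2, seen_at_hub = hub_relay(c1, hub_a, hub_b)
    received = xor(c2, node_b.take(len(c2)))
    return msg, received, seen_at_hub

def reuse_leak(m1: bytes, m2: bytes, key: bytes) -> bytes:
    """Same key bytes used twice: the key cancels, leaving m1 XOR m2 in the clear."""
    c1, c2 = xor(m1, key), xor(m2, key)
    return xor(c1, c2)

if __name__ == "__main__":
    sent, received, seen = demo()
    print(received == sent, seen == sent)
```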

BBN + DARPA

The current commercial systems are aimed mainly at governments and corporations with high security requirements. Key distribution by courier is typically used in such cases, where traditional key distribution schemes are not believed to offer enough guarantee. This has the advantage of not being intrinsically distance limited, and despite long travel times the transfer rate can be high due to the availability of large capacity portable storage devices. The major difference of quantum key distribution is the ability to detect any interception of the key, whereas with courier the key security cannot be proven or tested. QKD systems also have the advantage of being automatic, with greater reliability and lower operating costs than a secure human courier network.

Factors preventing wide adoption of quantum key distribution outside high security areas:

– the cost of equipment

– the lack of a demonstrated threat to existing key exchange protocols.

However, with optic fiber networks already present in many countries the infrastructure is in place for a more widespread use.
