Quantum Cryptography. Areas for Discussion. Quantum Cryptography. Photons. Photons. Photons. MSc Distributed Systems and Security

Transcription

1 Areas for Discussion Joseph Spring Department of Computer Science MSc Distributed Systems and Security Introduction Photons Quantum Key Distribution Protocols BB84 A 4 state QKD Protocol B9 A state QKD Protocol Whilst Cryptanalysts await the arrival of quantum computers and the fall of RSA, DES, Cryptographers look to the employment of quantum computation an encryption system that would reestablish privacy It is claimed that QIP offers the possibility for perfect secrecy absolute secrecy for eternity! Quantum cryptography commenced with Stephen Wiesner idea of quantum money in the 960 s which relied upon the physics of photons 3 Photons A photon is a basic unit (or quanta) of light When a photon travels through space it vibrates For photons travelling in the same direction from a light source the angle of vibration is in general found to vary some vibrate up and down, some left to right and others at all angles in between The angle of vibration is referred to as the polarisation of the photon 4 Photons By placing a Polaroid filter in the path of photons it is possible to ensure that the emerging beam of light consists of photons with the same Polarisation Photons polarised in the same direction (say vertical) as the filter will pass through unaffected Photons polarised perpendicular to the filter will be blocked Diagonally polarised photons will pass through 50% of the time to be re-polarised as vertical photons be blocked 50% of the time 5 Photons Although Wiesners idea was not developed in the 60 s he did pass the rejected manuscript to a fellow undergraduate Charles Bennett who was fascinated by the idea (See Singh S., The Code Book, pp33-337) In discussing the idea with a colleague Giles Brassard they gradually saw that Wiesners idea had applications in cryptography and 4 years after Wiesners paper on quantum money had been rejected by the science journals BB84 for QKD was developed 6

2 Quantum Key Distribution QKD is a provably secure protocol, through which private keys bits may be be created between parties over a public channel This is subject to the condition that the qubits are transmitted over a communication channel with an acceptable error rate The security of the resulting key is guaranteed by the properties of quantum information hence conditional upon the correctness of fundamental laws of physics The key bits may be then be used to implement a classical private key cryptosystem Quantum Key Distribution QKD relies in particular upon two concepts: The No-Cloning Theorem The Information Gain implies Disturbance Proposition In addition information reconciliation privacy amplification protocols are employed 7 8 No Cloning (copying) Theorem Theorem An unknown Quantum State cannot be cloned So there is no unitary transformation U, such that for any one-qubit state ψ U (,0 ) = ψ, So you can t copy information sent by Alice to Bob! [Quantum Computing Jozef Gruska p68] 9 Information Gain implies Disturbance Proposition In any attempt to distinguish between two nonorthogonal quantum states, information gain is only possible at the expense of introducing disturbance to the signal So if you try to read what is sent from Alice to Bob you will in general change the information sent creating errors! [Quantum Computation and Quantum Information Nielson & Chuang pp ] 0 What of Eve? Eve cannot gain any information from the qubits transmitted to Bob without disturbing their state. We have seen that this follows by:. The No-Cloning Theorem. Information Gain Implies Disturbance Proposition By. Eve cannot clone/copy qubits sent by Alice hence offline analysis is not an option By. Provided we transmit non orthogonal qubits we can detect eavesdropping What of Eve? As a result of. Alice transmits nonorthogonal states between herself and Bob Check qubits are also interspersed randomly amongst the data qubits to establish an upper bound on any noise or eavesdropping that occurs in the communication channel Finally Alice and Bob perform information reconciliation and privacy amplification protocols

3 Reconciliation and Amplification If Alice and Bob have imperfect keys then they can perform information reconciliation and privacy amplification protocols to obtain a good enough key to conduct a secure cryptographic protocol The method increases the correlation between their key strings Decreases the mutual information that Eve may have about the result to any level of security Information Reconciliation Overview Information Reconciliation is error correction conducted over a public channel It reconciles errors between the two bit strings that Alice and Bob have to obtain a common shared bit string that can be used as the shared key whilst divulging as little as possible to Eve 3 4 Privacy Amplification Overview Following information reconciliation it may be that Eve has a random variable Z which is partially correlated with W, Alice and Bob s shared key Privacy Amplification is a technique that can be used to distill a smaller a smaller set of bits S from W that has the property of being less correlated with Z down to an acceptable level 5 Reconciliation and Amplification We do not look in detail at these steps We do acknowledge their existence We do recognise the benefits of their use within the QKD Protocols 6 BB84 and B9 QKD Protocols BB84 (Bennett and Brassard, 984) A four state protocol Encodings and decodings based on the existence of two non-commuting observables The first fully successful attempt to exploit quantum laws to obtain a fundamental advantage in information processing B9 the minimal protocol (Bennett, 99) A state protocol Encodings based on two non-orthogonal states BB84 and B9 QKD Protocols Protocols BB84 and BB9 are described in terms of Hilbert Space constructs and illustrated using transmissions of single photons randomly polarised. Several stages exist in the quantum generation of a key of length m < n Preparation Phase Quantum Transmission Phase Key Extraction Phase Test for Errors Final key extraction 7 8 3

4 BB84 and B9 QKD Protocols For BB84 two strings a and b of (4 + δ )n random classical bits are established by Alice who then encodes these strings as a block of (4 + δ )n qubits: (4 + δ ) n = ab k k k = the four states used in BB84 are found on the right hand side of the above equation and are defined as: Four States used in BB84 00 = 0 0 = 0 = ( 0 + ) = ( 0 ) the first two states are referred to as the Z basis the last two states are referred to as the X basis 9 0 Four States used in BB84 > +> 0> -> These are unit vectors; each are normalised to unit length Two States used in B9 = 0 0 = ( 0 + ) = + Here Alice prepares a random classical bit a, and depending on the result sends to Bob: 0 if a = 0 = 0 + if a = Two States used in B9 0> +> These are unit vectors; each are normalised to unit length 3 BB84 QKD Protocol. Alice chooses (4 + δ )n random data bits a where n is the length of the sought key. Alice chooses a random (4 + δ )n - bit string b. She encodes each data bit as { 0>, >} if the corresponding bit of b is 0 or { +>, ->} b is 3. Alice sends the resulting state to Bob 4. Bob receives the (4 + δ )n qubits, announces this fact, and measures each qubit in the X or Z basis at random 5. Alice announces b 4 4

5 BB84 QKD Protocol 6. Alice and Bob discard any bits where Bob measured a different basis than Alice prepared. With high probability there are at least n bits left (if not abort the protocol). They keep n bits. 7. Alice selects a subset of n bits that serve as the check bits, a check on Eves interference, and tells Bob which bits were selected 5 BB84 QKD Protocol 8. Alice and Bob announce and compare the values of the n check bits. If more than an acceptable number disagree then they abort the protocol 9. Alice and Bob perform information reconciliation and privacy amplification on the remaining n bits to obtain m shared key bits 6 BB84 QKD Protocol B9 QKD Protocol Example Given in Lecture 7 We consider what happens to one bit at a time. Generalisation to a block follow naturally as with BB84. Alice prepares one random classical bit a, and depending upon the result sends Bob 0 if a = 0 = 0 + if a = 8 B9 QKD Protocol B9 QKD Protocol. Depending upon the random classical bit a that Bob generated, Bob uses either the Z or X basis and obtains his result b - which is either a 0 or a 3. Bob announces b but keeps a secret 4. Alice and Bob conduct a public discussion keeping only those pairs {a, a } for which b =. Note that when a = a, then b = 0. Only when a = a does b = and this occurs with probability ½ 5. The final key is a for Alice and a for Bob 9 This highlights how the impossibility of perfect distinction between non-orthogonal states lies at the heart of quantum cryptography Again eavesdropping is impossible without disruption hence Alice and Bob may create shared key bits and an upper bound for noise and eavesdropping 7. Information reconciliation and privacy amplification may be applied to extract secret bits from their resulting correlated random bit strings 30 5

6 BB9 QKD Protocol Example Given in Lecture Summary Introduction Photons Quantum Key Distribution Protocols BB84 A 4 state QKD Protocol B9 A state QKD Protocol 3 3 References Nielson M.A., Chuang I.L. Quantum Computation and Quantum Information, Cambridge University Press, 00 Bouwmeester et al (ed s), The Physics of Quantum Information, Sringer-Verlag, 000 Gruska J., Quantum Computing, McGraw Hill, 999 Singh S., The Code Book, Fourth Estate Ltd., 999 Penrose R., Shadows of the Mind, Oxford University Press,