Quantum Key Distribution, Practical Implications & Vuln - PowerPoint Presentation

Slide1

Quantum Key Distribution, Practical Implications & Vulnerabilities

Seyed

Ali

Hosseini

Lavasani

Seyed

Alireza

Seif

TabriziSlide2

B92 Protocol

Let

and

be two distinct, nonorthogonal states, and let and be projection operators onto subspaces orthogonal to and , respectively. Thus annihilates , but yields a positive result with probability when applied to , and vice versa for .To begin the key distribution, Alice prepares and sends Bob a random binary sequence of quantum systems, using states and to represent the bits 0 and 1, respectively. Bob then decides randomly and independently of Alice for each system, whether to subject it to a measurement of or . Next Bob publicly tells Alice in which instances his measurement had a positive result (but not, of course, which measurement he made), and the two parties agree to discard all the other instances.

 Slide3

If there has been no eavesdropping, the remaining instances , a fraction approximately

of the original trials should be perfectly correlated, consisting entirely of instances in which Alice sent

and Bob measured

, or Alice sent and Bob measured . However, before Alice and Bob can trust this data as key, they must, as in other key distribution schemes, sacrifice some of it to verify that their versions of the key are indeed identical. This also certifies the absence of eavesdropping, which would necessarily have disturbed the states or in transit, causing them sometimes yield positive results when later subjected to measurements or , respectively. Slide4

An example of B92 qkd

For

example Alice preparing a polarized photon for each of her bits according to the rules

: and sending it over the “quantum channel” to Bob.Bob makes a polarization measurement on each photon he receives, according to the value of his bit as given by: and records the result (“pass” = Y, “fail” = N).Slide5

In

this experiment we see that for the first and fourth bits Alice and Bob had different bit values, so that

Bob’s result

is "N" in each case. However, for the second and third bits, Alice and Bob have the same bit values and the protocol is such that there is a probability of 0.5 that Bob’s result is a “Y” in each case. Of course, we cannot predict in any particular experiment which one will be a “Y,” but in this example the second bit was a “N” and the third bit was a “Y.”Slide6

EXPERIMENTAL REALIZATION IN OPTICAL FIBERSlide7

The probability that a photon injected by Alice is detected by Bob at his “L” detector

depends

on both paths. Thus, if Alice and Bob use the phase angles (

, ) = (0, 3/2) for their “0” bits (respectively) and (, ) = (/2, ) for their “1” bits they have an exact representation of B92 when Bob records photon arrivals at his “L” detector. Each path length is analogous to one of the polarizer angles in the explanation of B92 in the previous section. Slide8

The BB84 protocol

can be realized with a detector in the “upper” output port, for which the

single-photon detection

probability isThen, Alice transmits (0, 1) in either the first basis as = (0, ), or the second basis as = (/2, 3 /2), and Bob measures for photon detections at “U” or “L” with either the first basis, = 0, or the second basis, = /2. When Alice and Bob use the same basis, Bob’s “U” detector will fire to identify “1”s and his “L” detector will fire to identify “0”s. Slide9

Time-multiplexed interferometer for quantum key distributionSlide10
Slide11

Free space quantum key distributionSlide12
Slide13

Implications:

experimental

The highest bit rate system currently demonstrated exchanges secure keys at 1 Mbit/s (over 20 km of optical

fiber) and 10 kbit/s (over 100 km of fiber), achieved by a collaboration between the University of Cambridge and Toshiba using the BB84 protocol with decoy pulses.As of March 2007 the longest distance over which quantum key distribution has been demonstrated using optic fiber is 148.7 km, achieved by Los Alamos National Laboratory/NIST using the BB84 protocol. Significantly, this distance is long enough for almost all the spans found in today's fiber networks. The distance record for free space QKD is 144 km between two of the Canary Islands, achieved by a European collaboration using entangled photons (the Ekert scheme) in 2006, and using BB84 enhanced with decoy states in 2007. The experiments suggest transmission to satellites is possible, due to the lower atmospheric density at higher altitudes. For example although the minimum distance from the International Space Station to the ESA Space Debris Telescope is about 400 km, the atmospheric thickness is about an order of magnitude less than in the European experiment, thus yielding less attenuation compared to this experiment.Slide14

Implications:Commercial

There are currently three companies offering commercial quantum key distribution systems; id

Quantique

(Geneva), MagiQ Technologies (New York) and QuintessenceLabs (Australia). Several other companies also have active research programs, including Toshiba, HP, IBM, Mitsubishi, NEC and NTT Quantum encryption technology provided by the Swiss company Id Quantique was used in the Swiss canton (state) of Geneva to transmit ballot results to the capitol in the national election occurring on October 21, 2007.In 2004, the world's first bank transfer using quantum key distribution was carried in Vienna, Austria.Slide15

The EPR protocol

Alice and Bob share a set of n entangled pairs of

qubits

in the EPR state:Each of them make measurements in {, } basis or {, } basis randomly and store the results.Then Alice and Bob announce the bases they’ve made their measurements over a public channelThey discard any bits that Bob measured different basis than Alice prepared. Slide16

An example of epr protocol

Alice’s polarization

0

1-+10+Alice’s bit value0101101Bob’s polarization++-11++Bob’s bit value1101111Slide17

The origin of key bits

Since it is symmetric –

Alice and

Bob perform identical tasks on their qubits, even possibly simultaneously – it cannot be said that either Alice or Bob generates the key. Rather, the key is truly random. In fact the same applies to the BB84 protocol, since it can be reduced to an instance of a generalized version of the EPR protocol key is undetermined until Alice or Bob performs a measurement on their EPR pair half. Similar observations can be made about the B92 protocol. For this reason, quantum cryptography is sometimes thought of not as secret key exchange or transfer, but rather as secret key generation, since fundamentally neither Alice nor Bob can pre-determine the key they will ultimately end up with upon completion of the protocol.Slide18

An example of vulnerable qkd protocol

Li describes a QKD protocol using Greenberger-Horne-

Zeilinger

(GHZ) states that requires no classical communication. The protocol is described as follows, for communicating parties Alice and Bob: Slide19

Li shows

that this protocol is secure with respect to an attack in which Eve measures

qubits

returning from Bob to Alice, with a probability that Eve escapes detection of , for n qubits. It is also shown that the protocol is secure with respect to an attack where Eve executes a controlled-NOT operation on the qubits sent from Bob to Alice.Unfortunately, the protocol is vulnerable to a quantum version of a classic man- in-the- middle attack, which we will refer to as an EPR man-in-the-middle attack, conducted as follows:  Slide20

Ever since there’s been money, there’ve been people trying to counterfeit it

Previous work on the physics of money:

In his capacity as Master of the Mint, Isaac Newton added milled edges to English coins to make them harder to counterfeit

(Newton also personally oversaw hangings of counterfeiters)

Quantum MoneySlide21

Today:

Holograms, embedded strips, “microprinting,” special inks…

Leads to an arms race with no obvious winner

Problem: From a CS perspective, uncopyable cash seems impossible for trivial reasonsAny printing technology the good guys can build, bad guys can in principle build alsox  (x,x) is a polynomial-time operationSlide22

What’s done in practice:

Have a trusted third party authorize every transaction

OK, but sometimes you want

cash, and that seems impossible to secure, at least in classical physics…(BitCoin: “Trusted third party” is distributed over the Internet)Slide23

First Idea in the History of Quantum Info

Wiesner

1969:

Money that’s information-theoretically impossible to counterfeit, assuming quantum mechanicsEach banknote contains n qubits, secretly prepared in one of the 4 states |0,|1,|+,|-In a giant database, the bank remembers how it prepared every qubit on every banknote

Want to verify a banknote? Take it to the bank. Bank uses its knowledge to measure each qubit in the right basis:

OR

(Recent) Theorem:

A counterfeiter who doesn’t know the state can copy it with probability at most

(3/4)

n

Slide24

Drawbacks of

Wiesner’s

Scheme

Banknotes could decohere in microseconds in your wallet—the “Schrödinger’s money problem”! The reason why quantum money isn’t yet practical, in contrast to (say) quantum key distributionBank needs a big database describing every banknote Solution (Bennett et al. ‘82): Pseudorandom functionsOnly the bank knows how to verify the moneyScheme can be broken by interacting with the bankSlide25

Future Direction: Quantum Copy-Protection

Finally, a serious use for quantum computing

Goal:

Quantum state |f that lets you compute an unknown function f, but doesn’t let you efficiently create more states with which f can be computedSlide26

Quantum Cryptography Comes to Smart Phones

A smart phone can do pretty much anything a PC can. But, aside from password protection, phones have very little security—a real problem with more and more people using phones for online banking and shopping.

But researchers at Los Alamos National Lab hope quantum encryption can help. Quantum encryption typically requires a lot of processing power and covers only short distances. But Los Alamos says it's developed a

minitransmitter that encodes the encryption key on a single photon. They call it the QKarD transmitter, short for Quantum Smart Card. Any change in the photon’s quantum information reveals an attempted hack and cancels the transaction.Slide27

QKarD

faces a few challenges. You'd still need a password or some biometric security to make sure someone doesn't use your lost or stolen phone to make their own encrypted transactions. Also, Google's Wallet mobile payment service already uses encryption. It may not be as secure as quantum encryption, but many people may decide it’s good enough. 

One thing’s for sure: we're going to need more mobile gadget security to keep a step ahead of info-hungry hackers.Slide28

References

C

. H. Bennett, Phys. Rev.

Lett. 68, 3121 (1992).C. H. Bennett and G. Brassard, Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, Bangalore (New York, IEEE, 1984).arXiv:quant-ph/9904038v1arXiv:quant-ph/0206092v1arXiv:quant-ph/0305076v1M. A. Nielsen an d I.L.Chuang, Quantum Computation and Quantum Information, Cambridge University Press, UK, 2000.http://en.wikipedia.org/wiki/Quantum_key_distributionwww.scottaaronson.com/talks/money-hs.pptwww.scottaaronson.com/talks/qmoney-uw.ppthttp://www.scientificamerican.com/podcast/episode.cfm?id=quantum-cryptography-comes-to-smart-12-02-02