
Quantum Cryptography Chapter  in  Lecture Notes in Physics · January 1970 DOI: 10.1007/978-3-642-11914-9_9

All content following this page was uploaded by Dagmar Bruss on 24 November 2014.

Quantum cryptography

Dagmar Bruß, Institute for Theoretical Physics, University of Düsseldorf, Germany

Lecture 1: Classical cryptography and principles of quantum cryptography
Lecture 2: Quantum key distribution protocols and security analysis
Lecture 3: Recent developments in quantum key distribution

Quantum Statistical Physics and Quantum Information, Cergy-Pontoise, 21-22 April 2008

Quantum cryptography

I. Introduction
II. Classical cryptography
III. Quantum cryptography: BB84, Ekert protocol
IV. Other quantum cryptography protocols
V. General eavesdropping strategies, comparison of protocols
VI. Unconditional security (of BB84)
VII. Defence against PNS eavesdropping: recent developments
VIII. Secret key rate
IX. Role of entanglement in QKD


I. Introduction

cryptology = science of secure communication (Greek: “kryptos” = “hidden”; “logos” = “word”)

• cryptography (code-making)
• cryptanalysis (code-breaking)

Aim: secret or “secure” communication between sender Alice and receiver Bob, encoding/decoding via “key”

“Secure”: Eavesdropper Eve has no information on message/key

(figure: Alice (A) applies encryption key A to the plain text and sends the cipher text; Bob (B) applies decryption key B to the cipher text and recovers the plain text; Eve (E) eavesdrops)

Classical cryptography: Security relies on assumed difficulty to solve certain mathematical tasks

Quantum cryptography: Security relies on laws of physics

II. Classical cryptography

Examples for “simple” cryptographic techniques:

Transposition: re-ordering of message

MESSAGE → MSAEESG

Skytale, ca. 500 BC

Key:

P S K
H I E
Y S Y
S T T
I H O
C E U

Message: PHYSICS IS THE KEY TO U...

Substitution: replacement of letters in message

MESSAGE → NFTTBHF

Caesar cipher, ca. 50 BC

Key: A → B → C → ...

Insecure! correlations between letters preserved, frequency analysis

Classical cryptography: Vernam cipher

Vernam cipher (1926): add random secret key to message

plain text (message):                M  E  S  S  A  G  E
message $\{m_i\}$:                   13 05 19 19 01 07 05
random key $\{k_i\}$:              + 17 06 14 23 04 11 04
                                     --------------------
cipher text $\{c_i = m_i + k_i\}$:   04 11 07 16 05 16 09

Conditions:

• Key and message have equal length
• Key is used only once (“one-time-pad”), otherwise: get information about message (here: binary)

$$c_i^{(1)} = m_i^{(1)} + k_i$$
$$c_i^{(2)} = m_i^{(2)} + k_i$$
$$c_i^{(1)} + c_i^{(2)} = m_i^{(1)} + m_i^{(2)}$$

Secure! Perfect security $\iff p(m|c) = p(m)$

i.e. knowing ciphertext c yields no advantage for retrieval of message m

Problem: Key distribution?!? (one key for each message and every pair of parties needed)

Classical cryptography: Public key encryption

so far: symmetric cryptosystem, i.e. key A and key B are identical (or key B can be easily derived from key A)

Diffie and Hellman (1976): asymmetric cryptosystem, i.e. two distinct keys (public key for encryption, private key for decryption); advantage: only one private key per party needed

The idea:

• use one-way function, i.e. “easy” to compute, “difficult” to invert
• more precisely: trap-door function, i.e. with additional information “easy” to invert
• $k_{\text{public}}$ is announced, $k_{\text{private}}$ is secret

Rivest, Shamir, and Adleman (RSA, 1978): based on problem of factoring large integers (∈ NP)

• public key: $p_1 \cdot p_2$ (product of two large prime numbers)
• private key: $f(p_1, p_2)$

Problems:

• ∄ proof for security
• quantum computer makes prime factorization “easy” (Shor algorithm)

The RSA-algorithm

i) Choose two prime numbers $p_1$ and $p_2$, calculate product $N = p_1 \cdot p_2$
ii) Calculate Euler function $\phi(N) = (p_1 - 1) \cdot (p_2 - 1)$
iii) Choose $e$ with $1 < e < \phi(N)$ and $\gcd(e, N) = 1$
iv) Calculate $d$ such that $e \cdot d = 1 \pmod{\phi(N)}$

The keys:

Public key: $N$ and $e$
Private key: $d$

Encoding of message $M$: $C = M^e \bmod N$

Decoding of cipher text $C$: $M = C^d \bmod N$ (as $a^{ed} = a \bmod N$)

Example:

i) $p_1 = 11$, $p_2 = 13$ ⇝ $N = 143$
ii) $\phi(N) = 10 \cdot 12 = 120$
iii) choose $e = 23$, public key
iv) calculate $d = 47$ (Euclid’s algorithm), private key

Encoding: $C = M^{23} \bmod 143$, Decoding: $M = C^{47} \bmod 143$

III. Quantum cryptography
or better: Quantum key distribution

The idea: Use the laws of quantum mechanics to establish a random secret key (Vernam cipher)

Two types of protocols:

A. Non-orthogonal quantum states:

(figure: two states $|\psi\rangle$ and $|\phi\rangle$ separated by an angle $\varphi$)

• N-O states cannot be distinguished perfectly :-)
• N-O states cannot be cloned perfectly :-)
• single states (“prepare-and-measure”) :-)

B. Quantum entanglement:

(figure: A and B share the state $|\psi^-\rangle = |01\rangle - |10\rangle$)

• perfect entanglement means perfect correlations :-)
• interaction destroys entanglement :-)
• entanglement difficult to produce and store :-(

Quantum cryptography: BB84 protocol
C. Bennett and G. Brassard; Proc. IEEE Conf. on Comp. Syst. Signal Proc., 175 (1984)

Aim: secret random key for Alice and Bob, using four non-orthogonal quantum states

(figure: Alice and Bob connected by a quantum channel and a classical channel)

Conjugate bases (figure: photon polarization):

Basis +: $|0\rangle$, $|1\rangle$
Basis ×: $|0\rangle + |1\rangle$, $|0\rangle - |1\rangle$ (rotated by 45°)

The protocol:

0) Authentication: verify that Alice is Alice and Bob is Bob

i) A sends random string (2n):      ↑   ↗   ↗   →   ↖   ↑   →   ↖
ii) B measures in random basis:     →↑  →↑  ↖↗  →↑  ↖↗  ↖↗  →↑  →↑
                                    1   r   0   0   1   r   0   r

iii) Compare bases (class. info), keep matching cases: “sifted key”
iv) subset of sifted key: estimate error rate
v) classical error correction and privacy amplification

⇝ Alice and Bob have random secret key!

Some classical tools

Authentication: (check identity)

Share an initial secret key

Error correction: (remove errors)

Simple method: A chooses random pair of bits $a_1$ and $a_2$, tells Bob $(a_1 \oplus a_2)$, Bob compares with corresponding $(b_1 \oplus b_2)$

if agreement ⇝ both keep 1st bit
if no agreement ⇝ garbage

(figure: A and B each XOR their pair of bits; equal?)

Privacy amplification: (reduce Eve’s info)
C. Bennett et al; IEEE Trans. Inf. Theo. 41, 1915 (1995)

Simple method: A chooses random pair of bits $a_1$ and $a_2$, replaces pair with $(a_1 \oplus a_2)$, tells Bob position of pair, Bob replaces with corresponding $(b_1 \oplus b_2)$

⇝ key still error free, Eve loses info

(figure: A and B each replace their pair of bits by its XOR)
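The two "simple methods" above, run on constructed keys, as an added example that is not part of the original slides. It assumes independent bit flips on Bob's side and an Eve who either knows a bit exactly or not at all; the function names and the parameters `flip_prob` and `eve_prob` are hypothetical.

```python
import random

def random_pairs(n, rng):
    """Disjoint random pairs of key positions; Alice announces them publicly."""
    idx = list(range(n))
    rng.shuffle(idx)
    return [(idx[k], idx[k + 1]) for k in range(0, n - 1, 2)]

def error_correction_round(alice, bob, eve_knows, rng):
    """Compare pair parities; on agreement both keep the 1st bit, else drop the pair."""
    a_out, b_out, e_out = [], [], []
    for i, j in random_pairs(len(alice), rng):
        if (alice[i] ^ alice[j]) == (bob[i] ^ bob[j]):
            a_out.append(alice[i])
            b_out.append(bob[i])
            # The parity is public, so Eve learns the kept bit if she knew either bit.
            e_out.append(eve_knows[i] or eve_knows[j])
    return a_out, b_out, e_out

def privacy_amplification_round(alice, bob, eve_knows, rng):
    """Replace each pair by its XOR; Eve knows the result only if she knew both bits."""
    a_out, b_out, e_out = [], [], []
    for i, j in random_pairs(len(alice), rng):
        a_out.append(alice[i] ^ alice[j])
        b_out.append(bob[i] ^ bob[j])
        e_out.append(eve_knows[i] and eve_knows[j])
    return a_out, b_out, e_out

def error_rate(alice, bob):
    return sum(x != y for x, y in zip(alice, bob)) / len(alice)

def fraction_known(eve_knows):
    return sum(eve_knows) / len(eve_knows)

def snapshot(alice, bob, eve_knows):
    return {"length": len(alice),
            "error_rate": error_rate(alice, bob),
            "eve_fraction": fraction_known(eve_knows)}

def run_demo(n=40000, flip_prob=0.05, eve_prob=0.05, seed=7):
    """Constructed sifted key: Bob's copy has flips, Eve knows a random subset."""
    rng = random.Random(seed)
    alice = [rng.randint(0, 1) for _ in range(n)]
    bob = [bit ^ int(rng.random() < flip_prob) for bit in alice]
    eve = [rng.random() < eve_prob for _ in range(n)]
    report = {"start": snapshot(alice, bob, eve)}
    for _ in range(2):   # two rounds of parity comparison
        alice, bob, eve = error_correction_round(alice, bob, eve, rng)
    report["after_error_correction"] = snapshot(alice, bob, eve)
    for _ in range(2):   # two rounds of XOR compression
        alice, bob, eve = privacy_amplification_round(alice, bob, eve, rng)
    report["after_privacy_amplification"] = snapshot(alice, bob, eve)
    return report

if __name__ == "__main__":
    for stage, values in run_demo().items():
        print(stage, values)
```

The run shows the cost of each step: the announced parities raise the fraction of bits Eve knows during error correction, and privacy amplification then trades key length for a much smaller known fraction.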

A little detour: no-cloning theorem

Perfect cloning of an unknown quantum state is impossible.
W.K. Wootters and W.H. Zurek, Nature 299, 802 (1982)

Reason: Quantum mechanics is linear!

Time evolution:

$$|\psi(t)\rangle = U(t)\,|\psi(0)\rangle; \qquad U(t) = e^{-\frac{i}{\hbar}Ht}; \qquad U^\dagger U = \mathbb{1}$$

Action of copying transformation U on basis states:

$$U\,|0\rangle|i\rangle = |0\rangle|0\rangle, \qquad U\,|1\rangle|i\rangle = |1\rangle|1\rangle.$$

Action of U on unknown state, $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$, with $|\alpha|^2 + |\beta|^2 = 1$:

$$U\,|\psi\rangle|i\rangle = U(\alpha|0\rangle + \beta|1\rangle)|i\rangle = \alpha|0\rangle|0\rangle + \beta|1\rangle|1\rangle \neq |\psi\rangle|\psi\rangle$$

Consequences of the no-cloning theorem

The no-cloning theorem is a fundamental difference between classical and quantum information theory.

Good news: A spy cannot copy the quantum signal perfectly and send it on without disturbance ⇝ security of quantum cryptography.

Bad news: There is no simple error correction scheme and no back-up for a quantum computer.

The spy: Eve

Security: Eve has to obey no-cloning theorem!

• Most simple strategy of the spy Eve: “Intercept and resend”
• Eve has correct basis in n cases; n/2 cases: Bob has correct basis and Eve has wrong basis ⇝ Corruption of n/4 bits
• Discovery of Eve by comparison of subset of bits
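Steps i) to iv) of the BB84 protocol with and without the intercept-and-resend strategy, as an added simulation that is not part of the original slides. The function names and the abort threshold `abort_above` are hypothetical, the channel is assumed noiseless, and half of the sifted key is sacrificed for the check.

```python
import random

BASES = "+x"   # the two conjugate bases

def measure(bit, prepared_in, measured_in, rng):
    """Same basis: the encoded bit comes out. Conjugate basis: the outcome is random."""
    return bit if prepared_in == measured_in else rng.randint(0, 1)

def run_bb84(n_signals, eve_present, seed=0, abort_above=0.10):
    rng = random.Random(seed)
    alice_sifted, bob_sifted = [], []
    for _ in range(n_signals):
        # i) Alice sends a random bit in a random basis
        a_bit, a_basis = rng.randint(0, 1), rng.choice(BASES)
        bit, basis = a_bit, a_basis
        if eve_present:
            # Intercept and resend: Eve measures in a random basis and
            # forwards a fresh state prepared in that basis.
            e_basis = rng.choice(BASES)
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis
        # ii) Bob measures in a random basis
        b_basis = rng.choice(BASES)
        b_bit = measure(bit, basis, b_basis, rng)
        # iii) bases are compared over the classical channel; keep matching cases
        if a_basis == b_basis:
            alice_sifted.append(a_bit)
            bob_sifted.append(b_bit)
    # iv) a random half of the sifted key is disclosed to estimate the error rate
    order = list(range(len(alice_sifted)))
    rng.shuffle(order)
    half = len(order) // 2
    check, rest = order[:half], order[half:]
    estimate = sum(alice_sifted[i] != bob_sifted[i] for i in check) / half
    residual = sum(alice_sifted[i] != bob_sifted[i] for i in rest) / len(rest)
    return {"sifted_bits": len(alice_sifted),
            "estimated_error_rate": estimate,    # what Alice and Bob see
            "undisclosed_error_rate": residual,  # what is left in the remaining key
            "abort": estimate > abort_above}

if __name__ == "__main__":
    print("no Eve:  ", run_bb84(20000, eve_present=False))
    print("with Eve:", run_bb84(20000, eve_present=True))
```

With Eve present about a quarter of the sifted bits disagree, which is the n/4 corruption stated above, and the disclosed subset shows it.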

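Trade-off between information and disturbance

Eve wins information ↔ disturbs signal

Non-orthogonal states: (figure: $|0\rangle$, $|1\rangle$, $|\bar 0\rangle = |0\rangle + |1\rangle$, $|\bar 1\rangle = |0\rangle - |1\rangle$)

Interaction of Eve without disturbance:

$$U\,|0\rangle|E\rangle = |0\rangle|E_0\rangle$$
$$U\,|\bar 1\rangle|E\rangle = |\bar 1\rangle|E_{\bar 1}\rangle$$

Non-orthogonal states, unitarity:

$$\langle 0|\bar 1\rangle \langle E|E\rangle = \langle 0|\bar 1\rangle \langle E_0|E_{\bar 1}\rangle \;\leadsto\; \langle E_0|E_{\bar 1}\rangle = 1$$

⇝ $E_0$ and $E_{\bar 1}$ are identical, no information!

Interaction of Eve with disturbance:

$$U\,|0\rangle|E\rangle = |0'\rangle|E_0\rangle$$
$$U\,|\bar 1\rangle|E\rangle = |\bar 1'\rangle|E_{\bar 1}\rangle$$

Unitarity:

$$\langle 0|\bar 1\rangle \langle E|E\rangle = \langle 0'|\bar 1'\rangle \langle E_0|E_{\bar 1}\rangle$$

⇝ decreasing $\langle E_0|E_{\bar 1}\rangle$ means increasing $\langle 0'|\bar 1'\rangle$

maximal disturbance ⇝ maximal information für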

Quantum cryptography: Ekert protocol
A. Ekert; Phys. Rev. Lett. 67, 661 (1991)

Aim: secret random key for Alice and Bob, using entanglement

The protocol:

0) Authentication: verify that Alice is Alice and Bob is Bob

i) A and B share a singlet state (remember: invariant under rotation of bases!)

(figure: A and B share the state $|\psi^-\rangle = |01\rangle - |10\rangle$)

ii) A and B make measurements

(figure: Bloch sphere with measurement directions 1, 2, 3 for Alice and for Bob, angles π/4 between directions)

iii) Compare bases (class. info) and keep matching cases, i.e. 1 and 3: ⇝ “sifted key”
iv) other results: check for eavesdropper via Bell inequality
v) classical error correction and privacy amplification

⇝ Alice and Bob have random secret key!

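A little detour: the Bloch sphere

Decomposition of any $\varrho$ in Pauli matrices:

$$\varrho = \tfrac{1}{2}(\mathbb{1} + \vec s \cdot \vec\sigma)$$

with $\vec\sigma = \{\sigma_x, \sigma_y, \sigma_z\}$, and $\vec s \equiv$ Bloch vector

(figure: Bloch sphere with Bloch vector $\vec s$ and poles $|0\rangle$ and $|1\rangle$)

Reminder: pure state ⇔ $|\vec s| = 1$; mixed state ⇔ $|\vec s| < 1$

Orthogonal states: $\langle u|v\rangle = 0 \iff \varphi(\vec s_u, \vec s_v) = \pi$

Examples: i) BB84, ii) six state

(figure: Bloch spheres showing the BB84 states $|0\rangle, |1\rangle, |\bar 0\rangle, |\bar 1\rangle$ and the six states $|0\rangle, |1\rangle, |\bar 0\rangle, |\bar 1\rangle, |\bar{\bar 0}\rangle, |\bar{\bar 1}\rangle$)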

A little detour: Bell inequality

CHSH inequality: Clauser, Horne, Shimony, and Holt, Phys. Rev. Lett. 23, 880 (1969)

assume: a, b, c, d variables with values ±1 ⇝ $(a + c)b + (-a + c)d = \pm 2$

in each run: $(a_i + c_i)b_i + (-a_i + c_i)d_i = \pm 2$

average: ⇝ $|\langle (a + c)b + (-a + c)d \rangle| \le 2$

CHSH inequality:

$$S = |\langle ab\rangle + \langle bc\rangle + \langle cd\rangle - \langle da\rangle| \le 2$$

Quantum mechanics:

$$\langle ab\rangle = \mathrm{Tr}[(\vec\alpha \cdot \vec\sigma_A) \otimes (\vec\beta \cdot \vec\sigma_B)\,\varrho]$$

(figure: measurement directions α, β, γ, δ, neighbouring directions separated by π/4)

Singlet: $S = 2\sqrt{2} \ge 2$

Back to Ekert protocol:

$$|\langle a_1 b_3\rangle + \langle a_1 b_2\rangle + \langle a_2 b_3\rangle - \langle a_2 b_2\rangle| = 2\sqrt{2}\ ?$$

• violation of Bell inequality ⇝ existence of entanglement
• no violation of Bell inequality: possibility of eavesdropper
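The CHSH value evaluated from the trace formula above, as an added example that is not part of the original slides. It assumes the normalised singlet, directions in the x-z plane at angles 0, π/4, π/2, 3π/4 for α, β, γ, δ, and, for comparison, a constructed state: the singlet after an eavesdropper has measured one qubit in the z basis.

```python
import math

SIGMA_X = [[0, 1], [1, 0]]
SIGMA_Z = [[1, 0], [0, -1]]

def spin(theta):
    """Observable cos(theta)*sigma_z + sin(theta)*sigma_x (direction in the x-z plane)."""
    c, s = math.cos(theta), math.sin(theta)
    return [[c * SIGMA_Z[i][j] + s * SIGMA_X[i][j] for j in range(2)] for i in range(2)]

def kron(a, b):
    """Tensor product of two 2x2 matrices, basis order |00>, |01>, |10>, |11>."""
    return [[a[i // 2][j // 2] * b[i % 2][j % 2] for j in range(4)] for i in range(4)]

def correlation(rho, alice_angle, bob_angle):
    """<ab> = Tr[(alpha.sigma_A) (x) (beta.sigma_B) rho]."""
    m = kron(spin(alice_angle), spin(bob_angle))
    return sum(m[i][k] * rho[k][i] for i in range(4) for k in range(4))

def projector(vec):
    return [[vec[i] * vec[j] for j in range(4)] for i in range(4)]

def mix(p, rho1, rho2):
    return [[p * rho1[i][j] + (1 - p) * rho2[i][j] for j in range(4)] for i in range(4)]

R = 1 / math.sqrt(2)
SINGLET = projector([0, R, -R, 0])          # (|01> - |10>)/sqrt(2)
# Constructed comparison state: equal mixture of |01> and |10>, which is what
# remains of the singlet after one qubit has been measured in the z basis.
MEASURED = mix(0.5, projector([0, 1, 0, 0]), projector([0, 0, 1, 0]))

# Alice uses the directions alpha and gamma (variables a, c),
# Bob uses beta and delta (variables b, d).
ALPHA, BETA, GAMMA, DELTA = 0.0, math.pi / 4, math.pi / 2, 3 * math.pi / 4

def chsh(rho):
    """S = |<ab> + <bc> + <cd> - <da>|."""
    ab = correlation(rho, ALPHA, BETA)
    bc = correlation(rho, GAMMA, BETA)
    cd = correlation(rho, GAMMA, DELTA)
    da = correlation(rho, ALPHA, DELTA)
    return abs(ab + bc + cd - da)

if __name__ == "__main__":
    print("singlet:          S =", round(chsh(SINGLET), 6))
    print("after z-measure:  S =", round(chsh(MEASURED), 6))
```

The singlet reaches 2√2, while the measured state stays below 2, which is the signature Alice and Bob look for in step iv) of the Ekert protocol.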

Summary of Lecture 1

• Classical cryptography: asymmetric methods (e.g. RSA)
• Quantum cryptography ≡ quantum key distribution (Vernam cipher, random secret key)
• BB84 protocol: use non-orthogonal quantum states
• No-cloning theorem of quantum mechanics gives security
• Ekert protocol: use entangled quantum state, test for entanglement via Bell inequality

IV. Other quantum cryptography protocols: B92
C. Bennett; Phys. Rev. Lett. 68, 1581 (1992)

Aim: secret random key for Alice and Bob, using two non-orthogonal quantum states

(figure: two states $|u\rangle$ and $|v\rangle$ separated by an angle $\varphi$)

The protocol:

0) Authentication: verify that Alice is Alice and Bob is Bob

i) A sends random string of $|u\rangle$ and $|v\rangle$

ii) B measures POVM: $M = \{E_{\neg u}, E_{\neg v}, E_?\}$

$$E_{\neg u} = (\mathbb{1} - |u\rangle\langle u|)/(1 + \langle u|v\rangle)$$
$$E_{\neg v} = (\mathbb{1} - |v\rangle\langle v|)/(1 + \langle u|v\rangle)$$
$$E_? = \mathbb{1} - E_{\neg u} - E_{\neg v}$$

iii) throw away inconclusive cases: ⇝ “sifted key”
iv) subset of sifted key: estimate error rate
v) classical error correction and privacy amplification

⇝ Alice and Bob have random secret key!

The six-state protocol
D. Bruß, Phys. Rev. Lett. 81, 3018 (1998); H. Bechmann-Pasquinucci and N. Gisin, Phys. Rev. A 59, 4238 (1999)

Aim: secret random key for Alice and Bob, using six non-orthogonal quantum states

The bases:

(figure: Alice’s states $|0\rangle$, $|1\rangle$ in each of the three bases and Bob’s measurements along the axes x, y, z)

The protocol:

0) Authentication: verify that Alice is Alice and Bob is Bob

i) A sends random string (3n):      $|0_x\rangle$  $|1_z\rangle$  $|1_y\rangle$  $|0_y\rangle$  $|1_z\rangle$  $|0_x\rangle$  $|0_y\rangle$  $|0_z\rangle$
ii) B measures in random basis:     $\sigma_x$  $\sigma_z$  $\sigma_x$  $\sigma_z$  $\sigma_z$  $\sigma_y$  $\sigma_y$  $\sigma_x$
iii) Compare bases (class. info), keep matching cases:   0  1  r  r  1  r  0  r

⇝ “sifted key”

iv) subset of sifted key: estimate error rate
v) classical error correction and privacy amplification

⇝ Alice and Bob have random secret key!

QKD protocols with higher-dimensional quantum states
H. Bechmann-Pasquinucci and W. Tittel, Phys. Rev. A 61, 062308 (2000); D. Bruß and C. Macchiavello, Phys. Rev. Lett. 88, 127901 (2002); N. Cerf, M. Bourennane, A. Karlsson, and N. Gisin, Phys. Rev. Lett. 88, 127902 (2002)

Aim: secret random key for Alice and Bob, using d-dimensional non-orthogonal quantum states

The bases: number of bases m between 2 (BB84-like) and d + 1 (tomographically complete)

The protocol:

0) Authentication: verify that Alice is Alice and Bob is Bob

i) A sends random string of qudits, $\in \{|0\rangle_i, |1\rangle_i, ..., |d-1\rangle_i\}$, $i = 1, ..., m$
ii) B measures in random basis (generators of $SU(d)$)
iii) Compare bases (class. info), keep matching cases: ⇝ “sifted key”
iv) subset of sifted key: estimate error rate
v) classical error correction and privacy amplification

⇝ Alice and Bob have random secret key!

V. General eavesdropping strategies, comparison of protocols

Possible eavesdropping strategies:

(figure: three panels, each with source A, detector B and Eve's detector(s) E: Individual attack, Collective attack, Coherent attack)

Eavesdropping

Eve’s most general strategy (individual attack, qubits):

$$U\,|0\rangle|E\rangle = \sqrt{F}\,|0\rangle|A\rangle + \sqrt{1-F}\,|1\rangle|B\rangle$$
$$U\,|1\rangle|E\rangle = \sqrt{F}\,|1\rangle|C\rangle + \sqrt{1-F}\,|0\rangle|D\rangle$$

Constraint: Symmetry, equal fidelity for input states $|\psi_i\rangle$, i.e. $F = \langle\psi_i|\varrho_{Bob}|\psi_i\rangle$, disturbance $D = 1 - F$

Mutual information:

$$I(X;Y) = H(X) + H(Y) - H(X,Y)$$

Maximal mutual information:

$$I^{AB} = 1 + D\log D + (1-D)\log(1-D)$$
$$I^{AE} = \tfrac{1}{2}(1+z)\log(1+z) + \tfrac{1}{2}(1-z)\log(1-z) \quad\text{with}\quad z = 2\sqrt{D(1-D)}$$

(figure: mutual information versus D, for D from 0 to 0.5; curves $I^{AB}$ and $I^{AE}$ for BB84)

Csiszár-Körner theorem: I. Csiszár and J. Körner, IEEE-IT 24, 339 (1978)

$I^{AB} > I^{AE}$ ⇒ can extract secret key (up to critical D)

The six-state protocol: mutual info analysis
D. Bruß, Phys. Rev. Lett. 81, 3018 (1998); H. Bechmann-Pasquinucci and N. Gisin, Phys. Rev. A 59, 4238 (1999)

This protocol allows Eve less information than BB84!

Constraint: Transformation symmetrical for all three bases

Maximal mutual information:

$$I^{AB} = 1 + D\log D + (1-D)\log(1-D); \qquad D = 1 - F$$
$$I^{AE} = 1 + (1-D)\,\{f(D)\log f(D) + (1 - f(D))\log(1 - f(D))\}$$

with

$$f(D) = \tfrac{1}{2}\left[1 + \tfrac{1}{1-D}\sqrt{D(2-3D)}\right]$$

(figure: mutual information versus D, for D from 0 to 0.5; curves $I^{AB}$, $I^{AE}$ for six-states and $I^{AE}$ for BB84)
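The critical disturbance, i.e. the D at which the curves $I^{AB}$ and $I^{AE}$ cross, computed for BB84 and for the six-state protocol from the formulas above; this is an added example, not part of the original slides. It assumes logarithms to base 2, and the function names and the bisection interval are hypothetical.

```python
import math

def xlog2(x):
    """x * log2(x), with the limit 0 at x = 0 (also absorbs tiny negative rounding)."""
    return x * math.log2(x) if x > 0.0 else 0.0

def i_ab(d):
    """I^AB = 1 + D log D + (1 - D) log(1 - D), same for both protocols."""
    return 1.0 + xlog2(d) + xlog2(1.0 - d)

def i_ae_bb84(d):
    """I^AE for BB84 with z = 2 sqrt(D (1 - D))."""
    z = 2.0 * math.sqrt(d * (1.0 - d))
    return 0.5 * xlog2(1.0 + z) + 0.5 * xlog2(1.0 - z)

def i_ae_six_state(d):
    """I^AE for the six-state protocol with f(D) = [1 + sqrt(D (2 - 3D)) / (1 - D)] / 2."""
    f = 0.5 * (1.0 + math.sqrt(d * (2.0 - 3.0 * d)) / (1.0 - d))
    return 1.0 + (1.0 - d) * (xlog2(f) + xlog2(1.0 - f))

def critical_disturbance(i_ae, lo=0.01, hi=0.4, tol=1e-10):
    """Bisection for the D at which I^AB(D) = I^AE(D)."""
    def gap(d):
        return i_ab(d) - i_ae(d)
    if not (gap(lo) > 0.0 > gap(hi)):
        raise ValueError("curves do not cross inside [lo, hi]")
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if gap(mid) > 0.0:
            lo = mid      # Alice and Bob are still ahead of Eve
        else:
            hi = mid
    return 0.5 * (lo + hi)

def table(step=0.05):
    """Rows (D, I^AB, I^AE BB84, I^AE six-state) for D = step, 2*step, ..., 0.5."""
    rows = []
    for k in range(1, int(round(0.5 / step)) + 1):
        d = k * step
        rows.append((d, i_ab(d), i_ae_bb84(d), i_ae_six_state(d)))
    return rows

if __name__ == "__main__":
    for d, ab, ae4, ae6 in table():
        print(f"D={d:.2f}  I_AB={ab:.4f}  I_AE(BB84)={ae4:.4f}  I_AE(six)={ae6:.4f}")
    print("critical D, BB84:     ", round(critical_disturbance(i_ae_bb84), 4))
    print("critical D, six-state:", round(critical_disturbance(i_ae_six_state), 4))
```

Below the critical D the Csiszár-Körner condition $I^{AB} > I^{AE}$ holds; the six-state value lies above the BB84 value, so the six-state protocol tolerates more disturbance under this class of attacks.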

Higher-dim. protocols: mutual info analysis
D. Bruß and C. Macchiavello, Phys. Rev. Lett. 88, 127901 (2002)

Higher dimensions allow Eve less information than qubits!

Protocol: Generalisation of six-state protocol to d dimensions, i.e. use d + 1 mutually unbiased bases

“Mutually unbiased bases”: let $|e_i^{(b)}\rangle$ be vector i of basis b; then $\langle e_i^{(b)}|e_j^{(c)}\rangle = 1/\sqrt{d}$ for $b \neq c$; known to exist only for d = power of prime

Constraint: Transformation symmetrical for all bases

Maximal mutual information:

$$I^{AB} = 1 + D\log_d\frac{D}{d-1} + (1-D)\log_d(1-D); \qquad D = 1 - F$$
$$I^{AE,d} = 1 + (1-D)\left[f_d(D)\log_d f_d(D) + (1 - f_d(D))\log_d\frac{1 - f_d(D)}{d-1}\right],$$

with

$$f_d(D) = \frac{d - 2D + \sqrt{(d-2D)^2 - d^2(1-2D)^2}}{d^2(1-D)}$$

(figure, left panel: I3(AB), I3(AE), I2(AB), I2(AE) versus D, for D from 0 to 0.7; right panel: I versus d, for d from 2 to 10, at fixed disturbance D = 0.1)

Eavesdropping versus cloning strategies

Note:

• So far: optimal eavesdropping strategies coincide with optimal quantum cloning strategies (apart from B92)
• But: different figure of merit used (mutual info for crypto; fidelity for cloning)
• General proof for equivalence/non-equivalence missing ⇝ Open problem

Coherent attacks

I. Cirac and N. Gisin, Phys. Lett. A 229, 1 (1997): Coherent eavesdropping for BB84

H. Bechmann-Pasquinucci and N. Gisin, Phys. Rev. A 59, 4238 (1999): Coherent eavesdropping for six-state protocol

⇝ Coherent eavesdropping does not increase Eve’s Shannon information, but probability of Eve to guess key

⇝ see recent work by König and Renner on Quantum de Finetti theorem

VI. Unconditional security (of BB84)

P. Shor and J. Preskill, Phys. Rev. Lett. 85, 441 (2000)

“Unconditional”: security under any attack allowed by laws of quantum mechanics

“Security”: Eve has “no significant” info about key; i.e. probability that A and B agree on key about which Eve has more than exp. small info is exp. small

Idea of proof: Relate security of BB84 to entanglement purification and quantum error correcting codes (CSS-codes)

Outline:

i) entanglement-based version of BB84
ii) CSS-codes
iii) security of ent-based version of BB84
iv) equivalence of ent-based and prepare+measure scheme for BB84

Unconditional security (of BB84)

i) Ent-based version of BB84:

Aim: create number m of shared perfect Bell states,

$$|\phi^+\rangle^{\otimes m}_{AB} = |\phi^+\rangle_{AB} \otimes \cdots \otimes |\phi^+\rangle_{AB}$$

with $|\phi^+\rangle = \frac{1}{\sqrt 2}(|00\rangle + |11\rangle) = \frac{1}{\sqrt 2}(|\bar 0\bar 0\rangle + |\bar 1\bar 1\rangle)$

where $|\bar 0\rangle = \frac{1}{\sqrt 2}(|0\rangle + |1\rangle)$, $|\bar 1\rangle = \frac{1}{\sqrt 2}(|0\rangle - |1\rangle)$

⇝ perfect correlation for measurement in same basis

Method: Alice creates 2n Bell states, sends subsystems to Bob; use half of pairs for a check (estimate error rate); other half: correct errors with CSS code

Trick: Alice sends half of Bob’s subsystems in basis +, half in basis × (⇝ prevent eavesdropping)

A little detour: (quantum) error correction

Classical error correction:

• linear $[n, k]$ code C is set of codewords (encoding k bits of info), each code word is binary vector of length n
• $(n \times k)$-dim generator matrix G: message $x \to y = Gx$
• $((n - k) \times n)$-dim parity check matrix H: $Hy = 0$ for all code words y
• $y = Gx$, error e ⇝ $y' = y + e$
• $Hy' = Hy + He = He$: error syndrome
• information in error syndrome ⇝ correct error
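The syndrome relation $Hy' = He$ on a concrete code, as an added example that is not part of the original slides. The slides name no particular code; the [7, 4] Hamming code in systematic form is chosen here as an assumption, with G and H written in the conventions above (y = Gx with a 7 × 4 matrix G, Hy = 0 with a 3 × 7 matrix H).

```python
# Generator matrix G (n x k = 7 x 4): message bits followed by three parity bits.
G = [
    [1, 0, 0, 0],
    [0, 1, 0, 0],
    [0, 0, 1, 0],
    [0, 0, 0, 1],
    [1, 1, 0, 1],
    [1, 0, 1, 1],
    [0, 1, 1, 1],
]

# Parity check matrix H ((n - k) x n = 3 x 7): H G = 0 (mod 2).
H = [
    [1, 1, 0, 1, 1, 0, 0],
    [1, 0, 1, 1, 0, 1, 0],
    [0, 1, 1, 1, 0, 0, 1],
]

def matvec(matrix, vector):
    """Matrix times column vector over GF(2)."""
    return [sum(m * v for m, v in zip(row, vector)) % 2 for row in matrix]

def encode(message):
    """x -> y = G x"""
    return matvec(G, message)

def syndrome(word):
    """H y'; zero for every code word, equal to H e for y' = y + e."""
    return matvec(H, word)

def add(u, v):
    return [(a + b) % 2 for a, b in zip(u, v)]

def correct(word):
    """Correct a single bit flip: the syndrome equals the column of H at the error position."""
    s = syndrome(word)
    if not any(s):
        return list(word)
    columns = [[row[j] for row in H] for j in range(len(word))]
    position = columns.index(s)   # all columns of H are distinct and non-zero
    fixed = list(word)
    fixed[position] ^= 1
    return fixed

def decode(word):
    """The code is systematic, so the message is the first k = 4 bits of the corrected word."""
    return correct(word)[:4]

if __name__ == "__main__":
    x = [1, 0, 1, 1]                       # constructed message
    y = encode(x)
    e = [0, 0, 1, 0, 0, 0, 0]              # constructed single-bit error
    y_err = add(y, e)
    print("code word     ", y, "syndrome", syndrome(y))
    print("received word ", y_err, "syndrome", syndrome(y_err))
    print("syndrome of e ", syndrome(e))
    print("decoded       ", decode(y_err))
```

The syndrome depends only on the error, not on the transmitted code word, which is why the same measurement idea carries over to the quantum codes that follow.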

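Quantum errors:

bit flip: $\sigma_x = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}$

phase error: $\sigma_z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}$

combined phase-bit-error: $\sigma_y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}$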

ii) quantum CSS codes:
Calderbank and Shor, Phys. Rev. A 54, 1098 (1996); A. Steane, Proc. Roy. Soc. Lond. A 452, 2551 (1996).

constructed from binary $[n, k_1]$ code $C_1$ and $[n, k_2]$ code $C_2$ with $C_2 \subset C_1$, suppose $C_1$ and $C_2^\perp$ can correct ℓ errors:

• code words (from $x \in C_1$):

$$|x + C_2\rangle := \frac{1}{\sqrt{|C_2|}} \sum_{y \in C_2} |x + y\rangle$$

• if $x - x' \in C_2$ then $|x + C_2\rangle = |x' + C_2\rangle$, otherwise (different cosets): code words are orthogonal
• number of cosets of $C_2$ in $C_1$ is $|C_1|/|C_2|$ ⇝ $m = k_1 - k_2$ qubits can be encoded
• error correction: define $\sigma_\alpha^{s} = \sigma_\alpha^{s_1} \otimes \sigma_\alpha^{s_2} \otimes \cdots \otimes \sigma_\alpha^{s_n}$ where $\alpha \in \{x, z\}$, and $\sigma_\alpha^{0} = \mathbb{1}$, $s = (s_1, s_2, ..., s_n)$ n-bit vector
  * measure $\sigma_z^{s}$ for each row vector s of $H_1$ (parity check matrix for $C_1$) ⇝ syndrome for bit flips
  * measure $\sigma_x^{s}$ for each row vector s of $H_2$ (parity check matrix for $C_2^\perp$) ⇝ syndrome for phase flips
• important property: error correction for phase errors decoupled from bit flips!

A little detour: Cosets

Let G and H be two groups with $G \subset H$.

Coset of G in H, determined by h, is

$$h + G = \{h + g \mid g \in G\}$$

Example: additive cyclic group $H = \{0, 1, 2, 3\} = \mathbb{Z}_4$, subgroup $G = \{0, 2\}$

Cosets of G in H:

$0 + G = \{0, 2\} = G$
$1 + G = \{1, 3\}$
$2 + G = \{2, 0\} = G$
$3 + G = \{3, 1\}$

⇝ two distinct cosets, G itself, and 1 + G = 3 + G. The two different cosets of G in H partition H

Ent-based version of BB84:

1. Alice creates 2n qubit pairs in state $|\phi^+\rangle^{\otimes 2n}$.
2. Alice randomly selects n pairs, will serve as check qubits.
3. Alice selects random 2n bit string b and applies the Hadamard transformation to her half of each qubit pair whenever b is “1.”
4. Alice sends other half of all qubit pairs to Bob.
5. Alice announces b and which pairs will serve as check qubits.
6. Bob performs Hadamard on those of his qubits where b is “1.”
7. Alice and Bob measure check qubits in the $\{|0\rangle, |1\rangle\}$ basis to estimate error rate. If more than ℓ results differ, they abort protocol.
8. Remaining qubits: Alice and Bob measure the syndromes for the codes $C_1$ and $C_2$, correct errors, and obtain $|\phi^+\rangle^{\otimes m}$.
9. They measure $|\phi^+\rangle^{\otimes m}$ in the $\{|0\rangle, |1\rangle\}$ basis to obtain a shared secret key.

iii) Security of ent-based version of BB84:

a) “Eve gets exponentially small information”:
H.-K. Lo and H. F. Chau, Science 283, 2050 (1999)

If for $|\psi\rangle = |\phi^+\rangle^{\otimes m}$

$$F = \langle\psi|\varrho|\psi\rangle \ge 1 - 2^{-s}$$

then extractable mutual information of Eve is

$$S(\rho) \le (2m + s + 1/\ln 2)\,2^{-s} + O(2^{-2s})$$

b) “Check bits are representative for real errors”:
M. Nielsen and I. Chuang, Quantum Computation and Quantum Information, Cambridge University Press (2000)

Random n-bit check string from 2n-string: for any real positive constants δ and ε, the probability of finding less than δn errors on check bits, but more than (δ + ε)n errors on remaining bits is smaller than $e^{-O(\epsilon^2 n)}$, for sufficiently large n.

iv) Equivalence of ent-based and prepare+measure scheme for BB84:

1. Alice creates random key k and does CSS encoding into n qubits.
2. Alice randomly selects n positions (out of 2n) as check qubits and the remaining n positions are the code qubits.
3. Alice selects a random 2n bit string b and applies Hadamard to qubit when b is “1.”
4. She sends the resulting state to Bob.
5. Alice announces b, and position and values of check qubits.
6. Bob performs Hadamard on qubit when b is “1.”
7. Bob measures the check qubits in $\{|0\rangle, |1\rangle\}$ basis. If more than ℓ results disagree with Alice’s prepared state, they abort protocol.
8. Bob decodes the key qubits, gets key k.

Remark: Instead of Hadamard, Alice can send at random one of four BB84 states 4n times, Bob measures in random basis, they keep only cases of identical bases.

Summary of Lecture 2

• Other QKD protocols: B92, six-state, higher dimensions
• Eavesdropping strategies (individual, collective, coherent)
• Comparison of protocols: using more degrees of freedom decreases Eve’s mutual information
• Unconditional security proof for BB84 (Shor-Preskill): relation to entanglement purification and CSS codes for quantum error correction
• Equivalence of entanglement-based and prepare+measure BB84 protocol

VII. Defence against PNS eavesdropping: recent developments

Implementations:

Experiment (theoretical): single polarized photons

Reality: single photon sources do not exist, use weak laser pulse (each pulse contains typically ν = 0.1 photons: no photon: ∼ 90%; one photon: ∼ 10%; more than one photon: ∼ 1%)

Poisson distribution:

$$p(n) = \nu^n e^{-\nu}/n!$$

(figure: prob p(n) versus no. of photons n, for n from 0 to 4)

Danger: Photon number splitting (PNS) attack of Eve!!! No unconditional security!!!

PNS attack: (Eve replaces lossy channel by ideal channel) non-demolition measurement ⇝ photon number

• multi-photon events: split off one photon, get full information (no noise)
• one-photon event: block fraction to correct statistics, eavesdrop on others (introduce noise)
• vacuum events: forward

⇝ need new ideas!

New ideas for defence against PNS attack:

• Decoy states: prepare additional states to detect eavesdropping (different ν)
• SARG: modify classical sifting

Decoy states:
W.Y. Hwang, Phys. Rev. Lett. 91, 057901 (2003); H.-K. Lo, X. Ma, and K. Chen, Phys. Rev. Lett. 94, 23054 (2005)

• introduce decoy signals at random, differ only in photon number distribution, i.e. ν, not in wavelength etc.
• check loss of decoy pulses (abort if necessary)
• estimate loss of signal pulses, improve key generation rate

(figure: key generation rate, from $10^{-7}$ to $10^{-2}$, versus transmission distance [km], from 0 to 160, for GYS; curves: GLLP without decoy states, GLLP+Decoy)

from: H.-K. Lo, X. Ma, and K. Chen, Phys. Rev. Lett. 94, 23054 (2005)

Note: GLLP refers to D. Gottesman, H.-K. Lo, N. Lütkenhaus, and J. Preskill, QIC 4, 325 (2004)

SARG:
V. Scarani, A. Acín, G. Ribordy, and N. Gisin, Phys. Rev. Lett. 92, 057901 (2004)

• New public announcement: two “neighbouring” signal states instead of polarization basis; signal set: {signal, random state of other basis}
• Example: A sends $|0\rangle$, announces $\{|0\rangle, |+\rangle\}$
• Bob: random measurement basis, if {0, 1}: inconclusive; if {+, −} and finds $|-\rangle$: sure that signal is $|0\rangle$
• efficiency: after sifting only 1/4 of raw key (1/2 for BB84)
• security: multi-photon events do not give Eve full info

(figure: $I_{Eve}$ [bits/pulse], from 0 to 1, versus attenuation [dB], from 0 to 30; curves: BB84 and new 4-states protocol, with critical attenuations $\delta_c$ marked)

from: V. Scarani, A. Acín, G. Ribordy, and N. Gisin, Phys. Rev. Lett. 92, 057901 (2004)

Note: attenuation $\delta = \alpha\ell$, $\alpha = 0.25$ dB/km, fiber losses $\eta_\delta = 10^{-\delta/10}$, detection rate of Bob:

$$R_{raw}(\delta) \simeq \eta_{det}\,\eta_\delta\,\nu$$

VIII. Secret key rate

Remember QKD:

i) 1st phase: Effective bipartite quantum state shared:

$$|\psi_{eff}\rangle_{AB} = \sum_i \sqrt{p_i}\,|i\rangle_A |\varphi_i\rangle_B$$

Measurement in basis $\{|i\rangle\}$ ⇝ effective preparation of $|\varphi_i\rangle$ with prob. $p_i$ ⇝ joint classical probability distribution $P(A, B)$

ii) 2nd phase: classical processing of correlated data, key distillation

Eavesdropping:

• Eve does most general interaction: total state $|\psi_{ABE}\rangle$, any measurement ⇝ extension: $P(A, B) \to P(A, B, E)$
• Mutual information between A and B, given E:

$$I(A;B|E) = \sum_{e \in E} p_e\,[H(A|e) + H(B|e) - H(A,B|e)]$$

with conditional Shannon entropy

$$H(X|e) = -\sum_{x \in X} p(x|e)\log p(x|e)$$

Intrinsic information and bound for secret key rate
U. Maurer and S. Wolf, IEEE Trans. Inf. Theory 45, 499 (1999)

Def. Intrinsic information:

$$I(A;B \downarrow E) = \inf_{E \to \tilde E} I(A;B|\tilde E)$$

Def. Secret key rate: $S(A;B\|E)$

Maximal amount of secret key bits extractable asymptotically from $P(A, B, E)$; classical analogue of distillable entanglement $E_d$

Def. Information of formation: $I_{form}(A;B|E)$

Minimal number of secret key bits needed to create $P(A, B)$, classical analogue of entanglement cost $E_c$

Upper bound for secret key rate:

$$S(A;B\|E) \le I(A;B \downarrow E) \le I_{form}(A;B|E)$$

IX. Role of entanglement in QKD

Entanglement as precondition for secure key
M. Curty, M. Lewenstein, and N. Lütkenhaus, Phys. Rev. Lett. 92, 217903 (2004)

Theorem: Given measurements $M_a$ and $M_b$ and probability distribution $P(A, B)$. Then the correlations in $P(A, B)$ cannot lead to secret key unless one can prove the presence of entanglement in the (effective) distributed state via an entanglement witness $W = \sum_{a,b} c_{ab}\, M_a \otimes M_b$, i.e. $\mathrm{Tr}(W\sigma) \ge 0$ for all separable σ and $\sum_{a,b} c_{ab} P(a, b) < 0$.

Proof: Construct witnesses for QKD protocols (BB84, 6-state)

Equivalence of quantum entanglement and secret bits ($I_{form} \neq 0$)
A. Acín and N. Gisin, Phys. Rev. Lett. 94, 020501 (2005)

Theorem: Let $P(A, B)$ be probability distribution of A and B after measuring $M_a$ and $M_b$. Then $P(A, B)$ has to originate from an entangled state $\varrho_{AB}$ ⟺ for all $|\psi_{ABE}\rangle$, compatible with $P(A, B)$, and all measurements $M_e$ for Eve, $P(A, B, E)$ contains secret correlations.

Proof: Entanglement witnesses.

Secure key from bound entanglement (1)
K., M., P. Horodecki, and J. Oppenheim, Phys. Rev. Lett. 94, 160502 (2005)

Bound entanglement: entanglement without distillability

Introduction of private states: produce one bit of secure key (equivalent of singlet for key distillation)

Theorem: A state is private ⇔ it is of form

$$\gamma_m = U\,|\phi^+_{2^m}\rangle_{AB}\langle\phi^+_{2^m}| \otimes \varrho_{A'B'}\,U^\dagger$$

with $|\phi^+_d\rangle = \sum_{i=1}^{d} |ii\rangle$, and $\varrho_{A'B'}$ arbitrary, and “twisting” unitary

$$U = \sum_{i,j=1}^{2^m} |ij\rangle_{AB}\langle ij| \otimes U_{ij}^{AB}$$

Proof: ask Paweł

Example for $\gamma_1$-state:

$$\varrho = p\,|\phi^+\rangle\langle\phi^+| \otimes \varrho_+ + (1 - p)\,|\phi^-\rangle\langle\phi^-| \otimes \varrho_-$$

with $|\phi^\pm\rangle = \frac{1}{\sqrt 2}(|00\rangle \pm |11\rangle)$ and $\varrho_\pm$ orthogonal

Surprisingly: for $p = \frac{1}{2}(1 + 1/d)$, and $\varrho_\pm$ symmetric/antisymmetric projectors: $E_D \le \log[(d + 1)/d]$ ⇝ for $d \to \infty$ we have $K_D \gg E_D$!

Secure key from bound entanglement (2)
K., M., P. Horodecki, and J. Oppenheim, Phys. Rev. Lett. 94, 160502 (2005)

Result: Let $\varrho_\pm$ be certain “hiding” states (arbitrarily indistinguishable by LOCC, arbitrarily orthogonal), and introduce some errors ⇝ certain bound entangled state, from which one secure bit can be extracted!

Bounds on $K_D$:

$$E_D \le K_D \le E_r^\infty \le E_c$$

with regularized relative entropy of entanglement

$$E_r^\infty(\varrho) = \lim_{n \to \infty} E_r(\varrho^{n})/n$$

Possible strict inequalities:

$$E_D < K_D < E_c, \qquad E_D < E_r^\infty$$

The moral: Secret key distillation (Classical Information Theory) ↔ entanglement distillation (Quantum Information theory)

Summary of Lecture 3

• Implementations: Photon number splitting attack
• New ideas: decoy state, SARG
• Secret key rate: number of secret bits that can be distilled
• Entanglement ⇔ secret bits in $P(A, B, E)$
• Secret key from bound entanglement

Quantum Information Theory in Düsseldorf

Institut für Theoretische Physik III, Universität Düsseldorf, Germany

DB (Coach), Hermann Kampermann, Razmik Unanyan [→ KL] (Postdocs), Matthias Kleinmann, Tim Meyer [→ Industry], Zahra Shadman (PhD students)

Postdoc and PhD position available!!!

What was it all about???

• Quantum key distribution is secure, due to laws of quantum mechanics
• Protocols: BB84 and Ekert, plus derivatives of them (more non-orthogonal states, higher dimensions)
• Unconditional security proofs exist
• Photon number splitting attack as danger for implementations, ⇝ defense via new protocols
• Entanglement and secret key rate
• Note: exist other quantum cryptographic tasks, such as quantum bit commitment

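(figure: Alice (A) applies encryption key A to the plain text and sends the cipher text; Bob (B) applies decryption key B to the cipher text and recovers the plain text; Eve (E) eavesdrops)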

Some selected literature
