Quantum Cryptography Cryptography Quantum Key Distribution
Main Point Cryptography Quantum Key Distribution BB84 continuous Security Attack model Information
Introduction What is Cryptography? Cryptography is the art of rendering a message unintelligible to any unauthorized party dkssudgktpdy 안녕하세요 (Korean) It is part of the broader field of cryptology, which also includes cryptoanalysis, the art of code breaking
Introduction Why do we need cryptography? Suppose Mark want to send a secret message to his girl friend over an insecure channel! Insecure secure
Cryptography Key : What’s key? Encryption : combine a message with some additional information - known as the “key” – and produce a cryptogram. Decryption : combine a cryptogram with some additional information - known as the “key” – and produce a message.
Cryptography RSA(Ronald Rivest, Adi Shamir,Leonard Adleman) If Bob wants to be able to receive messages encrypted with a public key cryptosystem, he must first choose a "private" key, which he keeps secret. Then, he computes from this private key a "public" key, which he discloses to any interested party. Alice uses this public key to encrypt her message. She transmits the encrypted message to Bob, who decrypts it with the private key
Cryptography RSA(Ronald Rivest, Adi Shamir,Leonard Adleman) Big Prime number factorization is so difficult problem Public-key cryptosystems are convenient and they have thus become very popular over the last 20 years What is problem? Not proven security Shor’s algorithm
Cryptography Symmetrical(secret-key) cryptosystem Block type DES AES etc.. Stream type LFSR One-time pad etc..
Cryptography One-time pad first proposed by Gilbert Vernam in 1926 This cryptosystem is thus provably secure in the sense of information theory (Shannon 1949) Actually, this is today the only provably secure cryptosystem What is problem? Difficult to implementation
sending a “secret key” by using the laws of physics to warrant the complete security of the transmission Discrete variable BB84 B92 Etc.. Continuous variable Squeezed state Gaussian distribution Quantum Key Distribution Quantum Physics Principle of Complementary Heisenberg Uncertainty Principle Correspondence Principle etc..
Quantum Key Distribution Cryptography Asymmetric RSA symmetric One-time pad Quantum Cryptography DescreteContinuous Quantum Mechanics Number theory, Algebra..
Quantum Key Distribution BB84 proposed by Charles H. Bennett and Gilles Brassard in 1984 Two state( |0>, |1>), but four bases(|0,V>, |1,H>, |0,L>, |1,R>) Bases with such a property are called conjugate => Unpredictable
Quantum Key Distribution BB84(Protocol) Alice sends random “bits” (0 or 1) encoded in two 2 different “basis” Bob randomly chooses either the “+” or the “×” basis and records the transmitted and reflected photons Bob announces openly his choice of basis (but not the result!) and Alice answers “ok” or “no”. Bits with different basis are discarded The remaining bits give the secret key
Quantum Key Distribution BB84(without Eve, no noise)
Quantum Key Distribution Attack model Intercept-resend model (opaque eavesdropping) Error rate Coherent or joint Optimal individual Collective
Quantum Key Distribution BB84(with Eve, no noise)
Quantum Key Distribution BB84(with Eve, no noise) Raw key extraction Over the public channel, Bob communicates to Alice which quantum alphabet he used for each of his measurements Alice and Bob then delete all bits for which they used incompatible quantum alphabets to produce their resulting raw keys Error estimation Over the public channel, Alice and Bob compare small portions of their raw keys to estimate the error-rate R, and then delete the disclosed bits from their raw keys to produce their tentative final keys
Quantum Key Distribution BB84(with Eve, no noise) If one guesses correctly, then Alice’s transmitted bit is received with probability 1. On the other hand, if one guesses incorrectly, then Alice’s transmitted bit is received correctly with probability 1/2. Thus in general, the probability of correctly receiving Alice’s transmitted bit is
Quantum Key Distribution BB84(with Eve, no noise) If there is no intrusion, then Alice’s and Bob’s raw keys will be in total agreement. However, if Eve has been at work, then corresponding bits of Alice’s and Bob’s raw keys will not agree with probability
Quantum Key Distribution BB84(with Eve, with noise) We must assume that Bob’s raw key is noisy Since Bob can not distinguish between errors caused by noise and by those caused by Eve’s intrusion, the only practical working assumption he can adopt is that all errors are caused by Eve’s eavesdropping Under this working assumption, Eve is always assumed to have some information about bits transmitted from Alice to Bob. Thus, raw key is always only partially secret
Quantum Key Distribution BB84(with Eve, with noise) Over the public channel, Alice and Bob compare small portions of their raw keys to estimate the error-rate R, and then delete the disclosed bits from their raw key to produce their tentative final keys. If R exceeds a certain threshold, then privacy amplification is not possible If so, Alice and Bob return to stage 1 to start over. On the other hand, if, then Alice and Bob proceed to Reconciliation
Quantum Key Distribution Reconciliation Key Alice and Bob publically agree upon a random permutation, and apply it to what remains of their respective raw keys Alice and Bob partition the remnant raw key into blocks of length L For each of these blocks, Alice and Bob publically compare overall parity checks, making sure each time to discard the last bit of each compared block
Quantum Key Distribution Privacy amplification Alice and Bob compute from the error-rate R an upper bound k of the number of bits of reconciled key known by Eve Alice and Bob publically select n−k−s random subsets of reconciled key, without revealing their contents. The undisclosed parities of these subsets become the final secret key
Quantum Key Distribution BB84(with noise) Noise? ReconciliationPrivacy amplification Resend R=0? No Yes Key! Yes Key!
Quantum Key Distribution Security by Information theory I. Csiszar, and J. Korner, IEEE Trans. Inf. Theory, 24, 330 (1978) Alice and Bob can establish a secret key (using error correction and privacy amplification) if and only if
Quantum Key Distribution Security by Information theory Shannon’s formula
Quantum Key Distribution Security by Information theory A Generic Security Proof for Quantum Key Distribution by M. Christandl et al, quant- ph/0402131 Shannon’s formula Von Neumann’s formula (Quantum information) Key Rate R
Quantum Key Distribution Where is quantum? Measurement every measurement perturbs a system No-cloning theorem It is impossible to copy an arbitrary quantum state chosen among a set of non-orthogonal states No perturbation No measurement No eavesdropping
Quantum Key Distribution Experiment “Experimental Quantum Cryptography” (C.Bennett et al, J.Cryptology 5, 3-28, 1992) etc.. What is problem? Photon Generation Reliable?
Quantum Key Distribution Essential feature : quantum channel with non-commuting quantum observables not restricted to single photon polarization! New QKD protocol where : The non-commuting observables are the quadrature operators X and P i.e. continuous variable
Quantum Key Distribution Quantum cryptography with Squeezed states(Mark Hillery, PRA, 61, 022309) Quantum distribution of Gaussian keys using squeezed states(N.J.Cerf et al, PRA, 63, 052311) The non-commuting observables are the quadrature operators X and P
Quantum Key Distribution Using Squeezed state The non-commuting observables are the quadrature operators X and P Reconciliation(sliced) Privacy Amplification P X
Quantum Key Distribution Continuous Variable Quantum Cryptography Using Coherent States(F. Grosshans et al, PRL 88, 057902(2002)) The non-commuting observables are the quadrature operators X and P The transmitted light contains weak coherent pulses(about 100 photons) with a gaussian modulation of amplitude and phase The detection is made using shot-noise limited homodyne detection
Quantum Key Distribution Using Coherent state The non-commuting observables are the quadrature operators X and P Reconciliation(sliced) Privacy Amplification P X
Quantum Key Distribution Security by Information theory Shannon, von Neumann
Quantum Key Distribution Security by Information theory Gaussian distribution
Quantum Key Distribution Security by Information theory Gaussian state Information
Conclusion One-time pad(QKD) Where is quantum? Measurement(Discrete, Continuous) every measurement perturbs a system No-cloning theorem(Discrete, Continuous) It is impossible to copy an arbitrary quantum state chosen among a set of non-orthogonal states Quantum Information theory for Security
Acknowledgement Many Thanks..(M.S. Kim, Jingak Jang, Wonmin Son..) Also Many Thanks for all who attend our seminar
Reference Quantum cryptography, N.Gisin et al, quant-ph/0101098