Paraty, Quantum Information School, August 2007 Antonio Acín ICFO-Institut de Ciències Fotòniques (Barcelona) Quantum Cryptography (III)

Device-Independent QKD Quantum cryptography is the only provable secure way of transmitting information through an authenticated public channel. Its security is based on Quantum Mechanics. Is the validity of Quantum Mechanics the only assumption required for secure QKD? NO! The honest parties should have some knowledge about their devices.

Device-Independent QKD Example: BB84 Alice Bob x y a b If x=y → perfect correlations If x≠y → no correlations The state is separable. No secure QKD! The observed data are the same as those for perfect BB84 with qubits.

Device-Independent QKD Standard QKD protocols based their security on: 1.Quantum Mechanics: any eavesdropper, however powerful, must obey the laws of quantum physics. 2.No information leakage: no unwanted classical information must leak out of Alice's and Bob's laboratories. 3.Alice and Bob have an authenticated public channel. 4.Knowledge of the devices: Alice and Bob have an (almost) perfect control of the devices.

On assumptions A QKD protocol should be based on testable assumptions. Alice and Bob local spaces have dimension equal to two. Is this a testable assumption? What is an assumption? Any hypothesis that (i) is not needed in the perfect scenario where the honest parties share a secret key but (ii) is essential for the distribution of the secret key. Is no information leakage a real assumption?

Device-Independent QKD Is there a protocol for secure QKD based on without requiring any assumption on the devices? Alice Bob x y a b The devices are now seen as quantum black boxes. Alice and Bob estimate the observed probability distribution and bound Eve’s information. over all states such that

Bell’s inequalities violation Bell’s inequality violation is a necessary condition for security If the correlations are local: A perfect copy of the local instructions can go to Eve. Whenever some correlations do not violate any Bell’s inequality, they can be reproduced by measuring a separable state. Bell’s inequalities are the only entanglement witnesses which are independent of the Hilbert space dimension. Any protocol should be built from non-local correlations. Barrett, Hardy & Kent

CHSH Protocol x y a b The settings x=0,1 and y=0,1 are used to compute the violation of the CHSH inequality. The setting x=2 and y=1 are used in for the secret key. The settings are depicted in a qubit-like picture for the sake of simplicity. They can be any measurements compatible with the observed statistics.

CHSH Protocol The protocol is secure in the case of zero noise, i.e. when Alice and Bob observe the maximal violation of the CHSH inequality. Cirelson: The maximal quantum violation of the CHSH inequality is This violation can already be achieved by measuring a two-qubit maximally entangled state. Any other quantum realization of this violation is basically equivalent to a maximally entangled state of two qubits. Eve cannot be correlated at all at the point of maximal violation → Security

Device-Independent QKD We have developed a device- independent QKD scheme and prove its security under the assumption of N copies of the same probability distribution. The obtained key rates are clearly comparable to those obtained for standard schemes. Less assumptions Stronger security! General security proof? De Finetti theorem for this situation, with uncharacterized devices?

Given, does it have a quantum origin? The boundary of quantum correlations Classical Correlations QM Classical correlations (CS): Quantum correlations (QS): Bell’s Theorem The set of classical correlations, for finite alphabets of inputs and outputs defines a convex set with a finite number of extreme points. The quantum set is also convex but does not have a finite number of extreme points. What’s the quantum boundary?

Practical implementations

Quantum communication protocols Single-photon source Single-photon detector Quantum channel

Practical implementations  Single photon source  Weak laser pulse  |  with |  |<<1.  Quantum channel  Fiber optic.  Single photon detectors  Avalanche photodiodes. Real devices imperfections open security loopholes!

Time-bin qubit  qubit :  any qubit state can be created and measured in any basis variable coupler variable coupler 1 0   h AliceBob D 0 D 1 switch 1 0

Plug & Play Perfect interference (V  99%) without any adjustments, since: both pulses travel the same path in inverse order both pulses have exactly the same polarisation thanks to FM Drawback: Trojan horse attacks Alice Bob

Photon number splitting attack Alice Bob Weak coherent pulse: The pulse contains n photons with probability If the channel has sufficiently large losses, Eve can use the presence of multi-photon pulses and break the protocol, without introducing any error.

Photon number splitting attacks Alice Bob Eve 1 photon, Pr(n=1) Eve blocks the single-photon pulses Lossy quantum channel (L) 2 photon, Pr(n=2). The imperfect source produces a clone! Eve keeps one of the photons and forwards the other to Bob through a perfect line. Eve keeps her photon until the basis reconciliation → she can read the information. Bob receives the qubit unperturbed. If Eve can reproduce the losses in the channel via the two-photon pulses, BB84 remains insecure! This defines a critical value of the losses, or distance, for the implementation.

Possible solution: SARG Alice Bob Change the encoding Consider the case where Alice has sent +z. The reconciliation works as follows: 1.Alice announces the sent state plus one of the neighbours, say +x. 2.If Bob measures z, he gets the result +z, so he cannot identify the state. In this case, the parties reject the symbol. 3.If Bob measures x, he may get the result –x, so he knows that the sent state was +z. The symbol is accepted. Otherwise it is rejected. If Eve keeps one photon, she is not able to read the information perfectly even after the reconciliation part of the protocol.

Decoy state QKD Alice Bob Alice uses sources of different amplitudes for the encoding. Hwang If Eve applies the PNS attack, Alice and Bob will see a difference between the sources → they detect the attacks and abort the protocol. Thus, using the different amplitudes, Alice and Bob can estimate the amount of multi-photon pulses Eve is attacking and the information she is getting. Decoy-state QKD can be as robust as implementations using ideal single-photon sources.

Conclusions Basic idea Protocols Security proofs Exact relation with entanglement? Practical protocols Security proofs? More general scenarios New privacy amplification theory Very inter-disciplinary line of research

Thanks for your attention!