Quantum Key Distribution Chances and Restrictions Norbert Lütkenhaus Emmy Noether Research Group Institut für Theoretische Physik I Universität Erlangen-Nürnberg Institut für Optik, Information und Photonik Max-Planck Forschungsgruppe, Erlangen Kommentare
Overview What does Quantum Key Distribution do? QKD and Correlations Security intuition based on Quantum Mechanics Performance in real implementations Current Problems animieren
What is QKD about? Alice Bob key (X): Generated key: informtion theoretic security secure: I(X;Eve)=0 random: H(X) = n (maximal) universally composable Classical Channel EVE initial secret key ??? Additional Resources: Correlations via Quantum Channel Restrictions: -initially point-to-point -max range 20 km (150km?) -key rate e.g. 100 bits/sec, increase to 100 kbits or more?
Correlations and information theoretic security Alice Eve Bob C S > max {I AB - I AE, I AB -I BE } - Csiszar, Körner, IEEE, IT 24, 339 (1978). Lower bound on secrecy capacity C S : (rate of secret communication between Alice and Bob) I BE I AB I AE AB E P ABE (a,b,e) Wyner Wire Tap Eve obtains degraded copy of message Alice and Bob can perform secure communication - U. M. Maurer, IEEE Trans. Inf.Theo. 39, 1733 (1993); Upper Bounds on secrecy capacity C S : Cs I(A;B E) - U. Maurer and S. Wolf, IEEE T. I. T. 45, 499 (1999). I(A,B E) = min E E I(A;B|E) with I(A;B|E) = H(A,E) + H(B,E) – H(A,B,E) – H(E) Intrinsic Information: I(A;B E)
Exploiting the Csiszar-Körner bound (one-way communication) AB E I‘ AB = 1 I‘ (AB)E AB E I AB I AE 1)Alice‘s bit string defines the key 2)Amount of required classical communication A B to allow Bob to correct his errors:(1-I AB ) bits 3) Estimate Eve‘s relevant information [ C. Cachin, U.M. Maurer,IEEE Trans. Inf. Theo. 39, 1733 (1993).] 4)Privacy amplification: Shorten key by fraction AB E I‘‘ AB = 1 I‘‘ (AB)E =0
Quantum Mechanics Signal states are represented by complex vectors, represented by (dual vectors are represented by ) Measurements correspond to set of positive, hermitian operators, one for each possible outcome ‘i’, that form the resolution of the identity operator Quantum mechanics predicts the probability of a measurement outcome as the expectation value Composed systems are described by state vectors that can be expressed as linear combination of tensor products of basis vectors of each individual system Measurement on only one subsystem: use
Eavesdropping If can be verified to behave like the input states locally on system A for two non-orthogonal input states and, then we can show that holds for any linear combination of and. P(A,B,E) = P(A,B) P(E). U Eve U unitary No errors for non-orthogonal states Only trivial operation by Eve no leakage of information Eavesdropper
Alice: Bob: Bennett Brassard Protocol Sifting (public discussion) Quantum Part: Create random key: random signals random measurements Public discussion over faithful classical channel: distinguish deterministic from random processes No errors: transmitted faithfully Key is secure : 0:
data 0101… basis 0110… Phase I: Quantum Shor-Preskill type security proof noisy channel Encoding into QECC code Decoding of QECC code Detector Quantum/classical procedure for CSS codes: noisy channel data 0100… Phase II: Classical data 0101… 1)classical error correction 2)classical privacy amplification Quantum Error Correction Code Detector basis 0101… data 0101… secret key data 0101… basis 0110…
Gain formula The gain formula gives the number of secure bits after error correction and privacy amplification per signal sent by Alice: privacy amplification (Eve‘s information gain that caused errors) privacy amplification (Eve‘s additional information gained during error correction) 11 %
Realistic Signals No single photon sources (though getting there!) Source Laser Weak laser pulse (without phase reference) Multi-photon signals Several copies of signal state Eve can single out a copy No errors are caused Delayed measurement gives full information to Eve Alice Bob Eve Multi-photon signals are a nuisance, but not an obstacle privacy amplification takes care of extra information
Unconditional security proof Inamori, NL, Mayers, quant-ph/ Assumptions and settings: Mixture of vacuum, single and multi-photon signals Ideal polarization preparation (or equivalent) No optical intrusion into Alice and Bob No restrictions on Eve acting on signals Detection probability independent of signal or basis choice Eve knows a lot, but we know how much she knows: Error correction Privacy Amplification unconditionally secure key Eve’s optimal strategy: Split one photon off all multi-photon signals ( no error, but full information) Eavesdrop on a few single photon signals to maintain expected number of detected signals Block remaining single photon signals (only limit of long keys shown) Conservative approach: Eve responsible for all observed errors and all loss Minimal fraction of contributing single photon signals e: error rate in sifted key p exp: detection rate P multi multi-photon probability υ rep repetition rate
Optical implementation Example: Townsend, Opt. Fib. Tech. 4, (1998) Polarization: Relative phase between two optical modes low error rate over long distances (>150 km) Problem: Bob receives weak signals need excellent photo detectors
Achievable Rates as of 2000 Rates per time slot, optical fiber based implementations.
Commercial Applications Commercial product: operation on installed optical fiber European effort: IdQuantique (Geneva) EU IP “Secure Communication using Quantum Cryptography” © MagiQ Technologies
Quantum Communication and Correlations Phase I: Physical Set-Up Generation of correlations between Alice and Bob possibly containing hidden correlations with Eve Phase II: Classical Communication Protocol Advantage distillation (e.g. announcement of bases in BB84 protocol) Error Correction ( Alice and Bob share the same key) Privacy Amplification ( generates secret key shared by Alice and Bob) Physics: correlated data with a promise. (Classical) Computer Science: Solve Communication Problem with classically correlated data … Which type of correlations are useful for Quantum Communication?
Potential for correlations secret bits per signal distance (channel model) not secure (proven) protocol independent not secure (proven) Regime of Hope secure (proven) protocol e.g. weak coherent pulse BB84 - [Inamori, NL, Mayers quant-ph/ ] - [Gottesman, Lo, NL, Preskill quant-ph/ ] typically 20 – 40 km e.g about 100 km for BB84 signals [Dusek, Jahma, NL, PRA (2000)]
Conclusions Quantum Key Distribution offers information theoretic secure key. It can be implemented with todays technology. We are still in the learning process to ramp up rate and distance. Warning: need to secure devices against side-channel attacks. QKD seems ideal topic for interface Physics and Computer Science: physics generates correlations with a promise computer science offers public discussion protocols to extract key