Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Security of Quantum Key Distribution with Imperfect Devices Hoi-Kwong Lo Dept. of Electrical & Comp. Engineering (ECE); & Dept. of Physics University.

Published byKelly Lindsey Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Security of Quantum Key Distribution with Imperfect Devices Hoi-Kwong Lo Dept. of Electrical & Comp. Engineering (ECE); & Dept. of Physics University."— Presentation transcript:

1 1 Security of Quantum Key Distribution with Imperfect Devices Hoi-Kwong Lo Dept. of Electrical & Comp. Engineering (ECE); & Dept. of Physics University of Toronto Email:hklo@comm.utoronto.ca URL: http://www.comm.utoronto.ca/~hklo Joint work with Daniel Gottesman Norbert Lütkenhaus John Preskill http://xxx.lanl.gov/abs/quant-ph/0212066

2 2 Outline 1.Motivation and Summary of Results: Quantum Key Distribution (QKD): Theory and Practice 2.Entanglement distillation approach to security proof of QKD 3.Shor-Preskill’s proof of security of BB84 4.Security of QKD with imperfect devices 5.Security of QKD with two-way classical communications

3 3 QKD : Theory Bennett and Brassard’s scheme (BB84) ASSSUMPTIONS: 1.Source: Emits perfect single photons. (No multi-photons) 2.Channel: Noisy but lossless. (No absorption in channel) 3.Detectors: a) Perfect detection efficiency. (100 %) 4.Basis Alignment: Perfect. (Angle between X and Z basis is exactly 45 degrees.) Assumptions lead to security proofs: Mayers (BB84), Lo and Chau (quantum-computing protocol), Biham et al. (BB84), Ben-Or (BB84), Shor-Preskill (BB84), … Conclusion: QKD is secure in theory. Alice Bob

4 4 QKD : Practice e.g., weak coherent state implementation of BB84 Reality: 1.Source: Weak coherent states of bosonic modes. (Double photons may be emitted.) 2.Channel: Absorption inevitable. (e.g. 0.25 dB/km) 3.Detectors: efficiency ~15% for Telecom wavelengths 4.Basis Alignment: Minor misalignment inevitable. Question: Is QKD is secure in practice?

5 5 Our assumptions Assumptions: 1. Both Source and detector are under LIMITED control of an adversary. 2.Allow basis-dependent, individual flaws. Comparison: Mayers: perfect source but arbitrary detector. Kaoshi-Preskill: arbitrary basis-independent source and perfect detector. Inamori, Lutkenhaus, and Mayers: weak coherent states with perfect phase randomization, perfect basis alignment and basis-independent detection efficiency.

6 6 Applications of our results 1Tagging : A faculty source may “tag” some of the qubits with information, readable by the eavesdropper, that reveals the basis used in preparation. (Special case: Inamori, Lutkenhaus, and Mayers considered weak coherent states. Multi-photons reveal basis information). 2Basis-dependent detector efficiency : The probability that a qubit is detected may depend on the basis used. An adversary may control whether the detector fires to disguise eavesdropping. 3Basis-dependent misalignment in source/detector: Source and detector not perfectly aligned. Eavesdropper can exploit her freedom to rotate these devices to reduce the disturbance caused by her eavesdropping.

7 7 Conceptual interest of our result Alice Bob Eve Quantum Key Distribution (QKD): Entanglement Distillation Protocol (EDP): [Distill better “singlets” from imperfect ones by local operations and classical communications.] Connecting two big ideas in quantum information: EDP with PRACTICAL QKD. [Distill a secure key from imperfect quantum communications.] singlets Alice Bob Environmental Noise

8 8 Our general framework: Eve and Fred (Intuition) Imagine two collaborating adversaries, Eve and Fred, try to foil QKD. Eve: does not know the basis used by Alice and Bob and has no direct control on source/detector. Fred: knows the basis used by Alice and Bob and has limited control on source/detector for each signal individually. Alice Fred Basis information Polarization information U Eve Eve Preparation by Measurement by Fred Bob Basis information Polarization information Set up a “Chinese Wall” to separate information between Eve and Fred.

9 9 Our general framework: Eve and Fred (More Precise) Imagine two collaborating adversaries, Eve and Fred, try to foil QKD. Eve: does not know the basis used by Alice and Bob and has no direct control on source/detector. Fred: knows the basis used by Alice and Bob and has limited control on source/detector for each signal individually. Eve Fred U Eve Basis information Polarization information Alice Bob N.B. Eve prepares Singlets.

10 10 Outline 1.Motivation and Summary of Results: Quantum Key Distribution (QKD): Theory and Practice 2.Entanglement distillation approach to security proof of QKD 3.Shor-Preskill’s proof of security of BB84 4.Security of QKD with imperfect devices 5.Security of QKD with two-way classical communications.

11 11 2. EDPs (Entanglement distillation protocols) Distill better singlets from imperfect ones by local operations and classical communications (LOCCs). singlet states Alice Bob Environmental Noise Remark: A singlet is a pair of qubits in the standard state | 01> - |10>. It exhibits perfect quantum correlations (i.e., entanglement).

12 12 Entanglement Distillation Protocol (EDP) Distant laboratory paradigm AliceBob N imperfect singlets Local operations and classical communications (LOCCs) AliceBob K (<N ) perfect singlets

13 13 Classification of errors acting on spin-1/2 system A)Bit flip error: B) Phase error : C) Simultaneous Bit-flip and Phase error: Y= X Z For N spin-1/2 objects, consider the tensor product error operator. Remark: If an entanglement distillation protocol can correct up to t errors acting on N spin-1/2 objects of the tensor product form in X, Y and Z types of errors, then it can correct a general error acting on up to t out of the N spin-1/2 objects. (This is because I, X, Y, and Z generate the most general 2 x 2 unitary matrix.) Two types of truly independent errors

14 14 EDP-based QKD scheme (Deutsch et al.; Lo-Chau) 1.(Testing error rate) Suppose Alice and Bob share 2N noisy singlets. Alice and Bob can test their purity by randomly choosing say N out of the 2N pairs and measuring either X X or Z Z. If error rate not too big, go to Step 2. 2.(Entanglement Distillation) Alice and Bob can apply local operations and classical communications to distill out a smaller number, say k, almost perfect singlets from the N remaining pairs. 3.(Key generation) They can then measure those k singlets, say along the Z axis, to generate a secret key. Remark: Key generation along Z axis only.,

15 15 EDP-based QKD scheme (Deutsch et al.; Lo-Chau) 1.(Testing error rate) Suppose Alice and Bob share 2N noisy singlets. Alice and Bob can test their purity by randomly choosing say N out of the 2N pairs and measuring either X X or Z Z. If error rate not too big, go to Step 2. 2.(Entanglement Distillation) Alice and Bob can apply local operations and classical communications to distill out a smaller number, say k, almost perfect singlets from the N remaining pairs. 3.(Key generation) They can then measure those k singlets, say along the Z axis, to generate a secret key. Problem 1: A naïve application of CLASSICAL probability theory generally FAILS to describe a QUANTUM problem accurately. (Einstein-Podolsky-Rosen paradox).,

16 16 EDP-based QKD scheme (Deutsch et al.; Lo-Chau) 1.(Testing error rate) Suppose Alice and Bob share 2N noisy singlets. Alice and Bob can test their purity by randomly choosing say N out of the 2N pairs and measuring either X X or Z Z. If error rate not too big, go to Step 2. 2.(Entanglement Distillation) Alice and Bob can apply local operations and classical communications to distill out a smaller number, say k, almost perfect singlets from the N remaining pairs. 3.(Key generation) They can then measure those k singlets, say along the Z axis, to generate a secret key. Solution: Surprisingly, classical random sampling theory works in this quantum problem because of the “commuting observables” idea: Provided that we consider observables (self-adjoint operators) that commute, they have simultaneous eigenvalues and eigenvectors. Therefore, it is mathematically consistent to consider the probabilities of those simultaneous eigenvectors. (Lo-Chau),

17 17 EDP-based QKD scheme (Deutsch et al.; Lo-Chau) 1.(Testing error rate) Suppose Alice and Bob share 2N noisy singlets. Alice and Bob can test their purity by randomly choosing say N out of the 2N pairs and measuring either X X or Z Z. If error rate not too big, go to Step 2. 2.(Entanglement distillation) Alice and Bob can apply local operations and classical communications to distill out a smaller number, say k, almost perfect singlets from the N remaining pairs. 3.(Key generation) They can then measure those k singlets, say along the Z axis, to generate a secret key., Problem: Entanglement distillation (Step 2) requires quantum computers! Experimentally challenging.

18 18 Question How can one remove the assumption of quantum computers in security proof of QKD? Solution: Shor-Preskill’s proof….

19 19 Outline 1.Motivation and Summary of Results: Quantum Key Distribution (QKD): Theory and Practice 2.Entanglement distillation approach to security proof of QKD 3.Shor-Preskill’s proof of security of BB84 4.Security of QKD with imperfect devices 5.Security of QKD with two-way classical communications

20 20 Overall Strategy of Shor-Preskill’s proof Use Entanglement Distillation Protocols (EDPs) to prove security of BB84: EDP-based QKD BB84 Reduction Procedure: 1.Construct EDP-based QKD scheme and prove its security. 2.Show that security of EDP-based QKD scheme implies Security of BB84. Result: A simple proof of unconditional security of BB84. (Cf. Mayers’ proof, the first proof for BB84, is hard for many people.) Remark: Unconditional security means security against the most general type of attacks---``joint attacks’’. Holy Grail of Quantum Crypto.

21 21 Correspondence between CSS codes and BB84 (Shor-Preskill’s proof) CSS codes BB84 bit flip error correction error correction phase error correction privacy amplification (to remove Eve’s info.) N.B.: CSS stands for Calderbank-Shor-Steane codes. It is a common class of quantum codes.

22 22 Intuition of Shor-Preskill’s proof Shor-Preskill use CSS codes which have the nice properties that their generators of the form X-type or Z-type. i.e., the bit-flip and phase error correction procedures are decoupled. In EPP-based QKD protocol, the key is generated by measuring Z’s. Therefore, value of the key is not affected by phase error correction. Therefore, Alice and Bob do NOT need to compute the phase error syndrome. Consequently, no quantum computers are needed. If Alice and Bob do not announce the phase error syndrome, it can be shown that the density matrix prepared by Alice is the same as in BB84. From Eve’s view, Alice and Bob could have prepared the state by using EDPs. What is important is not phase error correction is actually performed, but that it could have been successful, if it had been performed.

23 23 Outline 1.Motivation and Summary of Results: Quantum Key Distribution (QKD): Theory and Practice 2.Entanglement distillation approach to security proof of QKD 3.Shor-Preskill’s proof of security of BB84 4.Security of QKD with imperfect devices 5.Security of QKD with two-way classical communications

24 24 EDP-based QKD scheme (Deutsch et al.; Lo-Chau) 1.(Testing error rate) Suppose Alice and Bob share 2N noisy singlets. Alice and Bob can test their purity by randomly choosing say N out of the 2N pairs and measuring either X X or Z Z. If error rate not too big, go to Step 2. 2.(Entanglement Distillation) Alice and Bob can apply local operations and classical communications to distill out a smaller number, say k, almost perfect singlets from the N remaining pairs. 3.(Key generation) They can then measure those k singlets, say along the Z axis, to generate a secret key. Remark: Key generation along Z axis ONLY.,

25 25 Error Rates of tested and untested pairs Tested Pairs:, X-basis error rate (of tested signals), Z-basis error rate (of tested signals) Key generation Pairs:, bit-flip error rate. [Key generation rate: ] Question: How to relateto ? Answer: In standard BB84. The tested pairs is a fair sample of The population. Therefore, the error rates of the tested and Untested pairs are the same. i.e., =, and =., phase error rate.

26 26 Error Rates of tested and untested pairs Tested Pairs:, X-basis error rate (of tested signals), Z-basis error rate (of tested signals) Key generation Pairs:, bit-flip error rate. [Key generation rate: ] Question: How to relateto ? Answer: In standard BB84. The tested pairs is a fair sample of The population. Therefore, the error rates of the tested and Untested pairs are the same. i.e., =, and =. Question: What if we introduce imperfections?, phase error rate.

27 27 Error Rates of tested and untested pairs Tested Pairs:, X-basis error rate (of tested signals), Z-basis error rate (of tested signals) Key generation Pairs:, bit-flip error rate. [Key generation rate: ] Question: How to relateto ? Answer: With imperfection = (Biased Sample) =. We reduce the whole question of dealing with imperfections to deriving constraints on from., phase error rate.

28 28 Example I: Tagged qubits Suppose a fractionof the qubits are tagged by Fred. The tag informs Eve which basis is used. So, Eve can learn polarizations without disturbing the qubits. Eve has no information about the basis used for the untagged photons. For untagged photons, bit-flip and phase error rates are the same----- Call it. For tagged photons, bit-flip error rate is zero and phase error rate is at most 1. Therefore, we have Example: In weak coherent state implementation, the tagging probability,, where is probability for emitting a multi-photon and is detection probability.

29 29 Example II: Trojan Pony Suppose the detector is not perfectly efficient. A fraction of the signals that enter the detector fail to trigger it, resulting in no recorded outcome. Suppose Fred, who knows Bob’s basis, controls whether the detector fires or not, subject to the constraint that at most a fraction, can be eliminated. In the worst case, every pair that Fred removes has a bit-flip error and no phase error. Before any pairs were eliminated, suppose the error rate was in both cases. After elimination, the error rates are:,

30 30 Example III: Misalignment Suppose Bob is unable to control his measurement basis perfectly. Instead of measuring a qubit along the Z-axis, he might be measuring it within a cone of angle from the desired axis. Similarly, instead of measuring along the X-axis, he might be measuring it within a cone of angle from the desired axis. The situation is equivalent to one in which Bob’s measurement is perfect, but Fred is allowed to perform a rotation up to an angle depending on the basis used by Bob. Therefore, we have where is a rotation of up to an angle.

31 31 Summary We have proven that QKD is secure even when both source and detector are imperfect and even when the flaws are adversarial and basis-dependent. Limitations Still, the model source and detectors are not completely general. Indeed, the flaws are assumed to be individual and limited. We have put aside the question of how Alice and Bob can verify our assumptions experimentally. We have not considered how to strengthen our results by using two-way classical communications. (Cf. Gottesman-Lo ). We have only considered the asymptotic case of an infinitely long key, but not the realistic case of a finitely long key.

32 32 Outline 1.Motivation and Summary of Results: Quantum Key Distribution (QKD): Theory and Practice 2.Entanglement distillation approach to security proof of QKD 3.Shor-Preskill’s proof of security of BB84 4.Security of QKD with imperfect devices 5.Security of QKD with two-way classical communications

33 33 Classification of Entanglement Distillation Protocols Alice A) EDP with ONE-WAY classical communications only. B) EDP with TWO-WAY classical communications. Alice Bob

34 34 Connecting EDP with BB84 EDP with one-way Communications (modified Lo-Chau protocol) BB84 Shor-Preskill Use “CSS codes” EDP with two-way communications BB84 ??

35 35 Connecting EDP with BB84 EDP with one-way Communications (modified Lo-Chau protocol) BB84 Shor-Preskill Use “CSS codes” EDP with two-way communications BB84 ?? Remark: EDP with one-way comm. are equivalent to QECCs.

36 36 Connecting EDP with BB84 EDP with one-way Communications (modified Lo-Chau protocol) BB84 Shor-Preskill Use “CSS codes” EDP with two-way communications BB84 ?? Remark: EDP with one-way comm. are equivalent to QECCs. Motivations: 1) Entanglement distillation protocols (EDPs) with two-way classical communications are known to be more powerful than those with only one-way comm. (Bennett, DiVincenzo, Smolin and Wootters. See also, Deutsch et al.) 2) To prove unconditional security of standard protocols such as "Cascade".

37 37 Connecting EDP with BB84 EDP with one-way Communications BB84 Shor-Preskill Use CSS codes EDP with two-way communications BB84 Gottesman-Lo Two-way CSS-like codes

38 38 Tolerable Bit Error Rates MayersSecure up to ~7% Shor-PreskillSecure up to ~11% Gottesman-LoSecure up to ~19% Question: Under what operating parameters will BB84 be secure? Proof (Quantum) Bit Error Rate Remark: Our proof makes ``advantage distillation’ rigorous even against the most general type of attacks---joint attacks. (Advantage distillation=method to distill a key when Bob has a worse channel than Eve.) Cf. Upper bound: 25%. (BB84 is known to be insecure at 25% bit error rate by intercept-resend strategy.)

39 39 Correspondence between EDP and BB84 (Gottesman-Lo’s proof) EDP BB84/six-state bit-flip error detection “advantage distillation” bit-flip error correction error correction phase error correction privacy amplification We proved BB84 is secure up to 18.9 percent bit error rate. “Security of quantum key distribution with two-way classical communications”, D. Gottesman and H.-K. Lo, IEEE Transactions on Information Theory, Vol. 49, No. 2, p. 457 (Feb., 2003). http://xxx.lanl.gov/abs/quant-ph/0105121http://xxx.lanl.gov/abs/quant-ph/0105121

40 40 Phenomenology of QKD 1.Design practical protocols for classical post- processing of QKD. 2.Model real-life QKD systems. 3.Study eavesdropping attacks.

41 41 1.Design practical protocols for classical post-processing of QKD. Remark: ``Privacy amplification’’ is the dual of error correction. (Cf. “Generalized Hamming Weights for linear codes”, Wei, IEEE IT, 91) 1. Finite size codes: (convolutional codes or block codes?) Security proofs usually deal with an infinitely long key. In practice, it is necessary to consider a final key of finite length. 2.Fluctuations become very important. 3.Need REAL-TIME (hardware?) implementation. 4.Limited REAL random number generator rate. 5.Limited computational power. 6.Limited memory space. 7.Limited classical communication bandwidth. 8.Cost

42 42 2. Model real-life QKD systems. 1) All models of QKD are idealizations of real-life systems. Real-life QKD system is a complex system with many degrees of freedom. 2) Imperfections: Imperfect single-photon sources Lossy channels Imperfect single-photon detection efficiency Detectors’ dark counts Trojan Horse’s attacks Denial-of-service attacks How to quantify (experimentally) small imperfections and ensure security in the presence of those imperfections?

43 43 3. Study eavesdropping attacks. The best way to build a secure cryptographic system is to try hard to break it. Need to study theoretically and experimentally the feasibility and power of various eavesdropping attacks: beam- splitting attacks, unambiguous state determination, Trojan Horse attacks, etc.

Download ppt "1 Security of Quantum Key Distribution with Imperfect Devices Hoi-Kwong Lo Dept. of Electrical & Comp. Engineering (ECE); & Dept. of Physics University."

Similar presentations

Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.

Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.
Ulams Game and Universal Communications Using Feedback Ofer Shayevitz June 2006.

Ulams Game and Universal Communications Using Feedback Ofer Shayevitz June 2006.
1 Decoy State Quantum Key Distribution (QKD) Hoi-Kwong Lo Center for Quantum Information and Quantum Control Dept. of Electrical & Comp. Engineering (ECE);

1 Decoy State Quantum Key Distribution (QKD) Hoi-Kwong Lo Center for Quantum Information and Quantum Control Dept. of Electrical & Comp. Engineering (ECE);
Quantum Computing MAS 725 Hartmut Klauck NTU 5.3.2012.

Quantum Computing MAS 725 Hartmut Klauck NTU
Spin chains and channels with memory Martin Plenio (a) & Shashank Virmani (a,b) quant-ph/0702059, to appear prl (a)Institute for Mathematical Sciences.

Spin chains and channels with memory Martin Plenio (a) & Shashank Virmani (a,b) quant-ph/ , to appear prl (a)Institute for Mathematical Sciences.
Fixing the lower limit of uncertainty in the presence of quantum memory Archan S. Majumdar S. N. Bose National Centre for Basic Sciences, Kolkata Collaborators:

Fixing the lower limit of uncertainty in the presence of quantum memory Archan S. Majumdar S. N. Bose National Centre for Basic Sciences, Kolkata Collaborators:
Christian Schaffner CWI Amsterdam, Netherlands Position-Based Quantum Cryptography: Impossibility and Constructions Seminar Eindhoven, Netherlands Wednesday,

Christian Schaffner CWI Amsterdam, Netherlands Position-Based Quantum Cryptography: Impossibility and Constructions Seminar Eindhoven, Netherlands Wednesday,
1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.

1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.
Enhancing Secrecy With Channel Knowledge

Enhancing Secrecy With Channel Knowledge
1 Decoy State Quantum Key Distribution (QKD) Hoi-Kwong Lo Center for Quantum Information and Quantum Control Dept. of Electrical & Comp. Engineering (ECE);

1 Decoy State Quantum Key Distribution (QKD) Hoi-Kwong Lo Center for Quantum Information and Quantum Control Dept. of Electrical & Comp. Engineering (ECE);
Short course on quantum computing Andris Ambainis University of Latvia.

Short course on quantum computing Andris Ambainis University of Latvia.
Quantum Computing MAS 725 Hartmut Klauck NTU 12.3.2012.

Quantum Computing MAS 725 Hartmut Klauck NTU
Quantum Cryptography Ranveer Raaj Joyseeree & Andreas Fognini Alice Bob Eve.

Quantum Cryptography Ranveer Raaj Joyseeree & Andreas Fognini Alice Bob Eve.
Quantum Key Distribution (QKD) John A Clark Dept. of Computer Science University of York, UK

Quantum Key Distribution (QKD) John A Clark Dept. of Computer Science University of York, UK
QEC’07-1 ASF 6/13/2015 MIT Lincoln Laboratory Channel-Adapted Quantum Error Correction Andrew Fletcher QEC ‘07 21 December 2007.

QEC’07-1 ASF 6/13/2015 MIT Lincoln Laboratory Channel-Adapted Quantum Error Correction Andrew Fletcher QEC ‘07 21 December 2007.
Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.

Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.
Universal Optical Operations in Quantum Information Processing Wei-Min Zhang ( Physics Dept, NCKU )

Universal Optical Operations in Quantum Information Processing Wei-Min Zhang ( Physics Dept, NCKU )
Quantum Key Distribution Yet another method of generating a key.

Quantum Key Distribution Yet another method of generating a key.
Quantum Algorithms I Andrew Chi-Chih Yao Tsinghua University & Chinese U. of Hong Kong.

Quantum Algorithms I Andrew Chi-Chih Yao Tsinghua University & Chinese U. of Hong Kong.
CSEP 590tv: Quantum Computing

CSEP 590tv: Quantum Computing

Similar presentations

Ads by Google