Quantum cryptography: CS415 Biometrics and Cryptography, UTC/CSE
Page 1: Quantum cryptography CS415 Biometrics and Cryptography UTC/CSE.

Quantum cryptography

CS415 Biometrics and Cryptography

UTC/CSE

Page 2

Introduction

• Light waves are propagated as discrete particles known as photons.

• Polarization of the light is carried by the direction of the angular momentum, or spin, of the photons.

Page 3

Polarized photons

• Polarization can be modeled as a linear combination of basis vectors vertical () and horizontal ().

• A quantum state of a photon is described as a vector.

• Quantum cryptography often uses photons in 1 of 4 polarizations (in degrees): 0, 45, 90, 135.

[Figure: state vector ψ with components a and b]

Page 4

Properties of Quantum Information

Heisenberg Uncertainty Principle (HUP): If there is a particle, such as an electron, moving through space, it is impossible to measure both its position and momentum precisely.

Page 5

A polarization filter

• A polarization filter is a material that allows only light of a specified polarization direction to pass.

• A photon will either pass or not pass through a polarization filter, but if it emerges it will be aligned with the filter regardless of its initial state. There are no partial photons.

Page 6

Polarization by a Filter

[Figure: unpolarized light, vertically aligned filter, vertically polarized light, filter tilted at angle θ]

• Unpolarized light enters a vertically aligned filter; some light is absorbed and the remainder is polarized in the vertical direction.

• A second filter tilted at some angle θ absorbs some of the polarized light and transmits the rest, giving it a new polarization.

Page 7

Polarization by a Filter

[Figure: unpolarized light, vertically aligned filter, vertically polarized light, filter tilted at angle θ]

• If the first filter is Alice's generator, vertically polarized light is generated.

• There is a certain probability that the photon will pass through the second filter. The probability depends on the angle θ.

• As the angle increases from 0 to 90 degrees, the probability decreases from 1 to 0. When θ is 45 degrees, the probability is precisely 50%.

Page 8

Polarization by a Filter

The polarization of the transmitted light and the measurement together determine the polarization of the outgoing light.

Transmitting | Measurement | Outgoing
Alice transmits 1 (+45 degree) | Bob measures with -45 degree filter | Photons are always blocked
Alice transmits 1 (+45 degree) | Bob measures with 90 degree filter | 45% photons blocked, 45% photons pass
Bob transmits 0 (0 degree) | Bob measures with -45 degree filter | 45% photons blocked, 45% photons pass
Bob transmits 0 (0 degree) | Bob measures with 90 degree filter | Photons are always blocked

Perpendicular: blocked; otherwise some pass.

Page 9

More examples

Page 10

Quantum Cryptography

Page 11

Quantum Cryptography

• Better name – Quantum Key Distribution (QKD) – It’s NOT a new crypto algorithm!

• Two physically separated parties can create and share random secret keys.

• Allows them to verify that the key has not been intercepted.

Page 12

Quantum Key Distribution

Requires two channels:

• one quantum channel (subject to adversary and/or noise)

• one public channel (authentic, unjammable, subject to eavesdropping)

Page 13

BB84 QKD protocol

• Uses polarization of photons to encode the bits of information – relies on “uncertainty” to keep Eve from learning the secret key.

• Bennett: “Quantum cryptography using any two nonorthogonal states”, Physical Review Letters, Vol. 68, No. 21, 25 May 1992, pp. 3121-3124

Charles H. Bennett: an IBM Fellow at IBM Research

Gilles Brassard: Canada Research Chair in Quantum Information Processing

Page 14

Properties of Quantum Information

• Quantum “no-cloning” theorem: an unknown quantum state cannot be cloned.

• Measurement generally disturbs a quantum state:

  – one can set up a rectilinear measurement or a circular (diagonal) measurement

  – a circular (diagonal) measurement disturbs the states of those diagonal photons having 0/90

Page 15

Properties of Quantum Information

Page 16

BB84

• Alice transmits short bursts. The polarization in each burst is randomly modulated to one of four states (horizontal, vertical, left-circular, or right-circular).

• Bob measures photon polarizations in a random sequence of bases (rectilinear or diagonal).

• Bob tells the sender publicly what sequence of bases were used.

• Alice tells the receiver publicly which bases were correctly chosen.

• Alice and Bob discard all observations not from these correctly-chosen bases.

• The observations are interpreted using a binary scheme: left-circular or horizontal is 0, and right-circular or vertical is 1.

Page 17

BB84

• Representing the types of photon measurements:
  + rectilinear
  O circular

• Representing the polarizations themselves:
  < left-circular
  > right-circular
  | vertical
  − horizontal

• Probability that Bob's detector fails to detect the photon at all = 0.5.

Reference: http://monet.mercersburg.edu/henle/bb84/demo.php

Page 18

BB84 – No Eavesdropping

• A → B: |<−−−<<−−<>>−<>||−−<

• Bob randomly decides detector: ++++O+O+OO+O+++++O+O

• For each measurement, P(failure to detect photon) = 0.5

• The results of Bob's measurements are: − >− −<< | ||

• B → A: types of detectors used and successfully made (but not the measurements themselves): + O+ +OO + ++

• Alice tells Bob which measurements were of the correct type: . . . .

  − − < | (key = 0 0 0 1)

• Bob only makes the same kind of measurement as Alice about half the time. Given that the P(B detector fails) = 0.5, you would expect about 5 out of 20 usable shared digits to remain. In fact, this time there were 4 usable digits generated.

Page 19

BB84 – With Eavesdropping

• A → B: <|<−>−<<|<><−<|<−|−<

• Eavesdropping occurs.

To detect eavesdropping:

• Bob only makes the same kind of measurement as Alice about half the time. Given that the P(B detector fails) = 0.5, you would expect about 5 out of 20 usable shared digits to remain.

• A → B: reveals 50% (randomly) of the shared digits.

• B → A: reveals his corresponding check digits.

• If > 25% of the check digits are wrong, Alice and Bob know that somebody (Eve) was listening to their exchange.

NOTE – 20 photons doesn’t provide good guarantees of detection.

Page 20

DARPA Quantum Network

Page 21

Pros & Cons

• Nearly impossible to steal

• Detect if someone is listening

• “Secure”

• Distance limitations

• Availability

  – vulnerable to DoS

  – keys can’t keep up with plaintext

Page 22

Quantum cryptology

Page 23

Key distribution

• Alice and Bob first agree on two representations for ones and zeroes

  – One for each basis used, {,} and {, }.

  – This agreement can be done in public

• Define
  1 =    0 =
  1 =    0 =

Page 24

Key distribution - BB84

1. Alice sends a sequence of photons to Bob. Each photon is in a state with polarization corresponding to 1 or 0, but with a randomly chosen basis.

2. Bob measures the state of the photons he receives, with each state measured with respect to a randomly chosen basis.

3. Alice and Bob communicate via an open channel. For each photon, they reveal which basis was used for encoding and decoding respectively. All photons which have been encoded and decoded with the same basis are kept, while all those where the bases don't agree are discarded.

Page 25

Eavesdropping

• Eve has to randomly select a basis for her measurement.

• Her basis will be wrong 50% of the time.

• Whatever basis Eve chooses, she will measure 1 or 0.

• When Eve picks the wrong basis, there is a 50% chance that she'll measure the right value of the bit.

• E.g. Alice sends a photon with state corresponding to 1 in the {,} basis. Eve picks the {, } basis for her measurement, which this time happens to give a 1 as result, which is correct.

Page 26

Eavesdropping

Alice's basis | Alice's bit | Alice's photon | Eve's basis | Correct | Eve's photon | Eve's bit | Correct
{,} | 1 | | {,} | Yes | | 1 | Yes
{,} | 1 | | {, } | No | | 1 | Yes
{,} | 1 | | {, } | No | | 0 | No
{,} | 0 | | {,} | Yes | | 0 | Yes
{,} | 0 | | {, } | No | | 1 | No
{,} | 0 | | {, } | No | | 0 | Yes
{, } | 1 | | {,} | No | | 1 | Yes
{, } | 1 | | {,} | No | | 0 | No
{, } | 1 | | {, } | Yes | | 1 | Yes
{, } | 0 | | {,} | No | | 1 | No
{, } | 0 | | {,} | No | | 0 | Yes
{, } | 0 | | {, } | Yes | | 0 | Yes

Page 27

Eve's problem

• Eve has to re-send all the photons to Bob.

• This will introduce errors, since Eve doesn't know the correct basis used by Alice.

• Bob will detect an increased error rate.

• It is still possible for Eve to eavesdrop on just a few photons, and hope that this will not increase the error to an alarming rate. If so, Eve would have at least partial knowledge of the key.

Page 28

Detecting eavesdropping

• Alice and Bob test for eavesdropping by randomly selecting a number of bits from the key and computing their error rate.

• Error rate < E_max: assume no eavesdropping.

• Error rate > E_max: assume eavesdropping (or the channel is unexpectedly noisy). Alice and Bob should then discard the whole key and start over.
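The sifting and error-rate test described on pages 24 to 28 can be simulated classically. The following is an added example, not part of the original slides: it assumes a lossless detector (the 0.5 detection-failure probability from page 17 is left out), labels the two bases "+" and "x", models Eve as intercepting a chosen fraction of photons and re-sending them in her own basis, and uses a constructed threshold E_MAX = 0.10.

```python
import random

E_MAX = 0.10  # constructed threshold for this example; the slides give no value for E_max

def measure(bit, photon_basis, filter_basis, rng):
    # Matching basis reads the bit exactly; a mismatched basis gives a 50/50 result.
    return bit if photon_basis == filter_basis else rng.randrange(2)

def sifted_keys(n_photons, eve_fraction, rng):
    """One BB84 run; returns Alice's and Bob's keys after basis sifting."""
    alice, bob = [], []
    for _ in range(n_photons):
        bit, a_basis = rng.randrange(2), rng.choice("+x")
        p_bit, p_basis = bit, a_basis
        if rng.random() < eve_fraction:        # Eve measures and re-sends
            e_basis = rng.choice("+x")
            p_bit = measure(p_bit, p_basis, e_basis, rng)
            p_basis = e_basis                  # photon is now aligned with Eve's basis
        b_basis = rng.choice("+x")
        result = measure(p_bit, p_basis, b_basis, rng)
        if a_basis == b_basis:                 # bases compared over the public channel
            alice.append(bit)
            bob.append(result)
    return alice, bob

def observed_error_rate(n_photons, eve_fraction, seed=1, sample_fraction=0.5):
    """Error rate on a random sample of the sifted key, as Alice and Bob would compute it."""
    rng = random.Random(seed)
    alice, bob = sifted_keys(n_photons, eve_fraction, rng)
    check = rng.sample(range(len(alice)), int(len(alice) * sample_fraction))
    if not check:
        return 0.0
    return sum(alice[i] != bob[i] for i in check) / len(check)

def verdict(rate, e_max=E_MAX):
    return "discard key, start over" if rate > e_max else "assume no eavesdropping"

if __name__ == "__main__":
    for fraction in (0.0, 0.2, 1.0):
        rate = observed_error_rate(20000, fraction)
        print(f"Eve intercepts {fraction:.0%}: error rate {rate:.3f} -> {verdict(rate)}")
```

Full interception gives an error rate near 25%, while interception of 20% of the photons gives about 5% and stays under this threshold, which is the partial-knowledge case that page 27 describes and that privacy amplification is meant to address.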

Page 29

Noise

• Noise might introduce errors.

• A detector might detect a photon even though there are no photons.

• Solution:

  – Send the photons according to a time schedule.

  – Then Bob knows when to expect a photon, and can discard those that don't fit into the scheme's time window.

• There also has to be some kind of error correction in the overall process.

Page 30

Error correction

Suggested by Hoi-Kwong Lo. (Shortened version)

1. Alice and Bob agree on a random permutation of the bits in the key.

2. They split the key into blocks of length k.

3. Compare the parity of each block. If they compute the same parity, the block is considered correct. If their parity is different, they look for the erroneous bit, using a binary search in the block. Alice and Bob discard the last bit of each block whose parity has been announced.

4. This is repeated with different permutations and block size, until Alice and Bob fail to find any disagreement in many subsequent comparisons.
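The four steps above, written out as an added example (not code from the slides or from Lo's paper). It assumes the shared permutation comes from a seeded generator standing in for the public-channel agreement, that the block size doubles each pass up to 64, that "many subsequent comparisons" means 8 quiet passes in a row, and it discards one bit per top-level block only, not per sub-block parity announced during the binary search.

```python
import random

def parity(bits):
    return sum(bits) & 1

def locate_error(a, b, lo, hi):
    """Binary search [lo, hi) for one differing bit, comparing only announced parities."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if parity(a[lo:mid]) != parity(b[lo:mid]):
            hi = mid
        else:
            lo = mid
    return lo

def one_pass(a, b, k, rng):
    """Steps 1-3 once; returns the shortened keys and the number of blocks that disagreed."""
    order = list(range(len(a)))
    rng.shuffle(order)                        # step 1: permutation both sides agree on
    a = [a[i] for i in order]
    b = [b[i] for i in order]
    out_a, out_b, disagreements = [], [], 0
    for start in range(0, len(a), k):         # step 2: blocks of length k
        end = min(start + k, len(a))
        if parity(a[start:end]) != parity(b[start:end]):   # step 3: parities differ
            disagreements += 1
            b[locate_error(a, b, start, end)] ^= 1         # Bob flips the located bit
        out_a += a[start:end - 1]             # last bit of each block is discarded
        out_b += b[start:end - 1]
    return out_a, out_b, disagreements

def reconcile(a, b, k=8, k_max=64, quiet_needed=8, seed=0):
    """Step 4: repeat until quiet_needed passes in a row find no disagreement."""
    rng = random.Random(seed)
    quiet = 0
    while quiet < quiet_needed and len(a) > k:
        a, b, disagreements = one_pass(a, b, k, rng)
        quiet = quiet + 1 if disagreements == 0 else 0
        k = min(2 * k, k_max)
    return a, b

def demo(n=4000, error_every=33, seed=5):
    """Constructed input: Bob's key is Alice's with every 33rd bit flipped."""
    rng = random.Random(seed)
    alice = [rng.randrange(2) for _ in range(n)]
    bob = [bit ^ (i % error_every == 0) for i, bit in enumerate(alice)]
    errors_before = sum(x != y for x, y in zip(alice, bob))
    a, b = reconcile(alice, bob)
    return errors_before, len(a), a == b
```

A block with an even number of errors has matching parity and passes unnoticed in that round, which is why step 4 repeats with fresh permutations.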

Page 31

Privacy amplification

• Eve might have partial knowledge of the key.

• Transform the key into a shorter but secure key.

• Suppose there are n bits in the key and Eve has knowledge of m bits.

• Randomly choose a hash function where $h(x): \{0,1\}^n \to \{0,1\}^{n-m-s}$

• Reduces Eve's knowledge of the key to $2^{-s}/\ln 2$ bits
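The bound on this slide can be checked numerically for small parameters. This is an added example, not from the original slides: the slide names no hash family, so random GF(2)-linear maps (a universal family) are assumed, Eve is assumed to know the first m raw key bits exactly, and n = 12, m = 4, s = 2 are constructed values small enough to enumerate every key consistent with Eve's view.

```python
import math
import random
from collections import Counter
from itertools import product

def random_hash(n, out_bits, rng):
    """Pick h at random from the GF(2)-linear maps {0,1}^n -> {0,1}^out_bits."""
    return [[rng.randrange(2) for _ in range(n)] for _ in range(out_bits)]

def apply_hash(h, key):
    """Each output bit is the parity of a random subset of the key bits."""
    return tuple(sum(r & k for r, k in zip(row, key)) & 1 for row in h)

def eve_information(n, m, s, rng):
    """Bits Eve knows about the final key when she holds the first m raw bits."""
    out_bits = n - m - s
    h = random_hash(n, out_bits, rng)          # h is announced on the public channel
    known = [rng.randrange(2) for _ in range(m)]
    # Every raw key consistent with Eve's m bits is equally likely from her view.
    counts = Counter(apply_hash(h, known + list(rest))
                     for rest in product((0, 1), repeat=n - m))
    total = 2 ** (n - m)
    entropy = -sum(c / total * math.log2(c / total) for c in counts.values())
    return out_bits - entropy                  # 0.0 means the final key looks uniform to Eve

def average_information(n=12, m=4, s=2, trials=400, seed=7):
    """Average Eve's information over many random choices of h."""
    rng = random.Random(seed)
    return sum(eve_information(n, m, s, rng) for _ in range(trials)) / trials

def bound(s):
    return 2 ** -s / math.log(2)               # the slide's 2^(-s) / ln 2

if __name__ == "__main__":
    print(f"average Eve information: {average_information():.3f} bits")
    print(f"bound for s = 2:         {bound(2):.3f} bits")
```

For most choices of h Eve's information is exactly zero; the average over h is what the $2^{-s}/\ln 2$ bound limits.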

Page 32

Encryption

• Key of the same size as the plaintext

• Used as a one-time pad

• Ensures the crypto text to be absolutely unbreakable

Page 33

What's to come

• Theory for quantum cryptography already well developed

• Problems:

  – quantum cryptography machine vulnerable to noise

  – photons cannot travel long distances without being absorbed

Page 34

Summary

• The ability to detect eavesdropping ensures secure exchange of the key

• The use of one-time pads ensures security

• Equipment can only be used over short distances

• Equipment is complex and expensive