
Shri Vile Parle Kelavani Mandal’s

NMIMS (Deemed-to-be University)

Mukesh Patel School of Technology Management & Engineering

JVPD Scheme, Bhaktivedanta Swami Marg,

Vile Parle (w), Mumbai- 400 056.

Certificate

Department of Information Technology Engineering

This is to certify that following students:

Jayant Kumar (125), Farhan Mahesania (128), Sazmin Momin (131)

have submitted their seminar report entitled

Quantum Cryptography

as a part of their curriculum for the Second Year, B.Tech, Trimester – V, during the academic year 2009-2010

Internal Mentor HOD


(1)

Introduction

Until modern times cryptography referred almost exclusively to encryption, which is the process of converting ordinary information (plaintext) into unintelligible gibberish (i.e., ciphertext). Decryption is the reverse, in other words, moving from the unintelligible ciphertext back to plaintext. A cipher (or cypher) is a pair of algorithms that create the encryption and the reversing decryption. The detailed operation of a cipher is controlled both by the algorithm and in each instance by a key. This is a secret parameter (ideally known only to the communicants) for a specific message exchange context. Keys are important, as ciphers without variable keys can be trivially broken with only the knowledge of the cipher used and are therefore less than useful for most purposes. Historically, ciphers were often used directly for encryption or decryption without additional procedures such as authentication or integrity checks.

Cryptography (or cryptology; from Greek κρυπτός, kryptos, "hidden, secret"; and γράφω, gráphō, "I write", or -λογία, -logia, respectively) is the practice and study of hiding information. Modern cryptography intersects the disciplines of mathematics, computer science, and engineering. Applications of cryptography include ATM cards, computer passwords, and electronic commerce.

• Transmitting information with access restricted to the intended recipient even if the message is intercepted by others.

Cryptography is of increasing importance in our technological age using broadcast, network communications, Internet, e-mail, cell phones which may transmit sensitive information related to finances, politics, business and private confidential matters.


Important Terms Used In Cryptography

Cryptography: the art or science encompassing the principles and methods of transforming an intelligible message into one that is unintelligible, and then retransforming that message back to its original form.

Plaintext: the original intelligible message.

Ciphertext: the transformed message.

Cipher: an algorithm for transforming an intelligible message into one that is unintelligible by transposition and/or substitution methods.

Key: some critical information used by the cipher, known only to the sender & receiver.

Encipher (encode): the process of converting plaintext to ciphertext using a cipher and a key.

Decipher (decode): the process of converting ciphertext back into plaintext using a cipher and a key.

Cryptanalysis: the study of principles and methods of transforming an unintelligible message back into an intelligible message without knowledge of the key. Also called “codebreaking”.

Cryptology: both cryptography and cryptanalysis.

Code: an algorithm for transforming an intelligible message into an unintelligible one using a code-book.

Concepts

Encryption: $C = E_K(P)$.

Decryption: $P = E_K^{-1}(C)$.

$E_K$ is chosen from a family of transformations known as a cryptographic system.

The parameter that selects the individual transformation is called the key $K$, selected from a keyspace $\mathcal{K}$.

A Brief History of Cryptography

Ancient Ciphers

• have a history of at least 4000 years

• ancient Egyptians enciphered some of their hieroglyphic writing on monuments

• ancient Hebrews enciphered certain words in the scriptures

• 2000 years ago Julius Caesar used a simple substitution cipher, now known as the Caesar cipher

• Roger Bacon described several methods in 1200s

• Geoffrey Chaucer included several ciphers in his works

• Leon Alberti devised a cipher wheel, and described the principles of frequency analysis in the 1460s

• Blaise de Vigenère published a book on cryptology in 1585, & described the polyalphabetic substitution cipher

• increasing use, esp in diplomacy & war over centuries

Machine Ciphers

• Jefferson cylinder, developed in 1790s, comprised 36 disks, each with a random alphabet, order of disks was key, message was set, then another row became cipher

• Wheatstone disc, originally invented by Wadsworth in 1817, but developed by Wheatstone in 1860's, comprised two concentric wheels used to generate a polyalphabetic cipher

• Enigma Rotor machine, one of a very important class of cipher machines, heavily used during 2nd world war, comprised a series of rotor wheels with internal cross-connections, providing a substitution using a continuously changing alphabet

(2)


Traditional Cryptography

Privacy is paramount when communicating sensitive information, and humans have invented some unusual ways to encode their conversations. In World War II, for example, the Nazis created a bulky machine called the Enigma that resembles a typewriter on steroids. This machine created one of the most difficult ciphers (encoded messages) of the pre-computer age. Even after Polish resistance fighters made knockoffs of the machines -- complete with instructions on how the Enigma worked -- decoding messages was still a constant struggle for the Allies [source: Cambridge University]. As the codes were deciphered, however, the secrets yielded by the Enigma machine were so helpful that many historians have credited the code breaking as an important factor in the Allies' victory in the war.

What the Enigma machine was used for is called cryptology. This is the process of encoding (cryptography) and decoding (cryptanalysis) information or messages (called plaintext). All of these processes combined are cryptology. Until the 1990s, cryptology was based on algorithms -- a mathematical process or procedure. These algorithms are used in conjunction with a key, a collection of bits (usually numbers). Without the proper key, it's virtually impossible to decipher an encoded message, even if you know what algorithm to use.

There are limitless possibilities for keys used in cryptology. But there are only two widely used methods of employing keys: public-key cryptology and secret-key cryptology. In both of these methods (and in all cryptology), the sender (point A) is referred to as Alice. Point B is known as Bob.


In the public-key cryptology (PKC) method, a user chooses two interrelated keys. He lets anyone who wants to send him a message know how to encode it using one key. He makes this key public. The other key he keeps to himself. In this manner, anyone can send the user an encoded message, but only the recipient of the encoded message knows how to decode it. Even the person sending the message doesn't know what code the user employs to decode it.

PKC is often compared to a mailbox that uses two keys. One unlocks the front of the mailbox, allowing anyone with a key to deposit mail. But only the recipient holds the key that unlocks the back of the mailbox, allowing only him to retrieve the messages.

The other usual method of traditional cryptology is secret-key cryptology (SKC). In this method, only one key is used by both Bob and Alice. The same key is used to both encode and decode the plaintext. Even the algorithm used in the encoding and decoding process can be announced over an unsecured channel. The code will remain uncracked as long as the key used remains secret.

SKC is similar to feeding a message into a special mailbox that grinds it together with the key. Anyone can reach inside and grab the cipher, but without the key, he won't be able to decipher it. The same key used to encode the message is also the only one that can decode it, separating the key from the message.

Traditional cryptology is certainly clever, but as with all encoding methods in code-breaking history, it's being phased out.

Limitations of Traditional Cryptography

Both the secret-key and public-key methods of cryptology have unique flaws. Oddly enough, quantum physics can be used to either solve or expand these flaws.

The keys used to encode messages are so long that it would take a trillion years to crack one using conventional computers.


The problem with public-key cryptology is that it's based on the staggering size of the numbers created by the combination of the key and the algorithm used to encode the message. These numbers can reach unbelievable proportions. What's more, they can be made so that in order to understand each bit of output data, you have to also understand every other bit as well. This means that to crack a 128-bit key, the possible numbers used can reach upward to $10^{38}$ [source: Dartmouth College]. That's a lot of possible numbers for the correct combination to the key.

The keys used in modern cryptography are so large, in fact, that a billion computers working in conjunction with each processing a billion calculations per second would still take a trillion years to definitively crack a key [source: Dartmouth College]. This isn't a problem now, but it soon will be. Current computers will be replaced in the near future with quantum computers, which exploit the properties of physics on the immensely small quantum scale. Since they can operate on the quantum level, these computers are expected to be able to perform calculations and operate at speeds no computer in use now could possibly achieve. So the codes that would take a trillion years to break with conventional computers could possibly be cracked in much less time with quantum computers. This means that secret-key cryptology (SKC) looks to be the preferred method of transferring ciphers in the future.

But SKC has its problems as well. The chief problem with SKC is how the two users agree on what secret key to use. If you live next door to the person with whom you exchange secret information, this isn't a problem. All you have to do is meet in person and agree on a key. But what if you live in another country? Sure, you could still meet, but if your key was ever compromised, then you would have to meet again and again.

It's possible to send a message concerning which key a user would like to use, but shouldn't that message be encoded, too? And how do the users agree on what secret key to use to encode the message about what secret key to use for the original message? The problem with secret-key cryptology is that there's almost always a place for an unwanted third party to listen in and gain information the users don't want that person to have. This is known in cryptology as the key distribution problem.

It's one of the great challenges of cryptology: To keep unwanted parties -- or eavesdroppers -- from learning of sensitive information. After all, if it was OK for just anyone to hear, there would be no need to encrypt a message.

Quantum physics has provided a way around this problem. By harnessing the unpredictable nature of matter at the quantum level, physicists have figured out a way to exchange information on secret keys.

(3)

QUBITS


The most important unit of information in computer science is the bit. There are two possible values that can be stored by a bit: the bit is either equal to “0” or equal to “1.” These two different states can be represented in various ways, for example by a simple switch or by a capacitor: if not charged, the capacitor holds the value zero; if charged, it holds the value one.

There exist many possibilities to physically represent a qubit in practice, as every quantum system with at least two states can serve as a qubit. For example, the spin of an atom or the polarization of a light particle can represent the state of a qubit. Even a cat with its two basic states “dead” and “alive,” introduced by Schrödinger [1935] to visualize fundamental concepts of quantum mechanics, might serve as a representation. The cat’s problem—or fortune from the animal’s point of view—when being used as a quantum system is its sheer size compared to that of an atom or light particle. There is no way to protect such a big quantum instance from interaction with its environment, which in turn will result in decoherence of the superposition of the cat.

Qubit Representation

In general, a quantum state $|\psi\rangle$ is an element of a finite-dimensional complex vector space (or Hilbert space) $H$. We denote the scalar product of two states $|\psi\rangle$ and $|\varphi\rangle$ by $\langle\psi|\varphi\rangle$, where $\langle\psi| = |\psi\rangle^{\dagger}$ is the conjugate transpose of $|\psi\rangle$. It is convenient to deal with normalized states, so we require $\langle\psi|\psi\rangle = 1$ for all states $|\psi\rangle$ that have a physical meaning.

The quantum analog of the bit is called qubit, which is derived from quantum bit. A qubit $|\psi\rangle$ is an element of a two-dimensional Hilbert space, in which we can introduce an orthonormal basis, consisting of the two states $|0\rangle$ and $|1\rangle$. Unlike its classical counterpart, the quantum state can be in any coherent superposition of the basis states:

$$|\psi\rangle = \alpha|0\rangle + \beta|1\rangle, \qquad (1)$$

where $\alpha$ and $\beta$ are, in general, complex coefficients. This is due to the fact that the quantum mechanical equation of motion, the Schrödinger equation, is linear: Any linear superposition of its solutions (the quantum states) is also a solution. Since we require quantum states to be normalized, we find that the coefficients in (1) have to fulfill $|\alpha|^2 + |\beta|^2 = 1$, where $|\cdot|$ denotes the absolute value.

(3)

Photon Properties

Photons are some pretty amazing particles. They have no mass, they're the smallest measure of light, and they can exist in all of their possible states at once, called the wave function. This means that whatever direction a photon can spin in -- say, diagonally, vertically and horizontally -- it does all at once. Light in this state is called unpolarized. This is exactly the same as if you constantly moved east, west, north, south, and up-and-down at the same time.

The foundation of quantum physics is the unpredictability factor. This unpredictability is pretty much defined by Heisenberg's Uncertainty Principle. This principle says, essentially, that it's impossible to know both an object's position and velocity -- at the same time.

But when dealing with photons for encryption, Heisenberg's principle can be used to our advantage. To create a photon, quantum cryptographers use LEDs -- light emitting diodes, a source of unpolarized light. LEDs are capable of creating just one photon at a time, which is how a string of photons can be created, rather than a wild burst. Through the use of polarization filters, we can force the photon to take one state or another -- or polarize it. If we use a vertical polarizing filter situated beyond a LED, we can polarize the photons that emerge: The photons that aren't absorbed will emerge on the other side with a vertical spin ( | ).

The thing about photons is that once they're polarized, they can't be accurately measured again, except by a filter like the one that initially produced their current spin. So if a photon with a vertical spin is measured through a diagonal filter, either the photon won't pass through the filter or the filter will affect the photon's behavior, causing it to take a diagonal spin. In this sense, the information on the photon's original polarization is lost, and so, too, is any information attached to the photon's spin.


So how do you attach information to a photon's spin? That's the essence of quantum cryptography.

(4)

Quantum Cryptography

Quantum cryptography was proposed first by Stephen Wiesner, then at Columbia University in New York, who, in the early 1970s, introduced the concept of quantum conjugate coding. His seminal paper titled "Conjugate Coding" was rejected by IEEE Information Theory but was eventually published in 1983 in SIGACT News (15:1 pp. 78-88, 1983). In this paper he showed how to store or transmit two messages by encoding them in two “conjugate observables”, such as linear and circular polarization of light, so that either, but not both, may be received and decoded. He illustrated his idea with a design of unforgeable bank notes. A decade later, building upon this work, Charles H. Bennett, of the IBM Thomas J. Watson Research Center, and Gilles Brassard, of the Université de Montréal, proposed a method for secure communication based on Wiesner’s “conjugate observables”. In 1990, independently and initially unaware of the earlier work, Artur Ekert, then a Ph.D. student at Wolfson College, University of Oxford, developed a different approach to quantum cryptography based on peculiar quantum correlations known as quantum entanglement.

Quantum cryptography uses quantum mechanics to guarantee secure communication. It enables two parties to produce a shared random bit string known only to them, which can be used as a key to encrypt and decrypt messages.

An important and unique property of quantum cryptography is the ability of the two communicating users to detect the presence of any third party trying to gain knowledge of the key. This results from a fundamental part of quantum mechanics: the process of measuring a quantum system in general disturbs the system.

A third party trying to eavesdrop on the key must in some way measure it, thus introducing detectable anomalies. By using quantum superpositions or quantum entanglement and transmitting information in quantum states, a communication system can be implemented which detects eavesdropping. If the level of eavesdropping is below a certain threshold, a key can be produced which is guaranteed as secure; otherwise no secure key is possible and communication is aborted.

The security of quantum cryptography relies on the foundations of quantum mechanics, in contrast to traditional public key cryptography which relies on the computational difficulty of certain mathematical functions, and cannot provide any indication of eavesdropping or guarantee of key security.

Quantum cryptography is only used to produce and distribute a key, not to transmit any message data. This key can then be used with any chosen encryption algorithm to encrypt and decrypt a message, which can then be transmitted over a standard communication channel. The algorithm most commonly associated with QKD is the one-time pad, as it is provably secure when used with a secret, random key.

Quantum cryptographic devices typically employ individual photons of light and take advantage of either the Heisenberg uncertainty principle or quantum entanglement.

Uncertainty

Unlike in classical physics, the act of measurement is an integral part of quantum mechanics. So it is possible to encode information into quantum properties of a photon in such a way that any effort to monitor them disturbs them in some detectable way. The effect arises because in quantum theory, certain pairs of physical properties are complementary in the sense that measuring one property necessarily disturbs the other. This statement is known as the Heisenberg uncertainty principle. The two complementary properties that are often used in quantum cryptography are two types of photon polarization, e.g. rectilinear (vertical and horizontal) and diagonal (at 45° and 135°).

Entanglement

It is a state of two or more quantum particles, e.g. photons, in which many of their physical properties are strongly correlated. The entangled particles cannot be described by specifying the states of individual particles and they may together share information in a form which cannot be accessed in any experiment performed on either of the particles alone. This happens no matter how far apart the particles may be at the time.

Using Quantum Cryptology

Quantum cryptography uses photons to transmit a key. Once the key is transmitted, coding and encoding using the normal secret-key method can take place. But how does a photon become a key? How do you attach information to a photon's spin?

This is where binary code comes into play. Each type of a photon's spin represents one piece of information -- usually a 1 or a 0, for binary code. This code uses strings of 1s and 0s to create a coherent message. For example, 11100100110 could correspond with h-e-l-l-o. So a binary code can be assigned to each photon -- for example, a photon that has a vertical spin ( | ) can be assigned a 1. Alice can send her photons through randomly chosen filters and record the polarization of each photon. She will then know what photon polarizations Bob should receive.

When Alice sends Bob her photons using an LED, she'll randomly polarize them through either the X or the + filters, so that each polarized photon has one of four possible states: (|), (--), (/) or (\) [source: Vittorio]. As Bob receives these photons, he decides whether to measure each with either his + or X filter -- he can't use both filters together. Keep in mind, Bob has no idea what filter to use for each photon, he's guessing for each one. After the entire transmission, Bob and Alice have a non-encrypted discussion about the transmission.

The reason this conversation can be public is because of the way it's carried out. Bob calls Alice and tells her which filter he used for each photon, and she tells him whether it was the correct or incorrect filter to use.

Their conversation may sound a little like this:

Bob: Plus
Alice: Correct

Bob: Plus
Alice: Incorrect

Bob: X
Alice: Correct

Since Bob isn't saying what his measurements are -- only the type of filter he used -- a third party listening in on their conversation can't determine what the actual photon sequence is.

Here's an example. Say Alice sent one photon as a ( / ) and Bob says he used a + filter to measure it. Alice will say "incorrect" to Bob. But if Bob says he used an X filter to measure that particular photon, Alice will say "correct." A person listening will only know that that particular photon could be either a ( / ) or a ( \ ), but not which one definitively. Bob will know that his measurements are correct, because a (--) photon traveling through a + filter will remain polarized as a (--) photon after it passes through the filter.

After their odd conversation, Alice and Bob both throw out the results from Bob's incorrect guesses. This leaves Alice and Bob with identical strings of polarized photons. It may look a little like this: -- / | | | / -- -- | | | -- / | … and so on. To Alice and Bob, this is a meaningless string of photons. But once binary code is applied, the photons become a message. Bob and Alice can agree on binary assignments, say 1 for photons polarized as ( \ ) and ( -- ) and 0 for photons polarized like ( / ) and ( | ).

This means that their string of photons now looks like this: 11110000011110001010. This can in turn be translated into English, Spanish, Navajo, prime numbers or anything else that Bob and Alice use as codes for the keys used in their encryption.

Protocols Utilizing Heisenberg's Uncertainty Principle

In 1984 Charles Bennett and Gilles Brassard published the first QKD protocol [BB84]. It was based on Heisenberg's Uncertainty Principle and is simply known as the BB84 protocol after the authors' names and the year in which it was published. It is still one of the most prominent protocols and one could argue that all of the other HUP-based protocols are essentially variants of the BB84 idea. The basic idea for all of these protocols is that Alice can transmit a random secret key to Bob by sending a string of photons where the secret key's bits are encoded in the polarization of the photons. Heisenberg's Uncertainty Principle can be used to guarantee that an eavesdropper cannot measure these photons and transmit them on to Bob without disturbing the photon's state in a detectable way, thus revealing her presence.

BB84 Protocol

The figure shows how a bit can be encoded in the polarization state of a photon in BB84. We define a binary 0 as a polarization of 0 degrees in the rectilinear basis or 45 degrees in the diagonal basis [CKI-BB84] [Gisin02]. Similarly a binary 1 can be 90 degrees in the rectilinear basis or 135 degrees in the diagonal basis. Thus a bit can be represented by polarizing the photon in either one of two bases.


In the first phase, Alice will communicate to Bob over a quantum channel. Alice begins by choosing a random string of bits, and for each bit Alice will randomly choose a basis, rectilinear or diagonal, by which to encode the bit. She will transmit a photon for each bit with the corresponding polarization, as just described, to Bob. For every photon Bob receives, he will measure the photon's polarization by a randomly chosen basis. If, for a particular photon, Bob chose the same basis as Alice, then in principle, Bob should measure the same polarization and thus he can correctly infer the bit that Alice intended to send. If he chose the wrong basis, his result, and thus the bit he reads, will be random.

In the second phase, Bob will notify Alice over any insecure channel what basis he used to measure each photon. Alice will report back to Bob whether he chose the correct basis for each photon. At this point Alice and Bob will discard the bits corresponding to the photons which Bob measured with a different basis. Provided no errors occurred or no one manipulated the photons, Bob and Alice should now both have an identical string of bits which is called a sifted key. The example below shows the bits Alice chose, the bases she encoded them in, the bases Bob used for measurement, and the resulting sifted key after Bob and Alice discarded their bits as just mentioned [Wiki-SIFT].


Before they are finished, however, Alice and Bob agree upon a random subset of the bits to compare to ensure consistency. If the bits agree, they are discarded and the remaining bits form the shared secret key. In the absence of noise or any other measurement error, a disagreement in any of the bits compared would indicate the presence of an eavesdropper on the quantum channel. This is because if the eavesdropper, Eve, were attempting to determine the key, she would have no choice but to measure the photons sent by Alice before sending them on to Bob. This is true because the no-cloning theorem assures that she cannot replicate a particle of unknown state [Wooters82]. Since Eve will not know what bases Alice used to encode the bit until after Alice and Bob discuss their measurements, Eve will be forced to guess. If she measures on the incorrect bases, the Heisenberg Uncertainty Principle ensures that the information encoded on the other bases is now lost.

Figure: Sifted Key

Thus when the photon reaches Bob, his measurement will now be random and he will read a bit incorrectly 50% of the time. Given that Eve will choose the measurement basis incorrectly on average 50% of the time, 25% of Bob's measured bits will differ from Alice's [Rieffel00]. If Eve has eavesdropped on all the bits, then after n bit comparisons by Alice and Bob, they will reduce the probability that Eve will go undetected to $(3/4)^n$ [Lomonaco98]. The chance that an eavesdropper learned the secret is thus negligible if sufficiently long sequences of the bits are compared.
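
The sifting conversation and the BB84 eavesdropping check described above, as an added example that is not part of the original report: a Python simulation using the report's polarization angles (0°/45° for bit 0, 90°/135° for bit 1). The function names, the `+`/`x` basis labels, the seeds and the 5% abort threshold are assumptions made for illustration; with matching bases the sifted bits agree, while an Eve who measures and resends every photon produces roughly 25% errors in the sifted key.

```python
import math
import random

# Encoding from the report: bit 0 -> 0 deg (rectilinear) or 45 deg (diagonal),
# bit 1 -> 90 deg (rectilinear) or 135 deg (diagonal).
# "+" = rectilinear basis, "x" = diagonal basis (labels are an assumption).
ANGLE = {("+", 0): 0, ("+", 1): 90, ("x", 0): 45, ("x", 1): 135}


def measure(photon_angle, basis, rng):
    """Measure a polarized photon in `basis`; return (bit, collapsed_angle).

    P(bit 0) = cos^2(angle between the photon and the basis' 0-state), so the
    right basis reads the bit with certainty and the wrong basis gives a coin
    flip. The photon leaves in the state that was measured.
    """
    delta = math.radians(photon_angle - ANGLE[(basis, 0)])
    bit = 0 if rng.random() < math.cos(delta) ** 2 else 1
    return bit, ANGLE[(basis, bit)]


def run_bb84(n_photons, eve_present, seed):
    """Simulate the quantum phase and the public sifting discussion.

    Returns (alice_sifted, bob_sifted): the bits each side keeps after
    discarding positions where Bob's basis differed from Alice's.
    """
    rng = random.Random(seed)  # seeded so the run is reproducible
    alice_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_bases = [rng.choice("+x") for _ in range(n_photons)]
    bob_bases = [rng.choice("+x") for _ in range(n_photons)]

    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon = ANGLE[(a_basis, bit)]
        if eve_present:
            # Intercept-resend: Eve must guess a basis; the photon Bob
            # receives is the one her measurement left behind.
            _, photon = measure(photon, rng.choice("+x"), rng)
        received, _ = measure(photon, b_basis, rng)
        bob_bits.append(received)

    # Only the bases are announced publicly, never the measured bits.
    keep = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]


def check_and_extract(alice_sifted, bob_sifted, n_check, seed, threshold=0.05):
    """Compare a random subset publicly, then discard it.

    Returns (error_rate, key). key is None when the error rate exceeds
    `threshold` (an illustrative value, not taken from the report).
    """
    rng = random.Random(seed)
    revealed = set(rng.sample(range(len(alice_sifted)), n_check))
    errors = sum(alice_sifted[i] != bob_sifted[i] for i in revealed)
    error_rate = errors / n_check
    if error_rate > threshold:
        return error_rate, None  # abort: assume the channel was observed
    key = [b for i, b in enumerate(alice_sifted) if i not in revealed]
    return error_rate, key


def undetected_probability(n_check):
    """Chance that Eve, measuring every photon, passes n_check comparisons."""
    return 0.75 ** n_check


if __name__ == "__main__":
    for eve in (False, True):
        a, b = run_bb84(20000, eve_present=eve, seed=1)
        rate, key = check_and_extract(a, b, n_check=2000, seed=2)
        status = "aborted" if key is None else f"{len(key)}-bit key"
        print(f"eve={eve}: sifted={len(a)} error_rate={rate:.3f} -> {status}")
    print("P(undetected, 50 checks) =", undetected_probability(50))
```

The compared bits are removed from the key in both outcomes, since they were disclosed on the public channel.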

B92 Protocol

In 1992, Charles Bennett proposed what is essentially a simplified version of BB84 in his paper, "Quantum cryptography using any two non-orthogonal states" [Bennett92]. The key difference in B92 is that only two states are necessary rather than the possible 4 polarization states in BB84. As shown in figure 4, 0 can be encoded as 0 degrees in the rectilinear basis and 1 can be encoded by 45 degrees in the diagonal basis [CKI-BB92] [Gisin02]. As in BB84, Alice transmits to Bob a string of photons encoded with randomly chosen bits, but this time the bits Alice chooses dictate which bases she must use. Bob still randomly chooses a basis by which to measure, but if he chooses the wrong basis, he will not measure anything; a condition in quantum mechanics which is known as an erasure [Bruss07]. Bob can simply tell Alice after each bit she sends whether or not he measured it correctly.

Figure: B92 2-State Encoding

Other Uncertainty Based Protocols

Another variant of BB84 is the Six-State Protocol (SSP) proposed by Pasquinucci and Gisin in 1999 [SSP99]. SSP is identical to BB84 except, as its name implies, rather than using two or four states, SSP uses six states on three orthogonal bases by which to encode the bits sent. This means that an eavesdropper would have to choose the right basis from among 3 possibilities. This extra choice causes the eavesdropper to produce a higher rate of error, thus becoming easier to detect. Bruss and Macchiavello proved in 2002 that such higher-dimensional systems offer increased security [Bruss02].

While there are a number of other BB84 variants, one of the more recent was proposed in 2004 by Scarani, Acin, Ribordy, and Gisin [Sarg04]. The SARG04 protocol shares the exact same first phase as BB84. In the second phase, when Alice and Bob determine for which bits their bases matched, Alice does not directly announce her bases. Rather she announces a pair of non-orthogonal states, one of which she used to encode her bit. If Bob used the correct basis, he will measure the correct state. If he chose incorrectly, he will not measure either of Alice's states and he will not be able to determine the bit. This protocol has a specific advantage when used in practical equipment as will be discussed in Section 5.

BB84 was the first proposed QKD protocol and it was based on Heisenberg's Uncertainty Principle. A whole series of protocols followed which built on the ideas of BB84. Some of the most notable of these were B92, SSP, and Sarg04. The next section describes the alternate approach to QKD which is based on the principle of quantum entanglement.


Protocols Utilizing Quantum Entanglement

Artur Ekert contributed a new approach to quantum key distribution where the key is distributed using quantum teleportation [Eckert91]. This section describes his protocol and its application to the protocols based on HUP described in the previous section.

Ekert's Protocol

Figure: Entangled QKD Model

Ekert describes a channel where there is a single source that emits pairs of entangled particles, which could be polarized photons [Eckert91]. The particles are separated and Alice and Bob each receive one particle from each pair as shown in figure 5. Alice and Bob would each choose random bases on which to measure their received particles. As in BB84, they would discuss in the clear which bases they used for their measurements. For each measurement where Alice and Bob used the same bases, they should expect opposite results due to the principle of quantum entanglement as described earlier. This means that if Alice and Bob both interpret their measurements as bits as before, they each have a bit string which is the binary complement of the other. Either party could invert their key and they would thus share a secret key.

The presence of an eavesdropper can be detected by examining the photons for which Alice and Bob chose different bases for measurement. Alice and Bob can measure these photons in a third basis and discuss their results. With this information they can test Bell's Inequality which should not hold for entangled particles [Gisin02]. If the inequality does hold, it would indicate that the photons were not truly entangled and thus there may be an eavesdropper present.


Entangled BB84 Variants

It is important to note the similarity between Ekert's protocol and BB84. If Alice was the source and Alice and Bob did not perform Ekert's entanglement check, we are essentially left with BB84. Bennett and Brassard [BBM92] noted that any variant of BB84 could be adapted to use an entangled photon source instead of Alice being the source. In particular, Enzer et al. (2002) [Enzer02] described an entangled version of the SSP protocol with added security. Work has also been done that shows that the SARG04 protocol can tolerate fewer errors with a two-photon source (entangled) than a single-photon source (Alice) [Fung06].

This section described the approach to QKD that utilized the principle of quantum entanglement. Artur Ekert was the first to propose the idea in his 1991 paper, but Bennett and Brassard pointed out that his ideas could be incorporated into the BB84 protocol. A series of subsequent papers investigated the use of quantum entangled photons in the variants of the BB84 protocols.


(5)

Practical Security Concerns

QKD is unconditionally secure in the sense that no assumptions are made about Eve's inability to compute hard mathematical problems but rather her inability to violate physics [Bruss07]. Even with this security, however, the QKD protocols are still susceptible to a man-in-the-middle attack where Eve pretends to be Bob to Alice and simultaneously pretends to be Alice to Bob. Such an attack is impossible to prevent under any key distribution protocol without Alice and Bob authenticating each other first. Furthermore it is not immediately obvious whether QKD protocols are perfectly secure when used with imperfect equipment and in the presence of noise. This section examines the security of the QKD protocols in practical systems.

QKD with Noisy Channels - Privacy Amplification

In real systems, if Alice and Bob discover their measurements are not perfectly correlated, it is difficult for them to determine whether the discrepancy was caused by using noisy imperfect equipment or whether there was an eavesdropper present creating perturbations in the state of the photons by measuring them. We have already discussed in sections 3 and 4 how the two approaches to QKD would detect an eavesdropper under ideal conditions. In practical systems, Alice and Bob would not want to discard every transmission that wasn't error free since there likely will always be some natural error not caused by Eve. Since there is some error, we must assume that Eve may have successfully learned some of the key's bits. QKD protocols can employ a technique known as privacy amplification to reduce the information Eve has about the key down to an arbitrary level.

Before applying privacy amplification, Alice and Bob must first remove the errors from their shared key. They can use classical error correction to arrive at the same key without giving the key away to Eve. A simple scheme would involve Alice randomly choosing pairs of bits and sending the xor value to Bob [Gisin02]. Bob would tell Alice whether or not he has the same xor value for those pairs of bits. In this way they could arrive at the same shared key without revealing what the bit values were in each pair they compared.

With Alice and Bob sharing an identical key, they can transform their key into a new key in a way that Eve could not unless she also had exactly the same entire key. This technique is called privacy amplification and involves shrinking the original key to a new key unknowable to Eve. A simple privacy amplification scheme is for Alice to announce to Bob pairs of bits from the original key [Gisin02]. Alice and Bob would then replace these random pairs of bits in the original key with the xor value for each pair to create a new key. Eve cannot know the xor value for a pair of bits with certainty unless she is certain of both original bits, thus she cannot know the new key.
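The two pair-XOR steps described above, as an added example that is not part of the original report. Assumptions: on a parity match Alice and Bob keep the first bit of the pair and drop the second, and on a mismatch they drop both (the report does not say what happens to the pair); Eve is modelled as knowing a fixed fraction of the reconciled key with certainty; all names and parameters are hypothetical.

```python
import random


def noisy_copy(bits, error_rate, rng):
    """Bob's raw key: Alice's bits with independent channel errors (constructed data)."""
    return [b ^ (rng.random() < error_rate) for b in bits]


def reconcile_round(alice, bob, rng):
    """One round of pairwise-parity error removal.

    Alice publicly announces random pairs (i, j) and a_i XOR a_j.
    Bob answers only "same" or "different"; no individual bit is revealed.
    Assumption: on "same" both keep bit i and drop bit j, on "different"
    both bits are dropped.
    """
    order = list(range(len(alice)))
    rng.shuffle(order)  # the public pairing
    a_out, b_out = [], []
    for i, j in zip(order[0::2], order[1::2]):
        if alice[i] ^ alice[j] == bob[i] ^ bob[j]:
            a_out.append(alice[i])
            b_out.append(bob[i])
    return a_out, b_out


def amplify_round(key, order):
    """Privacy amplification: replace each announced pair by its XOR."""
    return [key[i] ^ key[j] for i, j in zip(order[0::2], order[1::2])]


def eve_known_after(known, order):
    """Eve knows an output bit only if she knew BOTH input bits of the pair."""
    pairs = zip(order[0::2], order[1::2])
    return {pos for pos, (i, j) in enumerate(pairs) if i in known and j in known}


def run_demo(n=4096, error_rate=0.05, eve_fraction=0.25, seed=1):
    rng = random.Random(seed)
    alice = [rng.getrandbits(1) for _ in range(n)]
    bob = noisy_copy(alice, error_rate, rng)
    errors_before = sum(a != b for a, b in zip(alice, bob))

    # Error removal: a pair survives only if both bits agree or both differ,
    # so the error rate e becomes e^2 / (e^2 + (1 - e)^2) each round.
    for _ in range(3):
        alice, bob = reconcile_round(alice, bob, rng)
    errors_after = sum(a != b for a, b in zip(alice, bob))

    # Assumption: Eve knows this fraction of the reconciled key with certainty.
    known = set(rng.sample(range(len(alice)), int(eve_fraction * len(alice))))
    eve_before = len(known) / len(alice)

    # Alice announces the pairing (indices only, never values).
    order = list(range(len(alice)))
    rng.shuffle(order)
    alice_final = amplify_round(alice, order)
    bob_final = amplify_round(bob, order)
    eve_after = len(eve_known_after(known, order)) / len(alice_final)

    return {
        "errors_before": errors_before,
        "errors_after": errors_after,
        "alice_final": alice_final,
        "bob_final": bob_final,
        "eve_fraction_before": eve_before,
        "eve_fraction_after": eve_after,
    }


if __name__ == "__main__":
    r = run_demo()
    print("bit errors before/after reconciliation:", r["errors_before"], r["errors_after"])
    print("final key length:", len(r["alice_final"]))
    print("fraction of key Eve knows before/after amplification: %.3f / %.3f"
          % (r["eve_fraction_before"], r["eve_fraction_after"]))
```

Both steps cost key material: every reconciliation round and every amplification round at least halves the key, which is why practical systems use more efficient error correction and hashing.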


QKD with Practical Equipment - PNS Attack

Figure: Photon Number Splitting Attack

In addition to noise, it is also currently impractical for equipment to reliably produce and detect single photons. Instead real systems often use a laser producing a small amount of coherent light. Producing multiple photons, however, opens up a new attack known as the photon number splitting (PNS) attack [Brassard00] shown above in figure 6. In PNS, Eve splits off a single photon or a small number of photons from each bit transmission for measurement and allows the rest to pass on to Bob. This would allow Eve to measure her photons without disturbing the photons Bob measures. Lo et al. developed a trick to send extra decoy pulses for Alice and Bob to measure, allowing them to detect a PNS attack [Lo05]. In addition, the SARG04 protocol is resistant to the PNS attack because Alice does not directly reveal her bases [Sarg04]. Instead, as described in Section 3, she reveals a pair of non-orthogonal states in which the bit might be encoded. If Bob chose the correct bases he will discover that he measured one of these two states that Alice revealed. If not, Alice and Bob will drop that bit. This means that Eve does not know which bases to use when measuring her copy of the photon even after Alice and Bob agree on the bases used. This forces Eve to guess, which means she will not know the bit with certainty. In 2004, Gottesman et al. published a paper [Gottesman04] describing how the security of BB84 based QKD protocols holds when using imperfect devices.

This section examined the security of QKD in the presence of noise and when using imperfect equipment. Privacy amplification was introduced to describe how the QKD protocols could be sure Eve maintains no useful information when errors are detected during measurement. The photon number splitting attack, resulting from an imperfect photon source, was also described.

Attacks:

Example: Intercept and resend

The simplest type of possible attack is the intercept-resend attack, where Eve measures the quantum states (photons) sent by Alice and then sends replacement states to Bob, prepared in the state she measures. In the BB84 protocol, this produces errors in the key Alice and Bob share. As Eve has no knowledge of the basis a state sent by Alice is encoded in, she can only guess which basis to measure in, in the same way as Bob. If she chooses correctly, she measures the correct photon polarization state as sent by Alice, and resends the correct state to Bob. However, if she chooses incorrectly, the state she measures is random, and the state sent to Bob is sometimes not the same as the state sent by Alice. If Bob then measures this state in the same basis Alice sent, he gets a random result (as Eve has sent him a state in the opposite basis) instead of the correct result he would get without the presence of Eve. The table below shows an example of this type of attack.

Alice's random bit 0 1 1 0 1 0 0 1

Alice's random sending basis

Photon polarization Alice sends

Eve's random measuring basis

Polarization Eve measures and sends

Bob's random measuring basis

Photon polarization Bob measures

PUBLIC DISCUSSION OF BASIS

Shared secret key 0 0 0 1

Errors in key ✓ ✘ ✓ ✓

The probability Eve chooses the incorrect basis is 50% (assuming Alice chooses randomly), and if Bob measures this intercepted photon in the basis Alice sent he gets a random result, i.e., an incorrect result with probability of 50%. The probability an intercepted photon generates an error in the key string is then 50% x 50% = 25%. If Alice and Bob publicly compare n of their key bits (thus discarding them as key bits, as they are no longer secret) the probability they find disagreement and identify the presence of Eve is

So to detect an eavesdropper with probability Pd = 0.999999999 Alice and Bob need to compare n = 72 key bits.
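A simulation of the intercept-resend case discussed above, as an added example that is not part of the original report. It models a photon as a (basis, bit) pair, reproduces the 25% error rate in the sifted key, and evaluates the detection probability for n compared bits as 1 - 0.75^n, a closed form derived here from the 25% per-bit figure; function names and the seed are hypothetical.

```python
import random

RECTILINEAR, DIAGONAL = 0, 1  # the two BB84 bases


def measure(photon, basis, rng):
    """Measuring in the preparation basis returns the encoded bit;
    measuring in the other basis returns a uniformly random bit."""
    prep_basis, bit = photon
    return bit if basis == prep_basis else rng.getrandbits(1)


def run_bb84(n_photons, eve_present, rng):
    """Return Alice's and Bob's sifted keys (positions where their bases matched)."""
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        a_bit, a_basis = rng.getrandbits(1), rng.getrandbits(1)
        photon = (a_basis, a_bit)
        if eve_present:
            # Eve guesses a basis, measures, and resends what she measured.
            e_basis = rng.getrandbits(1)
            photon = (e_basis, measure(photon, e_basis, rng))
        b_basis = rng.getrandbits(1)
        b_bit = measure(photon, b_basis, rng)
        if a_basis == b_basis:  # public discussion of bases
            alice_key.append(a_bit)
            bob_key.append(b_bit)
    return alice_key, bob_key


def error_rate(alice_key, bob_key):
    """Fraction of sifted positions where Alice and Bob disagree."""
    return sum(a != b for a, b in zip(alice_key, bob_key)) / len(alice_key)


def detection_probability(n_compared, per_bit_error=0.25):
    """Each compared bit agrees with probability 1 - per_bit_error, so all
    n agree (Eve goes unnoticed) with probability (1 - per_bit_error)^n."""
    return 1 - (1 - per_bit_error) ** n_compared


def eve_detected(alice_key, bob_key, n_compared, rng):
    """Alice and Bob publicly compare n randomly chosen sifted bits."""
    sample = rng.sample(range(len(alice_key)), n_compared)
    return any(alice_key[i] != bob_key[i] for i in sample)


def empirical_detection_rate(alice_key, bob_key, n_compared, trials, rng):
    """Repeat the public comparison many times to estimate the detection rate."""
    hits = sum(eve_detected(alice_key, bob_key, n_compared, rng) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    rng = random.Random(2009)  # fixed seed so the run is repeatable
    clean = run_bb84(40000, False, rng)
    tapped = run_bb84(40000, True, rng)
    print("error rate without Eve: %.3f" % error_rate(*clean))
    print("error rate with Eve:    %.3f" % error_rate(*tapped))
    for n in (4, 16, 72):
        print("n=%2d  predicted %.9f  observed %.3f" % (
            n, detection_probability(n),
            empirical_detection_rate(tapped[0], tapped[1], n, 2000, rng)))
```

In a noisy channel the comparison yields an error rate rather than a yes/no answer, so the operational check is whether the measured rate exceeds what the equipment alone would explain.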

Security Proofs

The above is just a simple example of an attack. If Eve is assumed to have unlimited resources, for example classical and quantum computing power, there are many more attacks possible. BB84 has been proven secure against any attacks allowed by quantum mechanics, both for sending information using an ideal photon source which only ever emits a single photon at a time, and also using practical photon sources which sometimes emit multiphoton pulses. These proofs are unconditionally secure in the sense that no conditions are imposed on the resources available to the eavesdropper; however, there are other conditions required:

1. Eve cannot access Alice and Bob's encoding and decoding devices.

2. The random number generators used by Alice and Bob must be trusted and truly random (for example a quantum random number generator).

3. The classical communication channel must be authenticated using an unconditionally secure authentication scheme.

Man in the middle attack

Quantum cryptography is vulnerable to a man-in-the-middle attack when used without authentication to the same extent as any classical protocol, since no known principle of quantum mechanics can distinguish friend from foe. As in the classical case, Alice and Bob cannot authenticate each other and establish a secure connection without some means of verifying each other's identities (such as an initial shared secret). If Alice and Bob have an initial shared secret then they can use an unconditionally secure authentication scheme (such as Carter-Wegman) along with quantum key distribution to exponentially expand this key, using a small amount of the new key to authenticate the next session. Several methods to create this initial shared secret have been proposed, for example using a 3rd party or chaos theory.

Photon number splitting attack

In the BB84 protocol Alice sends quantum states to Bob using single photons. In practice many implementations use laser pulses attenuated to a very low level to send the quantum states. These laser pulses contain a very small number of photons, for example 0.2 photons per pulse, which are distributed according to a Poissonian distribution. This means most pulses actually contain no photons (no pulse is sent), some pulses contain 1 photon (which is desired) and a few pulses contain 2 or more photons. If the pulse contains more than one photon, then Eve can split off the extra photons and transmit the remaining single photon to Bob. This is the basis of the photon number splitting attack, where Eve stores these extra photons in a quantum memory until Bob detects the remaining single photon and Alice reveals the encoding basis. Eve can then measure her photons in the correct basis and obtain information on the key without introducing detectable errors.

Even with the possibility of a PNS attack a secure key can still be generated, as shown in the GLLP security proof; however, a much higher amount of privacy amplification is needed, reducing the secure key rate significantly (with PNS the rate scales as t^2 as compared to t for a single photon source, where t is the transmittance of the quantum channel).

There are several solutions to this problem. The most obvious is to use a true single photon source instead of an attenuated laser. While such sources are still at a developmental stage, QKD has been carried out successfully with them. However, as current sources operate at a low efficiency and frequency, key rates and transmission distances are limited. Another solution is to modify the BB84 protocol, as is done for example in the SARG04 protocol, in which the secure key rate scales as t^(3/2). The most promising solution is the decoy state idea, in which Alice randomly sends some of her laser pulses with a lower average photon number. These decoy states can be used to detect a PNS attack, as Eve has no way to tell which pulses are signal and which decoy. Using this idea the secure key rate scales as t, the same as for a single photon source. This idea has been implemented successfully in several QKD experiments, allowing for high key rates secure against all known attacks.

Hacking attacks

Hacking attacks target imperfections in the implementation of the protocol instead of the protocol directly. If the equipment used in quantum cryptography can be tampered with, it could be made to generate keys that were not secure using a random number generator attack. Another common class of attacks is the Trojan horse attack, which does not require physical access to the endpoints: rather than attempt to read Alice and Bob's single photons, Mallory sends a large pulse of light back to Alice in between transmitted photons. Alice's equipment reflects some of Mallory's light, revealing the state of Alice's polarizer. This attack is easy to avoid, for example using an optical isolator to prevent light from entering Alice's system, and all other hacking attacks can similarly be defeated by modifying the implementation. Apart from Trojan horse there are several other known attacks including faked state attacks, phase remapping attacks and time-shift attacks. The time-shift attack has even been successfully demonstrated on a commercial quantum crypto-system. This demonstration is the first successful demonstration of quantum hacking against a non-homemade quantum key distribution system.

Denial of service

Because currently a dedicated fibre optic line (or line of sight in free space) is required between the two points linked by quantum cryptography, a denial of service attack can be mounted by simply cutting or blocking the line.

(6) Real Life Applications and Recent Achievements

Quantum finance

MONEY has been transferred between banks using quantum cryptography for the first time. This novel technology promises to make exchanging information 100 per cent secure, and the latest feat brings it nearer to commercialisation. The experiment was carried out by a team headed by Anton Zeilinger of the University of Vienna. The city's mayor sent a donation of €3000 to the team, using data sent along an optical fiber threaded through sewers between Vienna City Hall and the Schottengasse branch of Bank Austria-Creditanstalt. Encrypting and decrypting the message required a key, sent secretly from the transmitter to the receiver using pairs of entangled photons. Any eavesdropper would have disturbed the quantum entanglement and signaled their presence, as well as making it impossible to extract any information from the message. The commercial quantum cryptographic devices that already exist use a different system, employing weak pulses of light to create a secure key. Using pairs of entangled photons makes it easier to guarantee absolute secrecy. Although the two buildings in the Vienna transfer were only 500 meters apart, Zeilinger says that it should be possible to extend such links to 20 kilometres. "In three years, we'll have a marketable system," says team member Andrea Aglibut.

Quantum Encryption Computer with Wireless Link

The world's first quantum encryption computer network has been expanded to include a wireless link that uses quantum communications codes. Most modern cryptography rests upon the difficulty of solving very complex mathematical problems used to encrypt data. This makes it theoretically vulnerable to being hacked using dramatic mathematical or computing breakthroughs. By contrast, quantum cryptography near guarantees communications security, using quirks of quantum physics to thwart eavesdropping attempts. The wireless connection was added to the DARPA Quantum Network, a quantum fiber-optic network buried beneath the ground in Massachusetts, US. The network was built by US company BBN Technologies with funding from the US Defense Advanced Research Projects Agency (DARPA). It now links 10 different sites, including BBN's offices, Harvard University and Boston University. The wireless connection was installed by UK defense research company QinetiQ. Brian Lowans, at QinetiQ, says introducing the wireless link represents a "critical first step toward global networks protected by quantum cryptography". QinetiQ has already demonstrated a wireless quantum link over 25 kilometers. But eventually researchers hope to extend the range to be able to reach satellites that orbit at an altitude of hundreds or even thousands of kilometres. Tim Spiller, a researcher at Hewlett Packard's labs in Bristol, UK, says this could be used to secure communications over long distances on the ground. "It's a long term aim," he told New Scientist. "It really expands your options for sharing cryptographic keys." Quantum cryptography guarantees security by encoding information as polarized photons which can be sent down a fiber optic cable or through the air. Intercepting these photons disturbs their quantum state, alerting both sides to an eavesdropper's presence.

"An uncrackable information network has long been a goal for government and financial institutions," says Chip Elliott, principal engineer at BBN Technologies. "With the addition of the free space link nodes, we have demonstrated the potential for a complete quantum cryptography network that's both wired and wireless."

Intruder detection

Quantum cryptography guarantees secure communications by harnessing the quantum quirks of photons sent between users. Any attempt to intercept the photons will disturb their quantum state and raise the alarm. But Elliott points out that even quantum cryptography "does not give you 100 per cent security". Although quantum keys are theoretically impossible to intercept without detection, implementing them in the real world presents hackers with several potential ways to listen in unobserved.

One example is if a laser inadvertently produces more than one photon, which happens occasionally. An eavesdropper could potentially siphon off the extra photons and decrypt the key, although no one has actually done this.

"However Qnet is more secure than current internet cryptography," says Elliott, which relies on "one way functions". These are mathematical operations that are very simple to compute in one direction, but require huge computing power to perform in reverse.

Secure Electronic Ballots (E-voting)

As technology advances, electronic voting is becoming more of a normal occurrence in general elections. There are two main types of electronic voting machines, optical scan machines and direct-recording electronic (DRE) machines. Casting a ballot using an optical scan machine involves the following three steps.

Electronic Voting Using Optical Scanner

The three steps shown in Figure 1 are as follows:

1. The voter receives a paper ballot from a poll worker. The voter then makes their selections by filling the bubbles on the ballot in the same manner a student would fill out a standardized test.

2. The ballot is then given to a poll worker where the voter watches as their ballot sheet is scanned by an optical scan voting machine. The voter's selections are then converted into binary and stored in the machine's internal memory with all the other votes scanned by that machine.

3. At the conclusion of the election, all the stored votes within the optical scanning machines are sent electronically to the county Board of Elections (BOE) for counting. The paper ballots are kept for future audits.

Casting a ballot using a DRE machine involves the following three steps:

1. The voter inserts a smart card, issued by a poll worker, into the DRE machine. The DRE machine has a touch screen displaying the ballot.

2. The votes made by the voter are recorded by the vote recording software and saved directly into the DRE machine's internal memory, along with all the other votes cast on that DRE machine.

3. At the conclusion of the election, the contents of the DRE machines are sent electronically to the county Board of Elections for counting.

Electronic Voting Using DRE

The three-step processes described for the optical scanning machines and DRE machines are susceptible to an attack at each step in the voting process. In step one of the voting process, the machine could be compromised with vote stealing software. In this scenario, the voting machine needs to be physically secure to prevent this type of attack. In step two of the voting process, the machine could be compromised to incorrectly record a vote, where a person may be able to vote multiple times, delete votes, or disable the machine entirely. In this scenario, the voting machine needs to be physically secure, in addition to providing a means of verifying that a voter's ballot was recorded correctly. In the third step of the voting process, the centralized tallying machine that performs the counting of the votes could be compromised, where the election could be skewed in any direction. In this scenario, the centralized voting machine needs to be physically secure and the transmission of votes from the voting machines needs to be secure as well.

The electronic voting process has a number of other vulnerabilities discovered by University of California researchers, but the vulnerabilities discussed cover a majority of them. As stated in the introduction, securing an electronic ballot is more than just protecting the electronic ballot against third party interception. Electronic voting systems must be physically secure as well as electronically secure. Quantum cryptographic systems only contribute to securing ballots at the third step of the voting process, specifically the electronic transmission of electronic ballots from one location to the centralized counting machine. This is how the technology was applied by the Swiss for securing electronic ballots during the parliamentary election held on October 21, 2007.

Swiss Secure Balloting (Protection Of Swiss Election)

Geneva, Switzerland has been the innovator of electronic voting by being one of the first to offer electronic voting over the internet. They have also been credited with being the first to use a quantum cryptographic system to secure electronic ballots over a fiber-optic line. The quantum cryptographic system was developed by Id Quantique in collaboration with Senetas by Professor Nicolas Gisin at the University of Geneva. The quantum cryptographic unit that was developed is called ID500. The price tag associated with this cryptographic box starts at $50,000. The technology has been in development for at least two decades and has benefited from financial support from the United States military.

The cryptographic systems employed by the Swiss are used for securing a link between the central ballot-counting station in downtown Geneva and government data centers in the suburbs of Geneva over fiber-optic channels. The newly used quantum cryptographic system is used to transmit the count totals of a public election. Quantum cryptographic technology is specifically used in the exchange of secret keys for point-to-point encryption methods such as Triple-DES or Advanced Encryption Standard at speeds of about 100 times a second and is capable of automatically detecting a third party eavesdropping on the communication stream. The encryption boxes used by the Swiss use quantum cryptographic technology for exchanging secret keys and use Triple-DES to provide a secure point-to-point connection between two parties. Initially, the quantum cryptographic systems used by the Swiss proved to be successful, but they do have limitations, which include encryption speed and transmission distance. Currently,

typical quantum cryptographic machines can only transmit at speeds of 100 Mbps while the Swiss system is capable of encrypting at 1 Gbps. The hardware used is limited to a 50 mile transmission distance before the photons performing the encryption over the fiber-optic line begin to degrade. These limitations are introduced by how quantum cryptographic systems perform a key exchange. Currently, there are plans for enhancing QC systems to reduce these limitations and the number of attacks to which they are susceptible.

Stopping Software Piracy (By Generation Of Uncrackable Codes)

THE long-running battle between coders and code-breakers could soon be over, as a breakthrough in quantum cryptography has brought uncrackable codes a step closer. To exchange a coded message, the sender and recipient must somehow share a secret sequence of 0s and 1s that is used as a key to encode and decode the message. The problem is finding a way to exchange the key without it being intercepted. To achieve this, cryptographers have developed the technique known as quantum key distribution, which uses the quantum properties of photons to encode the key. But the technique has an Achilles' heel.

(7) Conclusion And Future Scope

Future enhancements of current QC systems include making QC more secure, increasing the transmission distance of fiber-optic lines, increasing encryption rates and making the technology wireless. One might think QC systems are unconditionally secure because of the quantum mechanics theory used, but the theory can only be solid if QC hardware transmits single photons. Current QC implementations do not transmit single photons, but bursts of photons. With photon bursts instead of single photons, eavesdropping attacks are possible because Eve could siphon off individual photons without being detected.

One proposal, introduced by Toshiba, for making QC systems more secure is to send randomly interspersed pulses, called decoy pulses, within the quantum signal. These decoy pulses are weaker than the real quantum signals, which means the decoy pulses rarely contain more than one photon. So, the sender and receiver can monitor the ratio of decoy pulses to real quantum signals that made it through to determine if an eavesdropper was present. With decoy pulses, Eve will have a harder time siphoning meaningful photons, decreasing the level of vulnerability of the QC system. This approach would also increase the transmission distance and encryption rate by 100-fold because stronger quantum pulses can be used.

Another advancement for making QC systems more secure is the development of a light emitting diode capable of emitting a single photon more reliably. Toshiba's methodology is to create an array of quantum dots, each about 45 nanometers in diameter, for emitting a single photon. This advancement would increase the level of security offered by current QC systems, but does not resolve the transmission distance and encryption rate limitations. The most promising advancement to QC systems is the wireless application.

Current QC systems transmit their quantum signals across fiber-optic channels, but only a small few have been able to send quantum signals through free space. Current military plans are to use satellites to transmit quantum photons globally. Few people have been able to transmit QC photons through free space, but it has been proven that wireless QC systems are conceivable. Having a wireless QC system would alleviate the transmission distance limitation. The encryption rate limitation can be resolved with advancements in electronic hardware when larger capacity storage devices and better processors become available. Wireless QC systems are still in the development stage, but the few successful attempts are making strides in the realization of commercial wireless QC systems.

Future developments will focus on faster photon detectors, a major factor limiting the development of practical systems for widespread commercial use. Chip Elliott, BBN's principal engineer, says the company is working with the University of Rochester and NIST's Boulder Laboratories in Colorado to develop practical superconducting photon detectors based on niobium nitride, which would operate at 4 K and 10 GHz.

The ultimate goal is to make QKD more reliable, integrate it with today's telecommunications infrastructure, and increase the transmission distance and rate of key generation. Thus the long-term goals of quantum key distribution are the realistic implementation via fibers, for example, for different buildings of a bank or company, and free space key exchange via satellites. Quantum cryptography already provides the most advanced technology of quantum information science, and is on the way to achieve the (quantum) jump from university laboratories to the real world.

Quantum cryptographic systems are becoming more of a reality with each passing day. The primary use of QC systems is for the distribution of secret keys for encrypting and decrypting a conversation between two parties, but they are being used by several financial institutions and by the Swiss for securing electronic ballots and have been supported greatly by the military. The Swiss have successfully used quantum cryptography in securing the ballots of a public election when the ballots are transferred from the voting centers to the counting and archiving center, which is only a portion of actually securing electronic ballots. Because QC systems are based on the principles of quantum mechanics, QC systems are inherently secure against eavesdropping, although QC systems are susceptible to several man-in-the-middle and denial of service attacks. There are several different ways to perform quantum key exchange, such as the BB84 protocol, the B92 protocol, and the Ekert scheme protocol. The QC system is very promising and advancements are being made to improve upon the technology, most notably a wireless implementation. With all the hype surrounding quantum cryptographic systems, the technology is very promising, but still susceptible to hacker attacks and has transmission distance and encryption rate limitations. These limitations are being addressed and proposals have been made to resolve these limitations and protect against the known hacker attacks, but it may be a while until the quantum cryptographic systems are accepted and used on a larger scale.


(8)

References
