andrea pasquinucciprofs.sci.univr.it/.../lezioni-extra/pasquinucci-qkd.pdfa.pasquinucci –...

Cryptography the Quantum WayCryptography the Quantum WayYesterday, Today, TomorrowYesterday, Today, Tomorrow

Andrea PasquinucciUCCI.IT

December 11th, 2012Dipartimento di Informatica

Università di Verona

A.Pasquinucci – Cryptography the Quantum Way – Verona 11/12/2012 Page:2

Contents

Who I am A QKD Quick Tour QKD and Physics QKD and Cryptography: Myth, Legends and

possible Truths? QKD and Protocols QKD on the Market


Andrea Pasquinucci First student in C.S./Physics (A.D. 1979 ...) Then career in Theoretical Physics of High

Energy Elementary Particles (USA, DK, CH, BE, IT) ... but also C.S. as SysAdmin and to “compute”

From 2000 back to C.S. in Industry (and still teaching once in a while): Networking, OS (Unix/Linux), High Performance

Computing and Web Applications Security, Cryptography


QKD

Create and distribute (symmetric) secret keys using elementary particles ruled by non-relativistic Quantum Mechanics

Photons

No encryption, only key-exchange


Brief History 1970 approx.: Stephen Wiesner's protocol for quantum

cash (published 1983) 1979: Bennet & Brassard idea of QKD (published

1982) 1984: Bennet & Brassard first and main QKD protocol

“BB84” 1989: Bennet & Brassard experimental prototype 1992: first QKD lab implementation 1994: 23Km QKD on Telco optical fibers 2004: 150Km QKD; first commercial products


How QKD works - 1

Alice & Bob need a Random Symmetric Secret Key for OTP, 3DES, AES ...

Eve wants the key

Alice & Bob need: a Quantum Communication Channel to

exchange elementary particles; a Classical Communication Channel with

authentication and integrity guaranteed.


How QKD works - 2

Simplest Eve's Setup Eve can do anything allowed by Physics on the

Quantum Channel

Eve can only listen undetected on the Classical Channel (Eavesdropping) This usually requires that Alice & Bob share an initial

Secret (QKD can be seen as a Secret Key Expansion Protocol or even as a Stream Cipher)


How QKD works - 3


How QKD works - 4 We detect Eve only after having generated the key

Eve must tamper with the Quantum Channel, information from the classical channel is not enough

Thanks to Q.M., Alice and Bob can discover Eve tampering on the Quantum Channel

We cannot use QKD directly to transfer information in a secure way There are efforts to devise “Quantum Ciphers”


How QKD works - 5

Encoding: 1 Key Bit in 1 Elementary Particle Generate single photons

No disturbances Send single photons in Dark Fibers

No repeaters Send single photons in Air/Space

Line of Sight => Distance limitation


The Physics of QKD - 1

In Quantum Mechanics, it is not possibile to measure a particle without modifying it, unless: We already know something about the particle And we use a compatible measurement


The Physics of QKD - 2

There are NO Quantum Photocopying Machines (sorry Eve ... )


BB84 - 1

We use photons either in fibre or air/space We choose 2 sets of incompatible states and

measurements, for example: Vertical polarization = 1 Horizontal polarization = 0

Diagonal Right polarization = 1 Diagonal Left polarization = 0


BB84 - 2


Eve in Action


Errors and Security All Errors Belong to Eve

Both experimental and induced by Eve Run an Error Detection / Correction Algorithm

(Reconciliation) Amount of Error => Quantum Bit Error Rate

(QBER) => Amount of Information that Eve could have obtained

Shannon Information Theory: if QBER


QBER and Secret Key

0.40.0

Shan

non

Info

rmat

ion

0.1 0.2 0.30.0

0.2

0.4

0.6

0.8

1.0

QBER

I AB=1−H (QBER)

IAESecret key rate


At Last: the Secret Key

Alice & Bob Run a Privacy Amplification Algorithm on the Key Reduces to 0 the information that possibly

Eve has obtained

The final Key is much shorter than the original photon-encoded key: 25% or less


QKD vs Classical Cryptography

Do we need QKD? Or RSA, DH ... are enough?

QKD RSAHW (fiber, “air”) SWMath proven secure Math undecidedExpensive CheapQC ready QC failsLimited Distance Any-where/how


QKD, RSA and QC RSA, DH will be defeated by Quantum

Computers (Shor's Algorithm) Integer Factorization & Discrete Logarithm Problems

Symmetric and Hash algorithms are safe (Grover's Algorithm is a minor theoretical speed up)

New Post-Quantum Public Key Cryptosystems are safe Hash-, Code-, Lattice- based and Multivariate

cryptography


QKD + OTP or QKD + RSA

QKD + One Time Pad: Proven Secure but (today) very slow (Kbps) Limit on distance (100Km) Expensive

QKD + RSA: XOR of the symmetric keys generated by QKD and

RSA Frequent key refreshment (10 times per sec.) Future proof and Perfect Forward Secrecy


QKD Network Implementation


A few QKD ProtocolsBit Encoding:

Polarization encoding Phase encoding: normal, self-aligned, sideband modulation

(frequency encoding) Entangled photon pairs: polarization / energy-time entanglement Continuous variables

Protocols depend on physics implementation: BB84: 2 + 2 orthogonal states B92: 2 non-orthogonal states 6-state: 2 + 2 + 2 orthogonal states Ekert o E91: entangled photons Higher dimensions: more than 2 orthogonal states


Implementing a QKD Protocol

Depends on: Quantum Mechanical (Physics) Implementation Assumptions on HW Realization and Behaviour Protocols / algorithms adopted in each phase Shannon Information Theory C.S. Algorithms (eg. Error Correction, Privacy

Amplification)


QKD in Real Life Multiple-Photons Sources (Weak Coherent Pulse,

Parametric Down Conversion) Eve can intercept one of many equal photons

Imperfect detectors (Avalanche Photodiode) Eve can trick the detectors

Proven-security can be not-so-secure after all ... Counter-measures:

Protocols (eg. Decoy states, SARG) HW


Commercial QKD id Quantique (Geneva CH) MagiQ (NY USA) Elsag Datamat (Genova, Italy) NEC, Toshiba, Siemens et al.: research and

developing products Military, Secret Services and Government

Agencies, Banks and Financial Institutions (eg. VISA) have shown interest

EU (SECOQC) and USA (DARPA) funding of research projects


Latest Developments

Recent news on Quantum Memories: extending QKD distance

limitations (technologies similar to QC) Quantum Dots: true single-photon sources Airborne QKD: ground to airplane (Munich D) QKD on Ordinary Fibre: QKD photons in the

same fibre as network data (Toshiba + Cambridge UK – requires new sources and new detectors)


Thanks

Andrea Pasquinucci

[email protected]

© Andrea Pasquinucci - Creative Commons BY-NC-ND 3.0

Slide 1Slide 2Slide 3Slide 4Slide 5Slide 6Slide 7Slide 8Slide 9Slide 10Slide 11Slide 12Slide 13Slide 14Slide 15Slide 16Slide 17Slide 18Slide 19Slide 20Slide 21Slide 22Slide 23Slide 24Slide 25Slide 26Slide 27Slide 28

andrea pasquinucciprofs.sci.univr.it/.../lezioni-extra/pasquinucci-qkd.pdfa.pasquinucci –...

Documents