quantum cryptography beyond the buzz grégoire ribordy cern, may 3rd 2006
TRANSCRIPT
Quantum CryptographyQuantum CryptographyBeyond the buzzBeyond the buzz
Grégoire RibordyCERN, May 3rd 2006
2www.idquantique.com
OutlineOutline
Quantum physics and information technology
The limits of classical cryptography
The principles of quantum cryptography
Practical systems and applications
Future directions
3www.idquantique.com
Moore’s law and quantum physicsMoore’s law and quantum physics
O ui
N on
1
10
100
1000
10000
100000
1970 1980 1990 2000 2010 2020
Year
Tra
nsi
sto
rs p
er
chi
p
[x
1000
]
0
10
20
30
40
50
Siz
e o
f tra
nsis
tor'
s g
rid
[a
tom
s]
1
10
100
1000
10000
100000
1970 1980 1990 2000 2010 2020
Year
Tra
nsi
sto
rs p
er
chi
p
[x
1000
]
0
10
20
30
40
50
Siz
e o
f tra
nsis
tor'
s g
rid
[a
tom
s]
Quantum Limit
4www.idquantique.com
Classical and Quantum physicsClassical and Quantum physics
Classical physics … - 1900 Describes the macroscopic world
Deterministic
Intuitive
Quantum physics 1900 - … Description of the microscopic
world
Probabilistic Central role of the observer Not very intuitive
Quantum physics Novel information processing possibilities Quantum Information Theory (QIT)
5www.idquantique.com
Generating random numbers with quantum physicsGenerating random numbers with quantum physics
High bit rate• 4 or 16 Mbits/s
Continuous monitoring
Main OS’s supported
6www.idquantique.com
OutlineOutline
Quantum physics and information technology
The limits of classical cryptography
The principles of quantum cryptography
Practical systems and applications
Future directions
7www.idquantique.com
M essage
Public Key
ScrambledM essage
M essage
Private Key
Different Keys
Message
Secret Key
ScrambledMessage
Message
Secret Key
Identical keysKey Exchange ?!?
Introduction: Classical CryptographyIntroduction: Classical Cryptography
Secret Key Cryptography
Public Key Cryptography
Alice
Bob
Different keys Key exchange solved
Vulnerabilities!!!
8www.idquantique.com
Key length
Co
mp
uti
ng
tim
e
Decryption(without key)
Security of public key cryptographySecurity of public key cryptography
EncryptionDecryption (with key)
Selected Key Length
9www.idquantique.com
Vulnerabilities of public key cryptographyVulnerabilities of public key cryptography
Key length
Co
mp
uti
ng
tim
e
Classical computer
Selected Key Length
10www.idquantique.com
Vulnerabilities of public key cryptographyVulnerabilities of public key cryptography
Key length
Co
mp
uti
ng
tim
e
Quantum computer
Classical computer
& Theoretical progress
Selected Key Length
11www.idquantique.com
Where does Quantum Cryptography fit in?Where does Quantum Cryptography fit in?
Message
Secret Key
ScrambledMessage
Message
Secret Key
Alice
Bob
Quantum Cryptography is a key distribution technique!
Quantum Key Distribution is a better name!!!
Secret key exchange by quantum cryptography
12www.idquantique.com
OutlineOutline
Quantum physics and information technology
The limits of classical cryptography
The principles of quantum cryptography
Practical systems and applications
Future directions
13www.idquantique.com
Physical implementation of a data channelPhysical implementation of a data channel
Fragile !"0"
"1""1"
Classical communication Quantum communication
Security guaranteed by the laws of quantum physics
14www.idquantique.com
Quantum Cryptography: rules of the gameQuantum Cryptography: rules of the game
1. Details of the protocole publicly known
2. Goal: to produce a secret key or nothing
« Eve cannot do better than cutting the line »
Alice and Bob: to estimate Eve’s information on key
IAE small: Produce a key
IAE large:
k’
Eve
Quantum channel
Classical channel
QUANTUM KEY DISTRIBUTION
15www.idquantique.com
Polarization of PhotonsPolarization of Photons
Direction of oscillation of the electric field associated to a lightwave
Polarization states
What can we do with it ?
50 %
E
50 %
16www.idquantique.com
Irreversibility of MeasurementsIrreversibility of Measurements
Incoming photon polarized at 90
Incoming photon polarized at 45
50 %
Rotation of polarizer
50 %
17www.idquantique.com
Quantum communicationsQuantum communications
Transmitting information with a single-photon
Use a quantum property to carry information
Liner States
= "0" = |0>
= "1" = |1>
18www.idquantique.com
Eavesdropping (1)Eavesdropping (1)
A single-photon constitutes an elementary quantum system
It cannot be split
Semi-transparent mirror
?
?
50%
50%
19www.idquantique.com
Eavesdropping (2)Eavesdropping (2)
Communication interception
Use quantum physics to force spy to introduce errors in the communication
?|0> |0>
Eve
BobAlice
20www.idquantique.com
Quantum Cryptography ProtocoleQuantum Cryptography Protocole
BB84
A better name: Quantum Key Distribution
A lice 's B it S e q u e n c e
0 1 0 - 0 1 1 1 1 - 1 0
- 1 - - 0 1 - - 1 - 1 0
B o b 's B a s e s
B o b 's R e s u lts
K e y
A lice
B o b
P o la riz e r s
H o r iz o n ta l - Ve rtic a l
D ia g o n a l ( -4 5 , + 4 5 )
H /V B a s is
4 5 B a s is
0
0
0
0
21www.idquantique.com
Eavesdropping (3)Eavesdropping (3)
50% 50%
50%50%
50% 50% 50%50%
Bob
Eve
Ok Ok OkErrorError
Alice
22www.idquantique.com
Key Distillation (ideal case)Key Distillation (ideal case)
Alice BobQuantum channel
Qubits
Transmission
Basis
Reconciliation
QBERestimate
QBER =0 : no eavesdropping
> 0 : eavesdropping
Sifted key
Reveals rather than prevents eavesdropping
A better name: quantum key distributionquantum key distribution
23www.idquantique.com
Key Distillation (realistic case)Key Distillation (realistic case)
Alice BobQuantum channel
Public channel
(losses)
Qubits
Transmission
Basis
Reconciliation
QBERestimate
Error
correctionPrivacy
amplification
Sifted key
Raw key
Key Key
24www.idquantique.com
Information curvesInformation curves
0.40.0
Sh
an
no
n In
form
atio
n
0.1 0.2 0.30.0
0.2
0.4
0.6
0.8
1.0
QBER
)(1 QBERHI AB
IAEOpt. indiv. attack
Secret key rate
25www.idquantique.com
The Principles of Quantum Cryptography: SummaryThe Principles of Quantum Cryptography: Summary
Quantum CommunicationQuantum CommunicationRaw key exchangeRaw key exchange
Integrity VerificationIntegrity VerificationKey DistillationKey Distillation
Key UseKey Use
Quantum Cryptography
Conventional SymmetricCryptography
Point-to-point optical link
Future-proof key exchangewith security guaranteed bythe laws of physics
26www.idquantique.com
OutlineOutline
Quantum physics and information technology
The limits of classical cryptography
The principles of quantum cryptography
Practical systems and applications
Future directions
27www.idquantique.com
Building a Quantum Key Distibution SystemBuilding a Quantum Key Distibution System
Necessary components
“System approach”
ChannelSingle-Photon Source
Single-Photon Detector
28www.idquantique.com
Polarization CodingPolarization Coding
Typical system
LD 1
LD 2
LD 3
LD 4
QuantumChannel
Alice BobBasis 1
Basis 2
/2
PBS
PBS
"0"
"1""0"
Waveplates
BS
BS
BS F "1"
APD
APD
Public Channel
29www.idquantique.com
InterferencesInterferences
30www.idquantique.com
InterferometerInterferometer
Classical interference
Port 1
Port 2
E
1E
2E
0
0.5
1
0 2 4 6
Phase [radians]
Sortie 1
Sortie 2
31www.idquantique.com
Phase encodingPhase encoding
Quantum optics: single-photon
A
B
A lic e
B o b
D 2
D 10
0.5
1
0 2 4 6
Phase [radians]
Output 1
Output 2
Base 1: A = 0;
Base 2: A =
Basis choice: B = 0;
Compatible: Alice A Di
Bob Di A(A-B = n)Bas
es Incompatible: Alice and Bob ??
(A-B = )
32www.idquantique.com
Phase encoding (2)Phase encoding (2)
Stability of such system ???
In practice
A
B
A lic e
B o b
D 2
D 1
10 km
10 km ± /10 (100 nm)
A lice
A B
B o b
Time (ns)
LL
0
20
40
60
80
CC
-3 -2 -1 0 1 2 3
CL + LC
+
33www.idquantique.com
Auto-compensated set-upAuto-compensated set-up
Time multiplexing
A lice
B obA
B
A tt .S h o r t a rm
L o n g a rm
M F
S P
34www.idquantique.com
Practical requirementsPractical requirements
Distance limitation < 100 km
Current range is sufficient for a vast majority of MAN/SAN applications
Point-to-point dark fiber• Amplifiers• Opto-electro-opto conversion
perturbation of the quantum state of the photon
Distance
Signal, Noise
pnoise
psignal
35www.idquantique.com
Link Encryptors with QKDLink Encryptors with QKD
Network Appliance• Point-to-point link encryption
• Layer 2 device
• Network protocole independent
• Compatible with higher layer encryption
Specifications- Encryption: AES (128, 192, 256 bits)- Key rate as high as 100 keys / s- Distance < 100 km (60 miles)- Pair of dark fiber
Target ApplicationsMAN or SAN encryption
36www.idquantique.com
« Swiss Quantum » Pilot Site« Swiss Quantum » Pilot Site
37www.idquantique.com
OutlineOutline
Quantum physics and information technology
The limits of classical cryptography
The principles of quantum cryptography
Practical systems and applications
Future directions
38www.idquantique.com
Extending the key distribution distanceExtending the key distribution distance
Chaining links
Better components
Free space links to low-earth-orbit (LEO) satellites
Quantum relays and repeaters
Tokyo Geneva
A BB' A ' B" A" B'" A '"
Telco Infrastructure
39www.idquantique.com
Compatibility with conventional optical networksCompatibility with conventional optical networks
Optical switching
WDM Links
40www.idquantique.com
Thank you very much for your attentionThank you very much for your attention
id Quantique SA
Chemin de la Marbrerie, 3
CH-1227 Carouge
Switzerland
Ph: +41 22 301 83 71
Fax: +41 22 301 83 79
www.idquantique.com
41www.idquantique.com
Optical TapsOptical Taps
Optical taps are cheap and simple to use
« Tapping a fibre-optic cable without being detected, and making sense of the information you collect isn’t trivial but has certainly been done by intelligence agencies for the past seven or eight years. These days, it is within the range of a well funded attacker, probably even a really curious college physics major with access to a fibre optics lab and lots of time on his hands. »
John Pescatore, former NSA Analyst
The submarine « USS Carter » worth $4.1 bn will be able to tap and eavesdrop undersea cables.
42www.idquantique.com
Key useKey use
The key produced by a quantum cryptography system is used with conventional symmetric encryption algorithms• One-time pad « unconditional security »
• Other symmetric algorithms (AES, Tripe-DES, etc.) enhanced security by frequent key change
Why is Quantum Cryptography not used to transmit data?1) Quantum Cryptography cannot guarantee that one particular bit will
actually be received.With a random key, it is not a problem. With data, it is.
2) Quantum Cryptography does not prevent eavesdropping, but reveals it a posteriori. Sending a key and verifying its secrecy allows to prevent information leakage.
43www.idquantique.com
Device AuthenticationDevice Authentication
Initial key
Quantum Cryptography Session n: key material
Authentication keyEncryption/decryption key
Session nAuthentication key n
Au
the
ntic
atio
n k
ey
refre
sh
ed