quantum key distribution - université de mons · quantum key distribution quantum cryptography...
TRANSCRIPT
Quantum key distribution
1
Eleni Diamanti [email protected]
LTCI, CNRS, Télécom ParisTech
Paris Centre for Quantum Computing
Photonics@be doctoral school May 10, 2016
• Principles of quantum information useful for quantum cryptography
• Introduction to cryptography and key distribution
• Quantum key distribution: general idea, BB84 protocol, QKD generic algorithm, photon number splitting attacks
• Continuous-variable QKD: principle and security
• Practical implementations, towards on-chip systems
• Current challenges in quantum cryptography
2
Outline
In quantum information, information is encoded on the qubit quantum analog to the classical bit fundamental unit of information it can be any physical system that can exist in two states ions, atoms, electrons, photons
The photon is exclusively the qubit in quantum communication systems it is robust to ambient noise it can be transported for long distances in optical fibers For quantum computing systems, there are still many candidates: cold atoms, ions, superconducting circuits, photons…
Principles of quantum information
3
qubit = two-dimensional quantum system its Hilbert space is spanned by two basis states , : computational basis All states of the qubit can be expressed in this basis as:
Bloch sphere representation
0
qubit
1
z
y
x
2
0 1
qubit cos 0 sin 1ie
Superposition principle: Qubits can exist in superposition states. In general, where , i.e. the probabilities of measuring the state in the two eigenstates add up to 1
qubit 0 1
2 21
4
A useful qubit
A qubit is useful when
we can prepare it in a well defined initial state for photons, we use single-photon sources or lasers, followed by appropriate operations
beam splitter, phase shifter, half or quarter waveplates for different types of encoding
we can manipulate it by applying well controlled unitary operations for photons, we use standard photonic components
we can measure it for photons, we use single-photon detectors
the result is deterministic if we know the preparation basis, otherwise the result is ambiguous
the measurement projects the qubit at a definite state, we cannot re-measure it!
the measurement disturbs the qubit (Heisenberg’s uncertainty principle)
5
A quantum state cannot be copied, fundamental property, important for quantum cryptography
No-cloning theorem
, is impossible
6
Entanglement and nonlocality
Information can be encoded on entangled qubits an entangled state cannot be factorized in product states when one qubit is measured, the measurement result being completely random, the second qubit will be found in the corresponding state signature of nonlocality
entangled
1
2H H V V
7
Non-local states produce interesting effects when we consider correlations Bell inequalities derived for local hidden variable models
The violation of Bell’s inequality is a confirmation of the nonlocal nature of quantum mechanics
2 2 2S
What about applications?
The notions of superposition and entanglement are a precious resource for applications in quantum communications and quantum computing there is no classical analog to these notions, which allow us to improve drastically our communication and calculation capacity
These applications include quantum teleportation, entanglement swapping, quantum repeaters quantum key distribution, quantum cryptography quantum algorithms
8
the most advanced field in quantum communications, close to industrial applications
From ancient times…
The wish to communicate secretly goes back to the beginning of our civilisation in Ancient Greece, the Spartans (~400 bC) were using the Scytale transposition = rearrangement of plaintext by special permutation
cryptography = κρυπτός + γράφω = write secretly
Cesar introduced for the first time a simple cipher based on the substitution of letters substitution = replacement of letters by other letters
9
…to modern times
During the second World War, the famous Enigma, an extremely sophisticated device, was extensively used Enigma was broken by a British team (with Alan Turing) with the first digital computer (COLOSSUS)
Today, cryptography is used everywhere for military and diplomatic purposes, but also in the Internet, online commerce,… An essential different with the first encryption schemes is that the encryption and decryption algorithms are publicly known security relies solely on the secrecy of a chain of random bits, the key
10
The Vernam cipher or “one-time pad”
A B C D E … … X Y Z ! , .
00 01 02 03 04 … … 23 24 25 26 27 28 29
H E L L O W O R L D !
M 07 04 11 11 14 26 22 14 17 11 03 27
k 13 08 22 00 12 26 03 21 10 16 05 23
C 20 12 03 11 26 22 25 05 27 27 08 20
U M D L W Z F ! ! I U
Alphabet
Example
( ) (mod30)
( ) (mod30)
k
k
E M M k C
D C C k M
Algorithms
11
What is wrong with classical cryptography?
Vernam showed that if the key is truly random as long as the message only used once a spy cannot reconstruct the message even if she possesses infinite time and computational resources But the two parties first have to share the key using a trusted and secure channel cryptography = key distribution problem
Solutions “classical” dedicated trusted courier : not practical mathematical public-key cryptography : computational security
12
physical quantum cryptography : unconditional security
Security relies on mathematical assumptions that have not been proven (factorization of large prime numbers) future progress can compromise the secret messages exchanged today…
Quantum key distribution
Quantum cryptography relies on the laws of quantum mechanics superposition principle, no-cloning theorem to resolve the problem of key distribution offering unconditional security guaranteed against a spy with infinite time and computational resources
A quantum key distribution (QKD) system includes a quantum channel used for the transmission of qubits an authenticated classical channel used for testing possible perturbations in the transmission
13
Authenticated classical channel
Quantum channel
information
error
Eve’s measurement inevitably introduces perturbations that lead to detectable errors the analysis of these errors allows the generation of the secret key
During the quantum transmission, the key is obtained using either a given set of non-orthogonal quantum states of single photons or a given set of measurements performed on entangled photons
14
A single-photon QKD protocol (BB84)
The first QKD protocol was proposed by Bennett and Brassard in 1984 (BB84) Suppose information is encoded in the polarization of single photons using two non-orthogonal bases 0
1 0 1
0° - basis 45° - basis
Single-photon source
Electrooptic modulator
V 45H 45
Quantum channel 50/50
beamsplitter
Single-photon detectors
Polarization beam splitters
0° - basis
45° - basis
0 1 0 1
/ 2
In practice, the system of Alice and Bob could be like this:
15
If only one basis was used Eve could insert a detection system like Bob’s in the path, obtain the answer and retransmit the bit to Alice without been detected… By adding a second non-orthogonal basis, whose states can be written as a linear superposition of the first basis states, e.g., Eve gets “confused” since she does not know in which basis she should measure the intercepted photons if she measures in the right basis she gets the right result if she measures in the wrong basis she gets a completely random result
1
452
H V
16
Trade-off between the information obtained from the measurement and the perturbation of the states due to no-cloning of non-orthogonal states
Protocol Alice sends randomly modulated single photons to Bob Bob randomly measures in one of the two bases They talk on the phone to say which basis they have used for each photon without revealing the result! They discard the instances for which they chose a different basis process of sifting : 50% probability What remains is the secret key!
Example
Alice codes x + x + + x x +
0 0 1 0 1 1 1 0
Bob decodes
+ x x + + + x x
0 1 1 0 1 1 1 0
Sifting 1 0 1 1 Key 17
Eve’s intercept and resend attack – simple security argument
Source
Eve does not know the preparation basis, she has to randomly choose the measurement basis of her intercepted photons she chooses the wrong basis with 50% probability and Bob chooses the right basis with 50% probability Overall error rate = 25% if Alice and Bob sacrifice part of their key to estimate the error rate Eve’s presence is inevitably detected
18
An entangled-photon QKD protocol (BBM92)
The first QKD protocol based on entanglement was proposed by Ekert in 1991, followed by Bennett, Brassard and Mermin in 1992 extension of the BB84 protocol
Entangled-photon source
0° - basis
45° - basis 45° - basis
0° - basis
Information is coded on the polarization of entangled photons, in particular
1 1
45 45 45 452 2
H V V H
0 1 0 1
19
Protocol Alice and Bob independently and randomly choose a measurement basis If their bases match, they keep the results as their key (after sifting) Alice and Bob can simply check if Bell’s inequality has been violated at the end of their communication i.e., if for their polarization measurements they find a spy has intercepted their communication!
2 2S
Eve cannot obtain information during the quantum transmission the key does not exist in the transmission channel, it is created after the measurements by Alice and Bob, and their public communication! Eve can intercept and block the entangled pair, and prepare a new pair for which she has at least partial information three partially entangled photons (monogamy of entanglement) but, as before, this will inevitably introduce errors, which would be absent in a perfect system free of spying
20
A spy’s measurements prevent the violation of Bell’s inequality
Is the key secret?
In the absence of system errors, the spy will surely get detected by the errors she induces in the communication this procedure leads to the establishment of unconditionally secret keys But all practical systems have innocent errors! due to imperfections of the system components errors due to imperfections cannot be distinguished from errors caused by eavesdropping…
A complete QKD protocol should consider all errors as errors due to Eve, take into account possible information leakage, and bound this leakage as a function of the error rate this is performed by two additional processes Error correction + Privacy amplification
21
A security proof of a QKD protocol against general eavesdropping attacks is a difficult theoretical exercise
Hierarchy of attacks: individual collective coherent (unconditional security)
A QKD algorithm
Quantum transmission
Sifting
Error correction
Raw key
Sifted key Error rate estimation
Leakage due to error correction
Source characteristics
Security criteria
Theory
Privacy amplification
Error-free key
Secret key
Shrinking factor
22
Secret key generation rate in practical systems
We examine the case of BB84 with polarization encoding • key generation rate after quantum transmission
𝑅raw = ν 𝜇𝑇 + 𝑑 where ( )/10
communication rate
average number of photons per pulse
10 transmission efficiency
detector quantum e
BL LT
fficiency
channel loss coefficient
channel length
receiver's losses
detector dark counts
B
L
L
d
per clock cycle
• final secret key generation rate
𝑅secret =1
2ν(µ𝑇 + 𝑑 𝜏 − 𝑓 𝑒 ℎ(𝑒
23
Privacy amplification Error correction
Typical curve of rate vs. distance Linear part the rate drops as a given power of the channel attenuation Exponential part the rate drops abruptly and goes to zero due to the growing contribution of the detector dark counts
24
Eve can perform the following attack non-destructive measurement of photon number if : extract and keep one photon, perform delayed measurement if not : block the signal and pretend a vacuum state
BB84 and photon number splitting (PNS) attacks
Photon number measurement
Quantum memory
Perfect channel
Delayed measurement
Consider the practical case of using a highly attenuated laser instead of a single-photon source the laser is a photon source that follows the Poisson distribution, i.e., where is the average photon number per pulse
( )!
neP n
n
2n
25
Why is this detrimental? If the channel loss is large, the photon arrival rate at Bob’s site is much lower than the photon sending rate at Alice’s site Eve can replace the lossy fiber with a lossless one, block one-photon pulses completely, and, if she finds more than one photon, extract one and keep it until Alice and Bob have revealed their bases If the transmitted photons are enough to simulate the average photon arrival rate determined by the channel loss, Eve can extract complete information about the key without inducing any error the entire key is completely insecure!
26
For an ideal single-photon source: 𝑅ideal~𝑇
i.e., the rate decreases linearly with the channel transmission For an attenuated laser source: i.e., the rate decreases quadratically with the channel transmission
𝑅laser~𝑇2, 𝜇opt ~𝑇
Practical components create security loopholes in QKD systems Eliminating these loopholes while obtaining good performance is a major challenge in the field
27
Continuous-variable QKD
• Random modulation of amplitude and phase of coherent states • Random measurement of quadrature of each coherent state with a homodyne detection system
28
Random quadrature measurement
quantum channel Phase modulator
choice of X or P Local
oscillator
Signal
_
P
A
Shot noise
Gaussian modulation
,T
( )AV , elv
classical channel
28
Up till now we have described QKD relying on discrete variables: key information encoded on properties (polarization, phase) of single photons (or weak coherent states) Key information can also be encoded on continuous variables
Security of coherent state CV-QKD
Excess noise
Shot noise • In the Gaussian channel model, coherent states are modified by losses and excess noise
• These are introduced by Eve and degrade the signal-to-noise ratio (SNR) her presence is revealed by noise variance measurements
• Statistics from the homodyne detection allow to quantify the noise introduced by the eavesdropper
Shannon’s theory links the information exchanged between Alice and Bob, and the SNR
AB 2 2
1 1log 1 SNR log 1
2 2 1
ATVI
T
29
Eve’s information on Bob’s key (reverse reconciliation) is bounded using a Heisenberg inequality (uncertainty on Eve’s knowledge of Bob’s measurements)
BE 2
11log
2/ 1 1
1
A
A
TV TI
TT T
V
Secret key generation rate
AB BE 0, for any transmission K I I T
Security of coherent state CV-QKD
30
Secret key generation rate
• Result applies to individual, Gaussian attacks
• Security proven against arbitrary collective attacks : Gaussian attacks are optimal
• More recently, security proofs against arbitrary coherent attacks at asymptotic limit and in finite-size regime: in practical implementations, finite size of data must be taken into account!
31
K
Post-processing algorithms
• After the quantum transmission, Alice and Bob share a set of correlated quadrature measurements
• To distill a secret string of bits, they need to:
– Discretize their data to obtain discrete symbols
– correct the errors reconciliation
– eliminate any remaining key information available to Eve privacy amplification
• Error correction performed using multi-dimensional reconciliation and Low Density Parity Check (LDPC) codes with finite efficiency
32
IAB IBE
Irec Irec
K
K
Effective secret key generation rate
• In practice, reconciliation limits the communication distance
AB BE 0, for small transmissionK I I
33
K
Keff
Discrete and continuous-variable QKD
34
Discrete variables Continuous variables
Key encoding Photon polarization/phase EM field amplitude-phase
Detection Single-photon Coherent (homodyne/heterodyne)
Max range 200 km 100 km
Max rate 1 Mbit/s 100 kbit/s
Post processing Key readily available Complex error correction
Security General attacks, finite-size , side channels
General attacks, finite-size, side channels
Stability Months Months
Practical implementations
The choice of communication channel is crucial free space direct link between Alice and Bob using telescopes no birefringence but atmospheric perturbations and background noise optical fiber minimum absorption at 1550 nm (0,2 dB/km) telecom wavelength very easy to use but birefringence and polarization fluctuations This choice determines the operation wavelength of the system components, and especially the sources and detectors
35
Goal: best performance in terms of maximum communication rate and distance with a high guaranteed security level
The first QKD system
IBM-University of Montréal
36
QKD prototypes
37 Institut d’Optique, TélécomParisTech
ID Quantique
University of Vienna
Optical setup for coherent state CV-QKD
Laser diode
1550 nm
1 s (1 MHz)
100 ns
1/99
Signal
Local oscillator 50/50
Photodiode
PBS
Alice
Channel
PBS
20 m
50/50
Bob _
Homodyne
detector
S LO
200 ns
S
LO Polarization
controller
Amplitude
Modulator
Phase
Modulator
Feedback control
Polarization
beam splitter
Faraday mirror
Clock
generation
Phase
Modulator
Faraday mirror
20 m
PBS
10/90
Variable
attenuator
38
Asymptotic Finite-size 109
Finite-size 108
- 10 kbit/s@ 20 km, 200 bit/s @ 80 km - Secure against collective attacks including finite-size effects
Long-distance experiments
39
Bottleneck due to inefficient error correction for Gaussian variables New error correction codes at low SNR Improved optical stability to enable the acquisition of large blocks
Practical QKD networks
Up till now individual point-to-point links between Alice and Bob But their range is inherently limited… for next generation of very long-distance cryptographic systems we need secure quantum networks
40
SECOQC QKD network, 2008 Various QKD prototypes on Siemens optical fiber network in Vienna Target performance: 2 kbit/s, 25 km, 24 hour operation Several network quality tests
Tokyo QKD network, 2010, 2015 Durban South Africa network, 2010 Swiss Quantum Network, 2011
Telecom network integration
Goal: achieve coexistence with classical signals to overcome use of dark fiber links
41
Photonic integration
42
Candidate system for full integration: CVQKD on silicon
On-chip DVQKD P. Sibson et al, arXiv:1509.00768 University of Bristol
Scalable, large-scale quantum networks will rely on integrated technologies Low cost, efficiency, reconfigurability, interconnectivity, reproducibility
0.5 mm
2.6
mm
Reduce cost and size by orders of magnitude CMOS compatibility
OPSIS – IME Foundry
Towards on-chip CVQKD
43
44
Alice and Bob on the same chip
Main CV-QKD functionalities Shot noise limited homodyne detection
Phase and amplitude modulation control
Proof-of-principle device
Telecom silicon photonics vs. CVQKD
45
Si modulator Ge photodetector
Loss 5 dB -
3 dB cut-off 30 GHz ~ 100 GHz
Data rate 40 Gbit/s 40 Gbit/s
Dark current < 1 μA 1 nA
Responsivity - 0.5 – 1.1 A/W
Extinction ratio (dB)
8 dB @ 40 Gbit/s
-
• Modulators: lower bandwidth (speed is not the main issue) but higher extinction ratio (>30 dB) and lower loss carrier depletion, carrier injection, thermal ring resonator
• Photodetectors: strong linearity for input power up to a few mW, low dark current, high quantum efficiency, shot noise limited
• High optical attenuation (80 dB) without phase drift
Quantum hacking
helps strengthen practical
QKD!
Quantum hacking exploits discrepancy
between theoretical model
and practical
implementation
Theoretical model Some assumptions in security
proofs may be incorrect or insufficient
Implementation Technological
deficiencies/imperfections
Eve obtains a portion of the secret key while staying concealed
46
Imperfections and side channels for CV-QKD
• Solutions based on refined security proofs and (measurement) device independence
• First approach for CV-QKD
• Modulation not exactly Gaussian
• Calibration procedures for homodyne detection and phase noise
• Local oscillator calibration procedure
• Trojan horse-type of attacks
countermeasures!
47
Current challenges in quantum cryptography
Device independent QKD ultimate solution for side-channel attacks due to practical imperfections possible thanks to recent loophole-free Bell tests but still impractical rates and range
48
High security but also everyday applications data centers in cloud computing infrastructures space communications secure ATM transaction devices mobile QKD, ship devices…
Measurement device independent QKD ‘light’ version of DI-QKD covering attacks due to detectors
Quantum cryptography beyond QKD and post-quantum cryptography many protocols illustrating quantum supremacy : better-than-classical security design future quantum-safe infrastructure