Quantum Cryptography Cryptography Quantum Key Distribution

Main Point Cryptography Quantum Key Distribution  BB84  continuous Security  Attack model  Information

Introduction What is Cryptography? Cryptography is the art of rendering a message unintelligible to any unauthorized party  dkssudgktpdy  안녕하세요 (Korean) It is part of the broader field of cryptology, which also includes cryptoanalysis, the art of code breaking

Introduction Why do we need cryptography? Suppose Mark want to send a secret message to his girl friend over an insecure channel! Insecure secure

Cryptography Key : What’s key? Encryption : combine a message with some additional information - known as the “key” – and produce a cryptogram. Decryption : combine a cryptogram with some additional information - known as the “key” – and produce a message.

Asymmetrical(public-key) cryptosystem Symmetrical(secret-key) cryptosystem Cryptography

Asymmetrical(public-key) cryptosystem  ElGamal Cryptosystem  Elliptic curve Cryptosystem  The Merkle-Hellman Knapsack Cryptosystem  RSA(Ronald Rivest, Adi Shamir,Leonard Adleman)  etc..

Cryptography RSA(Ronald Rivest, Adi Shamir,Leonard Adleman)  If Bob wants to be able to receive messages encrypted with a public key cryptosystem, he must first choose a "private" key, which he keeps secret. Then, he computes from this private key a "public" key, which he discloses to any interested party. Alice uses this public key to encrypt her message. She transmits the encrypted message to Bob, who decrypts it with the private key

Cryptography RSA(Ronald Rivest, Adi Shamir,Leonard Adleman)  Big Prime number factorization is so difficult problem  Public-key cryptosystems are convenient and they have thus become very popular over the last 20 years What is problem?  Not proven security  Shor’s algorithm

Cryptography Symmetrical(secret-key) cryptosystem  Block type DES AES etc..  Stream type LFSR One-time pad etc..

Cryptography One-time pad  first proposed by Gilbert Vernam in 1926  This cryptosystem is thus provably secure in the sense of information theory (Shannon 1949) Actually, this is today the only provably secure cryptosystem What is problem?  Difficult to implementation

Cryptography One-time pad = Secret channel Classical channel = Difficult to implementation

sending a “secret key” by using the laws of physics to warrant the complete security of the transmission  Discrete variable BB84 B92 Etc..  Continuous variable Squeezed state Gaussian distribution Quantum Key Distribution Quantum Physics Principle of Complementary Heisenberg Uncertainty Principle Correspondence Principle etc..

Quantum Key Distribution Cryptography Asymmetric RSA symmetric One-time pad Quantum Cryptography DescreteContinuous Quantum Mechanics Number theory, Algebra..

Quantum Key Distribution BB84  proposed by Charles H. Bennett and Gilles Brassard in 1984  Two state( |0>, |1>), but four bases(|0,V>, |1,H>, |0,L>, |1,R>)  Bases with such a property are called conjugate => Unpredictable

Quantum Key Distribution BB84(Protocol)  Alice sends random “bits” (0 or 1) encoded in two 2 different “basis”  Bob randomly chooses either the “+” or the “×” basis and records the transmitted and reflected photons  Bob announces openly his choice of basis (but not the result!) and Alice answers “ok” or “no”. Bits with different basis are discarded  The remaining bits give the secret key

Quantum Key Distribution BB84(without Eve, no noise)

Quantum Key Distribution Attack model  Intercept-resend model (opaque eavesdropping) Error rate  Coherent or joint  Optimal individual  Collective

Quantum Key Distribution BB84(with Eve, no noise)

Quantum Key Distribution BB84(with Eve, no noise)  Raw key extraction Over the public channel, Bob communicates to Alice which quantum alphabet he used for each of his measurements Alice and Bob then delete all bits for which they used incompatible quantum alphabets to produce their resulting raw keys  Error estimation Over the public channel, Alice and Bob compare small portions of their raw keys to estimate the error-rate R, and then delete the disclosed bits from their raw keys to produce their tentative final keys

Quantum Key Distribution BB84(with Eve, no noise) If one guesses correctly, then Alice’s transmitted bit is received with probability 1. On the other hand, if one guesses incorrectly, then Alice’s transmitted bit is received correctly with probability 1/2. Thus in general, the probability of correctly receiving Alice’s transmitted bit is

Quantum Key Distribution BB84(with Eve, no noise) If there is no intrusion, then Alice’s and Bob’s raw keys will be in total agreement. However, if Eve has been at work, then corresponding bits of Alice’s and Bob’s raw keys will not agree with probability

Quantum Key Distribution BB84(with Eve, with noise) We must assume that Bob’s raw key is noisy  Since Bob can not distinguish between errors caused by noise and by those caused by Eve’s intrusion, the only practical working assumption he can adopt is that all errors are caused by Eve’s eavesdropping  Under this working assumption, Eve is always assumed to have some information about bits transmitted from Alice to Bob. Thus, raw key is always only partially secret

Quantum Key Distribution BB84(with Eve, with noise) Over the public channel, Alice and Bob compare small portions of their raw keys to estimate the error-rate R, and then delete the disclosed bits from their raw key to produce their tentative final keys. If R exceeds a certain threshold, then privacy amplification is not possible If so, Alice and Bob return to stage 1 to start over. On the other hand, if, then Alice and Bob proceed to Reconciliation

Quantum Key Distribution Reconciliation Key  Alice and Bob publically agree upon a random permutation, and apply it to what remains of their respective raw keys  Alice and Bob partition the remnant raw key into blocks of length L  For each of these blocks, Alice and Bob publically compare overall parity checks, making sure each time to discard the last bit of each compared block

Quantum Key Distribution Privacy amplification  Alice and Bob compute from the error-rate R an upper bound k of the number of bits of reconciled key known by Eve  Alice and Bob publically select n−k−s random subsets of reconciled key, without revealing their contents. The undisclosed parities of these subsets become the final secret key

Quantum Key Distribution BB84(with noise) Noise? ReconciliationPrivacy amplification Resend R=0? No Yes Key! Yes Key!

Quantum Key Distribution Security by Information theory  I. Csiszar, and J. Korner, IEEE Trans. Inf. Theory, 24, 330 (1978)  Alice and Bob can establish a secret key (using error correction and privacy amplification) if and only if

Quantum Key Distribution Security by Information theory  Shannon’s formula

Quantum Key Distribution Security by Information theory  A Generic Security Proof for Quantum Key Distribution by M. Christandl et al, quant- ph/  Shannon’s formula  Von Neumann’s formula (Quantum information)  Key Rate R

Quantum Key Distribution Where is quantum?  Measurement every measurement perturbs a system  No-cloning theorem It is impossible to copy an arbitrary quantum state chosen among a set of non-orthogonal states No perturbation No measurement No eavesdropping

Quantum Key Distribution Experiment  “Experimental Quantum Cryptography” (C.Bennett et al, J.Cryptology 5, 3-28, 1992)  etc.. What is problem?  Photon Generation  Reliable?

Quantum Key Distribution Essential feature : quantum channel with non-commuting quantum observables  not restricted to single photon polarization! New QKD protocol where :  The non-commuting observables are the quadrature operators X and P  i.e. continuous variable

Quantum Key Distribution Quantum cryptography with Squeezed states(Mark Hillery, PRA, 61, ) Quantum distribution of Gaussian keys using squeezed states(N.J.Cerf et al, PRA, 63, )  The non-commuting observables are the quadrature operators X and P

Quantum Key Distribution Using Squeezed state The non-commuting observables are the quadrature operators X and P Reconciliation(sliced) Privacy Amplification P X

Quantum Key Distribution Continuous Variable Quantum Cryptography Using Coherent States(F. Grosshans et al, PRL 88, (2002))  The non-commuting observables are the quadrature operators X and P  The transmitted light contains weak coherent pulses(about 100 photons) with a gaussian modulation of amplitude and phase  The detection is made using shot-noise limited homodyne detection

Quantum Key Distribution Using Coherent state The non-commuting observables are the quadrature operators X and P Reconciliation(sliced) Privacy Amplification P X

Quantum Key Distribution Attack model(Continuous variable)  Intercept-resend model (opaque eavesdropping) Error rate  Coherent  Individual Optimal  Collective

Quantum Key Distribution Security by Information theory  Shannon, von Neumann

Quantum Key Distribution Security by Information theory  Gaussian distribution

Quantum Key Distribution Security by Information theory  Gaussian state  Information

Conclusion One-time pad(QKD) Where is quantum?  Measurement(Discrete, Continuous) every measurement perturbs a system  No-cloning theorem(Discrete, Continuous) It is impossible to copy an arbitrary quantum state chosen among a set of non-orthogonal states  Quantum Information theory for Security

Acknowledgement Many Thanks..(M.S. Kim, Jingak Jang, Wonmin Son..) Also Many Thanks for all who attend our seminar

Reference Quantum cryptography, N.Gisin et al, quant-ph/