Introduction to Quantum Key Distribution

Slides:



Advertisements
Similar presentations
Diffie-Hellman Diffie-Hellman is a public key distribution scheme First public-key type scheme, proposed in 1976.
Advertisements

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
Quantum Cryptography Nick Papanikolaou Third Year CSE Student
Slide 1 Introduction to Quantum Cryptography Nick Papanikolaou
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Intro to Quantum Cryptography Algorithms Andrew Hamel EECS 598 Quantum Computing FALL 2001.
1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.
Quantum Cryptography ( EECS 598 Presentation) by Amit Marathe.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Elliptic curve arithmetic and applications to cryptography By Uros Abaz Supervised by Dr. Shaun Cooper and Dr. Andre Barczak.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
UCB Security Jean Walrand EECS. UCB Outline Threats Cryptography Basic Mechanisms Secret Key Public Key Hashing Security Systems Integrity Key Management.
Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.
Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.
Superdense coding. How much classical information in n qubits? Observe that 2 n  1 complex numbers apparently needed to describe an arbitrary n -qubit.
CRYPTOGRAPHY WHAT IS IT GOOD FOR? Andrej Bogdanov Chinese University of Hong Kong CMSC 5719 | 6 Feb 2012.
WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Quantum Key Establishment Wade Trappe. Talk Overview Quantum Demo Quantum Key Establishment.
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 12: Idiot’s Guide.
BB84 Quantum Key Distribution 1.Alice chooses (4+  )n random bitstrings a and b, 2.Alice encodes each bit a i as {|0>,|1>} if b i =0 and as {|+>,|->}
CS1001 Lecture 24. Overview Encryption Encryption Artificial Intelligence Artificial Intelligence Homework 4 Homework 4.
Quantum Cryptography Prafulla Basavaraja CS 265 – Spring 2005.
Overview of Cryptography and Its Applications Dr. Monther Aldwairi New York Institute of Technology- Amman Campus INCS741: Cryptography.
Lo-Chau Quantum Key Distribution 1.Alice creates 2n EPR pairs in state each in state |  00 >, and picks a random 2n bitstring b, 2.Alice randomly selects.
ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
EECS 598 Fall ’01 Quantum Cryptography Presentation By George Mathew.
Paraty, Quantum Information School, August 2007 Antonio Acín ICFO-Institut de Ciències Fotòniques (Barcelona) Quantum Cryptography.
Quantum Public Key Cryptography with Information- Theoretic Security Daniel Gottesman Perimeter Institute.
CSCI 172/283 Fall 2010 Public Key Cryptography. New paradigm introduced by Diffie and Hellman The mailbox analogy: Bob has a locked mailbox Alice can.
CS4600/5600 Biometrics and Cryptography UTC/CSE
Encryption. Introduction Computer security is the prevention of or protection against –access to information by unauthorized recipients –intentional but.
Lecture 6: Public Key Cryptography
Gagan Deep Singh GTBIT (IT) August 29,2009.
A Few Simple Applications to Cryptography Louis Salvail BRICS, Aarhus University.
Public-Key Cryptography CS110 Fall Conventional Encryption.
1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.
1 Cryptography NOTES. 2 Secret Key Cryptography Single key used to encrypt and decrypt. Key must be known by both parties. Assuming we live in a hostile.
1 A Randomized Space-Time Transmission Scheme for Secret-Key Agreement Xiaohua (Edward) Li 1, Mo Chen 1 and E. Paul Ratazzi 2 1 Department of Electrical.
CS555Topic 251 Cryptography CS 555 Topic 25: Quantum Crpytography.
6 June Lecture 2 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,
Lecture 2: Introduction to Cryptography
Quantum Cryptography Slides based in part on “A talk on quantum cryptography or how Alice outwits Eve,” by Samuel Lomonaco Jr. and “Quantum Computing”
15-499Page :Algorithms and Applications Cryptography I – Introduction – Terminology – Some primitives – Some protocols.
Nawaf M Albadia
1 Conference key-agreement and secret sharing through noisy GHZ states Kai Chen and Hoi-Kwong Lo Center for Quantum Information and Quantum Control, Dept.
Software Security Seminar - 1 Chapter 4. Intermediate Protocols 발표자 : 이장원 Applied Cryptography.
Quantum Cryptography Christian Schaffner
Quantum Cryptography Antonio Acín
Quantum Cryptography and Quantum Computing. Cryptography is about a)manipulating information b)transmitting information c)storing information.
Introduction to Pubic Key Encryption CSCI 5857: Encoding and Encryption.
Diffie-Hellman Key Exchange first public-key type scheme proposed by Diffie & Hellman in 1976 along with the exposition of public key concepts – note:
Introduction to Elliptic Curve Cryptography CSCI 5857: Encoding and Encryption.
Security. Cryptography (1) Intruders and eavesdroppers in communication.
Presented By, Mohammad Anees SSE, Mukka. Contents Cryptography Photon Polarization Quantum Key Distribution BB84 Protocol Security of Quantum Cryptography.
Cryptography Hyunsung Kim, PhD University of Malawi, Chancellor College Kyungil University February, 2016.
1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.
J. Miranda University of Ottawa 21 November 2003
Big Numbers: Mathematics and Internet Commerce
Quantum Cryptography Arjun Vinod S3 EC Roll No:17.
Quantum Key Distribution
Quantum Cryptography Alok.T.J EC 11.
Richard Cleve DC 2117 Introduction to Quantum Information Processing CS 667 / PH 767 / CO 681 / AM 871 Lecture 22 (2009) Richard.
Quantum Cryptography Scott Roberts CSE /01/2001.
Richard Cleve DC 2117 Introduction to Quantum Information Processing CS 667 / PH 767 / CO 681 / AM 871 Lecture 24 (2009) Richard.
Spin Many quantum experiments are done with photon polarization instead of electron spin Here is the correspondence between the two And the measurement.
Presentation transcript:

Introduction to Quantum Key Distribution Gonen Krak

Classical Cryptography Suppose Alice and Bob wish to communicate in the presence on an eavesdropper Eve A provably secure classical scheme exists for this, called the one-time pad

The One-Time Pad The one-time pad requires Alice and Bob to share a secret key : 𝒌∈ {𝟎,𝟏} 𝒏 uniformly distributed. - When Alice wishes to send the message 𝒎 to Bob, she computes 𝒄=𝒎⊕𝒌 and sends it to Bob. - When Bob receives 𝒄 he computes 𝒄⊕𝒌= 𝒎⨁𝒌 ⨁𝒌=𝒎⨁ 𝒌⨁𝒌 =𝒎⨁𝟎=𝒎 to get the original message.

One-time Pad Security This protocol achieves perfect security, since given constant string 𝐜∈ {𝟎,𝟏} 𝒏 , for every message 𝒎 we have 𝑷𝒓 𝒌 𝒎⊕𝒌=𝒄 = 𝟏 𝟐 𝒏 It is important to note that for security, Alice and Bob must never re-use the same key twice, since then Eve can learn information about the original messages: 𝒄⨁ 𝒄 ′ = 𝒎⨁𝒌 ⨁ 𝒎 ′ ⨁𝒌 =𝒎⨁ 𝒌⨁ 𝒌 ′ ⨁ 𝒎 ′ =𝒎⨁𝒎′

The Key Distribution Problem Problem : How do Alice and Bob share the secret key between them before sending the message? Most abstractly in the classical world, a key distribution protocol can be based on any trapdoor one-way function. Such a function is a mathematical function that can create two strings s1 and s2 that share a mathematical relation such that given s2, it is very hard to calculate s1.

The Key Distribution Problem Usually “hard” means that there is no known polynomial-time algorithm to calculate s1. Given such trapdoor one-way function, Alice and Bob can use this function to create for both of them a private key(s1) and a public key(s2). When Alice wishes to send a message to Bob she encrypts it with Bob’s public key and then Bob decrypts it with his private key.

The Key Distribution Problem There are several problems with the classical scheme of the key distribution problem. First, their security is based on the fact that there are no known algorithms for mathematical problems which might have an efficient solution. Second, usually such mathematical problems(such as factoring large integers) have an efficient solution on quantum computers.

Quantum Key Distribution A quantum key-distribution protocol is a protocol that uses the quantum mechanical model that enables Alice and Bob to set up a secret key provided they have : A quantum channel where Eve can read and modify messages An authenticated classical channel, where Eve can read messages but not modify them

Quantum Key Distribution There are several proposed protocols for QKD. In this lecture we will talk about two of them : The BB84 protocol : This is first protocol proposed for QKD. This protocol is easier to implement in reality but harder to analyze and prove its security The Lo and Chau protocol : This is the first protocol which have been proved to be secure. Harder to implement but easier to analyze

The BB84 Protocol The BB84 protocol works as follows : At the beginning Alice decides on a random string 𝒙∈ {𝟎,𝟏} 𝒏 Alice uses two alphabets to encode 𝒙 : |𝟎>,|𝟏> and |+>,|−> where |+> = 𝟏 𝟐 |𝟎>+|𝟏> |−> = 𝟏 𝟐 |𝟎>−|𝟏>

The BB84 Protocol For every bit Alice wants to send, she randomly choses alphabet(basis) in which to encode the bit and sends the corresponding state to Bob When Bob receives the message, for each bit he randomly choses alphabet and performs the corresponding measurement Note that if Eve do not modify the message, Bob will have 75% of the message correct

The BB84 Protocol After Bob has preformed his measurements, he compares with Alice on the classical channel the bases he chose for each bit Then Alice and Bob drop all the bits that Bob used the wrong basis to measure them. Now Alice and bob remain with two strings that should be identical

The BB84 Protocol To ensure consistency, Alice and bob choose a random subset of 𝒎 bits and compare them. If they are indeed consistent they take the remaining bits as a secret key Since Eve can modify the qubits that Alice sends to Bob, she can supply Bob qubits in any state she wants. In the next slides, we will focus on the simple case when she just measures the bits and sends them forward to Bob

The BB84 Protocol Note that since Eve doesn’t know which bases Alice chose, she needs to guess. Thus, after Alice and Bob compared the bases and stayed only with the bits they measured in the same basis, the only way for a random bit to be different in Alice and Bob’s strings is if Eve had measured it in the wrong basis (Pr = 𝟏 𝟐 ) and Bob got the opposite result when he measured it in the correct basis (Pr = 𝟏 𝟐 ). That’s happen in probability 𝟏 𝟐 ∙ 𝟏 𝟐 = 𝟏 𝟒

The BB84 Protocol Now, when Alice and Bob choose 𝒎 bits for consistency check, each pair of corresponding bits is indeed identical with probability (1-1/4) = ¾ Thus, the probability for Eve to go undetected is 𝟑 𝟒 𝒎 which is exponentially small.

The BB84 Protocol The interesting case is what happens when Eve supply to Bob qubits in arbitrary state in order to reveal some information about the key It is possible to show that the more information Eve acquires about the key, the less the probability for Eve to go undetected is.

The BB84 Protocol Overall, this protocol is relatively easy to implement, and even though its hard to analyze its security, it was proved that it is secure. These reasons make this protocol the most common protocol for QKD In the next slides will talk about a different protocol for QKD and analyze its security

The Lo and Chau Protocol Notice the Bell state | 𝝍 − > = |𝟎𝟏>−|𝟏𝟎> 𝟐 If Alice and Bob share this pair of qubits and both of them preform local measurement in the computational basis they will get correlated(opposite) result. Idea : Alice and Bob can share a series of Bell states | 𝝍 − >| 𝝍 − >| 𝝍 − >.. between them and then just preform measurements and NOT gates to obtain a secret key.

The Lo and Chau Protocol Problem : Eve can access the quantum channel and change the qubits. Thus we may assume that Eve supplies the qubits for both Alice and Bob. Therefore, the task of Alice and Bob is, in fact, to verify using local operations and classical communication only if the state of the qubits they share is indeed is a series of | 𝝍 − > states. Notice that they can’t simply perform a measurement along the Bell basis since such measurement requires both qubits

The Lo and Chau Protocol Let’s denote the Ball basis vectors by | 𝝓 + > = |𝟎𝟎>+|𝟏𝟏> 𝟐 =| 𝟎 𝟎 > | 𝝍 + > = |𝟎𝟏>+|𝟏𝟎> 𝟐 =| 𝟎 𝟏 > | 𝝓 − > = |𝟎𝟎>−|𝟏𝟏> 𝟐 =| 𝟏 𝟎 > | 𝝍 − > = |𝟎𝟏>−|𝟏𝟎> 𝟐 =| 𝟏 𝟏 > For now, let’s assume that Eve supplies Alice and Bob 𝑵 pairs of qubits such that each pair is a Bell basis vector. Thus, the state of the whole system can be represented by a bit string 𝒙∈ { 𝟎 , 𝟏 } 𝟐𝑵

The Lo and Chau Protocol In this notation, Alice’s and Bob’s goal is to verify that the state string 𝒙 is all 𝟏 ’s. Remember that Alice and Bob can only perform local operations on their qubits and communicate classical bits. Our goal is to try and investigate which properties of this bit string Alice and Bob can verify under these limitations.

The Lo and Chau Protocol For example, Alice and Bob can’t verify if two consecutive bits are 𝟎 𝟎 , 𝟎 𝟏 , 𝟏 𝟎 , 𝟏 𝟏 since this corresponds to a measurement in the Bell basis. Note that Alice and Bob can verify if the right bit of each pair is 𝟎 or 𝟏 by performing a local measurement in the computational basis and then comparing the results (parallel or anti-parallel)

The Lo and Chau Protocol So, the question here is whether can Alice and Bob verify a few properties about the state string while sacrificing small number of qubits and guess with high probability whether the state string is all 𝟏 ’s or not. The answer turns out to be yes, as we will see in the next slides.

The Lo and Chau Protocol Let’s look at the property of whether the parity (the number of 1’s) in a subset of bits is odd or even. Let 𝒌 be a subset of bits (indexes) of 𝟐𝑵-bit string 𝒙. The probability that another random bit string 𝒚 has the same parity on 𝒌 equals to 𝟐 𝒌 −𝟏 ∙ 𝟐 𝟐𝑵− 𝒌 𝟐 𝟐𝑵 = 𝟏 𝟐 Thus the probability that another bit string 𝒚 has the same parity on 𝒎 randomly-chosen independent subsets equals to 𝟏 𝟐 𝒎

The Lo and Chau Protocol Hence, if Alice and Bob are able to verify the parity of random subsets of bits without sacrificing many qubits, they can verify with high probability whether the state string 𝒙 is all 𝟏 ’s or not.

The Lo and Chau Protocol Note that calculating the parity of a subset 𝒎 of a bit string 𝒙 equals to the modulo-2 product of 𝒔∙𝒙 where 𝒔 is an index string defined by 𝒔 𝒊 =𝟏 iff 𝒊∈𝒎. For example, if 𝒙=𝟏𝟎𝟏𝟏 and 𝒎={𝟏,𝟑} then 𝒔=𝟎𝟏𝟎𝟏 and 𝒔∙𝒙=𝟏 with accordance that there are odd numbers of 1’s in the subset 𝒎 of 𝒙

The Lo and Chau Protocol So now, all what we have to look for is a way for Alice and Bob to calculate 𝒔∙𝒙 for any 𝟐𝑵-bit string 𝒔 (which can be chosen using the classical communication channel). Note the following 3 unitary transformations defined in terms of our previous notation :

The Lo and Chau Protocol The transformation on two qubits that swaps the bits ( | 𝒊 𝒋 > -> | 𝒋 𝒊 >) The transformation on two qubits that XOR’s the left bit into the right bit (| 𝒊 𝒋 > -> | 𝒊 𝒊⨁𝒋 >) 3. The transformation on four qubits (two pairs) that performs the action | 𝒊 𝒋 >⊗| 𝒍 𝒌 > -> | 𝒊⊕𝒍 𝒋 >⊗| 𝒍 𝒋⊕𝒌 > These transformations U1 , U2 and U3 are easily seen unitary since they permute a basis

The Lo and Chau Protocol Note that if Alice and Bob were able to use these transformations, they could compute 𝒔∙𝒙 in the following way : In the first stage, put the parity required from each pair in its right bit This means, if the corresponding index bits in 𝒔 are 01 then do nothing on this pair. If the bits are 10 then use U1 on the pair to swap the bits. Finally, if the the bits are 11 then use U2 on this pair to put the XOR (parity) of both bits into the right bit of the pair

The Lo and Chau Protocol 2. In the second stage, use the U3 transformation on all the required pairs with the same target pair to gain the XOR of all the required bits in the right bit of the target pair. For example, if 𝒔=𝟎𝟎𝟎𝟏𝟏𝟎𝟏𝟏 then we ignore the first pair, do nothing to the second pair, use U1 on the third pair, use U2 on the fourth pair and finally use U3 on the second and third pair and then on the second and fourth pair.

The Lo and Chau Protocol After all this, the required parity will be represented in the right bit of the second pair. All left to do now is to check whether the right bit of the second pair is 𝟏 , and this is indeed possible as noted earlier We showed that if Alice and Bob can create these transformations using local operations only, then they could also calculate the required parity of any subset

The Lo and Chau Protocol Well, it turns out that any of these transformations has a simple tensor product representation! (the calculation is left for you to verify..) U1 = 𝑩 𝒚 ⊗ 𝑩 𝒚 where 𝑩 𝒚 = 𝟏 𝟐 𝟏 −𝟏 𝟏 𝟏 U2 = 𝑩 𝒙 𝝈 𝒙 ⊗ 𝑩 𝒙 𝝈 𝒙 where 𝑩 𝒙 = 𝟏 𝟐 𝟏 −𝒊 −𝒊 𝟏 U3 = 𝑪𝑵𝑶𝑻⊗𝑪𝑵𝑶𝑻 where each CNOT acts on the left/right bits of both pairs.

The Lo and Chau Protocol For example, if Alice and Bob decided on 𝒔=𝟎𝟎𝟎𝟏𝟏𝟎𝟏𝟏 then they both need to execute the following circle on their pairs

The Lo and Chau Protocol Note that for each chosen subset 𝒔, only one pair is measured and thus “destroyed”. It is possible for Alice and Bob to apply “fixes” on the other pairs which took place in the circuit and transform them back to their original state based on the measurement results. (Good exercise at home..) Thus for every subset Alice and Bob need to sacrifice only one pair.

The Lo and Chau Protocol We showed until now that if Eve performs the qubits in a tensor product state of the Bell basis vectors, Alice and Bob can verify in very high probability whether they share a series of | 𝝍 − > states or not But note that Eve may use a super-position of these states or even more general - to entangle some of the qubits with her own qubits hoping to create correlations that will reveal information about the key during the computation

The Lo and Chau Protocol The most general state Eve can supply is |𝒖> = 𝒊 𝟏 , 𝒊 𝟐 ,.., 𝒊 𝑵 𝒋 𝒂 𝒊 𝟏 , 𝒊 𝟐 ,.., 𝒊 𝑵 ,𝒋 | 𝒊 𝟏 , 𝒊 𝟐 ,.., 𝒊 𝑵 >⊗ |𝒋> Where i1,..,iN run on {00 , 01 , 10 , 11} and |𝒋> is some orthonormal basis for Eve’s private qubits. Note that the measurements preformed by Alice and Bob during the protocol can be represented by the observables 𝑸 𝒔 = 𝒔∙𝒘 |𝒘><𝒘| for each subset 𝒔

The Lo and Chau Protocol Denote by 𝑾 the observable corresponding to a measurement in the 𝑵-Bell basis, i.e. 𝑾= 𝒘 |𝒘><𝒘| All the above operators refer to a single basis (the the 𝑵-Bell basis), and since all the operators diagonalizable with respect to that basis they commute with 𝑾

The Lo and Chau Protocol Therefore, any of the 𝑸 𝒔 values are not affected by a prior measurement of 𝑾 In other words, for any state |𝒖> Eve might have supplied, the sequence of subset parities measured in the verification stage would not have been affected if Eve had pre-measured |𝒖> in the Bell basis (i.e. made a measurement of W) before handing the state to Alice and Bob

The Lo and Chau Protocol A measurement of 𝑾 would make the state |𝒖> collapse into one of the 𝑵-Bell basis states and thus our previous analysis is valid for this case as well *Note that this is still not a complete formal proof, but it should give you the idea behind it.

The Lo and Chau Protocol An important idea behind this quantum-to-classical reduction is that a quantum mechanical experiment has a classical interpretation whenever observables that refer to only one basis are considered. This guarantees that one can apply standard results in the classical world (such as probability theory and statistics theory) to the original quantum problem