Quantum Cryptography: Quantum Key Distribution CSE 825.


Michigan State University

Quantum cryptography is different from quantum computing. The two are easily confused because there is only one algorithm for a quantum computer, and it factors large numbers, so its primary purpose is to break cryptography.

Private (secret) Key
A k-bit secret key is shared by two users. The assumption is that finding a particular key is intractable (brute force). If advances in computing make it tractable, choose a longer key.

Notation
Players: A & B, named Alice & Bob. Who is the bad guy?

Secret Key = one-time pad
– Alice converts the message into a string of bits and XORs it with the key.
– Each key bit is used once (reuse allows deduction about the message).
– Bob XORs the key with the received string to extract the original message.
– Without the key an eavesdropper sees random bits.

Key Distribution
Key distribution is the problem of getting a secure key to both parties.

Quantum Key Distribution
Quantum cryptography uses quantum properties to securely distribute a secret key.

History of Quantum Cryptography
– 1970s: concept proposed by Wiesner
– 1984: Bennett and Brassard developed the first quantum cryptography protocol, BB84
– first experimental demonstration (32 cm)
– 2002: first commercial product available

Quantum Mechanics
Elements of quantum information, typically photons, are put in a particular state by the sender and then observed by the receiver. Because of the Uncertainty Principle, certain quantum information occurs as conjugates that cannot be measured simultaneously.

Polarization of photons can be expressed in any of three different bases: rectilinear, circular, and diagonal, but observing in one basis randomizes the conjugates. If the sender and receiver are not using the same basis, reading the information effectively destroys it (randomizes it) without yielding useful information.

Unpolarized light enters a vertically aligned filter, which absorbs some of the light and polarizes the remainder in the vertical direction. A second filter tilted at some angle θ absorbs some of the polarized light and transmits the rest, giving it a new polarization. If the first filter is a + and the second is an X, matched polarization passes through; mismatches pass randomly.

A quantum cryptography system allows two people, say Alice and Bob, to exchange a secret key. Alice uses a transmitter to send photons in one of four polarizations: 0, 45, 90 or 135 degrees. Bob uses a receiver to measure each polarization in either the rectilinear basis (0 and 90) or the diagonal basis (45 and 135); according to the laws of quantum mechanics he cannot simultaneously make both measurements. Important: photons are sent one at a time!

– Alice sends photons with one of the four polarizations, chosen at random.
– For each photon, Bob chooses at random the type of measurement: + or X.
– Bob records the result of his measurements, but keeps it a secret.
– Bob tells Alice the measurement types used (but not results) in free space. Alice tells him which were correct.
– Alice and Bob keep correct cases and translate to 0’s and 1’s.

Eve
Since reading a bit destroys it, to eavesdrop Eve must regenerate bits. Half the time she will read and regenerate correctly. Combined with Bob reading correctly half the time, this means that ¼ of the time Eve will generate an error visible to Bob & Alice.

Check
As a check, Alice and Bob choose some bits at random to reveal. If the bits agree, they can use the remaining bits with assurance that they have not been intercepted. But if they find significant discrepancies, it indicates tampering due to eavesdropping, and they should start over to transmit another key.
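The exchange and the check described above, simulated classically as an added example (not code from the original slides). It assumes an eavesdropper who reads and regenerates every photon in a randomly chosen basis, a noiseless channel, and a 5% acceptance threshold; the function names, the threshold and the seed are choices made for this example.

```python
import random

BASES = ("+", "x")  # rectilinear (0/90 degrees) and diagonal (45/135 degrees)

def measure(bit, sent_basis, meas_basis, rng):
    """Same basis reads the encoded bit; the conjugate basis gives a coin flip."""
    return bit if sent_basis == meas_basis else rng.randrange(2)

def transmit(n, eve_present, rng):
    """Send n photons one at a time; return the sifted (alice, bob) bit lists."""
    alice, bob = [], []
    for _ in range(n):
        a_bit, a_basis = rng.randrange(2), rng.choice(BASES)
        bit, basis = a_bit, a_basis              # photon state in flight
        if eve_present:                          # read, then regenerate
            e_basis = rng.choice(BASES)
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis                      # Eve can only re-send what she read
        b_basis = rng.choice(BASES)
        b_bit = measure(bit, basis, b_basis, rng)
        if b_basis == a_basis:                   # public basis comparison: keep matches
            alice.append(a_bit)
            bob.append(b_bit)
    return alice, bob

def check(alice, bob, sample_size, threshold, rng):
    """Reveal a random sample; return (error_rate, accepted, alice_rest, bob_rest)."""
    revealed = set(rng.sample(range(len(alice)), sample_size))
    errors = sum(alice[i] != bob[i] for i in revealed)
    rate = errors / sample_size
    keep = [i for i in range(len(alice)) if i not in revealed]
    return rate, rate <= threshold, [alice[i] for i in keep], [bob[i] for i in keep]

def run(eve_present, n=4000, threshold=0.05, seed=825):
    # threshold and seed are assumptions of this example, not values from the slides
    rng = random.Random(seed)
    alice, bob = transmit(n, eve_present, rng)
    return check(alice, bob, len(alice) // 4, threshold, rng)

if __name__ == "__main__":
    for eve in (False, True):
        rate, ok, a_rest, _ = run(eve)
        verdict = "keep" if ok else "discard and start over"
        print(f"Eve={eve}: sample error rate {rate:.3f}, {verdict} "
              f"({len(a_rest)} unrevealed bits)")
```

About half of the photons survive the basis comparison, and with the eavesdropper present the revealed sample shows an error rate near one quarter, which is what makes the interception visible.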

Why does it work?
If eavesdropper Eve observes the data, she disturbs the quantum state.

Other options for Eve
Eve could also attempt to listen to only a small number of bits going by in hopes that she can know a few bits and go undetected. Alice and Bob can prevent this attack by shrinking their secret key down after having established it (“privacy amplification”). If they shrink their key in the right way, Eve's chances of knowing even one bit would be very small.

If Eve happens to choose the same basis as Bob, he will not notice—he will get the same result, and the same result as if she had done nothing. However, Eve doesn't know what basis Bob will choose to measure in. If Eve measures in the X basis and Bob measures in the Z basis (or vice-versa), Bob's result will now be random—even if the original state was prepared in the Z basis!

If Eve is observing, when Alice and Bob compare notes about the value of observed bits, half the time their bits will be different when they should be the same.

Noise
Noise exists and Eve introduces more noise. Alice and Bob eliminate noise with public error correction: e.g. public communication of the parity of small subsets of the key. By always withholding the last bit, the public parity discussion is harmless.
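The public parity discussion above and the key shrinking ("privacy amplification") mentioned earlier, as an added example that is not code from the original slides. It assumes blocks of 8 bits, six reshuffled passes, that a block with mismatching parity is discarded rather than searched, and that the key is shrunk by taking parities of publicly chosen random subsets (one standard choice; the slides do not name a function).

```python
import random

def parity(bits):
    return sum(bits) & 1

def parity_pass(a, b, block, rng):
    """One public pass: compare block parities, then give up one bit per block."""
    order = list(range(len(a)))
    rng.shuffle(order)                     # permutation agreed on in public
    out_a, out_b = [], []
    for start in range(0, len(order), block):
        idx = order[start:start + block]
        blk_a = [a[i] for i in idx]
        blk_b = [b[i] for i in idx]
        if parity(blk_a) == parity(blk_b):
            out_a += blk_a[:-1]            # withhold the last bit, so the announced
            out_b += blk_b[:-1]            # parity reveals nothing about the kept bits
        # mismatch means an odd number of errors in the block;
        # assumption of this example: discard the block instead of searching it
    return out_a, out_b

def reconcile(a, b, block=8, passes=6, seed=1):
    rng = random.Random(seed)              # stands in for public coin tosses
    for _ in range(passes):                # reshuffling separates paired errors
        a, b = parity_pass(a, b, block, rng)
    return a, b

def amplify(key, out_len, seed):
    """Shrink key to out_len bits, each the parity of a public random subset."""
    rng = random.Random(seed)
    out = []
    for _ in range(out_len):
        mask = [rng.randrange(2) for _ in key]
        out.append(parity(k & m for k, m in zip(key, mask)))
    return out

def demo(n=2000, flips=40, seed=825):
    """Constructed data: Bob's key is Alice's with `flips` bits corrupted by noise."""
    rng = random.Random(seed)
    alice = [rng.randrange(2) for _ in range(n)]
    bob = alice[:]
    for i in rng.sample(range(n), flips):
        bob[i] ^= 1
    a, b = reconcile(alice, bob)
    return a, b, amplify(a, 128, seed=7), amplify(b, 128, seed=7)

if __name__ == "__main__":
    a, b, ka, kb = demo()
    print(f"reconciled {len(a)} bits, keys equal: {a == b}; "
          f"final key {len(ka)} bits, equal: {ka == kb}")
```

Each pass costs at least one bit in eight, so a 2000-bit key with 2% errors ends up well under half its length before shrinking; a single bit unknown to Eve flips about half of the final key bits.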

Attacks
– Single photon QKD proven secure against “collective attack”, conjectured to be the strongest “joint attack” (I don’t understand either the terminology or the proof.)
– A “man in the middle” attack protected by “classical privacy amplification” (single photon?)

More Attacks
Actual physical devices aren’t as perfect as assumed in the theorems: occasionally there are multiple photons. Can that result in a practical attack?
– Privacy amplification can handle Eve knowing a few bits.
– Decoy states can help identify Eve’s snooping by lowering energy to prevent multiple photons for short periods known to Alice and Bob.

“Blinding” seemed to be an effective attack, but protection has been found.

MIM
What about Man-in-the-middle?

Could Eve split a multi-photon stream, reducing its intensity, but not its content?
– PNS: Photon Number Splitting attack requires storage which currently is not possible.
– “There are various possible solutions to this particular problem; it is the unanticipated flaws that present the greatest security hazard.”

In the BB84 protocol Alice sends quantum states to Bob using single photons. In practice many implementations use laser pulses attenuated to a very low level to send the quantum states. These laser pulses contain a very small number of photons, for example 0.2 photons per pulse, which are distributed according to a Poissonian distribution. This means most pulses actually contain no photons (no pulse is sent), some pulses contain 1 photon (which is desired) and a few pulses contain 2 or more photons. If the pulse contains more than one photon, then Eve can split off the extra photons and transmit the remaining single photon to Bob. This is the basis of the photon number splitting attack, where Eve stores these extra photons in a quantum memory until Bob detects the remaining single photon and Alice reveals the encoding basis. Eve can then measure her photons in the correct basis and obtain information on the key without introducing detectable errors.

Proof assumptions
– Eve cannot physically access Alice and Bob's encoding and decoding devices.
– The random number generators used by Alice and Bob must be trusted and truly random.
– The classical communication channel must be authenticated using an unconditionally secure authentication scheme.
– The message must be encrypted using a one-time-pad-like scheme.

Hacking attacks target vulnerabilities in the operation of a QKD protocol or deficiencies in the components of the physical devices used in construction of the QKD system. If the equipment used in quantum key distribution can be tampered with, it could be made to generate keys that were not secure using a random number generator attack. Another common class of attacks is the Trojan horse attack, which does not require physical access to the endpoints: rather than attempt to read Alice and Bob's single photons, Eve sends a large pulse of light back to Alice in between transmitted photons. Alice's equipment reflects some of Eve's light, revealing the state of Alice's basis (e.g., a polarizer). This attack can be detected, e.g. by using a classical detector to check the non-legitimate signals (i.e. light from Eve) entering Alice's system. It is also conjectured that most hacking attacks can similarly be defeated by modifying the implementation, though there is no formal proof.

Real World
Key exchange is now slow:
– 1 Mbits/sec over 20 km of optical fiber
– 10 kbits/sec over 100 km of optical fiber
Distance record is km optical fiber (2007)
As long as any existing fiber spans.
Free space distance record 144 km
Photon loss and errors are limiting factors

Commercial
– id Quantique (Geneva)
– MagiQ Technologies (New York)
– QuintessenceLabs (Australia)
– SeQureNet (Paris)

World's first bank transfer using quantum key distribution was done in Vienna, Austria (2004). Id Quantique was used in the Swiss canton of Geneva to transmit ballot results to the capital in the 2007 national election. Battelle Memorial Institute used id Quantique to connect their main campus in Columbus, OH and their manufacturing facility in Dublin, OH (2013).

The 10-node DARPA Quantum network has been running since 2004 in Massachusetts (BBN Technologies, Harvard, Boston U. and QinetiQ).

The world's first computer network protected by quantum key distribution was implemented in October 2008, at a scientific conference in Vienna (SECOQC: Secure Communication Based on Quantum Cryptography). The network used 200 km of standard fibre optic cable to interconnect six locations across Vienna and the town of St Poelten located 69 km to the west.

The Tokyo QKD Network was inaugurated on the first day of the UQCC2010 conference. The network involves an international collaboration between 7 partners: NEC, Mitsubishi Electric, NTT, NICT, Toshiba, Id Quantique, Austrian Institute of Technology (AIT), the Institute for Quantum Optics and Quantum Information (IQOQI) and the University of Vienna.

A hub-and-spoke network has been operated by Los Alamos National Laboratory since All messages are routed via the hub. The system equips each node in the network with quantum transmitters (i.e., lasers) but not with expensive and bulky photon detectors. Only the hub receives quantum messages. To communicate, each node sends a one-time pad to the hub, which it then uses to communicate securely over a classical link. The hub can route this message to another node using another one-time pad from the second node. The entire network is secure, provided that the central hub is secure. Individual nodes require little more than a laser; prototype nodes are around the size of a box of matches.

BBN + DARPA

The current commercial systems are aimed mainly at governments and corporations with high security requirements. Key distribution by courier is typically used in such cases, where traditional key distribution schemes are not believed to offer enough guarantee. This has the advantage of not being intrinsically distance limited, and despite long travel times the transfer rate can be high due to the availability of large capacity portable storage devices. The major difference of quantum key distribution is the ability to detect any interception of the key, whereas with courier the key security cannot be proven or tested. QKD systems also have the advantage of being automatic, with greater reliability and lower operating costs than a secure human courier network.

Factors preventing wide adoption of quantum key distribution outside high security areas:
– the cost of equipment
– the lack of a demonstrated threat to existing key exchange protocols.
However, with optic fiber networks already present in many countries the infrastructure is in place for a more widespread use.