Download An Introduction to Quantum Key Distribution

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
Document related concepts
no text concepts found
Transcript 
An Introduction to
Quantum Key Distribution
Akihisa Tomita
Quantum Computation and Information Project,
ERATO-SORST, JST
Nano Electronics Research Laboratories, NEC Corp.
Security in optical communication
networks
• Improved technology:
High-Quality, High-speed,
Highly robust to disturbance
– Insensitive to eavesdropping
Intra-net
Database/server
Access network
station
Carrier’s
private
network
Dark-fibers: easily tapped
Protection by cryptography
2
2
Threat by innovating technologies
• Shor’s and related quantum algorithms
– Efficient solution for factorization, discrete log, ….
(on which the security of public key cryptography relies)
• Grover algorithm for database search
• Progress in computers
(reduces time to break codes)
• Invention of new algorithm
– One-way has not been proved
– Back doors may be exist in a certain implementation
3
3
Code breakers in the fictitious world
• ‘TRANSLTR,’ a huge computer in
Dan Brown’s novel
“DIGITAL FORTRESS”
–
–
–
–
5yrs. development period
$1.9 B cost
3 M processors in parallel
10,000 bit-key decrypted in an hour
– quantum algorithm employed?
in 1998? (Shor’s algorithm appeared
in 1994)
4
4
RSA Challenge (it’s real)
1200
1000
bits
800
600
400
• current key: 1024 bits
• may need to upgrade
200
0
1990 1995 2000 2005 2010 2015 2020 2025
year
affordable resource
5
security
5
Secure communication
Plain Text
M
Encryption
fk: algorithm
Cipher Text
C=fk(M)
Key k
• Caesar’s Cipher
– algorithm: replace a
character by the k-th
one in the alphabet
– Key: a number k
– example:
6
6
Perfectly secure cryptography
• Vernam cipher (One-time-pad)
– C = M⊕K
– Fresh keys (used only once)
– Length(M) = Length(K) = Length(C) = const.
10100101
Cipher text
10100101
key
key
⊕
11101011
Plain text
Plain text
01001110
Cipher text
=
11101011
01001110
“N”
7
=
⊕
Common TRUE random numbers
“N”
7
Requirements for common keys
• Secure communication with Vernam cipher
Alice
Bob
message
key distribution
message
Key
error rate: ex. <10-9
• shared by Alice and Bob
• negligible information
for eavesdroppers
• statistically random
8
Key
χ (K ) ≤ 2−δ
ex. δ = 8
Pass the RN tests:
ex. FIPS140-2
SP800-22
8
Adversaries
•
•
•
•
•
Collect pairs of [plain texts] and cipher texts
Guess key (cryptanalysis)
Decode the following cipher texts
impossible for one-time-pad
only way is eavesdropping key distribution to
know the key used in cipher
• try to get as much as information on the key
• If Adversaries' information on raw key is bounded,
their information on final key can be reduced by
Privacy Amplification
9
9
Quantum Key Distribution
~security based on laws of physics~
• A protocol to share random numbers
(cryptographic key) between remote parties
• Everlasting, unconditional security
guaranteed by quantum mechanics and
Information theory, i.e.,
Any computers (incl. quantum) cannot draw
key information
• Detection of eavesdropping, or
guaranteed security
• by limiting eavesdropper’s information
10
10
Mission impossible:
to distinguish two states with a single measurement
• classical states = possible
• orthogonal states = possible
• non-orthogonal states = impossible
If you had many copies, it would be possible without a trace
disturbance
upper bound of information
accept!
error free
reject!
50% error
11
11
Secure key distribution with quantum
communication
Bob
Alice
Application
secure key
Decoding
erase leakage info
Privacy amp.
error
correction
transmission
key
TX
Coding
Eve
12
common random numbers
Quant. Comm.
key
RX
estimate leakage information
12
Errors and Eve’s information
Eve:
:+ basis
Alice:+ basis
Eve gets information
I1>+
I1>+
Alice:x basis
Eve causes error
I1>×
0
×
=
1
2
1
(0
+
+1
(
+
0
)
)
proved
1It× was
=
0 + − 1 + that,
2
1 E
max
[ ] 2
Z
Eve’s state
13
0 +1
++
1
after coding-decoding, for Alice’s key [Z]
ρ[ Z ] − ρ E ≤ Pph ≤ 2 N h (n
1
2l
++
missing
phase
information
E
ρ
∑ [Z ]
[Z ]
e
N )− m
h ( x) = − x log 2 x − (1 − x) log 2 (1 − x) ;0 ≤ x ≤ 1 / 2
Alice’s sent: l bits, final key: N bits
M. Hayashi, PRA 76, 012329 (2007)
13
Secure key distribution with quantum
communication
Bob
Alice
Application
secure key
Decoding
erase leakage info
Privacy amp.
error
correction
transmission
key
TX
Coding
Eve
14
common random numbers
Quant. Comm.
key
RX
estimate leakage information
14
Error Correction Code
• Use redundancy to recover from error
• ex. correct one bit error
encoding : 0 → (000); 1 → (111)
channel
(000)
(100)
(010)
(001)
(111)
(011)
(101)
(110)
error correction
15
15
(2m-1,2m-1-m) Hamming code
• Parity check matrix H=[I:P] mxm: mx(2m-1-m)
– list 2m-1 vectors of m bits
ex. m=2
 1 0 1


 0 1 1
• Generator matrix G=[tP:I] (2m-1-m)xm:(2m-1-m)x(2m-1-m)
(1
1 1)
• codeword c = aG a = {0,1}
(000),(111)
• error
v = c+e
• syndrome t s = H t v = H t e
1
s 1 = 
0
16
1
0 1    1 
1
 0  =  , s 2 = 
1 1    0 
0

0
H t c = H tG t a = 0
H G = [I
t
 P
P]  = P + P = 0
I 
0
0 1    0 
1
 1  =  , s 3 = 
1 1    1 
0

0
0
0 1    1 
 0  =  
1 1    1 
1
16
Privacy amplification
• If Eve’s knowledge about
W is at most Θ<N
• Alice and Bob can distill N
-m bits of secure key K,
which satisfies
(0?1??0?)
3 bits known
0.06
0.04
0.02
0
0
(δ = m − Θ)
,
with a random choice of
universal hash function G
(N-m x N) random matrix:
K=GW
16 32 48 64 80 96 112
Key value (7bits)
Probability
I (K ) ≤ 2
−δ
Probability
• Alice and Bob share N
random bits W
0.08
0.15
0.1
0.05
0
0 1 2 3 4 5 6 7 8
Key value (3bits)
17
Bennett, Brassard, Crepeau, Maurer, IEEE Trans. IT 41, 1915 (1995)
17
BB84 protocol
Alice
Bob
01001
00100
11......
Random
numbers
Select one basis
Select one basis
1
0
Quantum channel
0
1
0
1
Det.
R(θ
θ)
R(θ
θ)
Single photon
modulation
01001
00100
11......
Shared key
0
1
??
Eve
M
demodulation
Classical channel
01001
00100
11......
Shared key
basis sift,
error check, reconciliation,….
18
18
Assumptions on security proof of BB84
• Quantum mechanics is correct
• An authenticated classical communication
channel exists
– Eve can hear, but cannot modify
• Legitimated users are isolated from
outside
– eavesdropping is allowed only on the channel
19
19
Security proof of BB84 by Shor and Preskill
Shor & Preskill, PRL 85, 441 (2000)
• A CSS code (quantum error correction
code) to achieve unconditional security:
χ E (R ) → 0 with the rate R = 1 − h(e× ) − h(e+ )
• assuming perfect devices (single photon
source and single photon detector*)
h( x) = − x log 2 x − (1 − x) log 2 (1 − x)
* Mayers proved the unconditional security with imperfect
photon detectors before Shor-Preskill (1996)
20
20
Improvement of security proof
• Classical error correction and privacy
amplification (Koashi & Preskill)
• The above holds for finite length code in the
sense that Holevo information is bounded by:
χ E ≤ 2 −δ (Hayashi)
• Imperfect photon detectors (Mayers, Koashi,
ILM)
• Eve’s information should be measured with
Hoelvo information or distance norm to
guarantee the universal composability (Renner
& others)
21
21
Assumptions on BB84 protocol
ideal
practical
• single photon source
• weak coherent light
– one photon for one bit
• infinite computational
resource
– infinite code length
(asymptotic)
• infinite code length,
infinite time to measure
– no estimation error
– no fluctuation
– 0,1,2,.. photons for one
bit
• finite memory capacity,
execution time
– finite code length
• finite code length,
finite time
– sampling error
– fluctuation
Can we extract secure keys under the practical assumptions?
Yes, with decoy method.
22
22
PNS (Photon Number Splitting) Attack
Effective attack on weak coherent pulse
Average Photon Number µ
P (n , µ ) n ≥ 2 ≥ 1 − exp [− T µ ]
Alice
weak coherent
pulse source
0 photon
Poisson
1 photon
Distribution 2 photon
Lossless fiber
Hide the “stealing”
Bob
photon
detector
Eve
(Eavesdropper)
• If more than two photons in a pulse, take one and keep it.
If one photon, cut the line.
• Measure the photon after the basis is open, and
• get full information.
• For large channel loss, Eve is not detected.
23
23
Information Leakage
Eve
Alice
probabilistic
Bob
No photons
detection events: J0
1
part of
key information
detection events: J1
disturbed bits: t
WCP
disturbance
2 or more all the key
information
detection events: J2
no disturbance
(
)
Information on Bob’s sift bit: J 0 + J 1 h t J 1 + J 2
24
(GLLP04)
24
Idea of Decoy method
Decoy method [Hwang PRL 91 057901(03)]
µ
detection
error
0
・・・・
・・・
1
・・・・
・・・
2
・・・・
・・・
・・・
・・・・
・・・
k
・・・・
・・・
Check bits
0
・・・
・・・
・・・
eavesdropping
2
random selection
1
sift key
k
Photon number: known
Ave. photon number: unknown
25
constraint
tight estimation
Asymptotic theory for k=1,2 given
by Wang PRL 94 230503 (05)
and Lo, et al PRL 94 230504 (05)
25
Implementation:
How to certificate security?
•
•
•
•
•
•
•
•
26
Ingredients
protocol
process
calibration/test
qualification
transport
storage
usage
26
Making QKD equipment
LS
q-encoder
(interferometer+PM)
q-decoder
(interferometer)
detector
clock
RNG
RNG
clock
• signal processing
• q-commun.
– Light Source
– encode/
decode
– detector
27
•control
–clock sync.
–RNG
–frame sync.
–temp.
– raw key
– sift
– channel estimation
(leakage information)
– error correction
– privacy amplification
27
A QKD system under development
Alice
Bob
Z
X
Pulse
LD
PLC
PLC
X
Z
RNG RNG
clock
CWDM
clock regen.
LD
PLC module
28
main-board
sub-board
ATCA
PLC: Planar Lightwave Circuit
compact APD module
28
PLC characteristics
execss loss<1dB
PLC
AMZI
TA
1.55 µm
Pulsed
ATT.
Depolarized
negligible PDL
PLC
AMZI
Polarization
scrambler
÷
TB
>20dB
over 3h.
stabilized within 0.01 ºC
1
0.99
21
Visibility
22
Counts/sec (104 )
Measured ratio (dB)
polarization independence
stability
23
6
5
4
3
2
1
0
1 hour
17.8
18
18.2
0.98
0.97
∆φ = 2π
πN
0.96
18.4
Temperature (°C) T A
20
0.95
0
30
60
90
120
Time (min.)
29
Ratio
150
180
17
17.5
18
18.5
19
19.5
Temperature (°C) TB
29
Issues for high speed operation
• high speed photon detector
– APD (afterpulse, RF circuit)
– SSPD
• True random number generator
– LSI’s
– entanglement-based (built-in randomness)
• Signal processing circuit
– high clock frequency,large memory,
code length~1Mbit)
– development of special purpose circuit board
30
30
Field experiment of fast QKD transmission
2x2 AMZI PLC
1550 nm
65 km : 2 round trips
97 km : 3 round trips
2-drive MZM
(IM/PM)
DML
Keihanna
Daianji
16km
ATT
DCF
CLK
source
625
MHz
RNG
ATT
1/20
CLK
Tx
1570 nm
2x4 AMZI PLC
Transmitter (Alice)
1
( F + S ) DDMZM
2
NBF
φ1
φ2
Eout
 φ1 − φ2 
 φ1 + φ2 
= Ein cos
 ⋅ exp i

2 
 2 

NBF
L-EDFA
SSPD #1
TIA
SSPD #3
TIA
SSPD #4
TIA
SSPD #2
TIA
10 MHz
CLK
CLK
Rx
Rx
PLL
Receiver (Bob)
31
Tanaka, et al; Opt. Ex. 16, 11354 (2008)31
Sift key transmission performance
97 km WDM
97 km No WDM
65 km WDM
65 km No WDM
10
8
6
4
2
0
14
Sifted key rate [kbps]
Quantum BER [%]
12
97 km WDM
97 km No WDM
65 km WDM
65 km No WDM
12
10
8
6
4
2
0
0
0.1
0.2
0.3
0.4
Average photon number [photons/pulse]
0.5
0
0.1
0.2
0.3
0.4
Average photon number [photons/pulse]
0.5
No degradation caused by WDM
Nonlinear noise can be successfully suppressed
Stable for more than 6 h
Final key rate estimation using decoy
µ = 0.4 photon/pulse
Final key rate : 0.78 ~ 0.82 kbps
µ’ = 0.15 photon/pulse
(asymptotic)
µ’’ = 0.0 photon/pulse
We could have claimed “secure QKD experiment,” if done in 2002
32
32
What’s the problem?
• Transmitter
– PRNG
• should be replaced by high speed TRNG
– fixed intensities
• should be change pulse-to-pulse
– phase correlation between pulses?
• no, we drove the laser in gain-switch mode.
• Receiver
– different detector efficiencies
• should be calibrated
– passive basis choice
• probably no problem
• Post processing
– finite key
• not yet
– off-line
• high speed electronics (hardware logic) under development
33
33
Performance prospect
Key generation rate (per pulse)
100kbps with ~GHz clock
10-3
10-4
10-5
10-6
10-7
10-8
no external photons
asymptotic (3decoy) fiber loss: 0.17dB/km
receiver loss: 5dB
visibility: 0.94
detector efficiency: 0.1
pD = 4 ×10−7
N=104
Eve’s information on
final key:
χ E ≤ 2 −9(bits/4kb final key)
N=106
N=105
10-9
Transmission distance (km)
34
Hasegawa et al.: arXiv 0707.3541
34
QKD provides Values in…
• Strategic information link
– Extreme security
(one-time-pad)
– long distance
– small market
• Key Infrastructure
Back-up
center
router
– Replacement of PKI
(D-H key exchange)
– compatibility with existing network
the internet
• ad-hoc/terminal/FTTH
– weakest link
– cost
– really necessary?
35
router
Session key
server
Master key
server
35
Highly secure network
>1000km
Repeater; satellite (semi classical, quantum)
QKD Network
Photonic Network
36
36
QKD Network
Remote 1
Remote 1
Remote
sub-centre
Centre Centre
Remote 2
・
・
・
・
・
・
N shared key
Remote N
• transmission (1:1, 1:N, N:M)
• relay
• key sharing
37
Remote M
• monitor
• path-control
• buffer
37
Interconnectivity
1. Functions
•
•
Interface between different venders’ equipment
Common key file structures
2. Compatibility between systems
•
•
•
photon transmission
error correction (data exchange)
privacy amplification (data exchange)
3. Key synchronization
•
•
encryption/decryption
compensation of the difference on the specification
•
•
error rate
key (clock) rate
“classical” connection would be a practical solution
38
38
Satellite scenario for long distance
transmission
• Satellite as a trusted
repeater
– no limitation on transmission
distance
• QKD experiments in free
space (EU)
– La Palma-Tenerife (144km)
– entangled photons / WCP
(decoy method)
Nature Phys. 3, 481 (2007)
Phys. Rev. Lett. 98, 010504 (2007)
39
39
Rapid intensity change from LEO
OICETS (Kirari) Circular orbit, altitude~610km
– Short time window ~3min
– Intensity change by range,
thickness of atmosphere
– can be compensated using
orbital data.
• Security? (Eve also knows it)
40
2000
3min.
40
35
1500
1000
30
500
25
0
00:00 02:00 04:00 06:00 08:00 10:00 12:00
Time(minutes)
ground aperture(m)
LEO aperture(m)
wavelength
pointing loss
Aatm (dB)
Fried parameter
Transmission
0.3
0.1
800
0.2
1
0.2
0.8
40
A tte n u a tio n (d B )
– ∆t~5ns demonstrated by
Villoresi, et al (NJP10 033038
(2008))
– higher clock?
2500
R a n g e (k m )
• tracking
• # of bits (not enough for good
statistics)
• timing (clock synchronization)
45
3000
Fluctuation by atmosphere
• Intensity/phase
– wind, turbulences
• distorted wavefront
– temperature
• refraction angle
– scattering, diffraction
by small particles
• Difficult to use decoy;
– E91, or other protocols
Beam spot from the satellite (NICT)
• key rate, statistics
LEO-Ground optical communication
experiment by NICT (March & May, 2006)
41
41
Cryptography
• not complete with secure key distribution
• Functions of cryptography
– Confidentiality
– Integrity
– Authentication
42
42
QKD may have crossed
the Valley of Death
to get into the Darwinian Sea….
Basic
Research
Invention
Applied
Research
Innovation
New Products
New Business
(viable)
“Struggle for Life” in a Sea of Technical and Entrepreneurship Risk
Prof. Lewis M. Branscomb, Harvard University
43
43
• Symbol of communication,
security
(Native American)
• Symbol of tall talking
(Japanese)
conch shell
To clarify what we can promise to the costumers
44
44
Conclusion
• Security proof on QKD has been almost
established
• Successful proto-types have proved feasibility
• To survive in Darwinian sea
– Propose business models
• application
• cost/value
– Define specification
– improve performance
– system integration
45
45
collaborators
QCI pj.
– M. Hayashi
(moved to Tohoku U.)
– J. Hasegawa
– T. Hiroshima
–
–
–
–
–
M. Sasaki
M. Fujiwara
S. Miki
Z. Wang
M. Toyoshima
–
–
–
–
–
–
A. Tajima
A. Tanaka
W. Maeda
S. Takahashi
Y. Nambu
K. Yoshino
– S.-W. Nam
– B. Beak
NEC’s work has been partly supported by NICT
46
46
Related documents