Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Quantum Key Distribution Kommentare Chances and Restrictions Norbert Lütkenhaus Emmy Noether Research Group Institut für Theoretische Physik I Universität Erlangen-Nürnberg Institut für Optik, Information und Photonik Max-Planck Forschungsgruppe, Erlangen Overview • What does Quantum Key Distribution do? • QKD and Correlations • Security intuition based on Quantum Mechanics • Performance in real implementations • Current Problems animieren What is QKD about? EVE Classical Channel Bob Alice initial secret key 010110101 key (X): 010110101 ??? Generated key: informtion theoretic security secure: I(X;Eve)=0 random: H(X) = n (maximal) universally composable Additional Resources: Correlations via Quantum Channel Restrictions: -initially point-to-point -max range 20 km (150km?) -key rate e.g. 100 bits/sec, increase to 100 kbits or more? Correlations and information theoretic security Alice Bob E EveIBE IAE Eve obtains degraded copy of message Alice and Bob can perform secure communication Lower bound on secrecy capacity CS: PABE(a,b,e) A Wyner Wire Tap (rate of secret communication between Alice and Bob) B - Csiszar, Körner, IEEE, IT 24, 339 (1978). IAB CS > max {IAB - IAE, IAB -IBE } Upper Bounds on secrecy capacity CS: - U. M. Maurer, IEEE Trans. Inf.Theo. 39, 1733 (1993); -U. Maurer and S. Wolf, IEEE T. I. T. 45, 499 (1999). Cs I(A;BE) • Intrinsic Information: I(A;BE) I(A,BE) = minEE I(A;B|E) with I(A;B|E) = H(A,E) + H(B,E) – H(A,B,E) – H(E) Exploiting the Csiszar-Körner bound (one-way communication) E IAE A B IAB E A I‘(AB)E 1) 2) 3) [C. Cachin, U.M. Maurer,IEEE Trans. Inf. Theo. 39, 1733 (1993).] B I‘AB = 1 Alice‘s bit string defines the key Amount of required classical communication AB to allow Bob to correct his errors: (1-IAB) bits Estimate Eve‘s relevant information 4) I AE IABE I AE 1 I AB 1 (I AB I AE ) Privacy amplification: Shorten key by fraction CS 1 1 I ABE E I‘‘ (AB)E=0 A B I‘‘AB = 1 CS I AB I AE Quantum Mechanics •Signal states are represented by complex vectors, represented by •(dual vectors are represented by ) •Measurements correspond to set of positive, hermitian operators F , i one for each possible outcome ‘i’, that form the resolution of the identity operator F Id i i •Quantum mechanics predicts the probability of a measurement outcome as the expectation value Pr(i) Fi • Composed systems are described by state vectors that can be expressed as linear combination of tensor products of basis vectors of each individual system A, B cn , m n ~ m A B n ,m • Measurement on only one subsystem: use Fi Id B Eavesdropping Eve E U A A, E U unitary If A, E can be verified to behave like the input states locally on system A for two non-orthogonal input states and ' , then we can show that ~ A ~ E ~ A ' holds for any linear combination Aof P(A,B,E) = P(A,B) P(E). No errors for non-orthogonal states Only trivial operation by Eve no leakage of information A A U E A and ' A . Eavesdropper Bennett Brassard Protocol Quantum Part: Create random key: random signals random measurements Public discussion over faithful classical channel: distinguish deterministic from random processes Alice: Bob: Sifting (public discussion) 0: 1: 1 0 1 No errors: transmitted faithfully Key is secure 1 Shor-Preskill type security proof basis 0110… data 0101… Encoding into QECC code Quantum Error Correction Code Detector Decoding of QECC code noisy channel noisy channel noisy channel Quantum/classical procedure for CSS codes: Phase I: Quantum basis 0101… basis 0110… data 0101… noisy channel Detector data 0101… Phase II: Classical data 0101… 1) 2) data 0100… classical error correction classical privacy amplification data 0101… data 0101… secret key Gain formula The gain formula gives the number of secure bits after error correction and privacy amplification per signal sent by Alice: 1 G 1 h[e] h[e] 2 privacy amplification (Eve‘s additional information gained during error correction) privacy amplification (Eve‘s information gain that caused errors) 11 % Realistic Signals Multi-photon signals Several copies of signal state No single photon sources (though getting there!) Source Eve can single out a copy 1 No errors are caused Delayed measurement gives full information to Eve Eve Weak laser pulse (without phase reference) Laser Pr( n) Exp[ ] n n! Alice Bob Multi-photon signals are a nuisance, but not an obstacle privacy amplification takes care of extra information Unconditional security proof Inamori, NL, Mayers, quant-ph/0107017 Assumptions and settings: •Mixture of vacuum, single and multi-photon signals •Ideal polarization preparation (or equivalent) •No optical intrusion into Alice and Bob •No restrictions on Eve acting on signals •Detection probability independent of signal or basis choice Conservative approach: •Eve responsible for all observed errors and all loss 2e G 12 rep pexp R1 h he R (only limit of long keys shown) hx x log 2 x 1 x log 2 1 x Eve’s optimal strategy: •Split one photon off all multi-photon signals (no error, but full information) •Eavesdrop on a few single photon signals to maintain expected number of detected signals •Block remaining single photon signals Eve knows a lot, but we know how much she knows: Error correction Privacy Amplification unconditionally secure key R pexp pmulti Minimal fraction of contributing single photon signals pexp e: error rate in sifted key pexp: detection rate Pmulti multi-photon probability υrep repetition rate Optical implementation Example: Townsend, Opt. Fib. Tech. 4, 345-370 (1998) Polarization: Relative phase between two optical modes low error rate over long distances (>150 km) Problem: Bob receives weak signals need excellent photo detectors Achievable Rates as of 2000 Rates per time slot, optical fiber based implementations. Commercial Applications © MagiQ Technologies Commercial product: operation on installed optical fiber European effort: IdQuantique (Geneva) EU IP “Secure Communication using Quantum Cryptography” Quantum Communication and Correlations Phase I: Physical Set-Up Generation of correlations between Alice and Bob possibly containing hidden correlations with Eve Physics: correlated data with a promise. Which type of correlations are useful for Quantum Communication? (Classical) Computer Science: Solve Communication Problem with classically correlated data … Phase II: Classical Communication Protocol Advantage distillation (e.g. announcement of bases in BB84 protocol) Error Correction ( Alice and Bob share the same key) Privacy Amplification ( generates secret key shared by Alice and Bob) Potential for correlations secret bits per signal not secure (proven) Regime of Hope not secure (proven) protocol independent secure (proven) protocol e.g. weak coherent pulse BB84 - [Inamori, NL, Mayers quant-ph/0107017] - [Gottesman, Lo, NL, Preskill quant-ph/0212066] typically 20 – 40 km distance (channel model) e.g about 100 km for BB84 signals [Dusek, Jahma, NL, PRA 62 022306 (2000)] Conclusions Quantum Key Distribution offers information theoretic secure key. It can be implemented with todays technology. We are still in the learning process to ramp up rate and distance. Warning: need to secure devices against side-channel attacks. QKD seems ideal topic for interface Physics and Computer Science: physics generates correlations with a promise computer science offers public discussion protocols to extract key