Quantum Cryptography: From Theory to Practice

Points/C-coins required: 34 | 2018-07-26 19:52:45 | 208 KB | PDF

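The article describes the gap between the theoretical security and the practical security of quantum cryptography. Building on an understanding of the principles of quantum cryptography, readers can learn about the latest research progress and gain an in-depth understanding of the current state of practical applications and their security.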
[...] "0" and all vertical and 135-degree signals a "1". Such a generated binary string is now their secret key.

The first phase of the protocol uses signals and measurements via the quantum channel. Alice keeps a classical record of the signal states she sent. Similarly, Bob keeps a classical record of the measurement devices he has chosen together with his measurement outcomes.

The second phase of the protocol uses a public classical channel. An eavesdropper may try to break the scheme by launching a man-in-the-middle attack where she impersonates as Alice to Bob and impersonates as Bob to Alice. To prevent this attack, Alice and Bob should authenticate the data sent in their classical channel. Fortunately, efficient classical authentication methods exist. To authenticate an M-bit message, Alice and Bob only need to consume a key of order log M bits. In summary, starting from a short pre-shared key, Alice and Bob can generate a long secure key by using quantum key distribution. They can keep a small portion of it for authentication in a subsequent round of quantum key distribution and use the rest as a key for one-time pads. The fact that there is no degradation of security by using this new secure key is called composability and has been proven in [...], provided that one uses a proper definition of security e.g. [5, 6]. As a result, we should strictly speak of QKD as quantum key growing.

The BB84 protocol is only one example of a QKD protocol. Actually, there are many QKD protocols, as nearly any set of non-orthogonal signal states together with a set of non-commuting measurement devices will allow secure QKD. [7] These protocols differ, however, in their symmetry that simplifies the security analysis, in the ease of their experimental realization and in their tolerance to channel noise and loss. Independent of Bennett and Brassard's work, Ekert proposed a QKD protocol (Ekert 91) based on Bell's inequalities [8]. In 1992, Bennett proposed a simple protocol (B92) [9] that involves only two non-orthogonal states. A protocol of particularly high symmetry is the six-state protocol [...]

IV. BB84 PROTOCOL IN A NOISY ENVIRONMENT

The idealized BB84 protocol described above will not work in any practical realizations. Even when there are no eavesdropping activities, any real quantum channel is necessarily noisy due to, for instance, some misalignment in a quantum channel. As a result, Alice and Bob will generally find a finite amount of disturbance in their test signals. Since Alice and Bob can never be sure about the origin of the disturbance, as conservative cryptographers, we should assume that Eve has full control of the channel. Therefore, we are faced with two problems. First, the polarization data of Alice may be different from those of Bob. This means that their raw keys are different. Second, Eve might have some partial information on those raw keys.

In order to address these two problems, Alice and Bob have to perform classical post-processing of their raw keys. First, Alice and Bob may perform error correction to correct any error in the raw key. Now, they share a reconciled key on which Eve may have partial information. Second, they may perform so-called privacy amplification. That is to say, they apply a function on their reconciled key to map it into a final key which is shorter, but is supposed to be almost perfectly secure.

Proving the security of QKD in a noisy setting was a very hard problem. This is because instead of attacking Alice's signals individually, Eve may conduct a joint attack. In the most general attack, Eve may couple all the signals received from Alice with her probe and evolve the combined system by some unitary transformation and then send parts of her systems to Bob, keeping the rest in her quantum memory. She then listens to all the public discussion between Alice and Bob. Some time in the future, Eve may perform some measurement on her system to try to extract some information about the key. A priori, it is very hard to take all possible attacks into account.

It took more than 10 years, but the security of QKD in a noisy setting was finally solved in a number of papers. In particular, Shor and Preskill [10] have unified the earlier proofs by Mayers [11, 12] and by Lo and Chau [13] by using quantum error correction ideas. [Lo and Chau's proof uses the entanglement distillation approach to security proof, proposed by Deutsch et al. [14].] Shor and Preskill showed that BB84 is secure whenever the error rate (commonly called quantum bit error rate, QBER) is less than 11 percent. Allowing two-way classical communications between Alice and Bob, Gottesman and Lo [15] have shown that BB84 is secure whenever the QBER is less than 18.9 percent. Subsequently, Chau [16] extended the secure region up to 20.0 percent. An upper bound on the tolerable QBER is also known: BB84 is known to be insecure when observed correlations contain no quantum correlations anymore [17], which happens when the average QBER is above 25% [...] A major open question is the following: What is the threshold value of QBER above which BB84 is insecure? Is there really a gap between the 20% and the 25%?

V. BB84 WITH PRACTICAL SOURCE IN NOISY AND LOSSY ENVIRONMENT

Real-life QKD systems suffer from many type of imperfections. While single photon sources may well be very useful for quantum computing, it is important to note that single photon sources are not needed for QKD. This is good news because currently single photon sources are rather impractical for QKD.

(a) Source: It is rather common to use attenuated laser pulses as signals. Those attenuated laser pulses, when phase randomized, follow a Poissonian distribution in the number of photons, i.e., the probability of having n photons in a signal is given by $P_\mu(n) = e^{-\mu}\mu^n/n!$ where $\mu$, chosen by the sender, Alice, is the average number of photons. For instance, if we use $\mu = 0.1$, then most of the pulses contain no photons, some contain single photons and a fraction of order 0.005 signals contains several photons.

(b) Channel: A quantum channel, e.g. an optical fiber or open air, is lossy as well as noisy.

(c) Detector: Detectors often suffer false detection events due to background and so-called intrinsic dark counts. Moreover, some misalignment in the detection system is inevitable.

Let us consider what happens when we use attenuated laser pulses, rather than perfect single photons, as the source in BB84. [18, ...] The vacuum component of the signal reduces the signal rate since no signal will be detected by Bob. The single photon component of the signal works ideally. The problematic part are the multi-photon signals. Essentially, each multi-photon signal contains more than one copy of the polarization information, thus allowing Eve to steal a copy of the information without Alice and Bob knowing it. More concretely, the presence of multi-photon signals allows Eve to perform the photon-number-splitting (PNS) attack. In the PNS attack, Eve performs a quantum non-demolition measurement of the number of photons on each signal emitted by Alice. Such a measurement tells Eve exactly the number of photons in a signal without disturbing its polarization. Now, Eve can act on the signal depending on the total number of photons. If she finds a vacuum signal, she can resend it to Bob without introducing any additional errors. If she finds a multi-photon signal, she splits off one photon and keeps it in her quantum memory and sends the remainder to Bob. Note that when Eve sends the remainder to Bob, she may replace the original lossy quantum channel by a lossless channel. In other words, Eve may effectively introduce photon-number-dependent loss in the channel. Eve's splitting action does not disturb the signal polarization either in the photon she splits off, nor in the photon she sends on. Later in the protocol Alice will reveal the polarization basis of the signal. This will allow Eve to perform the correct measurement on the single photon she split off, thereby obtaining perfect information about the polarization of Alice's signal.

The remaining signals are single-photon signals. Recall that in the PNS attack, Eve has enhanced the transmittance of multi-photon signals by replacing the original lossy quantum channel by a lossless one. Therefore, in order to match the effects of the original loss in the channel, Eve has to suppress some of the single photon signals. That is to say she has to send a neutral signal to Bob that will cause no errors and look like loss. Of course, the vacuum signal does this job here. The exact rate of the suppressed signals depends on the mean photon number of the source and the loss in the channel.

On those single-photon signals that she does not block, Eve may perform any coherent eavesdropping attack. This means that in the worst case scenario, all the errors arise from eavesdropping in single-photon signals.

In the recent years, several groups developed experimental demonstrations of QKD using imperfect devices. QKD experiments have been successfully performed over about 100km of commercial Telecom fibers and also about 100km of open-air. There have even been serious proposals for performing satellite to ground QKD experiments, thus enabling a global quantum cryptographic [...] set-up by the Cambridge group is shown in Figure 2. Fiber-based QKD systems have matured over the recent years so that at least two firms, id Quantique and MagiQ, manufacture them in a commercial setting.

FIG. 2: Schematics of actual QKD experiments with phase encoding of signals. The figure is from [20] (Courtesy of A. Shields).

It is important to notice that a security proof that takes into account all the above imperfections has been given by Gottesman-Lo-Lütkenhaus-Preskill (GLLP) [21], building on earlier work by Inamori, Lütkenhaus and Mayers. As we pointed out before, it is not "more secure" to use single-photon sources. In fact, at present, it is much more practical to use laser pulses, rather than single-photon sources. Another important issue to mention here is that security proofs assume models for sending and receiving devices (though not for the quantum channel). One has therefore always to check that these models fit the real physical devices.

VI. NEW METHODS

The rough behaviour of the signal rate according to GLLP is easily understood. For low and intermediate losses, one can ignore the effects of errors, and the secret key rate can be understood in terms of the multi-photon probability of the source, $p_{\rm multi}$, and the observed probability that Bob receives a signal, $p_{\rm rec}$:

$G$ [...] $p_{\rm rec} - p_{\rm multi}$

Assuming a Poissonian photon number distribution for the source with mean photon number $\mu$, we find $p_{\rm multi} = 1-(1+\mu)\exp(-\mu)$, and, assuming that we observe a probability $p_{\rm rec}$ as in a standard optical transmission with single photon transmittivity $\eta$ such that $p_{\rm rec} = 1 - \exp(-\mu\eta)$, we can perform a simple optimization over $\mu$ and find the choice $\mu_{\rm opt} \approx \eta$. Therefore, we find [...]

This key generation is rather low compared to the communication demand on optical fiber networks. Moreover, due to the detector imperfections, at some point the dark counts of the detectors kick in so that we find an effective cut-off at distances around 20-40 km. In summary, standard implementations of QKD are limited in distances and key generation rates. There are several approaches to solving these problems.

A. Decoy state QKD

The first and simplest approach is decoy state QKD [23-25]. In addition to signal states of average photon number $\mu$, Alice also creates decoy states of various mean photon numbers $\nu_1$, $\nu_2$, etc. For instance, Alice may use a variable attenuator to modulate the intensity of each signal. Consequently, each signal is chosen randomly to be either a signal state or a decoy state. [...] whether it comes from a signal state or a decoy state. Therefore, any attempt for an eavesdropper to suppress single-photon signals in the signal state will lead also to a suppression of single-photon signals in the decoy states. After Bob's acknowledgement of his detection of signals, Alice broadcasts which signals are signal states and which signals are decoy states and what types. By computing the gain (i.e., the ratio of the number of detection events to the number of signals sent by Alice) and the QBER of the decoy state, Alice and Bob will almost surely discover such a suppression and catch Eve's eavesdropping attack.

As shown by Lo et al. [24], in the limit of infinite number of choices of intensities of the decoy states, the only eavesdropping strategy that will produce the correct gain and QBER for all secretly chosen average photon number is a standard beam-splitter attack. As a result, decoy state QKD allows a dramatically higher key generation rate, $R = O(\eta)$, compared to $R = O(\eta^2)$ for non-decoy protocols as well as a much higher distance for unconditionally secure QKD with a practical QKD system. See Figure 3.

FIG. 3: Key rates for the experimental set-up in [26] using the GLLP results [21] with and without the use of decoy states.

How many decoy states are needed? It has been shown that only one or two type of decoy states are needed for practical protocols [25, 27]. The first experimental demonstrations of decoy state QKD has been done. [28] Given its simplicity, we expect decoy state QKD to become a standard technique in the field. Indeed, many follow-up experiments have now been performed.

B. QKD with strong reference pulses

The second approach is based on the strong reference pulses idea, dating back to Bennett's 1992 paper. [9] The idea is the following. In addition to a phase modulated weak signal pulse, Alice sends also a strong unmodulated reference pulse to Bob through a quantum channel. Quantum information is encoded in the relative phase between the two pulses, the strong reference pulse and the signal pulse. Bob splits off a small part of the strong reference pulse and uses it to interfere with the signal pulse to measure the relative phase between the two. In addition Bob monitors the intensity of the remainder of each strong reference pulse. Since the reference pulse is strong, such monitoring can be done easily by, for instance, a power-meter.

The idea behind this protocol is to make sure that Eve does not have a neutral signal at her hand which would allow her to suppress signals at will without causing an error rate. (Such a neutral signal plays a crucial role in the PNS attack in addition to the multi-photon signals!) Suppose Eve performs some attacks such as the PNS attack on the signal pulse. For some measurement outcomes, she would like to selectively suppress the signal pulse. But how could she do that?

If Eve significantly suppresses the strong reference pulse, Bob's intensity measurement of the remainder of the strong reference pulse will find a substantially lower value than expected. On the other hand, if Eve does not significantly suppress the strong reference pulse but only suppresses the signal pulse, then when Bob measures the relative phase between the strong reference pulse and the signal pulse, he will find a random outcome (for all conclusive events). So either way, Eve is in trouble.

In a number of recent papers, it has been proven rigorously that QKD with strong reference pulses can achieve a key generation rate R [...] Nonetheless, those proofs require Bob's detection system with certain suitable properties (one proof requires Bob has a local oscillator that has been mode-locked to Alice's strong reference pulse, another requires Bob has a photon detector that can distinguish multi-photon signals from single photons). Therefore, they do not apply to standard "threshold" detectors that do not distinguish single-photon signals from multi-photons.

C. Differential Phase Shift QKD

A third approach to increase the performance of QKD devices is the differential phase shift (DPS) QKD protocol. [31] Here one uses a coherent train of laser pulses where the bit information is encoded into the relative phase between the pulses. But each pulse belongs therefore to two signals! Though Eve can split photons off the signal trains, these will remain in non-orthogonal signal states and therefore reveal not their full information to Eve! (A similar effect exists already in the B92 protocol with a strong reference phase!) In the DPS-QKD protocol Eve is now also hampered again with the suppression of signal states as such a procedure would require to break the pulse train, which causes errors. The same holds for a related scheme using time-bins. [32]

Experimental implementations of DPS QKD have been [...] At present, a rigorous proof of the unconditional security of differential phase shift QKD is still missing.

VII. CONCLUDING REMARKS

Owing to space limit, we have not talked much about other QKD implementations, such as those based on parametric down conversion sources, nor new detectors such as superconducting single-photon detectors (SSPD) and transition-edge sensor (TES) detectors. We have omitted also the emerging field of continuous variable QKD systems which make use of homodyne or heterodyne detection.

Security of QKD is a very slippery subject and one should work extremely carefully. Regarding a careful analysis and the formulation of security, see [6]. For necessary and sufficient conditions for security, see [34].

In a popular book, "The Code Book", the author, Simon Singh [35] proposed that quantum cryptography will be the end point of the evolution of cryptography with the ultimate victory of the code-makers. Our view is different. First, quantum cryptography will complement conventional cryptography, rather than replacing it entirely. Second, in order to ensure that a practical QKD system is secure, it is important to verify that the assumptions made in the security proofs actually hold in the practical system. Third, QKD does enjoy a fundamental advantage over conventional cryptography in the sense that, after a quantum transmission, unlike conventional cryptography, there is no classical transcript left for the transmission. Therefore, for an eavesdropper to break a QKD system, she has to possess the required quantum technology right at the time of quantum transmission. For this reason, a skillful eavesdropper can and should invest heavily in quantum technology now, rather than later, to exploit unexpected loopholes in a practical QKD system. In summary, there is no substitute for battle-testing. We need quantum hackers as much as quantum cryptographers. We live in an exciting time where the interplay between the theory and practice of quantum cryptography has just begun. The everlasting warfare between code-makers and code-breakers continues.

We thank critical comments on the earlier version of this paper by Artur Ekert and Renato Renner. This research is supported by NSERC, CIAR, CRC Program, MITACS, CFI, OIT, PREA, CIPI and Perimeter Institute for Theoretical Physics. Research at Perimeter Institute is supported in part by the Government of Canada through NSERC and the province of Ontario through MEDT.

[1] D. Welsh, Codes and Cryptography (Oxford University Press, 1988).
[2] P. W. Shor, SIAM J. Comput. 26, 1484 (1997).
[3] C. H. Bennett and G. Brassard, in Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, India (IEEE, New York, 1984), pp. 175-179.
[4] S. Wiesner, Sigact News 15, 78 (1983).
[5] M. Ben-Or, M. Horodecki, D. W. Leung, D. Mayers, and J. Oppenheim, in Second Theory of Cryptography Conference, TCC 2005, Cambridge, MA, USA, February 10-12, 2005, edited by J. Kilian (Springer, Berlin, 2005), vol. 3378 of Lecture Notes in Computer Science, pp. 386-106.
[6] R. Renner, Ph.D. thesis, ETH Zurich (2005).
[7] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Rev. Mod. Phys. 74, 145 (2002).
[8] A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991).
[9] C. H. Bennett, Phys. Rev. Lett. 68, 3121 (1992).
[10] P. W. Shor and J. Preskill, Phys. Rev. Lett. 85, 111 (2000).
[11] D. Mayers, in Advances in Cryptology - Proceedings of Crypto 96 (Springer, Berlin, 1996), pp. 343-357.
[12] D. Mayers, JACM 48, 351 (2001).
[13] H.-K. Lo and H. F. Chau, Science 283, 2050 (1999).
[14] D. Deutsch, A. Ekert, R. Josza, C. Macchiavello, S. Popescu, and A. Sanpera, Phys. Rev. Lett. 77, 2818 (1996).
[15] D. Gottesman and H.-K. Lo, IEEE Trans. Inf. Theory 49, 457 (2003).
[16] H. Chau, Phys. Rev. A 66, 60302 (2002).
[17] M. Curty, O. Gühne, M. Lewenstein, and N. Lütkenhaus, Phys. Rev. A 71, 022306 (2005).
[18] G. Brassard, N. Lütkenhaus, T. Mor, and B. Sanders, Phys. Rev. Lett. 85, 1330 (2000).
[19] N. Lütkenhaus, Phys. Rev. A 61, 052304 (2000).
[20] Z. L. Yuan, A. W. Sharpe, and A. J. Shields, Appl. Phys. Lett. 90, 01118 (2007).
[21] D. Gottesman, H.-K. Lo, N. Lütkenhaus and J. Preskill, Quant. Inf. Comp. 4, 325 (2004).
[22] H. Inamori, N. Lütkenhaus, and D. Mayers, Eur. Phys. J. D (2007); quant-ph/0107017.
[23] W.-Y. Hwang, Phys. Rev. Lett. 91, 57901 (2003).
[24] H.-K. Lo, X. Ma, and K. Chen, Phys. Rev. Lett. 94, 30504 (2005).
[25] X.-B. Wang, Phys. Rev. Lett. 94, 230503 (2005).
[26] C. Gobby, Z. Yuan, and A. Shields, Appl. Phys. Lett. 84, 3762 (2004).
[27] X. Ma, B. Qi, Y. Zhao, and H.-K. Lo, Phys. Rev. A 72, 012326 (2005).
[28] Y. Zhao, B. Qi, X. Ma, H.-K. Lo, and L. Qian, Phys. Rev. Lett. 96, 070502 (2006).
[29] M. Koashi, Physical Review Letters 93, 120501 (pages 4) (2004).
[30] K. Tamaki, N. Lütkenhaus, M. Koashi, and J. Batuwantudawe, quant-ph/0607082.
[31] K. Inoue and T. Honjo, Phys. Rev. A 71, 042305 (2005).
[32] D. Stucki, N. Brunner, N. Gisin, V. Scarani, and H. Zbinden, Appl. Phys. Lett. 87, 194108 (2005).
[33] E. Diamanti, H. Takesue, T. Honjo, K. Inoue, and Y. Yamamoto, Phys. Rev. A 72, 052311 (2005).
[34] K. Horodecki, M. Horodecki, P. Horodecki, and J. Oppenheim, Phys. Rev. Lett. 94, 160502 (2005).
[35] S. Singh, The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography (Doubleday, New York, 1999).
