Quantum Cryptography
(III)
Antonio Acín
ICFO-Institut de Ciències Fotòniques (Barcelona)
www.icfo.es
Paraty, Quantum Information School, August 2007
Device-Independent QKD
• Quantum cryptography is the only provably secure way of transmitting information through an authenticated public channel.
• Its security is based on Quantum Mechanics.
Is the validity of Quantum Mechanics the only assumption required for secure QKD? NO!
The honest parties should have some knowledge about their devices.
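Device-Independent QKD
Example: BB84
[Figure: Alice's and Bob's devices with inputs x, y and outputs a, b, sharing a state $\rho_{AB}$ and producing p(a, b | x, y).]
$\rho_{AB} = \frac{1}{4}\left(|00\rangle\langle 00| + |11\rangle\langle 11|\right)_Z \otimes \left(|00\rangle\langle 00| + |11\rangle\langle 11|\right)_X$
• If x=y → perfect correlations
• If x≠y → no correlations
The state is separable.
The observed data are the same as those for perfect BB84 with qubits.
No secure QKD!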
Device-Independent QKD
Standard QKD protocols base their security on:
1. Quantum Mechanics: any eavesdropper, however powerful, must obey the laws of quantum physics.
2. No information leakage: no unwanted classical information must leak out of Alice's and Bob's laboratories.
3. Alice and Bob have an authenticated public channel.
4. Knowledge of the devices: Alice and Bob have an (almost) perfect control of the devices.
On assumptions
• A QKD protocol should be based on testable assumptions.
Alice's and Bob's local spaces have dimension equal to two. Is this a testable assumption?
• What is an assumption?
Any hypothesis that (i) is not needed in the perfect scenario where the honest parties share a secret key but (ii) is essential for the distribution of the secret key. Is no information leakage a real assumption?
Device-Independent QKD
The devices are now seen as quantum black boxes. Alice and Bob estimate the observed probability distribution and bound Eve’s information.
[Figure: Alice's and Bob's black boxes with inputs x, y and outputs a, b, producing p(a, b | x, y).]
$\min \left[ I(A:B) - \chi(A:E) \right]$ over all states $\rho_{ABE}$
such that $p(a,b|x,y) = \mathrm{tr}\left(\rho_{AB}\, M_x^a \otimes M_y^b\right)$
Is there a protocol for secure QKD based on p(a, b | x, y) without requiring any assumption on the devices?
Bell’s inequalities violation
Bell’s inequality violation is a necessary condition for security
If the correlations are local:
$p(a,b|x,y) = \sum_\lambda p(\lambda)\, p(a|x,\lambda)\, q(b|y,\lambda)$
A perfect copy of the local instructions can go to Eve.
Barrett, Hardy & Kent
• Whenever some correlations do not violate any Bell’s inequality,
they can be reproduced by measuring a separable state.
• Bell’s inequalities are the only entanglement witnesses which are
independent of the Hilbert space dimension.
Any protocol should be built from non-local correlations.
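The point of the last two slides, worked through for the BB84-like statistics of the earlier separable-state example (an added example, not part of the original slides): the hidden variable λ = (r_z, r_x), two uniform shared bits, is a constructed local model. It reproduces perfect correlations for x=y and none for x≠y, never exceeds the local CHSH bound 2, and a copy of λ lets Eve predict Alice's bit with certainty.

```python
from fractions import Fraction
from itertools import product

BASES = ("Z", "X")                          # BB84 settings for x (Alice) and y (Bob)
LAMBDAS = list(product((0, 1), repeat=2))   # lambda = (r_z, r_x), each with p = 1/4

def output(lam, setting):
    """Local instruction: the box answers with the bit stored for that setting."""
    return lam[BASES.index(setting)]

def distribution():
    """p(a, b | x, y) = sum_lambda p(lambda) p(a|x,lambda) q(b|y,lambda)."""
    p = {}
    for lam, x, y in product(LAMBDAS, BASES, BASES):
        key = (output(lam, x), output(lam, y), x, y)
        p[key] = p.get(key, Fraction(0)) + Fraction(1, 4)
    return p

def correlator(p, x, y):
    """E(x, y) = sum over a, b of (-1)^(a+b) p(a, b | x, y)."""
    return sum((-1) ** (a + b) * v
               for (a, b, xx, yy), v in p.items() if (xx, yy) == (x, y))

def max_chsh(p):
    """Largest CHSH value over the four placements of the minus sign."""
    pairs = list(product(BASES, BASES))
    return max(sum((-1 if pair == minus else 1) * correlator(p, *pair)
                   for pair in pairs) for minus in pairs)

def eve_guess_probability(x):
    """Eve holds a copy of lambda; once x is announced she guesses Alice's bit a."""
    total = Fraction(0)
    for lam in LAMBDAS:
        # p(a, lambda | x) is 1/4 for the instructed a and 0 for the other value
        total += max(Fraction(1, 4) if output(lam, x) == a else Fraction(0)
                     for a in (0, 1))
    return total

if __name__ == "__main__":
    p = distribution()
    print("p(a=b | Z,Z) =", p[(0, 0, "Z", "Z")] + p[(1, 1, "Z", "Z")])
    print("p(a=b | Z,X) =", p[(0, 0, "Z", "X")] + p[(1, 1, "Z", "X")])
    print("max CHSH     =", max_chsh(p), "(local bound 2)")
    print("Eve's guess  =", eve_guess_probability("Z"))
```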
CHSH Protocol
[Figure: Alice's settings x=0, x=1, x=2 and Bob's settings y=0, y=1 drawn as measurement directions on a shared state $\rho_{AB}$, with outputs a, b and the label pIQ (a, b | x, y).]
• The settings x=0,1 and y=0,1 are used to compute the violation of the CHSH inequality.
• The settings x=2 and y=1 are used for the secret key.
• The settings are depicted in a qubit-like picture for the sake of simplicity. They can be any measurements compatible with the observed statistics.
CHSH Protocol
The protocol is secure in the case of zero noise, i.e. when Alice and
Bob observe the maximal violation of the CHSH inequality.
Cirelson: The maximal quantum violation of the CHSH inequality is
$\langle a_0 (b_0 + b_1) \rangle + \langle a_1 (b_0 - b_1) \rangle \le 2 \;\xrightarrow{Q}\; 2\sqrt{2}$
This violation can already be achieved by measuring a two-qubit
maximally entangled state. Any other quantum realization of this violation
is basically equivalent to a maximally entangled state of two qubits.
Eve cannot be correlated at all at the point of maximal violation → Security
Device-Independent QKD
We have developed a device-independent QKD scheme and proved its security under the assumption of N copies of the same probability distribution.
The obtained key rates are clearly comparable to those obtained for standard schemes.
Fewer assumptions
Stronger security!
General security proof?
De Finetti theorem for this situation, with uncharacterized devices?
The boundary of quantum correlations
$\begin{pmatrix} p(1,1|1,1) \\ p(1,2|1,1) \\ \vdots \\ p(r,r|1,1) \\ \vdots \\ p(r,r|m,m) \end{pmatrix}$
$p(a|x) = \sum_b p(a,b|x,y)$
[Figure: sets of correlations, labelled QM and Classical Correlations.]
Quantum correlations (QS):
$p(a,b|x,y) = \mathrm{tr}\left(\rho_{AB}\, M_x^a \otimes M_y^b\right)$
Classical correlations (CS):
$p(a,b|x,y) = \sum_\lambda p(\lambda)\, p_A(a|\lambda,x)\, p_B(b|\lambda,y)$
Bell’s Theorem: $CS \subset QS$
• The set of classical correlations, for finite alphabets of inputs and outputs, defines a convex set with a finite number of extreme points.
• The quantum set is also convex but does not have a finite number of extreme points.
What’s the quantum boundary?
Given $p(a,b|x,y)$, does it have a quantum origin?
Practical implementations
Quantum communication protocols
Quantum channel
Single-photon source
Single-photon detector
Practical implementations
• Single photon source → Weak laser pulse $|\alpha\rangle$ with $|\alpha| \ll 1$.
• Quantum channel → Fiber optic.
• Single photon detectors → Avalanche photodiodes.
Imperfections in real devices open security loopholes!
Time-bin qubit
qubit: $|\psi\rangle = c_0|0\rangle + c_1 e^{i\phi}|1\rangle$
Any qubit state can be created and measured in any basis.
[Figure: time-bin qubit scheme between Alice and Bob, with labels hν, variable coupler, phase φ, switch, and detectors D0 and D1.]
Plug & Play
[Figure: plug & play setup between Bob and Alice, with labels Laser, FR, PM, APD, D, A and PBS.]
Perfect interference (V99%) without any adjustments, since:
• both pulses travel the same path in inverse order
• both pulses have exactly the same polarisation thanks to FM
Drawback: Trojan horse attacks
Photon number splitting attack
Weak coherent pulse:
$|\alpha\rangle = e^{-|\alpha|^2/2} \sum_{n=0}^{\infty} \frac{\alpha^n}{\sqrt{n!}}\, |n\rangle$
The pulse contains n photons with probability $\Pr(n) = e^{-|\alpha|^2} \frac{|\alpha|^{2n}}{n!}$
If the channel has sufficiently large losses, Eve can use the presence of
multi-photon pulses and break the protocol, without introducing any error.
Photon number splitting attacks
[Figure: Alice, Eve and Bob on a lossy quantum channel (L); pulse labels: 1 photon, 2, Pr(n=1), Pr(n=2).]
The imperfect source produces a clone!
Eve blocks the single-photon pulses.
Eve keeps one of the photons and forwards the other to Bob through a perfect line.
Eve keeps her photon until the basis reconciliation → she can read the information. Bob receives the qubit unperturbed.
If Eve can reproduce the losses in the channel via the
two-photon pulses, BB84 remains insecure!
This defines a critical value of the losses, or distance, for the implementation.
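A worked calculation of that critical value, useful when choosing a pulse intensity for a given link (an added example, not from the original slides). It assumes mean photon number μ = |α|², ideal detectors without dark counts, an Eve who forwards one photon of every multi-photon pulse over a lossless line, and a fiber attenuation of 0.2 dB/km; the function names and the attenuation figure are assumptions, not values from the slides.

```python
import math

def photon_number_prob(mu, n):
    """Pr(n) = e^{-mu} mu^n / n! for a weak coherent pulse with mu = |alpha|^2."""
    return math.exp(-mu) * mu ** n / math.factorial(n)

def multi_photon_prob(mu):
    """Probability that a pulse carries two or more photons."""
    return 1.0 - photon_number_prob(mu, 0) - photon_number_prob(mu, 1)

def honest_click_prob(mu, t):
    """Bob's click probability per pulse over a channel of transmission t."""
    return 1.0 - math.exp(-mu * t)

def pns_reproduces_losses(mu, t):
    """True if multi-photon pulses alone can supply Bob's expected click rate."""
    return honest_click_prob(mu, t) <= multi_photon_prob(mu)

def critical_transmission(mu):
    """Transmission t_c solving 1 - exp(-mu * t_c) = Pr(n >= 2)."""
    return -math.log(1.0 - multi_photon_prob(mu)) / mu

def critical_distance_km(mu, attenuation_db_per_km=0.2):
    """Fiber length at which the channel transmission drops to t_c (assumed attenuation)."""
    return -10.0 * math.log10(critical_transmission(mu)) / attenuation_db_per_km

if __name__ == "__main__":
    for mu in (0.05, 0.1, 0.5):
        print(f"mu={mu}: Pr(n>=2)={multi_photon_prob(mu):.5f}, "
              f"t_c={critical_transmission(mu):.4f}, "
              f"distance={critical_distance_km(mu):.1f} km")
```

Lowering μ pushes the critical distance out, at the cost of a lower raw key rate.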
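Possible solution: SARG
Change the encoding
$|{+z}\rangle = \begin{pmatrix}1\\0\end{pmatrix} = |0\rangle$, $|{-z}\rangle = \begin{pmatrix}0\\1\end{pmatrix} = |1\rangle$, $|{\pm x}\rangle = \frac{1}{\sqrt{2}}\begin{pmatrix}1\\ \pm 1\end{pmatrix}$
[Figure: bit values 0 and 1 assigned to Alice's states and to Bob's results.]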
Consider the case where Alice has sent +z. The reconciliation works as follows:
1. Alice announces the sent state plus one of the neighbours, say +x.
2. If Bob measures z, he gets the result +z, so he cannot identify the state. In
this case, the parties reject the symbol.
3. If Bob measures x, he may get the result –x, so he knows that the sent state
was +z. The symbol is accepted. Otherwise it is rejected.
If Eve keeps one photon, she is not able to read the information perfectly
even after the reconciliation part of the protocol.
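The reconciliation steps above, enumerated exactly for any sent state and announced neighbour (an added example, not from the original slides). The state labels follow the slide; the Helstrom bound used for Eve's best single-photon guess is a standard result that the slide does not state, and the function names are assumptions.

```python
import math

S = 1 / math.sqrt(2)
STATES = {"+z": (1.0, 0.0), "-z": (0.0, 1.0), "+x": (S, S), "-x": (S, -S)}
BASIS = {"z": ("+z", "-z"), "x": ("+x", "-x")}

def overlap2(u, v):
    """|<u|v>|^2 for the real amplitude vectors above."""
    return (STATES[u][0] * STATES[v][0] + STATES[u][1] * STATES[v][1]) ** 2

def bob_conclusion(outcome, announced):
    """Bob accepts only if his outcome is orthogonal to exactly one announced state."""
    excluded = [s for s in announced if overlap2(outcome, s) < 1e-12]
    if len(excluded) != 1:
        return None                      # inconclusive: the symbol is rejected
    return next(s for s in announced if s != excluded[0])

def sift(sent, neighbour):
    """Return (acceptance probability, error probability) for one announced pair."""
    announced = (sent, neighbour)
    accept = error = 0.0
    for basis in BASIS:                  # Bob picks z or x with probability 1/2
        for outcome in BASIS[basis]:
            p = 0.5 * overlap2(outcome, sent)
            guess = bob_conclusion(outcome, announced)
            if guess is not None:
                accept += p
                error += p if guess != sent else 0.0
    return accept, error

def eve_best_guess(sent, neighbour):
    """Helstrom bound: best probability of telling two equiprobable pure states apart."""
    return 0.5 * (1 + math.sqrt(1 - overlap2(sent, neighbour)))

if __name__ == "__main__":
    acc, err = sift("+z", "+x")
    print(f"accepted fraction = {acc:.3f}, errors = {err:.3f}")
    print(f"Eve's best guess with one stored photon = {eve_best_guess('+z', '+x'):.4f}")
```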
Decoy state QKD
Hwang
Alice uses sources of different amplitudes for the encoding.
If Eve applies the PNS attack, Alice and Bob will see a difference between the
sources → they detect the attacks and abort the protocol.
Thus, using the different amplitudes, Alice and Bob can estimate the amount of
multi-photon pulses Eve is attacking and the information she is getting.
Decoy-state QKD can be as robust as implementations
using ideal single-photon sources.
Conclusions
Basic idea
Protocols
Security proofs
More general scenarios
Exact relation with entanglement?
New privacy amplification theory
Very inter-disciplinary line of research
Practical protocols
Security proofs?