Transcript transparent - Indico

Quantum Cryptography
Beyond the buzz
Grégoire Ribordy
CERN, May 3rd 2006
Outline

Quantum physics and information technology

The limits of classical cryptography

The principles of quantum cryptography

Practical systems and applications

Future directions
www.idquantique.com
2
100000
50
10000
40
1000
30
100
20
10
10
Size of transistor's grid
[atoms]
Transistors
chip[x1000]
[x1000]
Transistors
perper
chip
Moore’s law and quantum physics
Quantum Limit
1
1970
0
1980
1990
2000
2010
2020
Year
Oui
No n
www.idquantique.com
3
Classical and Quantum physics
Classical physics
 … - 1900
 Describes the macroscopic world
Quantum physics
 1900 - …
 Description of the microscopic
world
 Deterministic
 Probabilistic
 Central role of the observer
 Not very intuitive
 Intuitive
Quantum physics  Novel information processing possibilities
 Quantum Information Theory (QIT)
www.idquantique.com
4
Generating random numbers with quantum physics
 High bit rate
• 4 or 16 Mbits/s
 Continuous monitoring
 Main OS’s supported
www.idquantique.com
5
Outline

Quantum physics and information technology

The limits of classical cryptography

The principles of quantum cryptography

Practical systems and applications

Future directions
www.idquantique.com
6
Introduction: Classical Cryptography

Secret Key Cryptography
Message
Message
Scrambled
Message
Alice



Secret Key
Secret Key
Bob
Identical keys
Key Exchange ?!?
Public Key Cryptography
Message
Different keys
 Key exchange solved
Vulnerabilities!!!
Message
Scrambled
Message


Public Key
Private Key
Different Keys
www.idquantique.com
7
Security of public key cryptography
Computing time
Decryption
(without key)
Encryption
Decryption (with key)
Key length
Selected Key Length
www.idquantique.com
8
Vulnerabilities of public key cryptography
Computing time
Classical computer
Key length
Selected Key Length
www.idquantique.com
9
Vulnerabilities of public key cryptography
Computing time
Classical computer
Quantum computer
& Theoretical progress
Key length
Selected Key Length
www.idquantique.com
10
Where does Quantum Cryptography fit in?
Message
Message
Scrambled
Message
Alice


Secret Key
Secret Key
Bob
Secret key exchange by quantum cryptography
Quantum Cryptography is a key distribution technique!
Quantum Key Distribution is a better name!!!
www.idquantique.com
11
Outline

Quantum physics and information technology

The limits of classical cryptography

The principles of quantum cryptography

Practical systems and applications

Future directions
www.idquantique.com
12
Physical implementation of a data channel
Classical communication
"1"
"1"
Quantum communication
"0"
Fragile !
Security guaranteed by the laws of quantum physics
www.idquantique.com
13
Quantum Cryptography: rules of the game
Classical channel
|...>
Quantum channel
sk’
Eve
1. Details of the protocole publicly known
2. Goal: to produce a secret key or nothing
 « Eve cannot do better than cutting the line »
Alice and Bob: to estimate Eve’s information on key
IAE small: Produce a key
IAE large:
QUANTUM KEY DISTRIBUTION
www.idquantique.com
14
Polarization of Photons

Direction of oscillation of the electric field associated to a lightwave

Polarization states

What can we do with it ?

E

50 %
50 %
www.idquantique.com
15
Irreversibility of Measurements
Incoming photon polarized at 90
Incoming photon polarized at 45
50 %
50 %
Rotation of polarizer
www.idquantique.com
16
Quantum communications

Transmitting information with a single-photon Liner States

Use a quantum property to carry information
= "0" = |0>
= "1" = |1>
www.idquantique.com
17
Eavesdropping (1)

A single-photon constitutes an elementary quantum system
It cannot be split

Semi-transparent mirror
50%
?
?
50%
www.idquantique.com
18
Eavesdropping (2)

Communication interception
Alice
Bob
?
|0>
|0>
Eve

Use quantum physics to force spy to introduce errors in the
communication
www.idquantique.com
19
Quantum Cryptography Protocole
 BB84
Bob
H/V Basis
Alice
Polarizers
45 Basis
Horizontal - Vertical
Diagonal (-45, +45)
Alice's Bit Sequence
Bob's Bases
Bob's Results
0
1
0
0-
0
1
1
1
1
-0
1
0
Key
-
1
-
0-
0
1
-
-
1
0-
1
0
 A better name: Quantum Key Distribution
www.idquantique.com
20
Eavesdropping (3)
Alice
Eve
50%
50%
50%
50%
Bob
50%
Ok
50%
Error
Ok
www.idquantique.com
50%
50%
Error
Ok
21
Key Distillation (ideal case)
Alice
Bob
Quantum channel
Sifted key
0 : no eavesdropping
Reveals rather than prevents eavesdropping
> 0 : eavesdropping
A better name: quantum key distribution
QBER =
www.idquantique.com
22
Key Distillation (realistic case)
Alice
Bob
Quantum channel
(losses)
Raw key
Public channel
Sifted key
Key
Key
www.idquantique.com
23
Information curves
Shannon Information
1.0
I AB  1  H (QBER)
0.8
IAE
Secret key rate
Opt. indiv. attack
0.6
0.4
0.2
0.0
0.0
0.1
0.2
0.3
0.4
QBER
www.idquantique.com
24
The Principles of Quantum Cryptography: Summary
Conventional Symmetric
Cryptography
Key Use
Quantum Cryptography
Future-proof key exchange
with security guaranteed by
the laws of physics
Integrity Verification
Key Distillation
Quantum Communication
Raw key exchange
Point-to-point optical link
www.idquantique.com
25
Outline

Quantum physics and information technology

The limits of classical cryptography

The principles of quantum cryptography

Practical systems and applications

Future directions
www.idquantique.com
26
Building a Quantum Key Distibution System

Necessary components
Single-Photon Source
Channel
Single-Photon Detector

“System approach”
www.idquantique.com
27
Polarization Coding

Typical system
Bob
Alice
Basis 1
"1"
LD 1
Quantum
Channel
LD 2
BS
"0"
PBS
/2
F
PBS
BS
LD 3
BS
LD 4
APD
"0"
Waveplates
"1"
APD
Basis 2
Public Channel
www.idquantique.com
28
Interferences
www.idquantique.com
29
Interferometer


Classical
interference
E

E1


E2
1
Sortie 1
Port 1
0.5
Sortie 2
Port 2
0
0
2
4
6
Phase [radians]
www.idquantique.com
30
Phase encoding

Quantum optics: single-photon
Alice
1
A
Output 1
0.5
Base 1: A = 0; p
Bob
Base 2: A = p/2; 3 p/2
Output 2
D1
B
0
0
D2
2
4
6
Phase [radians]
Bases
Basis choice: B = 0; p/2
Compatible:
Alice A  Di
(A-B = np)
Bob Di  A
Incompatible: Alice and Bob ??
(A-B = p/2)
www.idquantique.com
31
Phase encoding (2)
Alice

A
Stability of such system ???
10 km
10 km ± /10 (100 nm)
Bob
D1
B
D2

In practice
Alice
Bob
80
A
B
CL + LC
60
LL
CC
40
20
0
-3
-2
-1
0
1
2
3 Time (ns)
+
www.idquantique.com
32
Auto-compensated set-up

Time multiplexing
SP
A
Short arm
Bob
Att.
MF
B
Alice
Long arm
www.idquantique.com
33
Practical requirements

Distance limitation < 100 km
Signal, Noise
psignal
pnoise
Distance
Current range is sufficient for a vast majority of MAN/SAN applications

Point-to-point dark fiber
•
•
Amplifiers
Opto-electro-opto conversion
perturbation of the quantum state of the photon
www.idquantique.com
34
Link Encryptors with QKD

Network Appliance
•
•
•
•
Point-to-point link encryption
Layer 2 device
Network protocole independent
Compatible with higher layer encryption
Specifications
- Encryption: AES (128, 192, 256 bits)
- Key rate as high as 100 keys / s
- Distance < 100 km (60 miles)
- Pair of dark fiber
Target Applications
MAN or SAN encryption
www.idquantique.com
35
« Swiss Quantum » Pilot Site
www.idquantique.com
36
Outline

Quantum physics and information technology

The limits of classical cryptography

The principles of quantum cryptography

Practical systems and applications

Future directions
www.idquantique.com
37
Extending the key distribution distance

Chaining links
A
B' A'
B" A"
B'" A'"
B
Telco Infrastructure

Better components

Free space links to low-earth-orbit (LEO) satellites
Tokyo

Geneva
Quantum relays and repeaters
www.idquantique.com
38
Compatibility with conventional optical networks

Optical switching

WDM Links
www.idquantique.com
39
Thank you very much for your attention
id Quantique SA
Chemin de la Marbrerie, 3
CH-1227 Carouge
Switzerland
Ph: +41 22 301 83 71
Fax: +41 22 301 83 79
[email protected]
www.idquantique.com
www.idquantique.com
40
Optical Taps

Optical taps are cheap and simple to use
« Tapping a fibre-optic cable without being detected, and making sense of the
information you collect isn’t trivial but has certainly been done by intelligence
agencies for the past seven or eight years. These days, it is within the range of a
well funded attacker, probably even a really curious college physics major with
access to a fibre optics lab and lots of time on his hands. »
John Pescatore, former NSA Analyst
The submarine « USS Carter » worth $4.1 bn will be able to tap and eavesdrop
undersea cables.
www.idquantique.com
41
Key use


The key produced by a quantum cryptography system is used with
conventional symmetric encryption algorithms
•
One-time pad  « unconditional security »
•
Other symmetric algorithms (AES, Tripe-DES, etc.)  enhanced security
by frequent key change
Why is Quantum Cryptography not used to transmit data?
1) Quantum Cryptography cannot guarantee that one particular bit will
actually be received.
With a random key, it is not a problem. With data, it is.
2) Quantum Cryptography does not prevent eavesdropping, but reveals it a
posteriori. Sending a key and verifying its secrecy allows to prevent
information leakage.
www.idquantique.com
42
Device Authentication
Initial key
Quantum Cryptography Session n: key material
Encryption/decryption key
www.idquantique.com
Authentication key
Authentication key refreshed
Authentication key n
Session n
43