






This document describes the development of a system that modifies the usual protocol of quantum cryptography by incorporating elements of special relativity. The result is that, in principle, every detected photon can be used in the final key, thus doubling or tripling the possible data rate. The document also provides an overview of standard quantum cryptography and its vulnerabilities. It is authored by Evan Jeffrey, Matthew Brenner, and Paul Kwiat from the Department of Physics at the University of Illinois.







Quantum cryptography is a method of communicating securely, the secrecy of which is guaranteed by the laws of physics and information theory. Current implementations suffer from relatively short ranges and low data rates. We are developing a system that modifies the usual protocol by incorporating elements of special relativity. The result is that in principle, every detected photon can be used in the final key, thus doubling or tripling the possible data rate. Our delayed-choice quantum cryptography (DCQC) system works by storing the photon sent to Bob in a low-loss optical delay line until a classical signal from Alice informs him which measurement basis to use.
Encryption is the science of encoding messages (called the plaintext) in a form (the ciphertext) that provides no information to unintended recipients, yet can easily be decoded into the original message by the intended recipient. Algorithms for encrypting data date back thousands of years,^1 but only since the advent of modern information theory^2 have useful formalisms been developed for analyzing ciphers. As a result, the past century has seen the emergence of encryption algorithms such as the DES (data encryption standard), RSA (Rivest, Shamir, and Adleman cipher), and the new AES (advanced encryption standard), that stand up to concerted attacks by intelligent and well-equipped adversaries. However, almost all of these algorithms are merely “hard” to crack (that is, to recover the plaintext without having the key needed for decryption), where the cipher chosen is based on what an acceptable definition of “hard” is. Furthermore, the security of an algorithm is only ever evaluated based on known attack strategies. Thus, these systems are potentially vulnerable to breakthroughs in analysis techniques, rapid advances in available computing power, and the emergence of new types of computers that follow fundamentally different rules.
For example, the DES, a 56-bit keyed cipher, was once considered secure enough for most any task, yet now can be cracked via brute-force methods in a matter of hours by dedicated hardware. DES has also been shown to be vulnerable to two new powerful analysis techniques, differential cryptanalysis^3 and linear cryptanalysis.^4 RSA, an algorithm based on the difficulty in finding large prime factors, has been losing ground to frequent advances in state-of-the-art factoring algorithms. Moreover, the prospect of quantum computers looms on the horizon, promising to factor numbers fast enough to make RSA trivially crackable. Clearly, then, for secrets which must be kept for “as long as men are capable of evil,”^5 there is a desire for a system secure against not only presently known attacks, but all possible future forms of attack.
One – and only one – provably secure encryption algorithm does exist: it is the “one time pad” (OTP) protocol, which is also one of the simplest algorithms in use. If the sender (from here on, Alice) and receiver (Bob) share a secret string of random numbers of the same length as the plaintext, Alice can simply add the two bit-by-bit (or letter-by-letter) and send the result to Bob. Bob can then subtract the secret key from the ciphertext to recover the original message. The proof of security for this algorithm hinges on the property that for any given ciphertext, all possible plaintexts are equally likely, so that the ciphertext contains no information available to a third party. Although OTPs have been used occasionally in espionage and military applications where total security is absolutely necessary, the protocol poses some serious problems. First, it requires a key as long as the message to be sent. This is difficult to achieve in many scenarios. Also, as the name implies, each key (or pad) may only be used once. If it is ever used to encrypt a second message, the security is compromised and both messages could be recovered.
The disadvantages of the OTP make it impractical for most applications, relegating it to be used for short, ultra-secret communications. Even so, the difficulty of key management has sometimes led to OTPs being implemented or used insecurely, causing security compromises when a “lesser” cryptography system might have prevailed. No amount of theoretical security can compensate for a poor implementation, so it is desirable to have methods of ensuring that a system is being used properly.
Figure 1. Typical layout for BB84 key exchange protocol. Based on a random number generator, Alice fires one of four lasers, corresponding to the chosen communication states. The resultant pulse is then attenuated to an average intensity of less than 1 photon, and sent to Bob. He randomly selects an analysis basis to measure in, either doing nothing (H-V basis) or turning on a Pockels cell (PC) to rotate the polarization by 45° (D-A basis).
The central problem in the OTP is key distribution – how does one transmit the all-important secret random string of bits from Alice to Bob? Classical key distribution methods, e.g., phone lines or fiber optics, are all potentially vulnerable to an undetected eavesdropper. The heart of quantum cryptography is a quantum key distribution (QKD) protocol that uses “quantum uncertainty” to allow the secure exchange of key material suitable for an OTP by remote parties. The most common protocol for QKD is the BB84 protocol.^6 See Gisin et al. for a superb review of several algorithms and implementations of QKD.^7
In BB84 (shown in Fig. 1), Alice transmits to Bob a series, not of bits, but of “qubits” (quantum bits). The qubit typically used is the polarization of a single photon. Alice sends qubits randomly chosen from four states |H〉, |V〉, |D〉 ≡ (|H〉 + |V〉)/√2, and |A〉 ≡ (|H〉 − |V〉)/√2, representing horizontal, vertical, diagonal, and anti-diagonal polarization, respectively. The first two states comprise the H-V basis and the second two comprise the D-A basis. Alice and Bob agree to allow |H〉 and |D〉 to represent a logical “0,” and |V〉 and |A〉 to represent a logical “1.” Bob measures the polarization of the photons he receives with an analyzer, randomly oriented to either discriminate between |H〉 and |V〉 or between |D〉 and |A〉. He then records the outcome for each measurement (“0” or “1”), along with the measurement basis.
Having performed the quantum part of this protocol, Alice and Bob then publicly announce their respective basis choices, but not the actual states they sent or received. Since each basis can represent either logical value, they have not divulged any information about their key data; however, they know that when they used the same basis, their results are perfectly correlated. This is guaranteed because a state prepared as |H〉 (|D〉) will never be detected as |V〉 (|A〉), and vice-versa. In contrast, when Alice and Bob randomly select different bases, they will get completely uncorrelated results. They now select only the bits where both parties used the same basis, forming the “sifted keys”, which are in principle identical. In practice, various noise sources will cause their sifted keys to be slightly different, requiring the use of error correction codes to fix. In addition, they must consider the possibility that an interested third party (Eve, the eavesdropper) may have intercepted, measured, or tampered with the photons “in flight”. However, because not all of the states used are orthogonal, if Eve tries to gain information about the polarization of the photons, she will necessarily introduce an error signal. Alice and Bob can detect the errors with error-correcting codes, and use the measured error rate to place an upper bound on
By the linearity of quantum mechanics,
But, according to the definition of Ô,
∴ Ô does not exist, since these two forms are not equivalent.
It can be shown that the error signal gives a bound to the amount of information Eve can gain.^10,11 If she measures every qubit that passes, the bit error rate (BER) is 25%, which indicates effectively complete knowledge of the shared key, while lower error signals indicate partial knowledge. For sufficiently low error rates, Alice and Bob can cleverly choose to discard data in such a way as to reduce Eve’s knowledge of the secret key. This privacy amplification step reduces the usable efficiency of the QKD channel when the BER becomes large. In fact, if the BER is above 15%, there will be no secret key material left after error correction and privacy amplification.^7
While quantum key exchange is provably secure if the appropriate error detection, correction, and privacy amplification steps are followed, it is based on a number of assumptions. First, we assume that the public communication channel the parties use to communicate basis choices and error correction information is authenticated. Bob must know that the information he is receiving came from Alice untampered, otherwise Eve can mount a man-in-the-middle attack. For this, she intercepts both the quantum and classical communication destined for Bob and negotiates a key with Alice. Simultaneously, she impersonates Alice to Bob, establishing a quantum key with him.
Second, there is an assumption that Alice can produce single photon Fock states. If Alice unintentionally sends two photons with the same polarization, Eve could remove one photon for later measurement, and transmit the other unmolested to Bob. Her eavesdropping then would be very effective and undetectable from the BER. In practice, most implementations use pulsed laser sources attenuated down to single-photon levels (typically ∼0.1 photon per pulse). However, the photon number distribution for laser sources is Poissonian – even when the mean photon number per pulse is well below 1, a small but significant fraction of pulses will have two or more photons. Some degree of this can be overcome by attenuating the laser sources further, or with privacy amplification, both at a significant cost in efficiency.
A third major assumption is that the information on the state Alice transmitted must not be available through another channel. In particular, information about the state must not be recorded in any other degree of freedom of the photon, such as frequency or direction, nor may that information be leaked via classical side channels such as RF emission from switches. This may turn out to be one of the hardest requirements to meet.
System noise strongly limits the efficiency of BB84. While Eve must introduce errors to gain information about the key, natural noise sources can also cause errors. To protect their security, Alice and Bob must assume that all errors could be indicating the presence of an eavesdropper, and react accordingly. The efficiency of BB84 will drop in a noisy environment (see Fig. 2), and in a sufficiently noisy environment the protocol will not work at all, as the net yield of secret bits (after error correction and privacy amplification) will drop to zero.
Figure 3. Schematic for delayed-choice system, including the addition of a delay stage for Bob (shown with only 4 passes for clarity) and an extra classical communication component (indicated schematically by the two radio towers, though in practice we implement it using classical laser pulses) for transmitting basis information. The state to send is selected by a quantum random number generator (QRNG).
In delayed-choice quantum cryptography we seek to remove the inefficiency inherent in sifting the key, by incorporating elements of special relativity. Ordinarily, Alice and Bob would only use the same basis on a fraction of the bits (50% for BB84, 33% for the six-state protocol, SSP). The reason for this is that Eve must be unable to gain information on which basis to measure in, effectively precluding Bob from having the same information. In our delayed-choice protocol, instead of measuring his received photon immediately, Bob stores it in his “lab”. Once he has done so, Eve no longer has access to the photon, and Alice is free to broadcast the correct basis to use. Assuming Bob can store photons long enough with high efficiency, he can measure every photon in the right basis, and double the communication efficiency of BB84 QKD, or triple it for the SSP. The fact that Bob and Alice can now in principle use every photon for the key makes the six-state protocol more efficient than the four-state protocol for any BER (see Fig. 2b).
Fig. 3 shows the experimental layout for DCQC. The system is very similar to standard QKD, with the addition of a quantum storage system for storing photons to be measured later, and a fast classical communication system to transmit the basis information to Bob. In our case, the former is accomplished by a delay line constructed from mirrors, while the latter is a laser communication system with low latency modulation. The operation of the system is also similar to standard QKD. As before, Alice sends to Bob a series of photons with polarizations randomly selected from 4 (or 6) states. Bob receives these photons, but instead of measuring them, stores them in the storage device. Once Bob has a photon securely in his lab, Alice sends the information to him on which measurement basis to use. He then measures the photon in that basis, and adds that bit to the secret key. Alice and Bob then perform the usual error correction and privacy amplification steps to generate a final key.
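The sifting fraction and the intercept-resend error rate quoted above for BB84, and the effect of letting Bob wait for Alice's basis as in DCQC, can be checked with a short simulation. This is an added example, not code from the paper; it assumes ideal, noiseless single-photon detection and a simple intercept-resend Eve, and all function and constant names are illustrative.

```python
import random

BASES = ("HV", "DA")     # H and D encode bit 0; V and A encode bit 1
MAX_USABLE_BER = 0.15    # the text: above 15% BER no secret key remains


def measure(state_basis, state_bit, analyzer_basis, rng):
    """Ideal polarization analysis: a matching basis reproduces the bit,
    the other basis gives a uniformly random outcome."""
    if state_basis == analyzer_basis:
        return state_bit
    return rng.randrange(2)


def run_qkd(n_photons, delayed_choice=False, eve=False, seed=1):
    """Simulate n_photons detected photons (assumed lossless and noiseless).

    Returns (sift_fraction, ber): the fraction of detected photons that
    survive sifting and the bit error rate among those kept bits.
    """
    rng = random.Random(seed)
    kept = errors = 0
    for _ in range(n_photons):
        alice_basis = rng.choice(BASES)
        alice_bit = rng.randrange(2)
        basis, bit = alice_basis, alice_bit    # state in flight to Bob

        if eve:
            # Intercept-resend: Eve has to choose a basis while the photon
            # is in flight, i.e. before any basis information is public.
            eve_basis = rng.choice(BASES)
            bit = measure(basis, bit, eve_basis, rng)
            basis = eve_basis                  # she resends what she measured

        if delayed_choice:
            # DCQC: Bob stores the photon and measures only after Alice's
            # classical basis message arrives, so the bases always match.
            bob_basis = alice_basis
        else:
            # BB84: Bob picks his analysis basis at random.
            bob_basis = rng.choice(BASES)

        bob_bit = measure(basis, bit, bob_basis, rng)
        if bob_basis == alice_basis:           # sifting step
            kept += 1
            errors += bob_bit != alice_bit
    ber = errors / kept if kept else 0.0
    return kept / n_photons, ber


def key_possible(ber):
    """True if the measured BER still leaves secret key material."""
    return ber <= MAX_USABLE_BER


if __name__ == "__main__":
    for dc in (False, True):
        for spy in (False, True):
            sift, ber = run_qkd(20000, delayed_choice=dc, eve=spy)
            name = "DCQC" if dc else "BB84"
            print(f"{name} eve={spy}: sifted {sift:.1%}, BER {ber:.1%}, "
                  f"key possible: {key_possible(ber)}")
```

In this model the delayed basis announcement doubles the sifted fraction while the error rate caused by intercept-resend stays near 25%, so the eavesdropper remains just as detectable as in BB84.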
Figure 5. Plot of the reentrant solutions to the ray matrix for a twisted cylindrical delay line. The X axis is the dimensionless base length, defined by the separation divided by the radius of curvature of the two mirrors (assumed to be identical). The Y axis is the twist angle in degrees of one mirror relative to the other. Each point corresponds to a reentrant solution for 40 ≤ N ≤ 120, with bluer points indicating more passes and longer delay times, while redder points indicate fewer passes and shorter delay times.
From this constraint, it is possible to select values of N, m_x, and m_y, and then numerically solve to find the separation and relative twist of a pair of cylindrical mirrors that give the desired eigenvalues. Fig. 5 shows the set of solutions for 40 ≤ N ≤ 120.
In our implementation we use cylindrical mirrors with a ∼5-m radius of curvature, which gives us a base path length of approximately 2 m. Thus, about 85 round trips through the delay line are required per microsecond of total delay time. This can be achieved with a 15° twist angle. We couple in and out of the delay line through a 6-mm hole drilled in the center of one of the mirrors. The size of the hole is chosen to be large enough to admit a beam whose Rayleigh range is about twice the base length of the delay line without significant diffractive losses. The mirror must be large enough for the nearby spots to be far enough from the coupling hole that the photon does not leak out prematurely.
We have designed and constructed a delay line with a delay time of 960 ns (80 round trips through the delay line of 2-m path length). The total transmission efficiency was < 20%, which is not high enough to make DCQC worth implementing (since the storage loss is higher than the loss from sifting). The majority of our losses come from leakage through the mirror coatings; the reflectivity of the mirrors in our prototype system is only 98.9% at the wavelength we are presently using (670 nm). By employing mirrors with reflectivity over 99.99%, we expect to achieve storage losses less than 2%. Some amount of loss comes from clipping and diffraction when going through the coupling hole, which was sized too small in our prototype. We calculate that with a hole diameter 6 times the 1/e^2 radius of the input beam (assumed Gaussian TEM00) this diffraction loss should be less than 1%.
After transmitting the qubit photon, Alice must communicate the basis selection to Bob quickly enough to allow him to perform the measurement within the limits of his storage system. To do this, low latency communication is necessary. To this end, we have designed a fairly fast laser communication system to transmit the basis information. The transmitter consists of a standard laser diode, impedance-matched to be driven directly from a 50Ω pulse generator. The transmitter is driven by a logic circuit implementing a finite state machine (FSM) which accepts a signal on one of 2 (for BB84) or 3 (for the SSP) inputs, each corresponding to a basis, and translates that to a modulation pattern that drives the laser diode. The receiver is a fast photodiode connected to a similar logic circuit that demodulates the signal into 2 or 3 indicators. The output of the receiver is used to trigger a Pockels cell to set the polarization analysis basis.
We designed and built a prototype of the modulation/demodulation circuitry from discrete TTL logic. It functioned as expected at low clock speeds, but with discrete logic, only functioned reliably below 35 MHz, giving a communication delay of at least 260 ns. This is acceptable, but costs us a large portion of our maximum latency (1 μs). We therefore are reimplementing the logic in a programmable logic device (Xilinx CPLD XC9536) to allow us to increase clock rates further and reduce the communication latency.
For the four-state version of DCQC, polarization analysis is performed using a polarizing beam splitter (PBS) preceded by a Pockels cell. The Pockels cell sets the measurement basis according to the applied voltage. No voltage gives zero net birefringence, and therefore no rotation, so the photon is measured in the H-V basis. If a “half-wave” voltage (typically about 1 kV) is applied, the induced birefringence is the equivalent of a half waveplate, giving rotation by 45° to measure in the D-A basis. One of the main advantages of the delayed-choice system, however, is the ability to efficiently implement the 6-state QKD protocol. We have thus developed a system to measure polarization in three bases using a single Pockels cell, rather than the two electro-optic devices that one might believe would be necessary.^18 As shown in Fig. 6, a unitary rotation by 2π/3 about the (1, 1, 1) axis (i.e., the direction equidistant from |H〉, |D〉, and |R〉) in the Poincaré sphere performs a cyclic permutation on the |H〉, |D〉, and |R〉 states, while a negative rotation performs the opposite permutation. With a fixed waveplate and a single Pockels cell with which we can apply either a positive or negative rotation, we can realize a single switch version of the 6-state protocol.
Like the BB84 protocol, the security of DCQC can be shown to be guaranteed by the laws of physics and mathematics. While BB84 rests solely on quantum mechanics and information theory, DCQC also depends on special relativity. The space-time diagram of Fig. 7 illustrates this point. As long as the past light cone of the arrival of a photon to Bob’s laboratory does not overlap the future light cone of Alice’s broadcast of the basis choice, no observer constrained by special relativity can have access to the quantum state and the measurement information simultaneously. This means that those two events are space-like separated, so that in some reference frame, Alice does not transmit the classical basis information until after Bob has received the photon. Alice and Bob must take care to ensure the space-like separation of the photon-receive event and the send-basis-info event.
Another way to understand the DCQC security is in direct analog to the BB84 logic. In both protocols, Alice publicly announces the basis information. In BB84 this announcement comes just after Bob has measured the photon; in DCQC the announcement comes just before. But, from the perspective of Eve, these two situations are entirely equivalent: the reduced density matrix describing Eve’s measurement system cannot depend on whether Bob has actually performed his measurement or not. If it could, then Bob and Eve could set up a faster-than-light communication system and leave Alice in wonderland. Therefore, since Eve’s information cannot depend on when Bob makes his measurement, the standard BB84 security proofs hold.^19,20
There are a number of attack strategies that Eve could use which must be accounted for and protected against. If Alice and Bob rely on the propagation speed of their signals being c to ensure the correct causality,
Figure 7. Spacetime diagram of delayed-choice operation. Alice at coordinate A_1 transmits a quantum signal, received by Bob at B_1 (for generality, we allow this transmission to propagate at a speed less than or equal to c). Later, Alice at A_2 transmits the information of which basis to measure in, which Bob receives at B_2, whereupon he measures the stored state. As long as the past light cone of B_1 does not overlap the future light cone of A_2, there is no point in space-time at which an eavesdropper could have access to both the quantum signal measured by Bob and knowledge of the basis chosen by Alice, which are necessary to eavesdrop undetectably. This is a sufficient criterion for security even if in Alice and Bob’s rest frame, A_2 is “before” B_1.
basis as Bob. Likewise, if the sender uses separate laser diodes inadvertently operating at slightly different wavelengths, Eve could in principle measure the wavelength without disrupting the polarization, and thereby gain key information without being detected. In the entangled photon system, Alice and Bob can easily check that the polarization states are otherwise indistinguishable by verifying Bell’s inequality.^22,23 The coupling of any other degree of freedom (i.e., frequency) to the photon polarization will destroy the polarization entanglement of the initial state, resulting in an elevated BER and a reduced (or negated) ability to violate Bell’s inequality.† DCQC does not allow Bob to make a passive basis selection, since he must actually choose the analysis basis after receiving the classical information from Alice. However, the DCQC protocol is fully compatible with entangled photons, so there is no reason that Alice cannot use a passive-choice system for sending the photons, as long as all of the appropriate timing constraints can be met.
In summary, we have proposed a new protocol for quantum cryptography that increases the communication efficiency by delaying Bob’s setting of measurement basis until after the classical basis information has been sent to him by Alice. This requires Bob to have the ability to store photons without disrupting their polarization state, and we have implemented a prototype delay line for this purpose. This protocol is interesting because it relies on both quantum mechanics and special relativity to guarantee the secrecy of the exchanged key bits. This suggests to us that other protocols in information science may benefit from similar considerations. For instance, the classical bit-commitment protocol cannot be performed with perfect security in classical or quantum information,^24 but can be solved by a protocol based on special relativity.^25
† One further advantage of using entangled pairs for QKD is that, conditional upon detection of one photon, the other output mode is projected into a near Fock state, reducing the multi-photon amplitudes associated with laser sources.
This work was supported by the Advanced Research and Development Activity, the DCI postdoctoral program, and the U.S. Army Research Office.