Embed Size (px)
Citation preview
1
candidate: Vadim Makarov
Quantum cryptography and
quantum cryptanalysis
Defence for the degree doktor ingeniørat the Norwegian University of Science and Technology, April 30, 2007
SPbSPUSt. Petersburg StatePolytechnic University
2
ca. 1970
2004 First commercial offers
Concept (“money physically impossible to counterfeit”)
...... Market?
1984 Key distribution protocol (BB84)
1989 Proof-of-the-principle experiment
1993 Key transmission over fiber optic link
Quantum cryptography timeline
3
Encoder Decoder
Open (insecure)channel
BobAlice
Key
Secure channel
MessageMessage
Encoded message
Secret key cryptography requires secure channel for key distribution.
Quantum cryptography distributes the keyby transmitting quantum states in open channel.
Key distribution
4
Retained bit sequence 1 – – 1 0 0 – 1 0 0 – 1 – 0
Bob’s measurement 1 0 0 1 0 0 1 1 0 0 0 1 0 0Bob’s detection basis
Alice’s bit sequence 1 0 1 1 0 0 1 1 0 0 1 1 1 0
Light source
Alice
Bob
Diagonal detector basis
Horizontal-vertical detector basis
Diagonal polarization filters
Horizontal-vertical polarization filters
Image reprinted from article: W. Tittel, G. Ribordy, and N. Gisin, "Quantum cryptography," Physics World, March 1998
Quantum key distribution
0
01
1
5
A = – 45 or + 45 : 0
Detector bases:
B = – 45 : X
B = + 45 : Z
A = +135 or – 135 : 1
A
Lightsource D0
B
Alice BobLA
SA
Transmission line
SB
LBD1
Interferometric QKD channel
6Quantum cryptography at NTNU
Fiber optic QKD setup
1. Optimal tracking of phase drift
2. Single photon detector with afterpulse blocking
Security against practical attacks
3. Large pulse attack: experiment
4. Faked states attack
5. Detector efficiency mismatch”0"
”1"
t
BOB
7QKD setup
Bob
Laser
APD
1310 nmPulse rate = 10 MHz
Line
Polarizationсontroller
AttenuatorAlice’s
PC
Publiccommunication(TCP/IP)
Bob’s PC
Polarizationcombiner
Polarizationсombiner
Phasemodulator 2
Polarizingsplitter
Phase modulator 1
PM coupler50/50
Variabledelay linePolarizer
Variable ratioPM coupler
“1”
“0”
Alice
PM fiberstandard SM fiber
8
Photo 1. Alice (uncovered, no thermoisolation installed)
9
Photo 2. Bob (uncovered, no thermoisolation installed)
10Tracking phase drift
To get phase accuracy Δφ within ±10° (QBERopt 1%),
no more than Na = ~ 200 detector counts per adjustment
are required.
Optimally counted at ±90° points from the extreme of the
interference curves. Exact required number of counts
where k is the number of standard deviations of not exceeding Δφ.
,2
2
2
QBER21
12
k
Na
J. Appl. Opt. 43, 4385 (2004)
11Tracking phase drift
+
–
0
0 60 minTime
J. Appl. Opt. 43, 4385 (2004)
To get phase accuracy Δφ within ±10° (QBERopt 1%),
no more than Na = ~ 200 detector counts per adjustment
are required.
Experiment: adjustment every 3 s, Na = 230:
12Test of QKD in laboratory conditions
Test run No. 2
QBER =
.5.7% average
QB
ER
, %
50
11
00 5 min
Time
Test run No. 1
best QBER
~ 4%
QB
ER
, %
50
11
00 5 min
Time
13
tgate down to 1ns
Gate pulse rate = 20 MHz
VE
Vbias
VB
t
T=1/(Gate pulse rate)
tgate–VAPD
Single photon detector:avalanche photodiode in Geiger mode
APD: Ge FD312L
T=77K, QE=16%, DC=5·10 –5
APD inside cryostatC = CAPD
Differentialamplifier
50 coaxial cables
Gate pulse generator Bias
14Afterpulse blocking
In QKD systems, probability of detecting a photon per pulse is always much lower than 1 (e.g., ~ 1/1000). This makes afterpulse blocking efficient, allowing without much loss in detection probability:
In our QKD system: 20 MHz gate pulse rate In principle: a few orders of magnitude faster gate pulse rate
–VAPD
Detector output
Hold-off time: N pulses are blocked after detecting avalanche
t
VB
t
15Hardware implementation of
afterpulse blocking
APD
Differentialamplifier
Gate pulse generator Bias
RF switch
= = Set
Reset
TriggerComparatorIntegrator
Digital output
0 0
N set by switch
CLK
Load
Counter
Overflow
16Test of afterpulse blocking
APD: Ge FD312L
Gate pulse rate = 12 MHz
QE = 7%
T = 77K
Number of gate pulses blocked
0.00
0.05
0.10
0.15
0.20
Co
un
t p
rob
abili
ty, %
Dark counts
Counts at 0.005 photon per pulse
0 2 5 12 18 34
N
17
1. Conventional security; trusted equipment manufacturer
2. Security against quantum attacks – security proofs for idealized model of equipment
3. Loopholes in optical scheme – imperfections not yet accounted in the proof
Quantum key distribution:components of security
2 311
Alice Bob
18Large pulse attack
Alice
Line
AttenuatorAlice’s
PC
Eve’s equipment
Phase modulator
– interrogating Alice’s phase modulator with powerful external pulses (can give Eve bit values directly)
19Large pulse attack: experiment
Laser
4% reflection
Vmod
OTDR
Out
In
Fine length adjustmentto get L1 = L2
L2
L1
Received OTDR pulse
Vmod, V4.1 8.20
Variable attenuator
Alice
Phase modulator
Eve
J. Mod. Opt. 48, 2023 (2001)
20
Photo 3. Artem Vakhitov tunes up Eve’s setup
21
Conventional intercept -resend:
Faked states attack:
BA FSB
EVE
A BB A
EVE
ALARM!!!
(no alarm)
Faked states attack
J. Mod. Opt. 52, 691 (2005)
22
”0"
”1"
t
BOB
Exploiting common imperfection:detector gate misalignment
Phys. Rev. A 74, 022313 (2006)
23
”0"
”1"
t
BOB
Laser pulse from Alice
Detector gate misalignment
Phys. Rev. A 74, 022313 (2006)
24
”0"
”1"
t
BOB
Detector gate misalignment
Phys. Rev. A 74, 022313 (2006)
25
”0"
”1"
t
BOB
Detector gate misalignment
Phys. Rev. A 74, 022313 (2006)
26
”0"
”1"
t
Example: Eve measured with basis Z (90°), obtained bit 1
0°BOB
= 0 °
Detector gate misalignment
(Eve resends the opposite bit 0 in the opposite basis X, shifted in time)
27
(Eve resends the opposite bit 0 in the opposite basis X, shifted in time)
”0"
”1"
t
Example: Eve measured with basis Z (90°), obtained bit 1
90°BOB
Eve’s attack is not detectedEve’s attack is not detected Eve obtains 100% information of the keyEve obtains 100% information of the key
= 0 °
Detector gate misalignment
28
Det
ecto
r ef
fici
ency
t0
t0 t1
0(t0)
1(t0)0(t1)1(t1)
Partial efficiency mismatch
29Partial efficiency mismatch
In the symmetric case (when 1(t0)/0(t0) = 0(t1)/1(t1) ),
Eve causes less than 11% QBER if mismatch is larger than 1:15
A. Practical faked states attack:
B. General security bound (incomplete):
where
30
-3 -2 -1 1 2 30t, ns
0
No
rmal
ized
det
ecto
r se
nsi
tivi
ty, a
rb. u
.
Detector model 1.Sensitivity curves
31
0 1 2 3 4 5 6 7 8 9 10 11 12t, ns
0
10
20
Det
ecto
r q
uan
tum
eff
icie
ncy
, % t = 5.15 ns
1/9
t = 7.40 ns
1/30
0 1
1
0
0
1
Detector model 2.Sensitivity curves at low photon number µ=0.5
32Detector efficiency mismatch
Detector efficiency mismatch is a problem for many protocols and encodings: BB84 (considered above), SARG04, phase-time, DPSK and Ekert protocols.
Control parameter t that changes detector efficienciesshall not be necessarily timing; it can be, e.g., wavelength or polarization.
The worst-case mismatch, no matter how small,must be characterized and accounted for duringprivacy amplification.
[quant-ph/0702262]
33Conclusion
A phase tracking technique and detector with afterpulse blocking were successfully developed.(QKD was demonstrated with a very limited success.)
Our group has built unique expertise in quantum cryptanalysis of attacks via optical loopholes.Several attacks have been proposed, studied in detail,and protection measures suggested.
34Possible future research
Continuing security studies beyond those presented in the thesis; we have experimented with passively-quenchedSi APD; we are trying to incorporate detector efficiency mismatch into general proof... With sufficient financing,a study of high-power damage can be attempted.
Improving the QKD experiment, demonstrating it overat least ~ 20 km distance. Performance of detectorand phase tracking can be more accurately characterized.
The QKD field is abound with novel ideas that can be tried...
35
Optional slides
36
0.00 0.11QBER
0
1
R
0
Handling errors in raw key
R = 1 – 2 h(QBER)
37
MagiQ Tecnologies
USA
id Quantique
Switzerland
Standard VPN router + QKD equipment for frequent key changes
Several other companies also have the QKD technology, but are not selling yet
Commercial offers (as of late 2006)
38
Photo 4. Bob (left) and Alice (right), thermoisolation partially installed
39
Typical values of reflection coefficients for different fiber-optic components(courtesy Opto-Electronics, Inc.)
40( Eve’s basis = Bob’s basis )
is sufficient for eavesdropping
Alice
Eve’s basis det. result
Bob
Incompatible basis –discarded by Alice and Bob during sifting
41
0 10.00
0.11
QB
ER
Not proven(assumed insecure)
Insecure
0.0660
Securewith reduced key rate
Security state of QKD system
( reduced rate at QBER=0 line, too )
42
Trondheim
St. Petersburg
