Quantum crypto


Published on

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Quantum crypto

  1. 1. Applications of Quantum Cryptography – QKD CS551/851 CR yptography A pplications B istro Mike McNett 6 April 2004 Paper: Chip Elliott, David Pearson, and Gregory Troxel. “ Quantum Cryptography in Practice ”
  2. 2. Outline <ul><li>Basics of QKD </li></ul><ul><li>History of QKD </li></ul><ul><li>Protocols for QKD </li></ul><ul><li>BB84 Protocol </li></ul><ul><li>DARPA / BBN Implementation </li></ul><ul><li>Other Implementations </li></ul><ul><li>Pro’s & Con’s </li></ul><ul><li>Conclusion </li></ul>
  3. 3. Quantum Cryptography <ul><li>Better Name – Quantum Key Distribution (QKD) – It’s NOT a new crypto algorithm! </li></ul><ul><li>Two physically separated parties can create and share random secret keys. </li></ul><ul><li>Allows them to verify that the key has not been intercepted. </li></ul>
  4. 4. Basic Idea
  5. 5. History of QKD <ul><li>Stephen Wiesner – early 1970s wrote paper &quot;Conjugate Coding” </li></ul><ul><li>Paper by Charles Bennett and Gilles Brassard in 1984 is the basis for QKD protocol BB84. Prototype developed in 1991. </li></ul><ul><li>Another QKD protocol was invented independently by Artur Ekert in 1991. </li></ul>
  6. 6. Two Protocols for QKD <ul><li>BB84 (and DARPA Project) – uses polarization of photons to encode the bits of information – relies on “ uncertainty ” to keep Eve from learning the secret key. </li></ul><ul><li>Ekert – uses entangled photon states to encode the bits – relies on the fact that the information defining the key only &quot;comes into being&quot; after measurements performed by Alice and Bob. </li></ul>
  7. 7. BB84 <ul><li>Original Paper: Bennett: “ Quantum cryptography using any two nonorthogonal states ”, Physical Review Letters, Vol. 68, No. 21, 25 May 1992, pp 3121-3124 </li></ul>
  8. 8. BB84 <ul><li>Alice transmits a polarized beam in short bursts. The polarization in each burst is randomly modulated to one of four states (horizontal, vertical, left-circular, or right-circular). </li></ul><ul><li>Bob measures photon polarizations in a random sequence of bases (rectilinear or circular). </li></ul><ul><li>Bob tells the sender publicly what sequence of bases were used. </li></ul><ul><li>Alice tells the receiver publicly which bases were correctly chosen. </li></ul><ul><li>Alice and Bob discard all observations not from these correctly-chosen bases. </li></ul><ul><li>The observations are interpreted using a binary scheme: left-circular or horizontal is 0 , and right-circular or vertical is 1 . </li></ul>
  9. 9. BB84 <ul><li>representing the types of photon measurements: </li></ul><ul><li>+ rectilinear </li></ul><ul><li>O circular </li></ul><ul><li>representing the polarizations themselves: </li></ul><ul><li>< left-circular </li></ul><ul><li>> right-circular </li></ul><ul><li>| vertical </li></ul><ul><li>− horizontal </li></ul><ul><li>Probability that Bob's detector fails to detect the photon at all = 0.5. </li></ul>Reference: http://monet.mercersburg.edu/henle/bb84/demo.php
  10. 10. BB84 – No Eavesdropping <ul><li>A  B: |< − − −< < −−< >>−<> | |−−< </li></ul><ul><li>Bob randomly decides detector: </li></ul><ul><li>++ + +O+O + O O +O+++ + +O+O </li></ul><ul><li>For each measurement, P(failure to detect photon) = 0.5 </li></ul><ul><li>The results of Bob's measurements are: </li></ul><ul><li> − >− − < < || | </li></ul><ul><li>B  A: types of detectors used and successfully made (but not the measurements themselves): </li></ul><ul><li> + O+ + O O ++ + </li></ul><ul><li>Alice tells Bob which measurements were of the correct type: </li></ul><ul><li> . . . . ( key = 0 0 0 1) </li></ul><ul><li>Bob only makes the same kind of measurement as Alice about half the time. Given that the P(B detector fails) = 0.5, you would expect about 5 out of 20 usable shared digits to remain. In fact, this time there were 4 usable digits generated. </li></ul>
  11. 11. BB84 – With Eavesdropping <ul><li>A  B: <|<−>−<<|<><−<|<−|−< </li></ul><ul><li>Eavesdropping occurs. </li></ul><ul><li>To detect eavesdropping: </li></ul><ul><li>Bob only makes the same kind of measurement as Alice about half the time. Given that the P(B detector fails) = 0.5, you would expect about 5 out of 20 usable shared digits to remain. </li></ul><ul><li>A  B : reveals 50% (randomly) of the shared digits. </li></ul><ul><li>B  A : reveals his corresponding check digits. </li></ul><ul><li>If > 25% of the check digits are wrong, Alice and Bob know that somebody (Eve) was listening to their exchange. </li></ul><ul><li>NOTE – 20 photons doesn’t provide good guarantees of detection. </li></ul>
  12. 12. DARPA Project
  13. 13. DARPA Project Overview <ul><li>Combined Effort – BBN, Harvard, Boston University </li></ul><ul><li>DARPA Project </li></ul><ul><li>Provides “high speed” QKD. Keys are used by a VPN. </li></ul><ul><li>Tests against eavesdropping attacks </li></ul>
  14. 14. DARPA Project Overview <ul><li>QKD Network – Requires a set of trusted network relays </li></ul><ul><li>Uses Phase Shifting instead of Polarization </li></ul><ul><li>Uses a VPN – Uses QKD to generate VPN keys </li></ul><ul><li>Fully compatible with conventional hosts, routers, firewalls, etc. </li></ul><ul><li>Quantum Channel also used for timing and framing </li></ul><ul><li>Eve is very capable – just can’t violate Quantum Physics </li></ul>
  15. 15. QKD Attributes <ul><li>Key Confidentiality </li></ul><ul><li>Authentication – Not directly provided by QKD – need alternative methods </li></ul><ul><li>“Sufficiently” Rapid Key Delivery </li></ul><ul><li>Robustness </li></ul><ul><li>Distance (and Location) Independence </li></ul><ul><li>Resistant to Traffic Analysis </li></ul>
  16. 16. DARPA Quantum Network
  17. 17. Randomly selects Phase and Value Randomly chooses Phase Basis Measures Phase & Value Timing and Framing
  18. 18. 1’s and 0’s <ul><li>Unbalanced Interferometers </li></ul><ul><li>Provides different delays </li></ul><ul><li>Must be “identical at Sender and Receiver </li></ul>
  19. 19. 1’s and 0’s <ul><li>Photon follows both paths </li></ul><ul><li>Long path lags behind short path </li></ul><ul><li>Travels as two distinct pulses </li></ul><ul><li>Bob receives </li></ul><ul><li>Pulses again take long & short paths </li></ul>
  20. 20. 1’s and 0’s <ul><li>Waves are Summed </li></ul><ul><li>Center Peak – Provides the Bases </li></ul>
  21. 21. 1’s and 0’s <ul><li>1’s and 0’s represented by adjusting the relative phases of the two waves (S A L B and L A S B ). This is the Δ value. </li></ul>
  22. 22. 1’s and 0’s <ul><li>1’s and 0’s represented by adjusting the phase Δ value. </li></ul><ul><li>Encodes 1 or 0 value in either of two randomly selected nonorthogonal bases. </li></ul><ul><li>0 = phase shift of 0 (basis 0) or phase shift π /2 (basis 1) </li></ul><ul><li>1 = phase shift of π (basis 0) or phase shift 3 π /2 (basis 1) </li></ul><ul><li>Randomly applies one of four phase shifts to encode four different (basis, value) pairs </li></ul><ul><li>If Δ = 0 or π , then compatible bases </li></ul><ul><li>If Δ = π /2 or 3 π /2 , then incompatible bases </li></ul><ul><li>Heavily dependent on correct timing – Alice provides </li></ul>
  23. 23. QKD Protocols <ul><li>Sifting –Unmatched Bases; “stray” or “lost” qubits </li></ul><ul><li>Error Correction – Noise & Eaves-dropping detected – Uses “cascade” protocol – Reveals information to Eve so need to track this. </li></ul><ul><li>Privacy Amplification – reduces Eve’s knowledge obtained by previous EC </li></ul><ul><li>Authentication – Continuous to avoid man-in-middle attacks – not required to initiate using shared keys – Not well explained in Paper. </li></ul>
  24. 24. IPSEC <ul><li>“Continually” uses new keys obtained from QKD </li></ul><ul><li>Used in IPSEC Phase 2 hash to update AES keys about once / minute </li></ul><ul><li>Can support: </li></ul><ul><ul><li>Rapid reseeding, or </li></ul></ul><ul><ul><li>One-time pad </li></ul></ul><ul><li>Supports multiple tunnels, each uniquely configured </li></ul>
  25. 25. Key Lifetime and Key Size QKD Extensions <ul><li>Can support: </li></ul><ul><li>Rapid reseeding, or </li></ul><ul><li>One-time pad </li></ul>
  26. 26. Issues <ul><li>Time outs (due to insufficient bits available) </li></ul><ul><li>Noise affects on key establishment. This can’t be detected by IKE. </li></ul>
  27. 27. Other Implementations <ul><li>Two Other Implementations of Quantum Key Distribution: </li></ul><ul><ul><li>D Stucki, N Gisin, O Guinnard, G Ribordy, and H Zbinden. Quantum key distribution over 67 km with a plug&play system .  New Journal of Physics 4 (2002) 41.1–41.8. </li></ul></ul><ul><ul><li>ID Quantine: http:// www.idquantique.com/files/introduction.pdf </li></ul></ul><ul><li>MagiQ. Whitepaper: http://www.magiqtech.com/registration/MagiQWhitePaper.pdf </li></ul><ul><li>Satellite-based QKD: http://ej.iop.org/links/q68/BKUvFWVrm756,uxc76lU,Q/nj2182.pdf </li></ul>
  28. 28. Pros & Cons <ul><li>Nearly Impossible to steal </li></ul><ul><li>Detect if someone is listening </li></ul><ul><li>“Secure” </li></ul><ul><li>Distance Limitations </li></ul><ul><li>Availability </li></ul><ul><ul><li>vulnerable to DOS </li></ul></ul><ul><ul><li>keys can’t keep up with plaintext </li></ul></ul>
  29. 29. Questions? <ul><li>Back to Richard! </li></ul>