Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Post processing for quantum key distribution


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Post processing for quantum key distribution

  1. 1. Post-processing forquantum key distribution Xiongfeng Ma CQIQC, University of Toronto Institute for Quantum ComputingChi-Hang Fred Fung, Jean-Christian Boileau, Hoi Fung Chau Computers & Security 30, 172 – 177 (2011) Phys. Rev. A 81, 012318 (2010) 1
  2. 2. OutlineIntroductionSecurity proofFinite key analysisPost-processingConclusion 2
  3. 3. Introduction 3
  4. 4. Private key cryptosystem Alice and Bob share two identical keys secretly: one-time pad Encode DecodeMessage 10010110101 10101100001 Code XOR XOR Key 00111010100 00111010100 Key Code 10101100001 10010110101 Message Alice Bob Key Distribution 4
  5. 5. Quantum key distribution BB84 (Bennett & Brassard 1984) Alice Bob 0101100 110100 0101110 01X11X0 11X10X0 01X11X0 Eve0:1: 1110100 5
  6. 6. Biased basis choiceStandard BB84 Alice and Bob choose X- and Z-basis with equal probabilities (50/50) Basis sift factor: 1/2Efficient BB84 Alice and Bob choose X- and Z-basis with different probabilities, i.e., with a bias Basis sift factor: approaches to 1 asymptoticallyTrade-off In practice, a larger bias leads to less accurate phase error rate estimation. Think about the extreme case.H.-K. Lo, H. F. Chau, and M. Ardehali, J. Crypto. 18, 133 (2005). 6
  7. 7. In practiceBiased basis ratio, e.g., 90% for Z-basisand 10% for X-basisBit reconciliation Error correction: straightforward*Authentication and error verificationPrivacy amplification Amount: phase error rate estimation Efficiency: hash matrix constructionConfidence level on the final key Security parameters 7
  8. 8. ObjectivesLink between security analyses andexperiments Infinite-key analysis to finite-key analysisPost-processing From raw key to final key, step by stepParameter optimization Biased basis choice Security parameter vs. secure-key costTowards a security analysis standard Security claim Final key size evaluation Underlying assumptions 8
  9. 9. Take-home messagesA practical post-processing scheme: step by step Basis independent source Squashing model compatible detection systemBiased basis ratio Typically, 90:10Authentication: can be done efficiently in practice Error verification: essentially an authentication schemePhase error estimation: a strict bound Main contribution to the finite-key effectEfficiency of privacy amplification: highOther sources and protocols: yet to be done Decoy state, COW, DPS, …X. Ma, C.-H. F. Fung, J.-C. Boileau, H. F. Chau, Computers & Security 30, 172 – 177 (2011) 9
  10. 10. Why is it secure? 10
  11. 11. A quick reviewPrepare-and-measure protocols BB84, six-state…Entanglement based protocols Ekert91, BBM92Unconditional security proof Mayers (1996) Lo and Chau (1999) Shor and Preskill (2000) Devetak and Winter (2003), Renner (2005)Security analysis for QKD with imperfect devices E.g. Mayers, Lütkenhaus, ILM Koashi-Preskill Gottesman-Lo-Lütkenhaus-Preskill (GLLP) 11
  12. 12. Entanglement based protocolsAlice (or Eve) prepares an EPR pair Ψ AB = 1 2 ( 00 + 11 ) Alice and Bob each measures one half of the pairEstimate bit and phase error ratesZ basis measurement (bit) |0> or |1>X basis measurement (phase) |0>+|1> or |0>-|1>C. H. Bennett, D. P. DiVincenzo, J. A. Smolin, and W. K. Wootters, PRA 54, 3824 (1996). 12
  13. 13. Entanglement distillation protocol Entanglement distillation (Lo & Chau 99)1. Bit error correction2. Phase error correction3. Share (almost) pure EPR pairs4. Measure in Z basis to get final key Reduce to prepare-and-measure schemes (Shor & Preskill 00) Put the final key measurement ahead by moving 4 ahead of 1 Error correction Privacy amplification 13
  14. 14. Underlying assumptionsCharacterized source or basis-independent source Single photon (qubit) source Coherent state source: decoy state Entangled sourceDetection system: compatible with the squashing model Threshold detector No efficiency mismatchClassical accessories authentication; error correction; classical communication; random number generators; key management; Secure key cost: asymptotically negligibleInfinite key limit Rates → probabilities Failure probability → 0N. J. Beaudry, T. Moroder, and N. Lütkenhaus, Phys. Rev. Lett. , 101, 093601, (2008). 14
  15. 15. Basis independent setupBBM92 (Bennett, Brassard & Mermin 1992) One can assume Eve has a full control of the source. The basis choice is independent of the state in the channel. The source can be treated as a perfect single photon (qubit) Eve or EPR source.M. Koashi and J. Preskill, Phys. Rev. Lett. , 90, 057902, (2003).X. Ma, C.-H. F. Fung, and H.-K. Lo, PRA 76, 012307 (2007). 15
  16. 16. Finite key analysis 16
  17. 17. Finite-key issuesInitial key Authentication: man-in-the-middle attack Other uses: encryption of classical communication in the post- processingComposability Generated key may be used for the next round of QKD Key growth rather than key distributionNo perfect key in real-life Identical: Alice and Bob share the same key Real-life: no perfect error correction code, i.e., any error correction code can only guarantee with a certain confidence interval Private: Eve knows nothing about the final key Real-life: Eve can just guess the bit values of the initial key with a successful probability, ε=2-k 17
  18. 18. Naïve security definitionsSecure key cost in post-processing Key cost (k) < key generation (n)A fixed failure probability for an arbitrary number ofrounds, ε, [too strong] With Eve’s simple guess + man-in-the-middle attack: ε=2-k, for each round The failure probability for n rounds (potentially n attacks) is at least n2-k, linear dependenceSmall portion of the initial key known by Eve, [too weak] Even exponentially small is not strong enough due to continuous use of the QKD system Requirement of composability 18
  19. 19. Composable securityConfidence interval / Failure probability Confidence interval: the probability that the final key is identical and private, 1-ε The failure probability for n rounds: nε, linear dependence Exponentially decreasing with key cost k A rough guess: ε=2-O(k) per round Smaller than a certain threshold determined by some practical use of the key, say 10-10 Remark: it does not mean Eve knows nε-bit information about the final keyComposable security definition Failure probability is smaller than the pre-determined threshold for all rounds of QKD system usagesM. Ben-Or et al, in TCC (2005), 386.R. Renner and R. König, in TCC (2005), 407. 19
  20. 20. Security measuresFidelity: failure probability Lo, Chau and other prior works M. Hayashi M. KoashiTrace distance R. Canetti (2001) M. Ben-Or, M. Horodecki, D. W. Leung, D. Mayers, and J. Oppenheim (2005) R. Renner and R. König (2005)Workshop, Finite-Size Effects in QKD (Singapore,2008) Two approaches are equivalent Renner: we should use trace distance 20
  21. 21. To-do listRe-exam security proofs Underlying assumptions Formulas from asymptotic security analyses should be re- derived Note: all the security analyses are about privacy amplificationCalculate failure probability and secure-key cost For each step: basis sift, error correction, authentication, error verification, and phase error rate estimation Efficiency of privacy amplificationParameter optimization Biased basis choice secure-key cost for each stepWe have all the recipes ready: put them together 21
  22. 22. Post-processing 22
  23. 23. Underlying assumptionsA single photon (qubit) source or a basis-independent source Coherent state (e.g., with decoy state) QKD: in progressA detection system: compatible with thesquashing modelClassical communicationRandom number generator and keymanagement 23
  24. 24. Flow chart M. Hayashi, D. W. Leung, H.-K. Lo, N. Lütkenhaus, M. Koashi, X. Mo, B. Qi, R. Renner, V. Scarani, D. Stebila, K. Tamaki, W. Tittel Workshop, Quantum Works QKD Meeting (Waterloo, Canada) Workshop, Finite-Size Effects in QKD (Singapore) N. Lütkenhaus, Phys. Rev. A 59, 3301 (1999): using error verification to replace error testing. 24
  25. 25. Procedures IKey sift [neither authenticated nor encrypted] Discard all no-clicks and randomly assign double- clicks Other sift scheme might be applied, e.g., Ma, Moroder and Lütkenhaus, arXiv:0812.4301 (2008) tkenhausBasis sift [authenticated but not encrypted] Use a 2k-bit secure key to generate a Toeplitz matrix Calculate the tag by multiply the matrix with her/his basis string Send each other the basis string with the tag Discard those bits that used different bases Other sift scheme might be applied, e.g., SARG’04 25
  26. 26. Procedures IIError correction [not authenticated but encrypted] Any error correction scheme can be applied here Count the number of bits in the classical communicationError verification [essentially an authenticationproblem] Alice sends an encrypted tag to Bob Bob verify the tag If failed, they can go back to error correction again 26
  27. 27. Procedures IIIPhase error rate estimation Prob.{phase error} = Prob.{bit error} Asymptotically, rates → probabilities A simple random sampling problem 27
  28. 28. Procedure IVPrivacy amplification [authenticated butnot encrypted] Alice generates an nx+nz+l-1bit random bit string and sends it to Bob through an authenticated channel They use this random bit string to generate a Teoplitz matrix to do privacy amplification 28
  29. 29. Final key rateKey rate formulaFinite-key effect Phase error rate estimation, which determines the biased basis choice k3: cost of authentication, error verification, efficiency of privacy amplification 29
  30. 30. OptimizationParameters to be optimized Failure probabilities: Key costs:Finite-key effect Net key growth: NR≥l-kec-k3 Failure probability: ε=εph + ε3 The contribution of ε3 is negligible, when the final key length >> 37 bits 30
  31. 31. Finite-key effectsError correction [fixed]Phase error Other partsrate estimation: Authentication The amount of Error privacy verification amplification Efficiency of Optimal basis privacy bias amplification 31
  32. 32. Quick resultsAn extreme example Raw key size n=1030 and ε=10-30; k3=947 bits and ε3<10-32A typical example n=107, ε=10-7; k3=202 bits and ε3<10-9Observation Main effect comes from phase error estimation The efficiency of privacy amplification is close to 1 The costs of authentication and error verification are negligible in a normal (say, data size >10k) experiment 32
  33. 33. 1 0.95 0.9 0.85 0.8 ex=ez=4%Bias 0.75 ε=10-7 100% error correction efficiency 0.7 0.65 0.6 px set by Alice 0.55 qx obtained by Bob 0.5 2 4 6 8 10 12 10 10 10 10 10 10 Raw key data size 33
  34. 34. 0.7 0.6Key rate per raw key 0.5 0.4 0.3 ex=ez=4% ε=10-7 0.2 100% error correction efficiency 0.1 Finite key Asymptotic key 0 2 4 6 8 10 12 10 10 10 10 10 10 Raw key data size 34
  35. 35. 5 10min data size to yield a positive key minimun data size 4 10 3 10 ex=ez=4% 100% error correction efficiency 2 10 -100 -80 -60 -40 -20 0 10 10 10 10 10 10 failure probability ε 35
  36. 36. ConclusionA practical post-processing scheme withfailure probability as the security definitionError verification: essentially anauthentication schemePhase error estimation: a strict boundEfficiency of privacy amplification: highParameter optimization: main finite-keyeffect comes from phase error rateestimation 36
  37. 37. Further discussionFurther improvement in the privacy amplificationstep: no classical communication needed? Efficiency: failure probability, secure-key cost Extractors for privacy amplificationDetector efficiency mismatch Squashing modelFinite-key analysis for the decoy-state QKD Statistics (software) HardwareComputational complexity On-line post-processingRandom number consumption Extractors 37
  38. 38. ReferencesX. Ma, C.-H. F. Fung, J.-C. Boileau, H. F. Chau, Computers &Security 30, 172 – 177 (2011)C.-H. F. Fung, X. Ma, and H. F. Chau, Phys. Rev. A 81, 012318(2010)H. Krawczyk, in Advances in Cryptology - CRYPTO94 (Springer-Verlag, 1994), 893, 129-139.N. Lütkenhaus, Phys. Rev. A 59, 3301 (1999).M. Koashi and J. Preskill, Phys. Rev. Lett. , 90, 057902, (2003).M. Ben-Or et al, in TCC (2005), 386.R. Renner and R. König, in TCC (2005), 407.M. Hayashi, Phys. Rev. A 74, 022307 (2006).X. Ma, C.-H. F. Fung, and H.-K. Lo, PRA 76, 012307 (2007).V. Scarani and R. Renner, Phys. Rev. Lett. 100, 200501 (2008).T. Tsurumaru and K. Tamaki, Phys. Rev. A 78, 032302 (2008).N. J. Beaudry, T. Moroder, and N. Lütkenhaus, Phys. Rev. Lett. 101,093601 (2008). 38
  39. 39. Another interesting topicEfficiency loophole Long existing problem in Bell’s inequality testsQKD system Detector efficiency mismatch Dead time / after pulseAttacks Time-shift attack Other freedoms: space, frequency, … Even practical one-time encryptionEfficiency-loophole free QKDX. Ma, T. Moroder, and N. Lütkenhaus, arXiv:0812.4301, (2008). 39
  40. 40. Thank you! Xiongfeng Ma, July 06th, 2011 40