Quantum Cryptography

By AVINASH G. PILLAI
University of Washington
avinashp at cs.washington.edu

Introduction

For ages, mathematicians have searched for a system that would allow two people to exchange messages in perfect privacy. Quantum cryptographic systems take advantage of Heisenberg's uncertainty principle, according to which measuring a quantum system in general disturbs it and yields incomplete information about its state before the measurement. Eavesdropping on a quantum communication channel therefore causes an unavoidable disturbance, alerting the legitimate users. This yields a cryptographic system for the distribution of a secret random cryptographic key between two parties initially sharing no secret information that is secure against an eavesdropper having unlimited computing power at her disposal. Once this secret key is established, it can be used together with classical cryptographic techniques such as the one-time pad or symmetric key cryptography to allow the parties to communicate meaningful information in absolute secrecy.

In this paper we will examine some of the early protocols devised for quantum key exchange and quantum bit commitment. The quantum bit commitment scheme proposed was later proven to be flawed, but the quantum key exchange protocol is provably secure if implemented on top of a secure bit commitment scheme [3] and if the transmission error rate is low enough.

Why Quantum Cryptography?

Today the most widely used public key cryptosystem is RSA, whose security relies on the difficulty of factoring large numbers. Although there are other ways to attack the RSA cryptosystem, the most promising one attempts to factor the modulus. When the RSA cryptosystem was invented, it was predicted that factoring 512-bit numbers would take an exponentially large number of years. But with the increase in computing power (including distributed computing) and improvements in factoring algorithms, this can now be achieved in a much shorter time frame.
Today it is already recommended to move to longer keys: 2048-bit keys for corporate use and 4096-bit keys for valuable keys. However, with further improvements in factoring algorithms and computing power, it will become possible to factor numbers of these sizes in the future. Another threat to the security of public key cryptography could originate from the construction of a quantum computer. Quantum computers could potentially factor much larger numbers in a time comparable to that required to encrypt the data. This would make RSA vulnerable to attack and thus render it useless. Hence, researchers are exploring quantum cryptography to examine whether it can be used to transmit data securely over a public channel without an adversary being able to eavesdrop on the communication undetected.

Quantum Key Distribution

Polarized photon based approach - Charles H. Bennett and Gilles Brassard

The principle of quantum cryptography consists in the use of non-orthogonal quantum states. Its security is guaranteed by the Heisenberg uncertainty principle, which does not allow us to discriminate non-orthogonal states with certainty and without disturbing the measured system. It should be noted that quantum mechanics does not avert eavesdropping; it only enables us to detect the presence of an eavesdropper. Since only the cryptographic key is transmitted, no information leak can take place when someone attempts to listen in. When discrepancies are found, the key is simply discarded and the users repeat the procedure to generate a new key.

At the beginning, the two parties that wish to communicate, traditionally called Alice and Bob, agree that, e.g., ↔ and / stand for the bit value 0, and ↕ and \ stand for the bit value 1. Now Alice, the sender, generates a sequence of random bits that she wants to transmit, and randomly and independently for each bit she chooses her encoding basis, rectilinear or diagonal.
Physically this means that she transmits photons in the four polarization states ↔, /, ↕ and \ with equal frequencies. Bob, the receiver, randomly and independently of Alice, chooses his measurement basis, either rectilinear or diagonal, for each photon. Statistically, their bases coincide in 50% of the cases; then Bob's measurements give deterministic outcomes that perfectly agree with Alice's bits. In order to know when the outcomes were deterministic, Alice and Bob need an auxiliary public channel to tell each other which basis they used for each transmitted and detected photon. This classical channel may be tapped, because it carries only information about the bases used, not about the particular outcomes of the measurements. Whenever their bases coincide, Alice and Bob keep the bit. The bit is discarded when they chose different bases, when Bob's detector failed to register a photon due to imperfect detector efficiency, or when the photon was lost somewhere on the way.

Any potential eavesdropper, traditionally called Eve, who listens in on this conversation can only learn whether they both used the rectilinear or the diagonal basis, but not whether Alice sent a 0 or a 1. If Eve wants to eavesdrop on the channel, she cannot passively monitor the transmissions (a single quantum cannot be split, and its state cannot be copied without introducing detectable disturbances). What Eve can do is intercept the photons sent by Alice, perform measurements on them and resend them to Bob. As Alice alternates her encoding bases at random, Eve does not know which basis to measure in, so she must choose her measurement bases at random as well. Half the time she guesses right and resends correctly polarized photons. In the other 50% of cases she measures in the wrong basis, which produces errors.
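The following simulation is an added example and is not code from the paper or from Bennett and Brassard. It models the four polarization states as a (bit, basis) pair, implements the measurement rule the text describes (same basis: deterministic outcome; conjugate basis: uniformly random outcome), performs the public sifting step, and optionally inserts an intercept-resend Eve. The function and variable names, the seed and the sample sizes are all assumptions of the example; the disclosed-sample check at the end corresponds to Alice and Bob publicly comparing part of their strings.

```python
import random

# Basis 0 is rectilinear (↔ = 0, ↕ = 1); basis 1 is diagonal (/ = 0, \ = 1).
RECTILINEAR, DIAGONAL = 0, 1


def measure(bit, sent_basis, meas_basis, rng):
    """Outcome of measuring a photon that encodes `bit` in `sent_basis` using `meas_basis`.
    Matching bases return the encoded bit with certainty; conjugate bases return a
    uniformly random outcome, because the non-orthogonal states cannot be told apart."""
    if sent_basis == meas_basis:
        return bit
    return rng.randrange(2)


def run_protocol(n, eavesdrop, seed=0):
    """Alice sends n photons, Bob measures each in a random basis, and both sift over
    the public channel. Returns the sifted keys (Alice's, Bob's). Without Eve the two
    keys are identical; with intercept-resend they disagree in about 25% of positions."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = []
    for bit, basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-resend: Eve has to guess a basis, measures in it, and resends a
            # photon polarized according to her own outcome in her own basis.
            eve_basis = rng.randrange(2)
            bit = measure(bit, basis, eve_basis, rng)
            basis = eve_basis
        bob_bits.append(measure(bit, basis, bob_basis, rng))
    # Sifting: the bases are announced publicly; positions with different bases are discarded.
    kept = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    return [alice_bits[i] for i in kept], [bob_bits[i] for i in kept]


def disclose_sample(alice_key, bob_key, m, seed=0):
    """Alice and Bob publicly compare m randomly chosen sifted bits to estimate the error
    rate, then discard those bits because Eve now knows them.
    Returns (observed error rate, remaining Alice key, remaining Bob key)."""
    rng = random.Random(seed)
    sample = set(rng.sample(range(len(alice_key)), m))
    errors = sum(alice_key[i] != bob_key[i] for i in sample)
    rest_a = [b for i, b in enumerate(alice_key) if i not in sample]
    rest_b = [b for i, b in enumerate(bob_key) if i not in sample]
    return errors / m, rest_a, rest_b


def error_rate(a, b):
    """Fraction of positions in which the two sifted keys disagree."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


if __name__ == "__main__":
    for eve in (False, True):
        a, b = run_protocol(20000, eavesdrop=eve)
        print(f"eavesdrop={eve}: sifted {len(a)} bits, error rate {error_rate(a, b):.3f}")
```

Running the script shows the two figures the text gives: roughly half of the photons survive sifting, and a continuous intercept-resend attack shows up as an error rate close to 25% on the sifted bits, which the disclosed sample reveals before any key material is used.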
For example, let us suppose that Alice sends a 1 in the rectilinear basis, Eve measures in the diagonal basis, and Bob measures in the rectilinear basis (otherwise the bit would be discarded anyway). Now, no matter whether Eve detects and resends / or \, Bob has a 50% chance of getting ↔, i.e., a binary 0, instead of ↕. Thus, under continuous intercept-resend eavesdropping, Bob finds errors in 25% of the bits that he successfully detects on average. If Alice and Bob agree to disclose part of their strings in order to compare them, they can discover these errors. When they used identical bases, their bit strings should be in perfect agreement. When discrepancies are found, Eve is suspected of tampering with the photons, and the cryptographic key is thrown away.

The basic quantum key distribution protocol is inadequate in practice for two reasons:

1. Realistic detectors have some noise; therefore, Alice's and Bob's data will differ even in the absence of eavesdropping. Accordingly, they must be able to recover from a reasonably small error frequency.

2. It is technically difficult to produce a light pulse containing exactly one photon. There is some probability that an eavesdropper will be able to split a pulse into two or more photons, reading one and allowing the other(s) to go to Bob [2]. This allows the eavesdropper to learn a constant fraction of the bits shared between Alice and Bob without inducing errors. This kind of eavesdropping is called "beam splitting".

Alice and Bob therefore need to reconcile the data transferred during the quantum transmission to remove the errors. Alice and Bob could first agree on a random permutation of the bit positions in their strings to randomize the locations of errors, and then partition the permuted strings into blocks of size k. For each such block, Alice and Bob compare the block's parity.
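The following is an added example of one reconciliation pass as described here and in the next paragraph (the permutation, the block parity comparison, the bisective search that discloses further sub block parities until the error is found, and the dropping of the last bit of every block or sub block whose parity was revealed). It is not code from the paper or from Bennett and Brassard; the function names, the `rng=None` option for an un-permuted pass, and the constructed test input are assumptions of the example.

```python
import random

# Alice holds `alice`, Bob holds `bob`: equal-length bit lists that differ in a few
# positions because of detector noise or eavesdropping. Only parities are exchanged
# over the public channel; no key bit is ever sent in the clear.


def parity(bits):
    return sum(bits) & 1


def reconcile_pass(alice, bob, k, rng=None):
    """One pass: apply a shared random permutation (skipped when rng is None), split into
    blocks of size k, compare block parities, and bisect each odd-parity block until the
    single differing position is found, then flip Bob's bit. The last bit of every block
    or sub block whose parity was disclosed is dropped so the disclosed parities give
    Eve nothing about the remaining key. Returns the shortened (alice, bob) in the
    shared permuted order, which both parties know."""
    order = list(range(len(alice)))
    if rng is not None:
        rng.shuffle(order)          # spreads clustered errors over different blocks
    a = [alice[i] for i in order]
    b = [bob[i] for i in order]
    dropped = set()
    for start in range(0, len(a), k):
        end = min(start + k, len(a))
        dropped.add(end - 1)        # parity of a[start:end] was announced
        if parity(a[start:end]) == parity(b[start:end]):
            continue                # even number of errors (hopefully zero): accept for now
        lo, hi = start, end         # invariant: [lo, hi) contains an odd number of errors
        while hi - lo > 1:
            mid = (lo + hi) // 2
            dropped.add(mid - 1)    # parity of the first half a[lo:mid] was announced
            if parity(a[lo:mid]) != parity(b[lo:mid]):
                hi = mid            # odd error count is in the first half
            else:
                lo = mid            # otherwise it is in the second half
        b[lo] ^= 1                  # a single position whose bits differ: correct Bob's copy
    keep = [i for i in range(len(a)) if i not in dropped]
    return [a[i] for i in keep], [b[i] for i in keep]


def reconcile(alice, bob, block_sizes, seed=0):
    """Repeat the pass with increasing block sizes and a fresh permutation each time,
    so that blocks which hid an even number of errors get split differently."""
    rng = random.Random(seed)
    for k in block_sizes:
        alice, bob = reconcile_pass(alice, bob, k, rng)
    return alice, bob


def count_errors(a, b):
    return sum(x != y for x, y in zip(a, b))


def noisy_copy(bits, n_errors, seed=1):
    """Constructed input for the example: Bob's copy of Alice's string with exactly
    n_errors distinct bit positions flipped."""
    rng = random.Random(seed)
    bob = list(bits)
    for i in rng.sample(range(len(bits)), n_errors):
        bob[i] ^= 1
    return bob


if __name__ == "__main__":
    rng = random.Random(7)
    alice = [rng.randrange(2) for _ in range(4000)]
    bob = noisy_copy(alice, 30)
    a, b = reconcile(alice, bob, [8, 16, 32, 64, 128])
    print(f"errors before: {count_errors(alice, bob)}, after: {count_errors(a, b)}, "
          f"key length {len(alice)} -> {len(a)}")
```

A block with an even number of errors passes the parity test unnoticed in that pass, which is exactly why the text repeats the procedure with new permutations and larger blocks; the final random subset comparison then decides whether the remaining error rate is consistent with channel noise or indicates Eve.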
Blocks with matching parity are tentatively accepted as correct, while the rest are subject to a bisective search, disclosing log(k) further parities of sub blocks, until the error is found and corrected. Even with an appropriate block size, some errors will typically remain undetected, having occurred in blocks or sub blocks with an even number of errors. To remove the remaining errors, the random permutation and block parity disclosure can be repeated several more times, with increasing block sizes, until Alice and Bob estimate that at most a few errors remain in the whole data. To avoid revealing any information to Eve, Alice and Bob agree to drop the last bit from every block or sub block for which they revealed the parity. After this exercise, Alice and Bob can also randomly compare a small subset of bit positions until they are assured that all the errors in the data have been removed and that they have shared a key successfully without revealing it to Eve. If the errors found during reconciliation exceed what can be expected from transmission losses and detector noise, Alice and Bob will suspect that Eve was eavesdropping on the communication and choose to discard the key and start over to exchange a new key.

Quantum Bit Commitment Protocol

BCJL Protocol - Gilles Brassard, Claude Crépeau, Richard Jozsa and Denis Langlois

[Figure: the Commit(x) and Unveil(x) phases of the protocol]

Alice chooses a random vector r and a random codeword c such that c · r = x. She tells r to Bob in the clear, but she sends him c through the quantum channel. For this, she encodes each bit of c by a photon polarized in a randomly chosen basis (rectilinear or diagonal): bit ci = 0 is thus encoded as ↔ (rectilinear) if bi = 0 or as / (diagonal) if bi = 1, whereas bit ci = 1 is encoded either as ↕ (rectilinear) or as \ (diagonal). Since Bob does not know in which bases the photons are polarized, he measures them in randomly chosen bases.
When he chooses the correct basis (b'i = bi), which happens with probability 0.5, he obtains the correct bit (c'i = ci) except with a small error probability. On the other hand, when he chooses the wrong basis (b'i != bi), his bit is uncorrelated with Alice's bit (c'i = ci with probability 0.5). Therefore Bob's reading c' of Alice's word c is correct on roughly 75% of the bits. The binary linear code C has to be chosen carefully so that it minimizes the chance of Bob obtaining information about x from his knowledge of c' and r. It should also be chosen to minimize the chance of Alice cheating by finding two different codewords c0 and c1 which would both be acceptable to Bob when she unveils the bit commitment.

Analysis was done on various failure modes of the protocol, such as:

- Bob gets too much information about x.
- Bob chooses an unsuitable Boolean matrix.
- Alice can change x without detection by Bob.
- Bob rejects a valid commitment by Alice.

Some of the constraints were chosen specifically to reduce the probability of these failures. With these constraints, and assuming the laws of quantum physics, it was proved that this bit commitment scheme is secure and cannot be cheated by either party except with exceptionally small probability.

Is Quantum Bit Commitment really possible?

After the quantum bit commitment scheme was published, D. Mayers [3] pointed out that it had a flaw that allowed Alice to change her bit commitment after the protocol was over. This is possible if the photons are entangled with some other system such that only the larger joint system has a pure state. Alice keeps this system with her, and by delaying her measurement of it she can choose the committed bit after the commit phase of the protocol without Bob realizing that she has cheated.

Limitations

TRANSMISSION RATE

The rate at which data or key material can be transmitted is low in comparison to classical methods.
The main reasons for the slow transmission rate are:

- Recovery time of the detector: the detector needs time to recover after detecting a photon before it can correctly detect the next one.
- In order to avoid "beam splitting" attacks by an eavesdropper, the mean photon number per pulse must be kept small.
- Losses in transmission reduce the amount of data that is effectively transmitted and hence reduce the transmission rate.
- The error correction and privacy amplification procedures further reduce the amount of data transmitted securely and hence reduce the transmission rate.

LIMIT ON THE DISTANCE

The maximal distance over which secure quantum key exchange can be established decreases with increasing losses and increasing detector noise. Standard amplifiers cannot be used, as they would affect the states of the photons in the same way eavesdropping does. Present-day technology allows secure operation up to about 100 km.

DENIAL OF SERVICE

Quantum key exchange could be made impossible by an eavesdropper who continuously introduces errors into the transmission by measuring the photons being transmitted.

TECHNOLOGY

Quantum transmission requires dedicated fiber, transmitters and detectors, which makes it expensive. This limits its deployment in ordinary scenarios.

Current Research

Quantum cryptography is still in its nascent stages. Research is ongoing in the following areas:

- Study of cryptographic techniques based on entanglement of photons.
- Design of more secure and robust protocols to meet cryptographic needs.
- Technology improvements to make quantum transmission more efficient and less error-prone, thus extending the range over which this technology can be used.
- Cryptanalysts reviewing the security aspects of, and possible attack models on, quantum cryptosystems.
Conclusion

Quantum cryptography could theoretically be used to achieve totally and provably secure communication, where the adversary cannot decipher the communication regardless of the amount of computing power and time at their disposal. However, the technology is still at an experimental stage and is still evolving. As researchers understand and explore it further, they do find flaws in some of the earlier understandings and conclusions. It is hard to see a practical implementation of this technology today, given its limitations. But with future breakthroughs in quantum transmission, quantum computing and quantum cryptography, it may yet provide us with a truly secure means of communication.

References

[1] Bennett, C. H., Bessette, F., Brassard, G., Salvail, L. and Smolin, J., "Experimental quantum cryptography", Journal of Cryptology, vol. 5, no. 1, 1992, pp. 3-28. Preliminary version in Advances in Cryptology - Eurocrypt '90 Proceedings, May 1990, Springer-Verlag, pp. 253-265.

[2] Crépeau, C., "Quantum oblivious transfer", Journal of Modern Optics, vol. 41, no. 12, December 1994, pp. 2445-2454.

[3] Mayers, D., "The trouble with Quantum Bit Commitment", posted on quant-ph, March 1996.

[4] Dusek, M., Lutkenhaus, N. and Hendrych, M., "Quantum Cryptography", to appear in Progress in Optics, vol. 49, ed. E. Wolf (Elsevier), January 31, 2006.

[5] Mayers, D., "On the security of the quantum oblivious transfer and key distribution protocols", Advances in Cryptology: Proceedings of Crypto '95, Springer-Verlag, to appear.