Quantum Cryptography - University of Washington

Quantum Cryptography
By AVINASH G. PILLAI
University of Washington
avinashp at cs.washington.edu
Introduction
For ages, mathematicians have searched for a system that would allow two people to
exchange messages in perfect privacy. Quantum cryptographic systems take advantage
of Heisenberg's uncertainty principle, according to which measuring a quantum system
in general disturbs it and yields only incomplete information about its state before the
measurement. Eavesdropping on a quantum communication channel therefore causes
an unavoidable disturbance that alerts the legitimate users. This yields a cryptographic
system for distributing a secret random key between two parties who initially share no
secret information, secure even against an eavesdropper with unlimited computing
power. Once this key is established, it can be used together with classical techniques
such as the one-time pad (which gives information-theoretic secrecy) or a symmetric-key
cipher to let the parties communicate meaningful information in secrecy.
In this paper we examine some of the early protocols devised for quantum key
exchange and quantum bit commitment. The quantum bit commitment scheme was later
shown to be flawed [3]; the quantum key exchange protocol, by contrast, was proved
secure on the assumption of a secure bit commitment scheme and a sufficiently low
transmission error rate [5].
Why Quantum Cryptography?
The most widely used public-key cryptosystem today is RSA, whose security relies on the
difficulty of factoring large numbers. Although there are other ways to attack RSA, the
most promising one attempts to factor the modulus.
When RSA was invented, it was predicted that factoring 512-bit numbers would take an
astronomically large number of years. With the increase in computing power (including
distributed computing) and improvements in factoring algorithms, it can now be done in
a much shorter time frame: a 512-bit RSA modulus (RSA-155) was factored in 1999.
It is therefore already recommended to move to longer keys, using 2048 bits for
corporate use and 4096 bits for valuable keys. With further improvements in factoring
algorithms and computing power, however, it may become possible to factor numbers of
these sizes as well.
Another threat to public-key cryptography could come from the construction of a
quantum computer. Shor's algorithm factors integers in polynomial time on a quantum
computer, so a sufficiently large quantum computer would make factoring the modulus
feasible regardless of key size, rendering RSA useless.
Hence researchers are exploring quantum cryptography to examine whether it can be
used to distribute keys over a public channel in such a way that any eavesdropping
attempt on the communication is detected.
Quantum Key Distribution
Polarized-photon approach (BB84) - Charles H. Bennett and Gilles Brassard
The principle of quantum cryptography consists in the use of non-orthogonal quantum
states. Its security rests on the Heisenberg uncertainty principle, which does not allow
non-orthogonal states to be discriminated with certainty without disturbing the
measured system. It should be noted that quantum mechanics does not prevent
eavesdropping; it only makes the presence of an eavesdropper detectable. Since only
random key material, never the message itself, is sent over the quantum channel, an
eavesdropping attempt leaks nothing about any message. When discrepancies are
found, the key is simply discarded and the users repeat the procedure to generate a
new key.
At the beginning, the two parties that wish to communicate, traditionally called Alice
and Bob, agree that, e.g., ↔ (horizontal) and / (diagonal) stand for the bit value 0, and
↕ (vertical) and \ (anti-diagonal) stand for the bit value 1. Alice, the sender, generates a
sequence of random bits that she wants to transmit and, randomly and independently
for each bit, chooses her encoding basis, rectilinear or diagonal. Physically this means
that she transmits photons in the four polarization states ↔, /, ↕ and \ with equal
frequency. Bob, the receiver, randomly and independently of Alice chooses his
measurement basis, rectilinear or diagonal, for each photon. Statistically their bases
coincide in 50% of the cases; in those cases Bob's measurement outcome is
deterministic and agrees perfectly with Alice's bit. To learn which outcomes were
deterministic, Alice and Bob need an auxiliary public channel on which they tell each
other which basis they used for each transmitted and detected photon. This classical
channel may be tapped, because it carries only the bases, not the outcomes of the
measurements; it must, however, be authenticated, since an Eve who could alter it could
simply run the protocol separately with each party. Whenever their bases coincide, Alice
and Bob keep the bit. The bit is discarded when they chose different bases, when Bob's
detector failed to register the photon because of imperfect detector efficiency, or when
the photon was lost on the way. A potential eavesdropper, traditionally called Eve, who
listens to this conversation learns only whether both parties used the rectilinear or the
diagonal basis, not whether Alice sent a 0 or a 1.
If Eve wants to eavesdrop on the quantum channel, she cannot do so passively: a single
quantum cannot be split, and its state cannot be copied without introducing detectable
disturbances. What she can do is intercept the photons sent by Alice, measure them
and resend them to Bob. Because Alice chooses her encoding basis at random, Eve does
not know which basis to measure in and must choose her measurement bases at
random as well. Half the time she guesses right and resends a correctly polarized
photon. In the other 50% of cases she measures in the wrong basis, which produces
errors. For example, suppose Alice sends a 1 in the rectilinear basis (↕), Eve measures in
the diagonal basis, and Bob measures in the rectilinear basis (otherwise the bit would be
discarded anyway). No matter whether Eve detects and resends / or \, Bob has a 50%
chance of reading ↔, i.e., a binary 0, instead of ↕. Under continuous intercept-resend
eavesdropping, Bob therefore finds errors in 25% of the bits that he successfully detects
and keeps. If Alice and Bob agree to disclose part of their strings in order to compare
them, they discover these errors: where they used identical bases their bit strings
should agree perfectly, so discrepancies beyond the expected noise level indicate that
Eve tampered with the photons, and the key is thrown away.
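The exchange described above, as an added example that is not code from the paper or from Bennett and Brassard's work: a simulation of BB84 with basis sifting, an optional intercept-resend Eve, and the disclosure of a random sample of sifted bits to estimate the error rate. The only quantum behaviour modelled is the measurement rule (same basis gives the prepared bit, wrong basis gives a random bit); the 10% abort threshold is an assumed tolerance, chosen to sit above a real channel's noise but well below the 25% that intercept-resend produces.

```python
"""BB84 polarized-photon key exchange with basis sifting and an optional
intercept-resend eavesdropper. Added example, not code from the paper.

Only one quantum rule is modelled: a photon prepared in basis b carrying bit v
and measured in basis b' yields v when b' == b and a uniformly random bit when
b' != b. Basis 0 is rectilinear (↔ = 0, ↕ = 1); basis 1 is diagonal (/ = 0, \\ = 1).
"""
import random

SYMBOL = {(0, 0): "↔", (0, 1): "↕", (1, 0): "/", (1, 1): "\\"}


def measure(photon, basis, rng):
    """Measure a (preparation_basis, bit) photon in `basis`."""
    prep_basis, bit = photon
    return bit if prep_basis == basis else rng.getrandbits(1)


def run_bb84(n, eve=False, seed=0):
    """Send n photons and sift. Returns (alice_sifted, bob_sifted)."""
    rng = random.Random(seed)
    alice_bits = [rng.getrandbits(1) for _ in range(n)]
    alice_bases = [rng.getrandbits(1) for _ in range(n)]
    photons = list(zip(alice_bases, alice_bits))
    if eve:
        # Intercept-resend: Eve measures each photon in a random basis and
        # forwards a photon prepared in that basis with the bit she observed.
        resent = []
        for photon in photons:
            eve_basis = rng.getrandbits(1)
            resent.append((eve_basis, measure(photon, eve_basis, rng)))
        photons = resent
    bob_bases = [rng.getrandbits(1) for _ in range(n)]
    bob_bits = [measure(p, basis, rng) for p, basis in zip(photons, bob_bases)]
    # Public channel: only the bases are disclosed; keep positions where they agree.
    kept = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    return [alice_bits[i] for i in kept], [bob_bits[i] for i in kept]


def estimate_qber(alice, bob, sample, rng):
    """Disclose a random sample of sifted bits to estimate the error rate,
    then discard them. Returns (qber, alice_rest, bob_rest)."""
    idx = set(rng.sample(range(len(alice)), sample))
    errors = sum(alice[i] != bob[i] for i in idx)
    alice_rest = [v for i, v in enumerate(alice) if i not in idx]
    bob_rest = [v for i, v in enumerate(bob) if i not in idx]
    return errors / sample, alice_rest, bob_rest


def exchange(n, eve=False, threshold=0.1, seed=0):
    """Sift, sacrifice a quarter of the sifted bits to estimate the error rate,
    and abort when it exceeds `threshold` (an assumed tolerance).
    Returns (accepted, qber, remaining_key_bits)."""
    alice, bob = run_bb84(n, eve, seed)
    rng = random.Random(seed + 1)
    qber, alice, bob = estimate_qber(alice, bob, len(alice) // 4, rng)
    return qber <= threshold, qber, len(alice)


def trace(n=8, seed=0):
    """Per-photon view of an honest run: (sent symbol, Bob's basis, Bob's bit, kept)."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        bit = rng.getrandbits(1)
        basis = rng.getrandbits(1)
        bob_basis = rng.getrandbits(1)
        outcome = measure((basis, bit), bob_basis, rng)
        rows.append((SYMBOL[(basis, bit)], "+x"[bob_basis], outcome, basis == bob_basis))
    return rows


if __name__ == "__main__":
    for sent, bob_basis, outcome, kept in trace():
        print(f"Alice sends {sent}   Bob measures in {bob_basis}   reads {outcome}   "
              f"{'kept' if kept else 'discarded'}")
    for eve in (False, True):
        accepted, qber, bits = exchange(20000, eve=eve)
        print(f"eve={eve}: error rate {qber:.3f}, accepted={accepted}, key bits {bits}")
```

Without Eve the sifted strings agree exactly, so the estimated error rate is 0; with Eve intercepting every photon it settles near 25%, and the run is rejected. The sample bits used for the estimate are thrown away, since they were disclosed in the clear.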
The basic quantum key distribution protocol is inadequate in practice for two
reasons:
1. Realistic detectors have some noise; therefore Alice's and Bob's data will differ even
in the absence of eavesdropping. Accordingly, they must be able to recover from a
reasonably small error frequency.
2. It is technically difficult to produce a light pulse containing exactly one photon. With
some probability, which grows with the mean photon number per pulse, a pulse contains
two or more photons, and an eavesdropper can then split it, keeping one photon and
letting the other(s) travel on to Bob. This lets the eavesdropper learn a constant fraction
of the bits shared between Alice and Bob without inducing errors. This kind of
eavesdropping is called "beam splitting".
Alice and Bob must reconcile the data transferred during the quantum transmission to
remove the errors. They first agree on a random permutation of the bit positions in their
strings, which randomizes the locations of the errors, and then partition the permuted
strings into blocks of size k. For each block, Alice and Bob compare the block's parity
over the public channel. Blocks with matching parity are tentatively accepted as correct,
while the rest are subjected to a binary search, disclosing log2(k) further parities of
sub-blocks, until the error is found and corrected. Even with an appropriate block size,
some errors will typically remain undetected, having occurred in blocks or sub-blocks
with an even number of errors. To remove them, the random permutation and block
parity disclosure are repeated several more times with increasing block sizes, until Alice
and Bob estimate that at most a few errors remain in the whole string. Since every parity
sent over the public channel gives Eve one bit of information, Alice and Bob drop the last
bit of each block or sub-block whose parity they revealed.
After this, Alice and Bob can randomly compare a small subset of bit positions
(discarding those too) until they are confident that all errors have been removed and
that they share a key about which Eve has learned nothing from the reconciliation.
If the number of errors found during reconciliation is larger than expected from
transmission noise and losses, Alice and Bob suspect that Eve was eavesdropping,
discard the key and start over to exchange a new one.
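The reconciliation procedure above, as an added example (not code from the paper): each pass permutes both strings with the same permutation, compares block parities, binary-searches every block whose parity differs, and discards the last bit of every range whose parity was disclosed. The shared seeded random generator stands in for the public agreement on a permutation, the block sizes and error rate are assumed for illustration, and Alice's string is taken as the reference that Bob corrects towards.

```python
"""Reconciliation of a sifted key by permuted block-parity comparison.
Added example, not the paper's code. Alice's string is the reference; Bob's
copy carries the transmission errors and is corrected.

The shared random.Random stands in for the public agreement on a permutation
(assumption). Every parity exchanged in the clear costs one bit of secrecy, so
the last bit of each range whose parity was disclosed is removed on both sides.
"""
import random


def parity(bits):
    return sum(bits) & 1


def reconcile_pass(alice, bob, block_size, rng):
    """One pass: permute, compare block parities, binary-search mismatches.
    Returns (alice', bob', corrections, parities_disclosed)."""
    n = len(alice)
    perm = list(range(n))
    rng.shuffle(perm)                      # same permutation on both sides
    a = [alice[i] for i in perm]
    b = [bob[i] for i in perm]
    keep = [True] * n
    corrections = 0
    disclosed = 0

    def parities_match(lo, hi):
        # Publicly compare the parity of positions lo..hi-1 and discard the
        # last bit of the range, which is what the disclosed parity leaks.
        nonlocal disclosed
        disclosed += 1
        keep[hi - 1] = False
        return parity(a[lo:hi]) == parity(b[lo:hi])

    for start in range(0, n, block_size):
        lo, hi = start, min(start + block_size, n)
        if parities_match(lo, hi):
            continue                       # even number of errors: accept for now
        # Odd number of errors in the block: halve until one position is left.
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if parities_match(lo, mid):
                lo = mid                   # left half agrees, error is on the right
            else:
                hi = mid                   # right half's parity is implied, not sent
        b[lo] ^= 1                         # Bob flips the located bit
        corrections += 1

    a_out = [bit for bit, k in zip(a, keep) if k]
    b_out = [bit for bit, k in zip(b, keep) if k]
    return a_out, b_out, corrections, disclosed


def reconcile(alice, bob, block_sizes, seed=0):
    """Run one pass per block size (increasing). Returns the reconciled strings
    and a per-pass history of (block_size, corrections, parities_disclosed, length)."""
    rng = random.Random(seed)
    history = []
    for k in block_sizes:
        alice, bob, corrections, disclosed = reconcile_pass(alice, bob, k, rng)
        history.append((k, corrections, disclosed, len(alice)))
    return alice, bob, history


def disagreements(alice, bob):
    return sum(x != y for x, y in zip(alice, bob))


def confirm_by_sampling(alice, bob, sample, seed=0):
    """Final check: compare a random subset in the clear, then discard it.
    Returns (all_agreed, alice_rest, bob_rest)."""
    rng = random.Random(seed)
    idx = set(rng.sample(range(len(alice)), sample))
    agreed = all(alice[i] == bob[i] for i in idx)
    alice_rest = [v for i, v in enumerate(alice) if i not in idx]
    bob_rest = [v for i, v in enumerate(bob) if i not in idx]
    return agreed, alice_rest, bob_rest


def make_keys(n, error_rate, seed=1):
    """Constructed sample input: a random sifted key and Bob's noisy copy."""
    rng = random.Random(seed)
    alice = [rng.getrandbits(1) for _ in range(n)]
    bob = [bit ^ (rng.random() < error_rate) for bit in alice]
    return alice, bob


if __name__ == "__main__":
    alice, bob = make_keys(2000, 0.03)
    print("errors before:", disagreements(alice, bob))
    alice, bob, history = reconcile(alice, bob, [8, 16, 32, 64, 128])
    for k, corr, disc, length in history:
        print(f"block {k:3d}: corrected {corr:2d}, parities disclosed {disc:3d}, {length} bits left")
    print("errors after:", disagreements(alice, bob))
    agreed, alice, bob = confirm_by_sampling(alice, bob, 50)
    print("sample check passed:", agreed, "final key bits:", len(alice))
```

The history shows the trade-off the text describes: the first, small-block pass corrects most errors but discloses many parities and so discards many bits; later passes with larger blocks catch the errors that survived in even-count blocks at lower cost. Errors that sit in a block with an even number of errors survive a pass, which is why the block sizes grow and why a final sampled comparison is still needed.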
Quantum Bit Commitment Protocol
BCJL Protocol - Gilles Brassard, Claude Crépeau, Richard Jozsa and Denis Langlois
The protocol has a commit phase, Commit(x), and an unveil phase, Unveil(x).
In the commit phase, Alice chooses a random vector r and a random codeword c of a
binary linear code C such that the inner product c·r = x. She tells Bob r in the clear, but
sends him c over the quantum channel. For this she encodes each bit c_i of c in a
photon polarized in a randomly chosen basis b_i (rectilinear or diagonal): c_i = 0 is
encoded as ↔ if b_i = 0 (rectilinear) or as / if b_i = 1 (diagonal), whereas c_i = 1 is
encoded as ↕ (rectilinear) or \ (diagonal). Since Bob does not know in which bases the
photons are polarized, he measures them in randomly chosen bases b'_i. When he
chooses the correct basis (b'_i = b_i), which happens with probability 1/2, he obtains
the correct bit (c'_i = c_i) except with a small error probability. When he chooses the
wrong basis (b'_i != b_i), his bit is uncorrelated with Alice's (c'_i = c_i with probability
1/2). Bob's reading c' of Alice's codeword c is therefore correct on roughly 75% of the
bits.
The binary linear code C has to be chosen carefully so that it minimizes Bob's chance
of learning anything about x from c' and r. It must also be chosen to minimize Alice's
chance of cheating by finding two different codewords c0 and c1, with c0·r = 0 and
c1·r = 1, both of which Bob would accept when she unveils the commitment.
The following failure modes of the protocol were analysed:
- Bob gets too much information about x;
- Bob chooses an unsuitable Boolean matrix;
- Alice changes x without detection by Bob;
- Bob rejects a valid commitment by Alice.
The protocol's constraints were chosen specifically to make each of these failures
improbable. With these constraints, and assuming only the laws of quantum physics, it
was argued that the scheme is secure and cannot be cheated by either party except
with exceptionally small probability.
Is Quantum Bit Commitment really possible?
After the quantum bit commitment scheme was published, D. Mayers [3] pointed out a
flaw that allows Alice to change her committed bit after the commit phase is over.
The attack works when the photons Alice sends are entangled with another system that
she keeps, so that only the larger joint system is in a pure state; Bob's part of the state
is then the same whichever bit Alice commits to. By delaying the measurement of her
own system, Alice can choose the committed bit only at unveil time, after the commit
phase, without Bob being able to detect that she cheated. Mayers, and independently
Lo and Chau, later extended this argument to show that no quantum bit commitment
protocol can be unconditionally secure.
Limitations
TRANSMISSION RATE
The rate at which key material can be transmitted is low compared with classical
methods. The main reasons are:
- Recovery time of the detector: after registering a photon, the detector needs time to
recover before it can correctly register the next one.
- To limit "beam splitting" attacks, the mean photon number per pulse must be kept
small, so most pulses carry no photon at all.
- Transmission losses reduce the number of photons that reach Bob and hence the rate.
- Error correction and privacy amplification discard further bits, reducing the amount of
key that can be distilled securely.
LIMIT ON THE DISTANCE
The maximal distance over which a secure quantum key exchange can be established
decreases with increasing loss and detector noise. Standard optical amplification cannot
be used, since an amplifier would disturb the photon states in the same way as an
eavesdropper. Present-day technology allows secure operation up to about 100 km.
DENIAL OF SERVICE
Key exchange can be made impossible by an eavesdropper who continuously introduces
errors by measuring the photons in transit; quantum cryptography detects such
interference but cannot prevent it.
TECHNOLOGY
Quantum transmission requires dedicated fibre, transmitters and detectors, which
makes it expensive and limits its deployment in ordinary scenarios.
Current Research
Quantum cryptography is still in its nascent stages. Research is ongoing in the following
areas:
- Cryptographic techniques based on entanglement of photons.
- Design of more secure and robust protocols to meet cryptographic needs.
- Technology improvements to make quantum transmission more efficient and less
error-prone, thereby extending the range over which it can be used.
- Cryptanalysis of the security aspects of, and possible attack models on, quantum
cryptosystems.
Conclusion
Quantum cryptography could in principle be used to achieve provably secure
communication in which the adversary cannot decipher the traffic regardless of the
computing power and time at their disposal. However, the technology is still
experimental and evolving. As researchers understand and explore it further, they do
find flaws in some of the earlier understandings and conclusions, as the bit commitment
example shows. Given its current limitations, practical deployment of this technology is
hard to see today. But with future breakthroughs in quantum transmission, quantum
computing and quantum cryptography, it may yet provide a truly secure means of
communication.
References
[1] Bennett, C. H., Bessette, F., Brassard, G., Salvail, L. and Smolin, J., "Experimental
quantum cryptography", Journal of Cryptology, vol. 5, no. 1, 1992, pp. 3-28. Preliminary
version in Advances in Cryptology - Eurocrypt '90 Proceedings, May 1990, Springer-Verlag,
pp. 253-265.
[2] Crépeau, C., "Quantum oblivious transfer", Journal of Modern Optics, vol. 41, no. 12,
December 1994, pp. 2445-2454.
[3] Mayers, D., "The trouble with Quantum Bit Commitment", posted on quant-ph, March
1996.
[4] Dusek, M., Lutkenhaus, N. and Hendrych, M., "Quantum Cryptography", to appear in
Progress in Optics, vol. 49, ed. E. Wolf (Elsevier), Jan 31, 2006.
[5] Mayers, D., "On the security of the quantum oblivious transfer and key distribution
protocols", Advances in Cryptology: Proceedings of Crypto '95, Springer-Verlag, to appear.