Introduction Invented by Charles Bennet and Giles Brassard in 1984
advertisement
Introduction Invented by Charles Bennet and Giles Brassard in 1984, Quantum Key Distribution (QKD) begins with a radically different premise: we should base security on known physical laws rather than on mathematical complexities. Physical devices with specialized cryptographic protocols can conjure up ever-flowing streams of random bits whose values will remain unknown to third parties. When we use these bits as key material for Vernam ciphers, we can achieve Shannon’s ideal of perfect secrecy—cheaply and easily. In contrast with the unproven foundations of public-key techniques, QKD provides information-theoretic secrecy firmly based on the laws of physics [1]. How does it work QKD lets two parties—for example, Alice and Bob—agree on secret keys. More formally, it’s a technique for agreeing on a shared random bit sequence within two distinct devices, with a very low probability that other eavesdroppers will be able to make successful inferences as to those bits’ values. We use the random bit sequences as secret keys for encoding and decoding messages between the two devices. Thus, QKD is not, in itself, a full cryptosystem. Rather, we should compare it to other key-distribution techniques, such as trusted couriers, the DiffieHellman key exchange, and so on. QKD can be an intensely confusing field: there are many approaches, the schemes are complex, and it helps to have a working knowledge of quantum optics, which is fundamental to the technology. However, the basic idea is simple, as Figure 1 illustrates. Figure 1.The basic idea of quantum cryptography. Alice sends a series of single photons to Bob, each modulated with a random basis (here, a two-sided card) and a random value. Alice chooses a card side at random, writes a random 0 or 1 on that side, and sends the card to Bob. Bob also chooses a side at random and reads that side’s value. When Alice and Bob choose the same side, Bob reads exactly what Alice wrote. Otherwise, he reads a 0 or 1 completely at random. After Bob reads all the photons he performs a sifting transaction with Alice to discard all cases where he read the wrong side (basis). He sends the random basis settings list that he used to Alice, and she tells which ones were correct. Then Alice and Bob discard all values where they disagreed on the basis and keep the remaining values for raw key material. Now, what about an eavesdropper, who we shall call Eve? At first, Eve is in a situation similar to Bob’s. She must guess which side of the card to read; half the time she will be able to read what Alice sent, and the other half she’ll get a random value But she can’t surreptitiously siphon off a little bit of a single photon because when she reads it, she demolishes it. But if Bob doesn’t get that photon, it’s no loss; the sifting process will discard that photon and Alice and Bob won’t use that bit in their key material. A clever Eve might try to regenerate a demolished photon and send a copy to Bob but she can’t. Quantum physics’ no-cloning theorem says that she can’t copy values from both sides of the card—only from the side she read. The other side will have a random value. If that’s a side that Alice and Bob agree on during sifting, any Eve-generated random values will appear as small noise bursts in the communicated values. Hence, eavesdropping always produces QKD noise, and a cautious Alice and Bob interpret all noise as evidence of active eavesdropping. In a perfect world, that would end the story. However, in real systems, some channel noise is always present, and a cryptographic system must operate with some noise levels even if they imply eavesdropping activities. To address this, we employ relatively elaborate error detection and -correction protocols to find and correct bit errors and privacy amplify the result so that Eve has a vanishingly small knowledge of the resultant bit values Alice and Bob use. Operating on bits in computer memory, privacy amplification is a classical algorithm that smears out the value of each initial shared bit across the shorter resulting set of bits; that is, it distributes its value via a universal hash across the resulting bits [1]. Quantum Key Distribution (QKD) Quantum Cryptosystem can be explained with a simple example. System is consists of a transmitter and a receiver. Alice can utilize the transmitter to send photons having one of four different polarizations at the angles of 0°, 45°, 90°, 135°. Bob utilizes the receiver to measure the polarizations at the other side. According to laws of Quantum Mechanics, the receiver can discriminate between rectilinear polarizations (horizontal-0° and vertical-90°) or circular (diagonal) polarizations (right circular-45° and left circular-135°), but can not discriminate between rectilinear and circular (diagonal) polarizations [2]. Each bit is encoded with the polarization of a photon. Polarization of a photon is the oscillation direction of its electric field, which is vertical (90°), horizontal (0°), or diagonal (+45° or -45°). Figure 2. Quantum cryptography with polarized photons. (a) Firstly, Alice and Bob agrees on an encoding scheme:”0” bit is encoded with 90° or 45° polarizations and “1” bit is encoded with 0° or -45° polarizations. (b) A rectilinear filter is used to discriminate between horizontal and vertical photons and a diagonal filter is used to discriminate between right-diagonal and left-diagonal photons. (c) A photon polarized 0° and 90° will come out polarized 0° and 90° when filtered out with a rectilinear filter and a photon polarized 45° and -45° will come out polarized 45° and -45° when filtered out with a diagonal filter. No change in polarizations. (d) A photon polarized 0° and 90° will come out randomly polarized when filtered out with a diagonal filter and a photon polarized 45° and -45° will come out randomly polarized when filtered out with a rectilinear filter. Random change in polarizations. (e) Quantum communication system used for Quantum cryptography. Figure 3. Quantum Key Distribution (QKD) (a) Alice prepares photons randomly with either rectilinear (horizontal or vertical) or circular (right-diagonal or left-diagonal) polarizations, records the polarization of each photon and then sends it to Bob [3]. (b) Bob receives each photon and randomly measures its polarization according to the rectilinear or circular basis. He records the measurement type (basis used) and the resulting polarization measured. (It is important to remember that the polarization sent by Alice may not be the same polarization Bob finds if he does not use the same basis as Alice). (c) Bob publicly tells Alice what the measurement types were, but not the results of his measurements. Alice publicly tells Bob which measurements were of the correct type. A correct measurement is the correct type of Bob used the same basis for measurement as Alice did for preparation. (d) Alice and Bob each throw out the data from measurements that were not of the correct type, and convert the remaining data to a string of bits. This string of bits forms the secret key. Using a demonstration program, the following example data was generated assuming that Alice sends 12 photons and the detector never fails [3]. The string of bits now owned by Alice and Bob is: 1 0 0 1 0 1 0 1. This string of bits forms the secret key. In practice, the number of photons sent and the resulting length of the string of bits would be much greater. Security Issues of Quantum Cryptography A message encrypted using quantum cryptography is secured by the laws of quantum physics, so if it was provably insecure the most successful theory in the history of physics would be disproved and our current understanding of the universe shattered. However, there are issues of data security relevant to a cipher beyond its confidentiality [4]. Authentication Problem It is acknowledged in the 1991 paper “Experimental Quantum Cryptography” contributed to by Bennett and Brassard, that there are issues of authentication not fully resolved by the current system [5]. It is stated that “the assumption that the public messages cannot be corrupted by [an eavesdropper] is necessary” to avoid what is known as the man-in-themiddle attack. As both Alice and Bob have no way within the proposed system of proving their identity to each other, it is possible for an attacker to sit between them and impersonate Bob to Alice, and Alice to Bob thus negotiating a secret key with each of them. The suggested solutions are an “unjammable public channel” or a standard authentication scheme which would require that both Alice and Bob shared some secret information beforehand. The latter approach would seem to negate the main advantage of Bennett and Brassard’s key exchange protocol, which is the ability for two entities to negotiate shared secret knowledge in a public channel without the need for any prior secrets. This, as it currently stands, suffers from the same drawback as the one-time pad which provides absolute secrecy but with the additional headache of securely distributing the keys. It would be possible to extend Bennett and Brassard’s protocol to include an adaptation of the current certification authority authentication mechanism for conventional public keys. The current system uses trusted agencies to digitally sign public keys and so verify the identity of their owner. This however, whilst removing the need for shared secret knowledge, relies on computationally infeasible, but breakable, mathematical equations and, as such, would not offer an absolutely secure means of identification. Figure 4. Man-in-the-middle attack using both classical and quantum channels DoS vulnerability Another element of a quantum cipher’s security is that of availability, which has not previously been an issue with conventional encryption. The root of the problem is an eavesdropper’s ability to alter photons in transit and so prevent two entities from achieving an error free channel. This could be seen as a denial of service (DoS) vulnerability, and a malicious user is not limited to this line of attack. Even if Alice and Bob are sharing secret authentication keys, an attacker could repeatedly corrupt the public authentication exchange leading to both parties exhausting their supplies of keys before a secure connection is established. However the majority of DoS attacks, whilst annoying, are not considered security critical, and there is certainly no way for an attacker to trick Alice and Bob into believing that a secure connection exists. Physical Attacks There are physical attacks which may be mounted on the transmission medium itself. Assuming that an eavesdropper has access to unlimited technology, two major techniques which have been identified are intercept/resend and beam-splitting. Intercept/resend takes advantage of the fact that current photon detecting equipment is far from perfect; only around 1 in 400 pulses (one tenth of a photon) are successfully transmitted and received. As Alice and Bob know to expect this level of photon loss, an attacker can intercept selected pulses of light before they reach Bob, measure them, and then resend them on with the detected polarity. However, due to the difficulties in quantum measurement of photons, the probability of the resent and measured photons still having the correct polarization when measured by Bob is only 0.25 or one in four. The discrepancies will therefore be apparent to both Alice and Bob. Additionally Bennett’s calculations as to any advantage gained by the eavesdropper puts the probability that they have correctly guessed a particular bit as 1/√2 or approximately 0.7 (1 DP). For a cipher to be absolutely secure, it is unacceptable that even partial disclosure of the key occurs, so therefore whilst the optical technology is imperfect, any errors in transmission must be treated as an eavesdropping attempt and the entire exchange repeated. Beam-splitting utilizes the fact that the pulses of light which Alice and Bob use to communicate, in practice, are not single photon-states. The attacker uses a mirror to deflect part of the original light beam allowing it to continue, albeit with reduced intensity, towards Bob. The deflected pulses will be stored until Alice and Bob publicly announce the bases used to encode each bit, at which point the stored beam can be correctly measured. At the current time the technology does not exist, and it is not known if it is possible, to store polarised light pulses. However a present-day attacker is still able to make guesses as to the correct measurements of their diverted beam, as in the intercept/resend attack, with the added bonus of avoiding error creation in the data stream. The drop in beam intensity is likely to alert Alice and Bob to an intruder, and a sufficient delay before the bases are publicly discussed will also allow time for any stored photons to decay. After a quantum key exchange has completed, according to Bennett and Brassard “Alice and Bob are now in the possession of a string that is almost certainly shared, but only partly secret”. This is due to their assumption that the exchange will be eavesdropped, and that it will be done to the best of an attacker’s ability. Instead of repetition of the whole process, Alice and Bob can make an estimation as to the amount of their secret key which can have been divulged (or lucky guessed), and then perform a process known as “privacy amplification”. This involves publicly selecting a hashing function from a shared secret set, and then applying it to their shared secret key. The result will be a different secret key which they both share, and of which an attacker knows nothing. Conclusion The protocol developed by Bennett & Brassard et al is the first quantum cryptographic protocol ever produced. Quantum cryptography itself is still very much in its infancy, and has not yet made it out of the laboratory and become widely and publicly used. It is not surprising therefore, that while the physics behind the idea are unshakable, there are issues which may impede its rapid take-up and acceptance. The very feature of quantum physics which gives quantum cryptography its security as a confidential cipher also reduces its security as a reliable cryptosystem. The act of observation of a quantum key exchange will irreversibly alter it, destroy data and possibly necessitate the repetition of the exchange. In practice in a public channel, this could easily be classified a denial of service attack, and at the very least will waste time and cause frustration. As the protocol stands, the issue of authentication is not fully resolved. A small amount of shared data is required between communicants before the exchange even begins, if this is necessary before a secure channel is established then it is an echo of the key-distribution problems faced by Diffie and Hellman, and GCHQ in the Sixties. The protocol however does allow for a key to be exchanged between two parties who may never have met, although there is no way for them to be assured that they are actually negotiating with each other. The telephone networks in the countries which would lead the implementation of quantum cryptosystems are heavily reliant on optical fibers. These use pulses of light to transfer telephone conversations in digital form. The existing infrastructure of optical fibers would be an ideal medium for the transfer of quantum encrypted data. An added advantage is the perceived security of the telephone system in comparison to a local network or the Internet on which anyone with a grounding in security can sniff traffic. The practice of placing telephone taps has so far largely been restricted to law enforcement and requires more engineering and electrical knowledge than most malicious attackers will possess. There is physical security at local exchanges giving another barrier to eavesdropping. Essentially this adds up to an existing, secure infrastructure for the rollout of quantum cryptography. The communications security offered by quantum encryption cannot be disputed. If two people have established a secret key and are passing polarized photons between two points, the laws of quantum physics dictate that it is impossible for the information exchanged to be compromised. The ability of private citizens to achieve this, which has never before been possible, is likely to be of particular interest to national government and law enforcement agencies. Since computer encryption has been available to the public it has been legislated and the export of algorithms from country to country tightly controlled. Quantum cryptography requires a relatively complex array of hardware to operate, or at least out of the reach of the average home user. The most likely implementation of quantum cryptography which resolves the hardware issue will be on a local exchange level, similar to the current telephone network. If the quantum encryption itself is performed at a local exchange, this gives security agencies the opportunity to place taps to record information before it is unbreakably encrypted. Quantum cryptography, as it stands at the moment, is purely a transmission cryptosystem. There is no provision for storage of encrypted data which can, and does, impede criminal investigations. Only time will tell how cryptography will evolve in the future, the catalyst for development will be practical quantum computers which currently still lie in the realm of science fiction. References: [1] Elliott Chip, “Quantum Cryptography”, IEEE Security and Privacy, July, pp.57-61, July/August 2004. [2] Toyran Mustafa, “Quantum Cryptography”, TÜBİTAK, UEKAE, 2010. [3] Hunter Karen and Duncan Todd, “Quantum Cryptography”, SCI 510: Quantum, December 9, 2002. [4] Grindlay Bill, “Quantum Cryptography”, White paper, Next Generation Security Software, January, 14, 2003. [5] Bennett, C. H., Bessette, F., Brassard, G., Salvail, L., and Smolin J., “Experimental Quantum Cryptography” Journal of Cryptology, vol. 5, no. 1, 1992, pp. 3 – 28.
