Copenhagen QMATH Masterclass June 18, 2019
Robert König
A tutorial on quantum key distribution
Overview
• Information-theoretic cryptography
• Quantum key distribution
Cryptography: A few goals
Key desiderata:
• Authenticity
• Privacy
Alice or Eve?
Problem I: Private communication
Goal: Alice wants to communicate a private message m to Bob.
Setup: Alice, Bob and Eve are in a public space
Assumption: Alice and Bob share a secret K unknown to Eve.
K=
m = “I think Eve is malicious – we should be careful”.
Some information measures for classical information theory
Shannon entropy
conditional entropy
mutual information
Properties:
conditional mutual information
Src: Stefan Wolf, Information-Theoretically and Computationally Secure Key Agreement in Cryptography, PhD thesis 1999
Ciphers for symmetric encryption: Definition
Protocol:
Security definition of perfect ciphers
Protocol:
Symmetric encryption: The one-time pad (achievability)
Protocol:
Claim 1: This protocol is correct, that is
Claim 2: This protocol is perfectly secret.
Note: the key and the message have the same length!
Symmetric encryption: lower bound on required key length
C. Shannon: Communication theory of secrecy systems, Bell System Technical Journal, vol. 28, pp. 656-715, 1949.
(Diagram, only partially recoverable: b ≥ a)
One-time pad as resource conversion
authentic (but public) classical channel + shared secret key K ≥ authentic and private classical channel
Protocol: one-time pad
Authenticity
Alice or Eve?
Goal: Bob wants to be sure that the received message originated from Alice (and not Eve).
Setup: Alice, Bob and Eve are in a dark room. It’s impossible to see who’s speaking, and Alice and Eve have identical voices*.
Assumption: Alice and Bob share a secret K unknown to Eve.
* This is an idealization.
Message authentication codes
Assumption: Alice and Bob have a shared “secret” key K
Protocol:
Goal: We want to make sure that Eve can’t change the message sent by Alice (and still have Bob accept)
Note: this is a simplified definition. Want security even if several pairs (m,t) are observed.
Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22, 265–279 (1981)
2-universal hash functions
Construction of a (one-time) MAC
Transforming resources in cryptography
non-authentic classical channel + shared secret key K ≥ authentic (but public) classical channel
Protocol: message authentication
authentic (but public) classical channel + shared secret key K ≥ authentic and private classical channel
Protocol: one-time pad
The power of shared keys
non-authentic, public classical channel + shared secret key K ≥ authentic and private classical channel
Protocol: message authentication + one-time pad
Shared keys permit communicating privately over non-authentic, public classical channels.
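As an added worked example (not code from the original slides), the two resource conversions above combined in Python: a one-time pad provides privacy, and a Wegman-Carter one-time MAC built from the 2-universal family h_{a,b}(x) = (a·x + b) mod p provides authenticity, so a message crosses a non-authentic public channel privately and any modification is rejected. The prime p, the 15-byte message limit (so that a message maps injectively to one field element) and the sample message are assumptions of this example; is_two_universal checks the 2-universal property exhaustively for a small prime.

```python
import secrets
from itertools import product

# Mersenne prime 2^127 - 1 (assumption for this example). Messages of at most
# MAX_LEN bytes are smaller than P, so the byte-string -> integer map is injective.
P = (1 << 127) - 1
MAX_LEN = 15


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    """One-time pad: the key must be uniformly random, as long as the message, and used once."""
    if len(key) != len(message):
        raise ValueError("one-time pad needs a key exactly as long as the message")
    return bytes(m ^ k for m, k in zip(message, key))


otp_decrypt = otp_encrypt  # XOR with the same key undoes the encryption


def universal_hash(a: int, b: int, x: int, p: int = P) -> int:
    """h_{a,b}(x) = (a*x + b) mod p; the family over all (a, b) is 2-universal."""
    return (a * x + b) % p


def mac_keygen():
    """A fresh one-time MAC key (a, b): two uniform field elements."""
    return (secrets.randbelow(P), secrets.randbelow(P))


def mac_tag(key, data: bytes) -> int:
    if len(data) > MAX_LEN:
        raise ValueError("this toy MAC only handles data that fits in one field element")
    a, b = key
    return universal_hash(a, b, int.from_bytes(data, "big"))


def is_two_universal(p: int) -> bool:
    """Exhaustively verify for a small prime p that, for every x != y, exactly a
    1/p fraction of the keys (a, b) make h_{a,b}(x) == h_{a,b}(y)."""
    keys = list(product(range(p), repeat=2))
    for x in range(p):
        for y in range(x + 1, p):
            collisions = sum(
                1 for a, b in keys if universal_hash(a, b, x, p) == universal_hash(a, b, y, p)
            )
            if collisions * p != len(keys):
                return False
    return True


def alice_send(message: bytes, k_enc: bytes, k_mac):
    """Encrypt with the one-time pad, then authenticate the ciphertext."""
    c = otp_encrypt(message, k_enc)
    return c, mac_tag(k_mac, c)


def bob_receive(c: bytes, tag: int, k_enc: bytes, k_mac):
    """Return the plaintext, or None if the tag does not verify."""
    if mac_tag(k_mac, c) != tag:
        return None
    return otp_decrypt(c, k_enc)


def demo():
    """Honest delivery succeeds; a ciphertext altered in transit is rejected."""
    message = b"meet at the lab"  # constructed sample message, 15 bytes
    k_enc = secrets.token_bytes(len(message))
    k_mac = mac_keygen()
    c, t = alice_send(message, k_enc, k_mac)
    honest_ok = bob_receive(c, t, k_enc, k_mac) == message
    altered = bytes([c[0] ^ 0x01]) + c[1:]  # one bit of the ciphertext changed
    altered_rejected = bob_receive(altered, t, k_enc, k_mac) is None
    return honest_ok, altered_rejected


if __name__ == "__main__":
    print("2-universal for p=7:", is_two_universal(7))
    print("honest accepted, altered rejected:", demo())
```

Both keys are as long as (or longer than) the data they protect and are never reused, which is exactly the key-length cost that the lower-bound slide above charges for information-theoretic security.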
Quantum key distribution: what it achieves (roughly)
authentic (public) classical channel + insecure quantum channel ≥ private classical channel
Protocol: quantum key distribution protocol
or: Quantum key distribution = key expansion
non-authentic (public) classical channel + insecure quantum channel + shared secret key K ≥ longer shared secret key K’
Protocol: quantum key distribution protocol
Some primitives of (classical) information-theoretic cryptography
Information-theoretic cryptography and information theory
Noisy communication channels (from Alice to Bob and to Eve, respectively)
Intuition: Alice and Bob can generate more key (per channel use), the more noisy Eve’s channel is compared to Bob’s.
For binary symmetric channels:
The number of secret bits that Alice and Bob can generate per channel use is
I. Csiszár and J. Körner, Broadcast channels with confidential messages, IEEE Transactions on Information Theory, Vol. 24, No. 3, pp. 339–348, 1978.
correctness
secrecy
Theorem:
I. Csiszár and J. Körner, Broadcast channels with confidential messages, 1978
Intuition: any advantage can be distilled.
Definition of secure keys
information-theoretic definition
Tentative definition…
There is a better one.
Variational distance and hypothesis testing
Definition of secure keys
information-theoretic definition
Remark: This definition is “universally composable”
Ran Canetti, Universally Composable Security: A New Paradigm for Cryptographic Protocols, ia.cr/2000/067
On average over Eve’s information, (the conditional distribution of) the key is close to
• independent of the message and
• uniform
Information measures in the single-shot scenario
interpretation: uncertainty about X
interpretation: uncertainty about X given Y
guessing probabilities
equality if X fully determined by Y
equality if X deterministic
equality if X, Y are independent
Partially private randomness
guessing probabilities
equality if X fully determined by Y
equality if X, Y are independent
(Diagram: n bits, side information E, n-k bits)
Two notions of “secret” strings
secure key
partially private randomness
Can we convert partially private randomness into secure key?
Privacy amplification
authentic (but public) classical channel + shared partially private randomness X wrt E ≥ shared secure key K
protocol: privacy amplification
partially private randomness → secure key
Privacy amplification by public discussion: definition
Charles Bennett, Gilles Brassard and Jean-Marc Robert: Privacy amplification by public discussion (1988)
Eve holds E. Alice and Bob are connected by a public broadcast channel (authentic).
Protocol:
Correctness is obvious: Alice and Bob end up with the same key.
Security?: Need to argue that K is an approximately secure key wrt. (E,Y)
Privacy amplification and extractors
Assumption: partially private shared randomness
Proof by conditioning. Does not work for quantum side information.
Privacy amplification from strong extractors
This argument does not work if E is quantum.
Leftover hash lemma
Privacy amplification/strong extractors: a combinatorial problem
good vertex expansion
There is (currently) no comparable combinatorial property characterizing extractors for quantum side information.
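An added worked example (not from the slides) for the single-shot measures introduced earlier and for the leftover hash lemma just stated: it computes H_min(X|E) from Eve's guessing probability for a constructed toy source, applies the 2-universal family of random GF(2) matrices as the privacy-amplification hash, and compares the exact statistical distance of the output from uniform (averaged over the public seed) with the leftover hash lemma bound ½·√(2^(ℓ − H_min)). The source model (X uniform on n bits, Eve's classical side information E being the top `leak` bits of X) and the small parameters are assumptions chosen so that the enumeration is exact; the case where the seed matrix loses rank, and the hash output is visibly non-uniform, is what the average over seeds accounts for.

```python
from itertools import product
from math import log2, sqrt


def parity(v: int) -> int:
    return bin(v).count("1") & 1


def toy_source(n: int, leak: int):
    """Constructed source: X uniform on n bits; Eve's classical side information E
    is the top `leak` bits of X. Returns {(x, e): P(x, e)}."""
    return {(x, x >> (n - leak)): 1.0 / 2 ** n for x in range(2 ** n)}


def guessing_probability(joint) -> float:
    """P_guess(X|E) = sum_e max_x P(x, e): for each e Eve guesses the most likely x."""
    best = {}
    for (x, e), p in joint.items():
        best[e] = max(best.get(e, 0.0), p)
    return sum(best.values())


def min_entropy(joint) -> float:
    """H_min(X|E) = -log2 P_guess(X|E)."""
    return -log2(guessing_probability(joint))


def gf2_hash(rows, x: int) -> int:
    """h_A(x) = A x over GF(2); output bit i is the parity of <row_i, x>.
    The family of all ell x n binary matrices A is 2-universal."""
    z = 0
    for row in rows:
        z = (z << 1) | parity(row & x)
    return z


def avg_distance_from_uniform(n: int, leak: int, ell: int) -> float:
    """Exact statistical distance between (h_A(X), E) and (uniform ell-bit string, E),
    averaged over a uniformly random seed A (all 2^(ell*n) matrices are enumerated)."""
    joint = toy_source(n, leak)
    p_e = {}
    for (x, e), p in joint.items():
        p_e[e] = p_e.get(e, 0.0) + p
    seeds = list(product(range(2 ** n), repeat=ell))
    uniform = 1.0 / 2 ** ell
    total = 0.0
    for rows in seeds:
        cond = {}  # P(z | e) under this seed
        for (x, e), p in joint.items():
            key = (e, gf2_hash(rows, x))
            cond[key] = cond.get(key, 0.0) + p / p_e[e]
        for e, pe in p_e.items():
            d = sum(abs(cond.get((e, z), 0.0) - uniform) for z in range(2 ** ell))
            total += pe * d / 2
    return total / len(seeds)


def leftover_hash_bound(hmin: float, ell: int) -> float:
    """Leftover hash lemma: distance <= 1/2 * sqrt(2^(ell - H_min))."""
    return 0.5 * sqrt(2 ** (ell - hmin))


def demo(n: int = 6, leak: int = 2):
    """Exact average distance versus the lemma's bound for 1- and 2-bit outputs."""
    hmin = min_entropy(toy_source(n, leak))
    return {ell: (avg_distance_from_uniform(n, leak, ell), leftover_hash_bound(hmin, ell))
            for ell in (1, 2)}


if __name__ == "__main__":
    print("H_min(X|E) =", min_entropy(toy_source(6, 2)))
    for ell, (dist, bound) in demo().items():
        print(f"ell={ell}: exact avg distance {dist:.5f} <= bound {bound:.5f}")
```

With n = 6 and leak = 2 the min-entropy is 4 bits; extracting 1 bit gives average distance 1/32 (only the 4 of 64 seed rows that ignore Eve's unknown bits produce a constant output), well inside the bound of about 0.177, and extracting 2 bits gives about 0.091 against a bound of 0.25. The same enumeration is what the slide's "proof by conditioning" relies on: E is classical, so the analysis conditions on each value e.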
Summary: privacy amplification
authentic (but public) classical channel + shared partially private randomness X wrt E ≥ shared secure key K
protocol: privacy amplification
privacy amplification: generates shared secure key from shared partially private randomness
Yet to be discussed: What if Alice and Bob do not start with the same random variable?
Information reconciliation
authentic (but public) classical channel + partially private randomness X wrt E, correlated random variable Y ≥ shared partially private randomness X
protocol: information reconciliation
information reconciliation: generates shared partially private randomness from correlated, partially private randomness
More information measures in the single-shot scenario
maximal amount of extractable randomness
minimal compression length
Minimal number of additional bits required to determine X from Y in the worst case.
Minimal number of additional bits required to describe X.
Minimal number of additional bits required to describe “typical” sample of X.
Minimal number of additional bits required to describe “typical” sample of X, given Y
Information reconciliation
Goal: want to minimize additional information provided to Bob and Eve, but still guarantee that Bob can recover X
Information reconciliation: the protocol
Protocol:
leakage: quantifies loss of privacy
Information reconciliation: definition
G. Brassard and L. Salvail, Secret-key reconciliation by public discussion, 1994
R. Renner and S. Wolf, Simple and Tight Bounds on Information Reconciliation and Privacy Amplification, 2005
Information reconciliation for i.i.d. noise
leakage
A. Smith: Scrambling Adversarial Errors Using Few Random Bits, Optimal Information Reconciliation, and Better Private Codes, 2006.
This can be done efficiently
Summary: information reconciliation
authentic (but public) classical channel + partially private randomness X wrt E, correlated random variable Y ≥ shared secret key K
protocol: information reconciliation followed by privacy amplification
The length of the final key depends on as follows:
omitting
Combining information reconciliation and privacy amplification
For binary symmetric channels:
The number of secret bits that Alice and Bob can generate per channel use is
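An added worked example (not code from the slides) of the one-way information reconciliation step summarized above, with the leakage made explicit: Alice publishes, for each 7-bit block of her string X, the syndrome under the [7,4] Hamming code; Bob combines it with the syndrome of his correlated copy Y, which yields the syndrome of the error pattern X⊕Y, and corrects one flipped bit per block. Every published syndrome leaks 3 bits over the authentic public channel, and the example accounts for that leakage in a final key length of the standard form H_min(X|E) − leakage − 2·log2(1/ε), which is an assumption of this example rather than the formula omitted from the slide. The parity-check matrix, the binary-symmetric noise model and all sample strings are constructed here; the block also shows the failure mode of two errors in one block, which this short code cannot correct.

```python
import math
import random

# Parity-check matrix of the [7,4] Hamming code (constructed). Rows are 7-bit masks;
# the syndrome of a single flipped bit in column j (1..7, counted from the most
# significant bit) is the binary number j.
H_ROWS = (0b0001111, 0b0110011, 0b1010101)
BLOCK_BITS = 7
SYNDROME_BITS = len(H_ROWS)


def parity(v: int) -> int:
    return bin(v).count("1") & 1


def syndrome(block: int) -> int:
    """H * block over GF(2), as a 3-bit integer."""
    s = 0
    for row in H_ROWS:
        s = (s << 1) | parity(row & block)
    return s


def reconcile(alice_blocks, bob_blocks):
    """One-way reconciliation: Alice publishes each block's syndrome, Bob corrects.
    Returns Bob's corrected blocks and the number of bits leaked publicly.
    Only a single flipped bit per block is corrected; two or more flips in one
    block are mis-corrected and go unnoticed by this code."""
    corrected = []
    leakage = 0
    for x, y in zip(alice_blocks, bob_blocks):
        s_alice = syndrome(x)          # sent over the authentic public channel
        leakage += SYNDROME_BITS
        e = s_alice ^ syndrome(y)      # = H * (x xor y): syndrome of the error pattern
        if e:
            y ^= 1 << (BLOCK_BITS - e)  # flip column e (column 1 = most significant bit)
        corrected.append(y)
    return corrected, leakage


def final_key_length(hmin: float, leakage: int, eps: float) -> int:
    """Secure key bits left after privacy amplification, in the form assumed here:
    H_min(X|E) minus reconciliation leakage minus 2*log2(1/eps)."""
    return max(0, math.floor(hmin - leakage - 2 * math.log2(1 / eps)))


def simulate(n_blocks: int, flip_prob: float, seed: int):
    """Constructed experiment: Bob's copy of Alice's string passes a binary symmetric
    channel with crossover probability flip_prob; report leakage and residual errors."""
    rng = random.Random(seed)
    alice = [rng.randrange(1 << BLOCK_BITS) for _ in range(n_blocks)]
    bob = []
    for x in alice:
        noise = 0
        for i in range(BLOCK_BITS):
            if rng.random() < flip_prob:
                noise |= 1 << i
        bob.append(x ^ noise)
    fixed, leakage = reconcile(alice, bob)
    residual = sum(bin(a ^ b).count("1") for a, b in zip(alice, fixed))
    return {"leakage": leakage, "residual_errors": residual, "agree": fixed == alice}


if __name__ == "__main__":
    for p in (0.0, 0.02, 0.15):
        print(p, simulate(200, p, seed=1))
    print("final key bits:", final_key_length(hmin=100, leakage=30, eps=2 ** -10))
```

At low crossover probability almost every block carries at most one error and the strings agree after reconciliation; as the noise grows, multi-error blocks appear and residual errors survive, which is why practical protocols follow reconciliation with a verification step and choose codes matched to the estimated error rate.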
Part II: Quantum key distribution
authentic (public) classical channel + insecure quantum channel ≥ shared secret key
protocol: quantum key distribution protocol
Information measures in the quantum world
Quantum guessing/min-entropy
Alice: X (classical random variable)
Eve: E (quantum system)
prep E
Min-entropy: alternative (dual) formulation
(Renner 2005).
Equivalence via SDP duality: K, Renner, Schaffner 2009
prep E
Bound on min-entropy reduction by conditioning
Lemma
Bounds on min-entropy for general ensembles: the pretty good measurement
Barnum, Knill, 2000
Then
Min-entropy for binary random variables
Helstrom 69, Holevo 73
Secret keys (wrt to quantum adversaries)
Definition of secure keys
Consider an n-bit string K and a correlated quantum system Q
The situation is fully described by the ensemble
or equivalently the classical-quantum state
How much information does the system Q give about K?
state prep accessible information
Definition of keys: information-theoretic definition
traditional definition:
• H.-K. Lo and H. F. Chau, Science 283, 2050 (1999)
• P. Shor and J. Preskill, Phys. Rev. Lett. 85 (2000)
• M. A. Nielsen and I. L. Chuang, Cambridge University Press (2000)
• D. Gottesman and H.-K. Lo, IEEE Transactions on Information Theory 49, 457 (2003)
• H.-K. Lo, H. F. Chau, and M. Ardehali, Journal of Cryptology 18, 133 (2005)
is secure key if
(classical reasoning,before 2006)
This is flawed because of locking of classical correlations!
We can construct explicit examples of known-plaintext attacks rendering one-time pads insecure. K., Renner, Bariska, Maurer, PRL 98, 140502 (2007)
state prep
state prep
Defining keys: composability and locking
“correct” composable definition:
is secure key if
• Operational interpretation in terms of hypothesis testing
• Universally composable
(POVM)
Remark: Earlier security proofs were correct - they imply this stronger security notion.
Example: secure 1-bit key
Privacy amplification and extractors
Assumption: partially private shared randomness
K., Terhal 2006
Recall:
Secure 1-bit key with respect to cq-side information
Specializing to the case where
A binary ensemble for every y:
state prep
Pretty good measurement strategy
A binary ensemble for every y:
Lemma: The following strategies yield identical statistics:
• Applying the PGM of the ensemble for every y. This strategy is adaptive. Its distinguishing advantage differs from the optimum by a square root (Barnum-Knill).
• Applying the PGM of the ensemble and then applying the function. This strategy is non-adaptive: the quantum state can be replaced by a classical random variable (the measurement outcome). Classical analysis applies!
Privacy amplification and extractors
Assumption: partially private shared randomness
K., Terhal 2006
Recall:
Table columns: function | length k of key | length c of seed | reference
2-universal hash
K., Maurer & Renner QIP 2004 / Renner / Renner & K., 2005
K., Terhal 2008, QIP 2007
Trevisan’s extractor
De & Vidick / De, Portmann, Vidick, Renner 2009 / Ben-Aroya & Ta-Shma 2010
A certain classical extractor isn’t a quantum extractor. Gavinsky, Kempe & de Wolf 2007
optimal suboptimal m
1
Any 1-bit output classical extractor is a quantum extractor.
optimal suboptimal
(memory assumptions instead of min-entropy)
m optimal optimal
Quantum-secure extractors
Parameter estimation
Procedure: Alice and Bob measure (parts) of their system
Goal: Alice and Bob either
• abort or
• the post-measurement state is such that
privacy amplification
information reconciliation
Note: In general, establishing (*) does not require full tomographic information on
(*)
Initial situation:
Typically: state constrained by symmetries of the protocol
Parameter estimation: an example
Parameter estimation for tensor product states
Assume: The state is Bell-diagonal
Initial situation:
Procedure: Use e copies to do parameter estimation
Lower bound on
Upper bound on
where Pauli-Z-measurement
Then apply to each pair of systems
Goal after parameter estimation:
Parameter estimation for Bell-diagonal product states
unknown parameters
Given:
Full tomography version:
Fictitious protocol:
Simulating “entangled” POVMs using LOCC
This can be implemented as follows:
Analysis:
but
What system E should we consider?
Post-measurement state after Alice’s z-measurement
Parameter estimation: Eve’s ensemble
Parameter estimation: Eve’s min-entropy
Recall: for depolarizing noise with strength
Parameter estimation: collision probability
Post-measurement state after Alice’s z-measurement
or
Bob’s distribution
Parameter estimation: result for depolarizing noise
for depolarizing noise with strength
“correlation” (1 − disturbance), “secrecy” (1 − Eve’s information)
If the noise rate is below some threshold probability ε₀, then secret key can be generated!
Putting it together: QKD protocols
Typical structure of a QKD protocol
1. Quantum communication/entanglement distribution
2. Measurement
3. Postprocessing
a) Parameter estimation
b) Information reconciliation
c) Privacy amplification
The BB84 protocol
BB84-encoding of bits in qubits
These are complementary bases:
BB84 (without adversary)
information reconciliation & privacy amplification
intermediate situation at this stage in the noise/adversary-free case:
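An added worked example (not code from the slides) of the protocol structure listed above, simulated classically in Python: Alice encodes random bits in one of the two complementary BB84 bases, Bob measures in a random basis (a matching basis reproduces the bit, the complementary basis gives a uniformly random outcome), the two sift over the authentic public channel, and parameter estimation publicly compares a random sample of the sifted bits and aborts when the observed error rate exceeds a threshold. The bit-flip channel model, the threshold value and the seeded randomness are assumptions of this example; only the noise-free and noisy channel cases are simulated, no adversary model is included, and the slides' reconciliation and privacy amplification steps would follow on the raw keys this function returns.

```python
import random

Z_BASIS, X_BASIS = 0, 1  # the two complementary BB84 bases (computational and Hadamard)


def bb84_round(n_qubits: int, flip_prob: float, sample_size: int, threshold: float, seed: int):
    """Simulate one BB84 round: encoding, measurement, sifting and parameter estimation.
    flip_prob is a constructed channel model: with that probability the encoded bit is
    flipped within its own basis, so it is also the expected error rate on sifted bits."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.choice((Z_BASIS, X_BASIS)) for _ in range(n_qubits)]
    bob_bases = [rng.choice((Z_BASIS, X_BASIS)) for _ in range(n_qubits)]

    # Step 1-2: quantum communication and measurement.
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if rng.random() < flip_prob:
            bit ^= 1
        # Same basis: outcome equals the encoded bit. Complementary basis: the outcome
        # is uniformly random, which is what makes the bases complementary.
        bob_bits.append(bit if a_basis == b_basis else rng.randrange(2))

    # Step 3a (first part): sifting. Bases are announced over the authentic public
    # channel; positions where they differ carry no correlation and are dropped.
    sifted = [i for i in range(n_qubits) if alice_bases[i] == bob_bases[i]]

    # Step 3a: parameter estimation on a random sample, which is then discarded
    # because its values became public.
    sample = set(rng.sample(sifted, sample_size))
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / sample_size
    keep = [i for i in sifted if i not in sample]
    return {
        "sifted": len(sifted),
        "qber": qber,
        "aborted": qber > threshold,
        # Raw keys for steps 3b/3c (information reconciliation, privacy amplification).
        "alice_raw": [alice_bits[i] for i in keep],
        "bob_raw": [bob_bits[i] for i in keep],
    }


if __name__ == "__main__":
    for p in (0.0, 0.05, 0.3):
        r = bb84_round(n_qubits=2000, flip_prob=p, sample_size=200, threshold=0.11, seed=7)
        print(f"flip_prob={p}: sifted={r['sifted']} qber={r['qber']:.3f} aborted={r['aborted']}")
```

Roughly half of the qubits survive sifting. With no noise the sample shows zero errors and the raw keys agree; with heavy noise the estimated error rate exceeds the threshold and the round is aborted, which is the only defence the protocol has at this stage against a corrupted state, since the later steps assume the estimate bounds both Eve's information and Alice and Bob's correlation.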
Individual (incoherent) attacks
Ancilla qubits are measured before the classical postprocessing
Every system is attacked independently, with the same strategy.
Collective attacks
(Some) ancilla qubits are kept until after the classical postprocessing, then (potentially) measured.
Every system is attacked independently, with the same strategy.
The measurement may depend on the post-processing transcript.
General (coherent) attacks
Eve can apply any superoperator to (all) qubits, keep ancillas.
The measurement may depend on the post-processing transcript.
The BB84 protocol: entanglement-based view
information reconciliation & privacy amplification
For an individual, as well as a collective attack:
the ideal state is replaced by a corrupted state
Parameter estimation is needed to
• bound Eve’s information
• bound Alice and Bob’s correlation
Parameter estimation
Final remarks: topics yet to be discussed…
• Security against collective attacks implies security against general attacks via a symmetrization argument (de Finetti/postselection).
• Refined information measures need to be used to obtain optimal key rates.
• Finite-size regime important for practical applications.
• Going beyond quantum: device-independent security from Bell inequality violations only.
• Secure two- and multiparty computation
Some references
• Stefan Wolf, Information-Theoretically and Computationally Secure Key Agreement in Cryptography, PhD thesis 1999
• Valerio Scarani, Helle Bechmann-Pasquinucci, Nicolas J. Cerf, Miloslav Dušek, Norbert Lütkenhaus, Momtchil Peev, The security of practical quantum key distribution, REVIEWS OF MODERN PHYSICS, VOLUME 81, JULY–SEPTEMBER 2009