Copenhagen QMATH Masterclass June 18, 2019 Robert König A tutorial on quantum key distribution


  • Copenhagen QMATH Masterclass June 18, 2019

    Robert König

    A tutorial on quantum key distribution

  • Overview

    • Information-theoretic cryptography

    • Quantum key distribution

  • Cryptography: A few goals

    Key desiderata:

    • Authenticity

    • Privacy

    Alice or Eve ?

  • Problem I: Private communication

    Goal: Alice wants to communicate a private message m to Bob.

    Setup: Alice, Bob and Eve are in a public space

    Assumption: Alice and Bob share a secret K unknown to Eve.

    K=

    m = “I think Eve is malicious – we should be careful”.

  • Some information measures for classical information theory

    Shannon entropy

    conditional entropy

    mutual information

    Properties:

    conditional mutual information

    Src: Stefan Wolf, Information-Theoretically and Computationally Secure Key Agreement in Cryptography, PhD thesis 1999

  • Ciphers for symmetric encryption: Definition

    Protocol:

    Src: Stefan Wolf, Information-Theoretically and Computationally Secure Key Agreement in Cryptography, PhD thesis 1999

  • Security definition of perfect ciphers

    Protocol:

    Src: Stefan Wolf, Information-Theoretically and Computationally Secure Key Agreement in Cryptography, PhD thesis 1999

  • Symmetric encryption: The one-time pad (achievability)

    Protocol:

    Claim 1: This protocol is correct, that is

    Claim 2: This protocol is perfectly secret.

    Note: the key and the message have the same length!

  • Symmetric encryption: lower bound on required key length

    C. Shannon: Communication theory of secrecy systems, Bell System Technical Journal, vol. 28, pp. 656-715, 1949.

    (Figure residue; the inequality the diagram shows is b ≥ a.)
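    The one-time pad slides above state correctness, perfect secrecy and Shannon's key-length bound without showing a calculation. The following added example (not code from the slides) checks all three exhaustively on 3-bit messages: the only assumption is the toy length N = 3, chosen so that every key/message pair can be enumerated and the conditional ciphertext distributions computed exactly. It also shows the failure mode a practitioner cares about most, pad reuse.

```python
"""One-time pad: correctness, perfect secrecy, the Shannon key-length bound
and what key reuse leaks, all checked exhaustively on 3-bit messages.

Added example for this tutorial, not code from the slides. The only
assumption is the toy length N = 3 so that every key/message pair can be
enumerated and the conditional distributions computed exactly.
"""
from collections import Counter
from itertools import product

N = 3  # message length in bits (toy value, chosen so enumeration is cheap)


def all_strings(length):
    return list(product((0, 1), repeat=length))


def otp_encrypt(message, key):
    """c = m XOR k bitwise; the key must be as long as the message."""
    if len(key) != len(message):
        raise ValueError("one-time pad key must be exactly message length")
    return tuple(m ^ k for m, k in zip(message, key))


def otp_decrypt(ciphertext, key):
    """Decryption is the same operation: (m XOR k) XOR k = m."""
    return otp_encrypt(ciphertext, key)


def short_key_encrypt(message, key):
    """A cipher whose key is one bit shorter than the message: the key is
    padded with a fixed 0 bit before XORing. Used to show Shannon's bound."""
    return otp_encrypt(message, key + (0,))


def is_perfectly_secret(encrypt, key_bits, msg_bits=N):
    """Perfect secrecy (Shannon 1949): the distribution of the ciphertext,
    over a uniform key, is the same for every message, i.e. C is
    independent of M. Checked by exact enumeration."""
    keys = all_strings(key_bits)
    dists = []
    for m in all_strings(msg_bits):
        counts = Counter(encrypt(m, k) for k in keys)
        dists.append({c: n / len(keys) for c, n in counts.items()})
    return all(d == dists[0] for d in dists)


def roundtrips(msg_bits=N):
    """Correctness: decrypt(encrypt(m, k), k) == m for every m and k."""
    return all(otp_decrypt(otp_encrypt(m, k), k) == m
               for m in all_strings(msg_bits) for k in all_strings(msg_bits))


def two_time_pad_leak(m1, m2, key):
    """Reusing a pad: c1 XOR c2 = m1 XOR m2, which no longer depends on the
    key. Returns that XOR, computed from the two ciphertexts alone."""
    c1, c2 = otp_encrypt(m1, key), otp_encrypt(m2, key)
    return tuple(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    print("OTP correct:", roundtrips())
    print("OTP perfectly secret:", is_perfectly_secret(otp_encrypt, N))
    print("2-bit key on 3-bit messages perfectly secret:",
          is_perfectly_secret(short_key_encrypt, N - 1))
    print("two-time pad leaks m1 XOR m2:",
          two_time_pad_leak((1, 0, 1), (0, 0, 1), (1, 1, 0)))
```

    The short-key cipher fails the check because with fewer keys than messages some ciphertexts are unreachable from some messages, which is exactly the counting argument behind the bound on the required key length.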

  • One-time pad as resource conversion

    authentic (but public) classical channel + shared secret key K  ≥  authentic and private classical channel

    Protocol: one-time pad

  • Authenticity

    Alice or Eve ?

    Goal: Bob wants to be sure that the received message originated from Alice (and not Eve).

    Setup: Alice, Bob and Eve are in a dark room. It’s impossible to see who’s speaking, and Alice and Eve have identical voices*.

    Assumption: Alice and Bob share a secret K unknown to Eve.

    * This is an idealization.

  • Message authentication codes

    Assumption: Alice and Bob have a shared “secret” key K

    Protocol:

    Goal: We want to make sure that Eve can’t change the message sent by Alice (and still have Bob accept)

    Note: this is a simplified definition. Want security even if several pairs (m,t) are observed.

    Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22, 265–279 (1981)

  • 2-universal hash functions

  • Construction of a (one-time) MAC

    Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22, 265–279 (1981)
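    The slides above define 2-universal hashing and the one-time MAC built from it but leave the construction and its forgery bound as formulas. The following added example (not code from the slides) instantiates the Wegman-Carter construction with the polynomial hash h_{a,b}(m_1,...,m_l) = b + Σ m_i a^i mod p, whose l = 1 case is the affine family a·m + b, and computes Eve's best forgery probability exactly by enumerating every key. Assumptions: a toy prime P = 5 so that enumeration is cheap (a real deployment uses p around 2^128 or GF(2^128)); the weak "no offset" family is included only to show why the additive key part matters.

```python
"""Wegman-Carter one-time MAC from a 2-universal hash family, with an
exhaustive computation of Eve's best forgery probability.

Added example for this tutorial, not code from the slides. Assumption: a
toy prime P = 5 so every key can be enumerated. The family is the
polynomial hash h_{a,b}(m_1..m_l) = b + sum_i m_i a^i (mod p) with key
(a, b) uniform in Z_p^2; for l = 1 this is the affine family a*m + b.
"""
from itertools import product

P = 5


def poly_hash(key, message, p=P):
    """h_{a,b}(m) = b + m_1 a + m_2 a^2 + ... + m_l a^l (mod p), via Horner."""
    a, b = key
    acc = 0
    for m_i in reversed(message):
        acc = (acc + m_i) * a % p
    return (acc + b) % p


def no_offset_hash(key, message, p=P):
    """Same family without the additive b. NOT 2-universal: h(0) = 0 for
    every key, and one observed pair with m != 0 reveals a."""
    return poly_hash((key[0], 0), message, p)


def tag(key, message, p=P):
    """One-time MAC: t = h_key(m). The key must not be reused."""
    return poly_hash(key, message, p)


def verify(key, message, t, p=P):
    return poly_hash(key, message, p) == t


def max_forgery_probability(hash_fn, key_space, msg_len, p=P):
    """Eve sees one authenticated pair (m, t) and must output (m', t') with
    m' != m that verifies. Returns the worst case over all (m, t, m', t')
    of Pr_key[h(m') = t' | h(m) = t] for a key uniform on key_space."""
    messages = list(product(range(p), repeat=msg_len))
    worst = 0.0
    for m in messages:
        for t in range(p):
            consistent = [k for k in key_space if hash_fn(k, m, p) == t]
            if not consistent:
                continue
            for m2 in messages:
                if m2 == m:
                    continue
                for t2 in range(p):
                    hits = sum(1 for k in consistent if hash_fn(k, m2, p) == t2)
                    worst = max(worst, hits / len(consistent))
    return worst


FULL_KEYS = list(product(range(P), repeat=2))   # (a, b) both uniform and secret
NO_OFFSET_KEYS = [(a, 0) for a in range(P)]      # only a is secret

if __name__ == "__main__":
    k = (2, 3)
    print("tag verifies:", verify(k, (1, 4), tag(k, (1, 4))))
    print("affine, l=1 : forgery prob", max_forgery_probability(poly_hash, FULL_KEYS, 1))
    print("poly,   l=2 : forgery prob", max_forgery_probability(poly_hash, FULL_KEYS, 2))
    print("no offset   : forgery prob", max_forgery_probability(no_offset_hash, NO_OFFSET_KEYS, 1))
```

    The exhaustive search confirms the textbook bound: the forgery probability is 1/p for single-block messages and at most l/p for l blocks (the difference of two distinct degree-l polynomials has at most l roots), while the family without the offset b is broken outright because one observed tag determines the key.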

  • Transforming resources in cryptography

    non-authentic classical channel + shared secret key K  ≥  authentic (but public) classical channel

    Protocol: message authentication

    authentic (but public) classical channel + shared secret key K  ≥  authentic and private classical channel

    Protocol: one-time pad

  • The power of shared keys

    non-authentic, public classical channel + shared secret key K  ≥  authentic and private classical channel

    Protocol: message authentication + one-time pad

    Shared keys permit communicating privately over non-authentic, public classical channels.

  • Quantum key distribution: what it achieves (roughly)

    authentic (public) classical channel + insecure quantum channel  ≥  private classical channel

    Protocol: quantum key distribution

    or: Quantum key distribution = key expansion

    non-authentic (public) classical channel + insecure quantum channel + shared secret key K  ≥  longer shared secret key K’

    Protocol: quantum key distribution

  • Some primitives of (classical) information-theoretic cryptography

  • Information-theoretic cryptography and information theory

    Noisy communication channels (from Alice to Bob respectively Eve)

    Src: Stefan Wolf, Information-Theoretically and Computationally Secure Key Agreement in Cryptography, PhD thesis 1999

    Intuition:

    Alice and Bob can generate more key (per channel use), the more noisy Eve’s channel is compared to Bob’s.

    For binary symmetric channels:

    The number of secret bits that Alice and Bob can generate per channel use is

    I. Csiszár and J. Körner, Broadcast channels with confidential messages, IEEE Transactions on Information Theory, Vol. 24, No. 3, pp. 339–348, 1978.

  • Information-theoretic cryptography and information theory

    Theorem:

    I. Csiszár, J. Körner, Broadcast channels with confidential messages, 1978

    Intuition: any advantage can be distilled.

    correctness

    secrecy

    Src: Stefan Wolf, Information-Theoretically and Computationally Secure Key Agreement in Cryptography, PhD thesis 1999

  • Definition of secure keys

    information-theoretic definition

    Tentative definition…..

    There is a better one.

  • Variational distance and hypothesis testing

  • Definition of secure keys

    information-theoretic definition

    Remark: This definition is “universally composable”

    Ran Canetti, Universally Composable Security: A New Paradigm for Cryptographic Protocols ia.cr/2000/067

    On average over Eve’s information, (the conditional distribution of) the key is close to

    • independent of the message and

    • uniform

  • Information measures in the single-shot scenario

    interpretation: uncertainty about X

    interpretation: uncertainty about X given Y

    guessing probabilities

    equality if X fully determined by Y

    equality if X deterministic

    equality if X, Y are independent

  • Partially private randomness

    guessing probabilities

    equality if X fully determined by Y

    equality if X, Y are independent

    (Diagram: X is an n-bit string; given Eve’s information E, n-k of its bits remain unknown to Eve.)

  • Two notions of “secret” strings

    secure key

    partially private randomness

    Can we convert partially private randomness into secure key?

  • Privacy amplification

    authentic (but public) classical channel + shared partially private randomness X wrt E  ≥  shared secure key K (wrt E)

    protocol: privacy amplification

    partially private randomness  →  secure key

  • Privacy amplification

    partially private

    secure key

    Src: Stefan Wolf, Information-Theoretically and Computationally Secure Key Agreement in Cryptography, PhD thesis 1999

  • Privacy amplification by public discussion: definition

    Charles Bennett, Gilles Brassard and Jean-Marc Robert: Privacy amplification by public discussion (1988)

    Eve holds E. Alice and Bob are connected by a public broadcast channel (authentic).

    Protocol:

    Correctness is obvious: Alice and Bob end up with the same key.

    Security?: Need to argue that K is an approximately secure key wrt. (E,Y)

  • Privacy amplification and extractors

    Assumption: partially private shared randomness

    Proof by conditioning. Does not work for quantum side information.

  • Privacy amplification from strong extractors

    This argument does not work if E is quantum.

    Leftover hash lemma

  • Privacy amplification/strong extractors: a combinatorial problem

    good vertex expansion

    There is (currently) no comparable combinatorial property characterizing extractors for quantum side information.

  • Summary: privacy amplification

    authentic (but public) classical channel + shared partially private randomness X wrt E  ≥  shared secure key K (wrt E)

    protocol: privacy amplification

    privacy amplification: generates shared secure key from shared partially private randomness

    Yet to be discussed: What if Alice and Bob do not start with the same random variable?
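    The privacy amplification slides (Bennett-Brassard-Robert protocol, leftover hash lemma, 2-universal hashing as the extractor) describe the construction only in formulas. The following added example (not code from the slides) runs it in a toy model and computes the distance from uniform of the extracted key, conditioned on Eve's information and the public seed, exactly rather than by sampling. Assumptions, all introduced here: X is a uniform N-bit string; Eve's side information E is the first K_KNOWN bits of X, so H_min(X|E) = N - K_KNOWN; the hash family is the set of all L × N binary matrices M with K = M·X over GF(2), a 2-universal family whose seed Y = M is public. A seedless "keep the first L bits" rule is included as the negative case: it is not 2-universal and hands Eve exactly the bits she already knows.

```python
"""Privacy amplification with a 2-universal hash, checked exactly against the
leftover hash lemma, and compared with the naive 'just keep some bits' rule.

Added example for this tutorial, not code from the slides. Toy model
(assumptions): X uniform N-bit; Eve knows the top K_KNOWN bits of X, so
H_min(X|E) = N - K_KNOWN; hash family = all L x N binary matrices M,
K = M X over GF(2); the seed M is public. Everything is enumerated.
"""
from itertools import product
import math

N, K_KNOWN = 4, 1
H_MIN = N - K_KNOWN          # min-entropy of X given E in this toy model


def linear_hash(seed, x):
    """K = M x over GF(2). seed = tuple of row masks, x = N-bit integer."""
    return tuple(bin(row & x).count("1") & 1 for row in seed)


def linear_seeds(length, n=N):
    """All length x n binary matrices, one n-bit integer per row."""
    return list(product(range(1 << n), repeat=length))


def truncate_hash(seed, x):
    """Seedless rule keeping the top `seed` bits of x: not 2-universal, and
    those are precisely the bits Eve holds in this model."""
    return tuple((x >> (N - 1 - i)) & 1 for i in range(seed))


def key_distance(hash_fn, seeds, length, n=N, k=K_KNOWN):
    """d(K|E,Y) = sum_{e,y} P(e)P(y) * 1/2 sum_kappa |P(K=kappa|e,y) - 2^-length|
    with E = top k bits of X (value e) and the other n-k bits uniform."""
    uniform = 2.0 ** -length
    total = 0.0
    for seed in seeds:
        for e in range(1 << k):
            xs = [(e << (n - k)) | r for r in range(1 << (n - k))]
            counts = {}
            for x in xs:
                kappa = hash_fn(seed, x)
                counts[kappa] = counts.get(kappa, 0) + 1
            dist = sum(abs(c / len(xs) - uniform) for c in counts.values())
            dist += ((1 << length) - len(counts)) * uniform   # keys never hit
            total += 0.5 * dist
    return total / (len(seeds) * (1 << k))


def lhl_bound(length, h_min=H_MIN):
    """Leftover hash lemma: d(K|E,Y) <= 1/2 sqrt(2^(length - H_min(X|E)))."""
    return 0.5 * math.sqrt(2.0 ** (length - h_min))


def max_length(h_min, eps):
    """Largest output length whose leftover-hash bound is at most eps."""
    return max(0, math.floor(h_min - 2 * math.log2(1 / (2 * eps))))


if __name__ == "__main__":
    for L in (1, 2, 3):
        d = key_distance(linear_hash, linear_seeds(L), L)
        print(f"L={L}: 2-universal d={d:.4f}  LHL bound={lhl_bound(L):.4f}  "
              f"truncation d={key_distance(truncate_hash, [L], L):.4f}")
    print("bits extractable from H_min=20 at eps=2^-6:", max_length(20, 2 ** -6))
```

    The exact distances stay below the leftover-hash bound for every output length, and shrink as fewer bits are extracted, which is the trade-off a QKD post-processing step makes when it shortens the key; the truncation rule sits at distance 1/2 regardless, because Eve already knows the extracted bits.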

  • Information reconciliation

    authentic (but public) classical channel + partially private randomness X wrt E, correlated random variable Y  ≥  shared partially private randomness X (wrt E)

    protocol: information reconciliation

    information reconciliation: generates shared partially private randomness from correlated, partially private randomness

  • More information measures in the single-shot scenario

    maximal amount of extractable randomness

    minimal compression length

    Minimal number of additional bits required to determine X from Y in the worst case.

    Minimal number of additional bits required to describe X.

    Minimal number of additional bits required to describe “typical” sample of X.

    Minimal number of additional bits required to describe “typical” sample of X, given Y

  • Information reconciliation

    Goal: want to minimize additional information provided to Bob and Eve, but still guarantee that Bob can recover X

    Src: Stefan Wolf, Information-Theoretically and Computationally Secure Key Agreement in Cryptography, PhD thesis 1999

  • Information reconciliation: definition

    G. Brassard and L. Salvail, Secret-key reconciliation by public discussion, 1994

    leakage: quantifies loss of privacy

  • Information reconciliation: the protocol

    Protocol:

    G. Brassard and L. Salvail, Secret-key reconciliation by public discussion, 1994

    R. Renner and S. Wolf, Simple and Tight Bounds on Information Reconciliation and Privacy Amplification, 2005

  • Information reconciliation for i.i.d. noise

    leakage

    A. Smith, Scrambling Adversarial Errors Using Few Random Bits, Optimal Information Reconciliation, and Better Private Codes, 2006.

    This can be done efficiently.
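    The information reconciliation slides define the protocol and its leakage abstractly. The following added example (not code from the slides) implements the simplest concrete instance, syndrome exchange with a linear code: Alice publishes the syndrome of her string, Bob corrects his copy from it, and the leakage is exactly the number of syndrome bits sent over the public channel. Assumption: the Hamming (7,4) code, chosen because its syndrome directly names the error position; the example also shows the failure mode of a code used beyond its correction radius, which is why practical protocols follow reconciliation with a confirmation step.

```python
"""Information reconciliation by syndrome exchange with the Hamming (7,4)
code: Alice sends H x, Bob corrects y using H y XOR H x = H (y XOR x).

Added example for this tutorial, not code from the slides. Assumption:
Hamming (7,4) corrects one error per 7-bit block; with two errors in a block
the syndrome still points at a single position and Bob miscorrects.
"""
from random import Random

SYNDROME_BITS = 3   # leakage per 7-bit block: the syndrome is public


def syndrome(block):
    """s = H x over GF(2). Column j of H is the binary representation of j
    (j = 1..7), so s is the XOR of the positions of the 1-bits of x."""
    s = 0
    for pos, bit in enumerate(block, start=1):
        if bit:
            s ^= pos
    return s


def reconcile(bob_block, alice_syndrome):
    """Bob flips the position named by H y XOR H x (0 means no change)."""
    diff = syndrome(bob_block) ^ alice_syndrome
    corrected = list(bob_block)
    if diff:
        corrected[diff - 1] ^= 1
    return tuple(corrected)


def reconcile_string(alice, bob):
    """Block-wise protocol. Returns (Bob's corrected string, leakage in bits)."""
    if len(alice) != len(bob) or len(alice) % 7:
        raise ValueError("strings must have equal length, a multiple of 7")
    out, leak = [], 0
    for i in range(0, len(alice), 7):
        s = syndrome(alice[i:i + 7])        # sent over the authentic public channel
        leak += SYNDROME_BITS
        out.extend(reconcile(bob[i:i + 7], s))
    return tuple(out), leak


def flip(block, positions):
    b = list(block)
    for p in positions:
        b[p] ^= 1
    return tuple(b)


def bsc(block, eps, rng):
    """Binary symmetric channel: each bit flipped independently with prob eps."""
    return tuple(bit ^ (1 if rng.random() < eps else 0) for bit in block)


def block_failure_probability(eps):
    """Probability that a 7-bit block sees 2 or more i.i.d. errors, i.e. that
    a single Hamming round cannot reconcile it."""
    return 1.0 - (1 - eps) ** 7 - 7 * eps * (1 - eps) ** 6


if __name__ == "__main__":
    x = (1, 0, 1, 1, 0, 0, 1)
    print("syndrome(x) =", syndrome(x))
    print("one error corrected :", reconcile(flip(x, [2]), syndrome(x)) == x)
    print("two errors corrected:", reconcile(flip(x, [1, 4]), syndrome(x)) == x)
    rng = Random(7)
    alice = x * 4
    bob = bsc(alice, 0.05, rng)
    fixed, leak = reconcile_string(alice, bob)
    print("28-bit string: leaked", leak, "bits; agree:", fixed == alice)
    print("block failure prob at eps=0.1:", round(block_failure_probability(0.1), 4))
```

    The leakage here is fixed at 3 bits per 7, independent of the actual error rate; the leakage bound on the slide for i.i.d. noise is what a code matched to the noise level approaches, and the privacy amplification step must subtract whatever was actually published.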

  • Summary: information reconciliation

  • Combining information reconciliation and privacy amplification

    protocol: information reconciliation followed by privacy amplification

    authentic (but public) classical channel + partially private randomness X wrt E, correlated random variable Y  ≥  shared secret key K (wrt E)

    The length of the final key depends on as follows:

    omitting

    For binary symmetric channels:

    The number of secret bits that Alice and Bob can generate per channel use is

  • Part II: Quantum key distribution

    authentic (public) classical channel + insecure quantum channel  ≥  shared secret key

    Protocol: quantum key distribution

  • Information measures in the quantum world

  • Quantum guessing/min-entropy

    Alice: X (classical random variable)

    Eve: E (quantum system)

  • Min-entropy: alternative (dual) formulation (Renner 2005)

    Equivalence via SDP duality: K., Renner, Schaffner 2009

  • Bound on min-entropy reduction by conditioning

    Lemma

  • Bounds on min-entropy for general ensembles: the pretty good measurement

    Barnum, Knill, 2000

    Then

  • Min-entropy for binary random variables

    Helstrom 69, Holevo 73
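    The three slides above (guessing probability with quantum side information, the pretty good measurement with the Barnum-Knill bound, and the Helstrom formula for binary ensembles) are stated without a worked case. The following added example (not code from the slides) computes Eve's guessing probability for a single BB84 bit when she holds only the transmitted qubit: the optimal Helstrom value, the PGM value, the resulting min-entropy, and the Barnum-Knill relation p_PGM ≥ p_opt². Assumptions: everything is restricted to 2×2 real symmetric matrices (all four BB84 states are real), so no numerical library is needed, and Eve's two states are the equal-weight mixtures of the two encodings of each bit value.

```python
"""Eve's guessing probability for a BB84 bit from the qubit alone: the
optimal (Helstrom) measurement versus the pretty good measurement (PGM),
the min-entropy, and the Barnum-Knill bound p_pgm >= p_opt^2.

Added example for this tutorial, not code from the slides. Restricted to
2x2 real symmetric matrices (assumption: all BB84 states are real).
"""
import math

KET0 = [[1.0, 0.0], [0.0, 0.0]]      # |0><0|
KET1 = [[0.0, 0.0], [0.0, 1.0]]      # |1><1|
PLUS = [[0.5, 0.5], [0.5, 0.5]]      # |+><+|
MINUS = [[0.5, -0.5], [-0.5, 0.5]]   # |-><-|


def add(A, B, s=1.0):
    return [[A[i][j] + s * B[i][j] for j in range(2)] for i in range(2)]


def scale(A, s):
    return [[s * A[i][j] for j in range(2)] for i in range(2)]


def mul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def trace(A):
    return A[0][0] + A[1][1]


def eig_sym2(A):
    """Eigenvalues and orthonormal eigenvectors of a real symmetric 2x2 matrix."""
    a, b, d = A[0][0], A[0][1], A[1][1]
    mean, r = (a + d) / 2, math.sqrt(((a - d) / 2) ** 2 + b * b)
    l1, l2 = mean + r, mean - r
    if abs(b) < 1e-15:
        v1 = (1.0, 0.0) if a >= d else (0.0, 1.0)
    else:
        v1 = (b, l1 - a)                      # solves (A - l1 I) v1 = 0
        n = math.hypot(*v1)
        v1 = (v1[0] / n, v1[1] / n)
    v2 = (-v1[1], v1[0])
    return (l1, l2), (v1, v2)


def apply_fn(A, f):
    """f(A) = sum_i f(l_i) |v_i><v_i| for symmetric A."""
    (l1, l2), (v1, v2) = eig_sym2(A)
    out = [[0.0, 0.0], [0.0, 0.0]]
    for l, v in ((l1, v1), (l2, v2)):
        for i in range(2):
            for j in range(2):
                out[i][j] += f(l) * v[i] * v[j]
    return out


def trace_norm(A):
    (l1, l2), _ = eig_sym2(A)
    return abs(l1) + abs(l2)


def helstrom_pguess(p0, rho0, p1, rho1):
    """Optimal guessing probability for a binary ensemble (Helstrom 1969):
    p_guess = 1/2 (1 + || p0 rho0 - p1 rho1 ||_1)."""
    return 0.5 * (1 + trace_norm(add(scale(rho0, p0), scale(rho1, p1), -1.0)))


def pgm_pguess(priors, states):
    """Pretty good measurement E_x = rho^{-1/2} (p_x rho_x) rho^{-1/2},
    rho = sum_x p_x rho_x; success probability = sum_x tr(E_x p_x rho_x)."""
    rho = [[0.0, 0.0], [0.0, 0.0]]
    for p, s in zip(priors, states):
        rho = add(rho, scale(s, p))
    inv_sqrt = apply_fn(rho, lambda l: 1 / math.sqrt(l) if l > 1e-12 else 0.0)
    return sum(trace(mul(mul(mul(inv_sqrt, scale(s, p)), inv_sqrt), scale(s, p)))
               for p, s in zip(priors, states))


def bb84_eve_states():
    """Bit x encoded in a uniformly random BB84 basis, seen by Eve as
    rho_0 = (|0><0| + |+><+|)/2 and rho_1 = (|1><1| + |-><-|)/2."""
    return scale(add(KET0, PLUS), 0.5), scale(add(KET1, MINUS), 0.5)


def min_entropy(pguess):
    """H_min(X|E) = -log2 p_guess."""
    return -math.log2(pguess)


if __name__ == "__main__":
    r0, r1 = bb84_eve_states()
    p_opt = helstrom_pguess(0.5, r0, 0.5, r1)
    p_pgm = pgm_pguess([0.5, 0.5], [r0, r1])
    print(f"Helstrom p_guess = {p_opt:.4f}  (= cos^2(pi/8)),  H_min = {min_entropy(p_opt):.4f} bits")
    print(f"PGM p_guess      = {p_pgm:.4f},  p_opt^2 = {p_opt ** 2:.4f}  (Barnum-Knill: PGM >= p_opt^2)")
```

    Eve guesses the bit correctly with probability cos²(π/8) ≈ 0.854 at best, so a single intercepted BB84 qubit still carries about 0.23 bits of min-entropy against her; the PGM reaches only 0.75 here, illustrating that it is a bound-giving tool rather than the optimal strategy.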

  • Secret keys (wrt to quantum adversaries)

  • Definition of secure keys

    Consider an n-bit string K and a correlated quantum system Q

    The situation is fully described by the ensemble

    or equivalently the classical-quantum state

    How much information does the system Q give about K?

    accessible information

  • Definition of keys: information-theoretic definition

    traditional definition:

    • H.-K. Lo and H. F. Chau, Science 283, 2050 (1999)
    • P. Shor and J. Preskill, Phys. Rev. Lett. 85 (2000)
    • M. A. Nielsen and I. L. Chuang, Cambridge University Press (2000)
    • D. Gottesman and H.-K. Lo, IEEE Transactions on Information Theory 49, 457 (2003)
    • H.-K. Lo, H. F. Chau, and M. Ardehali, Journal of Cryptology 18, 133 (2005)

    is secure key if

    (classical reasoning, before 2006)

    This is flawed because of locking of classical correlations!

    We can construct explicit examples of known-plaintext attacks rendering one-time pads insecure. K., Renner, Bariska, Maurer, PRL 98, 140502 (2007)

  • Defining keys: composability and locking

    “correct” composable definition:

    is secure key if

    • Operational interpretation in terms of hypothesis testing

    • Universally composable

    (POVM)

    Remark: Earlier security proofs were correct - they imply this stronger security notion.

  • Example: secure 1-bit key

  • Privacy amplification and extractors

    Assumption: partially private shared randomness

    K., Terhal 2006

    Recall:

  • Secure 1-bit key with respect to cq-side information

    Specializing to the case where

    A binary ensemble for every y:

  • Pretty good measurement strategy

    A binary ensemble for every y:

    Lemma: The following strategies yield identical statistics:

    (1) Applying the PGM of the ensemble
        for every y

        This strategy is adaptive. Its distinguishing advantage differs from the optimum by a square root (Barnum-Knill).

    (2) Applying the PGM of the ensemble
        and then applying the function

        This strategy is non-adaptive: the quantum state can be replaced by a classical random variable (measurement outcome). Classical analysis applies!


  • Quantum-secure extractors

    function                               | length k of key | length c of seed | reference
    2-universal hash                       | optimal         | suboptimal       | K., Maurer & Renner QIP 2004 / Renner 2005 / Renner & K. 2005
    any 1-bit output classical extractor   | 1               | optimal          | K., Terhal 2008, QIP 2007 (memory assumptions instead of min-entropy)
    Trevisan’s extractor                   | optimal         | optimal          | De & Vidick 2009 / De, Portmann, Vidick, Renner / Ben-Aroya & Ta-Shma 2010

    Any 1-bit output classical extractor is a quantum extractor. (K., Terhal)

    A certain classical extractor isn’t a quantum extractor. (Gavinsky, Kempe & de Wolf 2007)

  • Parameter estimation

    Initial situation:

    Procedure: Alice and Bob measure (parts) of their system

    Goal: Alice and Bob either

    • abort or

    • the post-measurement state is such that (*)

    privacy amplification

    information reconciliation

    Note: In general, establishing (*) does not require full tomographic information on

    Typically: state constrained by symmetries of the protocol

  • Parameter estimation: an example

  • Parameter estimation for tensor product states

    Assume: The state is Bell-diagonal

    Initial situation:

    Procedure: Use e copies to do parameter estimation

    Lower bound on

    Upper bound on

    where Pauli-Z-measurement

    Then apply to each pair of systems

    Goal after parameter estimation:

  • Parameter estimation for Bell-diagonal product states

    unknown parameters

    Given:

    Full tomography version:

    Fictitious protocol:

  • Parameter estimation for Bell-diagonal states

    unknown parameters

  • Simulating “entangled” POVMs using LOCC

    This can be implemented as follows:

    Analysis:

    but

  • Parameter estimation with Bell-diagonal product states

    unknown parameters

    What system E should we consider?

  • Parameter estimation for Bell-diagonal product states

    post-measurement state

    Post-measurement state after Alice’s z-measurement

  • Parameter estimation: Eve’s ensemble

  • Parameter estimation: Eve’s min-entropy

    Recall: for depolarizing noise with strength

  • Parameter estimation: collision probability

    Post-measurement state after Alice’s z-measurement

    or

    Bob’s distribution

  • Parameter estimation: result for depolarizing noise

    for depolarizing noise with strength

    “correlation” (1 - disturbance)    “secrecy” (1 - Eve’s information)

    If the noise rate is below some threshold probability ε₀ then secret key can be generated!

  • Putting it together: QKD protocols

  • Typical structure of a QKD protocol

    1. Quantum communication/entanglement distribution

    2. Measurement

    3. Postprocessing

    a) Parameter estimation

    b) Information reconciliation

    c) Privacy amplification

  • The BB84 protocol

  • BB84-encoding of bits in qubits

    These are complementary bases:

  • BB84 (without adversary)

    information reconciliation & privacy amplification

    intermediate situation at this stage in the noise/adversary-free case:

  • Individual (incoherent) attacks

    Ancilla qubits are measured before the classical postprocessing

    Every system is attacked independently, with the same strategy.

  • Collective attacks

    (Some) ancilla qubits are kept until after the classical postprocessing, then (potentially) measured.

    Every system is attacked independently, with the same strategy.

    The measurement may depend on the post-processing transcript.

  • General (coherent) attacks

    Eve can apply anysuperoperator to(all) qubits, keep ancillas.

    The measurement may depend on the post-processing transcript.
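    The BB84 slides and the attack classification above describe the protocol phases (quantum transmission, measurement, sifting, parameter estimation) and the individual/collective/coherent attack models in words. The following added example (not code from the slides) runs a BB84 round with sifting and parameter estimation twice, once honestly and once against an intercept-resend attacker, the textbook individual attack in which every qubit is measured independently before any post-processing. Assumptions introduced here: each qubit is simulated classically as a (bit, basis) pair, which is exact for the four BB84 states under Z/X measurements (the preparation basis returns the bit, the other basis a uniform random bit); the abort threshold and the rate 1 - 2h(Q) are the standard asymptotic one-way BB84 values (positive for Q below roughly 11%) and are not taken from the slides, which leave their threshold ε₀ unspecified.

```python
"""BB84 with sifting and parameter estimation, run without an adversary and
against an intercept-resend attacker (an individual attack).

Added example for this tutorial, not code from the slides. Assumptions: the
qubit is a (bit, basis) pair measured classically, exact for BB84 states in
the Z/X bases; the 11% abort threshold and the rate 1 - 2h(Q) are the usual
asymptotic one-way BB84 figures, not a formula from the slides.
"""
import math
import random

Z, X = 0, 1  # the two complementary BB84 bases


def measure(qubit, basis, rng):
    bit, prep_basis = qubit
    return bit if basis == prep_basis else rng.randrange(2)


def intercept_resend(qubits, rng):
    """Eve measures each qubit in a random basis and forwards what she saw.
    She is right about the basis half the time; the other half she
    disturbs the state, giving a 25% error rate on sifted positions."""
    forwarded = []
    for q in qubits:
        b = rng.randrange(2)
        forwarded.append((measure(q, b, rng), b))
    return forwarded


def bb84_sift(n, rng, eve=None):
    """Quantum phase, then basis announcement over the authentic public
    channel. Returns Alice's and Bob's sifted strings (matching bases)."""
    a_bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.randrange(2) for _ in range(n)]
    qubits = list(zip(a_bits, a_bases))
    if eve is not None:
        qubits = eve(qubits, rng)
    b_bases = [rng.randrange(2) for _ in range(n)]
    b_bits = [measure(q, b, rng) for q, b in zip(qubits, b_bases)]
    keep = [i for i in range(n) if a_bases[i] == b_bases[i]]
    return [a_bits[i] for i in keep], [b_bits[i] for i in keep]


def estimate_qber(a, b, fraction, rng):
    """Parameter estimation: publicly compare a random sample of the sifted
    bits, then discard them. Returns (qber, remaining_a, remaining_b)."""
    idx = list(range(len(a)))
    rng.shuffle(idx)
    m = max(1, int(fraction * len(a)))
    sample, rest = idx[:m], idx[m:]
    errors = sum(a[i] != b[i] for i in sample)
    return errors / m, [a[i] for i in rest], [b[i] for i in rest]


def h2(p):
    """Binary entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def asymptotic_rate(qber):
    """Standard one-way BB84 rate 1 - 2h(Q): h(Q) for reconciliation and
    h(Q) for privacy amplification; zero once Q exceeds roughly 11%."""
    return max(0.0, 1 - 2 * h2(qber))


def run(n, seed, eve=None, threshold=0.11, sample_fraction=0.5):
    rng = random.Random(seed)
    a, b = bb84_sift(n, rng, eve)
    qber, a_rest, b_rest = estimate_qber(a, b, sample_fraction, rng)
    if qber > threshold:
        return {"abort": True, "qber": qber, "raw_key_bits": 0, "rate": 0.0}
    return {"abort": False, "qber": qber, "raw_key_bits": len(a_rest),
            "rate": asymptotic_rate(qber)}


if __name__ == "__main__":
    print("honest channel     :", run(4000, seed=1))
    print("intercept-resend   :", run(4000, seed=1, eve=intercept_resend))
    print("rate at Q=0.05     :", round(asymptotic_rate(0.05), 4))
```

    With no noise the sample shows zero errors and the remaining sifted bits go on to reconciliation and privacy amplification; under intercept-resend the estimated error rate sits near 25%, far above any usable threshold, so the run aborts. Real devices see a few percent of errors from the channel alone, which is why the rate formula, and not a zero-error check, decides how much key survives.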

  • The BB84 protocol: entanglement-based view

    information reconciliation & privacy amplification

    For an individual, as well as a collective attack: the ideal state is replaced by a corrupted state

    Parameter estimation is needed to

    • bound Eve’s information

    • bound Alice and Bob’s correlation

  • Final remarks: topics yet to be discussed…

    • Security against collective attacks implies security against general attacks via a symmetrization argument (de Finetti/postselection).

    • Refined information measures need to be used to obtain optimal key rates.

    • Finite-size regime important for practical applications.

    • Going beyond quantum: device-independent security from Bell inequality violations only.

    • Secure two- and multiparty computation

  • Some references

    • Stefan Wolf, Information-Theoretically and Computationally Secure Key Agreement in Cryptography, PhD thesis 1999

    • Valerio Scarani, Helle Bechmann-Pasquinucci, Nicolas J. Cerf, Miloslav Dušek, Norbert Lütkenhaus, Momtchil Peev, The security of practical quantum key distribution, REVIEWS OF MODERN PHYSICS, VOLUME 81, JULY–SEPTEMBER 2009