QUANTUM KEY DISTRIBUTION, PRACTICAL IMPLICATIONS & VULNERABILITIES Seyed Ali Hosseini Lavasani

Seyed Alireza Seif Tabrizi

B92 PROTOCOL Let and be two distinct, nonorthogonal states, and let and

be projection operators onto subspaces orthogonal to and , respectively. Thus annihilates , but yields a positive result with probability when applied to , and vice versa for .

To begin the key distribution, Alice prepares and sends Bob a random binary sequence of quantum systems, using states and to represent the bits 0 and 1, respectively. Bob then decides randomly and independently of Alice for each system, whether to subject it to a measurement of or . Next Bob publicly tells Alice in which instances his measurement had a positive result (but not, of course, which measurement he made), and the two parties agree to discard all the other instances.

If there has been no eavesdropping, the remaining instances , a fraction approximately of the original trials should be perfectly correlated, consisting entirely of instances in which Alice sent and Bob measured , or Alice sent and Bob measured . However, before Alice and Bob can trust this data as key, they must, as in other key distribution schemes, sacrifice some of it to verify that their versions of the key are indeed identical. This also certifies the absence of eavesdropping, which would necessarily have disturbed the states or in transit, causing them sometimes yield positive results when later subjected to measurements or , respectively.

AN EXAMPLE OF B92 QKD For example Alice preparing a polarized photon for each of

her bits according to the rules:

and sending it over the “quantum channel” to Bob.

Bob makes a polarization measurement on each photon he receives, according to the value of his bit as given by:

and records the result (“pass” = Y, “fail” = N).

In this experiment we see that for the first and fourth bits Alice and Bob had different bit values, so that Bob’s result is "N" in each case. However, for the second and third bits, Alice and Bob have the same bit values and the protocol is such that there is a probability of 0.5 that Bob’s result is a “Y” in each case. Of course, we cannot predict in any particular experiment which one will be a “Y,” but in this example the second bit was a “N” and the third bit was a “Y.”

EXPERIMENTAL REALIZATION IN OPTICAL FIBER

The probability that a photon injected by Alice is detected by Bob at his “L” detector

depends on both paths. Thus, if Alice and Bob use the phase angles (, ) = (0, 3/2) for their “0” bits (respectively) and (, ) = (/2, ) for their “1” bits they have an exact representation of B92 when Bob records photon arrivals at his “L” detector. Each path length is analogous to one of the polarizer angles in the explanation of B92 in the previous section.

The BB84 protocol can be realized with a detector in the “upper” output port, for which the single-photon detection probability is

Then, Alice transmits (0, 1) in either the first basis as = (0, ), or the second basis as = (/2, 3 /2), and Bob measures for photon detections at “U” or “L” with either the first basis, = 0, or the second basis, = /2. When Alice and Bob use the same basis, Bob’s “U” detector will fire to identify “1”s and his “L” detector will fire to identify “0”s.

TIME-MULTIPLEXED INTERFEROMETER FOR QUANTUM KEY DISTRIBUTION

FREE SPACE QUANTUM KEY DISTRIBUTION

IMPLICATIONS:EXPERIMENTAL

The highest bit rate system currently demonstrated exchanges secure keys at 1 Mbit/s (over 20 km of optical fiber) and 10 kbit/s (over 100 km of fiber), achieved by a collaboration between the University of Cambridge and Toshiba using the BB84 protocol with decoy pulses.

As of March 2007 the longest distance over which quantum key distribution has been demonstrated using optic fiber is 148.7 km, achieved by Los Alamos National Laboratory/NIST using the BB84 protocol. Significantly, this distance is long enough for almost all the spans found in today's fiber networks. The distance record for free space QKD is 144 km between two of the Canary Islands, achieved by a European collaboration using entangled photons (the Ekert scheme) in 2006, and using BB84 enhanced with decoy states in 2007. The experiments suggest transmission to satellites is possible, due to the lower atmospheric density at higher altitudes. For example although the minimum distance from the International Space Station to the ESA Space Debris Telescope is about 400 km, the atmospheric thickness is about an order of magnitude less than in the European experiment, thus yielding less attenuation compared to this experiment.

IMPLICATIONS:COMMERCIAL There are currently three companies offering

commercial quantum key distribution systems; id Quantique (Geneva), MagiQ Technologies (New York) and QuintessenceLabs (Australia). Several other companies also have active research programs, including Toshiba, HP, IBM, Mitsubishi, NEC and NTT

Quantum encryption technology provided by the Swiss company Id Quantique was used in the Swiss canton (state) of Geneva to transmit ballot results to the capitol in the national election occurring on October 21, 2007.

In 2004, the world's first bank transfer using quantum key distribution was carried in Vienna, Austria.

THE EPR PROTOCOL Alice and Bob share a set of n entangled pairs of qubits in

the EPR state:

Each of them make measurements in {, } basis or {, } basis randomly and store the results.

Then Alice and Bob announce the bases they’ve made their measurements over a public channel

They discard any bits that Bob measured different basis than Alice prepared.

AN EXAMPLE OF EPR PROTOCOL

Alice’s polarization

0 1 - + 1 0 +

Alice’s bit value

0 1 0 1 1 0 1

Bob’s polarization

+ + - 1 1 + +

Bob’s bit value

1 1 0 1 1 1 1

THE ORIGIN OF KEY BITS Since it is symmetric – Alice and Bob perform

identical tasks on their qubits, even possibly simultaneously – it cannot be said that either Alice or Bob generates the key. Rather, the key is truly random. In fact the same applies to the BB84 protocol, since it can be reduced to an instance of a generalized version of the EPR protocol key is undetermined until Alice or Bob performs a measurement on their EPR pair half. Similar observations can be made about the B92 protocol. For this reason, quantum cryptography is sometimes thought of not as secret key exchange or transfer, but rather as secret key generation, since fundamentally neither Alice nor Bob can pre-determine the key they will ultimately end up with upon completion of the protocol.

AN EXAMPLE OF VULNERABLE QKD PROTOCOL Li describes a QKD protocol using Greenberger-Horne-Zeilinger

(GHZ) states that requires no classical communication. The protocol is described as follows, for communicating parties Alice and Bob:

Li shows that this protocol is secure with respect to an attack in which Eve measures qubits returning from Bob to Alice, with a probability that Eve escapes detection of , for n qubits. It is also shown that the protocol is secure with respect to an attack where Eve executes a controlled-NOT operation on the qubits sent from Bob to Alice.

Unfortunately, the protocol is vulnerable to a quantum version of a classic man- in-the- middle attack, which we will refer to as an EPR man-in-the-middle attack, conducted as follows:

Ever since there’s been money, there’ve been people trying to counterfeit it

Previous work on the physics of money:

In his capacity as Master of the Mint, Isaac Newton added milled edges to English coins to make them harder to counterfeit

(Newton also personally oversaw hangings of counterfeiters)

Quantum Money

Today: Holograms, embedded strips, “microprinting,” special inks…

Leads to an arms race with no obvious winner

Problem: From a CS perspective, uncopyable cash seems impossible for trivial reasons

Any printing technology the good guys can build, bad guys can in principle build also

x (x,x) is a polynomial-time operation

What’s done in practice: Have a trusted third party authorize every transaction

OK, but sometimes you want cash, and that seems impossible to secure, at least in classical physics…

(BitCoin: “Trusted third party” is distributed over the Internet)

First Idea in the History of Quantum InfoWiesner 1969: Money that’s information-theoretically impossible to counterfeit, assuming quantum mechanics

Each banknote contains n qubits, secretly prepared in one of the 4 states |0,|1,|+,|-

In a giant database, the bank remembers how it prepared every qubit on every banknote

Want to verify a banknote? Take it to the bank. Bank uses its knowledge to measure each qubit in the right basis:

OR

(Recent) Theorem: A counterfeiter who doesn’t know

the state can copy it with

probability at most (3/4)n

DRAWBACKS OF WIESNER’S SCHEME1. Banknotes could decohere in microseconds in your

wallet—the “Schrödinger’s money problem”!The reason why quantum money isn’t yet practical, in contrast to (say) quantum key distribution

2. Bank needs a big database describing every banknoteSolution (Bennett et al. ‘82): Pseudorandom

functions

3. Only the bank knows how to verify the money

4. Scheme can be broken by interacting with the bank

Future Direction: Quantum Copy-Protection

Finally, a serious use for quantum computing

Goal: Quantum state |f that lets you compute an unknown function f, but doesn’t let you efficiently create more states with which f can be computed

QUANTUM CRYPTOGRAPHY COMES TO SMART PHONES A smart phone can do pretty much anything a PC can. But, aside

from password protection, phones have very little security—a real problem with more and more people using phones for online banking and shopping.

But researchers at Los Alamos National Lab hope quantum encryption can help. Quantum encryption typically requires a lot of processing power and covers only short distances. But Los Alamos says it's developed a minitransmitter that encodes the encryption key on a single photon. They call it the QKarD transmitter, short for Quantum Smart Card. Any change in the photon’s quantum information reveals an attempted hack and cancels the transaction.

QKarD faces a few challenges. You'd still need a password or some biometric security to make sure someone doesn't use your lost or stolen phone to make their own encrypted transactions. Also, Google's Wallet mobile payment service already uses encryption. It may not be as secure as quantum encryption, but many people may decide it’s good enough. 

One thing’s for sure: we're going to need more mobile gadget security to keep a step ahead of info-hungry hackers.

REFERENCES

C. H. Bennett, Phys. Rev. Lett. 68, 3121 (1992). C. H. Bennett and G. Brassard, Proceedings of IEEE International

Conference on Computers, Systems and Signal Processing, Bangalore (New York, IEEE, 1984).

arXiv:quant-ph/9904038v1 arXiv:quant-ph/0206092v1 arXiv:quant-ph/0305076v1 M. A. Nielsen an d I.L.Chuang, Quantum Computation and Quantum

Information, Cambridge University Press, UK, 2000. http://en.wikipedia.org/wiki/Quantum_key_distribution www.scottaaronson.com/talks/money-hs.ppt www.scottaaronson.com/talks/qmoney-uw.ppt http://www.scientificamerican.com/podcast/episode.cfm?

id=quantum-cryptography-comes-to-smart-12-02-02