1 / 15

A. Acín, Stefano Pironio (ICFO, Barcelona) N. Brunner, N. Gisin (Geneva) S. Massar (Brussels)

Device-Independent Security of Quantum Key Distribution. A. Acín, Stefano Pironio (ICFO, Barcelona) N. Brunner, N. Gisin (Geneva) S. Massar (Brussels) V. Scarani (Singapore). QIP 2008, New Delhi, December 2008. Introduction: How QKD works. X. Y. a. b. BOB. ALICE. ?.

moloney
Télécharger la présentation

A. Acín, Stefano Pironio (ICFO, Barcelona) N. Brunner, N. Gisin (Geneva) S. Massar (Brussels)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Device-Independent Security of Quantum Key Distribution A. Acín, Stefano Pironio (ICFO, Barcelona) N. Brunner, N. Gisin (Geneva) S. Massar (Brussels) V. Scarani (Singapore) QIP 2008, New Delhi, December 2008

  2. Introduction: How QKD works X Y a b BOB ALICE ? Eve holds a purification of the state Repeat protocol n times + public communication:  estimate P(ab|XY) Principle of QKD: P(a,b|x,y) bound on Eve’s information.

  3. Introduction: Devices and security 4 4 C C ­ 2 2 C C ­ ¾ ¾ x z ; Observed data in BB84 (ideal case): a,b,X,Y in {0,1} P(00|X = Y) = P(11|X = Y) = 1/2 P(a,b|X ≠ Y) = ¼ ... but these correlations can be distributed - with classical random variables: Security in BB84 = observed data + Knowledge of devices Hilbert space = Measurements = No security ! - or separable states in [Magniez, Mayers, Mosca, Ollivier 05] [Acín, Gisin, Masanes 06]

  4. Our scenario X Y a b BOB ALICE ? ? ? • Aim: Prove security using observed data P(ab|XY) only • knowing that P(ab|XY) originates from a quantum process • but without assuming anything about its actual implementation: Hilbert space dimension? Measurements performed? ...

  5. Our scenario: Assumptions BOB ALICE blue = trusted red = untrusted Y X ? ? ? Eve holds a purification of the state and controls the devices b a • Secure labs: no unwanted information must leak out of Alice and Bob’s labs • Trusted classical devices: e.g., RNG used to choose measurements, computers used to process raw data, etc • Quantum theory: Eve obeys the laws of quantum physics

  6. Our scenario: Motivation • Fundamental: base QKD on minimal set of assumptions • Side-channels: information leaked in other part of the spectrum, number of photons not controled, etc. • Q devices may be untrusted: for instance, if provided by a malevolent party

  7. Requirement for security: Bell inequality violation ( j ) P ( ) ( [ ] ) ( [ ] ) b ¸ ± ¸ ± b b ¸ P X Y P X Y ¡ ¡ a a a = ¸ ; ; A necessary condition for security is that the observed data P(ab|XY)violate a Bell inequality • If the data admit a local model:  a perfect copy of the local instructions λ can go to Eve [Ekert 91] [Barrett et al 05], [Masanes Winter 06], [Acín Massar Pironio 06], ... QKD against NS Eve • If the correlations do not violate any Bell inequality, they can bereproduced by measuring a separable state. Bell inequalities are the only entanglement witnesses that areindependent of the Hilbert space dimension

  8. The protocol X Y a b BOB ALICE ? ? ? • Alice has 3 choices of measurements X0,X1,X2 with outcomes a0,a1,a2 in {0,1} • Bob has 2 choices of measurements Y0,Y1 with outcomes b0,b1 in {0,1} • Raw key= (a2,b0) in particular QBER = Prob(a2≠ b0) • Eve’s information estimated from CHSH: • C=<a0b0> + <a0b1> + <a1b0> - <a1b1>

  9. Security: Collective attacks ­ ­ n n 1 H H H ( ) ( ) P ( ) ­ ­ B E S S ¡ ­ ( ) d E H j i j i i n  : ½ ½ à ª µ ¶ = j A B E b E p m b 0 1 2 = 0 A B E ( = ) 2 = C 1 2 1 0 + ¡ A B E ; ( ) h B E ·  : 2 Our result: • Let n be the number of bits of the raw key. We assume that • Alice, Bob, Eve share a state in • The measurement Mk yielding the kth outcome of Alice is a function of Alice’s setting only: Mk = M(X); and similarly for Bob • Remark: and M(X) chosen by Eve • Key rate • [Devetak Winter 04]: r ≥ I(A:B) – χ(B:E) • I(A:B) = 1 – h(Q) is the mutual information between A and B • is the Holevo information between Bob and Eve

  10. Attack that saturates the bond E d A l d B b h b i i t t t t t t ² v e s e n s o c e a n o e w o q u s a e S S 1 1 + ¡ + + ¡ ¡ j i h j j i h j Á Á Á Á + ½ = 2 2 p ( = ) 2 h S C 2 1 ¡ w e r e = d h d f l l i t t ² a n p r e p a r e s e m e a s u r e m e n e v c e s a s o o w s : S 1 X Y + ¾ ¾ ¾ = = 0 0 p p z x z 2 2 S S 1 1 + + S 1 X Y ¡ ¾ ¾ ¾ = = 1 1 p z p x x 2 2 S S 1 1 + + ( h b Y i Q 1 2 ¡ t w p r o ¾ = 0 z X = 2 d h b i Q 2 t r a n o m w p r o Difference with usual QKD: settings depends on the parameters QBER and CHSH

  11. Security bound Example: correlations s.t. C = 2√2(1-2Q) (arise from the state |Φ+> after going through a depolarizing channel with the measurements maximizing CHSH) usual scenario “singlet”  device-independent scenario CHSH = 2√2

  12. Basic idea of the security proof Objective: maximize χ(B:E) over all states and measurements {X0,X1,Y0,Y1} (defined in Hilbert space of arbitrary dimension) that yield a given violation C of CHSH P c X Y Y X A B c c c c c c ½ ½ ½ p ½ = A B A A B B j j i i c c Step 1: Can show that it is not restrictive to suppose that Eve sends to Alice and Bob a mixture of two-qubit states, together with a classica ancilla c (known to her) that determines the measurements and used on Step 2: Exploiting symmetry + freedom in the labeling, each state can be taken to be a Bell-diagonal state and the measurements and to be measurements in the (x,z) plane. Step 3: Given the above simplification, the maximization of χ(B:E) can be carried out j i à A B E

  13. Towards security against general attacks ( j j j j ) i i i i j j i i à à à à M M M M ª ª M M M ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ s A A A A B B B B E E E E A A B B E E 1 : : : : : : : : : : : : : : : ( ) M s ; s o 2 1 1 ; ( ) M 1 s ; s o s o 3 2 2 1 ; ; ; . . . Usual QKD Collective attacks General attacks state: measurements: de Finetti theorem [Renner 05] Device-independent QKD Collective attacks General attacks state: measurements: ? de Finetti theorem ? ? Other proof ?

  14. Loopholes in Bell tests • Our security is based on violation of Bell inequality, but up to now, all Bell tests • suffer from one of two loopholes: • Locality loophole: requirement that measurements of Alice and Bob be space-like separated.Not a problem here: we assume that no information can leak out of Alice and Bob’s labs • Detection loophole: detector effiency should be above a given threshold. If not, a local classical model is possible, with the detection event depending on which measurement is made.Need to be closed in a truly device-independent scenario, since Eve controls the measurement devices! Can still be useful against side-channels! Dev-ind QKD Usual QKD Eve does not control devices Eve controls all devices Eve controls devices, but detectors which are trusted

  15. SUMMARY • Usual QKD security scenario: assume knowledge of Hilbert space and measurements; devices are under control • Device-independent security can be defined, based on the violation of a Bell inequality • We have proved security against collective attaks • arXiv:quant-ph/0702152

More Related