150 likes | 161 Vues
Device-Independent Security of Quantum Key Distribution. A. Acín, Stefano Pironio (ICFO, Barcelona) N. Brunner, N. Gisin (Geneva) S. Massar (Brussels) V. Scarani (Singapore). QIP 2008, New Delhi, December 2008. Introduction: How QKD works. X. Y. a. b. BOB. ALICE. ?.
E N D
Device-Independent Security of Quantum Key Distribution A. Acín, Stefano Pironio (ICFO, Barcelona) N. Brunner, N. Gisin (Geneva) S. Massar (Brussels) V. Scarani (Singapore) QIP 2008, New Delhi, December 2008
Introduction: How QKD works X Y a b BOB ALICE ? Eve holds a purification of the state Repeat protocol n times + public communication: estimate P(ab|XY) Principle of QKD: P(a,b|x,y) bound on Eve’s information.
Introduction: Devices and security 4 4 C C 2 2 C C ¾ ¾ x z ; Observed data in BB84 (ideal case): a,b,X,Y in {0,1} P(00|X = Y) = P(11|X = Y) = 1/2 P(a,b|X ≠ Y) = ¼ ... but these correlations can be distributed - with classical random variables: Security in BB84 = observed data + Knowledge of devices Hilbert space = Measurements = No security ! - or separable states in [Magniez, Mayers, Mosca, Ollivier 05] [Acín, Gisin, Masanes 06]
Our scenario X Y a b BOB ALICE ? ? ? • Aim: Prove security using observed data P(ab|XY) only • knowing that P(ab|XY) originates from a quantum process • but without assuming anything about its actual implementation: Hilbert space dimension? Measurements performed? ...
Our scenario: Assumptions BOB ALICE blue = trusted red = untrusted Y X ? ? ? Eve holds a purification of the state and controls the devices b a • Secure labs: no unwanted information must leak out of Alice and Bob’s labs • Trusted classical devices: e.g., RNG used to choose measurements, computers used to process raw data, etc • Quantum theory: Eve obeys the laws of quantum physics
Our scenario: Motivation • Fundamental: base QKD on minimal set of assumptions • Side-channels: information leaked in other part of the spectrum, number of photons not controled, etc. • Q devices may be untrusted: for instance, if provided by a malevolent party
Requirement for security: Bell inequality violation ( j ) P ( ) ( [ ] ) ( [ ] ) b ¸ ± ¸ ± b b ¸ P X Y P X Y ¡ ¡ a a a = ¸ ; ; A necessary condition for security is that the observed data P(ab|XY)violate a Bell inequality • If the data admit a local model: a perfect copy of the local instructions λ can go to Eve [Ekert 91] [Barrett et al 05], [Masanes Winter 06], [Acín Massar Pironio 06], ... QKD against NS Eve • If the correlations do not violate any Bell inequality, they can bereproduced by measuring a separable state. Bell inequalities are the only entanglement witnesses that areindependent of the Hilbert space dimension
The protocol X Y a b BOB ALICE ? ? ? • Alice has 3 choices of measurements X0,X1,X2 with outcomes a0,a1,a2 in {0,1} • Bob has 2 choices of measurements Y0,Y1 with outcomes b0,b1 in {0,1} • Raw key= (a2,b0) in particular QBER = Prob(a2≠ b0) • Eve’s information estimated from CHSH: • C=<a0b0> + <a0b1> + <a1b0> - <a1b1>
Security: Collective attacks n n 1 H H H ( ) ( ) P ( ) B E S S ¡ ( ) d E H j i j i i n  : ½ ½ à ª µ ¶ = j A B E b E p m b 0 1 2 = 0 A B E ( = ) 2 = C 1 2 1 0 + ¡ A B E ; ( ) h B E ·  : 2 Our result: • Let n be the number of bits of the raw key. We assume that • Alice, Bob, Eve share a state in • The measurement Mk yielding the kth outcome of Alice is a function of Alice’s setting only: Mk = M(X); and similarly for Bob • Remark: and M(X) chosen by Eve • Key rate • [Devetak Winter 04]: r ≥ I(A:B) – χ(B:E) • I(A:B) = 1 – h(Q) is the mutual information between A and B • is the Holevo information between Bob and Eve
Attack that saturates the bond E d A l d B b h b i i t t t t t t ² v e s e n s o c e a n o e w o q u s a e S S 1 1 + ¡ + + ¡ ¡ j i h j j i h j Á Á Á Á + ½ = 2 2 p ( = ) 2 h S C 2 1 ¡ w e r e = d h d f l l i t t ² a n p r e p a r e s e m e a s u r e m e n e v c e s a s o o w s : S 1 X Y + ¾ ¾ ¾ = = 0 0 p p z x z 2 2 S S 1 1 + + S 1 X Y ¡ ¾ ¾ ¾ = = 1 1 p z p x x 2 2 S S 1 1 + + ( h b Y i Q 1 2 ¡ t w p r o ¾ = 0 z X = 2 d h b i Q 2 t r a n o m w p r o Difference with usual QKD: settings depends on the parameters QBER and CHSH
Security bound Example: correlations s.t. C = 2√2(1-2Q) (arise from the state |Φ+> after going through a depolarizing channel with the measurements maximizing CHSH) usual scenario “singlet” device-independent scenario CHSH = 2√2
Basic idea of the security proof Objective: maximize χ(B:E) over all states and measurements {X0,X1,Y0,Y1} (defined in Hilbert space of arbitrary dimension) that yield a given violation C of CHSH P c X Y Y X A B c c c c c c ½ ½ ½ p ½ = A B A A B B j j i i c c Step 1: Can show that it is not restrictive to suppose that Eve sends to Alice and Bob a mixture of two-qubit states, together with a classica ancilla c (known to her) that determines the measurements and used on Step 2: Exploiting symmetry + freedom in the labeling, each state can be taken to be a Bell-diagonal state and the measurements and to be measurements in the (x,z) plane. Step 3: Given the above simplification, the maximization of χ(B:E) can be carried out j i à A B E
Towards security against general attacks ( j j j j ) i i i i j j i i à à à à M M M M ª ª M M M s A A A A B B B B E E E E A A B B E E 1 : : : : : : : : : : : : : : : ( ) M s ; s o 2 1 1 ; ( ) M 1 s ; s o s o 3 2 2 1 ; ; ; . . . Usual QKD Collective attacks General attacks state: measurements: de Finetti theorem [Renner 05] Device-independent QKD Collective attacks General attacks state: measurements: ? de Finetti theorem ? ? Other proof ?
Loopholes in Bell tests • Our security is based on violation of Bell inequality, but up to now, all Bell tests • suffer from one of two loopholes: • Locality loophole: requirement that measurements of Alice and Bob be space-like separated.Not a problem here: we assume that no information can leak out of Alice and Bob’s labs • Detection loophole: detector effiency should be above a given threshold. If not, a local classical model is possible, with the detection event depending on which measurement is made.Need to be closed in a truly device-independent scenario, since Eve controls the measurement devices! Can still be useful against side-channels! Dev-ind QKD Usual QKD Eve does not control devices Eve controls all devices Eve controls devices, but detectors which are trusted
SUMMARY • Usual QKD security scenario: assume knowledge of Hilbert space and measurements; devices are under control • Device-independent security can be defined, based on the violation of a Bell inequality • We have proved security against collective attaks • arXiv:quant-ph/0702152