1 / 22

Paraty, Quantum Information School, August 2007

Quantum Cryptography (III). Antonio Acín ICFO-Institut de Ciències Fotòniques (Barcelona) www.icfo.es. Paraty, Quantum Information School, August 2007. Device-Independent QKD.

mauve
Télécharger la présentation

Paraty, Quantum Information School, August 2007

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Quantum Cryptography (III) Antonio Acín ICFO-Institut de Ciències Fotòniques (Barcelona) www.icfo.es Paraty, Quantum Information School, August 2007

  2. Device-Independent QKD • Quantum cryptography is the only provable secure way of transmitting information through an authenticated public channel. • Its security is based on Quantum Mechanics. Is the validity of Quantum Mechanics the only assumption required for secure QKD? NO! The honest parties should have some knowledge about their devices.

  3. Device-Independent QKD x y Example:BB84 a b Bob Alice The observed data are the same as those for perfect BB84 with qubits. • If x=y → perfect correlations • If x≠y → no correlations The state is separable. No secure QKD!

  4. Device-Independent QKD Standard QKD protocols based their security on: • Quantum Mechanics: any eavesdropper, however powerful, must obey the laws of quantum physics. • No information leakage: no unwanted classical information must leak out of Alice's and Bob's laboratories. • Alice and Bob have an authenticated public channel. • Knowledge of the devices: Alice and Bob have an (almost) perfect control of the devices.

  5. On assumptions • A QKD protocol should be based on testable assumptions. Alice and Bob local spaces have dimension equal to two. Is this a testable assumption? • What is an assumption? Any hypothesis that (i) is not needed in the perfect scenario where the honest parties share a secret key but (ii) is essential for the distribution of the secret key. Is no information leakage a real assumption?

  6. Device-Independent QKD The devices are nowseen as quantum black boxes. Alice and Bob estimate the observed probability distribution and bound Eve’s information. x y a b Bob Alice over all states such that Is there a protocol for secure QKD based on without requiring any assumption on the devices?

  7. Bell’s inequalities violation Bell’s inequality violation is a necessary condition for security If the correlations are local: A perfect copy of the local instructions can go to Eve. Barrett, Hardy & Kent • Whenever some correlations do not violate any Bell’s inequality, they can be reproduced by measuring a separable state. • Bell’s inequalities are the only entanglement witnesses which are independent of the Hilbert space dimension. Any protocol should be built from non-local correlations.

  8. CHSH Protocol x y a b • The settings x=0,1 and y=0,1 are used to compute the violation of the CHSH inequality. • The setting x=2 and y=1 are used in for the secret key. • The settings are depicted in a qubit-like picture for the sake of simplicity. They can be any measurements compatible with the observed statistics.

  9. CHSH Protocol The protocol is secure in the case of zero noise, i.e. when Alice and Bob observe the maximal violation of the CHSH inequality. Cirelson: The maximal quantum violation of the CHSH inequality is This violation can already be achieved by measuring a two-qubit maximally entangled state. Any other quantum realization of this violation is basically equivalent to a maximally entangled state of two qubits. Eve cannot be correlated at all at the point of maximal violation → Security

  10. Device-Independent QKD We have developed a device-independent QKD scheme and prove its security under the assumption of N copies of the same probability distribution. The obtained key rates are clearly comparable to those obtained for standard schemes. Less assumptions Stronger security! General security proof? De Finetti theorem for this situation, with uncharacterized devices?

  11. The boundary of quantum correlations Quantum correlations (QS): QM Classical Correlations Classical correlations (CS): Bell’s Theorem • The set of classical correlations, for finite alphabets of inputs and outputs defines a convex set with a finite number of extreme points. • The quantum set is also convex but does not have a finite number of extreme points. What’s the quantum boundary? Given , does it have a quantum origin?

  12. Practical implementations

  13. Quantum communication protocols Quantum channel Single-photon source Single-photon detector

  14. Practical implementations  Single photon source  Weak laser pulse | with ||<<1.  Quantum channel  Fiber optic.  Single photon detectors  Avalanche photodiodes. Real devices imperfections open security loopholes!

  15. Alice Bob 1 1 0 0 j f D 0 n h D 1 switch switch varia ble coupler variable coupler Time-bin qubit • qubit : • any qubit state can be created and measured in any basis

  16. Drawback: Trojan horse attacks Plug & Play Bob Alice • Perfect interference (V99%) without any adjustments, since: • both pulses travel the same path in inverse order • both pulses have exactly the same polarisation thanks to FM

  17. Photon number splitting attack Alice Bob Weak coherent pulse: The pulse contains n photons with probability If the channel has sufficiently large losses, Eve can use the presence of multi-photon pulses and break the protocol, without introducing any error.

  18. Photon number splitting attacks 1 photon, Pr(n=1) 2 photon, Pr(n=2). The imperfect source produces a clone! Lossy quantum channel (L) Alice Bob Eve blocks the single-photon pulses Eve keeps her photon until the basis reconciliation → she can read the information. Bob receives the qubit unperturbed. Eve keeps one of the photons and forwards the other to Bob through a perfect line. Eve If Eve can reproduce the losses in the channel via the two-photon pulses, BB84 remains insecure! This defines a critical value of the losses, or distance, for the implementation.

  19. Possible solution: SARG Change the encoding Change the encoding 0 0 Bob Alice 1 0 1 0 1 1 0 1 1 0 Consider the case where Alice has sent +z. The reconciliation works as follows: • Alice announces the sent state plus one of the neighbours, say +x. • If Bob measures z, he gets the result +z, so he cannot identify the state. In this case, the parties reject the symbol. • If Bob measures x, he may get the result –x, so he knows that the sent state was +z. The symbol is accepted. Otherwise it is rejected. If Eve keeps one photon, she is not able to read the information perfectly even after the reconciliation part of the protocol.

  20. Decoy state QKD Hwang Alice uses sources of different amplitudes for the encoding. Alice Bob If Eve applies the PNS attack, Alice and Bob will see a difference between the sources → they detect the attacks and abort the protocol. Thus, using the different amplitudes, Alice and Bob can estimate the amount of multi-photon pulses Eve is attacking and the information she is getting. Decoy-state QKD can be as robust as implementations using ideal single-photon sources.

  21. Conclusions Basic idea Protocols Security proofs More general scenarios Practical protocols Exact relation with entanglement? New privacy amplification theory Security proofs? Very inter-disciplinary line of research

  22. Thanks for your attention!

More Related