Quantum Information and Security

1
Quantum Information and Security

• 20 Oct 2005

2
List of Most Frequently Asked Questions

• 1. What is quantum information processing?
• 2. What is quantum information?
• 3. What quantum code-breaking can do?
• 4. What quantum code-making can do?
• 5. What quantum code-making CANNOT do?

3
What is Quantum Information Processing?
Figure 1. Synthesis of quantum mechanics with
other subjects.
4
What is Quantum Information?

• Classical Information
  Quantum Information
• Bit 0 or 1
  Qubit (quantum bit) superposition of 0 and 1.
• 
  
• 
  

where
and
are complex numbers.
Qubit any two-level quantum system e.g. an
electron with spin
There exist quantum data compression, quantum
error correction, etc. Classical Information
can be regarded as A special case of quantum
information.
0 ,
1 .
e.g. a photon with polarization
0 ,
1 .
Note that a general state is in a superposition
of 0 and 1.
5
Classical vs Quantum Computation

• Elementary Classical Operations
  Elementary Quantum Operations
• Logical operations AND, OR, a)
  Single-qubit operations rotations
• NOT, etc.
  b) Two-qubit operations e.g.
• 
  quantum controlled-NOT (XOR)
• 
  
• 
  
• 
  

Schematic representation of a quantum computation
Steps 1) preparation
3) measurement
2) evolution
measure
measure
measure
time
Input 000
Output110
6
Quantum Crypto Analysis

• 1. Quantum efficient factoring (Shor 1994)
• A quantum computer can efficiently factorize
  large integers, thus breaking RSA
• 2. If a quantum computer is ever built, much of
  public-key cryptography will fall apart!

7
Mathematical Structure Behind Shors Algorithm

• All those problems can be rephrased as an
  Abelian Hidden Subgroup Problem Given a finite
  group G and a set S and a mapping f G
  S with the promise that
• f (g1 ) f (g2 ) iff g1 and g2 are in the same
  coset of H where H is some (hidden) Abelian
  subgroup of G. The goal is to find H.
• Quantum computers can efficiently solve the
  Abelian Hidden Subgroup problem. Whether they
  can efficiently solve Non-Abelian Hidden Subgroup
  problem is a big open question in quantum
  algorithms.

8
Quantum cryptanalysis (contd.)

• Grovers search algorithm Finding a needle in a
  haystack.
• Given an unstructured data-base of N objects, how
  many searches are needed on average to find the
  correct object?
• Mathematically, given a function, f X
  0,1 with the
• Promise that f (x) 1 if x y for a unique y
  and 0 otherwise. Find y.
• Classically, clearly O (N) searches are needed.
  Surprisingly, quantum mechanically, only order
  square root of N searches are needed.
• Comment Grovers algorithm can be used for an
  exhaustive search, for example, exhaustive key
  search for Data Encryption Standard (DES) or
  Advanced Encryption Standard (AES). Therefore, a
  quantum computer can dramatically speed up the
  breaking of these codes.
• (Remedy Doubling the key length.)

9

• Properties of
• Quantum Information

10
Conjugate observables
0
1
0 1
Rectilinear basis
Diagonal basis
It is fundamentally IMPOSSIBLE to determine
the polarization of a single photon in the two
bases simultaneously. (The two self adjoint
operators representing the two observables do
NOT commute. Therefore, they cannot be
simultaneously diagonalized. And, it makes no
sense to talk about their simultaneous
eigenvectors.)
11
Corollary Quantum No-cloning Theorem
a?
a
a
IMPOSSIBLE
An unknown quantum state CANNOT be cloned! Proof.
If it were possible to clone an unknown quantum
state, by repeating the cloning operation, one
could measure two conjugate observables simultaneo
usly, which is forbidden in quantum mechanics.
12
Defeating Counterfeiters withUnclonable Quantum
Checks
Quantum Check Serial number 101001

Quantum Check Serial number 101001
( up, left, right, down, left, up )
Quantum checks are impossible to counterfeit
without basis information.
13
Conventional Cryptography
MILITARY, DIPLOMATIC AND INTELLIGENCE APPLICATIONS
SECURE E-BUSINESS AND E-COMMERCE
CRYPTOGRAPHY
COMPUTATIONAL ASSUMPTIONS (e.g. factoring is hard)
14
What is Wrong with Conventional Cryptography?

• Unanticipated Advances in Hardware and
  Algorithms.
• Quantum Code-breaking
• Quantum computers can efficiently factor large
  numbers (exponential speed-up!) , thus breaking
  RSA, the best-known encryption scheme. (Shor
  1994)
• If a quantum computer is ever built, much of
  conventional cryptography will fall apart!
  (Brassard)

15
Forward Security?

• Trade secrets and US government secrets are kept
  as secrets for decades
• A Big Problem RIGHT NOW
• If an adversary can factor in 2018, she can then
  decrypt all traffic sent in 2003

16
Quantum Cryptography
MILITARY, DIPLOMATIC AND INTELLIGENCE APPLICATIONS
SECURE E-BUSINESS AND E-COMMERCE
CRYPTOGRAPHY
QUANTUM MECHANICS
17
Quantum Cryptography

• Two potential applications
• Quantum key distribution (QKD)
• Quantum bit commitment

18
Key Distribution Problem
Alice
Bob
encryption key
decryption key
If Alice and Bob share a common long random
string of secret, then encryption is secure.
(Shannon 1949) QUESTION How to transfer the key?
19
Classical Key Distribution
Eves copying machine
Bob
(Representable as a string of Number 01101. )
Eve
All CLASSICAL key distribution schemes
are fundamentally INSECURE.
20
Quantum Key Distribution
a?
a
a
IMPOSSIBLE
Quantum No-cloning Theorem
Quantum information cannot be copied. An
eavesdropper Eve will be unable to copy a quantum
key without changing it.
21
Quantum key distribution

• Absolute security based on fundamental laws of
  quantum mechanics, rather than computational
  assumptions.
• Allow two persons who share a small amount of
  authentication information to communicate in
  absolute security in the presence of an
  eavesdropper.
• Any eavesdropping attack will essentially always
  be caught.
• Alice
  Bob

22
Quantum key distribution (QKD)

• Absolute security based on fundamental laws of
  quantum mechanics, rather than computational
  assumptions.
• Allow two persons who share a small amount of
  authentication information to communicate in
  absolute security in the presence of an
  eavesdropper.
• Any eavesdropping attack will essentially always
  be caught.
• Intrusion alert! Eve
  Intrusion alert!

23
The DARPA Quantum Network
Encrypted Traffic
Private
Private
via Internet
Enclave
Enclave
End-to-End Key Distribution
QKD Repeater
QKD Switch
QKD
QKD
Endpoint
Endpoint
QKD Switch
QKD Switch
Ultra-Long-
Distance Fiber
QKD Switch
Borrowed from BBNs website.
24
Procedure of standard BB84 QKD scheme
Step 5 Test for tampering by random sampling and
computing quantum bit error rate. If
error rate is OK, apply error correction
and privacy amplification. Otherwise, they
abort.
25
Experimental QKD

• Quantum key distribution is feasible with current
  technology.
• Over Telecom fibers
• About 67km LANL, BT (now Corning),Geneva
• Distance Limitation Need quantum repeaters.
• Open air experiment (about 23km).
• Proposal for ground to satellite experiments.

26
Proposed Ground to satellite QKD experiment
27
Long-term vision of global quantum network
Fibers For long-haul quantum communications
28
Is QKD secure?
The most important question in
quantum cryptography is to determine how secure
it really is. Gilles Brassard
and Claude Crepeau
Problems a) Real channels are all NOISY. Eve
may try to disguise herself as noise. b) Eve can
perform ANY attack consistent with quantum
mechanics. c) A priori, classical probabilistic
arguments do NOT work because of the well-known
Einstein-Podolsky-Rosen (EPR) paradox.
29
Proof of Unconditional Security of Quantum Key
Distribution (QKD)

• Mayers, quant-ph/9802025 Los Alamos preprint
  archive 1998 preliminary version Crypto96.
• Lo and Chau, Science 283, 2050 (1999).
• Biham et al., in Proceedings of Symposium on the
  Theory of Computing, STOC 2000, p. 715.
• Shor and Preskill, Phys. Rev. Lett. 85, 441
  (2000).
• Gottesman and Lo, http//xxx.lanl.gov/abs/quant-ph
  /0105121
• Inamori, Lutkenhaus and Mayers, quant-ph/0107017
  Los Alamos preprint archive 2001.

30
Techniques of Proof

• Noisy
• Quantum
• Problem

1)
Noiseless Quantum Problem
REDUCTION
Noiseless Classical Problem
2)
Noiseless Quantum Problem
REDUCTION
3) Use Classical Probability Theory
31
Techniques of Proof

• Noisy
• Quantum
• Problem

1)
Noiseless Quantum Problem
REDUCTION
Fault-Tolerant Quantum Computation
Noiseless Classical Problem
2)
Noiseless Quantum Problem
REDUCTION
3) Use Classical Probability Theory
32
Techniques of Proof

• Noisy
• Quantum
• Problem

1)
Noiseless Quantum Problem
REDUCTION
Fault-Tolerant Quantum Computation
Noiseless Classical Problem
2)
Noiseless Quantum Problem
REDUCTION
Use Commuting Observables
3) Use Classical Probability Theory
33
Innovation of Lo - Chaus Proof

• Innovation Apply CLASSICAL probability theory to
  solve a QUANTUM problem. (Not obvious because of
  well-known EPR paradox. Did not seem like a
  promising approach, at first sight.)
• Solution Construct COMMUTING observables.
  (Mathematically, commuting Hermitian matrices
  have simultaneous eigenvectors.) This works even
  when those observables are non-local.
• Remark Hard part is to the actual construction.
• Example

commutes with
,
even though they are both non-local. Conclusion
One can safely assign CLASSICAL probabilities
to them.
34
Tolerable Bit Error Rates
Question Under what operating parameters will
BB84 be secure?
Proof (Quantum) Bit Error
Rate
Cf. Upper bound 25.

• Significance of our result
• Practical a) Extend distance of secure QKD.
• b) Higher key generation rate.
• c) Proved security of standard schemes e.g.
  Cascade
• 2) Conceptual a) Demonstrate the advantage of
  using two-way
• classical communications in classical
  post-processing
• of data generated in QKD.
• b) Introduce a new class of quantum codes.

35
Quantum Error Correction

• A well-known class of quantum codes is the
  Calderbank-Shor-Steane (CSS) codes
• Consider two binary linear codes, C1 and C2, of
  length n such that
• C2 is a subcode of C1
• C1 and the DUAL of C2 can each correct up to t
  errors.
• Then, one can define a QUANTUM error correcting
  code
• that can correct up to t general type of quantum
  errors in a quantum communication channel.
• The resulting quantum code is called a CSS code.

36
Age Problem
Im Y years old.
Im X years old.
Alice
Bob
How to find out whether x gt y without disclosing
the exact value of x and y to each other?
37
Impossibility of Quantum Bit Commitment

• Old belief The Age Problem can be solved through
  a basic primitive called quantum bit
  commitment.
• Surprising result (Mayers 96, Lo and Chau 96)
  Unconditionally secure quantum bit commitment is
  IMPOSSIBLE.

38
What is Bit Commitment?
1. Commit Phase
0
1
or
Alice
Bob
2. Opening Phase
Alice can prove to Bob that she has made up her
mind during the commit phase and she cannot
change it. Yet, Bob does not know her choice
until the opening phase.
39
Generality of the Proof of Impossibility of
Quantum Bit Commitment
Any quantum/classical hybrid protocol can be
equivalently be described by a purely quantum
protocol. (Analogy Any expression involving both
real numbers and complex numbers can be evaluated
by using complex analysis. There is no need to
switch back and forth between real and complex
analyses.)
40
Foundation of Security
DOABLE
IMPOSSIBLE
Quantum Key Distribution (No-cloning Theorem) M
ayers Lo and Chau Biham et al. Ben-Or Shor and
Preskill
Quantum bit commitment Quantum oblivious
transfer (Quantum cheating using Einstein -
Podolsky - Rosen Effect) Mayers Lo and Chau Lo
41
What is the Boundary? Why is there such a
Boundary?
DOABLE
IMPOSSIBLE
Quantum Key Distribution (No-cloning Theorem) M
ayers Lo and Chau Biham et al. Ben-Or Shor and
Preskill
Quantum bit commitment Quantum oblivious
transfer (Quantum cheating using Einstein
Podolsky - Rosen Effect) Mayers Lo and Chau Lo
Unclonable Quantum Encryption (Gottesman - Chuang)
Quantum Coin Tossing (Kitaev 2002)
42
What is the Physics?
Classical Description (Classical Probability Theo
ry) Simple
Quantum/ Classical Hybrid Description COMPLEX
Quantum Description (Unitary Description) Simple
Reduction?
Reduction?

43
What is the Physics?
Classical Description (Classical Probability Theo
ry) Simple
Quantum/ Classical Hybrid Description COMPLEX
Quantum Description (Unitary Description) Simple
Reduction
Reduction
Construct Commuting Observables
Always Possible
Classical information can be regarded as a
special case of quantum information.
44
Prologue Model Real-Life QKD Systems

• 1) All models of QKD are idealizations of
  real-life systems.
• Real-life QKD system is a complex system with
  many degrees of freedom.
• 2) Imperfections
• Imperfect single-photon sources
• Lossy channels
• Imperfect single-photon detection efficiency
• Detectors dark counts
• Trojan Horses attacks
• Denial-of-service attacks
• How to quantify (theoretically and
  experimentally) small imperfections and ensure
  security in the presence of those imperfections?
• How to perform secure QKD with REALISTIC amounts
  of computational power, communication bandwidth
  and random number generation rate?
• Cf. Mayers and Yao, quant-ph/9809039
• Inamori, Lutkenhaus and Mayers, quant-ph/0107017
• Gottesman, Lo, Lutkenhaus, and Preskill ,
  quant-ph/0212066

45
Open Question Quantum Version of Shannons
Channel Coding Theorem?

• How to compute channel capacity of a quantum
  channel for transmitting classical information?
• And, for transmitting quantum information?
• Remark While many different types of channel
  capacities have been formally defined, the analog
  of Shannons channel coding theorem remains
  UNPROVEN in the quantum case.

46
Perspectives

• There is only one information theory.
• QUANTUM INFORMATION THEORY is the natural
  generalization of classical information theory.
  Classical information theory can be regarded as a
  special case of quantum information theory.
• In the same way that the theory of complex
  numbers simplifies the theory of real numbers and
  makes it complete, quantum information theory
  makes classical information complete.

47
List of most frequently asked questions

• 1. What is quantum information processing?
• 2. What is quantum information?
• 3. What quantum code-breaking can do?
• 4. What quantum code-making can do?
• 5. What quantum code-making CANNOT do?

48
List of most frequently asked questions

• 1. What is quantum information processing?
• Synthesis of quantum mechanics with other
  subjects.
• 2. What is quantum information?
• Use superposition and manipulate quantum
  states.
• 3. What quantum code-breaking can do?
• Break standard encryption schemes including
  RSA.
• 4. What quantum code-making can do?
• Secure communications using unbreakable
  quantum key distribution.
• 5. What quantum code-making CANNOT do?
• Protect private information during public
  discussion,
• e.g. the Age Problem.

49
Survey Papers

• Gottesman and Lo, From quantum cheating to
  quantum security, Physics Today, Nov. 2000, p.
  22 www.physicstoday.org/pt/vol-53/iss-11/p22.html 
  
• Recent paper
• Gottesman and Lo, Security of Quantum Key
  Distribution with two-way classical
  communications, IEEE Transactions on Information
  Theory, Vol. 49,
• No. 2, p. 457, Feb. 2003.

50
Quantum Cheating using Einstein-Podolsky-Rosen
Effect
Quantum objects can exhibit correlations that are
stronger than what is allowed by any local
classical model.
Spin 0
When a spin-0 object decays into two spin-1/2
objects, from conservation of momentum, the two
resulting objects exhibit perfect
anti-correlations. Individual measurement
outcomes RANDOM Relative measurement outcomes
OPPOSITE Appearance of faster-than-light
transmission. Does not violate causality because
the outcomes are random.
51
Main Step of Shors Algorithm

• Note that the factoring problem can be reduced
  to a periodicity problem.
• Given an RSA number N pq and a random x
  co-prime with N. Suppose one can find the order,
  r, of x such that xr 1 (mod N).
• Compute gcd(xr/2 1, n). This fails to give a
  factor of N only if either r is odd or if xr/2
  -1 (mod N). It can be shown that the algorithm
  finds a factor of n with a probability at least
  1/4.
• Surprisingly, a quantum algorithm can find the
  periodicity of x efficiently (because quantum
  computers allow interference.)

52
Design Practical Protocols for Classical
Post-Processing of QKD

• Privacy amplification is a new concept in
  classical coding theory. (The dual of error
  correction.)
• Finite size codes (convolutional codes or block
  codes?)
• Security proofs usually deal with an infinitely
  long key.
• In practice, it is necessary to consider a final
  key of finite length.
• Fluctuations become very important.
• Limited REAL random number generator rate.
• Limited computational power.
• Limited memory space.
• Limited classical communication bandwidth.
• Need REAL-TIME (hardware?) implementation.
• Cost

53
Model Real-Life QKD Systems

• 1) All models of QKD are idealizations of
  real-life systems.
• Real-life QKD system is a complex system with
  many degrees of freedom.
• 2) Imperfections
• Imperfect single-photon sources
• Lossy channels
• Imperfect single-photon detection efficiency
• Detectors dark counts
• Trojan Horses attacks
• Denial-of-service attacks
• How to quantify (experimentally) small
  imperfections and ensure security in the presence
  of those imperfections?

54
Study Eavesdropping Attacks

• The best way to build a secure cryptographic
  system is to try hard to break it.
• Need to study theoretically and experimentally
  the feasibility and power of various
  eavesdropping attacks beam-splitting attacks,
  unambiguous state determination, Trojan Horse
  attacks, etc.

55
Future Directions in other Layers

• Optical layer
• integrated optics?
• single-photon sources
• single-photon detecting modules
• low loss fibers
• quantum switches
• quantum repeaters
• 2. Application layer
• How to use the key? one-time-pad encryption?
  network multi-casting? Applications beyond key
  distribution?
• System control issues
• What are the states of a QKD system? How to
  recover a system after
• Eavesdropping attacks? How to share the small
  initial authentication key?

56
Summary

• 1. What is quantum information processing?
• Synthesis of quantum mechanics with information
  processing.
• 2. What quantum code-breaking can do?
• Break standard encryption schemes including RSA.
• 3. What quantum code-making can do?
• Secure communications using unbreakable quantum
  key distribution (QKD).
• 4. What quantum code-making CANNOT do?
• Protect private information during
  discussionsAge problem.
• 5. What are my future directions?
• Design practical protocols for classical
  post-processing of data generated by QKD. Model
  real-life QKD systems. Study eavesdropping
  attacks. Construct test-bed QKD by integrating
  optical, classical post-processing and
  application layers.

57
Selected Original Papers

• Impossibility of bit commitment and oblivious
  transfer
• H.-K. Lo and H. F. Chau, Phys. Rev. Lett. 78,
  3410 (1997).
• H.-K. Lo and H. F. Chau, Physica D 120, 177
  (1998).
• H.-K. Lo, Phy. Rev. A 56, 1154 (1997).
• Security Proof of quantum key distribution
• H.-K. Lo and H. F. Chau, Science 283, 2050
  (1999).
• Towards Practical QKD
• D. Gottesman and H.-K. Lo, http//xxx.lanl.gov/abs
  /quant-ph/0105121
• H.-K. Lo, http//xxx.lanl.gov/abs/quant-ph/0201030

58
Three layers of QKD
Application layer
data
data
Secret key
Secret key
Classical Post-Processing Layer Error
correction, Privacy amplification,
Authentication, etc.
Raw key, Basis info, etc
Raw key, Basis info, etc
Optical Layer
RNG Random Number generator
Sender optics
Receiver optics
Alice
Bob
59
Efficient Classical Post-Processing Protocols for
QKD
EPP with one-way Communications (modified Lo-Chau
protocol)
Shor-Preskill
BB84
Use CSS codes
Remark EPP is a generalization of quantum error
correcting codes.
??
EPP with two-way communications
BB84
Motivations 1) Entanglement purification
protocols (EPPs) with two-way classical
communications are known to be more powerful than
those with only one-way comm. (Bennett,
DiVincenzo, Smolin and Wootters. See also,
Deutsch et al.) 2) To prove unconditional
security of standard protocols such as "Cascade".
60
Efficient Classical Post-Processing Protocols for
QKD
Shor-Preskill
Modified Lo-Chau Protocol (with only one-way
classical Communications)
BB84 (essentially Mayers proof)
Use CSS codes
61
Security of QKD (Intuition)

• A single photon cannot be split. Its
  polarization cannot be cloned. (Quantum
  No-Cloning Theorem. Heisenberg Uncertainty
  Principle.) Therefore, eavesdropper CANNOT have
  the same quantum information that Bob has.

a
a
a
IMPOSSIBLE
62
Experimental Implementations

• Current status Small scale Implementations.
• Entanglement of four atoms.
• Factor 153 x 5 in nuclear magnetic resonance
  machines.
• Proposals for scalable quantum computers Ion
  Traps, Cavity Quantum Electrodynamics, Nuclear
  Magnetic Resonance (NMR), Optical Lattices,
  Super-conducting qubits, Silicon-based proposal,
  Electrons flowing on Helium,

63
Towards Scalable Quantum Computers
Great Book Scalable Quantum Computers Edited by
Braunstein and Lo
64
Towards Scalable Quantum Computers

• Proposals
• Ion Traps
• Cavity Quantum Electrodynamics
• Nuclear Magnetic Resonance (NMR)
• Optical Lattices
• Super-conducting qubits
• Silicon-based proposals
• Electrons flowing on Helium
• 8. .
• 9. .

65
Towards Scalable Quantum Computers

• Summary
• Primitive (small scale) quantum computing has
  successfully been performed in experiments.
• Large scale experimental quantum computing is
  extremely challenging. But, this has not deterred
  researchers from working on the subject.
• Success of quantum computing depends on efforts,
  not time. (Eli Yablonovitch UCLA)

66
Current Research Activities in Quantum
Information Processing

• Industries MagiQ, ATT, Bell Labs, IBM,
  Microsoft,
• Universities Too many to list. (e.g. Caltech,
  MIT, Stanford, Princeton, UC Berkeley, UCLA, UC
  Santa Barbara,)
• National Labs NIST, Los Alamos
• Funding Agencies DARPA, ARO, NSA, NIST, NASA,
• (In the US alone, public government funding is
  over 50 million per year.)
• Motivation
• Go beyond the demise of Moores law. Look at
  Quantum information processing as the Second
  Phase of the IT revolution.