Title: From Quantum Cheating to Quantum Security
1 From Quantum Cheating to Quantum Security
- Hoi-Kwong Lo
- Department of Physics
- Department of Elect. Computer Engineering (ECE)
- University of Toronto
- URL: http://www.comm.utoronto.ca/hklo/
- Email: hklo_at_comm.utoronto.ca
2 List of most frequently asked questions
- 1. What is quantum information processing?
- 2. What is quantum information?
- 3. What can quantum code-breaking do?
- 4. What can quantum code-making do?
- 5. What can quantum code-making NOT do?
3 What is Quantum Information Processing?
- Synthesis of quantum mechanics with other subjects.
4 What is Quantum Information?
- Classical information: the bit, 0 or 1.
- Quantum information: the qubit (quantum bit), a superposition of 0 and 1 whose two coefficients are complex numbers.
- A qubit is any two-level quantum system, e.g. an electron with spin (two states labelled 0 and 1) or a photon with polarization (two orthogonal states labelled 0 and 1).
- Note that a general state is a superposition of 0 and 1.
- Remark: There exist quantum data compression, quantum error correction, etc. Classical information can be regarded as a special case of quantum information.
5 Aside: Classical vs Quantum Computation
- Elementary classical operations: logical operations AND, OR, NOT, etc.
- Elementary quantum operations: a) single-qubit operations (rotations); b) two-qubit operations, e.g. the quantum controlled-NOT (XOR).
- Schematic representation of a quantum computation. Steps: 1) preparation, 2) evolution, 3) measurement.
(Figure: three qubits prepared as input 000, evolved over time, then each measured; output 110.)
6 Quantum cryptanalysis
- 1. Quantum efficient factoring (Shor 1994)
- A quantum computer can efficiently factorize large integers, thus breaking RSA. More generally, Shor's algorithm can break crypto-systems based on the discrete log problem and on elliptic curves.
- If a quantum computer is ever built, much of public-key cryptography will fall apart!
7 Mathematical structure behind Shor's algorithm
- Remark: All those problems can be rephrased as an Abelian Hidden Subgroup Problem. Given a finite group $G$, a set $S$ and a mapping $f: G \to S$ with the promise that $f(g_1) = f(g_2)$ iff $g_1$ and $g_2$ are in the same coset of $H$, where $H$ is some (hidden) Abelian subgroup of $G$, the goal is to find $H$.
- Remark: Quantum computers can efficiently solve the Abelian Hidden Subgroup Problem. Whether they can efficiently solve the Non-Abelian Hidden Subgroup Problem is a big open question in quantum algorithms.
8 Quantum cryptanalysis (contd.)
- Grover's search algorithm: finding a needle in a haystack.
- Given an unstructured database of N objects, how many searches are needed on average to find the correct object?
- Mathematically: given a function $f: X \to \{0,1\}$ with the promise that $f(x) = 1$ if $x = y$ for a unique $y$, and $f(x) = 0$ otherwise, find $y$.
- Classically, clearly $O(N)$ searches are needed. Surprisingly, quantum mechanically only $O(\sqrt{N})$ searches are needed.
- Remark: Grover's algorithm can be used for an exhaustive search, for example exhaustive key search for DES (Data Encryption Standard) or AES (Advanced Encryption Standard). Therefore, a quantum computer can dramatically speed up the breaking of AES. (Remedy: doubling the key length.)
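The square-root query count above can be checked by simulating Grover's amplitude amplification on a small state vector. The following is an added example, not code from the talk: it runs the oracle and diffusion steps classically (so the simulation itself costs O(N), the point is the number of oracle calls), and the helper that doubles the key length is the slide's remedy expressed as a function. The item index and sizes used are arbitrary test inputs.

```python
import math


def grover_iterations(n_items):
    """Number of Grover iterations, floor(pi/4 * sqrt(N)): order sqrt(N), not N."""
    return int(math.pi / 4 * math.sqrt(n_items))


def grover_search(n_items, marked, iterations=None):
    """Simulate Grover's algorithm on an N-dimensional real state vector.

    Returns (index_with_highest_probability, probability_of_the_marked_item).
    """
    if iterations is None:
        iterations = grover_iterations(n_items)
    # Preparation: uniform superposition, amplitude 1/sqrt(N) on every item.
    amp = [1.0 / math.sqrt(n_items)] * n_items
    for _ in range(iterations):
        # Oracle query: flip the sign of the marked item, i.e. f(x) = 1 iff x == y.
        amp[marked] = -amp[marked]
        # Diffusion: reflect every amplitude about the mean (inversion about average).
        mean = sum(amp) / n_items
        amp = [2.0 * mean - a for a in amp]
    # Measurement: outcome probabilities are the squared amplitudes.
    probs = [a * a for a in amp]
    best = max(range(n_items), key=probs.__getitem__)
    return best, probs[marked]


def classical_expected_queries(n_items):
    """Average number of oracle queries for a classical exhaustive search: (N+1)/2."""
    return (n_items + 1) / 2


def post_quantum_key_bits(classical_security_bits):
    """Key length needed so that a sqrt(N) Grover search still costs about
    2**classical_security_bits queries: the slide's 'double the key length' remedy."""
    return 2 * classical_security_bits


if __name__ == "__main__":
    for n in (16, 64, 1024):
        best, p = grover_search(n, marked=n // 3)
        print(f"N={n}: {grover_iterations(n)} quantum queries find item {best} "
              f"with probability {p:.3f}; classical average {classical_expected_queries(n):.0f}")
    print("AES-128 against Grover needs", post_quantum_key_bits(128), "bit keys")
```

The success probability after k iterations is sin^2((2k+1) arcsin(1/sqrt(N))), so for N = 64 six queries already find the marked item with probability above 0.99, against an average of 32.5 classical queries.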
9 Properties of Quantum Information
10 Conjugate observables
(Figure: the rectilinear basis {0, 1} and the diagonal basis {0, 1} of photon polarization.)
It is fundamentally IMPOSSIBLE to determine the polarization of a single photon in the two bases simultaneously. (The two self-adjoint operators representing the two observables do NOT commute. Therefore, they cannot be simultaneously diagonalized, and it makes no sense to talk about their simultaneous eigenvectors.)
11 Corollary: Quantum No-cloning Theorem
(Figure: turning one copy of an unknown state a into two copies of a is IMPOSSIBLE.)
An unknown quantum state CANNOT be cloned! Proof: If it were possible to clone an unknown quantum state, then by repeating the cloning operation one could measure two conjugate observables simultaneously, which is forbidden in quantum mechanics.
12 Defeating counterfeiters with unclonable quantum checks (Wiesner)
(Figure: a quantum check with serial number 1011010, carrying photons with polarizations (up, left, right, down, left, up).)
Quantum checks are impossible to counterfeit without the basis information.
13 CONVENTIONAL CRYPTOGRAPHY
(Figure: a layered diagram. Military and diplomatic applications, and secure e-business and e-commerce, rest on cryptography, which in turn rests on computational assumptions, e.g. that factoring is hard.)
14 What is wrong with conventional cryptography?
- Unanticipated advances in hardware and algorithms.
- Quantum code-breaking: quantum computers can efficiently factor large numbers (an exponential speed-up!), thus breaking RSA, the best-known encryption scheme. (Shor 1994)
- If a quantum computer is ever built, much of conventional cryptography will fall apart! (Brassard)
15 Forward security?
- Trade secrets and US government secrets are kept secret for decades.
- A big problem RIGHT NOW: if an adversary can factor in 2018, she can then decrypt all the traffic she recorded in 2003.
17 QUANTUM CRYPTOGRAPHY
(Figure: the layered diagram of slide 13, with cryptography now resting on quantum mechanics instead of computational assumptions.)
18 Quantum Cryptography
- Two potential applications:
- Quantum key distribution (QKD)
- Quantum bit commitment
19 Key Distribution Problem
(Figure: Alice holds the encryption key, Bob the decryption key.)
If Alice and Bob share a long common random secret string, then encryption is secure. (Shannon 1949) QUESTION: How to transfer the key?
20 Classical Key Distribution
(Figure: Eve's copying machine sits between Alice and Bob. A classical key is representable as a string of numbers, e.g. 01101, and can be copied without leaving a trace.)
All CLASSICAL key distribution schemes are fundamentally INSECURE.
21 Quantum Key Distribution
(Figure: turning one copy of an unknown state a into two copies of a is IMPOSSIBLE.)
Quantum No-cloning Theorem: quantum information cannot be copied. An eavesdropper Eve will be unable to copy a quantum key without changing it.
23 Quantum key distribution (QKD)
- Absolute security based on the fundamental laws of quantum mechanics, rather than on computational assumptions.
- Allows two persons who share a small amount of authentication information to communicate in absolute security in the presence of an eavesdropper.
- Any eavesdropping attack will essentially always be caught.
(Figure: Alice and Bob exchange a key while Eve eavesdrops; both raise an intrusion alert.)
24 The DARPA Quantum Network
(Figure: two private enclaves exchange encrypted traffic via the Internet; end-to-end key distribution runs over QKD endpoints, QKD switches, a QKD repeater and an ultra-long-distance fiber. Borrowed from BBN's website.)
25 Procedure of standard BB84 QKD scheme
Step 5: Test for tampering by random sampling and computing the quantum bit error rate. If the error rate is OK, apply error correction and privacy amplification. Otherwise, abort.
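The tampering test of Step 5 only makes sense together with the conjugate-basis encoding of slide 10 and the no-cloning argument of slide 21, so the following added example (not code from the talk) simulates a whole BB84 session: random bits and bases, Bob's random measurement bases, sifting over the authenticated classical channel, and the public comparison of a random sample to estimate the quantum bit error rate (QBER). The eavesdropper modelled is an intercept-resend attacker, which is one illustrative attack chosen here; the abort threshold of 10% is likewise an illustrative parameter, not a value taken from the slides. Error correction and privacy amplification are not implemented.

```python
import random

RECTILINEAR, DIAGONAL = 0, 1  # the two conjugate polarization bases of slide 10


def measure(photon, basis, rng):
    """Measure a photon prepared as (bit, prep_basis) in `basis`.

    Same basis: the encoded bit is recovered with certainty.
    Conjugate basis: the outcome is a uniformly random bit (the two observables
    do not commute), and the photon now carries that outcome in `basis`.
    Returns (outcome, photon_after_measurement).
    """
    bit, prep_basis = photon
    outcome = bit if basis == prep_basis else rng.randrange(2)
    return outcome, (outcome, basis)


def bb84(n, rng, eve=False, sample_fraction=0.5, abort_threshold=0.10):
    """Run one BB84 session over n photons. The intercept-resend Eve and the
    abort threshold are illustrative choices, not taken from the slides."""
    # Step 1: Alice picks random bits and random bases, one photon per bit.
    a_bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.randrange(2) for _ in range(n)]
    photons = [(b, s) for b, s in zip(a_bits, a_bases)]
    # Intercept-resend attack: Eve measures every photon in a random basis and
    # forwards the post-measurement photon. She cannot clone it, so whenever she
    # guesses the basis wrong she disturbs what Bob receives.
    if eve:
        photons = [measure(p, rng.randrange(2), rng)[1] for p in photons]
    # Step 2: Bob measures each photon in a random basis.
    b_bases = [rng.randrange(2) for _ in range(n)]
    b_bits = [measure(p, s, rng)[0] for p, s in zip(photons, b_bases)]
    # Steps 3-4: bases are announced over the authenticated classical channel;
    # only positions where the bases agree are kept (sifting).
    keep = [i for i in range(n) if a_bases[i] == b_bases[i]]
    a_sift = [a_bits[i] for i in keep]
    b_sift = [b_bits[i] for i in keep]
    # Step 5: a random sample is compared publicly to estimate the QBER;
    # sampled positions are discarded from the key.
    sample = set(rng.sample(range(len(keep)), int(len(keep) * sample_fraction)))
    errors = sum(a_sift[i] != b_sift[i] for i in sample)
    qber = errors / len(sample)
    a_key = [a_sift[i] for i in range(len(keep)) if i not in sample]
    b_key = [b_sift[i] for i in range(len(keep)) if i not in sample]
    return {
        "qber": qber,
        "abort": qber > abort_threshold,
        "alice_key": a_key,
        "bob_key": b_key,
    }


if __name__ == "__main__":
    quiet = bb84(4000, random.Random(1))
    tapped = bb84(4000, random.Random(1), eve=True)
    print(f"no Eve: QBER={quiet['qber']:.3f} abort={quiet['abort']} "
          f"key bits={len(quiet['alice_key'])}")
    print(f"Eve:    QBER={tapped['qber']:.3f} abort={tapped['abort']}")
```

Without Eve the sifted keys agree exactly, so the QBER is 0. With intercept-resend Eve guesses the wrong basis half the time, and in those cases Bob's bit is wrong with probability 1/2, giving a QBER near 25% on the sifted key; this is the sense in which Eve "disguising herself as noise" is bounded by the observed error rate.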
26 Experimental QKD
- Quantum key distribution is feasible with current technology.
- Over telecom fibers: about 67 km (LANL; BT, now Corning; Geneva).
- Distance limitation: need quantum repeaters.
- Open-air experiment (about 23 km).
- Proposal for ground-to-satellite experiments.
27 Proposed ground-to-satellite QKD experiment
28 Long-term vision of a global quantum network
(Figure: fibers for long-haul quantum communications.)
29 Is QKD secure?
"The most important question in quantum cryptography is to determine how secure it really is." (Gilles Brassard and Claude Crépeau)
Problems: a) Real channels are all NOISY; Eve may try to disguise herself as noise. b) Eve can perform ANY attack consistent with quantum mechanics. c) A priori, classical probabilistic arguments do NOT work, because of the well-known Einstein-Podolsky-Rosen (EPR) paradox.
30 Proof of unconditional security of quantum key distribution (QKD)
- Mayers, quant-ph/9802025, Los Alamos preprint archive (1998); preliminary version in Crypto '96.
- Lo and Chau, Science 283, 2050 (1999).
- Biham et al., Proceedings of the Symposium on the Theory of Computing (STOC 2000), p. 715.
- Ben-Or, to appear.
- Shor and Preskill, Phys. Rev. Lett. 85, 441 (2000).
- Gottesman and Lo, http://xxx.lanl.gov/abs/quant-ph/0105121
- Inamori, Lütkenhaus and Mayers, quant-ph/0107017, Los Alamos preprint archive (2001). (Considers imperfect photon sources, channel loss and imperfect detectors.)
33 Techniques of proof
1) Quantum problem with noise → REDUCTION (fault-tolerant quantum computation) → noiseless quantum problem.
2) Noiseless quantum problem → REDUCTION (use commuting observables) → noiseless classical problem.
3) Use classical probability theory.
34 Innovation of Lo-Chau's proof
- Innovation: Apply CLASSICAL probability theory to solve a QUANTUM problem. (Not obvious because of the well-known EPR paradox; it did not seem like a promising approach at first sight.)
- Solution: Construct COMMUTING observables. (Mathematically, commuting Hermitian matrices have simultaneous eigenvectors.) This works even when those observables are non-local.
- Remark: The hard part is the actual construction.
- Example: the two observables shown on the slide commute, even though they are both non-local. Conclusion: one can safely assign CLASSICAL probabilities to them.
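The operators of the slide's own example did not survive extraction, so the following added example (not code from the talk) uses the standard pair assumed here: the two-qubit observables X⊗X and Z⊗Z, which are non-local but commute, and whose simultaneous eigenvectors are the four Bell states. It checks commutation by computing both products explicitly and then reads off the joint eigenvalues, which is exactly what licenses treating the measurement outcomes as a classical probability distribution. The matrices and Bell vectors are written out as literals with no library dependency.

```python
def kron(a, b):
    """Tensor (Kronecker) product of two square matrices given as lists of rows."""
    n, m = len(a), len(b)
    return [[a[i // m][j // m] * b[i % m][j % m] for j in range(n * m)]
            for i in range(n * m)]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def commutes(a, b):
    """True iff the commutator AB - BA vanishes."""
    ab, ba = matmul(a, b), matmul(b, a)
    return all(ab[i][j] == ba[i][j] for i in range(len(a)) for j in range(len(a)))


def eigenvalue(m, v):
    """Return the eigenvalue if v is an eigenvector of m, else None."""
    w = [sum(m[i][j] * v[j] for j in range(len(v))) for i in range(len(v))]
    lam = next(w[i] / v[i] for i in range(len(v)) if v[i] != 0)
    return lam if all(abs(w[i] - lam * v[i]) < 1e-12 for i in range(len(v))) else None


I = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]        # eigenvectors are the diagonal basis
Z = [[1, 0], [0, -1]]       # eigenvectors are the rectilinear basis

# Two non-local two-qubit observables (assumed example pair, see lead-in).
XX, ZZ = kron(X, X), kron(Z, Z)

# The four Bell states, unnormalised, in the |00>, |01>, |10>, |11> basis.
BELL = {"phi+": [1, 0, 0, 1], "phi-": [1, 0, 0, -1],
        "psi+": [0, 1, 1, 0], "psi-": [0, 1, -1, 0]}


def joint_outcomes():
    """Simultaneous eigenvalues (XX, ZZ) of every Bell state. Because XX and ZZ
    commute, each Bell state has a definite value of both, so a classical
    probability distribution over these four joint outcomes is well defined."""
    return {name: (eigenvalue(XX, v), eigenvalue(ZZ, v)) for name, v in BELL.items()}


if __name__ == "__main__":
    print("X and Z commute on one qubit:", commutes(X, Z))
    print("X⊗X and Z⊗Z commute:", commutes(XX, ZZ))
    print("joint (XX, ZZ) outcomes:", joint_outcomes())
```

On a single qubit X and Z do not commute, which is the statement of slide 10; their tensor-square counterparts do, and the four Bell states realise all four sign combinations, so measuring XX and ZZ together is a legitimate classical random variable even though neither observable acts on a single location.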
35 Tolerable Bit Error Rates
Question: Under what operating parameters will BB84 be secure?
(Table: tolerable (quantum) bit error rate for each security proof; cf. the 25% upper bound.)
- Significance of our result
- 1) Practical: a) extend the distance of secure QKD; b) higher key generation rate; c) proved security of standard schemes, e.g. Cascade.
- 2) Conceptual: a) demonstrate the advantage of using two-way classical communications in the classical post-processing of data generated in QKD; b) introduce a new class of quantum codes.
36 Quantum Error Correction
- A well-known class of quantum codes is the Calderbank-Shor-Steane (CSS) codes.
- Consider two binary linear codes, C1 and C2, of length n such that C2 is a subcode of C1, and C1 and the DUAL of C2 can each correct up to t errors.
- Then one can define a QUANTUM error correcting code that can correct up to t general quantum errors in a quantum communication channel.
- The resulting quantum code is called a CSS code.
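The two conditions of the slide can be checked mechanically for small codes. The following added example (not code from the talk) enumerates the codewords of C1 and C2 by brute force, verifies that C2 is a subcode of C1, computes how many errors C1 and the dual of C2 each correct from their minimum distances, and reports the parameters of the resulting CSS code. The concrete pair used, the [7,4,3] Hamming code as C1 and its dual (the [7,3,4] simplex code) as C2, is the standard choice that yields the 7-qubit Steane code; the generator matrices are written out in systematic form.

```python
from itertools import product


def span(gen, n):
    """All codewords of the binary linear code of length n generated by rows `gen`."""
    words = set()
    for coeffs in product((0, 1), repeat=len(gen)):
        w = [0] * n
        for c, row in zip(coeffs, gen):
            if c:
                w = [a ^ b for a, b in zip(w, row)]
        words.add(tuple(w))
    return words


def dual(code, n):
    """Dual code: every length-n word orthogonal (mod 2) to all codewords."""
    return {v for v in product((0, 1), repeat=n)
            if all(sum(a & b for a, b in zip(v, c)) % 2 == 0 for c in code)}


def min_distance(code):
    return min(sum(c) for c in code if any(c))


def correctable_errors(code):
    """A linear code of minimum distance d corrects t = floor((d-1)/2) errors."""
    return (min_distance(code) - 1) // 2


def is_css_pair(c1_gen, c2_gen, n):
    """The slide's first condition: C2 must be a subcode of C1."""
    return span(c2_gen, n) <= span(c1_gen, n)


def css_parameters(c1_gen, c2_gen, n):
    """Return (n, k, t) for the CSS code built from C1 and C2: k = dim C1 - dim C2
    logical qubits, correcting t errors, where both C1 and the dual of C2 correct t."""
    if not is_css_pair(c1_gen, c2_gen, n):
        raise ValueError("C2 is not a subcode of C1")
    c1, c2 = span(c1_gen, n), span(c2_gen, n)
    t = min(correctable_errors(c1), correctable_errors(dual(c2, n)))
    k = (len(c1).bit_length() - 1) - (len(c2).bit_length() - 1)
    return n, k, t


# C1 = the [7,4,3] Hamming code in systematic form [I | P].
HAMMING_GEN = [(1, 0, 0, 0, 0, 1, 1), (0, 1, 0, 0, 1, 0, 1),
               (0, 0, 1, 0, 1, 1, 0), (0, 0, 0, 1, 1, 1, 1)]
# C2 = its dual, the [7,3,4] simplex code, generated by the rows of the
# parity-check matrix [P^T | I]; every row is itself a Hamming codeword.
SIMPLEX_GEN = [(0, 1, 1, 1, 1, 0, 0), (1, 0, 1, 1, 0, 1, 0), (1, 1, 0, 1, 0, 0, 1)]

if __name__ == "__main__":
    print("Steane code (n, k, t):", css_parameters(HAMMING_GEN, SIMPLEX_GEN, 7))
```

Here the dual of C2 is C1 itself, both correct t = 1 error, and k = 4 - 3 = 1, so the construction gives a 7-qubit code encoding one logical qubit that corrects one general quantum error. Swapping the roles of the two codes violates the subcode condition and is rejected.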
37 Quantum Key Distribution
(Figure: Alice and Bob, with Eve on the channel between them.)
38 Beyond Quantum Key Distribution
(Figure: Alice and Bob, who now distrust each other.)
39 Age Problem
(Figure: Alice says "I'm X years old"; Bob says "I'm Y years old".)
How to find out whether X > Y without disclosing the exact values of X and Y to each other?
40 Impossibility of Quantum Bit Commitment
- Old belief: The Age Problem can be solved through a basic primitive called quantum bit commitment.
- Surprising result (Mayers '96, Lo and Chau '96): Unconditionally secure quantum bit commitment is IMPOSSIBLE.
41 Aside: What is bit commitment?
1. Commit phase: Alice commits to either 0 or 1 and sends the commitment to Bob.
2. Opening phase: Alice can prove to Bob that she made up her mind during the commit phase and cannot change it. Yet Bob does not know her choice until the opening phase.
42 Generality of the proof of impossibility of quantum bit commitment
Any quantum/classical hybrid protocol can equivalently be described by a purely quantum protocol. (Analogy: any expression involving both real and complex numbers can be evaluated using complex analysis; there is no need to switch back and forth between real and complex analysis.)
44 WHAT IS THE BOUNDARY? WHY IS THERE SUCH A BOUNDARY?
- DOABLE: Quantum key distribution (no-cloning theorem). Mayers; Lo and Chau; Biham et al.; Ben-Or; Shor and Preskill.
- IMPOSSIBLE: Quantum bit commitment, quantum oblivious transfer (quantum cheating using the Einstein-Podolsky-Rosen effect). Mayers; Lo and Chau; Lo.
- Also on the map: unclonable quantum encryption (Gottesman-Chuang); quantum coin tossing (Kitaev 2002).
46 What is the physics?
- Classical description (classical probability theory): simple.
- Quantum/classical hybrid description: COMPLEX.
- Quantum description (unitary description): simple.
- Reduction from the hybrid description to the quantum description: always possible, since classical information can be regarded as a special case of quantum information.
- Reduction from the quantum description to the classical description: construct commuting observables.
47 Prologue: Model real-life QKD systems
- 1) All models of QKD are idealizations of real-life systems. A real-life QKD system is a complex system with many degrees of freedom.
- 2) Imperfections: imperfect single-photon sources; lossy channels; imperfect single-photon detection efficiency; detector dark counts; Trojan horse attacks; denial-of-service attacks.
- How to quantify (theoretically and experimentally) small imperfections and ensure security in the presence of those imperfections?
- How to perform secure QKD with REALISTIC amounts of computational power, communication bandwidth and random number generation rate?
- Cf. Mayers and Yao, quant-ph/9809039; Inamori, Lütkenhaus and Mayers, quant-ph/0107017; Gottesman, Lo, Lütkenhaus and Preskill, quant-ph/0212066.
48 Open Question: Quantum version of Shannon's channel coding theorem?
- How to compute the channel capacity of a quantum channel for transmitting classical information? And for transmitting quantum information?
- Remark: While many different types of channel capacities have been formally defined, the analog of Shannon's channel coding theorem remains UNPROVEN in the quantum case.
49 Perspectives
- There is only one information theory.
- QUANTUM INFORMATION THEORY is the natural generalization of classical information theory. Classical information theory can be regarded as a special case of quantum information theory.
- In the same way that the theory of complex numbers simplifies the theory of real numbers and makes it complete, quantum information theory makes classical information theory complete.
51 List of most frequently asked questions
- 1. What is quantum information processing? Synthesis of quantum mechanics with other subjects.
- 2. What is quantum information? Use superposition and manipulate quantum states.
- 3. What can quantum code-breaking do? Break standard encryption schemes including RSA.
- 4. What can quantum code-making do? Secure communications using unbreakable quantum key distribution.
- 5. What can quantum code-making NOT do? Protect private information during public discussion, e.g. the Age Problem.
52 Survey Paper
- Gottesman and Lo, "From quantum cheating to quantum security", Physics Today, Nov. 2000, p. 22. www.physicstoday.org/pt/vol-53/iss-11/p22.html
- Recent paper: Gottesman and Lo, "Security of Quantum Key Distribution with two-way classical communications", IEEE Transactions on Information Theory, Vol. 49, No. 2, p. 457, Feb. 2003.
53 Students/Postdocs Wanted
- For a combined study in the theory and implementation of quantum key distribution: from the foundation of security, modeling physical devices and protocol design to software/hardware implementations. Please contact Hoi-Kwong Lo (hklo_at_comm.utoronto.ca), www.comm.utoronto.ca/hklo
54 Quantum cheating using the Einstein-Podolsky-Rosen effect
Quantum objects can exhibit correlations that are stronger than what is allowed by any local classical model.
(Figure: a spin-0 object decays into two spin-1/2 objects flying apart.)
When a spin-0 object decays into two spin-1/2 objects, conservation of angular momentum implies that the two resulting objects exhibit perfect anti-correlations. Individual measurement outcomes: RANDOM. Relative measurement outcomes: OPPOSITE. Appearance of faster-than-light transmission. Does not violate causality because the outcomes are random.
55 Main step of Shor's algorithm
- Note that the factoring problem can be reduced to a periodicity problem.
- Given an RSA number $N = pq$ and a random $x$ co-prime with $N$, suppose one can find the order $r$ of $x$, i.e. the smallest $r$ such that $x^r \equiv 1 \pmod N$.
- Compute $\gcd(x^{r/2} - 1, N)$. This fails to give a factor of $N$ only if either $r$ is odd or $x^{r/2} \equiv -1 \pmod N$. It can be shown that the algorithm finds a factor of $N$ with probability at least 1/4.
- Surprisingly, a quantum algorithm can find the period $r$ of $x$ efficiently (because quantum computers allow interference).
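Everything on this slide except the order-finding step is classical, so it can be run as ordinary code. The following added example (not code from the talk) does the order finding by brute force, which is only feasible for toy moduli and is precisely the step a quantum computer replaces, and then applies the gcd post-processing, returning None in the two failure cases the slide names. The small moduli used (15, 21, 91) are test inputs chosen here; `success_fraction` counts, over all admissible bases, how often a single order-finding call yields a factor, which can be compared against the stated bound of 1/4.

```python
from math import gcd
from random import Random


def find_order(x, n):
    """Order r of x modulo n: the smallest r >= 1 with x**r == 1 (mod n).
    Requires gcd(x, n) == 1. This is the step Shor's algorithm performs
    efficiently by quantum period finding; here it is brute force, so it is
    only feasible for small n."""
    r, y = 1, x % n
    while y != 1:
        y = (y * x) % n
        r += 1
    return r


def factor_from_order(x, r, n):
    """Shor's classical post-processing: gcd(x**(r/2) - 1, n).
    Returns a nontrivial factor of n, or None in the two failure cases the
    slide names (r odd, or x**(r/2) == -1 mod n)."""
    if r % 2 == 1:
        return None
    half = pow(x, r // 2, n)
    if half == n - 1:
        return None
    f = gcd(half - 1, n)
    return f if 1 < f < n else None


def success_fraction(n):
    """Fraction of bases x in [2, n) coprime to n for which one order-finding
    call yields a factor; the slide states this is at least 1/4."""
    xs = [x for x in range(2, n) if gcd(x, n) == 1]
    hits = sum(factor_from_order(x, find_order(x, n), n) is not None for x in xs)
    return hits / len(xs)


def shor_classical(n, rng, max_tries=20):
    """Repeat with random x until a factor appears. If gcd(x, n) > 1 we are
    lucky and already have a factor. Returns (factor, tries_used)."""
    for t in range(1, max_tries + 1):
        x = rng.randrange(2, n)
        g = gcd(x, n)
        if g > 1:
            return g, t
        f = factor_from_order(x, find_order(x, n), n)
        if f is not None:
            return f, t
    return None, max_tries


if __name__ == "__main__":
    n = 15
    for x in (7, 14):
        r = find_order(x, n)
        print(f"x={x}: order {r}, factor {factor_from_order(x, r, n)}")
    print(f"success fraction for N={n}: {success_fraction(n):.3f}")
    print("random bases for N=91:", shor_classical(91, Random(3)))
```

For N = 15 and x = 7 the order is 4, and gcd(7^2 - 1, 15) = 3; for x = 14 the order is 2 but 14 ≡ -1 (mod 15), the second failure case, and for N = 21 the base x = 4 has odd order 3, the first. Over all bases the success fraction for N = 15 is 6/7, comfortably above the 1/4 the slide quotes.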
56 Quantum Cryptography
- My contributions (theory; asymptotic results): proof of unconditional security of quantum key distribution (QKD); efficient classical post-processing protocols for QKD; impossibility of quantum bit commitment.
- Future directions (PRACTICE; finite-size codes): develop the classical post-processing layer of QKD; design practical protocols for classical post-processing of QKD; model real-life QKD systems; study eavesdropping attacks; work with others to construct a QKD test-bed with all layers (optical, classical post-processing and application) included.
57 Design practical protocols for classical post-processing of QKD
- Remark: Privacy amplification is a new concept in classical coding theory (the dual of error correction).
- Finite-size codes (convolutional codes or block codes?)
- Security proofs usually deal with an infinitely long key. In practice, it is necessary to consider a final key of finite length, and fluctuations become very important.
- Limited REAL random number generator rate.
- Limited computational power.
- Limited memory space.
- Limited classical communication bandwidth.
- Need a REAL-TIME (hardware?) implementation.
- Cost.
58 Model real-life QKD systems
- 1) All models of QKD are idealizations of real-life systems. A real-life QKD system is a complex system with many degrees of freedom.
- 2) Imperfections: imperfect single-photon sources; lossy channels; imperfect single-photon detection efficiency; detector dark counts; Trojan horse attacks; denial-of-service attacks.
- How to quantify (experimentally) small imperfections and ensure security in the presence of those imperfections?
59 Study eavesdropping attacks
- The best way to build a secure cryptographic system is to try hard to break it.
- Need to study theoretically and experimentally the feasibility and power of various eavesdropping attacks: beam-splitting attacks, unambiguous state discrimination, Trojan horse attacks, etc.
60 Future directions in other layers
- 1. Optical layer: integrated optics? single-photon sources; single-photon detecting modules; low-loss fibers; quantum switches; quantum repeaters.
- 2. Application layer: How to use the key? One-time-pad encryption? Network multi-casting? Applications beyond key distribution?
- 3. System control issues: What are the states of a QKD system? How to recover a system after eavesdropping attacks? How to share the small initial authentication key?
61 Summary
- 1. What is quantum information processing? Synthesis of quantum mechanics with information processing.
- 2. What can quantum code-breaking do? Break standard encryption schemes including RSA.
- 3. What can quantum code-making do? Secure communications using unbreakable quantum key distribution (QKD).
- 4. What can quantum code-making NOT do? Protect private information during discussions (the Age Problem).
- 5. What are my future directions? Design practical protocols for classical post-processing of data generated by QKD. Model real-life QKD systems. Study eavesdropping attacks. Construct a test-bed QKD system by integrating the optical, classical post-processing and application layers.
62 Selected Original Papers
- Impossibility of bit commitment and oblivious transfer: H.-K. Lo and H. F. Chau, Phys. Rev. Lett. 78, 3410 (1997); H.-K. Lo and H. F. Chau, Physica D 120, 177 (1998); H.-K. Lo, Phys. Rev. A 56, 1154 (1997).
- Security proof of quantum key distribution: H.-K. Lo and H. F. Chau, Science 283, 2050 (1999).
- Towards practical QKD: D. Gottesman and H.-K. Lo, http://xxx.lanl.gov/abs/quant-ph/0105121; H.-K. Lo, http://xxx.lanl.gov/abs/quant-ph/0201030
63 Three layers of QKD
(Figure: the three layers, mirrored on Alice's and Bob's sides.)
- Application layer: consumes the secret key to protect data.
- Classical post-processing layer: error correction, privacy amplification, authentication, etc. Takes the raw key, basis information, etc. from the optical layer and outputs the secret key.
- Optical layer: random number generator (RNG), sender optics (Alice) and receiver optics (Bob); produces the raw key and basis information.
64 Efficient classical post-processing protocols for QKD
(Figure: an entanglement purification protocol (EPP) with one-way communications (the modified Lo-Chau protocol) reduces, via Shor-Preskill, to BB84 using CSS codes; an EPP with two-way communications reduces, through a step marked "??", to BB84.)
Remark: EPP is a generalization of quantum error correcting codes.
Motivations: 1) Entanglement purification protocols (EPPs) with two-way classical communications are known to be more powerful than those with only one-way communication (Bennett, DiVincenzo, Smolin and Wootters; see also Deutsch et al.). 2) To prove unconditional security of standard protocols such as Cascade.
65 Efficient classical post-processing protocols for QKD
(Figure: the modified Lo-Chau protocol (with only one-way classical communications) reduces via Shor-Preskill to BB84 (essentially Mayers' proof), using CSS codes.)
66 Security of QKD (Intuition)
- A single photon cannot be split, and its polarization cannot be cloned (quantum no-cloning theorem; Heisenberg uncertainty principle). Therefore, the eavesdropper CANNOT have the same quantum information that Bob has.
(Figure: turning one copy of an unknown state a into two copies of a is IMPOSSIBLE.)
67 Experimental Implementations
- Current status: small-scale implementations.
- Entanglement of four atoms.
- Factoring 15 = 3 × 5 in a nuclear magnetic resonance machine.
- Proposals for scalable quantum computers: ion traps, cavity quantum electrodynamics, nuclear magnetic resonance (NMR), optical lattices, superconducting qubits, silicon-based proposals, electrons on liquid helium, ...
68 Towards scalable quantum computers III
Book: Scalable Quantum Computers, edited by Braunstein and Lo.
69 Towards scalable quantum computers
- Proposals: ion traps; cavity quantum electrodynamics; nuclear magnetic resonance (NMR); optical lattices; superconducting qubits; silicon-based proposals; electrons on liquid helium; ...
70 Towards scalable quantum computers IV
- Summary: Primitive (small-scale) quantum computing has successfully been performed in experiments. Large-scale experimental quantum computing is extremely challenging, but this has not deterred researchers from working on the subject.
- "Success of quantum computing depends on efforts, not time." (Eli Yablonovitch, UCLA)
71 Research activities in quantum information processing
- Industry: MagiQ, AT&T, Bell Labs, IBM, Microsoft, ...
- Universities: too many to list (e.g. Caltech, MIT, Stanford, Princeton, UC Berkeley, UCLA, UC Santa Barbara, ...)
- National labs: NIST, Los Alamos
- Funding agencies: DARPA, ARO, NSA, NIST, NASA, ... (In the US alone, public government funding is over 50 million dollars per year.)
- Motivation: go beyond the demise of Moore's law. Quantum information processing as the second phase of the IT revolution.
72 What is oblivious transfer?
Alice sends two pieces of information to Bob. Bob can choose to learn only one piece of the information, NOT both, and Alice does not know which piece Bob has learnt. For example, Alice sends her age and height to Bob; Bob can learn either Alice's age or her height, but not both.
73 Advances in quantum crypto