From Quantum Cheating to Quantum Security

1
From Quantum Cheating to Quantum Security
  • Hoi-Kwong Lo
  • Department of Physics
  • Department of Elect. & Computer Engineering (ECE)
  • University of Toronto
  • URL: http://www.comm.utoronto.ca/hklo/
  • Email: hklo_at_comm.utoronto.ca

2
List of most frequently asked questions
  • 1. What is quantum information processing?
  • 2. What is quantum information?
  • 3. What can quantum code-breaking do?
  • 4. What can quantum code-making do?
  • 5. What can quantum code-making NOT do?

3
What is Quantum Information Processing?
Synthesis of quantum mechanics with other subjects.
4
What is Quantum Information?
  • Classical Information: Bit, 0 or 1.
  • Quantum Information: Qubit (quantum bit), a superposition of 0 and 1,

where and are complex numbers.
Qubit: any two-level quantum system, e.g. an electron with spin (0, 1) or a photon with polarization (0, 1).
Note that a general state is in a superposition of 0 and 1.
Remark: There exist quantum data compression, quantum error correction, etc. Classical information can be regarded as a special case of quantum info.
5
Aside Classical vs Quantum Computation
  • Elementary Classical Operations: logical operations AND, OR, NOT, etc.
  • Elementary Quantum Operations:
    a) Single-qubit operations: rotations
    b) Two-qubit operations, e.g. quantum controlled-NOT (XOR)

[Figure: Schematic representation of a quantum computation along a time axis. Steps: 1) preparation, 2) evolution, 3) measurement. Input 000, three measurements, output 110.]
6
Quantum cryptanalysis
  • 1. Quantum efficient factoring (Shor 1994)
  • A quantum computer can efficiently factorize
    large integers, thus breaking RSA. More
    generally, Shor's algorithm can break
    crypto-systems based on the discrete log problem
    and elliptic curves.
  • If a quantum computer is ever built, much of
    public-key cryptography will fall apart!

7
Mathematical structure behind Shor's algorithm
  • Remark: All those problems can be rephrased as an
    Abelian Hidden Subgroup Problem. Given a finite
    group G, a set S and a mapping f: G → S with the
    promise that f(g1) = f(g2) iff g1 and g2 are in the
    same coset of H, where H is some (hidden) Abelian
    subgroup of G, the goal is to find H.
  • Remark: Quantum computers can efficiently
    solve the Abelian Hidden Subgroup problem.
    Whether they can efficiently solve the Non-Abelian
    Hidden Subgroup problem is a big open question in
    quantum algorithms.

8
Quantum cryptanalysis (contd.)
  • Grover's search algorithm: finding a needle in a
    haystack.
  • Given an unstructured database of N objects, how
    many searches are needed on average to find the
    correct object?
  • Mathematically, given a function f: X → {0,1} with
    the promise that f(x) = 1 if x = y for a unique y
    and 0 otherwise, find y.
  • Classically, clearly O(N) searches are needed.
    Surprisingly, quantum mechanically, only order
    square root of N searches are needed.
  • Remark: Grover's algorithm can be used for an
    exhaustive search, for example, exhaustive key
    search for DES (Data Encryption Standard) or AES
    (Advanced Encryption Standard). Therefore, a
    quantum computer can dramatically speed up the
    breaking of AES.
  • (Remedy: Doubling the key length.)

9
  • Properties of Quantum Information

10
Conjugate observables
[Figure: polarization states labelled 0 and 1 in the rectilinear basis and in the diagonal basis.]
It is fundamentally IMPOSSIBLE to determine
the polarization of a single photon in the two
bases simultaneously. (The two self-adjoint
operators representing the two observables do
NOT commute. Therefore, they cannot be
simultaneously diagonalized. And, it makes no
sense to talk about their simultaneous
eigenvectors.)
11
Corollary: Quantum No-cloning Theorem
[Figure: copying an unknown state a into two copies of a is marked IMPOSSIBLE.]
An unknown quantum state CANNOT be cloned!
Proof: If it were possible to clone an unknown quantum
state, by repeating the cloning operation, one
could measure two conjugate observables
simultaneously, which is forbidden in quantum mechanics.
12
Defeating counterfeiters with unclonable quantum
checks (Wiesner)
Quantum Check Serial number 1011010

Quantum Check Serial number 1011010
( up, left, right, down, left, up )
Quantum checks are impossible to counterfeit
without basis information.
13
CONVENTIONAL CRYPTOGRAPHY
MILITARY AND DIPLOMATIC APPLICATIONS
SECURE E-BUSINESS AND E-COMMERCE
CRYPTOGRAPHY
COMPUTATIONAL ASSUMPTIONS (e.g. factoring is hard)
14
What is wrong with conventional cryptography?
  • Unanticipated Advances in Hardware and
    Algorithms.
  • Quantum Code-breaking
  • Quantum computers can efficiently factor large
    numbers (exponential speed-up!), thus breaking
    RSA, the best-known encryption scheme. (Shor
    1994)
  • If a quantum computer is ever built, much of
    conventional cryptography will fall apart!
    (Brassard)

15
Forward security?
  • Trade secrets and US government secrets are kept
    as secrets for decades.
  • A Big Problem RIGHT NOW
  • If an adversary can factor in 2018, she can then
    decrypt all traffic sent in 2003.

16
CONVENTIONAL CRYPTOGRAPHY
MILITARY AND DIPLOMATIC APPLICATIONS
SECURE E-BUSINESS AND E-COMMERCE
CRYPTOGRAPHY
COMPUTATIONAL ASSUMPTIONS
17
QUANTUM CRYPTOGRAPHY
MILITARY AND DIPLOMATIC APPLICATIONS
SECURE E-BUSINESS AND E-COMMERCE
CRYPTOGRAPHY
QUANTUM MECHANICS
18
Quantum Cryptography
  • Two potential applications
  • Quantum key distribution (QKD)
  • Quantum bit commitment

19
Key Distribution Problem
Alice
Bob
encryption key
decryption key
If Alice and Bob share a common long random
secret string, then encryption is secure.
(Shannon 1949)
QUESTION: How to transfer the key?
20
Classical Key Distribution
Eve's copying machine
Bob
(Representable as a string of numbers: 01101.)
Eve
All CLASSICAL key distribution schemes
are fundamentally INSECURE.
21
Quantum Key Distribution
[Figure: copying an unknown state a into two copies of a is marked IMPOSSIBLE.]
Quantum No-cloning Theorem: Quantum information cannot be copied. An
eavesdropper Eve will be unable to copy a quantum
key without changing it.
22
Quantum key distribution
  • Absolute security based on fundamental laws of
    quantum mechanics, rather than computational
    assumptions.
  • Allows two persons who share a small amount of
    authentication information to communicate in
    absolute security in the presence of an
    eavesdropper.
  • Any eavesdropping attack will essentially always
    be caught.
  • Alice
    Bob

23
Quantum key distribution (QKD)
  • Absolute security based on fundamental laws of
    quantum mechanics, rather than computational
    assumptions.
  • Allows two persons who share a small amount of
    authentication information to communicate in
    absolute security in the presence of an
    eavesdropper.
  • Any eavesdropping attack will essentially always
    be caught.
  • Intrusion alert! Eve
    Intrusion alert!

24
The DARPA Quantum Network
[Figure: two private enclaves exchanging encrypted traffic via the Internet, with end-to-end key distribution between two QKD endpoints through QKD switches, a QKD repeater and ultra-long-distance fiber.]
Borrowed from BBN's website.
25
Procedure of standard BB84 QKD scheme
Step 5: Test for tampering by random sampling and
computing the quantum bit error rate. If the
error rate is OK, apply error correction
and privacy amplification. Otherwise, they
abort.
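
The tampering test of Step 5, as an added example that is not part of the original slides: a small simulation of BB84 in which steps 1 to 4 follow the standard textbook protocol (the transcript only preserves Step 5), run once on a quiet channel and once with an intercept-resend eavesdropper. The function names, the 50% sample fraction and the 11% abort threshold are illustrative assumptions.

```python
import random

RECT, DIAG = 0, 1  # the two conjugate polarization bases

def measure(bit, prep_basis, meas_basis, rng):
    """Measuring in the preparation basis returns the encoded bit;
    measuring in the conjugate basis returns a fair coin."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def sifted_keys(n_photons, eve_present, rng):
    """Steps 1-4 (textbook BB84): Alice sends random bits in random bases,
    Bob measures in random bases, both keep positions where bases agree."""
    alice, bob = [], []
    for _ in range(n_photons):
        a_bit, a_basis = rng.randint(0, 1), rng.choice((RECT, DIAG))
        bit, basis = a_bit, a_basis  # state travelling on the channel
        if eve_present:
            # Intercept-resend: Eve measures in a random basis and forwards
            # a fresh photon prepared from her own outcome.
            e_basis = rng.choice((RECT, DIAG))
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis
        b_basis = rng.choice((RECT, DIAG))
        b_bit = measure(bit, basis, b_basis, rng)
        if a_basis == b_basis:  # sifting over the public channel
            alice.append(a_bit)
            bob.append(b_bit)
    return alice, bob

def tamper_test(alice, bob, sample_fraction, rng):
    """Step 5: publicly compare a random sample, return the quantum bit
    error rate and the undisclosed remainder of both keys."""
    n = len(alice)
    k = int(n * sample_fraction)
    if k == 0:
        raise ValueError("too few sifted bits to estimate the error rate")
    sample = set(rng.sample(range(n), k))
    errors = sum(alice[i] != bob[i] for i in sample)
    rest = [i for i in range(n) if i not in sample]
    return errors / k, [alice[i] for i in rest], [bob[i] for i in rest]

def run_bb84(n_photons, eve_present, max_qber=0.11, seed=2003):
    """max_qber is an illustrative abort threshold, not a value from the slides."""
    rng = random.Random(seed)
    alice, bob = sifted_keys(n_photons, eve_present, rng)
    qber, a_rest, b_rest = tamper_test(alice, bob, 0.5, rng)
    return {
        "sifted": len(alice),
        "qber": qber,
        "abort": qber > max_qber,  # otherwise: error correction + privacy amplification
        "residual_errors": sum(x != y for x, y in zip(a_rest, b_rest)),
    }

if __name__ == "__main__":
    print("quiet channel :", run_bb84(20000, eve_present=False))
    print("intercept-resend:", run_bb84(20000, eve_present=True))
```

On the idealized noiseless channel the sampled error rate is exactly zero, while intercept-resend pushes it to about one quarter, so the sample exposes the eavesdropper before any key is used.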
26
Experimental QKD
  • Quantum key distribution is feasible with current
    technology.
  • Over Telecom fibers
  • About 67 km: LANL, BT (now Corning), Geneva
  • Distance limitation: need quantum repeaters.
  • Open air experiment (about 23km).
  • Proposal for ground to satellite experiments.

27
Proposed Ground to satellite QKD experiment
28
Long-term vision of global quantum network
Fibers: for long-haul quantum communications
29
Is QKD secure?
"The most important question in quantum cryptography is to determine how secure
it really is." (Gilles Brassard and Claude Crépeau)
Problems:
a) Real channels are all NOISY. Eve may try to disguise herself as noise.
b) Eve can perform ANY attack consistent with quantum mechanics.
c) A priori, classical probabilistic arguments do NOT work because of the
well-known Einstein-Podolsky-Rosen (EPR) paradox.
30
Proof of unconditional security of quantum key
distribution (QKD)
  • Mayers, quant-ph/9802025, Los Alamos preprint
    archive (1998); preliminary version in Crypto '96.
  • Lo and Chau, Science 283, 2050 (1999).
  • Biham et al., in Proceedings of Symposium on the
    Theory of Computing, STOC 2000, p. 715.
  • Ben-Or, to appear.
  • Shor and Preskill, Phys. Rev. Lett. 85, 441
    (2000).
  • Gottesman and Lo, http://xxx.lanl.gov/abs/quant-ph/0105121
  • Inamori, Lütkenhaus and Mayers, quant-ph/0107017,
    Los Alamos preprint archive (2001). (Consider
    imperfect photon sources, channel loss and
    imperfect detectors.)

31
Techniques of proof
  • 1) REDUCTION: Noisy Quantum Problem → Noiseless Quantum Problem
  • 2) REDUCTION: Noiseless Quantum Problem → Noiseless Classical Problem
  • 3) Use Classical Probability Theory
32
Techniques of proof
  • 1) REDUCTION (Fault-Tolerant Quantum Computation): Noisy Quantum Problem → Noiseless Quantum Problem
  • 2) REDUCTION: Noiseless Quantum Problem → Noiseless Classical Problem
  • 3) Use Classical Probability Theory
33
Techniques of proof
  • 1) REDUCTION (Fault-Tolerant Quantum Computation): Noisy Quantum Problem → Noiseless Quantum Problem
  • 2) REDUCTION (Use Commuting Observables): Noiseless Quantum Problem → Noiseless Classical Problem
  • 3) Use Classical Probability Theory
34
Innovation of Lo-Chau's proof
  • Innovation: Apply CLASSICAL probability theory to
    solve a QUANTUM problem. (Not obvious because of
    the well-known EPR paradox. Did not seem like a
    promising approach, at first sight.)
  • Solution: Construct COMMUTING observables.
    (Mathematically, commuting Hermitian matrices
    have simultaneous eigenvectors.) This works even
    when those observables are non-local.
  • Remark: The hard part is the actual construction.
  • Example

commutes with
,
even though they are both non-local.
Conclusion: One can safely assign CLASSICAL probabilities
to them.
35
Tolerable Bit Error Rates
Question: Under what operating parameters will
BB84 be secure?
Proof (Quantum) Bit Error Rate
Cf. Upper bound 25.
  • Significance of our result
  • 1) Practical
    a) Extend distance of secure QKD.
    b) Higher key generation rate.
    c) Proved security of standard schemes, e.g.
       Cascade.
  • 2) Conceptual
    a) Demonstrate the advantage of using two-way
       classical communications in classical
       post-processing of data generated in QKD.
    b) Introduce a new class of quantum codes.
36
Quantum Error Correction
  • A well-known class of quantum codes is the
    Calderbank-Shor-Steane (CSS) codes.
  • Consider two binary linear codes, C1 and C2, of
    length n such that:
    a) C2 is a subcode of C1;
    b) C1 and the DUAL of C2 can each correct up to t
       errors.
  • Then, one can define a QUANTUM error correcting
    code that can correct up to t quantum errors of
    general type in a quantum communication channel.
  • The resulting quantum code is called a CSS code.

37
Quantum Key Distribution
[Figure: Eve, Alice, Bob.]
38
Beyond Quantum Key Distribution
666
666
Bob
Alice
39
Age Problem
"I'm Y years old."
"I'm X years old."
Alice
Bob
How to find out whether x > y without disclosing
the exact value of x and y to each other?
40
Impossibility of Quantum Bit Commitment
  • Old belief: The Age Problem can be solved through
    a basic primitive called quantum bit
    commitment.
  • Surprising result (Mayers 96, Lo and Chau 96):
    Unconditionally secure quantum bit commitment is
    IMPOSSIBLE.

41
Aside: What is bit commitment?
1. Commit Phase
[Figure: Alice commits to 0 or 1 and hands the commitment to Bob.]
2. Opening Phase
Alice can prove to Bob that she has made up her
mind during the commit phase and she cannot
change it. Yet, Bob does not know her choice
until the opening phase.
42
Generality of the proof of impossibility of
quantum bit commitment
Any quantum/classical hybrid protocol can
equivalently be described by a purely quantum
protocol. (Analogy: Any expression involving both
real numbers and complex numbers can be evaluated
by using complex analysis. There is no need to
switch back and forth between real and complex
analyses.)
43
Foundation of security
  • DOABLE: Quantum Key Distribution (No-cloning Theorem).
    Mayers; Lo and Chau; Biham et al.; Ben-Or; Shor and Preskill.
  • IMPOSSIBLE: Quantum bit commitment, quantum oblivious
    transfer (quantum cheating using the Einstein-Podolsky-Rosen
    effect). Mayers; Lo and Chau; Lo.
44
WHAT IS THE BOUNDARY? WHY IS THERE SUCH A BOUNDARY?
  • DOABLE: Quantum Key Distribution (No-cloning Theorem).
    Mayers; Lo and Chau; Biham et al.; Ben-Or; Shor and Preskill.
  • IMPOSSIBLE: Quantum bit commitment, quantum oblivious
    transfer (quantum cheating using the Einstein-Podolsky-Rosen
    effect). Mayers; Lo and Chau; Lo.
  • Unclonable quantum encryption (Gottesman-Chuang)
  • Quantum coin tossing (Kitaev 2002)
45
What is the physics?
  • Classical Description (Classical Probability Theory): Simple
  • Quantum/Classical Hybrid Description: COMPLEX
  • Quantum Description (Unitary Description): Simple
  • Reduction? Reduction?

46
What is the physics?
  • Classical Description (Classical Probability Theory): Simple
  • Quantum/Classical Hybrid Description: COMPLEX
  • Quantum Description (Unitary Description): Simple
  • Reduction: Construct Commuting Observables
  • Reduction: Always Possible. Classical information can be
    regarded as a special case of quantum information.
47
Prologue: Model real-life QKD systems
  • 1) All models of QKD are idealizations of
    real-life systems.
  • Real-life QKD system is a complex system with
    many degrees of freedom.
  • 2) Imperfections
  • Imperfect single-photon sources
  • Lossy channels
  • Imperfect single-photon detection efficiency
  • Detector dark counts
  • Trojan Horse attacks
  • Denial-of-service attacks
  • How to quantify (theoretically and
    experimentally) small imperfections and ensure
    security in the presence of those imperfections?
  • How to perform secure QKD with REALISTIC amounts
    of computational power, communication bandwidth
    and random number generation rate?
  • Cf. Mayers and Yao, quant-ph/9809039
  • Inamori, Lütkenhaus and Mayers, quant-ph/0107017
  • Gottesman, Lo, Lütkenhaus, and Preskill,
    quant-ph/0212066

48
Open Question: Quantum version of Shannon's
channel coding theorem?
  • How to compute channel capacity of a quantum
    channel for transmitting classical information?
  • And, for transmitting quantum information?
  • Remark: While many different types of channel
    capacities have been formally defined, the analog
    of Shannon's channel coding theorem remains
    UNPROVEN in the quantum case.

49
Perspectives
  • There is only one information theory.
  • QUANTUM INFORMATION THEORY is the natural
    generalization of classical information theory.
    Classical information theory can be regarded as a
    special case of quantum information theory.
  • In the same way that the theory of complex
    numbers simplifies the theory of real numbers and
    makes it complete, Quantum information theory
    makes classical information complete.

50
List of most frequently asked questions
  • 1. What is quantum information processing?
  • 2. What is quantum information?
  • 3. What can quantum code-breaking do?
  • 4. What can quantum code-making do?
  • 5. What can quantum code-making NOT do?

51
List of most frequently asked questions
  • 1. What is quantum information processing?
    Synthesis of quantum mechanics with other
    subjects.
  • 2. What is quantum information?
    Use superposition and manipulate quantum
    states.
  • 3. What can quantum code-breaking do?
    Break standard encryption schemes including
    RSA.
  • 4. What can quantum code-making do?
    Secure communications using unbreakable
    quantum key distribution.
  • 5. What can quantum code-making NOT do?
    Protect private information during public
    discussion, e.g. the Age Problem.

52
Survey Paper
  • Gottesman and Lo, "From quantum cheating to
    quantum security", Physics Today, Nov. 2000, p.
    22, www.physicstoday.org/pt/vol-53/iss-11/p22.html
  • Recent paper:
  • Gottesman and Lo, "Security of Quantum Key
    Distribution with two-way classical
    communications", IEEE Transactions on Information
    Theory, Vol. 49, No. 2, p. 457, Feb. 2003.

53
Students/Postdocs Wanted
  • For a combined study in the theory and
    implementation of quantum key distribution. From
    foundation of security, modeling physical
    devices, protocol design to software/hardware
    implementations. Please contact Hoi-Kwong Lo
    ( hklo_at_comm.utoronto.ca )
  • www.comm.utoronto.ca/hklo

54
Quantum cheating using Einstein-Podolsky-Rosen
effect
Quantum objects can exhibit correlations that are
stronger than what is allowed by any local
classical model.
[Figure: a spin-0 object.]
When a spin-0 object decays into two spin-1/2
objects, from conservation of momentum, the two
resulting objects exhibit perfect
anti-correlations.
  • Individual measurement outcomes: RANDOM
  • Relative measurement outcomes: OPPOSITE
Appearance of faster-than-light
transmission. Does not violate causality because
the outcomes are random.
55
Main step of Shor's algorithm
  • Note that the factoring problem can be reduced
    to a periodicity problem.
  • Given an RSA number N = pq and a random x
    co-prime with N, suppose one can find the order,
    r, of x, such that x^r = 1 (mod N).
  • Compute gcd(x^(r/2) ± 1, N). This fails to give a
    factor of N only if either r is odd or x^(r/2) =
    -1 (mod N). It can be shown that the algorithm
    finds a factor of N with a probability at least
    1/4.
  • Surprisingly, a quantum algorithm can find the
    periodicity of x efficiently (because quantum
    computers allow interference).
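
The classical half of the reduction above, as an added example that is not part of the original slides: the order r is found here by brute force, which stands in for the quantum period-finding step and only works for toy moduli, and the two failure cases (r odd, or x^(r/2) = -1 mod N) are handled explicitly. Function names and the sample moduli are illustrative.

```python
from math import gcd
import random

def order(x, N):
    """Smallest r >= 1 with x^r = 1 (mod N). Brute force here; this is the
    step a quantum computer performs efficiently."""
    if gcd(x, N) != 1:
        raise ValueError("x must be co-prime with N")
    r, y = 1, x % N
    while y != 1:
        y = (y * x) % N
        r += 1
    return r

def factor_from_order(x, N):
    """One attempt of the reduction. Returns a non-trivial factor of N,
    or None in the two failure cases named on the slide."""
    r = order(x, N)
    if r % 2 == 1:
        return None                      # failure case 1: r is odd
    half = pow(x, r // 2, N)             # x^(r/2) mod N
    if half == N - 1:
        return None                      # failure case 2: x^(r/2) = -1 (mod N)
    # half != 1 because r is minimal, so N divides (half-1)(half+1)
    # without dividing either term: the gcd is a proper factor.
    return gcd(half - 1, N)

def success_rate(N):
    """Fraction of bases x co-prime with N for which one attempt succeeds."""
    xs = [x for x in range(1, N) if gcd(x, N) == 1]
    return sum(factor_from_order(x, N) is not None for x in xs) / len(xs)

def find_factors(N, seed=0, max_tries=64):
    """Repeat with random x until a factor appears."""
    rng = random.Random(seed)
    for _ in range(max_tries):
        x = rng.randrange(2, N - 1)
        g = gcd(x, N)                    # a shared factor is already an answer
        f = g if g != 1 else factor_from_order(x, N)
        if f:
            return tuple(sorted((f, N // f)))
    return None

if __name__ == "__main__":
    print(factor_from_order(7, 15))   # order 4, 7^2 = 4, gcd(3, 15)
    print(factor_from_order(14, 15))  # 14 = -1 (mod 15): attempt fails
    print(factor_from_order(4, 21))   # order 3 is odd: attempt fails
    print(success_rate(15), find_factors(3233))
```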

56
Quantum Cryptography
  • My contributions (Theory. Asymptotic results.)
  • Proof of unconditional security of quantum key
    distribution (QKD)
  • Efficient classical post-processing protocols for
    QKD.
  • Impossibility of quantum bit commitment
  • Future directions (PRACTICE. Finite size codes.)
  • Develop classical post-processing layer of
    QKD.
  • Design practical protocols for classical
    post-processing of QKD.
  • Model real-life QKD systems.
  • Study eavesdropping attacks.
  • Work with others to construct a QKD test-bed with
    all layers (optical, classical post-processing
    and application) included.

57
Design practical protocols for classical
post-processing of QKD.
  • Remark: Privacy amplification is a new
    concept in classical coding theory. (The dual of
    error correction.)
  • Finite size codes (convolutional codes or block
    codes?)
  • Security proofs usually deal with an infinitely
    long key.
  • In practice, it is necessary to consider a final
    key of finite length.
  • Fluctuations become very important.
  • Limited REAL random number generator rate.
  • Limited computational power.
  • Limited memory space.
  • Limited classical communication bandwidth.
  • Need REAL-TIME (hardware?) implementation.
  • Cost

58
Model real-life QKD systems
  • 1) All models of QKD are idealizations of
    real-life systems.
  • Real-life QKD system is a complex system with
    many degrees of freedom.
  • 2) Imperfections
  • Imperfect single-photon sources
  • Lossy channels
  • Imperfect single-photon detection efficiency
  • Detector dark counts
  • Trojan Horse attacks
  • Denial-of-service attacks
  • How to quantify (experimentally) small
    imperfections and ensure security in the presence
    of those imperfections?

59
Study eavesdropping attacks.
  • The best way to build a secure cryptographic
    system is to try hard to break it.
  • Need to study theoretically and experimentally
    the feasibility and power of various
    eavesdropping attacks: beam-splitting attacks,
    unambiguous state determination, Trojan Horse
    attacks, etc.

60
Future directions in other layers
  • Optical layer
  • integrated optics?
  • single-photon sources
  • single-photon detecting modules
  • low loss fibers
  • quantum switches
  • quantum repeaters
  • 2. Application layer
  • How to use the key? one-time-pad encryption?
    network multi-casting? Applications beyond key
    distribution?
  • System control issues
  • What are the states of a QKD system? How to
    recover a system after eavesdropping attacks?
    How to share the small initial authentication
    key?

61
Summary
  • 1. What is quantum information processing?
  • Synthesis of quantum mechanics with information
    processing.
  • 2. What can quantum code-breaking do?
  • Break standard encryption schemes including RSA.
  • 3. What can quantum code-making do?
  • Secure communications using unbreakable quantum
    key distribution (QKD).
  • 4. What can quantum code-making NOT do?
  • Protect private information during
    discussions: the Age Problem.
  • 5. What are my future directions?
  • Design practical protocols for classical
    post-processing of data generated by QKD. Model
    real-life QKD systems. Study eavesdropping
    attacks. Construct test-bed QKD by integrating
    optical, classical post-processing and
    application layers.

62
Selected Original Papers
  • Impossibility of bit commitment and oblivious
    transfer:
  • H.-K. Lo and H. F. Chau, Phys. Rev. Lett. 78,
    3410 (1997).
  • H.-K. Lo and H. F. Chau, Physica D 120, 177
    (1998).
  • H.-K. Lo, Phys. Rev. A 56, 1154 (1997).
  • Security proof of quantum key distribution:
  • H.-K. Lo and H. F. Chau, Science 283, 2050
    (1999).
  • Towards practical QKD:
  • D. Gottesman and H.-K. Lo, http://xxx.lanl.gov/abs/quant-ph/0105121
  • H.-K. Lo, http://xxx.lanl.gov/abs/quant-ph/0201030

63
Three layers of QKD
[Figure: the three layers, shown for both Alice and Bob.]
  • Application layer: data, secret key
  • Classical Post-Processing Layer: error
    correction, privacy amplification,
    authentication, etc.; raw key, basis info, etc.
  • Optical Layer: RNG (random number generator),
    sender optics (Alice), receiver optics (Bob)
64
Efficient classical post-processing protocols for
QKD
  • EPP with one-way communications (modified Lo-Chau
    protocol) → BB84: Shor-Preskill, use CSS codes.
  • Remark: EPP is a generalization of quantum error
    correcting codes.
  • EPP with two-way communications → BB84: ??
  • Motivations:
    1) Entanglement purification protocols (EPPs) with
       two-way classical communications are known to be
       more powerful than those with only one-way
       communications. (Bennett, DiVincenzo, Smolin and
       Wootters. See also Deutsch et al.)
    2) To prove unconditional security of standard
       protocols such as "Cascade".
65
Efficient classical post-processing protocols for
QKD
  • Modified Lo-Chau protocol (with only one-way
    classical communications) → BB84 (essentially
    Mayers' proof): Shor-Preskill, use CSS codes.
66
Security of QKD (Intuition)
  • A single photon cannot be split. Its polarization
    cannot be cloned. (Quantum No-Cloning Theorem.
    Heisenberg Uncertainty Principle.) Therefore,
    eavesdropper CANNOT have the same quantum
    information that Bob has.

[Figure: copying a state a into two copies of a is marked IMPOSSIBLE.]
67
Experimental Implementations
  • Current status: small-scale implementations.
  • Entanglement of four atoms.
  • Factor 15 = 3 x 5 in nuclear magnetic resonance
    machines.
  • Proposals for scalable quantum computers: Ion
    Traps, Cavity Quantum Electrodynamics, Nuclear
    Magnetic Resonance (NMR), Optical Lattices,
    Super-conducting qubits, Silicon-based proposal,
    Electrons flowing on Helium,

68
Towards scalable quantum computers III
Book: Scalable Quantum Computers, edited
by Braunstein and Lo.
69
Towards scalable quantum computers
  • Proposals
  • Ion Traps
  • Cavity Quantum Electrodynamics
  • Nuclear Magnetic Resonance (NMR)
  • Optical Lattices
  • Super-conducting qubits
  • Silicon-based proposals
  • Electrons flowing on Helium
  • 8. .
  • 9. .

70
Towards scalable quantum computers IV
  • Summary
  • Primitive (small scale) quantum computing has
    successfully been performed in experiments.
  • Large scale experimental quantum computing is
    extremely challenging. But, this has not deterred
    researchers from working on the subject.
  • Success of quantum computing depends on efforts,
    not time. (Eli Yablonovitch UCLA)

71
Research activities in quantum information
processing
  • Industries: MagiQ, AT&T, Bell Labs, IBM,
    Microsoft,
  • Universities: Too many to list. (e.g. Caltech,
    MIT, Stanford, Princeton, UC Berkeley, UCLA, UC
    Santa Barbara,)
  • National Labs: NIST, Los Alamos
  • Funding Agencies: DARPA, ARO, NSA, NIST, NASA,
  • (In the US alone, public government funding is
    over 50 million per year.)
  • Motivation: Go beyond the demise of Moore's law.
  • Quantum information processing as the Second
    Phase of the IT revolution.

72
What is oblivious transfer?
Alice sends two pieces of information to Bob. Bob
can only choose to learn one piece of the
information, NOT both. Alice does not know which
piece of information Bob has learnt. For
example, Alice sends her age and height to
Bob. Bob can learn either Alice's age or height,
but not both.
73
Advances in quantum crypto