Security Perspectives for Quantum Key Distribution

Size: px

Start display at page:

Download "Security Perspectives for Quantum Key Distribution"

Virginia Greene
5 years ago
Views:

Department of Physics and Astronomy University of

1 Security Perspectives for Quantum Key Distribution Norbert Lütkenhaus Institute for Quantum Computing & Department of Physics and Astronomy University of Waterloo, Canada Ontario Research Funds DARPA Office of Naval Research

2 Task description of QKD EVE Alice Authenticated Classical Channel Bob key (X): Quantum Channel

3 Assumptions Security Proof Security Statement

4 Security definition: preparation input state ρ N input state ρ N QKD Protocol QKD Protocol abort? abort? Alice: classical s Bob: classical s Eve: quantum ρ E s,s Alice: classical s Bob: classical s Eve: quantum ρ E real output state µ p(s, s 0 ) sihs s 0 ihs 0 ρ s,s0 E X s,s 0 S 1 2 ρ(real) ABE ρ(ideal) ABE 1 <² ideal output state 1 sihs sihs ρ E S X s S Indistinguishability ensures: - correct (shared by Alice and Bob) - uniformly distributed - secret

5 Security Definition 1 2 ρ(real) ABE ρ(ideal) ABE 1 <² [Renner, PhD Thesis 2005] Key requirements: - correct (shared by Alice and Bob) - uniformly distributed - secret operational definition of ²: Security statement: the probability that - key protocol does not abort AND - the key is not ideal (requirements!) is smaller than ² 1) ² cannot be zero for QKD! 2) Definition does not condition on non-abortion of protocol always aborting protocols are secure by this definition (but useless)! 3) Clear interpretation of imperfection (insurance mathematics!)

6 Development of Security Proofs Actual Device e.g. reality based Assumptions Security Proof Security Statement modelling Quantum Optical Model e.g. mode based e.g. realistic sources (laser pulses) threshold detector models Security Model e.g. qubit based ρ ABE ρ AB ρ C 1 ² Security Proof

7 frequently used assumptions Characterized devices: know what our devices are doing o side-channel attacks o see also voltage levels of one-time pad encryption! access to randomness secure perimeter of devices

8 Characterized devices: qubit scenario BB84, six-state, Ekert, B92, SARG Results optical scenario laser pulses instead of single photons, threshold detectors new protocol classes (Continuous Variable Protocols, Differential Phase Shift Protocols ) protocols using only characterized sources (no trusted detectors) [measurement-device independent QKD] Uncharacterized devices: qubit/optical protocols where only one side needs to be characterized (rates reduces unless partial characterization is re-introduced loss!) Protocols where all devices are uncharacterized (but random choices are utilized) reduction in assumptions is possible trade-off to rate fundamental issue or proof techniques???

9 What is a Security Proof? Testing of Models e.g. by embedding into larger models - requires experience based cut-off no scientific proof possible Calibration (initial and ongoing) Alignment Initialization Software and Hardware Implementation -verified software (development & execution) -hardware security perimeter - key management -Model of Devices -e.g. QM description -quantum security perimeter -classical security perimeter -Exact Protocol -sequence of protocol steps -Error Correction method -Privacy Amplification function -security parameters - Scientific Security Proof perfect secret key with exception of probability ²

10 Testing of Models e.g. by embedding into larger models - requires experience based cut-off no scientific proof possible Calibration Models (initial are based and ongoing) experience (hacking, counter measures, scientific Alignment experience) Initialization need to find common level of acceptance (ETSI standardization) (testable/quantifyable or not) Software and Hardware Implementation -verified software (development & execution) -hardware security perimeter - key management What Boundary is a between Security scientific and Proof? acceptance can be moved (device independent security proofs) but never vanishes -Model of Devices -e.g. QM description -quantum security perimeter -classical security perimeter -Exact Protocol -sequence of protocol steps -Error Correction method -Privacy Amplification function -security parameters - Scientific Security Proof perfect secret key with exception of probability ² Security proof defined by scientific standard

11 Testing of Models e.g. by embedding into larger models - requires experience based cut-off no scientific proof possible Calibration Models (initial are based and ongoing) experience (hacking, counter measures, scientific Alignment experience) Initialization need to find common level of acceptance (ETSI standardization) (testable/quantifyable or not) Software and Hardware Implementation -verified software (development & execution) -hardware security perimeter - key management What Boundary is a between Security scientific and Proof? acceptance can be moved (device independent security proofs) but never vanishes -Model of Devices -e.g. QM description -quantum security perimeter -classical security perimeter -Exact Protocol -sequence of protocol steps -Error Correction method -Privacy Amplification function -security parameters So what remains? QKD provides secret key that is future-proof (on quantum side): the key is as secure for all future as it is at its creation! - Scientific Security Proof perfect secret key with exception of probability ² Security proof defined by scientific standard

Distance Scaling Use fiber optics devices log(k) key rate detector saturation channel loss detector noise distance maximum distance: just under 200 km scaling

12 Distance Scaling Use fiber optics devices log(k) key rate detector saturation channel loss detector noise distance maximum distance: just under 200 km scaling with distance (fiber): K exp(- α d/10) (no amplification possible!) Example: 1 THz clockrate 0.17 db/km 700 km = 120 db 1 bit/sec over 700 km (infinite key limit)

Distance Problem: Trusted Repeater Networks Romain Alleaume Realizations: DARPA Network 2002-2005 SECOQC Network 2004-2008 Tokyo Network (2010) South Africa Geneva use trusted classical nodes to

13 Distance Problem: Trusted Repeater Networks Romain Alleaume Realizations: DARPA Network SECOQC Network Tokyo Network (2010) South Africa Geneva use trusted classical nodes to propagate secrets through network can cover metropolitan area networks at reasonable key rates stability against failure of individual links Note: users of network should also be operators trust level must be high!

14 Distance Challenge: Moving Satellite Satellite User A User B

15 Quantum Repeater Quantum repeater network: (technologically challenging) [Application: Service Provider] Overcomes loss problem allows routing EPR source EPR source Alice Bob Memory Memory Memory Memory Bell measurement Bell measurement (classical)

16 Quantum Repeater Quantum repeater network: (technologically challenging) [Application: Service Provider] Overcomes loss problem allows routing EPR source EPR source Alice Memory Memory Effective Channel Memory Memory Bob Bell measurement Bell measurement (classical)

Marco Lucamarini, Martin Ward, Andrew Shields (Toshiba Research Europe Ltd)

UPDATE ON ETSI ISG QKD Marco Lucamarini, Martin Ward, Andrew Shields (Toshiba Research Europe Ltd) Industry Specification Group in Quantum Key Distribution Global Deployments of Quantum Key Distribution