Title: The Adventures of Alice, Bob
1. The Adventures of Alice, Bob and Eve in the Quantum World
Department of Physics, University of Camerino
2. Alice
Bob
Eavesdropper
3. Code-breakers vs Code-makers
Cryptography
Cryptanalysis
4. Is there a perfect cipher?
- Vernam cipher (problem of key distribution)
- Public key cryptosystems
  - Mathematical, security based on computational complexity (use of one-way functions)
  - Can be broken by quantum computers!
  - In 1994 factorization of RSA-129 was achieved, but with a cluster of 103 workstations working for 8 months. Shor's algorithm would factor RSA-129 in a few seconds running on a quantum computer at the speed of a desktop PC!
- Quantum cryptography
  - Physical, security based on fundamental principles of quantum mechanics
5. Basic notions about QM
- The space of states of a physical system is a Hilbert space over C. A state is a vector of unit norm in such a space.
- The space of states of a composite system is the tensor product of the spaces of states of the subsystems.
- Any physical process (on a closed system) is described by a unitary transformation on H.
- Any observable is described by a self-adjoint operator on H, and the measurement process projects the system's state onto an eigenstate of the observable and gives the corresponding eigenvalue as result.
6. From Cbits to Q(u)bits
- Qubit is the smallest (dim = 2) Hilbert space associated to a physical system (e.g. spin, photon polarization, etc.).
7. Quantum Measurement
8. More on Quantum Measurement
- Quantum measurement is an irreversible process!
- Measuring Z on states prepared in its basis $|0\rangle, |1\rangle$ would not disturb them
- Measuring X on states prepared in its basis $|+\rangle, |-\rangle$ would not disturb them
- Measuring Z on states prepared in the X basis $|+\rangle, |-\rangle$ would project them onto $|0\rangle, |1\rangle$ with $\Pr = 1/2$
- Measuring X on states prepared in the Z basis $|0\rangle, |1\rangle$ would project them onto $|+\rangle, |-\rangle$ with $\Pr = 1/2$
9. Info gain implies disturbance
- Theorem. In any attempt to distinguish between two non-orthogonal quantum states, information gain is only possible at the expense of introducing some disturbance.
10. No-Cloning
- Theorem. An unknown quantum state cannot be
copied.
11. What is information? How much information?
- The Entropy measures uncertainty
- Logarithm to base 2 gives bits
- Example: binary entropy $h(p) = -p\log_2 p - (1-p)\log_2(1-p)$
- Coin flip has uncertainty of 1 bit!
12. There are several Entropies
[Diagram labels: $H(X,Y)$, $H(X)$, $H(Y)$, $H(X|Y)$, $H(X:Y)$, $H(Y|X)$]
13. Quantum Key Distribution
BB84 protocol
- Alice uses two random bits $a$ and $a'$ to prepare the state of a qubit $|\psi_{aa'}\rangle$:
  - $|\psi_{00}\rangle = |0\rangle$
  - $|\psi_{10}\rangle = |1\rangle$
  - $|\psi_{01}\rangle = |+\rangle$
  - $|\psi_{11}\rangle = |-\rangle$
- Alice sends the qubit to Bob through a quantum channel. Since Alice hasn't revealed $a'$, Eve can only guess the basis, and in the wrong case she disturbs the qubit. However, Bob does not know $a'$ either.
14.
- Bob measures the qubit in the basis X or Z as determined by a random bit $b'$ which he creates on his own (0-Z, 1-X). Let Bob's measurement result be $b$ (0-positive eigenvalue, 1-negative eigenvalue).
- Alice publicly announces $a'$ through a public classical channel.
- The above procedure is repeated 4n times. Then Alice and Bob, by a discussion over a public channel, discard all bits except those for which $a' = b'$ (raw key, approx. 2n bits).
- Alice selects n bits (of her 2n) at random and publicly announces the selection. Then Alice and Bob compare the values of these check bits to establish the error rate (or Eve's presence).
- Eventually the remaining n bits are the sifted key.
15. a
b
$a' = b'$ implies perfect correlations
R = (usable bits) / [(transmit. qubits) + (transmit. bits)]
R 1/6
16. What is gained by using qubits?
Example: a simple intercept-resend strategy
[Diagram labels: $|0\rangle$; Z ($p = 1/2$); X ($p = 1/2$); Z ($|0\rangle$, $p = 1/2$); Z ($|0\rangle$, $p = 1/4$); Z ($|1\rangle$, $p = 1/4$)]
17. What is gained by using qubits?
- For a simple intercept-resend eavesdropping, the prob. that Eve is present and Alice and Bob choose n uncorrupted (coincident) bits for the check is $(3/4)^n$, which goes to zero as n goes to infinity.
- In this simple example Eve gets 0.5 bits [$H(a:e) = 0.5$] of info per bit in the sifted key for an induced QBER of 25% ($d = 0.25$).
- We expect $H(a:e)$ is an increasing function of d; nevertheless, provided $d \neq 0$, Alice and Bob would be able to outwit Eve (ideal situation of no noise in the channel!).
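The BB84 steps and the intercept-resend attack described above, as an added simulation that is not part of the original slides. It assumes an ideal noiseless channel and models each BB84 state classically as a (value bit, basis bit) pair; all function names are illustrative.

```python
import random

def measure(state, basis, rng):
    """Measure a BB84 state (bit, preparation basis) in `basis` (0 = Z, 1 = X).
    Same basis: the encoded bit comes back. Other basis: a uniform random bit.
    Returns (outcome, collapsed state)."""
    bit, prep = state
    outcome = bit if prep == basis else rng.randrange(2)
    return outcome, (outcome, basis)

def bb84_raw_key(num_qubits, eve=False, seed=0):
    """Send num_qubits qubits; return Alice's and Bob's raw keys after sifting."""
    rng = random.Random(seed)
    alice, bob = [], []
    for _ in range(num_qubits):
        a, a_basis = rng.randrange(2), rng.randrange(2)  # Alice's value and basis bits
        state = (a, a_basis)
        if eve:  # intercept-resend: measure in a guessed basis, forward the result
            _, state = measure(state, rng.randrange(2), rng)
        b_basis = rng.randrange(2)                       # Bob's basis bit
        b, _ = measure(state, b_basis, rng)
        if a_basis == b_basis:                           # bases announced, mismatches dropped
            alice.append(a)
            bob.append(b)
    return alice, bob

def check_and_sift(alice, bob, seed=1):
    """Compare a random half of the raw key in public.
    Returns (QBER estimate, Alice's remaining key, Bob's remaining key)."""
    rng = random.Random(seed)
    check = set(rng.sample(range(len(alice)), len(alice) // 2))
    errors = sum(alice[i] != bob[i] for i in check)
    keep = [i for i in range(len(alice)) if i not in check]
    return errors / len(check), [alice[i] for i in keep], [bob[i] for i in keep]

def undetected_probability(n_check):
    """Chance that n_check compared bits all agree despite intercept-resend."""
    return 0.75 ** n_check

if __name__ == "__main__":
    for eve in (False, True):
        d, key_a, _ = check_and_sift(*bb84_raw_key(40000, eve=eve))
        print(f"eve={eve}: QBER={d:.3f}, key bits={len(key_a)}")
```

Without Eve the check bits agree exactly; with her the estimated QBER settles near 25%, which is what Alice and Bob compare against their threshold.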
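18. Once Alice and Bob have reconciled the bases
$p(a=0) = p(a=1) = 1/2$
$H(a) = h(1/2) = 1$
$p(b=0|a=1) = p(b=1|a=0) = d$ (QBER)
$p(b=0|a=0) = p(b=1|a=1) = 1-d$
$p(b=0,a=1) = p(b=0|a=1)\,p(a=1) = d/2$
$p(b=1,a=0) = p(b=1|a=0)\,p(a=0) = d/2$
$p(b=0,a=0) = p(b=0|a=0)\,p(a=0) = (1-d)/2$
$p(b=1,a=1) = p(b=1|a=1)\,p(a=1) = (1-d)/2$
$H(a,b) = 1 + h(d)$
$p(b=0) = p(b=0,a=1) + p(b=0,a=0) = 1/2$
$p(b=1) = p(b=1,a=1) + p(b=1,a=0) = 1/2$
$H(b) = 1$
$H(a:b) = H(a) + H(b) - H(a,b) = 1 - h(d)$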
19. Information Reconciliation & Privacy Amplification
In a realistic situation, how would Alice and Bob distinguish the effect of Eve's intrusion from that of the noise? Suppose at some point Alice, Bob and Eve perform measurements with outcomes a, b, e with P(a,b,e); then:
Theorem (Csiszár & Körner 1978). For a given P(a,b,e) Alice and Bob can establish a secret key (using only Information Reconciliation and Privacy Amplification) iff $H(a:b) > H(a:e)$
21. The ultimate security proof
Measuring d, how to know whether $H(a:b) > H(a:e)$? Let's find a bound for $H(a:e)$ by considering collective attacks.
Theorem (Hall 1995). Let E and B be two observables in an $N$ $(= 2^n)$ dim Hilbert space. Denote by $e, b, |e\rangle, |b\rangle$ the corresponding eigenvalues and eigenvectors, and let $c = \max_{e,b} |\langle e|b\rangle|$; then
$H(a:e) + H(a:b) < 2\log_2(Nc)$
This theorem states that if Eve performs a measurement providing her with some info $H(a:e)$, then because of the perturbation Bob's info is necessarily limited.
22. Suppose Alice sends out a large number of qubits and n were received by Bob in the correct basis ($N = 2^n$). Relabel the bases such that Alice uses n times the X basis, hence Bob's observable is $X \otimes X \otimes \cdots \otimes X$. We can bound Eve's info assuming she measures $Z \otimes Z \otimes \cdots \otimes Z$ (remember her max info corresponds to her max disturbance). Thus e.g. $c = \langle 0| \otimes \cdots \otimes \langle 0| \, |+\rangle \otimes \cdots \otimes |+\rangle = 2^{-n/2}$ and by Hall's th.
$H(a:e) + H(a:b) < 2\log_2(2^n \, 2^{-n/2}) = n$
The sum of Eve's and Bob's info per qubit is $\le 1$. By using the above inequality together with the Csiszár & Körner th. we get $H(a:b) > n/2$. Then
$H(a:b) = [1 - h(d)]\,n > n/2 \Rightarrow d < 11\%$
23. Security condition
[Plot: $H(a:e)$ and $H(a:b)$ versus d (QBER)]
Now $H(a:e) = 0.5$ with $d = 0.11$!
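The security condition worked numerically, as an added example that is not part of the original slides. It rebuilds $H(a:b)$ from the joint distribution of slide 18 and bisects for the QBER at which $H(a:b)$ stops exceeding the per-qubit bound on Eve's information; the function names are illustrative, and the bound $H(a:e) \le 1 - H(a:b)$ is the inequality from slide 22 taken per qubit.

```python
from math import log2

def h(p):
    """Binary entropy in bits."""
    return 0.0 if p in (0.0, 1.0) else -p * log2(p) - (1 - p) * log2(1 - p)

def entropy(probs):
    """Shannon entropy in bits of a probability list (zero terms skipped)."""
    return -sum(p * log2(p) for p in probs if p > 0)

def mutual_info_ab(d):
    """H(a:b) = H(a) + H(b) - H(a,b) from the joint distribution p(b,a) at QBER d."""
    joint = {(0, 0): (1 - d) / 2, (1, 1): (1 - d) / 2,
             (0, 1): d / 2, (1, 0): d / 2}           # keys are (b, a)
    p_b = [sum(p for (b, _), p in joint.items() if b == v) for v in (0, 1)]
    p_a = [sum(p for (_, a), p in joint.items() if a == v) for v in (0, 1)]
    return entropy(p_a) + entropy(p_b) - entropy(joint.values())

def eve_info_bound(d):
    """Per-qubit upper bound on H(a:e) implied by H(a:e) + H(a:b) <= 1."""
    return 1.0 - mutual_info_ab(d)

def qber_threshold(tol=1e-9):
    """Largest d in [0, 1/2] for which H(a:b) still exceeds the bound on H(a:e)."""
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if mutual_info_ab(mid) > eve_info_bound(mid):
            lo = mid        # key distillation still possible at this QBER
        else:
            hi = mid
    return lo

if __name__ == "__main__":
    for d in (0.0, 0.05, 0.11, 0.25):
        print(f"d={d:.2f}  H(a:b)={mutual_info_ab(d):.4f}  "
              f"bound on H(a:e)={eve_info_bound(d):.4f}")
    print(f"threshold d = {qber_threshold():.4f}")
```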
24. Experimental Quantum Cryptography
- First demonstration on a table at IBM labs using photons traveling over a distance of 30 cm (1989)
- Experiments with fibres (over a distance of 30-50 km, 1996-2004) using faint laser pulses
- Experiments in free space (over a distance of a few km)
- Quantum Cryptography Devices already available on the market!
25. For further information and research at University of Camerino see http://fisica.unicam.it/stefanomancini/ or contact me at stefano.mancini_at_unicam.it