UNIVERSITY OF CALGARY
Telecommunication Components for Fast Quantum Key Distribution
by
Itzel Lucio Martinez
A THESIS SUBMITTED TO THE FACULTY OF GRADUATE STUDIES IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE
DEPARTMENT OF PHYSICS AND ASTRONOMY
CALGARY, ALBERTA, May 2008
© Itzel Lucio Martinez 2008
ISBN: 978-0-494-44272-2 (Library and Archives Canada)

Abstract
Quantum Key Distribution in combination with the one-time pad encryption protocol promises unconditionally secure communication. However, current Quantum Key Distribution (QKD) systems distribute keys at low rates, making the implementation of the highly key-consuming one-time pad impractical. This thesis describes a detailed characterization of telecommunication components in view of their possible use for high-rate QKD through telecommunication fibre networks, and a proof-of-principle demonstration of a QKD system using the components studied. Specific problems have been identified, and solutions are suggested.

Acknowledgements
I would like to thank my supervisor, Dr. Wolfgang Tittel, for all his guidance, help, patience and great sense of humor throughout the duration of this work. I would also like to thank
Xiaofan Mo, a postdoc in our group, for all of his time, advice, help and for making the lab an enjoyable place. I would like to thank Steve Hosier and Philip Chan, members of the QC2 group and the Quantum Cryptography project, for their help in all sorts of things during this work.
I would especially like to thank my family, Tofio, Alejandrina and Jose Luis, for their encouragement and support throughout my life; without them I would not be who I am today.
I would like to thank Tim for all the delicious meals and many good moments we have shared that have made my time in Canada so enjoyable. I would like to thank Michael S.,
Mike D., Georg, Frank and all the people in IQIS that have shared their friendship with me.
I could not forget all my coworkers in the QC2 group (Gina, Ahdiyeh, Josh, Allison, Cecilia,
Erhan, Felix, John, Mike, Neil and Vladimir) who create such a pleasant atmosphere in the office and the lab.
Finally, I would like to thank CONACyT and the Mexican public education system for giving me, and many other Mexican people, the opportunity to improve our quality of life.
Table of Contents
Abstract
Acknowledgements
Table of Contents
List of Tables
List of Figures
1 Introduction
1.1 Background
1.2 Classical Cryptography
1.2.1 Asymmetric Cryptography
1.2.2 Public-Key Cryptography
1.2.3 Classical symmetric-key cryptography
1.2.4 Advanced Encryption Standard
1.3 Key Distribution
1.4 Quantum Cryptography
1.5 This work
1.5.1 Motivation
1.5.2 Organization
2 Quantum Key Distribution (QKD)
2.1 Quantum key distribution protocols
2.1.1 BB84
2.1.2 Ekert91
2.1.3 BBM92
2.2 Classical Post-processing
2.2.1 Error Correction
2.2.2 Privacy Amplification
2.3 Eavesdropping
2.3.1 Qubit attacks
2.3.2 Individual attacks
2.3.3 Coherent attacks
2.3.4 Photon number splitting attack
2.3.5 Other channel attacks
2.4 Experimental QKD: The State of the Art
2.4.1 Fiber-based QKD
2.4.2 Free-Space QKD
2.4.3 Networking
3 Experimental investigations
3.1 The set-up
3.1.1 Alice
3.1.2 Bob
3.2 Components
3.2.1 The Laser Diodes
3.2.2 Intensity Modulator
3.2.3 The Phase Modulator
3.2.4 Polarization Controller
3.2.5 Single Photon Detector
3.3 Quantum Key Distribution
3.3.1 Measurement of the QBER and Key generation rate
4 Discussion
4.1 Components
4.1.1 Laser Diode
4.1.2 Intensity Modulator
4.1.3 Phase Modulator
4.1.4 Polarization Stabilizer
4.1.5 Single Photon Detector
4.2 Performance of the QKD system
4.2.1 Decoy State protocol
4.2.2 Detector noise based distance limitations
5 Summary and Outlook
Bibliography
Glossary

α  Absorption coefficient
η  Quantum efficiency of single photon detectors
λ  Wavelength
μ  Signal state (mean photon number of 0.5)
ν_1  First decoy state (mean photon number of 0.1)
ν_0  Second decoy state (vacuum state)
AES  Advanced Encryption Standard (symmetric cryptosystem)
APD  Avalanche Photodiode
Att  Attenuator
AWG  Arbitrary Waveform Generator
BS  Beamsplitter
CG  Clock Generator
Det  Detector
e  Quantum bit error rate
e_1  Single photon pulse error rate
e_M  Multi-photon pulse error rate
FM  Faraday mirror
H_2  Shannon (binary) entropy
IM  Intensity modulator
LD_C  Classical laser diode
LD_Q  Quantum laser diode
LDPC  Low density parity check
n  Index of refraction
P  Power
p_d  Dark count probability of a single photon detector
PBS  Polarization Beam Splitter
PM  Phase modulator
PSY  Polarization synthesizer/analyzer (polarization controller)
Q_1  Single photon detection rate
Q_μ  Signal state detection rate
Q_ν  Decoy state detection rate
QBER  Quantum bit error rate
QKD  Quantum Key Distribution
RSA  Rivest, Shamir and Adleman (asymmetric cryptosystem)
s  Secret key yield per sifted key
SPD  Single Photon Detector
t  Transmission coefficient
TDC  Time-to-digital converter
V  Voltage
Y_i  Conditional probability of a detection event for an i-photon state sent
Y_0  Background rate

List of Tables
1.1 Encryption using the one-time pad
1.2 Comparison of classical cryptographic schemes
3.1 Dark counts and quantum efficiency for 4 different detectors
3.2 Results of the measurements of the QBER for signal and decoy states
4.1 Single photon gain and error rate assessed via decoy states
List of Figures
2.1 Polarization states represented on the Poincaré sphere
2.2 Flow diagram showing Quantum Key Distribution
2.3 Information vs. QBER
2.4 The plug-and-play system
2.5 Free-space QKD
3.1 The entire QKD system
3.2 Classical header and quantum data
3.3 Alice's setup
3.4 Bob's setup
3.5 Screen shots of LD pulses
3.6 Measurement of output power stability of quantum and classical LD
3.7 Measurement of polarization stability and extinction ratio of the quantum LD
3.8 Intensity modulator
3.9 Measurement of the output power stability of the IM
3.10 Phase modulator
3.11 Measurement of the polarization extinction ratio of the PM
3.12 Performance of the PM
3.13 Working principle of the PSY
3.14 Compensation of polarization transformation with a PSY
3.15 Time response of a PSY for compensating polarization transformation
3.16 Measurement of afterpulses
3.17 Our QKD system
4.1 Home-made IM
Chapter 1
Introduction
Cryptography is the science of hiding the meaning of a message. The purpose of a cryptographic system is to help a party, typically called Alice, send a message to a receiver, Bob, using a public channel, and to prevent an eavesdropper, Eve, from learning the message by eavesdropping on the transmission.
1.1 Background
A possible solution to the problem of secret communication, besides cryptography, is steganography, which consists in hiding the existence of the message rather than hiding its meaning. The security of the transmitted information then relies entirely on the message remaining undiscovered. An example is the story of Demaratus, who sent a warning about a forthcoming attack to Greece by writing it on a wooden panel and covering it in wax [1].
In order to better understand cryptography, I will introduce some of the terminology used in this field. In cryptography, the message before being encrypted is referred to as the plaintext. The process of converting information to make it indecipherable to anyone except those who possess a key (additional information) is called encryption, and the reverse process is called decryption. A cryptosystem refers to the set of algorithms (ciphers) needed to implement a particular form of encryption/decryption. A plaintext that has been encrypted is called ciphertext.
Cryptography is as old as writing itself. Among the oldest cryptosystems are transposition and substitution ciphers [1]. In transposition ciphers, the order of the letters in a message is rearranged (e.g. "go left" becomes "og eltf"). In substitution ciphers, letters or groups of letters are replaced with other letters (e.g. "do not move" becomes "fq pqv oqxg", where each letter has been replaced by the second next in the alphabet). Transposition and substitution ciphers require a key to decrypt the ciphertext, but the key can be found very easily. Old cryptosystems were often broken because the encryption algorithm was not secure; for instance, frequency analysis allows one to crack substitution ciphers, since each plaintext letter always maps to the same ciphertext letter and the letter statistics of the language survive encryption.
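As an added example (not code from the thesis), the two toy ciphers above and the frequency analysis that breaks the substitution one, in Python. `shift_cipher` reproduces the "second next letter" substitution, `swap_pairs` the pairwise transposition of "go left", and `recover_shift` picks the shift whose decryption best matches English letter statistics by a chi-squared score. The sample plaintext is constructed for the demonstration; the frequency table holds the standard published English values.

```python
"""Toy substitution and transposition ciphers, and frequency analysis of the former.
Added example; not from the thesis. SAMPLE is a constructed plaintext."""
from collections import Counter
import string

ALPHABET = string.ascii_lowercase

# Relative letter frequencies of English text, in percent (standard published values).
ENGLISH_FREQ = {
    "a": 8.17, "b": 1.49, "c": 2.78, "d": 4.25, "e": 12.70, "f": 2.23, "g": 2.02,
    "h": 6.09, "i": 6.97, "j": 0.15, "k": 0.77, "l": 4.03, "m": 2.41, "n": 6.75,
    "o": 7.51, "p": 1.93, "q": 0.10, "r": 5.99, "s": 6.33, "t": 9.06, "u": 2.76,
    "v": 0.98, "w": 2.36, "x": 0.15, "y": 1.97, "z": 0.07,
}

SAMPLE = (
    "the security of a substitution cipher rests entirely on the secrecy of the mapping, "
    "and because every letter is always replaced by the same symbol the statistics of the "
    "language survive encryption. an attacker who counts the symbols in a long enough "
    "ciphertext will find that the most common one stands for the letter e and the rest "
    "follow easily."
)


def shift_cipher(text, shift):
    """Monoalphabetic substitution: each letter is replaced by the one `shift` places
    later in the alphabet (shift=2 is the thesis example); non-letters pass through."""
    out = []
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def swap_pairs(text):
    """Transposition: swap adjacent letter pairs inside each word ('go left' -> 'og eltf').
    The letters are all still present, only their order changes."""
    words = []
    for word in text.split(" "):
        chars = list(word)
        for i in range(0, len(chars) - 1, 2):
            chars[i], chars[i + 1] = chars[i + 1], chars[i]
        words.append("".join(chars))
    return " ".join(words)


def chi_squared(text):
    """How far the letter counts of `text` are from what English would produce
    (lower is more English-like)."""
    letters = [c for c in text if c in ALPHABET]
    n = len(letters)
    counts = Counter(letters)
    score = 0.0
    for c in ALPHABET:
        expected = ENGLISH_FREQ[c] * n / 100
        score += (counts[c] - expected) ** 2 / expected
    return score


def recover_shift(ciphertext):
    """Frequency analysis: try all 26 shifts and keep the one whose decryption looks
    most like English. No key is needed, which is why the cipher is weak."""
    return min(range(26), key=lambda s: chi_squared(shift_cipher(ciphertext, -s)))


if __name__ == "__main__":
    print(shift_cipher("do not move", 2))          # fq pqv oqxg
    print(swap_pairs("go left"))                   # og eltf
    ct = shift_cipher(SAMPLE, 13)
    print("recovered shift:", recover_shift(ct))   # 13
```

The chi-squared test needs a few hundred letters to be reliable; on an eleven-letter message like "do not move" several shifts score similarly, which is the one advantage short messages had over frequency analysis.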
In the 19th century, Auguste Kerckhoffs recognized that the secrecy of a cipher is not a good safeguard; in fact, a good cipher should remain secure under attack even when everything about it except the key is public knowledge. This fundamental principle is generally called Kerckhoffs' principle [2].
Different physical devices have been used to assist with ciphers. Encryption/decryption devices were created using rods, cylinders and disks. Early in the 20th century the devices became more complex and included rotor machines. The most famous example is the Enigma machine, used by Germany in World War II. All these technological advances increased the cryptanalytic difficulty. With the development of electronics and digital computers, much more complex ciphers were produced. One of the biggest changes introduced by this technology was the representation of data in binary format, rendering linguistic approaches more complicated.
1.2 Classical Cryptography
At present many different cryptosystems exist. They can be divided into two groups, asymmetric systems and symmetric systems. In the following paragraphs, I give a more detailed description of each kind of system and its applications.
1.2.1 Asymmetric Cryptography
Asymmetric cryptosystems use two different keys: a public key with which anyone can encrypt a message, and a private key, belonging to an authorized party (normally the receiver of the message), which can decrypt it.
1.2.2 Public-Key Cryptography
Public-key cryptography is an asymmetric cryptosystem. Current electronic communications, including e-mail, e-commerce and e-banking, use public-key cryptography to protect sensitive data transmitted through public channels. Public-key cryptography was invented in the early 1970s by James H. Ellis, Clifford Cocks and Malcolm Williamson in the UK, but their work was not published; the idea was reinvented independently and published by Diffie and Hellman in 1976 [3], and is now known as Diffie-Hellman key exchange.
To understand how public-key cryptography works I will introduce one-way functions.
One-way functions are easy to compute in one direction, but it is computationally hard to reverse the calculation. As an example, consider a function f that takes two prime numbers and multiplies them; this is easy to compute in the sense that some algorithm can compute the function in a time that is no greater than a polynomial function of the number of bits required to represent the primes. Inverting the function, on the other hand, requires solving the factoring problem, for which no efficient (polynomial-time) algorithm is known: the best known classical factoring algorithms run in time that grows super-polynomially with the number of bits required to represent the number to be factored.
The security of public-key cryptography relies on the difficulty of inverting one-way functions. All known algorithms used to decrypt the data would take an impractical amount of time when long enough keys are used to encrypt the message. The security of public-key cryptosystems is thus based on the assumption that the eavesdropper has only limited computational power; it is only computationally secure. If the eavesdropper, Eve, had access to a different algorithm that solved the factoring problem more efficiently than the ones known today, the security of the ciphertext would be compromised, since Eve could decrypt the message in a reasonably short time. In addition, a quantum computer executing Shor's algorithm (a quantum algorithm for factoring exponentially faster than the best currently known algorithm running on a classical computer) would allow fast factorization of integers [4], and thereby the reading of recent as well as past encrypted messages.
Since its invention, public-key cryptography has been improved and different ciphers now exist [5]. One of the most popular is RSA (named after Rivest, Shamir and Adleman), invented in 1977 at MIT [6]. This cryptosystem can be used to establish a shared secret key over a public communication channel and is widely used in electronic commerce protocols. The basic idea behind RSA is the following:

Bob: picks two large prime numbers p1, p2 and calculates b = p1 · p2.
Bob: publicly announces b.
Alice: calculates the ciphertext c = f(m, b).
Alice: sends c over the public channel.
Bob: calculates m = g(c, p1, p2),

where b is the public key, p1, p2 form the private key, f is a one-way function and m represents the message. One of the disadvantages of this cipher is that it is very time-consuming and its performance depends strongly on the hardware. Typical times to encrypt or decrypt with a 2048-bit key are around 30 ms. For this reason this cryptosystem is used mostly for initial key establishment; after that, classical symmetric-key cryptography is generally employed.
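As an added example (not the thesis's code), textbook RSA in Python following the notation above: `keygen` performs Bob's first two steps, `f` and `g` are the one-way function and its trapdoor, and `recover_private_key` is Eve's attack when the modulus is small enough to factor. The primes 61 and 53, exponent 17 and message 65 are the usual textbook toy values, constructed here for illustration. Two simplifications of the sketch above are made explicit: real RSA publishes an exponent e alongside b (the thesis folds it into the public key), and real implementations wrap m in randomized padding such as OAEP, without which encryption is deterministic and malleable.

```python
"""Textbook RSA in the thesis's notation: b = p1*p2 is public, (p1, p2) private,
f encrypts, g decrypts. Added example; not from the thesis. Toy values are constructed."""
from math import gcd, isqrt


def keygen(p1, p2, e=65537):
    """Bob picks primes p1, p2, announces b = p1*p2 with the public exponent e, and keeps
    d = e^-1 mod (p1-1)(p2-1), which only someone knowing p1 and p2 can compute."""
    b = p1 * p2
    phi = (p1 - 1) * (p2 - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p1-1)(p2-1)")
    d = pow(e, -1, phi)  # modular inverse (Python >= 3.8)
    return (b, e), (b, d)


def f(m, public):
    """One-way function c = f(m, b) = m^e mod b. Cheap forward; inverting it without
    the trapdoor amounts to factoring b."""
    b, e = public
    if not 0 <= m < b:
        raise ValueError("message must be an integer in [0, b)")
    return pow(m, e, b)


def g(c, private):
    """Trapdoor m = g(c, p1, p2), computed via d = e^-1 mod (p1-1)(p2-1)."""
    b, d = private
    return pow(c, d, b)


def factor_by_trial_division(b):
    """Exhaustive search up to sqrt(b): instant for a toy modulus, hopeless at 2048 bits,
    which is exactly the computational assumption RSA rests on."""
    for p in range(2, isqrt(b) + 1):
        if b % p == 0:
            return p, b // p
    raise ValueError("no non-trivial factor found")


def recover_private_key(public):
    """Eve's attack: factor b, then rebuild d exactly as Bob did."""
    b, e = public
    p1, p2 = factor_by_trial_division(b)
    return b, pow(e, -1, (p1 - 1) * (p2 - 1))


if __name__ == "__main__":
    public, private = keygen(61, 53, e=17)   # toy primes; b = 3233
    c = f(65, public)                        # 2790
    print("ciphertext:", c, "decrypted:", g(c, private))
    print("Eve recovers private key:", recover_private_key(public) == private)
```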
1.2.3 Classical symmetric-key cryptography
In symmetric systems both parties use the same key for encryption and decryption. The key represents a shared secret between the parties that can be used to maintain a private communication link.
In comparison with asymmetric cryptosystems, symmetric cryptosystems are typically hundreds to thousands of times faster. A very important example of symmetric-key cryptography is the one-time pad, or Vernam cipher [7]. While public-key cryptography is only computationally secure, it has been proven that the one-time pad is an unconditionally secure encryption algorithm. Unconditionally secure (or information-theoretically secure) means that the security of the protocol does not depend on the computational power or the algorithms available to the adversary.

Table 1.1: Encryption using the one-time pad.

                     Text     Binary format       Operation
Message from Alice   "NO"     0110111001101111    M ∈ {0,1}^n
Key                           1010111001110010    K ∈ {0,1}^n
Encryption           "192;"   1100000000011101    C = M ⊕ K
Message to Bob       "192;"   1100000000011101
Key                           1010111001110010
Decryption           "NO"     0110111001101111    C ⊕ K = (M ⊕ K) ⊕ K = M
The one-time pad fulfills three conditions to ensure perfect security:
• The key must be generated randomly, with uniform distribution of symbols.
• The key must be used only once and kept secret.
• The key must be as long as the message to be encrypted.
In the one-time pad protocol a message is first converted into binary form, a string of 0's and 1's; the key is another binary string. The message is encrypted by combining each bit of the plaintext with the respective bit of the key using addition modulo 2 (also known as XOR and represented by ⊕). The ciphertext is sent to Bob using a public channel. Bob, in turn, combines each bit of the ciphertext with the same key, and since applying the XOR operation twice is the identity, he recovers the initial message, as illustrated in table 1.1.
Claude Shannon proved that in the one-time pad the ciphertext does not reveal any information about the message [8], in agreement with Kerckhoffs' principle. If the key is created randomly, the ciphertext will be random too. The only option left for an eavesdropper is an exhaustive key search. By doing this, Eve will obtain the correct message, but with the same probability she will also obtain every other message of the same length (i.e. 2^n different messages if the ciphertext contains n bits). It is therefore impossible for her to know which message is the correct one. Hence more powerful computers would not help, and this makes the one-time pad unconditionally secure.
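As an added example (not code from the thesis), the one-time pad of table 1.1 in Python, together with the failure that the second condition above guards against: when the same key encrypts two messages, XORing the two ciphertexts cancels the key and leaves M1 ⊕ M2, so anyone who knows or guesses one plaintext reads the other. The table's 16-bit values are reused as-is; the two equal-length plaintexts and the key drawn from the OS random source are constructed for the demonstration.

```python
"""One-time pad: encryption, decryption, and the two-time-pad failure.
Added example; not from the thesis. Plaintexts below are constructed."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (addition modulo 2, bit by bit)."""
    if len(a) != len(b):
        raise ValueError("one-time pad requires key length == message length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_key(n: int) -> bytes:
    """Condition 1: a uniformly random key from the OS CSPRNG, as long as the message.
    A PRNG seeded from a short secret would reduce the pad to a stream cipher."""
    return secrets.token_bytes(n)


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    return xor_bytes(message, key)        # C = M xor K


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor_bytes(ciphertext, key)     # (M xor K) xor K = M


def two_time_pad_attack(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """Condition 2 violated: the same K encrypted M1 and M2. Then
    C1 xor C2 = (M1 xor K) xor (M2 xor K) = M1 xor M2,
    and an attacker who knows M1 recovers M2 without ever learning K."""
    return xor_bytes(xor_bytes(c1, c2), known_m1)


def table_1_1_example():
    """Table 1.1 with its bit patterns: message 0110111001101111 (the ASCII bytes 'no'),
    key 1010111001110010 (0xAE 0x72); returns (ciphertext, decrypted message)."""
    message = bytes([0b01101110, 0b01101111])
    key = bytes([0b10101110, 0b01110010])
    ciphertext = otp_encrypt(message, key)          # 1100000000011101 = 0xC0 0x1D
    return ciphertext, otp_decrypt(ciphertext, key)


if __name__ == "__main__":
    c, m = table_1_1_example()
    print("table 1.1 ciphertext:", c.hex(), "decrypted:", m)
    m1, m2 = b"attack at dawn", b"hold position!"   # constructed, same length
    k = generate_key(len(m1))
    c1, c2 = otp_encrypt(m1, k), otp_encrypt(m2, k) # key reused: the fatal mistake
    print("m2 recovered from key reuse:", two_time_pad_attack(c1, c2, m1))
```

Because `xor_bytes` refuses a key shorter than the message, the third condition (key at least as long as the message) is enforced rather than left to the caller; silently cycling a short key is the classic way a "one-time pad" degrades into a repeating-key Vigenère cipher.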
1.2.4 Advanced Encryption Standard
The Advanced Encryption Standard (AES), or Rijndael cipher, is another example of symmetric-key cryptography, more specifically of a block cipher. It was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen; the name Rijndael comes from a combination of the authors' names. In 2001, AES was announced as an encryption standard by the U.S. government as FIPS 197 (Federal Information Processing Standard); the new standard is now used as a worldwide cryptographic standard by banks, administrations and industry.
Symmetric-key ciphers are generally divided into stream ciphers and block ciphers. In stream ciphers the plaintext bits are encrypted one at a time. Block ciphers operate on a fixed-length string of bits, and the length of the bit string is the block size. AES has a fixed block size of 128 bits, with key sizes of 128, 192 or 256 bits.
AES can be used to compute message authentication codes (MACs), that is, to protect the integrity and authenticity of a message, but it is mainly used for encryption. It uses the concepts of diffusion and confusion in multiple rounds (10 rounds for a 128-bit key, 12 for a 192-bit key and 14 for a 256-bit key) to construct the ciphertext. Confusion refers to operations involving the key and the plaintext that make the relationship between key and ciphertext as complex and involved as possible. Diffusion refers to the property of "dissipating" the redundancy in the frequency distribution of symbols of the plaintext, so that each ciphertext bit depends on many plaintext bits.
As the new encryption standard, AES is utilized on a large scale since it is fast in both software and hardware, relatively easy to implement, and requires little memory. Still, the key used for AES is changed infrequently and is used to encrypt many messages. Therefore, AES does not offer information-theoretic security, unlike the one-time pad.
In table 1.2, the cryptosystems mentioned above are compared: their performance, the minimum key length needed to encrypt a message, and the type of security offered are summarized.

Table 1.2: Comparison of classical cryptographic schemes

Type        Cryptosystem   Performance                 Key length          Security
Asymmetric  RSA            2048-bit key takes ~30 ms   1024 or 2048 bits   Computational
Symmetric   AES            Gbit/s range                128 to 256 bits     Computational
Symmetric   One-time pad   Gbit/s range                = message length    Unconditional
1.3 Key Distribution
At present, cryptography uses publicly known algorithms; the security of transmitted sensitive data lies in a secret key shared between the parties, as explained in the previous sections. In this approach the problem of securing information thus consists in the ability to distribute these keys among the legitimate parties while guaranteeing their secrecy. This is known as the key establishment problem. The problem is particularly severe for information-theoretic encryption via the one-time pad, where a lot of key material is needed.
As explained before, the security of public-key cryptography is based on assumptions about the computational resources of the eavesdropper. If the eavesdropper has access to unanticipated computational power (e.g. a quantum computer) or algorithms, the encrypted message could be decoded in a period of time that might be shorter than expected at present.
The key could also be distributed by an encounter of the two parties, or the use of a trusted courier; however this is very impractical considering the amount of key material we need nowadays to secure all our electronic communications.
Common to all classical key distribution protocols is the fact that whether the key has been intercepted cannot be assessed after its distribution.
All these facts lead to the conclusion that there is an urgent need to develop key distribution systems that can deliver secret keys at high rates, to ensure the secrecy of the transmission of sensitive data over the internet despite the rapid development of computational systems.
1.4 Quantum Cryptography
Quantum Cryptography, or more correctly Quantum Key Distribution (QKD) [9], enables two parties, Alice and Bob, to share a key known only to them. The secrecy of the key is guaranteed by the use of quantum mechanics to distribute the key.
Based on the particular properties of single quantum systems such as individual photons, QKD enables Alice and Bob to establish a key whose secrecy can be proven after key distribution, as opposed to classical key distribution, where the security relies on assumptions such as the computational power of the eavesdropper. Alice can encode key material in individual quantum systems and then send them to Bob using a quantum channel. The information that Bob receives, after measurement, is a random sequence of bits, i.e. a key.

An eavesdropper, Eve, who tries to gain information about the quantum states sent from Alice to Bob has to perform some kind of measurement on the quantum systems. However, in quantum mechanics a measurement in general disturbs the system being measured, leading to a detectable disturbance which in turn allows Alice and Bob to bound the information gained by her.
The quantum states exchanged between Alice and Bob are called qubits, short for quantum bits [10]. A qubit is the quantum analogue of a classical bit, i.e. the carrier of information in QKD. The information contained in a qubit is described by the state vector of a two-level quantum mechanical system in a two-dimensional Hilbert space, represented in Dirac notation by |ψ⟩ (ket psi). Qubits, like classical bits, can have a binary value of 0 or 1, assigned to one of the two orthogonal vectors of a specific basis, |ψ⟩ = |0⟩ or |ψ⟩ = |1⟩. Furthermore, a qubit can also be in a superposition of these two states, |ψ⟩ = α|0⟩ + β|1⟩, where α and β are the probability amplitudes, in general complex, with |α|² + |β|² = 1.

Qubits can be physically implemented using the spin of a physical system or the polarization of photons. For example, it is possible to use vertical and horizontal polarization to represent the bit values 0 and 1, respectively. Alternatively one could use circular polarization, where R (right circular polarization) represents the bit 1 and L (left circular polarization) represents the bit 0.
When Alice and Bob compare, using a classical channel, a randomly chosen subset of the data obtained from the qubits, they can assess the error rate and thereby upper bound the information Eve may have obtained (see sec. 2.3). If the number of errors in the key they share is below a certain threshold, a secret key can be extracted by means of error correction and privacy amplification. Note that the classical channel shared by Alice and Bob can be public and untrusted but it must be authenticated to prevent man-in-the-middle attacks.
Hence, before QKD, Alice and Bob must initially share a short secret key to authenticate all classical communication. QKD can thus be seen as quantum key expansion, rendering a long secret key from a shorter one. Part of the long key will be retained for the next authentication procedures and the remaining key can be used to encrypt and decrypt any message. For perfect security the one-time pad is used.
When the error rate is too high, on the other hand, Alice and Bob simply discard the key and start the key distribution process again. Note that the key itself does not contain any information (it is a random bit string, not a message), so nothing is lost by discarding it.
1.5 This work
1.5.1 Motivation
The development of information technologies (IT) has led to an enormous increase in the transmission of sensitive information through public channels. Advances in classical computer technology and algorithms, or the possibility of building a quantum computer, threaten the security of sensitive information that has been encoded with cryptographic schemes offering only computational security. It is thus necessary to develop better key distribution systems. QKD has the potential to provide a solution to the key distribution problem while guaranteeing unconditional security.
Although commercial QKD systems are already available [11, 12], they are limited to bit rates of the order of kbits/s, making the implementation of the one-time pad impractical.
Hence, faster QKD systems are required, which is currently an important research topic. Two QKD systems which can generate sifted keys at rates of Mbit/s have been developed [13, 14] by using frequency upconversion and Si avalanche detectors instead of detectors based on InGaAs APDs. However, the bottleneck in these systems is the data acquisition, which slows down the distillation of a secret key even if the sifted key generation rate at Bob's side is high. Furthermore, current point-to-point QKD systems should also be easily adaptable for use in telecommunication networks, as investigated in [15, 16]. Standards that ensure that QKD systems from different vendors are compatible should also be created. It is highly desirable that such new QKD systems work with small, robust and low-cost components.
Finally, the distillation of secret keys is currently limited to a distance of ~100 km between Alice and Bob. One way to overcome this distance barrier would be the development of quantum repeaters [17].
The ultimate goal of our quantum cryptography group is to develop a QKD system with the aforementioned characteristics, except for distance. Such a QKD system should work at 1550 nm wavelength and deliver secret keys over a distance of a few tens of km of optical fibre in a real-world setting, i.e. outside the laboratory and in a network environment. This thesis concerns the study of specific telecommunication components used to build a QKD system and a proof-of-principle demonstration of such a system. Its integration into telecommunication networks is facilitated by the addition of a classical data header that contains routing information plus information regarding the protocol and type of encoding utilized, and that allows synchronization and stabilization. To the best of our knowledge this is the first time that this type of header has been included in a QKD system. Our system is intended to operate at a clock rate of gigabits per second (Gbps), which will allow distillation of a secret key at Mbps (megabits per second). Fast single photon detectors are not available at the moment, but they can be included in the system once they become available.
1.5.2 Organization
In this chapter I have introduced classical cryptography, in particular, encryption schemes such as RSA, AES and the One-Time Pad. I also introduced the concepts of computational security and unconditional security.
Chapter 2 contains a detailed explanation of the QKD protocol utilized in our system, the so-called BB84 protocol, and a short description of other QKD protocols (Ekert91 and BBM92). I also describe in detail specific methods used for classical post-processing, and I present an introduction to some eavesdropping strategies that have been studied, as well as possible solutions to overcome such attacks. At the end of the chapter I describe relevant proof-of-principle demonstrations realized so far, including different kinds of encoding such as polarization encoding and time-bin encoding.
In chapter 3 I present the complete characterization of each component used and I give a detailed description of our proof-of-principle demonstration of the QKD system. Given that our QKD system works with polarization encoding and uses the decoy state protocol, I also describe how these protocols are implemented in our system by means of telecommunication components.
A discussion about the results obtained is presented in Chapter 4, including possible solutions to the problems encountered with certain components in the system.
Finally, in chapter 5, I give a summary of this work and discuss the improvements that should be made in the near future in order to build a complete, integrated QKD system operating on a real-world fibre link and delivering secret keys at Mbps.

Chapter 2
Quantum Key Distribution (QKD)
Many different QKD protocols exist and most of them have been implemented experimentally. In this chapter I introduce the protocol used in our QKD system and give a brief introduction to some other important protocols. Finally, I also introduce some of the most important proof-of-principle realizations of QKD and eavesdropping attacks that have been demonstrated so far.
2.1 Quantum key distribution protocols
2.1.1 BB84
The first and best-known QKD protocol was published by C.H. Bennett (IBM) and G. Brassard (University of Montreal) in 1984. It is now known as BB84 [18].
In this protocol Alice and Bob share two communication channels, a quantum channel that is used to transmit qubits, in our case single photons in different polarization states, and a classical channel for classical information. In our case both channels are optical fibers.
In the BB84 protocol, four quantum states are used. They form two bases, with basis vectors chosen such that the overlap between any pair of vectors, one from each basis, is the same. For example, the bases used in this work are {|+⟩, |−⟩} and {|R⟩, |L⟩}, where + and − refer to the +45° and −45° diagonal linear polarizations, with respect to a previously established frame of reference, and R and L to the right circular and left circular polarization states of a photon (see fig. 2.1). For these states |⟨+|R⟩|² = 1/2, and the same holds for the other pairs of vectors from different bases. We attribute the binary value 0 to the states |+⟩ and |R⟩, and 1 to the states |−⟩ and |L⟩.
In the BB84 protocol Alice sends individual photons to Bob in different qubit states, chosen uniformly at random among the four states. Bob in turn chooses randomly among the same two bases, from now on referred to as "Bob's bases", to measure the photons received from Alice. Bob then announces to Alice which qubits he detected.

[Figure 2.1: Four polarization states (+45° and −45° linear, R and L circular; R carries bit 0 and −45° bit 1) represented on the Poincaré sphere. Each pair (square or circle, respectively) represents a basis. Two different bases are shown.]

Whenever Alice and Bob choose the same basis, their bit values should be equal. When different bases are used, their bit values are uncorrelated. At this point of the protocol, Alice and Bob share a raw key, and the error rate in the key is 25%.
To discard the events where the bases do not match, Alice and Bob must perform a basis reconciliation process in which they publicly announce and compare the bases used to prepare and measure each photon. Note that they do not announce the result obtained from each measurement. Since the bases were chosen randomly, in half of the cases, on average, they will coincide. The bits for which the bases do not coincide, about 50% of the raw key, are discarded. During the basis reconciliation process Alice and Bob use an authenticated public channel on which Eve can listen but cannot modify the transmitted messages. The resulting key is called the sifted key.
Alice and Bob now estimate the quantum bit error rate (QBER). This step is done by disclosing randomly selected bits of the sifted key and comparing their values; since the disclosed bits are now public they are removed from the key. The QBER is the ratio of the number of wrong bits to the total number of bits received,
$$\mathrm{QBER} = \frac{N_{\mathrm{wrong}}}{N_{\mathrm{total}}}. \qquad (2.1)$$
The QBER can originate from a number of different sources, including noisy detectors, poor state preparation, or eavesdropping. From a conservative point of view, all the errors should be assigned to Eve trying to extract information from the transmitted qubits. As we will discuss in sec. 2.3, different eavesdropping attacks lead to different relations between the QBER and the information Eve holds on Alice's and Bob's key. Assuming one-way communication, and provided Eve's information is smaller than the mutual information between Alice and Bob, they can distill an error-free secret key by means of error correction and privacy amplification (see section 2.2).
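The BB84 steps described above (preparation, measurement, sifting, QBER estimation), as an added simulation that is not part of this thesis or of its QKD system. The state and basis labels, the 10% disclosure fraction for the QBER estimate and the optional eavesdropper are my own choices for illustration; the eavesdropper is a plain intercept-resend attacker, included only to show that eavesdropping raises the QBER of the sifted key, as the text states.

```python
import random

# Polarisation states used in the thesis: + / - (diagonal basis, bit 0 / 1)
# and R / L (circular basis, bit 0 / 1).  The basis names are my own labels.
STATES = {("diag", 0): "+", ("diag", 1): "-", ("circ", 0): "R", ("circ", 1): "L"}
BASIS_OF = {"+": "diag", "-": "diag", "R": "circ", "L": "circ"}
BIT_OF = {"+": 0, "-": 1, "R": 0, "L": 1}
BASES = ("diag", "circ")


def measure(state, basis, rng):
    """Measure a polarisation state in one of the two bases.

    Matching basis: the outcome is the encoded bit.  Mismatching basis:
    |<+|R>|^2 = 1/2, so the outcome is a fair coin flip.
    """
    if BASIS_OF[state] == basis:
        return BIT_OF[state]
    return rng.randrange(2)


def bb84_round(n, seed=0, eve=False, sample_fraction=0.1):
    """Simulate one BB84 exchange of n photons and return the key statistics.

    With eve=True an intercept-resend attacker (an illustration, not an
    attack discussed on this page) measures every photon in a random basis
    and resends the state she found.
    """
    rng = random.Random(seed)  # seeded only for reproducibility of the demo
    a_bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.choice(BASES) for _ in range(n)]
    b_bases = [rng.choice(BASES) for _ in range(n)]
    b_bits = []
    for bit, ab, bb in zip(a_bits, a_bases, b_bases):
        state = STATES[(ab, bit)]                          # Alice prepares
        if eve:
            eb = rng.choice(BASES)
            state = STATES[(eb, measure(state, eb, rng))]  # Eve measures, resends
        b_bits.append(measure(state, bb, rng))             # Bob measures

    # Raw key: every photon Bob detected (here all of them).  Its error rate
    # is 25% even without Eve, because half of the bases mismatch.
    raw_error_rate = sum(x != y for x, y in zip(a_bits, b_bits)) / n

    # Sifting: bases are compared publicly, mismatching positions are dropped.
    keep = [i for i in range(n) if a_bases[i] == b_bases[i]]
    a_sift = [a_bits[i] for i in keep]
    b_sift = [b_bits[i] for i in keep]

    # QBER estimation: disclose a random subset of sifted bits and compare.
    # The disclosed bits are public afterwards and leave the key.
    idx = list(range(len(keep)))
    sample = set(rng.sample(idx, max(1, int(sample_fraction * len(keep)))))
    wrong = sum(a_sift[i] != b_sift[i] for i in sample)
    qber = wrong / len(sample)
    a_key = [a_sift[i] for i in idx if i not in sample]
    b_key = [b_sift[i] for i in idx if i not in sample]
    return {
        "raw_error_rate": raw_error_rate,
        "sifted_len": len(keep),
        "qber": qber,
        "alice_key": a_key,
        "bob_key": b_key,
    }


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84_round(20000, seed=1, eve=eve)
        print(f"eve={eve}: raw error {r['raw_error_rate']:.3f}, "
              f"sifted {r['sifted_len']}, QBER {r['qber']:.3f}")
```

Without the eavesdropper the sifted key is error-free in this noiseless model and only the raw key shows the 25% error rate; with intercept-resend, Eve guesses the wrong basis in half of the sifted positions and then Bob's outcome is random, which puts the QBER near 25%.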
2.1.2 Ekert91
In this protocol, proposed by Artur Ekert in 1991 [19], Alice and Bob are linked to each other by a common source which emits pairs of qubits in a maximally entangled state. Alice and Bob each choose uniformly at random between two maximally conjugate bases to measure their qubits, and obtain correlated results whenever the bases they used coincide. As proposed by Ekert, Alice and Bob can use a third basis to test for the violation of a Bell inequality [20, 21]; only when the inequality is violated can a secret key be distilled from the sifted key.
2.1.3 BBM92
The BBM92 protocol was proposed by Bennett, Brassard and Mermin in 1992 [22]. It combines elements from both BB84 and Ekert91. As before, pairs of qubits are distributed to Alice and Bob in a maximally entangled state, e.g. the singlet $|\psi^-\rangle = \frac{1}{\sqrt{2}}(|01\rangle - |10\rangle)$. They randomly choose between two maximally conjugate bases (as in the BB84 protocol) to measure the photons. If they choose the same basis their results are perfectly (anti-)correlated, provided Eve did not eavesdrop on the transmission; for the singlet state the outcomes are anticorrelated in any common basis, so one party simply inverts their bit values. After this the processes of QBER estimation, error correction and privacy amplification are performed.
2.2 Classical Post-processing
Regardless of the protocol used, Alice and Bob will share a sifted key. Although they discard all the events where the bases do not match, the sifted key may still contain errors, and these errors may originate from different sources. A first possible source is the channel they share, which in general will be noisy, that is, a channel in which qubits may be modified. A second possible source of errors is an eavesdropper who might have been listening and could have obtained partial information on the sifted key. In order to distill an error-free secret key, Alice and Bob perform classical post-processing on the sifted key they share.
According to the Csiszár-Körner bound [23], for one-way error correction (such as the scheme based on low density parity check matrices described in sec. 2.2.1) Alice and Bob can distill a secret key as long as their mutual information is larger than the mutual information between Alice and Eve or the mutual information between Bob and Eve, whichever is smaller,
$$I(A:B) > \min\big(I(A:E),\, I(B:E)\big), \qquad (2.2)$$
where
$$I(A:B) = 1 - h_2(e) \qquad (2.3)$$
is the mutual information between A and B, $e$ is the quantum bit error rate (see sec. 2.2.1) and $h_2$ is the binary Shannon entropy given by
$$h_2(e) = -e\log_2(e) - (1-e)\log_2(1-e). \qquad (2.4)$$
Classical post-processing is common to all QKD systems regardless of the protocol used to establish a key. Nevertheless different methods of error correction and privacy amplification can be implemented. In the following paragraphs I will discuss in more detail the procedures required for distilling a secret key.
2.2.1 Error Correction
The first step is to apply an error correction protocol to the sifted key. The best-known error correction scheme in the quantum cryptography community is the Cascade protocol [24]. Although Cascade is efficient (the information exchanged for error correction approaches the Shannon limit), it requires multiple rounds of bidirectional communication, which is a time consuming process. In a future QKD system where the quantum key can be delivered at a high bit rate and over a long distance, error correction may become the bottleneck of the key distillation procedure.
An algorithm that could work better is based on low density parity check (LDPC) matrices [25], the advantage being that it requires only one-way communication. Either Bob can correct the errors in his sifted key (forward error correction) or Alice can correct the errors in her sifted key (backward error correction). In forward error correction Alice sends to Bob additional information (parity bits, represented by the vector $\mathbf{p}$) calculated from a publicly known low density parity check matrix and her sifted key,
$$\mathbf{p} = H\mathbf{a}, \qquad (2.5)$$
where $H$ is the low density parity check matrix and $\mathbf{a}$ is the vector containing Alice's key bits (all arithmetic is modulo 2). Bob, knowing $\mathbf{p}$, has to find the corrected key $\mathbf{b}'$ from $\mathbf{b}$, his sifted key before correction, such that $\mathbf{p} = H\mathbf{b}'$. To do this he takes into account the error in $\mathbf{b}$, i.e. the probability of having received a bit value 0 given that Alice sent a bit value of 1 or vice versa, which he knows from having estimated the QBER. The error correction algorithm is iterative and stops when the probability for each element of $\mathbf{b}'$ to be 1 lies within a small tolerance $\epsilon$ of either 0 or 1, i.e. is $0 + \epsilon$ or $1 - \epsilon$. Note that $\mathbf{p}$ travels over the public channel, so Eve learns it as well; this leakage has to be accounted for in the privacy amplification step.
The number of parity bits required for error correction depends on the error rate. Equating the code rate with the channel capacity,
$$\frac{l - p}{l} = I(X:Y) = 1 - h_2(e), \qquad (2.6)$$
where $l$ is the number of bits to be corrected, $p$ is the number of parity bits, $e$ is the QBER and $h_2$ is the binary Shannon entropy, we find the number of parity bits needed to be
$$p = l\, h_2(e). \qquad (2.7)$$
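Forward error correction with a parity-check matrix, as an added example that is not code from this thesis. It computes Alice's parities $\mathbf{p} = H\mathbf{a}$ of eq. (2.5), lets Bob recover $\mathbf{b}'$ with $H\mathbf{b}' = \mathbf{p}$ from the syndrome $H\mathbf{b} \oplus \mathbf{p} = H(\mathbf{a} \oplus \mathbf{b})$, and evaluates the Shannon limit $p = l\,h_2(e)$ of eq. (2.7). Two simplifications are mine: a small Hamming parity-check matrix stands in for a real LDPC matrix, and a brute-force minimum-weight syndrome decoder stands in for the iterative LDPC decoder described above; the 15-bit key and the error positions are constructed for the demonstration.

```python
from itertools import combinations
from math import log2


def h2(e):
    """Binary Shannon entropy h2(e) of eq. (2.4)."""
    if e <= 0.0 or e >= 1.0:
        return 0.0
    return -e * log2(e) - (1.0 - e) * log2(1.0 - e)


def parity_bits_needed(l, e):
    """Shannon limit p = l h2(e) of eq. (2.7): the fewest parity bits Alice
    must disclose to correct l bits at QBER e (real codes need somewhat more)."""
    return l * h2(e)


def hamming_parity_check(r):
    """r x (2^r - 1) parity-check matrix whose columns are the binary numbers
    1 .. 2^r - 1.  Stand-in for an LDPC matrix: the syndrome logic is the
    same, but this code guarantees correction of at most one error per block."""
    n = 2 ** r - 1
    return [[(j >> k) & 1 for j in range(1, n + 1)] for k in range(r)]


def syndrome(H, x):
    """H x over GF(2); equals the parity vector p of eq. (2.5) when x is Alice's key."""
    return [sum(h * xi for h, xi in zip(row, x)) % 2 for row in H]


def correct(H, b, p, max_errors):
    """Bob's side of forward error correction.

    He knows Alice's parities p = H a and his own noisy key b.  Because
    H b XOR p = H (a XOR b) = H e, the mismatch depends only on the error
    pattern e.  Here e is found by brute force as the lowest-weight pattern
    with that syndrome (an LDPC decoder finds it iteratively, using the QBER
    as prior).  Returns b' with H b' = p.  If more errors occurred than the
    code can resolve, the lowest-weight explanation is wrong and b' != a:
    the parity budget must match the measured QBER.
    """
    n = len(b)
    s = [x ^ y for x, y in zip(syndrome(H, b), p)]
    if not any(s):
        return list(b)
    for w in range(1, max_errors + 1):
        for pos in combinations(range(n), w):
            e = [0] * n
            for i in pos:
                e[i] = 1
            if syndrome(H, e) == s:
                return [x ^ y for x, y in zip(b, e)]
    raise ValueError("no error pattern of weight <= %d matches the syndrome" % max_errors)


if __name__ == "__main__":
    H = hamming_parity_check(4)                      # 4 parity bits for l = 15 key bits
    alice = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0]   # constructed sifted key
    p = syndrome(H, alice)                           # sent to Bob over the public channel
    bob = alice[:]
    bob[6] ^= 1                                      # one channel error
    print("single error corrected:", correct(H, bob, p, 2) == alice)
    print("parity bits for 10^6 bits at QBER 5%%: %.0f" % parity_bits_needed(10**6, 0.05))
```

At a QBER of 5% the bound of eq. (2.7) already costs about 29% of the corrected key in disclosed parities, which is why the efficiency of the error correction code matters for the final key rate.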
At this point of the protocol Alice and Bob share an identical key, but Eve could have obtained partial information during the transmission of the qubits or during the error correction process. Therefore Alice and Bob need to reduce Eve's information to an arbitrarily low value. To do so they use privacy amplification.
2.2.2 Privacy Amplification
During the privacy amplification process Alice and Bob randomly choose a compression function (a universal hash function) to eliminate the partial information Eve may have. Such hash functions map the large set of possible input strings (Alice's and Bob's error corrected key) to a smaller set of possible hash values (the secret key) in such a way that the probability that a different input string (Eve's partial key after error correction) is hashed to the same value is very small, at most $P = 1/2^n$, where $n$ is the number of bits in the secret key. In the context of QKD this means that the probability that Alice's final key and the key Eve derives from her partial knowledge are the same is very small.
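Privacy amplification with a randomly chosen universal hash, as an added example that is not code from this thesis; it also evaluates the Csiszár-Körner key length of sec. 2.2, $n\,(I(A:B) - I(A:E))$ with $I(A:B) = 1 - h_2(e)$. The hash family is my choice (binary Toeplitz matrices, a standard universal family), the security margin subtracted from the key length is an assumed parameter the page gives no value for, and the keys and seed bits are constructed. Because the hash is linear over GF(2), Eve's hash differs from Alice's exactly when the Toeplitz matrix does not annihilate the bits she has wrong, which the example checks explicitly.

```python
import random
from math import log2


def h2(e):
    """Binary Shannon entropy of eq. (2.4)."""
    if e <= 0.0 or e >= 1.0:
        return 0.0
    return -e * log2(e) - (1.0 - e) * log2(1.0 - e)


def final_key_length(n, qber, i_ae, margin):
    """Secret key length after privacy amplification from the Csiszar-Korner
    bound: n (I(A:B) - I(A:E)) with I(A:B) = 1 - h2(e), assuming error
    correction leaked exactly n h2(e) bits (the Shannon limit of eq. (2.7)),
    minus an assumed security margin."""
    return max(0, int(n * ((1.0 - h2(qber)) - i_ae) - margin))


def toeplitz_hash(bits, seed_bits, m):
    """Universal hash over GF(2): multiply the n-bit input by the m x n Toeplitz
    matrix T[i][j] = seed_bits[i - j + n - 1], fixed by n + m - 1 seed bits."""
    n = len(bits)
    if len(seed_bits) != n + m - 1:
        raise ValueError("need n + m - 1 seed bits")
    out = []
    for i in range(m):
        acc = 0
        for j in range(n):
            if bits[j]:
                acc ^= seed_bits[i - j + n - 1]
        out.append(acc)
    return out


def privacy_amplification(alice_key, bob_key, m, seed):
    """Alice draws the hash (the Toeplitz seed) at random and announces it over
    the public channel; both sides compress their corrected key to m bits.
    Returns (alice_final, bob_final, seed_bits).  A real system must draw the
    seed from a true random source, not a seeded PRNG as done here for the demo."""
    rng = random.Random(seed)
    t = [rng.randrange(2) for _ in range(len(alice_key) + m - 1)]
    return toeplitz_hash(alice_key, t, m), toeplitz_hash(bob_key, t, m), t


def eve_hash_differs(alice_key, eve_key, seed_bits, m):
    """True iff Eve's guess hashes to a different key.  By linearity
    T(a) XOR T(eve) = T(a XOR eve), so only the positions Eve has wrong matter."""
    diff = [x ^ y for x, y in zip(alice_key, eve_key)]
    return any(toeplitz_hash(diff, seed_bits, m))


if __name__ == "__main__":
    key = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1] * 2   # constructed corrected key
    m = final_key_length(len(key), qber=0.05, i_ae=0.1, margin=4)
    a, b, t = privacy_amplification(key, key, m, seed=7)
    eve = key[:]
    eve[5] ^= 1                                                   # one bit Eve got wrong
    print(m, a == b, eve_hash_differs(key, eve, t, m))
```

The seed bits are public, so the security rests only on the compression: with $m$ output bits a fixed nonzero difference vector is mapped to zero by a random Toeplitz matrix with probability $2^{-m}$, which is the collision bound quoted above.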
Before the key distillation process Alice and Bob agree to use a randomly chosen hash function $g_{ab}$ from a set of possible hash functions $G$: