Quantum Quantum Cryptography, Or How Alice Outwits

Quantum Crypto ?? Quantum Cryptography or How Alice Outwits Eve

Cani Samuel J. Lomonaco, Jr. Dept. of Comp. Sci. & Electrical Engineering University of Maryland Baltimore County Baltimore, MD 21250 Email: [email protected] WebPage: http://www.csee.umbc.edu/~lomonaco

L-O-O-P

This work is supported by: Introducing Alice & Bob

! • The Defense Advance Research Projects ob Alice hr Bob Agency (DARPA) & Air Force Research T Laboratory (AFRL), Air Force Materiel Command, USAF Agreement Number F30602-01-2-0522. • The National Institute for Standards and Technology (NIST) Sender Receiver • The Mathematical Sciences Research Eve Bah ! Institute (MSRI). Humbug ! • L-O-O-P The L-O-O-P Fund. • The Institute of Scientific Interchange Eavesdropper

Introducing Alice & Bob Key Idea b ! Alice ro RobertoBob Th Quantum cryptography provides a new mechanism enabling the parties communicating with one another to: Sender Receiver Automatically detect eavesdropping. EvePia Bah ! Consequently, it provides a means of Humbug ! Spia determining when an encrypted communication has been compromised.

Eavesdropper

1 The Dilemma Alice Takes a Cryptography Course How can I outwit Eve How do I prevent ??? Eve from eavesdropping ??? ? ? ? ? ? ?

Alice

Alice

Classical Shannon The Bit Classical Decisive World Individual

0 or 1

Classical Bits Can Be Copied

In Out Cryptographic Copying Machine Systems

2 A Classical Cryptographic Communication System Catch 22

Eavesdropper Il cane che si morde la coda Eve Transmitter Receiver Alice Bob

Info Insecure Info Encrypter Decrypter Source Channel Sink There are perfectly good ways to

Key communicate in secret provided P = Plaintext C = Ciphertext P = Plaintext we can already communicate in secret … Secure Channel

Classical Crypto Systems Types of Communication Security • Practical Secrecy (Circa 106 BC) Ciphertext breakable after x years CHECK LIST Examples: Data Encryption Standard (DES), Catch 22 Solved ? NO Examples: Data Encryption Standard (DES), • Advanced Data Encryption Standard (AES) • Authentication ? NO • Eavesdropping Detection ? NO • Perfect Security (Shannon, 1949) Ciphertext C without key gives no information about plaintext P

Prob() P|C= Prob ()P

An Example of Perfect Security Difficulties The Vernam Cipher, a.k.a., the One-Time-Pad Consider a random sequence of bits • PROBLEM: Long random bit sequences == must be sent over a secure channel Key K K12 K K n Encrypting algorithm • CATCH 22: There are perfectly good ways =+ CPKii imod 2 to communicate in secret provided we can communicate in secret … P = 0110 0101 1101 K = 1010 1110 0100 KEY PROBLEM in CRYPTOGRAPHY: ⊕= • C 1100 1011 1001 We need some way to securely communicate key • Perfectly secure if key K is unknown • Easy to decode with Key = K

3 Objective of All Crypto Systems: Safety Objective of All Crypto Systems: Safety

Old Idea: New Idea: Unconditional Security Computational Security

The crypto system can resist any cryptanalitic attack no matter The crypto system is unbreakable how much computation is involved. because of the computational cost of cryptanalysis, but would succumb to an attack with unlimited computation.

Computational Security Computational Security (Diffie-Hellman, circa 1970) For example, the crypto system: For example, the crypto system: Public Key Crypto Systems … Example: RSA 30 • Requires 10 years to be broken on the Public Phone • E fastest known computer EB Directory C 100 C • Or, requires 10 bits of memory to break Insecure Channel • Or, requires 1030 euros to break • Encrypter Decrypter D C DB P P System computationally safe implies safe for Eavesdropper all practical purposes Info Eve Info Source Sink Idea comes from a field in computer science called Computational Complexity. Transmitter Receiver Alice Bob

Public Key Crypto Systems Alice Takes a Quantum Mechanics Course

CHECK LIST • Catch 22 Solved ? Yes & No •Authentication ? Yes •Eavesdropping Detection ? No

Alice

4 Introducing the Quantum Bit … The Qubit The Look Here Indecisive Quantum Individual World Can be both 0 & 1 at the same time !

Quantum Representations of Qubits Quantum Representations of Qubits 1 Example 1. A spin- particle Example 2. The polarization state of a photon 2

Vertical Horizontal Polarization Polarization

1 = 0 =↔ Spin Up Spin Down 1 0 1 0

Where does a Qubit live ? H = Def. A Hilbert Space is a vector space H over together with an inner Home product −− ,: HH × → such that A Qubit is a quantum += + += + system whose state is 1) uuv12,,, uvuv 1 2 & vu ,,, 12 u vu 1 vu 2 2) uv,,λλ= uv represented by a Ket ∗ 3) uv,,= vu lying in a 2-D Hilbert ∈ 4) ∀ Cauchy sequu,,… in H , lim un H 12 n→∞ Space H The elements of H will be called kets, and will be denoted by label

5 Superposition of States “Collapse” of the Wave Function Qubit A typical Qubit is ??? αα01+= e 01 iv is c =+αα !! e 0101 ! Observer d h n s I o o 22 h αα+= W where 011 2 b | o i The above Qubit is in a Superposition of states r a P | 0 and 1 = i It is simultaneously both 0 and 1 !!!

Another Activity in Quantum Village:

Measurement MeasurementMeasurement Measurement

Connecting Quantum Village to the Classical World

Group of Friendly Physicists

Another Activity in Quantum Village: Observables ???

Measurement Measurement What does our observer Measurement actually observe ?

Observables = Hermitian Operators

O A HH→

where T = Group of Angry Physicists OOA A

6 ??? Observables (Cont.) ??? Observables (Cont.) ??? What does our observer observe ? What does our observer actually observe ? The state of an n-Qubit register can be written in the eigenket basis as Ψ= α ϕ ϕ ∑ i ii Let i be the eigenkets of O A , and let a i denote the corresponding eigenvalues , i.e., = α 2 So with probability p ii , the observer ϕϕ= a O Aia ii observes the eigenvalue i , and !! h os Caveat: We only consider observables whose ho eigenkets form an orthonormal basis of H ϕ W i

Measurement Revisited Important Feature of Observable MacroWorld Eigenvalue Observable MacroWorld λ Quantum Mechanics j O It is important to mention that: Physical =ψψ Out Prob Pj In Reality

Philosopher We cannot completely P ψ Turf ψ = j ψ j ψψP control the outcome of BlackBox j quantum measurement Q. Sys. Quantum Q. Sys. State World State

O = λ P where ∑ j jjSpectral Decomposition

More Dirac Notation

Hilbert Space of morphisms from H to * More Let HH= Hom(), Dirac * We call the elements of H Bra’s, and Notation denote them as label

7 More Dirac Notation Dirac Notation (Cont.) * There is a dual correspondence between and H H • Consider a Quantum System in the state † B t r ψ Ket Ke ψψ↔ a * • Suppose we measure many of these Hermitian There exists a bilinear map HH×→ • states with the observable A Operator defined by ()ψψ()∈ 12 • Then the average value of all these which we more simpy denote by measurements w.r.t. A is: Avg. ψψ| of A 12 ψψ()AAA== ψψ|| BraBra-c-KetKet

Heisenberg’s Uncertainty Principle = 1 The No-Cloning Theorem Definition. Observables A and B are compatible if []AB,0=−= AB BA Dieks, Wootters, Zurek Otherwise, A and B are incompatible. ∆= − Let AA A In Out Copying Heisenberg’s Uncertainty Principle Machine 221 2 ()∆∆≥AB() [] AB, 4

()∆ 2 A is the Standard Deviation. It is a measure of the uncertainty of the observable A .

Particle vs Wave Picture of Matter Young’s 2-slit Experiment

An Example of E

E Heisenberg’s E E

B L Uncertainty O E C Principle K

8 Particle vs Wave Picture of Matter Particle vs Wave Picture of Matter Young’s 2-slit Experiment Young’s 2-slit Experiment

B E L O C E K E

E

E Particle not observed An interferenceBut a wave patternobserved appears

Particle vs Wave Picture of Matter Application of Heisenberg’s Uncetainty Principle Young’s 2-slit Experiment Observables X Position Operator = 1

O P Momentum Operator b se er ve Note: X and P are incompatible observables; for: []XP,0=− i ≠ Therefore, by Heisenberg’s Uncertainty Principle:

2211 ()∆∆≥XP() [] XP, = 44 What happens if we observe which of the two slits each electron passes ? Uncertainty Uncertainty the two slits each electron passes ? in Position in Momentum

The interference pattern disappears !! Ergo, to know precisely which of the two slits the Wave not observed; electron passed through, forces the momentum to be But a particle is observed ! uncertain

Alice Daydreams Alice Has an Idea How can I But How ??? outwit Eve How do I prevent ??? Idea: Couldn’t I somehow Eve from use Heisenberg’s Uncertainty Principle to eavesdropping ??? detect Eve’s eavesdropping ? ? ??? ? ? ? ?

Alice Alice

9 Alice Bob Bob Alice Bob

Eve

What if the evil Eve tries to listen in ??? What if I use the the electron gun to send Bob a message, i.e., an interference pattern ??? Aha! Bob knows the evil Eve is listening in !!!

A Quantum Crypto System for the Alice Invents the BB84 BB84 Protocol Quantum Crypto Protocol

Two-Way Communication

Public Channel BB84 = Bennett-Brasard 1984 Second Stage Second Stage

Alice Eve Bob

First Stage First Stage Quantum Channel

One-Way Communication

Two Bases of 2-D Hilbert Space H The Quantum Channel • The vertical and horizontal polarization states • Alice will communicate over the quantum and ↔ channel by sending 0’s and 1’s, each encoded form a basis of H which we will call the as a quantum polarization state of an individual vertical/horizontal (V/H) basis photon.

• Reminder: We note that the polarization state of an individual photon is an element • The slanted polarization states ψ of a 2-D Hilbert space H . and also form a basis of H which we will call the oblique basis

10 Quantum Channel Encoding Conventions Using Heisenberg’s Uncertainty Principle

• For the V/H basis , Alice & Bob agree to communicate via the following quantum alphabet • Because of Heisenberg’s uncertainty principle, "1" = Alice & Bob know that observations with respect to the basis are incompatible with "0"=↔ observations with respect to the basis.

• For the oblique basis , Alice & Bob agree to communicate via the following quantum alphabet • So Alice communicates to Bob by randomly choosing between the two quantum alphabets "1" = choosing between the two quantum alphabets and . "0"=

BB84: Eve Not Present (No Noise is Assumed) BB84: Eve Is Present (No Noise is Assumed)

Alice If Eve is eavesdropping, then she will create ↔ ↔ (because of Heisenberg’s uncertainty principle) an error rate between Alice’s & Bob’s RAW KEY. 1 0 0 1 1 0 0 1 0 1

Thus, Alice and Bob can determine Eve’s presence by W C W C C C C W C W publicly comparing a small portion of their respective RAW KEYs. If there are errors, they know Eve is Bob present, discard their RAY KEYs, and start all over again. If there are no errors, they will then 1 0 1 1 1 0 0 0 0 0 discard the publically disclosed portion. Then the undisclosed portion of their RAW KEYs agree, and is 0 1 1 0 0 0 now an uncompromised secret FINAL KEY shared by Alice and Bob. Raw Key

Summary

Public Discussion Topic: Which Observable Did You Use ? Classical Public Channel Second Communication What Happens Bob Alice 2-Way if Quantum Channel Eve Listens In ? First Communication 1-Way 50% of Bits Discarded Result: Raw Key Their Raw Keys agree if Eve not eavesdropping

11 BB84: Eve Is Present (No Noise is Assumed) Choosing Quantum Alphabets

Alice’s - 0 - 1 1 0 0 - 0 - Raw Key Raw Key Prob=1/2 100%

Alice Prob=1/2 ↔ ↔ Raw Key Prob=1/2 50% 1 0 0 1 1 0 0 1 0 1 50% Prob=1/2 Eve Prob=1/2 1 0 1 1 1 1 0 1 0 0 Raw Key Prob=1/2 50% Bob Prob=1/2 1 0 1 1 1 1 1 0 0 0 Raw Key 100% Bob’s Alice’s Eve’s Bob’s Raw Key - 0 - 1 1 1 1 - 0 - Choice Choice Choice

BB84: Eve Is Present (No Noise is Assumed) The BB84 Protocol Step by Step No Noise • Over the quantum channel, Alice sends her message to Bob, randomly choosing between the quantum alphabets

• Over the public channel, Bob communicates to Alice which quantum alphabets he used for each measurement. Hence, if Eve eavesdrops, then Alice quantum alphabets he used for each measurement. & Bob’s Raw Keys disagree by 25%. • Over the public channel, Alice responds by telling Bob which of his measurements were made with the correct alphabet.

• Alice & Bob then delete all bits for which they used incompatible quantum alphabets to produce their resulting RAW KEYs.

• If Eve has not eavesdropped, their their two RAW KEYs will be the same.

The BB84 Protocol Step by Step (Cont.) The BB84 With Noise No Noise Raw Key is Noisy

• Over the public channel, Alice & Bob compare small portions of their RAW KEYs, and then delete the disclosed bits from • Bob can not distinquish between their RAW Key to produce their FINAL KEY. • Error caused by Noise • Error caused by Eve • If Alice & Bob find through their public disclosure that no errors were revealed, then they know Eve was not present, and now share a common secret FINAL KEY. • Bob adopts the working assumption • All errors caused by Eve • Ergo, Eve has some portion of RAW KEY

12 Solution: Privacy Amplification Preamble to Privacy Amplification

• Alice & Bob begin by permuting RAW KEY with a publically disclosed random permutation.

Privacy Amplification: Distilling a smaller • Alice & Bob publicly compare blocks of RAW KEY secret key from a larger partially secret to estimate error rate Q. key. • Alice & Bob discard any portion of the RAW KEY that has been publicly disclosed.

≥ • Q Threshold ⇒ Privacy Amplification not possible! Restart everything !

Privacy Amplification Begins Change in Role for Crytanalysts

If Q < Threshold, then Privacy Amplification is possible • Based on Q , Alice & Bob estimate that ≤ k • Old Role: Crack ciphers ! bits out of n are known by Eve.

• Let s = a security parameter to be adjusted as required. • New Role: Detect eavesdroppers ! • Alice & Bob compute the parities of n-k-s publicly chosen random subsets.

• Both Alice & Bob keep these parities secret. These parities form the FINAL SECRET KEY.

Quantum Crypto Protocols The B92 Prtocol

• Uses 2-D Hilbert space H for • BB84 polarized photons

• B92 • Use only one Quantum Alphabet θ 1 = • EPR where 0/2<<θπ 0 =

• Others |sin2= ()θ

13 Measurement: POVM Binary Erasure Chanel (BEC) p 1 = r 1− ? A = Non-Commuting r + 0 = 1| Observables p

1− == A = pA|| || A 1|+ ===()θ rR|sin2 0 =− − AAA? 1 • There are eavesdropping strategies that do modify inconclusive results (i.e., % of erasures).

• There are eavesdropping strategies which do not.

Eavesdropping Strategies Opaque Eavesdropping

• Opaque eavesdropping

• Translucent eavesdropping without Eve intercepts Alice’s message, and entanglement then masquerades as Alice by sending on her received message to Bob • Translucent eavesdropping with entanglement

• Lie low eavesdropping strategies

• Other eavesdropping strategies ?

Translucent Eavesdropping Without Entanglement Translucent Eavesdropping With Entanglement

Eve makes the information carrier interact To increase her information, Eve may attempt unitarily with her probe, and then lets it to entangle the state of her probe and the proceed on to Bob in a slightly modified state carrier that she is resending: 00'ψψ⇒ + 00'1'ψαψβψ⇒ +−+

11'ψψ⇒ − 11'0'ψβψαψ⇒ −++

ψ where denotes the state of the where ψ denotes the state of the probe. probe.

14 Optical Implementations Next ???

• Over 100 kilometers of fiber optic cable • Earth/Satellite Communication

• Over 2 kilometers of free space • Single photon sources

• There are many testbed implementations both in USA and the EU

Difficulties

• Multi-User Quantum Crypto Protocols

• A more rigorous mathematical proof that quantum crypto protocols are impervious to all possible eavesdropping strategies. TheThe EndEnd

Quantum ComComputationputation and Information, Samuel J. Lomonaco, Samuel J., Jr., An Entangled Tale Lomonaco, Jr. and Howard E. Brandt (editors), AMS of Quantum Entanglement, in AMS PSAPM/58, CONM/305, (2002). (2002), pages 305 – 349.

15 Other PowerPoint Talks to Be Found at Elementary http://www.csee.umbc.edu/~lomonaco

• A Rosetta Stone for Quantum Computation

• Three Quantum Algorithms

• Quantum Hidden Subgroup Algorithms

• An Entangled Tale of Quantum Entanglement

Advanced

16