andreas poppe ait - austrian institute of...

Quantenkryptographie geknackt?

FacultyFaculty of of PhysicsPhysicsQuantum Quantum OpticsOptics

Andreas PoppeAndreas Poppe

Prof. Anton Zeilinger

AIT AIT -- Austrian Institute of TechnologyAustrian Institute of TechnologyDepartment Department SafetySafety & & SecuritySecurity

Quantum TechnologiesQuantum Technologies

DonauDonau--City Strasse 1City Strasse 11220 1220 ViennaVienna

Austria / EuropeAustria / Europe

[email protected]@ait.ac.at

Quantum Key Distribution

Outlook:1. Introduction + Motivation

2. “Quantum Information” and single photons

3.Quantum systems for QKD

4.Entanglement: concept, generation + QKD

5.Experiments via fibers and over free-space & space

6.Permanent QKD-link test-pad in Vienna

7.Quantum Hacking

8.Summary


Outlook:1. Introduction + Motivation2. “Quantum Information” and single photons





7.Quantum Hacking

8.Summary

Cryptographic Primitives

are low level building blocks for implementing cryptographic systems

encryption (confidentiality)authentication (integrity, proof of origin)key distributiondigital signature scheme (proof of origin, integrity, non repudiation)+ other primitives for commitment schemes, oblivious transfer...

For each primitive exist different “flavours” with different security levels

16

Introduction

Security Levels of Cryptographic Primitives

(using the example of an encryption primitive...)

Computational security: there is a lower bound on the number of operations necessary to break a cipher. Achieving the lower bound is beyond current technology

Information theoretical security (ITS): the amount of information in the ciphertext is (without having the key) upper bounded by a constant ε> 0 during encryption. ε can be made arbitrarily small (ε possibly 2-100)

Perfect security: probability to get ciphertext C is exactly the same for all possible plaintext messages Mi, that is C gives exactly zero information about the plaintext (even with unlimited computing power)

15

ciphertextor cryptogram plaintextplaintext decrypt with

cipher and keyencrypt with

cipher and key

Introduction

Some “facts” on ITS

Not only gradually “higher” security - Fundamentally different kind of securityNo speedup in computer technology (quantum computer) will put ITS out of business

Yes, implementations of ITS schemes have side channels (like any other security ICT system implementation)QKD even has additional side channels related to its optical subsystemSide channels can be controlled.

It may occur that QKD systems (specific implementations) be compromised. But QKD by itself, as method, will not be compromised

14

Introduction

Motivations for using ITS primitives

They are definitely not replacements for computationally secure primitives

Requirement of long term confidentiality (forward security)Government, defenseMedical data, health data, genetic codesPersonal data (private data)

Highest security requirementsCritical information - when a break leads to unrecoverable disaster

Additional MotivationsEfficient solution for highest security standardsCompetitive and reputation advantage (confidence)Alternative solution for demanding usersBeing in regulatory conformity

12

Introduction

Collection of ITS Primitives

“Toolkit” for building highly secure applications

Encryption: One Time Pad (is in fact perfectly secure)Authentication: Wegman CarterKey distribution: QKD

Quantum random number generator

13

Introduction

One Time Pad - Vernam

Unconditional security:Unconditional security:• true random key• same length as message• used only once “One time pad”

G. Vernam J. Am. Institute of ElectricalEngineering Vol XLV, 109 (1926)

E.C. Shannon, Bell SystemsTechnicalJournal 28 656 (1949)

T. Jennewein, C. Simon, G. Weihs, H. Weinfurter, and A. Zeilinger „Quantum Cryptographywith Entangled Photons,“Phys. Rev. Lett. 84, 4730 (2000).

But:But:

Key distributionRandom

That calls for That calls for quantum quantum

cryptography! cryptography!

• One time pad• AES• DES

• RSA rely on one-way-functions,a) easy to calculateb) impossible (i.e. „hard“) to solve.

(e.g. factorization of prime-numbers, logarithmic curves)

Symmetric Ciphers:

Public Key Cryptosystems:

Classical Cryptography

21039 − 1

*K. Aoki et al. http://eprint.iacr.org/2007/205

Largest number, year 2007, to be factorized*> 1024 bit (typical RSA modulus)

RSA still secure because of special number

But previous record from 2006 was 913 bits

Why will QKD be needed?

1. Classical algorithmic gets better whileand computational power increased


2. Quantum computer may be realized (when?)→ Algorithm by Shor

Presented at QuantumComm 2009, Sorrento


3. New (optical) algorithms possible

Alice and Bob want to share a key

Classical Channel

• Eve can easily buy \ steal \ copy classicaldata without being detected

Quantum Channel

• Use of quantum channel

Secure Communication

0110101001010?

Cloning Attack: Eve tries to „amplify“ single qubitIntercept – Resend attack

Alice shares qubits with Bob

Whatever Eve does: Laws of physics prevent herto extract information without disturbing the qubits!

Quantum world:

No-Cloning Theorem !!!!

Attacks from Eve

Alice and Bob must evaluate the errors on the quantum line

Solution for key distribution

plaintext plaintext

secret key

encryptionalgorithm

QKDdeviceAlice

QKDdevice

Bob

key expansion

secret key

decryptionalgorithm

key expansion

Receiver (Bob)Sender (Alice)public channel

(email, ftp, ...)

public data channel

quantum channel


Use correlations from entanglement



2.“Quantum Information” and single photons3.Quantum systems for QKD




7.Quantum Hacking

8.Summary

Information Information isis storedstored as a:as a:

BitBit QubitQubit„„00““ oror „„11““ „„00““ andand „„11““

SchrSchröödingersdingers CatCat

Quantum Information

Separation between |H> and |V>:

| H⟩|V⟩ The electric field vector is perpendicular or parallelto i.e. optical table.

|V⟩

| H⟩

Polarizingbeamsplitter

PBS

+) handling of photons easy -) storage of photons difficult

BIT: Information Encoded inthe Polarization of Light

Laser Modulator

“1” or “0”

or|V⟩ | H⟩

“1” “0”

Superposition of Qubits

Information stored on individual quantum systems = QUBITSe.g. polarized single photons:

=

=

Superposition of qubits:

Detector

Single PhotonSource

0 1

Bennet and Brassard Proc of. Int.Conf. Computers, Systems & Signal Processing, Bangalore India 175 (1984)

The BB84 Protocol

HSPSH

V

measureprepare

PBS 0°

Alice Bob

Eavesdropping

H

Eavesdropping

PBS 0°

HV

measure resend

SPSSPS HH

V

measureprepare

PBS 0°

Case 1: Eve guesses the measurement basis

Alice BobEve

H

PBS 45°

Alice BobEve

PM

measure resend

SPSSPS P

HV

measureprepare

PBS 0°

Case 2: Wrong guess

Error!




3.Quantum systems for QKD4.Entanglement: concept, generation + QKD



7.Quantum Hacking

8.Summary

Basic BB84-QKD schemes

( , )!

nP n e

nμμμ −=

0 1 2 3 4 50,0

0,2

0,4

0,6

0,8

P(n)

n

<n>=0.1 <n>=1

Poissonian Statistics:

• Decreased pulse energy to single photon level• :-) easy, cheap, reliable• :-( not a real single photon source

Weak Coherent Pulses (WCP)

Solomon, Pelton, Yamamoto, PRL 86 (2001) 3903

Visser, Allaart, Lenstra, quant-ph/0210170

Quantum Dots (“artificial Atoms”)

True Single Photon Sources

Basic QKD schemes





4.Entanglement: concept, generation + QKD5.Experiments via fibers and over free-space & space


7.Quantum Hacking

8.Summary

Erwin Schrödinger

• The individual event has no cause• Information is carried by correlations• violates local realism (Bell-Inequality)

Entanglement

Signal(vertical)

Idler(horizontal)

BBO crystal

UV-pump

Kwiat et al, PRL 75, 4337 (1995)

Spontaneous ParametricDownconversion - SPDC

Type II

idlersignal pump ωωω +=

idlersignal pump kkkrrr

+≈

BBOBBO

AliceAlice

SPDC at the breadboard levelSPDC at the breadboard levelLaserLaser

BobBob

BBM92 (Bennet, Brassard and Mermin, PRL (68), 557,1992EPR-QKD protocols are equivalent to BB84

QKD Protocol BBM92

Polarization-Entangled Photons are created, coupledinto optical fibers and sent to Alice and BobAlice and Bob announce their measurement bases. Events measured in different bases are discarded –> Sifted Key.

Sifted Key: 010111…

Alice and Bob measure the polarization of the photonsrandomly in one of two bases (H/V, +/-) -> Raw Key

Entanglement based QKD

Cloning Attack: Eve tries to „amplify“ single qubitIntercept – Resend attack

Alice shares qubits with Bob

Whatever Eve does: Laws of physics prevent herto extract information without disturbing the qubits!

Quantum world:

No-Cloning Theorem !!!!

Attacks from Eve

Alice and Bob must evaluate the errors on the quantum line

( ( , ) ( , ))net siftedR R I a b I a e= −

Eve‘s Information

Bob’s Information

counts allcounts false

=QBER

Mutual information between Alice and Bob

What about errors?








7.Quantum Hacking

8.Summary

Bank-Experiment

A. Poppe, et. al., "Practical quantum key distribution with polarizationentangled photons," Opt. Express 12, 3865-3871 (2004)http://www.opticsinfobase.org/abstract.cfm?URI=oe-12-16-3865

Quantum Channel

1.45 km 810 nm OpticalSM–Fiber, Overall attenuation 6dB

Classical Channels

Synchronization: 1.45km 1550 nm SMF

TCP/IP: 2 x 1550nm SMF

A Real-World Scenario

First QKD secured bank wire transfer.

A

B

M. Aspelmeyer, H.R. Böhm, T. Gyatso, T. Jennewein, R. Kaltenbaek, M. Lindenthal, G. Molina-Tereza, A. Poppe, K. Resch, M. Taraba, R. Ursin, P. Walther, A. Zeilinger Science 301 (2003) p621

Outdoor Experiment

8km8km

7,2km

8km

KufnerKufner -- SternwarteSternwarte

TwintowersTwintowersMillenniumstowerMillenniumstower

~5km ~5km ensprichtensprichtSatellitenlinkSatellitenlink

8km8km

K. Resch et. al., "Distributing entanglement and single photons through an intra-city, free-space quantum channel," Opt. Express 13, 202-209 (2005)

144 km

La Palma and Tenerife

International Space Station (ISS)

Columbus laboratory(ESA)

Aspelmeyer et al., quant-ph/0305105Kaltenbaek et al., quant-ph/0308174Pfennigbauer et al., JON 4, 549-560 (2005)

Entangled photon source

Electronics

Two downlink telescops

Space-QUEST

QBB - Physical Nodes

Results

BB 84

Det 810

Sourceentangled

photonpairs

810nm

Det1550

Trigger pulses for Bob’s detector

Optical fiber

BB 84

ALICEEmbedded

systemPower-PC

BOBEmbedded

systemPower-PC

1550nm

public channel

AliceBob

Long-time testin a deployed

fiber of theQKD-network

H. Hübel et al., Opt. Expr. 15, 7853-7862 (2007)

Periodically poled crystals

20000 polarisationentangled pairs

measuredat 810/1550 nm

Visibilities: >95%







6.Permanent QKD-link test-pad in Vienna7.Quantum Hacking

8.Summary

Permanent QKD linkUnder construction: a permanent quantum cryptography link between AIT and University of Vienna

Permanent QKD-link








7.Quantum Hacking8.Summary

Side Channel Attacks

QKD allows to detect attacks on the single photon

attack other parts of the system, the implementation

Every system leak can be used to gain information!

“Thus, our prototype was unconditionally secure against any eavesdropper who happened to be deaf!”Charles Bennett

First realisation of BB84 protocol (1989)C. Bennet et al., “Experimental Quantum Cryptography”, Journal of Cryptology, 5, 3-28 (1992)

Power supply for Pockels-cell make voltage dependent noise

Historic example:

noise reveals polarisation

1. Detector efficiency mismatch

Practical QKD setup: quantum efficiency of detectors are not perfectly matched

leads to asymmetrical statistics in the raw-key

0 1

50%

0 1

50%

Ideal case: Practical case:

Solutions:

Additional privacy amplification

- Simple (just another component in the PA-function)

- Reduces size of secure key

Adjust bias-voltage of detectors to level count rates

- detectors need interface (RS232, Ethernet … ) to access bias-voltage

- for our system: in work

2. Detector Timing Mismatch

Trigger circuit: detection event creates sync-pulse

WD

M

Problem: practical detectors have different response times

Eve can obtain the bit-value by measuring the time-difference

See also A. Lamas-Linares and C. Kurtsiefer, Opt. Expr. 15, 2007

3. Time Shift Attack

B. Qi, et al., Quant. Info. Compu. 7, 73 (2007)

Eve actively introduces delay tD between gate and photon

Perfectly synchronised detectors: reduced count rates on both detectors

Not perfectly synchronised: different count rates

asymmetric statistic in the raw-key

Quick variation of two delays +tD and –tD

same average rates for both detectors

4. Detector blinding

Vadim Makarov, New J. Phys. 11, 2009

Error in the circuit of Perkin Elmer Si-APDs

Strong laser pulse brings detector from Geiger to linear mode

Eve can control Bob: Eve can decide which detector will fire

SPCM-AQ4C

Applicable to our system? No!

- a SPCM-AQ4C module is used for Alice

- Not connected to quantum channel

Eve cannot apply the attack

Is attack applicable to gated InGaAsdetectors like id201 ???

Attack is easily detectable

Detector blinding

Hacking Perkin-Elmer APDs


Kurzer, starker Puls Detektor wechselt in den linear mode

Detektor bleibt im linear mode!

Weiterer Puls Detektor klickt nie oder immer (je nach Leistung!)


Fake-State-Attack (modified intercept & resend)

Eve:

1. Measure state of Alice’s photon (=fake Bob)

2. Blind Bob’s detectors (e.g. right-circular bright pulse, some mW)

3. Send fake state (~2*threshold-power)

4. Bob’s measurement outcome is always the same as Eve’s (no 25% error!)

Hacking detectors








7.Quantum Hacking

8.Summary

Summary

QKD QuantumSystems

ForQKD

Downconversion Experiments Space

Permanent QKD linkUnder construction: a permanent quantum cryptography link between AIT and University of Vienna

Permanent QKD-link

andreas poppe ait - austrian institute of...

Documents