post processing for quantum key distribution
TRANSCRIPT
11
PostPost--processing for processing for quantum key distributionquantum key distribution
Xiongfeng MaXiongfeng MaCQIQC, University of TorontoCQIQC, University of Toronto
Institute for Quantum ComputingInstitute for Quantum ComputingChiChi--Hang Fred Fung, JeanHang Fred Fung, Jean--Christian Boileau, Hoi Fung ChauChristian Boileau, Hoi Fung Chau
Computers & Security 30, 172 Computers & Security 30, 172 –– 177 (2011)177 (2011)Phys. Rev. A 81, 012318 (2010)Phys. Rev. A 81, 012318 (2010)
22
OutlineOutline
IntroductionIntroductionSecurity proofSecurity proofFinite key analysisFinite key analysisPostPost--processingprocessingConclusionConclusion
33
IntroductionIntroduction
44
Private key cryptosystemPrivate key cryptosystem
Alice and Bob share two identical keys Alice and Bob share two identical keys secretly: onesecretly: one--time padtime pad
Key Distribution
Encode
10010110101
00111010100
10101100001
XORMessage
Code
Alice
Key
Decode
00111010100XOR
10101100001
10010110101 Message
Code
Bob
Key
55
Quantum key distributionQuantum key distribution
BB84 (Bennett & Brassard 1984)BB84 (Bennett & Brassard 1984)
Alice
0101100
0:1:
01X11X001X11X0
Bob
0101110
Eve
1110100
11010011X10X0
66
Biased basis choiceBiased basis choiceStandard BB84Standard BB84
Alice and Bob choose XAlice and Bob choose X-- and Zand Z--basis with equal basis with equal probabilities (50/50)probabilities (50/50)Basis sift factor: 1/2Basis sift factor: 1/2
Efficient BB84Efficient BB84Alice and Bob choose XAlice and Bob choose X-- and Zand Z--basis with different basis with different probabilities, i.e., with a biasprobabilities, i.e., with a biasBasis sift factor: approaches to 1 asymptoticallyBasis sift factor: approaches to 1 asymptotically
TradeTrade--offoffIn practice, a larger bias leads to less accurate phase In practice, a larger bias leads to less accurate phase error rate estimation. Think about the extreme case.error rate estimation. Think about the extreme case.
H.H.--K. Lo, H. F. Chau, and M. Ardehali, J. Crypto. 18, 133 (2005).K. Lo, H. F. Chau, and M. Ardehali, J. Crypto. 18, 133 (2005).
77
In practiceIn practice
Biased basis ratio, e.g., 90% for ZBiased basis ratio, e.g., 90% for Z--basis basis and 10% for Xand 10% for X--basisbasisBit reconciliationBit reconciliation
Error correction: straightforward*Error correction: straightforward*Authentication and error verificationAuthentication and error verificationPrivacy amplificationPrivacy amplification
Amount: phase error rate estimationAmount: phase error rate estimationEfficiency: hash matrix constructionEfficiency: hash matrix construction
Confidence level on the final keyConfidence level on the final keySecurity parametersSecurity parameters
88
ObjectivesObjectivesLink between security analyses and Link between security analyses and experimentsexperiments
InfiniteInfinite--key analysis to finitekey analysis to finite--key analysiskey analysisPostPost--processingprocessing
From raw key to final key, step by stepFrom raw key to final key, step by stepParameter optimizationParameter optimization
Biased basis choiceBiased basis choiceSecurity parameter vs. secureSecurity parameter vs. secure--key costkey cost
Towards a security analysis standardTowards a security analysis standardSecurity claimSecurity claimFinal key size evaluationFinal key size evaluationUnderlying assumptionsUnderlying assumptions
99
TakeTake--home messageshome messagesA practical postA practical post--processing scheme: step by stepprocessing scheme: step by step
Basis independent sourceBasis independent sourceSquashing model compatible detection systemSquashing model compatible detection system
Biased basis ratioBiased basis ratioTypically, 90:10Typically, 90:10
Authentication: can be done efficiently in practiceAuthentication: can be done efficiently in practiceError verification: essentially an authentication schemeError verification: essentially an authentication scheme
Phase error estimation: a strict bound Phase error estimation: a strict bound Main contribution to the finiteMain contribution to the finite--key effectkey effect
Efficiency of privacy amplification: highEfficiency of privacy amplification: highOther sources and protocols: yet to be doneOther sources and protocols: yet to be done
Decoy state, COW, DPS, Decoy state, COW, DPS, ……
X. Ma, C.X. Ma, C.--H. F. Fung, J.H. F. Fung, J.--C. Boileau, H. F. Chau, C. Boileau, H. F. Chau, Computers & Computers & Security 30, 172 Security 30, 172 –– 177 (2011)177 (2011)
1010
Why is it secure?Why is it secure?
1111
A quick reviewA quick reviewPreparePrepare--andand--measure protocolsmeasure protocols
BB84, sixBB84, six--statestate……Entanglement based protocolsEntanglement based protocols
Ekert91, BBM92Ekert91, BBM92Unconditional security proof Unconditional security proof
Mayers (1996) Mayers (1996) Lo and Chau (1999)Lo and Chau (1999)Shor and Preskill (2000)Shor and Preskill (2000)Devetak and Winter (2003), Renner (2005)Devetak and Winter (2003), Renner (2005)
Security analysis for QKD with imperfect devicesSecurity analysis for QKD with imperfect devicesE.g. Mayers, LE.g. Mayers, Lüütkenhaus, ILMtkenhaus, ILMKoashiKoashi--PreskillPreskillGottesmanGottesman--LoLo--LLüütkenhaustkenhaus--Preskill (GLLP)Preskill (GLLP)
1212
Entanglement based protocolsEntanglement based protocols
Alice (or Eve) prepares an EPR pairAlice (or Eve) prepares an EPR pair
Alice and Bob each measures one half of the Alice and Bob each measures one half of the pairpair
Estimate bit and phase error ratesEstimate bit and phase error ratesZ basis measurement (bit)Z basis measurement (bit)
|0> or |1>|0> or |1>X basis measurement (phase)X basis measurement (phase)
|0>+|1> or |0>|0>+|1> or |0>--|1>|1>
)1100(2
1 +=ΨAB
C. H. Bennett, D. P. DiVincenzo, J. A. Smolin, and W. K. WootterC. H. Bennett, D. P. DiVincenzo, J. A. Smolin, and W. K. Wootterss,,PRA 54, 3824 (1996).PRA 54, 3824 (1996).
1313
Entanglement distillation protocolEntanglement distillation protocol
Entanglement distillation (Lo & Chau 99)Entanglement distillation (Lo & Chau 99)1.1. Bit error correctionBit error correction2.2. Phase error correctionPhase error correction3.3. Share (Share (almostalmost) pure EPR pairs) pure EPR pairs4.4. Measure in Z basis to get final keyMeasure in Z basis to get final keyReduce to prepareReduce to prepare--andand--measure schemes measure schemes (Shor & Preskill 00)(Shor & Preskill 00)
Put the final key measurement ahead by moving 4 Put the final key measurement ahead by moving 4 ahead of 1ahead of 1Error correctionError correctionPrivacy amplificationPrivacy amplification
1414
Underlying assumptionsUnderlying assumptionsCharacterized source or basisCharacterized source or basis--independent sourceindependent source
Single photon (qubit) sourceSingle photon (qubit) sourceCoherent state source: decoy stateCoherent state source: decoy stateEntangled sourceEntangled source
Detection system: compatible with the squashing modelDetection system: compatible with the squashing modelThreshold detectorThreshold detectorNo efficiency mismatchNo efficiency mismatch
Classical accessoriesClassical accessoriesauthentication; error correction; classical communication; authentication; error correction; classical communication; random number generators; key management; random number generators; key management; Secure key cost: asymptotically negligibleSecure key cost: asymptotically negligible
Infinite key limitInfinite key limitRates Rates →→ probabilitiesprobabilitiesFailure probability Failure probability →→ 00
N. J. Beaudry, T. Moroder, and N. LN. J. Beaudry, T. Moroder, and N. Lüütkenhaus,tkenhaus, Phys. Rev. Lett. , 101, Phys. Rev. Lett. , 101, 093601, (2008).093601, (2008).
1515
Basis independent setupBasis independent setup
BBM92 (Bennett, Brassard & Mermin 1992)BBM92 (Bennett, Brassard & Mermin 1992)
M. Koashi and J. Preskill, Phys. Rev. Lett. , 90, 057902, (2003)M. Koashi and J. Preskill, Phys. Rev. Lett. , 90, 057902, (2003)..X. Ma, C.X. Ma, C.--H. F. Fung, and H.H. F. Fung, and H.--K. Lo, PRA 76, 012307 (2007).K. Lo, PRA 76, 012307 (2007).
One can assume One can assume Eve has a full Eve has a full control of the control of the source. source. The basis choice is The basis choice is independent of the independent of the state in the channel.state in the channel.The source can be The source can be treated as a perfect treated as a perfect single photon (qubit) single photon (qubit) or EPR source. or EPR source. EveEve
1616
Finite key analysisFinite key analysis
1717
FiniteFinite--key issueskey issuesInitial keyInitial key
Authentication: manAuthentication: man--inin--thethe--middle attackmiddle attackOther uses: encryption of classical communication in the postOther uses: encryption of classical communication in the post--processingprocessing
ComposabilityComposabilityGenerated key may be used for the next round of QKDGenerated key may be used for the next round of QKDKey growth rather than key distributionKey growth rather than key distribution
No perfect key in realNo perfect key in real--lifelifeIdentical: Alice and Bob share the same keyIdentical: Alice and Bob share the same keyRealReal--life: no perfect error correction code, i.e., any error life: no perfect error correction code, i.e., any error correction code can only guarantee with a certain confidence correction code can only guarantee with a certain confidence intervalintervalPrivate: Eve knows nothing about the final keyPrivate: Eve knows nothing about the final keyRealReal--life: Eve can just guess the bit values of the initial key with life: Eve can just guess the bit values of the initial key with a successful probability, a successful probability, εε=2=2--kk
1818
NaNaïïve security definitionsve security definitionsSecure key cost in postSecure key cost in post--processingprocessing
Key cost (k) < key generation (n)Key cost (k) < key generation (n)A fixed failure probability for an arbitrary number of A fixed failure probability for an arbitrary number of rounds, rounds, εε, [too strong], [too strong]
With EveWith Eve’’s simple guess + mans simple guess + man--inin--thethe--middle attack: middle attack: εε=2=2--kk, for , for each roundeach roundThe failure probability for n rounds (potentially n attacks) is The failure probability for n rounds (potentially n attacks) is at at least n2least n2--kk, linear dependence, linear dependence
Small portion of the initial key known by Eve, [too weak]Small portion of the initial key known by Eve, [too weak]Even exponentially small is not strong enough due to continuous Even exponentially small is not strong enough due to continuous use of the QKD systemuse of the QKD systemRequirement of composabilityRequirement of composability
1919
Composable securityComposable securityConfidence interval / Failure probabilityConfidence interval / Failure probability
Confidence interval: the probability that the final key is identConfidence interval: the probability that the final key is identical ical and private, and private, 11--εεThe failure probability for n rounds: nThe failure probability for n rounds: nεε, linear dependence, linear dependenceExponentially decreasing with key cost kExponentially decreasing with key cost kA rough guess: A rough guess: εε=2=2--O(k)O(k) per roundper roundSmaller than a certain threshold determined by some practical Smaller than a certain threshold determined by some practical use of the key, say 10use of the key, say 10--1010
Remark: Remark: it does not mean Eve knows nit does not mean Eve knows nεε--bit information about bit information about the final keythe final key
Composable security definitionComposable security definitionFailure probability is smaller than the preFailure probability is smaller than the pre--determined threshold determined threshold for for allall rounds of QKD system usagesrounds of QKD system usages
M. BenM. Ben--Or et al, in TCC (2005), 386.Or et al, in TCC (2005), 386.R. Renner and R. KR. Renner and R. Köönig, in TCC (2005), 407.nig, in TCC (2005), 407.
Security measuresSecurity measuresFidelity: failure probabilityFidelity: failure probability
Lo, Chau and other prior worksLo, Chau and other prior worksM. HayashiM. HayashiM. KoashiM. Koashi
Trace distanceTrace distanceR. Canetti (2001)R. Canetti (2001)M. BenM. Ben--Or, M. Horodecki, D. W. Leung, D. Mayers, and Or, M. Horodecki, D. W. Leung, D. Mayers, and J. J. Oppenheim (2005)Oppenheim (2005)R. Renner and R. KR. Renner and R. Köönig (2005)nig (2005)
Workshop, FiniteWorkshop, Finite--Size Effects in QKD (Singapore, Size Effects in QKD (Singapore, 2008)2008)
Two approaches are equivalentTwo approaches are equivalentRenner: we should use trace distanceRenner: we should use trace distance
2020
2121
ToTo--do listdo listReRe--exam security proofsexam security proofs
Underlying assumptionsUnderlying assumptionsFormulas from asymptotic security analyses should be reFormulas from asymptotic security analyses should be re--derivedderivedNote: all the security analyses are about Note: all the security analyses are about privacy amplificationprivacy amplification
Calculate failure probability and secureCalculate failure probability and secure--key costkey costFor each step: basis sift, error correction, authentication, errFor each step: basis sift, error correction, authentication, error or verification, and phase error rate estimationverification, and phase error rate estimationEfficiency of privacy amplificationEfficiency of privacy amplification
Parameter optimizationParameter optimizationBiased basis choice Biased basis choice securesecure--key cost for each stepkey cost for each step
We have all the recipes ready: put them togetherWe have all the recipes ready: put them together
2222
PostPost--processingprocessing
2323
Underlying assumptionsUnderlying assumptions
A single photon (qubit) source or a basisA single photon (qubit) source or a basis--independent sourceindependent source
Coherent state (e.g., with decoy state) QKD: Coherent state (e.g., with decoy state) QKD: in progressin progress
A detection system: compatible with the A detection system: compatible with the squashing modelsquashing modelClassical communicationClassical communicationRandom number generator and key Random number generator and key management management
Flow chartFlow chartM. Hayashi, M. Hayashi, D. W. Leung, D. W. Leung, H.H.--K. Lo, N. LK. Lo, N. Lüütkenhaus, tkenhaus, M. Koashi, X. Mo, M. Koashi, X. Mo, B. Qi, B. Qi, R. Renner, V. Scarani, D. R. Renner, V. Scarani, D. Stebila, K. Tamaki, W. Stebila, K. Tamaki, W. TittelTittelWorkshop, Quantum Workshop, Quantum Works QKD Meeting Works QKD Meeting (Waterloo, Canada)(Waterloo, Canada)Workshop, FiniteWorkshop, Finite--Size Size Effects in QKD Effects in QKD (Singapore)(Singapore)N. LN. Lüütkenhaus, Phys. tkenhaus, Phys. Rev. A 59, 3301 (1999): Rev. A 59, 3301 (1999): using error verification to using error verification to replace error testing.replace error testing.
2424
2525
Procedures IProcedures IKey sift [neither authenticated nor encrypted]Key sift [neither authenticated nor encrypted]
Discard all noDiscard all no--clicks and randomly assign doubleclicks and randomly assign double--clicksclicksOther sift scheme might be applied, e.g., Ma, Moroder Other sift scheme might be applied, e.g., Ma, Moroder and Land Lüütkenhaustkenhaus, arXiv:0812.4301 (2008)arXiv:0812.4301 (2008)
Basis sift [authenticated but not encrypted]Basis sift [authenticated but not encrypted]Use a 2kUse a 2k--bit secure key to generate a Toeplitz matrixbit secure key to generate a Toeplitz matrixCalculate the tag by multiply the matrix with her/his Calculate the tag by multiply the matrix with her/his basis stringbasis stringSend each other the basis string with the tagSend each other the basis string with the tagDiscard those bits that used different basesDiscard those bits that used different basesOther sift scheme might be applied, e.g., SARGOther sift scheme might be applied, e.g., SARG’’0404
2626
Procedures IIProcedures II
Error correction [not authenticated but encrypted]Error correction [not authenticated but encrypted]Any error correction scheme can be applied hereAny error correction scheme can be applied hereCount the number of bits in the classical Count the number of bits in the classical communicationcommunication
Error verification [essentially an authentication Error verification [essentially an authentication problem]problem]
Alice sends an encrypted tag to BobAlice sends an encrypted tag to BobBob verify the tagBob verify the tagIf failed, they can go back to error correction againIf failed, they can go back to error correction again
2727
Procedures IIIProcedures III
Phase error rate estimationPhase error rate estimationProb.{phase error} = Prob.{bit error}Prob.{phase error} = Prob.{bit error}Asymptotically, rates Asymptotically, rates →→ probabilitiesprobabilitiesA simple random sampling problemA simple random sampling problem
2828
Procedure IVProcedure IV
Privacy amplification [authenticated but Privacy amplification [authenticated but not encrypted]not encrypted]
Alice generates an Alice generates an nnxx+n+nzz+l+l--11bit random bit bit random bit string and sends it to Bob through an string and sends it to Bob through an authenticated channelauthenticated channelThey use this random bit string to generate a They use this random bit string to generate a Teoplitz matrix to do privacy amplificationTeoplitz matrix to do privacy amplification
2929
Final key rateFinal key rateKey rate formulaKey rate formula
FiniteFinite--key effectkey effectPhase error rate estimation, which determines the Phase error rate estimation, which determines the biased basis choicebiased basis choicekk33: cost of authentication, error verification, efficiency : cost of authentication, error verification, efficiency of privacy amplificationof privacy amplification
3030
OptimizationOptimization
Parameters to be optimizedParameters to be optimizedFailure probabilities:Failure probabilities:
Key costs: Key costs: FiniteFinite--key effectkey effect
Net key growth: NRNet key growth: NR≥≥ll--kkecec--kk33Failure probability: Failure probability: εε==εεphph + + εε33The contribution of The contribution of εε33 is negligible, when the is negligible, when the final key length >> 37 bitsfinal key length >> 37 bits
3131
FiniteFinite--key effectskey effects
Error correction [fixed]Error correction [fixed]
Phase error Phase error rate estimation:rate estimation:
The amount of The amount of privacy privacy amplificationamplificationOptimal basis Optimal basis biasbias
Other partsOther partsAuthenticationAuthenticationError Error verificationverificationEfficiency of Efficiency of privacy privacy amplificationamplification
3232
Quick resultsQuick resultsAn extreme exampleAn extreme example
Raw key size n=10Raw key size n=103030 and and εε=10=10--3030; ; kk33=947 bits and =947 bits and εε33<10<10--3232
A typical exampleA typical examplen=10n=1077, , εε=10=10--77; ; kk33=202 bits and =202 bits and εε33<10<10--99
ObservationObservationMain effect comes from phase error estimationMain effect comes from phase error estimationThe efficiency of privacy amplification is close to 1The efficiency of privacy amplification is close to 1The costs of authentication and error verification are The costs of authentication and error verification are negligible in a normal (say, data size >10k) negligible in a normal (say, data size >10k) experimentexperiment
333310
210
410
610
810
1010
120.5
0.55
0.6
0.65
0.7
0.75
0.8
0.85
0.9
0.95
1
Raw key data size
Bia
s
px set by Alice
qx obtained by Bob
eexx=e=ezz=4%=4%εε==1010--77
100% error correction efficiency100% error correction efficiency
343410
210
410
610
810
1010
120
0.1
0.2
0.3
0.4
0.5
0.6
0.7
Raw key data size
Key
rate
per
raw
key
Finite keyAsymptotic key
eexx=e=ezz=4%=4%εε=10=10--77
100% error correction efficiency100% error correction efficiency
353510
-10010
-8010
-6010
-4010
-2010
010
2
103
104
105
failure probability ε
min
dat
a si
ze to
yie
ld a
pos
itive
key
minimun data size
eexx=e=ezz=4%=4%100% error correction efficiency100% error correction efficiency
3636
ConclusionConclusion
A practical postA practical post--processing scheme with processing scheme with failure probability as the security definition failure probability as the security definition Error verification: essentially an Error verification: essentially an authentication schemeauthentication schemePhase error estimation: a strict bound Phase error estimation: a strict bound Efficiency of privacy amplification: highEfficiency of privacy amplification: highParameter optimization: main finiteParameter optimization: main finite--key key effect comes from phase error rate effect comes from phase error rate estimationestimation
3737
Further discussionFurther discussionFurther improvement in the privacy amplification Further improvement in the privacy amplification step: no classical communication needed?step: no classical communication needed?
Efficiency: failure probability, secureEfficiency: failure probability, secure--key costkey costExtractors for privacy amplificationExtractors for privacy amplification
Detector efficiency mismatchDetector efficiency mismatchSquashing modelSquashing model
FiniteFinite--key analysis for the decoykey analysis for the decoy--state QKDstate QKDStatistics (software)Statistics (software)HardwareHardware
Computational complexityComputational complexityOnOn--line postline post--processingprocessing
Random number consumptionRandom number consumptionExtractorsExtractors
3838
ReferencesReferencesX. Ma, C.X. Ma, C.--H. F. Fung,H. F. Fung, J.J.--C. Boileau, H. F. Chau, C. Boileau, H. F. Chau, Computers & Computers & Security 30, 172 Security 30, 172 –– 177 (2011)177 (2011)C.C.--H. F. Fung, X. Ma, and H. F. Chau, Phys. Rev. A 81, 012318 H. F. Fung, X. Ma, and H. F. Chau, Phys. Rev. A 81, 012318 (2010)(2010)H. Krawczyk, in Advances in Cryptology H. Krawczyk, in Advances in Cryptology -- CRYPTO'94 (SpringerCRYPTO'94 (Springer--Verlag, 1994), 893, 129Verlag, 1994), 893, 129--139.139.N. LN. Lüütkenhaus, Phys. Rev. A 59, 3301 (1999).tkenhaus, Phys. Rev. A 59, 3301 (1999).M. Koashi and J. Preskill, Phys. Rev. Lett. , 90, 057902, (2003)M. Koashi and J. Preskill, Phys. Rev. Lett. , 90, 057902, (2003)..M. BenM. Ben--Or et al, in TCC (2005), 386.Or et al, in TCC (2005), 386.R. Renner and R. KR. Renner and R. Köönig, in TCC (2005), 407.nig, in TCC (2005), 407.M. Hayashi, Phys. Rev. A 74, 022307 (2006).M. Hayashi, Phys. Rev. A 74, 022307 (2006).X. Ma, C.X. Ma, C.--H. F. Fung, and H.H. F. Fung, and H.--K. Lo, PRA 76, 012307 (2007).K. Lo, PRA 76, 012307 (2007).V. Scarani and R. Renner, Phys. Rev. Lett. 100, 200501 (2008).V. Scarani and R. Renner, Phys. Rev. Lett. 100, 200501 (2008).T. Tsurumaru and K. Tamaki, Phys. Rev. A 78, 032302 (2008).T. Tsurumaru and K. Tamaki, Phys. Rev. A 78, 032302 (2008).N. J. Beaudry, T. Moroder, and N. LN. J. Beaudry, T. Moroder, and N. Lüütkenhaus, Phys. Rev. Lett. 101, tkenhaus, Phys. Rev. Lett. 101, 093601 (2008).093601 (2008).
3939
Another interesting topicAnother interesting topic
Efficiency loopholeEfficiency loopholeLong existing problem in BellLong existing problem in Bell’’s inequality testss inequality tests
QKD systemQKD systemDetector efficiency mismatchDetector efficiency mismatchDead time / after pulseDead time / after pulse
Attacks Attacks TimeTime--shift attackshift attackOther freedoms: space, frequency, Other freedoms: space, frequency, ……Even practical oneEven practical one--time encryptiontime encryption
EfficiencyEfficiency--loophole free QKDloophole free QKDX. Ma, T. Moroder, and N. LX. Ma, T. Moroder, and N. Lüütkenhaus, arXiv:0812.4301, (2008).tkenhaus, arXiv:0812.4301, (2008).
4040
Thank you!Thank you!
XiongfengXiongfeng Ma, July 06Ma, July 06thth, 2011, 2011