Post on 03-Feb-2018
Submitted to Mrs. Rubal Gill and Miss Anjali Panday Seminar Coordinator 8th Semester(ComputerEngineering)
Submitted byAmit Sharma
Computer Science07EAICS016
QUANTUM CRYPTOGRAPHY
ASEMINAR REPORT
ON
QUANTUM CRYPTOGRAPHY
Submitted under partial fulfillment of the degree of Bachelor of Technology in Computer Engineering
Session 2010-2011
Department of Computer EngineeringSwami Keshwanand Institute of Technology, Management &
Gramothan, Jaipur(Rajasthan Technical University, KOTA)
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 1
QUANTUM CRYPTOGRAPHY
ACKNOWLEDGEMENT
I would like to extend a warm acknowledgement to all those who have contributed a lot for the
successful completion of this seminar report and helped me with their valuable guidance and
suggestions for improvement. Mainly, I am extremely grateful to our Head of Department Mr.
C.M. Chaudhary for supporting me with best facilities and atmosphere for creative work and
innovations.
In addition to that, I would also like to thank the seminar coordinator Mrs. Rubal Gill and Miss
Anjali Panday for her support and supervision that helped me a lot throughout the task. Also, the
cooperation of my friends cannot be overlooked.
Most of all, I would like to thank my parents and the almighty without whose blessing I would
not be able to accomplish my goal.
AMIT SHAMRA
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 2
QUANTUM CRYPTOGRAPHY
ABSTRACT
Quantum cryptography uses quantum mechanics to guarantee secure communication. It
enables two parties to produce a shared random bit string known only to them, which can be used
as a key to encrypt and decrypt messages.
An important and unique property of quantum cryptography is the ability of the two
communicating users to detect the presence of any third party trying to gain knowledge of the
key. This results from a fundamental part of quantum mechanics: the process of measuring a
quantum system in general disturbs the system. A third party trying to eavesdrop on the key must
in some way measure it, thus introducing detectable anomalies. By using quantum superpositions
or quantum entanglement and transmitting information in quantum states, a communication
system can be implemented which detects eavesdropping. If the level of eavesdropping is below
a certain threshold a key can be produced which is guaranteed as secure, otherwise no secure key
is possible and communication is aborted.
The security of quantum cryptography relies on the foundations of quantum mechanics,
in contrast to traditional public key cryptography which relies on the computational difficulty of
certain mathematical functions, and cannot provide any indication of eavesdropping or guarantee
of key security.
Quantum cryptography is only used to produce and distribute a key, not to transmit any message data. This key can then be used with any chosen encryption algorithm to encrypt and decrypt a message, which can then be transmitted over a standard communication channel. The algorithm most commonly associated with QKD is the one-time pad, as it is provably secure when used with a secret, random key.
qubit, uncertainty, entanglement, bit commitment, BB84 protocol, Ekert protocol, key distribution, one-time-pad
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 3
KEY WORDS:
QUANTUM CRYPTOGRAPHY
CONTENTS
1. INTRODUCTION……………………………………………………………………….…..5
2. CLASSICAL CRYPTOGRAPHY………………………………………………….………6
2.1. DEFINITION……………………………….…………………………………………………………………………………..…..6
2.2. ONE-TIME-PAD ………………..……………………………………………………….………..……8
2.3. LIMITATIONS…………...…………………………………………………………...…………….....8
3. QUBIT………………………………..……………………………………………….............9
3.1. QUBIT REPRESENTATION...………………………………………………………...…………..10
4. QUATUM CRYPTOGRAPHY……………………………………….…….……………..11
4.1. UNCERTAINITY…………..……………………….…………….........…………………………….12
4.2. ENTANGLEMENT………………………...…………………….….........................................................13
4.3. BB84 PROTOCOL……………………………...……………….…...........................................................13
4.4. EKERT PROTOCOL……………………………...………………..............................................................15
5. QUANTUM BIT COMMITMENT PROTOCOL………..................................................16
5.1. BB84 QUANTUM BIT COMMITMENT PROTOCOL………………………………………………………….17
5.1.1. THE COMMIT PROCEDURE……………………...…….……………………………...…..18
5.1.2. THE UNVEIL PROCEDURE……………………...…………………………………....……18
6. OUTLOOKS…………………………………….……………………………………….….22
6.1. OTHER QUANTUM KEY DISTRIBUTION PROTOCOLS..……………………………………………..…...23
6.2. EXPERIMENTAL STATUS…………………………………………………………………………………..23
6.3. CURRENT CHALLENGES…………………………….……………………………………………….…...24
7. CONCLUSION & FUTURE SCOPE…………………………………………………..…26
8. REFERENCES……………………………………………………………………………...27
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 4
QUANTUM CRYPTOGRAPHY
1. INTRODUCTION
Cryptography is the science of keeping private information from unauthorized access, of
ensuring data integrity and authentication, and other tasks. In this survey, we will focus on
quantum-cryptographic key distribution and bit commitment protocols and we in particular will
discuss their security. Before turning to quantum cryptography, let me give a brief review of
classical cryptography, its current challenges and its historical development.
Two parties, Alice and Bob, wish to exchange messages via some insecure channel in a
way that protects their messages from eavesdropping. An algorithm, which is called a cipher in
this context, scrambles Alice’s message via some rule such that restoring the original message is
hard—if not impossible—without knowledge of the secret key. This “scrambled” message is
called the cipher text. On the other hand, Bob (who possesses the secret key) can easily decipher
Alice’s cipher text and obtains her original plaintext. Figure 1 in this section presents this basic
cryptographic scenario.
Communication between Alice and Bob, with Eve listening.
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 5
QUANTUM CRYPTOGRAPHY
Quantum cryptography uses our current knowledge of physics to develop a cryptosystem
that is not able to be defeated - that is, one that is completely secure against being compromised
without knowledge of the sender or the receiver of the messages. The word quantum itself refers
to the most fundamental behavior of the smallest particles of matter and energy: quantum theory
explains everything that exists and nothing can be in violation of it.
Quantum cryptography is different from traditional cryptographic systems in that it relies
more on physics, rather than mathematics, as a key aspect of its security model.
Essentially, quantum cryptography is based on the usage of individual particles/waves of
light (photon) and their intrinsic quantum properties to develop an unbreakable cryptosystem -
essentially because it is impossible to measure the quantum state of any system without
disturbing that system. It is theoretically possible that other particles could be used, but photons
offer all the necessary qualities needed, their behavior is comparatively well-understood, and
they are the information carriers in optical fiber cables, the most promising medium for
extremely high-bandwidth communications.
2. CLASSICAL CRYPTOGRAPHY
Overviews of classical cryptography can be found in various text books (see, e.g., Rothe
[2005] and Stinson [2005]). Here, we present just the basic definition of a cryptosystem and give
one example of a classical encryption method, the one-time pad.
Definition 2.1. A (deterministic, symmetric) cryptosystem is a five-tuple (P, C, K, E, D)
satisfying the following conditions:
P is a finite set of possible plaintexts.
C is a finite set of possible ciphertexts.
K is a finite set of possible keys.
For each k є K, there are an encryption rule ek є E and a corresponding decryption rule dk
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 6
QUANTUM CRYPTOGRAPHY
є D, where ek: P→ C and dk : C→ P are functions satisfying dk (ek (x)) = x for each plaintext
element x є P.
In the basic scenario in cryptography, we have two parties who wish to communicate
over an insecure channel, such as a phone line or a computer network. Usually, these parties are
referred to as Alice and Bob. Since the communication channel is insecure, an eavesdropper,
called Eve, may intercept the messages that are sent over this channel. By agreeing on a secret
key k via a secure communication method, Alice and Bob can make use of a cryptosystem to
keep their information secret, even when sent over the insecure channel. This situation is
illustrated in Figure 1.
The method of encryption works as follows. For her secret message m, Alice uses the key
k and the encryption rule ek to obtain the ciphertext c = ek (m). She sends Bob the ciphertext c
over the insecure channel. Knowing the key k, Bob can easily decrypt the
ciphertext by the decryption rule dk :
dk (c) = dk (ek (m)) = m.
Knowing the ciphertext c but missing the key k, there is no easy way for Eve to determine
the original message m.
There exist many cryptosystems in modern cryptography to transmit secret messages. An
early well-known system is the one-time pad, which is also known as the Vernam cipher. The
one-time pad is a substitution cipher. Despite its advantageous properties, which we will discuss
later on, the one-time pad’s drawback is the costly effort needed to transmit and store the secret
keys.
Fig.2. Letters and punctuation marks encoded by numbers from 0 to 29.
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 7
QUANTUM CRYPTOGRAPHY
Fig. 3. Encryption and decryption example for the one-time pad.
Example 2.2 (One-Time Pad). For plaintext elements in P , we use capital letters and
some punctuation marks, which we encode as numbers ranging from 0 to 29, see Figure2. As is
the case with most cryptosystems, the ciphertext space equals the plaintext space. Furthermore,
the key space K also equals P , and we have P =C= K={0, 1, . . . , 29}.
Next, we describe how Alice and Bob use the one-time pad to transmit their messages. A
concrete example is shown in Figure 3. Suppose Alice and Bob share a joint secret key k of
length n = 12, where each key symbol kiє {0, 1, . . . , 29} is chosen uniformly at random. Let m =
m1m2. . . mnbe a given message of length n, which Alice wishes to encrypt. For each plaintext
letter mi, where 1 ≤ i ≤ n, Alice adds the plaintext numbers to the key numbers. The result is
taken modulo 30. For example, the last letter of the plaintext from Figure 3, “D,” is encoded by
“m12=03.” The corresponding key is “m12= 28,” so we have c12= 3 + 28 = 31. Since 31 ≡ 1 mod
30, our plaintext letter “D” is encrypted as “B.” Decryption works similarly by subtracting,
character by character, the key letters from the corresponding ciphertext letters. So the
encryption and decryption can be written as respectively ci= (mi+ ki) mod 30 and mi=(ci− ki) mod
30, 1 ≤ i ≤ n.
2.3. Limitations
Cryptographic technology in use today relies on the hardness of certain mathematical
problems. Classical cryptography faces the following two problems. First, the security of many
classical cryptosystems is based on the hardness of problems such as integer factoring or the
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 8
QUANTUM CRYPTOGRAPHY
discrete logarithm problem. But since these problems typically are not provably hard, the
corresponding cryptosystems are potentially insecure. For example, the famous and widely used
RSA public-key cryptosystem [Rivest et al. 1978] could easily be broken if large integers were
easy to factor. The hardness of integer factoring, however, is not a proven fact but rather a
hypothesis.1.We mention in passing that computing the RSA secret key from the corresponding
public key is polynomial-time equivalent to integer factoring [May 2004].
Second, the theory of quantum computation has yielded new methods to tackle these
mathematical problems in a much more efficient way. Although there are still numerous
challenges to overcome before a working quantum computer of sufficient power can be built, in
theory many classical ciphers (in particular public-key cryptosystems such as RSA) might be
broken by such a powerful machine. However, while quantum computation seems to be a severe
challenge to classical cryptography in a possibly not so distant future, at the same time it
offers new possibilities to build encryption methods that are safe even against attacks performed
by means of a quantum computer. Quantum cryptography extends the power of classical
cryptography by protecting the secrecy of messages using the physical laws of quantum
mechanics.
3. QUBITS
The most important unit of information in computer science is the bit. There are two
possible values that can be stored by a bit: the bit is either equal to “0” or equal to “1.” These two
different states can be represented in various ways, for example by a simple switch or by a
capacitor: if not charged, the capacitor holds the value zero; if charged, it holds the value one.
There exist many possibilities to physically represent a qubit in practice, as every quantum
system with at least two states can serve as a qubit. For example, the spin of an atom or the
polarization5 of a light particle can represent the state of a qubit. Even a cat with its two basic
states “dead” and “alive,” introduced by Schrödinger [1935] to visualize fundamental concepts
of quantum mechanics, might serve as a representation. The cat’s problem—or fortune from the
animal’s point of view—when being used as a quantum system is its sheer size compared to that
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 9
QUANTUM CRYPTOGRAPHY
of an atom or light particle. There is no way to protect such a big quantum instance from
interaction with its environment, which in turn will result in decoherence of the superposition of
the cat.
3.1. Qubit Representation
In general, a quantum state |ψ) is an element of a finite-dimensional complex vector
space (or Hilbert space) H. We denote the scalar product of two states |ψ) and |φ) by (ψ|φ),
where (ψ| = |ψ) T is the conjugate transpose of |ψ). It is convenient to deal with normalized
states, so we require (ψ|ψ) = 1 for all states |ψ) that have a physical meaning.
The quantum analog of the bit is called qubit, which is derived from quantum bit. A qubit
|ψ) is an element of a two-dimensional Hilbert space, in which we can introduce an orthonormal
basis, consisting of the two states |0) and |1). Unlike its classical counterpart, the quantum state
can be in any coherent superposition of the basis states:
|ψ) = α|0) + β|1), (1)
where α and β are, in general, complex coefficients. This is due to the fact that the
quantum mechanical equation of motion, the Schrödinger equation, is linear: Any linear
superposition of its solutions (the quantum states) is also a solution. Since we require quantum
states to be normalized, we find that the coefficients in (1) have to fulfill
|α|2 + |β|2 = 1, where | · | denotes the absolute value.
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 10
QUANTUM CRYPTOGRAPHY
4. QUANTUM CRYPTOGRAPHY
Quantum Cryptography, or Quantum Key Distribution (QKD), uses quantum
mechanics to guarantee secure communication. It enables two parties to produce a shared
random bit string known only to them, which can be used as a key to encrypt and decrypt
messages. An important and unique property of quantum cryptography is the ability of the two
communicating users to detect the presence of any third party trying to gain knowledge of the
key. This results from a fundamental part of quantum mechanics: the process of measuring a
quantum system in general disturbs the system. A third party trying to eavesdrop on the key must
in some way measure it, thus introducing detectable anomalies. By using quantum superpositions
or quantum entanglement and transmitting information in quantum states, a communication
system can be implemented which detects eavesdropping. If the level of eavesdropping is below
a certain threshold a key can be produced which is guaranteed as secure (i.e. the eavesdropper
has no information about), otherwise no secure key is possible and communication is aborted.
The security of quantum cryptography relies on the foundations of quantum mechanics,
in contrast to traditional public key cryptography which relies on the computational difficulty of
certain mathematical functions, and cannot provide any indication of eavesdropping or guarantee
of key security.
Quantum cryptography is only used to produce and distribute a key, not to transmit any
message data. This key can then be used with any chosen encryption algorithm to encrypt (and
decrypt) a message, which can then be transmitted over a standard communication channel. The
algorithm most commonly associated with QKD is the one-time pad, as it is provably secure
when used with a secret, random key.
Quantum cryptography exploits the quantum mechanical property that a qubit cannot be
copied or amplified without disturbing its original state. This is the statement of the No-Cloning
Theorem [Wootters and Zurek 1982], which is easily proven: Assume there exists a unitary
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 11
QUANTUM CRYPTOGRAPHY
transformation U that can copy two states |ψ1) and |ψ2):
where |0) is an arbitrary input state. If we equate the scalar products of the left-hand and
right-hand sides, it follows by the unitarity of U that (ψ1|ψ2) = (ψ1|ψ2)2, which implies that (ψ1|
ψ2) equals 0 or 1. This means that we can copy only orthogonal or identical states. In contrast,
arbitrary unknown states cannot be perfectly cloned. (Note that orthogonal or identical states are
not viewed as “unknown” states, since we do know they are orthogonal, for example.)
The essence of this theorem is the main ingredient of quantum key distribution, where
Alice and Bob use a quantum channel to exchange a sequence of qubits, which will then be used
to create a key for the one-time pad in order to communicate over an insecure channel. Any
disturbance of the qubits, for example caused by Eve trying to measure the qubits’ state, can be
detected with high probability.
Quantum cryptographic devices typically employ individual photons of light and take
advantage of either the Heisenberg Uncertainity principle or Quantum Entanglement.
4.1. Uncertainity
Unlike in classical physics, the act of measurement is an integral part of quantum
mechanics. So it is possible to encode information into quantum properties of a photon in such a
way that any effort to monitor them disturbs them in some detectable way. The effect arises
because in quantum theory, certain pairs of physical properties are complementary in the sense
that measuring one property necessarily disturbs the other. This statement is known as the
Heisenberg uncertainty principle. The two complementary properties that are often used in
quantum cryptography, are two types of photon's polarization, e.g. rectilinear (vertical and
horizontal) and diagonal (at 45° and 135°).
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 12
QUANTUM CRYPTOGRAPHY
4.2. Entanglement
It is a state of two or more quantum particles, e.g. photons, in which many of their
physical properties are strongly correlated. The entangled particles cannot be described by
specifying the states of individual particles and they may together share information in a form
which cannot be accessed in any experiment performed on either of the particles alone. This
happens no matter how far apart the particles may be at the time.
4.3. BB84 Protocol
The BB84 protocol was proposed by Charles H.Bennett and Gilles Brassard [1984]. This
is the first protocol designed to employ quantum mechanics for two parties to agree on a joint
secret key. In this protocol, Alice and Bob use a quantum channel to send qubits. They are also
connected by a classical channel, which is insecure against an eavesdropper but unjammable.
Alice and Bob use four possible quantum states in two conjugate bases (say, the rectilinear
basis+and the diagonal basis×).We use |0)+ and |0)× = (|0)++|1)+ )/√2 for the classical signal “0,”
and we use |1)+ and |1)× = (|0)+ − |1)+ )/√2 for the classical signal “1.” Note that the two bases are
connected by the so-called Hadamard transformation
in the following way: We have H|0)+ = |0)× and H|1)+ = |1)× , and vice-versa, since
H2 = 1.
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 13
QUANTUM CRYPTOGRAPHY
The protocol works as follows (see also Table I for illustration):
Alice randomly prepares 2n qubits, each in one of the four states |0)+, |0)×, |1)+, or|1)×,
and sends them to Bob.
For each qubit that Bob receives, he chooses at random one of the two bases (+ or ×) and
measures the qubit with respect to that basis. In the case of a perfectly noiseless channel, if Bob
chooses the same basis as Alice, his measurement result is the same as the classical bit that Alice
prepared. If the bases differ, Bob’s result is completely random.
Alice tells Bob via the classical channel which basis she used for each qubit. They keep
the bits where Bob has used the same basis for his measurement as Alice. This happens in about
half the cases, so they will have approximately n bits left. These are forming the so-called sifted
key.
Alice and Bob choose a subset of the sifted key to estimate the error-rate. They do so by
announcing publicly the bit values of the subset. If they differ in too many cases, they abort the
protocol, since its security cannot be guaranteed.
Finally, Alice and Bob obtain a joint secret key from the remaining bits by performing
error correction and privacy amplification.
Eve’s goal is to learn at least some part of the key. Thus, an obvious strategy for her is to
intercept the qubits being transmitted from Alice to Bob. She cannot simply copy the qubits,
since this would contradict the No-Cloning Theorem. In order to extract some information, she is
forced to measure (and thus destroy) them. But since she does not know the basis in which they
were prepared (Alice announces this information only after Bob received all signals), she can
only guess or just flip a coin for the selection of the measurement basis. In about half the cases,
she will happen to choose the same basis as Alice and get completely correlated bit values. In the
other half, her results will be random and uncorrelated. Bob certainly expects to receive
something from Alice, so Eve needs to send some qubits to him. However, she still has no idea
which basis Alice used, so she prepares each qubit in the same basis as she measured it (or she
chooses a basis at random). These newly created qubits again match Alice’s bases in only half of
the cases. After Bob receives Eve’s qubits, he measures them, and Alice and Bob apply the
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 14
QUANTUM CRYPTOGRAPHY
sifting. Because of Eve’s disturbance, about half of Bob’s key was measured in a different basis
than it was prepared by Alice. Since Bob’s result is random in those cases, his sifted key will
contain about 25% errors. In the error-estimation stage, if Alice and Bob obtain such a high error
rate, it would be wise for them to abort the protocol.
If the error rate is below an agreed threshold value, Alice and Bob can eliminate errors with (classical)
error correction. A simple method for error correction works as follows: Alice chooses two bits at
random and tells Bob the XOR-value of the two bits. Bob tells Alice if he has the same value. In this case,
they keep the first bit and discard the second bit. If their values differ, they discard both bits. The
remaining bits form the key.
The last stage of the protocol is privacy amplification [Maurer 1993; Bennett et al. 1995]—a
procedure in which Alice and Bob eliminate (or, at least, drastically reduce) Eve’s knowledge
about the key. They do so by choosing random pairs of bits of the sifted key and replacing them
by their corresponding XOR-values. Thus, they halve the length of the key, in order to “amplify”
their privacy. Note that Eve has less knowledge about the XOR-value, even if she knew the
values of the single bits with high probability (but not with certainty).
Note that these simple methods for error correction and privacy amplification do not always
work. For the general case, there exist more sophisticated strategies.
4.4. Ekert Protocol
In 1991 Artur Ekert proposed a new QKD protocol whose security relies on the entangled
pairs of photons. These can be created by Alice, by Bob, or by some source separate from both
of them, including eavesdropper Eve. The photons are distributed so that Alice and Bob each end
up with one photon from each pair.
The scheme relies on two properties of entanglement. First, the entangled states are perfectly
correlated in the sense that if Alice and Bob both measure whether their particles have vertical or
horizontal polarizations, they will always get the same answer with 100% probability. The same
is true if they both measure any other pair of complementary (orthogonal) polarizations.
However, the particular results are completely random; it is impossible for Alice to predict if she
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 15
QUANTUM CRYPTOGRAPHY
(and thus Bob) will get vertical polarization or horizontal polarization.
Second, any attempt at eavesdropping by Eve will destroy these correlations in a way that
Alice and Bob can detect.
5. QUANTUM BIT COMMITMENT PROTOCOL
When talking about quantum cryptography, everyone is thinking about key distribution.
There are, however, other cryptographic applications as well, such as bit commitment. A bit
commitment protocol based on quantum mechanics was introduced by Brassard et al. [1993].
The unconditional security of the protocol (which means that the security of the protocol is
independent of the computational resources, such as computing time, amount of memory used,
and computer technology of the cheater) has been accepted without proof [Yao 1995]. Two years
after it had been proposed, the protocol turned out to be insecure [Mayers 1995].
A commitment protocol is a procedure in which one party, say Alice, deposits a message
such that no one (and in particular not Alice) can read it nor change it. At some point in the
future, Alice can announce her message, and with high certainty it can be proven that the
revealed message is the same as the one Alice had deposited originally. To illustrate this
situation, suppose Bob wants to auction off a diamond ring, subject to the condition that each
person wishing to participate in the auction can bid only one single amount of money. After each
person has chosen a specific amount, the highest bidder gets the ring. So everyone writes their
own bid on a piece of paper, puts it into a personal safe, which is then locked and given to Bob.
Until all bids have been submitted to Bob, each bidder keeps the key matching the lock of his or
her safe. In this way Bob cannot see any of the bids, which in turn cannot be changed once they
have been submitted, since only Bob has access to the committed safes. All keys are handed over
to Bob after he has received all safes from the people participating in the auction. The different
offers are compared in public, so that everybody can be sure that only the highest bidder walks
away with the diamond and an empty wallet.
We can describe this commitment protocol mathematically as follows: The protocol has two
stages, the commit phase and the unveil phase. Alice commits herself to the data m by computing
c = f (m), and she sends c to Bob. Alice unveils the commitment by showing Bob the preimage m
of c. In classical cryptography, and in particular in public-key cryptography, one-way functions
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 16
QUANTUM CRYPTOGRAPHY
are used for commitment. In quantum cryptography, we want to make use of the laws of
quantum mechanics to create a fair protocol for both sides. Bit commitment is a special case of a
commitment protocol, where the data m consists of only one single bit.
It is widely believed that it is impossible to create a perfectly secure classical bit
commitment protocol. Regarding the extension to the quantum world, it was shown that
unconditionally secure quantum bit commitment is also impossible [Mayers 1997; Lo and Chau
1997]. However, when relaxing the security constraints, quantum bit commitment becomes
possible in slightly modified frameworks. One example is Kent’s quantum bit commitment
protocol, which is based on special relativity theory [Kent 1999]. Another example is due to
Damgard et al. [2005] who proposed a quantum bit commitment protocol that is secure in the
bounded storage model.
5.1. BB84 Quantum bit commitment protocol
A quantum bit commitment protocol can be created from the BB84 quantum key
distribution protocol with a few minor changes in the BB84 protocol[Bennett and Brassard
1984]. Just as in the classical bit commitment protocol, the quantum protocol starts with the
commit phase and ends with the unveil phase.
5.1.1. The commit procedure:
(1) Alice chooses a bit b є {0, 1}.
(2) Alice creates a random binary string w = w1 · · ·wn with n bits.
(3) If Alice wants to commit to 0, she does a quantum encoding of each bit wi in the two
basis states of the rectilinear basis +. If she wants to commit to 1, she encodes the bits in the
two basis states of the diagonal basis ×. Let θi denote the basis chosen for wi .
(4) Alice sends the sequence of n encoded quantum states to Bob.
(5) Bob chooses a random measurement basis (rectilinear or diagonal) for each of the
received quantum states, i.e., he chooses a string of random bases = 1 · · n є {+,
×}n. He measures the ith state in the basis i , and denotes the outcome by .
If we take a look at the two density matrices for the n states corresponding to b = 0 and b = 1,
respectively, it is easy to see that they are the same, and equal to the identity matrix. Thus, Bob
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 17
QUANTUM CRYPTOGRAPHY
has no chance to get any information about the bit b.
5.1.2. The unveil procedure:
(1) Alice publishes b (i.e., the basis that she used for encoding) and the string w.
(2) For about half of the n states, Bob used the same basis for his measurement as Alice used for
encoding. In these cases Bob can verify that Alice’s revealed bits are matching his
measurement results.
How could a dishonest party cheat in this protocol? For example, Alice could choose the bit
b = 1 for the commit phase, so she encodes the states with the diagonal basis ×. Later during the
unveil phase, she changes her mind and tells Bob that she committed to the bit b = 0, so Bob
assumes that Alice has used the rectilinear basis +. In approximately n/2 cases, Bob measures the
states with the rectilinear basis +, and in these cases Alice has to guess the bits Bob measured.
Since Alice’s success to make a right guess for one bit is 1/2, her overall cheating will not be
detected with a probability of (1/2)n/2. Once n is chosen large enough, Alice has practically no
chance to manipulate the protocol by this probabilistic method.
But what if Alice uses specially entangled states? Alice could create n pairs of entangled
states and send one part of each pair to Bob. She doesn’t have to commit to a bit in the
beginning, because she can perform a measurement right before the unveil phase. If, for
example, she chooses bit b = 0, she measures the states that she has kept in the rectilinear basis
+. Bob’s measurement results will be perfectly correlated, due to the shape of the entangled state.
If Alice wants to choose bit b = 1 instead, she measures the states that she has kept in the
diagonal basis ×. The state is form-invariant under a basis rotation by 45◦, Alice’s announced
encoded states will again match Bob’s measurement results. Thus, Bob has no chance to notice
the attack.
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 18
QUANTUM CRYPTOGRAPHY
How It Works in Theory:
In theory, quantum cryptography works in the following manner (this view is the
"classical" model developed by Bennett and Brassard in 1984 - some other models do exist):
Assume that two people wish to exchange a message securely, traditionally named Alice
and Bob. Alice initiates the message by sending Bob a key, which will be the mode for
encrypting the message data. This is a random sequence of bits, sent using a certain type of
scheme, which can see two different initial values represent one particular binary value (0 or 1).
Let us assume that this key is a stream of photons travelling in one direction, with each of
these photon particles representing a single bit of data (either a 0 or 1). However, in addition to
their linear travel, all of these photons are oscillating (vibrating) in a certain manner. These
oscillations can occur in any 360-degree range across any conceivable axis, but for the purpose
of simplicity (at least as far as it is possible to simplify things in quantum cryptography), let us
assume that their oscillations can be grouped into 4 particular states: we'll define these as
UP/DOWN, LEFT/RIGHT, UPLEFT/RIGHTDOWN and UPRIGHT/LEFTDOWN. The angle
of this vibration is known as the polarization of the photon. Now, let us introduce a polarizer into
the equation. A polarizer is simply a filter that permits certain photons to pass through it with the
same oscillation as before and lets others pass through in a changed state of oscillation (it can
also block some photons completely, but let's ignore that property for this exercise). Alice has a
polarizer that can transmit the photons in any one of the four states mentioned - in effect, she can
choose either rectilinear (UP/DOWN and LEFT/RIGHT) or diagonal (UPLEFT/RIGHTDOWN
and UPRIGHT/LEFTDOWN) polarization filters.
Alice swaps her polarization scheme between rectilinear and diagonal filters for the
transmission of each single photon bit in a random manner. In doing so, the transmission can
have one of two polarizations represent a single bit, either 1 or 0, in either scheme she uses.
When receiving the photon key, Bob must choose to measure each photon bit using either
his rectilinear or diagonal polarizer: sometimes he will choose the correct polarizer and at other
times he will choose the wrong one. Like Alice, he selects each polarizer in a random manner. So
what happens with the photons when the wrong polarizer is chosen?
The Heisenberg Uncertainty Principle states that we do not know exactly what will
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 19
QUANTUM CRYPTOGRAPHY
happen to each individual photon, for in the act of measuring its behavior, we alter its properties
(in addition to the fact that if there are two properties of a system that we wish to measure,
measuring one precludes us from quantifying the other). However, we can make a guess as to
what happens with them as a group. Suppose Bob uses a rectilinear polarizer to measure
UPLEFT/RIGHTDOWN and UPRIGHT/LEFTDOWN (diagonal) photons. If he does this, then
the photons will pass through in a changed state - that is, half will be transformed to UP/DOWN
and the other half to LEFT/RIGHT. But we cannot know which individual photons will be
transformed into which state (it is also a reality that some photons may be blocked from passing
altogether in a real world application, but this is not relevant to the theory).
Bob measures some photons correctly and others incorrectly. At this point, Alice and Bob
establish a channel of communication that can be insecure - that is, other people can listen in.
Alice then proceeds to advise Bob as to which polarizer she used to send each photon bit - but
not how she polarized each photon. So she could say that photon number 8597 (theoretically)
was sent using the rectilinear scheme, but she will not say whether she sent an UP/DOWN or
LEFT/RIGHT. Bob then confirms if he used the correct polarizer to receive each particular
photon. Alice and Bob then discard all the photon measurements that he used the wrong polarizer
to check. What they have, is, on average, a sequence of 0s and 1s that is half the length of the
original transmission...but it will form the basis for a one-time pad, the only cryptosystem that, if
properly implemented, is proven to be completely random and secure.
Now, suppose we have an eavesdropper, Eve, who attempts to listen in, has the same
polarizers that Bob does and must also randomly choose whether to use the rectilinear or
diagonal one for each photon. However, she also faces the same problem that Bob does, in that
half the time she will choose the wrong polarizer. But Bob has the advantage of speaking to
Alice to confirm which polarizer type was used for each photon. This is useless to Eve, as half
the time she used the wrong detector and will misinterpret some of the photons that will form
that final key, rendering it useless.
Furthermore, there is another level of security inherent in quantum cryptography - that of
intrusion detection. Alice and Bob would know if Eve was eavesdropping on them. The fact that
Eve is on the "photon highway" can become obvious because of the following.
Let's say that Alice transmits photon number 349 as an UPRIGHT/LEFTDOWN to Bob,
but for that one, Eve uses the rectilinear polarizer, which can only measure UP/DOWN or
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 20
QUANTUM CRYPTOGRAPHY
LEFT/RIGHT photons accurately. What Eve will do is transform that photon into either
UP/DOWN or LEFT/RIGHT, as that is the only way the photon can pass. If Bob uses his
rectilinear polarizer, then it will not matter what he measures as the polarizer check Alice and
Bob go through above will discard that photon from the final key. But if he uses the diagonal
polarizer, a problem arises when he measures its polarization; he may measure it correctly as
UPRIGHT/LEFTDOWN, but he stands an equal chance, according to the Heisenberg
Uncertainty Principle, of measuring it incorrectly as UPLEFT/RIGHTDOWN. Eve's use of the
wrong polarizer will warp that photon and will cause Bob to make errors even when he is using
the correct polarizer.
To discover Eve's nefarious doings, they must perform the above procedures, with which
they will arrive at an identical key sequence of 0s and 1s - unless someone has been
eavesdropping, whereupon there will be some discrepancies. They must then undertake further
measures to check the validity of their key. It would be foolish to compare all the binary digits of
the final key over the unsecured channel discussed above, and also unnecessary.
Let us assume that the final key comprises 4,000 binary digits. What needs to be done is
that a subset of these digits be selected randomly by Alice and Bob, say 200 digits, in terms of
both position (that is, digit sequence number 2, 34, 65, 911 etc) and digit state (0 or 1). Alice and
Bob compare these - if they match, then there is virtually no chance that Eve was listening.
However, if she was listening in, then her chances of being undiscovered are one in countless
trillions, that is, no chance in the real world. Alice and Bob would know someone was listening
in and then would not use the key - they would need to start the key exchange again over a
secure channel inaccessible to Eve, even though the comparisons between Alice and Bob
discussed above can still be done over an insecure channel. However, even if Alice and Bob have
concluded that the their key is secure, since they have communicated 200 digits over an un-
secure channel, these 200 digits should be discarded from the final key, turning it from a 4,000
into a 3,800 bit key).
Thus, quantum cryptography is a way to combine the relative ease and convenience of
key exchange in public key cryptography with the ultimate security of a onetime pad.
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 21
QUANTUM CRYPTOGRAPHY
How It Works in Practice:In practice, quantum cryptography has been demonstrated in the laboratory by IBM and
others, but over relatively short distances. Recently, over longer distances, fiber optic cables with
incredibly pure optic properties have successfully transmitted photon bits up to 60 kilometers.
Beyond that, BERs (bit error rates) caused by a combination of the Heisenberg Uncertainty
Principle and microscopic impurities in the fiber make the system unworkable. Some research
has seen successful transmission through the air, but this has been over short distances in ideal
weather conditions. It remains to be seen how much further technology can push forward the
distances at which quantum cryptography is practical.
Practical applications in the US are suspected to include a dedicated line between the
White House and Pentagon in Washington, and some links between key military sites and major
defense contractors and research laboratories in close proximity.
6. OUTLOOKS
The security of quantum key distribution relies on the inviolable laws of quantum
mechanics: nonorthogonal quantum states are used as signal states in the BB84 protocol. The
impossibility of perfect cloning of nonorthogonal states implies the security of this protocol.
In the security proof for the BB84 protocol, we have employed an equivalent
entanglement-based protocol. The main idea is that local measurements on a maximally
entangled state, shared by Alice and Bob, have perfectly correlated outcomes that can be used as
the key. A maximally entangled state is necessarily pure, and a pure state cannot be entangled
with an eavesdropper’s state—thus Eve cannot learn anything about the key. The idea for
quantum cryptography with entangled states goes back to Ekert [1991], who suggested to
confirm the existence of quantum correlations in the state of Alice and Bob by a Bell inequality
test.
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 22
QUANTUM CRYPTOGRAPHY
6.1. Other quantum key distribution protocols
A variety of quantum key distribution protocols can be found in the literature. All known
prepare-and-measure schemes can be seen as variations of the BB84 protocol, which are
obtained by changing the number and/or dimension of the quantum states. Bennett [1992]
proposed a protocol—which now is named after him the B92 protocol— in which only two
nonorthogonal states are used. In the so-called six-state protocol [Bruß 1998; Bechmann-
Pasquinucci and Gisin 1999], the six eigenstates of the three Pauli operators are used. In this
protocol, it is more difficult for Eve to retrieve any information, thus the security is enhanced.
A recently suggested protocol [Scarani et al. 2004] introduces a new sifting method:
rather than announcing the basis, Alice gives Bob a list of two nonorthogonal states from which
the signal state was taken. This protocol has certain security advantages that are connected with
experimental implementations of quantum cryptography.
6.2. Experimental status
In recent years, much effort has been devoted to experiments on quantum cryptography,
and much progress has been made. In most experiments, polarized photons are representing the
qubits: photons are polarized if their electromagnetic field oscillates in a fixed direction of space.
Polarization-based encoding works best for free-space communication systems rather
than fiber-optic lines. Data are transmitted faster in free-space systems, but they
cannot traverse the longer distances of fiber-optic links. In March 2004, NEC scientists in Japan
sent a single photon over a 150-km fiber-optic link, breaking the transmission distance record for
quantum cryptography.
The most commercially viable QKD systems rely on fiber-optic links limited to 100 to
120 km. At longer distances, random noise degrades the photon stream. Quantum keys cannot
travel far over fiber optic lines, and, thus, they can work only between computers directly
connected to each other.
As of March 2007 the longest distance over which quantum key distribution has been
demonstrated using optic fiber is 148.7 km, achieved by Los Alamos/NIST using the BB84
protocol. Significantly, this distance is long enough for almost all the spans found in today's fiber
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 23
QUANTUM CRYPTOGRAPHY
networks. The distance record for free space QKD is 144km between two of the Canary Islands,
achieved by a European collaboration using entangled photons (the Ekert scheme) in 2006, and
using BB84 enhanced with decoy states[8] in 2007. The experiments suggest transmission to
satellites is possible, due to the lower atmospheric density at higher altitudes. For example
although the minimum distance from the International Space Station to the ESA Space Debris
Telescope is about 400 km, the atmospheric thickness is about an order of magnitude less than in
the European experiment, thus yielding less attenuation compared to this experiment.
6.3. Current Challenges
Like everything in the world of information security, quantum cryptography is not
panacea. The main drawbacks of quantum cryptography are due to the following two reasons:
Man in the middle attack
Quantum cryptography is vulnerable to a man-in-the-middle attack when used without
authentication to the same extent as any classical protocol, since no principle of quantum
mechanics can distinguish friend from foe. As in the classical case, Alice and Bob cannot
authenticate each other and establish a secure connection without some means of verifying each
other's identities (such as an initial shared secret). If Alice and
Bob have an initial shared secret then they can use an unconditionally secure
authentication scheme (such as Carter-Wegman,) along with quantum key distribution to
exponentially expand this key, using a small amount of the new key to authenticate the next
session. Several methods to create this initial shared secret have been proposed, for example
using a 3rd party or chaos theory.
Photon number splitting attack
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 24
QUANTUM CRYPTOGRAPHY
In the BB84 protocol Alice sends quantum states to Bob using single photons. In practice
many implementations use laser pulses attenuated to a very low level to send the quantum states.
These laser pulses contain a very small amount of photons, for example 0.2 photons per pulse,
which are distributed according to a Poissonian distribution. This means most pulses actually
contain no photons (no pulse is sent), some pulses contain 1 photon (which is desired) and a few
pulses contain 2 or more photons. If the pulse contains more than one photon, then Eve can split
of the extra photons and transmit the remaining single photon to Bob. This is the basis of the
photon number splitting attack, where Eve stores these extra photons in a quantum memory until
Bob detects the remaining single photon and Alice reveals the encoding basis. Eve can then
measure her photons in the correct basis and obtain information on the key without introducing
detectable errors.
There are several solutions to this problem. The most obvious is to use a true single
photon source instead of an attenuated laser. While such sources are still at a developmental
stage QKD has been carried out successfully with them. However as current sources operate at a
low efficiency and frequency key rates and transmission distances are limited. Another solution
is to modify the BB84 protocol, as is done for example in the SARG04 protocol, in which the
secure key rate scales as t3 / 2. The most promising solution is the decoy state idea, in which
Alice randomly sends some of her laser pulses with a lower average photon number. These
decoy states can be used to detect a PNS attack, as Eve has no way to tell which pulses are signal
and which decoy. Using this idea the secure key rate scales as t, the same as for a single photon
source. This idea has been implemented successfully in several QKD experiments, allowing for
high key rates secure against all known attacks.
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 25
QUANTUM CRYPTOGRAPHY
7. CONCLUSION AND FUTURE SCOPE
Quantum cryptography promises to revolutionize secure communication by providing
security based on the fundamental laws of physics, instead of the current state of mathematical
algorithms or computing technology. The devices for implementing such methods exist and the
performance of demonstration systems is being continuously improved. Within the next few
years, if not months, such systems could start encrypting some of the most valuable secrets of
government and industry.
Future developments will focus on faster photon detectors, a major factor limiting the
development of practical systems for widespread commercial use. Chip Elliott, BBN's principal
engineer, says the company is working with the University of Rochester and NIST's Boulder
Laboratories in Colorado to develop practical superconducting photon detectors based on
niobium nitride, which would operate at 4 K and 10 GHz.
The ultimate goal is to make QKD more reliable, integrate it with today's
telecommunications infrastructure, and increase the transmission distance and rate of key
generation. Thus the Long-term goals of quantum key distribution are the realistic
implementation via fibers, for example, for different buildings of a bank or company , and free
space key exchange via satellites. Quantum cryptography already provides the most advanced
technology of quantum information science, and is on the way to achieve the (quantum) jump
from university laboratories to the real world.
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 26
QUANTUM CRYPTOGRAPHY
8. REFERENCES
1. Quantum Cryptography: A Survey
DAGMAR BRUSS, GÁBOR ERDÉ LYI, TIM MEYER, TOBIAS RIEGE, and JÖ RG ROTHE
ACM Computing Surveys, Vol. 39, No.2, Article 6, Publication date: June 2007
2. http://en.wikipedia.org/wiki/Quantum_cryptography
3. http://www.aip.org/tip/INPHFA/vol-10/iss-6/p22.html
4. http://www.perimeterinstitute.ca/personal/dgottesman/QKD.html
5. http://www.cs.brandeis.edu/~pablo/qbc/node4.html
DEPARTMENT OF COMPUTER SCIENCE, SKIT Page | 27