Quantum Key Exchange
Symmetric Key Encryption
Alice
Bob
Encryption
\(c=E(k,m)\)
message \(m\)
key \(k\)
Decryption
\(m=D(k,c)\)
key \(k\)
ciphertext \(c\)
message \(m\)
Insecure channel
Secure channel
Symmetric Key Encryption
- Problem: need a secure channel to exchange key first
- But there is theoretically no "secure channel"
- In principle, every classical channel can always be passively observed without the users being aware
- Asymmetric key exchange: key exchange in "insecure channel", where it is computational hard to recover key from observed information
DH Key Exchange
Alice
Bob
key \(k=g^{xy}\)
\(g,g^x\)
Insecure channel
secret \(x\)
key \(k=g^{xy}\)
secret \(y\)
\(g^y\)
Although able to observe all transmitted value, computational hard to calculate the key
CDH Assumption: given \(g,g^x,g^y\), hard to calculate \(g^{xy}\)
Asymmetric Key Exchange
- Problem: computational hard "assumptions", not "guarantees"
- It is hard to prove a computational hard assumption true
- Most modern cryptography uses asymmetric cryptography somewhere, either in key exchange part of the encryption part
- Can we find a information-theoretically secure key exchange protocol?
Symmetric Key Encryption
- Problem: need a secure channel to exchange key first
- But there is theoretically no "secure channel"
- In principle, every classical channel can always be passively observed without the users being aware
- This is not true for quantum channels!
- For example, observing a qubit in a entangled pair breaks the entanglement!
- By utilizing quantum mechanics, we can create various quantum key exchange protocols
Difference
- The main difference of quantum and classical key exchange is that we can now detect eavesdropper
- Also, the security is based on informational theory, not computational hardness
E91 Protocol
Concept
- Alice and Bob randomly chooses a basis from a basis set for each qubit's observation
- \(n\) pairs of entangled qubit pairs are split and given to Alice and Bob
- After observing the qubits, they announce the bases used for each qubit through
- The qubits observed using same bases will be identical due to entanglement, which can be used as the key
- The other qubits observed using different bases will be used to calculate correlation and detect eavesdropping
Process - 1
Alice
Bob
entangled
Alice's basis set
Bob's basis set
Entanglement is preserved across orthonormal bases
\(A_1\)
\(A_2\)
\(A_3\)
\(B_1\)
\(B_2\)
\(B_3\)
observe
0
observe
0
observe
1
observe
0
observe
1
observe
0
observe
1
observe
1
Process - 2
Alice
Bob
entangled
observe
0
observe
0
observe
1
observe
0
observe
1
observe
0
observe
1
observe
1
\(A_2, A_1, A_2, A_3\)
Alice's basis set
\(A_1\)
\(A_2\)
\(A_3\)
Bob's basis set
\(B_1\)
\(B_2\)
\(B_3\)
\(B_1, B_3, B_2, B_2\)
observe
1
observe
0
observe
0
observe
1
key \(k=01\)
key \(k=01\)
Expected \(\frac{2}{9}\) of the bits used as key!
Process - 3
Alice's basis set
\(A_1\)
\(A_3\)
Bob's basis set
\(B_1\)
\(B_3\)
In the bases that don't match, leave only those in \(\{A_1,A_3\}\times\{B_1,B_3\}\)
Correlation:
\((A_1, B_1), (A_3, B_1), (A_3, B_3)\) positively correlated,
\((A_1, B_3)\) negatively correlated
Process - 3
Alice's basis set
\(A_1\)
\(A_3\)
Bob's basis set
\(B_1\)
\(B_3\)
In the bases that don't match, leave only those in \(\{A_1,A_3\}\times\{B_1,B_3\}\)
Correlation:
Calculate the value
\(S=E(A_1,B_1)+E(A_3, B_1)+E(A_3,B_3)-E(A_1,B_3)\)
Normally, \(S=\frac{\sqrt 2}{2} \times 4 = 2\sqrt 2\)
Bell-CHSH Inequality
\(S=E(A_1,B_1)+E(A_3, B_1)+E(A_3,B_3)-E(A_1,B_3)\)
The classical bound for \(S\) is \(S \le 2\)
proof: Let \(\lambda\) be the public signal, in classic settings, \(a_i,b_j\) are independent given \(\lambda\).
Bell-CHSH Inequality
Observe that one of \((b_1-b_3),(b_1+b_3)\) is zero, another is \(\pm2\).
Bell-CHSH Inequality
- Classical bound for \(S\) is \(S \le 2\)
- However, we showed earlier that \(S = 2\sqrt 2\) under the quantum entanglement and bases settings
- Actually, under quantum settings, \(S \le 2\sqrt 2\)
- If an attacker Eve attempts to observe the whole communication, entanglement is broken totally
- Then it falls back to the classical setting, so Bell-CHSH inequality must hold!
- Check the value \(S\) to detect eavesdroppers
E91 Protocol's Security
-
information vs. disturbance tradeoff:
- The attacker can of course not observe the whole communication to decrease the probability of being detected
- But this decrease the information gained by the attacker too
-
No-cloning theorem:
- The attacker cannot clone the status of the entangled pair and observe it separately
Discussion & QA
- With quantum mechanism, we can practically exchange secret keys without computationally hard assumptions
- It's even possible to use One-Time-Pads now for extremely security critical scenarios
- Note that this only guarantees confidentiality over insecure channel, not integrity over unauthenticated channel
- We still need to use it in complement with authentication methods to prevent attacks like Man-In-The-Middle
Quantum Key Exchange
By Howard Yang
Quantum Key Exchange
- 43