Quantum Key Exchange

Symmetric Key Encryption

Alice

Bob

Encryption

\(c=E(k,m)\)

message \(m\)

key \(k\)

Decryption

\(m=D(k,c)\)

key \(k\)

ciphertext \(c\)

message \(m\)

Insecure channel

Secure channel

Symmetric Key Encryption

Problem: need a secure channel to exchange key first
But there is theoretically no "secure channel"
In principle, every classical channel can always be passively observed without the users being aware
Asymmetric key exchange: key exchange in "insecure channel", where it is computational hard to recover key from observed information

DH Key Exchange

Alice

Bob

key \(k=g^{xy}\)

\(g,g^x\)

Insecure channel

secret \(x\)

key \(k=g^{xy}\)

secret \(y\)

\(g^y\)

Although able to observe all transmitted value, computational hard to calculate the key

CDH Assumption: given \(g,g^x,g^y\), hard to calculate \(g^{xy}\)

Asymmetric Key Exchange

Problem: computational hard "assumptions", not "guarantees"
It is hard to prove a computational hard assumption true
Most modern cryptography uses asymmetric cryptography somewhere, either in key exchange part of the encryption part
Can we find a information-theoretically secure key exchange protocol?

Symmetric Key Encryption

Problem: need a secure channel to exchange key first
But there is theoretically no "secure channel"
In principle, every classical channel can always be passively observed without the users being aware
This is not true for quantum channels!
For example, observing a qubit in a entangled pair breaks the entanglement!
By utilizing quantum mechanics, we can create various quantum key exchange protocols

Difference

The main difference of quantum and classical key exchange is that we can now detect eavesdropper
Also, the security is based on informational theory, not computational hardness

E91 Protocol

Concept

Alice and Bob randomly chooses a basis from a basis set for each qubit's observation
\(n\) pairs of entangled qubit pairs are split and given to Alice and Bob
After observing the qubits, they announce the bases used for each qubit through
The qubits observed using same bases will be identical due to entanglement, which can be used as the key
The other qubits observed using different bases will be used to calculate correlation and detect eavesdropping

Process - 1

Alice

Bob

entangled

Alice's basis set

\beta_{00}=\frac{|00\rangle + |11\rangle}{\sqrt 2}=\frac{|++\rangle + |--\rangle}{\sqrt 2}

Bob's basis set

Entanglement is preserved across orthonormal bases

\(A_1\)

\(A_2\)

\(A_3\)

\(B_1\)

\(B_2\)

\(B_3\)

observe

Process - 2

Alice

Bob

entangled

observe

\(A_2, A_1, A_2, A_3\)

Alice's basis set

\(A_1\)

\(A_2\)

\(A_3\)

Bob's basis set

\(B_1\)

\(B_2\)

\(B_3\)

\(B_1, B_3, B_2, B_2\)

observe

key \(k=01\)

Expected \(\frac{2}{9}\) of the bits used as key!

Process - 3

Alice's basis set

\(A_1\)

\(A_3\)

Bob's basis set

\(B_1\)

\(B_3\)

In the bases that don't match, leave only those in \(\{A_1,A_3\}\times\{B_1,B_3\}\)

Correlation:

\text{Let }a_i= \begin{cases} 1, &\text{if observed }1\text{ with }A_i\\ -1, &\text{if observed }0\text{ with }A_i \end{cases}

\((A_1, B_1), (A_3, B_1), (A_3, B_3)\) positively correlated,
\((A_1, B_3)\) negatively correlated

E(A_i, B_j) = E(a_ib_j)

Process - 3

Alice's basis set

\(A_1\)

\(A_3\)

Bob's basis set

\(B_1\)

\(B_3\)

In the bases that don't match, leave only those in \(\{A_1,A_3\}\times\{B_1,B_3\}\)

Correlation:

Calculate the value
\(S=E(A_1,B_1)+E(A_3, B_1)+E(A_3,B_3)-E(A_1,B_3)\)
Normally, \(S=\frac{\sqrt 2}{2} \times 4 = 2\sqrt 2\)

E(A_i, B_j) = E(a_ib_j)

Bell-CHSH Inequality

\(S=E(A_1,B_1)+E(A_3, B_1)+E(A_3,B_3)-E(A_1,B_3)\)

The classical bound for \(S\) is \(S \le 2\)

proof: Let \(\lambda\) be the public signal, in classic settings, \(a_i,b_j\) are independent given \(\lambda\).

\begin{aligned} S&=E(A_1,B_1)+E(A_3, B_1)+E(A_3,B_3)-E(A_1,B_3)\\ &=\int_{\Lambda}a_1b_1p(\lambda)d\lambda+\int_{\Lambda}a_3b_1p(\lambda)d\lambda+\int_{\Lambda}a_3b_3p(\lambda)d\lambda-\int_{\Lambda}a_1b_3p(\lambda)d\lambda\\ &=\int_{\Lambda}(a_1b_1+a_3b_1+a_3b_3-a_1b_3)p(\lambda)d\lambda\\ &=\int_{\Lambda}(a_1(b_1-b_3)+a_3(b_1+b_3))p(\lambda)d\lambda \end{aligned}

Bell-CHSH Inequality

Observe that one of \((b_1-b_3),(b_1+b_3)\) is zero, another is \(\pm2\).

\begin{aligned} S&=\int_{\Lambda}(a_1(b_1-b_3)+a_3(b_1+b_3))p(\lambda)d\lambda\\ &\le\int_{\Lambda}2 p(\lambda)d\lambda \le 2 \end{aligned}

Bell-CHSH Inequality

Classical bound for \(S\) is \(S \le 2\)
However, we showed earlier that \(S = 2\sqrt 2\) under the quantum entanglement and bases settings
Actually, under quantum settings, \(S \le 2\sqrt 2\)
If an attacker Eve attempts to observe the whole communication, entanglement is broken totally
Then it falls back to the classical setting, so Bell-CHSH inequality must hold!
Check the value \(S\) to detect eavesdroppers

E91 Protocol's Security

information vs. disturbance tradeoff:
- The attacker can of course not observe the whole communication to decrease the probability of being detected
- But this decrease the information gained by the attacker too
No-cloning theorem:
- The attacker cannot clone the status of the entangled pair and observe it separately

Discussion & QA

With quantum mechanism, we can practically exchange secret keys without computationally hard assumptions
It's even possible to use One-Time-Pads now for extremely security critical scenarios
Note that this only guarantees confidentiality over insecure channel, not integrity over unauthenticated channel
We still need to use it in complement with authentication methods to prevent attacks like Man-In-The-Middle

Quantum Key Exchange

By Howard Yang

Quantum Key Exchange

Symmetric Key Encryption

Symmetric Key Encryption

DH Key Exchange

Asymmetric Key Exchange

Symmetric Key Encryption

Difference

E91 Protocol

Concept

Process - 1

Process - 2

Process - 3

Process - 3

Bell-CHSH Inequality

Bell-CHSH Inequality

Bell-CHSH Inequality

E91 Protocol's Security

Discussion & QA

Quantum Key Exchange

More from Howard Yang