Cryptography and System State Estimation Using Polarization States

Subhash Kak (a), Pramode Verma (b), and Greg MacDonald (b)

(a) Department of Computer Science, Oklahoma State University, Stillwater, OK 74078
(b) Telecommunications Engineering Program, School of Electrical and Computer Engineering, University of Oklahoma-Tulsa, Tulsa, OK 74135

ABSTRACT

We present new results on cryptography and system state estimation using polarization states of photons. Current quantum cryptography applications are based on the BB84 protocol which is not secure against photon siphoning attacks. Recent research has established that the information that can be obtained from a pure state in repeated experiments is potentially infinite. This can be harnessed by sending a burst of photons confined to a very narrow time window, each such burst containing several bits of information. The proposed method represents a new way of transmitting secret information. While polarization shift-keying methods have been proposed earlier, our method is somewhat different in that it proposes to discover the polarization state of identical photons in a burst from a laser which codes binary information. We also present results on estimating the state of a system based on the polarization of the received photons which can have applications in intrusion detection.

Keywords: Cryptography using photons, system state estimation, intrusion detection

1. INTRODUCTION

This paper deals with the problem of information in a photon and the use of it for communication and cryptography purposes as well as estimating the state of the fiber if both the input and the output states were available. It is important to note that no consistent wave function for a single photon can be constructed [1,2]. Most currently available photon sources have non-zero multi-photon probability. Using a very weak laser beam, the number of photons reaching the detector in a given period of time may be precisely known, but the photons will arrive at random times. Pulse lasers can’t be rigged to produce single photons on schedule. For example, a dye-based system to generate single photons produces such photons only 74 percent of the time [1].

The photon may be seen as oscillating electric field E and magnetic field H vectors that are mutually perpendicular and orthogonal to the direction of propagation S, the Poynting vector. If Cartesian coordinates are used with the direction of propagation S along the positive z-axis (towards the reader), the electric field vector E (for a quasi-monochromatic source) may be written as the sum of two orthogonal components:

$E_0 = E_{0x} + iE_{0y}$

The corresponding wave function is:

$E = E_0 \exp i(kz - \omega t)$

where k is the propagation constant, z is the distance in the direction of propagation, and ω is the angular frequency. If $E_0$ is real, light is linearly polarized; if $E_0$ is complex, it is elliptically polarized; and if the real and imaginary parts of $E_0$ are equal, one has circularly polarized light.

Consider a photon that is linearly polarized and its polarization in the x and y directions is represented as 0 and 1. If seen as a qubit $a|0\rangle + b|1\rangle$, the photon will collapse to $|0\rangle$ or $|1\rangle$, but since this collapse is random, it does not communicate any useful information to the receiver. Maximum information is communicated to the receiver if the sender prepares the photon in one of the two orthogonal states, say, $|0\rangle$ or $|1\rangle$, which the receiver is able to determine upon observation. It is assumed that the sender and the receiver have agreed upon the communication protocol and the measurement bases. If the agreement on the nature of the communication has not been made in advance, the receiver cannot, in general, obtain useful information from the stream of photons (excepting in their presence or absence) since he does not know the basis states of the sender, or know if these states are fixed or variable. If the recipient knows the basis states of the sender, he will obtain the maximum of one bit of information from each qubit.

Quantum information is traditionally measured by the von Neumann entropy, $S_n(\rho) = -\mathrm{tr}(\rho \log \rho)$, where ρ is the density operator associated with the state [3]. This entropy may be written also as

$$S_n(\rho) = -\sum_x \lambda_x \log \lambda_x$$

where $\lambda_x$ are the eigenvalues of ρ. It follows that a pure state has zero von Neumann entropy (we will take “log” in the expression to base 2, implying the units are bits). The von Neumann measure is independent of the receiver. This is unsatisfactory from a communications perspective because if the sender is sending an unknown pure state to the receiver, it should, in principle, communicate information.

Suppose that the sender and the receiver have agreed that the sender will choose, say, one of 16 different polarization states of the photon. The sender picks one of these and sends several photons of this specific polarization. Since all these photons are the same pure state, the information associated with them, according to the von Neumann measure, is zero. But the information in this choice, from the communications point of view, is $\log_2 16 = 4$ bits. Although the classical entropy and the von Neumann entropy measures look similar mathematically, there is a difference between the two expressions, as the first one relates to probabilities and the second to the eigenvalues associated with a matrix.

Section 2 of the paper summarizes issues related to information in mixed and pure states. Section 3 considers parallels between classical and quantum protocols for transmission of information. Section 4 describes quantum cryptography and section 5 presents the framework for the use of polarization states in an experimental setting. Section 6 describes a model for system state estimation and the implementation of a polarization based intrusion detection system. Section 7 summarizes directions for future research.

2. INFORMATION IN MIXED AND PURE STATES

A given photon may be in a pure or mixed quantum state, and these two cases are very different from the point of view of measurement. A mixed state is a statistical mixture of component pure states, and its entropy computed by the von Neumann measure is similar to the entropy for classical states. The maximum information provided by a single mixed state photon is one bit. The zero entropy of the entangled state is unreasonable also from the perspective that it could have been in one of many different forms and therefore have potential for carrying information. For example, with the assumption that the probability amplitudes be real and equal, the state function could be either

$$\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle) \quad \text{or} \quad \frac{1}{\sqrt{2}}(|00\rangle - |11\rangle),$$

communicating information equal to one bit. Information in classical theory measures the reduction in uncertainty regarding the message based on the received communication. It is predicated on the mutuality underlying the sender and the receiver. Therefore the receipt of an unknown pure state should communicate information to the recipient of the state [4].

In our examination of the question of information in an unknown pure state $|\phi\rangle = a|0\rangle + b|1\rangle$, we take it that multiple copies of the state are available. The received copies can be used by the recipient to estimate the values of a and b. If the objective is the estimation of the density matrix ρ, we can do so by finding average values of the observables ρ, Xρ, Yρ, Zρ, where X, Y, Z are the Pauli operators, by means of the expansion:

$$\rho = \frac{1}{2}\left(\mathrm{tr}(\rho)\, I + \mathrm{tr}(X\rho)\, X + \mathrm{tr}(Y\rho)\, Y + \mathrm{tr}(Z\rho)\, Z\right)$$

The operators tr(Xρ) etc. are average values and therefore the probabilistic convergence of ρ to its correct value would depend on the number of observations made.

Considering a more constrained setting, assume that the information that user A, the preparer of the states, is trying to communicate to the user B, is the ratio a/b, expanded as a numerical sequence, m. For further simplicity it is assumed that A and B have agreed that a and b are real, then

$$a = \frac{m}{\sqrt{1+m^2}} \quad \text{and} \quad b = \frac{1}{\sqrt{1+m^2}}.$$

One may use either a pure state $|\phi\rangle = a|0\rangle + b|1\rangle$ or a mixed state consisting of an equal mixture of the states $|\phi_1\rangle = a|0\rangle + b|1\rangle$ and $|\phi_2\rangle = a|0\rangle - b|1\rangle$.

Alternatively, one may communicate the ratio $a^2/b^2 = m$. In this case,

$$a = \sqrt{\frac{m}{1+m}} \quad \text{and} \quad b = \sqrt{\frac{1}{1+m}}.$$

Since $b^2 = \frac{1}{1+m}$, one needs to merely determine the sequence corresponding to the reciprocal of 1+m for the probability of the component state $|1\rangle$.

The sender and the receiver may agree in advance to code the contents of the message in the probability amplitudes in other ways. For example, they may agree on the following table relating binary sequence and the probability amplitude a:

Binary sequence:   000   001   010   011   100   101   110   111
Amplitude a:       0     1/8   2/8   3/8   4/8   5/8   6/8   7/8

Thus the binary sequence 101 will map to the qubit

$$\sqrt{\frac{3}{8}}\,|0\rangle + \sqrt{\frac{5}{8}}\,|1\rangle.$$

In general, the preparer of the quantum state can choose out of an infinity of possibilities, and depending on the mutual relationship between the preparer and the receiver, the pure state’s information will vary from one receiver to another. In case the pure state chosen by the sender is aligned to the measurement basis of the receiver, the information transmitted is zero. The information generated by the source equals the probability of choosing the specific state out of the possibilities available (this is the state’s a priori probability). If the set of choices is infinite, then the information generated by the source is unbounded. On the other hand, due to the probabilistic nature of the reception process, not all the information at the source is obtained at the receiver by a single measurement. The more copies of the photon the receiver is sent, the more information will be extracted. A single photon will of course communicate at best only one bit of information.
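To make the dependence on burst size concrete, the following added example (not code from the paper) computes how reliably a receiver can recover a 3-bit sequence from the table above when it is sent n identical photons. Assumptions made here: the table value k/8 is taken as the probability of detecting |1⟩ (consistent with 101 mapping to √(3/8)|0⟩ + √(5/8)|1⟩), detection is ideal in the agreed {|0⟩, |1⟩} basis, and the receiver decides by nearest table entry.

```python
import math

# Constructed from the page's table: 3-bit sequence -> k/8, read here (assumption)
# as the probability that a photon of the burst is detected in state |1>.
LEVELS = {format(k, "03b"): k / 8 for k in range(8)}

def binom_pmf(n, k, p):
    """P(k detections of |1> out of n photons), in log space so large n does not overflow."""
    if p in (0.0, 1.0):
        return 1.0 if k == round(n * p) else 0.0
    log_pmf = (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
               + k * math.log(p) + (n - k) * math.log(1 - p))
    return math.exp(log_pmf)

def decode(ones, n):
    """Receiver's decision (assumed rule): table entry nearest to the observed fraction."""
    frac = ones / n
    return min(LEVELS, key=lambda bits: abs(LEVELS[bits] - frac))

def success_probability(bits, n):
    """Exact probability that a burst of n identical photons decodes back to `bits`."""
    p = LEVELS[bits]
    return sum(binom_pmf(n, k, p) for k in range(n + 1) if decode(k, n) == bits)

def burst_table(bits, sizes=(1, 10, 100, 1000)):
    """Success probability for several burst sizes."""
    return {n: success_probability(bits, n) for n in sizes}

if __name__ == "__main__":
    for n, prob in burst_table("101").items():
        print(f"burst of {n:4d} photons: P(decode 101 correctly) = {prob:.5f}")
```

A single photon can only be read as 000 or 111 under this rule, so 101 is never recovered from it; the three bits become reliable only once the burst is large enough for the observed fraction to settle within half a table step (1/16) of 5/8.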

3. PARALLEL BETWEEN CLASSICAL AND QUANTUM PROTOCOLS

We have spoken of sending information using a single pure quantum state using many of its copies. This may be compared, in the classical case, to the representation of the contents of an entire book by a single signal, V, obtained by converting the binary file of the book into a number by putting a “dot” before it to make it less than 1. If a large number of copies of this signal are sent, it is possible that the receiver can, in principle, determine its value even in the presence of noise, ε, taken to be symmetrically distributed about zero. This would be accomplished by summing a large number of received signals W, so that

E(W) = E(V) + E(ε) = V + E(ε)

may be calculated accurately. As the number of copies available to be summed increases, the value E(ε) goes to zero and

E(W) → V.

Although such a method is not practical for very many bits, more than one binary symbol of a message is coded into a single amplitude in non-binary systems. If one wished to use a pure state to transmit information in several binary bits in a practical implementation, the transmission must contain several copies of the pure state to enable the receiver to extract the relevant information from it. If the pure state is used to transmit a single bit, then we have the case of the information being sent by choice between two alternatives.

4. QUANTUM CRYPTOGRAPHY

The BB84 [3] and the three-stage quantum cryptography protocols [5] may be seen as emerging naturally from the different perspectives of computing signal operations on two sets of bases (mixed state scenario) and a single set (for each user). In the BB84 protocol it is essential that single photons be transmitted since otherwise siphoning of the photons by the eavesdropper can reveal the information. In the three-stage protocol, even if bunches of photons are transmitted for each data point, that will not compromise the system since each transmission can have a different polarization chosen for it by the sender.

In the general case of information transmitted in terms of polarization value, the receiver can make his estimate by adjusting the basis vectors so that he gets closer to the unknown pure state. The information that can be obtained from such a state in repeated experiments is potentially infinite in the most general case. Clearly, it is assumed that several photons with identical polarization state are being used for each encoded sequence.

A distinction may be made in the situation for discrete (and finite) and continuous geometries. Since the measure of information in a pure state is a consequence of its “distance” from the observer’s computational basis, information in a continuous geometry would for almost each observer (excepting for the one who starts out exactly aligned, the probability of which is zero) remain infinite. Conversely, for a finite discrete geometry, a smaller “distance” will translate into lesser information, making some observers more privileged than others.

Some implementations of quantum cryptography built on the BB84 protocol, using quantum phase modulation rather than polarization, are already on the market. The application of the three-stage protocol has been proposed for securing optical burst channels [6].

5. POLARIZATION STATES

The general state of polarization (SoP) of a light source is described in terms of four Stokes parameters {S0, S1, S2, and S3}. The total intensity is S0 while S1, S2, and S3 describe the SoP. These quantities are determined by measuring the intensity of light after it has passed through various optical elements. The last three parameters {S1, S2, and S3} can be mapped onto the Poincaré sphere to conveniently represent all SoPs. Linearly polarized light is found on the equator, circularly polarized light is found at the poles, and elliptically polarized light is found between the equator and the poles. Fully polarized light is represented by a point on the surface of the sphere while partially polarized light is represented as a point in the interior of the sphere (Figure 1). In terms of the Poincaré sphere, the four Stokes parameters are mapped as follows:

$S_0 = I$ = total intensity of the beam
$S_1 = I p \cos(2\chi)\cos(2\psi)$
$S_2 = I p \cos(2\chi)\sin(2\psi)$
$S_3 = I p \sin(2\chi)$
$S_0 = (S_1^2 + S_2^2 + S_3^2)^{1/2}$ (for fully polarized light)

where the degree of polarization p is defined as:

$p = (S_1^2 + S_2^2 + S_3^2)^{1/2} / S_0$

A few examples of specific states of polarization and corresponding Stokes parameters $(S_0, S_1, S_2, S_3)^T$ follow:

$(1, 1, 0, 0)^T$ → linearly polarized light (horizontal)
$(1, 0, 1, 0)^T$ → linearly polarized light (+45 deg)
$(1, 0.71, 0, 0.71)^T$ → elliptically polarized light (horizontal)
$(1, 0, 0.71, 0.71)^T$ → elliptically polarized light (+45 deg)

Figure 1. Stokes parameters and the Poincaré sphere

The “normalized” Stokes parameters are:

$s_1 = S_1/S_0$
$s_2 = S_2/S_0$
$s_3 = S_3/S_0$

where for fully polarized light, $S_0 = (S_1^2 + S_2^2 + S_3^2)^{1/2}$. In the general case:

$$p = \frac{\sqrt{S_1^2 + S_2^2 + S_3^2}}{S_0}$$

Polarization shift-keying (2-POLSK, 4-POLSK, and 8-POLSK systems) described by Benedetto [7] was used by MacDonald [8] to develop a simple 256-POLSK technique that involves dividing the Poincaré sphere into 256 functional zones to produce 256 different states of polarization, each SoP representing 1 of the 256 different bit combinations (hexadecimal 00 through FF). The MacDonald scheme uses the following constellation space:

1) 8 circles parallel to the Poincaré sphere equator at S3 = {-0.8, -0.6, -0.4, -0.2, +0.2, +0.4, +0.6, +0.8} defining 256 data regions, and
2) 1 circle at S3 = 0 (the equator) for polarization tracking.

Different SoPs represented by the Stokes parameters at the center of each data region were used to represent 256 different 8-bit data sequences. The polarization tracking circle is required for transmission channels that modify the transmitted state of polarization (e.g., single mode fiber). The polarization based modulation scheme suggests the following applications:

• Polarization based data hiding/encryption
• Polarization based data compression/encryption
• Polarization based intrusion detection

In polarization based data hiding/encryption the data to be transmitted is no longer encoded in an OOK sequence but is encoded in the SoP. Polarization based data compression/encryption encodes data compactly in a polarized pulse. The encryption feature comes naturally for channels that modify the launched SoP. For example, due to birefringence in single mode fiber, the SoP of the launched pulse changes in a random fashion as the pulse propagates along the fiber. An adversary would have to know the current state of the polarization transfer matrix (derived from polarization tracking) in order to make reasonable sense of the transmitted data. An 8-bit sequence encoded into the corresponding SoP has different representations in time and space during propagation along the fiber. For these applications a reasonably rapid polarization modulation rate is required.

6. POLARIZATION BASED SYSTEM STATE ESTIMATION

We now apply these ideas to the development of system state identification for fiber optic network security. The two states represent “no intrusion attempt” (state=undisturbed) and “intrusion attempt” (state=disturbed). In contrast to data coding or encryption, polarization based intrusion detection can be implemented at much slower modulation rates. In polarization based intrusion detection, polarized light is used to monitor for intrusion attempts in fiber optic links.

For highly secure fiber optic networks, current methods of protecting the fiber link include cement encasement (deters but does not detect) and installation in pressurized pipe (detects with mild deterrence). Intrusions are accomplished with optical taps. Optical tapping methods are described by Shaneman and Gray [9] and include fiber bending, optical splitting and evanescent coupling. Tapping methods require some disturbance of the optical fiber. Due to the birefringence properties of fiber, these physical disturbances can be detected by unexpected or large changes in the received SoP.

The variation of the SoP in fiber (state=undisturbed) is relatively slow. The following figure shows the normalized Stokes parameter measurements from a 100 meter single mode fiber cable over a 3 day period (measurement interval = 15 seconds). Notice the path traced about the Poincaré sphere is confined to a relatively small area.

Figure 2. Normalized Stokes parameters for 100 meter fiber link over a 3 day timeframe and their mapping to the Poincaré sphere

This relatively slowly varying component can be tracked using specific SoPs along the polarization tracking circle defined in the 256-POLSK design. These are calibration SoPs. Assuming the transmitter and receiver have decided on the sequence of calibration SoPs, measurements of the received SoPs $S_r$ can be used to construct the Mueller matrix M that describes the transformation the fiber has applied to the launched SoP $S_t$. Applying the inverse of the updated Mueller matrix to the next arriving calibration SoP $S_r$ results in recovery of the expected SoP $S_t'$.

$S_r = M S_t$

$M^{-1} S_r = S_t'$

$S_t = S_t'$: state=undisturbed (no intrusion)

SoP variations in disturbed fiber can be relatively large. The following figure shows the normalized Stokes parameter measurements from a 100 meter single mode fiber cable over an 8 minute period (measurement interval = 2 seconds). Changes in fiber geometry result in large variations to the received SoP.

Figure 3. Normalized Stokes parameters for 100 meter fiber link over an 8 minute timeframe and their mapping to the Poincare sphere.

Depending on when the disturbance occurs, either the most recent update to the Mueller matrix will be in error, or the update will be correct but will no longer describe the current transformation. In either case,

$S_t \neq S_t'$: state=disturbed (fiber geometry changed, fiber disturbed, likely intrusion attempt)

The following diagram illustrates the experimental configuration used for the above demonstrations. It should be noted that the laser (λ=1550 nm) was internal to the polarization controller.

Figure 4. Experimental configuration (block diagram; components: SOP encoder, polarization controller, fiber link, polarization analyzer, decoder)

While the full 256-POLSK design may be needed for the more complex polarization based data hiding and compression applications, it is probably not needed for the polarization based intrusion detection application. In fact, it is conceivable that a fixed SoP is all that is needed. Small differences in successively received SoPs would indicate state=undisturbed, while larger differences would indicate state=disturbed.
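The calibration-and-compare check described in this section can be sketched as follows; this is an added example, not the authors' implementation. Assumptions made here: light is fully polarized and the fiber is lossless, so M reduces to a 3x3 rotation acting on the normalized Stokes vector (s1, s2, s3); the 10 degree threshold, the function names and the sample fiber are constructed for illustration. Because all calibration SoPs lie on the equator (S3 = 0) they span only a plane, so the code completes each pair with its cross product, which a rotation must also carry along.

```python
import math

def cross(u, v):
    return [u[1]*v[2] - u[2]*v[1], u[2]*v[0] - u[0]*v[2], u[0]*v[1] - u[1]*v[0]]

def columns(a, b):
    """3x3 matrix with columns a, b and a x b."""
    c = cross(a, b)
    return [[a[i], b[i], c[i]] for i in range(3)]

def matmul(p, q):
    return [[sum(p[i][k] * q[k][j] for k in range(3)) for j in range(3)] for i in range(3)]

def matvec(m, v):
    return [sum(m[i][k] * v[k] for k in range(3)) for i in range(3)]

def inverse3(m):
    (a, b, c), (d, e, f), (g, h, i) = m
    det = a*(e*i - f*h) - b*(d*i - f*g) + c*(d*h - e*g)
    if abs(det) < 1e-9:
        raise ValueError("calibration SoPs are collinear; matrix cannot be estimated")
    adj = [[e*i - f*h, c*h - b*i, b*f - c*e],
           [f*g - d*i, a*i - c*g, c*d - a*f],
           [d*h - e*g, b*g - a*h, a*e - b*d]]
    return [[x / det for x in row] for row in adj]

def estimate_inverse_mueller(launched, received):
    """M maps the launched pair (columns of T) to the received pair (R), so M^-1 = T R^-1."""
    t, r = columns(*launched), columns(*received)
    inverse3(t)  # raises if the launched calibration pair is itself collinear
    return matmul(t, inverse3(r))

def angle_deg(u, v):
    """Angular separation of two SoPs on the Poincare sphere."""
    dot = sum(x * y for x, y in zip(u, v))
    norm = math.sqrt(sum(x * x for x in u) * sum(y * y for y in v))
    return math.degrees(math.acos(max(-1.0, min(1.0, dot / norm))))

def check_sop(m_inv, expected_st, received_sr, threshold_deg=10.0):
    """Recover St' = M^-1 Sr and compare it with the agreed calibration SoP St."""
    deviation = angle_deg(expected_st, matvec(m_inv, received_sr))
    return ("disturbed" if deviation > threshold_deg else "undisturbed"), deviation

def rot_x(deg):
    c, s = math.cos(math.radians(deg)), math.sin(math.radians(deg))
    return [[1, 0, 0], [0, c, -s], [0, s, c]]

def rot_z(deg):
    c, s = math.cos(math.radians(deg)), math.sin(math.radians(deg))
    return [[c, -s, 0], [s, c, 0], [0, 0, 1]]

def demo():
    # Constructed sample data: two equatorial calibration SoPs, fiber modelled as a rotation.
    t1, t2 = [1.0, 0.0, 0.0], [0.0, 1.0, 0.0]      # horizontal and +45 deg linear
    fiber = rot_x(30)
    m_inv = estimate_inverse_mueller((t1, t2), (matvec(fiber, t1), matvec(fiber, t2)))
    drifted = matvec(matmul(rot_z(1), fiber), t2)   # slow drift since the last update
    bent = matvec(matmul(rot_z(60), fiber), t2)     # large change in fiber geometry
    return check_sop(m_inv, t2, drifted), check_sop(m_inv, t2, bent)

if __name__ == "__main__":
    for state, dev in demo():
        print(f"{state}: St' deviates from St by {dev:.2f} deg")
```

In a deployment the threshold would be set from the drift actually observed on the undisturbed link between calibration updates, such as the slow variation recorded in Figure 2.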

7. CONCLUSIONS

The research described in this paper opens up avenues that could lead to advanced communications and computing security. Polarization encoding can be a new technique of cryptography as well as data hiding and data compression. The following problems are proposed:

1. Investigate performance over longer spans of fiber.
2. Correlate the nature and location of intrusion or disturbance with the change in polarization.
3. Investigate a variety of codes to compensate for polarization drift and search for optimal codes.
4. Investigate the performance of polarization based encoding as a function of signal strength.
5. Investigate performance in the presence of noise [10,11] and uncertainty.

We believe that the cryptographic ideas proposed in this paper could have significant applications in communications and security.

REFERENCES

[1] Oxborrow, M. and Sinclair, A.G., “Single-photon sources,” Contemporary Physics 46, 173-206 (2005).
[2] Mandel, L. and Wolf, E., Optical Coherence and Quantum Optics. Cambridge University Press (1995).
[3] Nielsen, M.A. and Chuang, I.L., Quantum Computation and Quantum Information. Cambridge University Press (2000).
[4] Kak, S., “Quantum information and entropy,” International Journal of Theoretical Physics 46, 860-876 (2007).
[5] Kak, S., “A three-stage quantum cryptography protocol,” Foundations of Physics Letters 19, 293-296 (2006).
[6] Chen, Y., Verma, P.K., and Kak, S., “Embedded security framework for integrated classical and quantum cryptography services in optical burst switching networks,” Security and Communication Networks 2, 546-554 (2009).
[7] Benedetto, S., Gaudino, R., and Poggiolini, P., “Polarization recovery in optical polarization shift-keying systems,” IEEE Transactions on Communications 45, 1269-1279 (1997).
[8] MacDonald, G.G. and Sluss, Jr., J.J., “A Byte/Symbol-Stuffing Protocol Utilizing Polarization-Shift Keying for Enhanced Optical Network Security,” Frontiers in Optics (FiO), TuP6, Tucson, AZ (2003).
[9] Shaneman, K. and Gray, S., “Optical Network Security: Technical Analysis of Fiber Tapping Mechanisms and Methods for Detection and Prevention,” Military Communications Conference, MILCOM 2004, IEEE, Vol. 2, 711-716 (2004).
[10] Kak, S., “Information, physics and computation,” Foundations of Physics 26, 127-137 (1996).
[11] Kak, S., “The initialization problem in quantum computing,” Foundations of Physics 29, 267-279 (1999).