Research Directions in Quantum Cryptography

Rajni Goel
Department of Information Systems & Decision Sciences, Howard University, 2600 6th Street, NW, Washington, DC 20059
[email protected]

Moses Garuba, Anteneh Girma
Department of Systems & Computer Science, Howard University, 2300 6th Street NW, Washington, DC 20059
{moses, agirma}@scs.howard.edu

Abstract

Quantum cryptography is an approach to securing communications by applying the phenomena of quantum physics. Unlike traditional classical cryptography, which uses mathematical techniques to restrict eavesdroppers, quantum cryptography is focused on the physics of information. Quantum cryptography provides secure communication whose security depends only on the validity of quantum theory, i.e., it is guaranteed directly by the laws of physics. This is a substantial difference from any classical cryptographic technique. This article summarizes the current state of quantum cryptography and discusses potential extensions of its feasibility as a mechanism for securing existing communication systems.

1. Introduction

The physics of quantum cryptography opens a door to tremendously intriguing possibilities for cryptography, the art and science of communicating in the presence of adversaries [1,2]. Interesting characteristics of quantum mechanics include the existence of indivisible quanta and of entangled systems, both of which lie at the root of quantum cryptography (QC). QC is one of the few commercial applications of quantum physics at the single-quantum level. Applications of quantum mechanics to cryptography tend to come in three flavors:

• Quantum mechanics can be used to break classical cryptographic protocols (as with quantum factoring).
• Quantum states can make possible new or improved cryptographic protocols protecting classical information (as with quantum key distribution or uncloneable encryption).
• Cryptographic methods can be applied to protect quantum information instead of classical information. Examples include quantum secret sharing schemes and quantum authentication protocols.

We investigate the differences between classical cryptographic techniques and quantum cryptography, as well as the potential advantages and applications of each. In Section 2 we present attributes of classical cryptography and its differences from quantum cryptography; Section 3 summarizes quantum key distribution and quantum entanglement. Sections 4 and 5 describe quantum cryptographic protocols and eavesdropping, and we conclude with a discussion of current progress and the debut of quantum cryptography networks.

2. Classical Cryptography

Cryptography is the art of rendering a message unintelligible to any unauthorized party. Although confidentiality is the traditional application of cryptography, it is used nowadays to achieve broader objectives, such as authentication and digital signatures [10]. To achieve this, an algorithm (also called a cryptosystem or cipher) is used to combine a message with some additional information (known as the key) and produce a cryptogram. The primary application of cryptography remains the sending of secret messages.

International Conference on Information Technology (ITNG'07) 0-7695-2776-0/07 $20.00 © 2007 Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY MADRAS. Downloaded on February 9, 2009 at 00:16 from IEEE Xplore. Restrictions apply.

Many cryptographic systems are based on computational assumptions: decrypting without the key is equivalent to solving some computationally difficult problem, one that cannot be solved in time polynomial in the security parameter. The central problem in cryptography is the key distribution problem, for which there are essentially two solutions: one based on mathematics (classical cryptography) and one based on physics (quantum cryptography). While classical public key cryptography relies on the assumed computational difficulty of problems such as factoring large integers, quantum cryptography relies on what we believe to be the universal laws of quantum mechanics. Classical cryptosystems come in two flavors: symmetric systems and asymmetric systems [6]. The security of public key cryptosystems is based on computational complexity. The idea is to use mathematical objects called one-way functions. So far, no one has proved the existence of any one-way function with a trapdoor, so the existence of secure asymmetric cryptosystems is not proven. This poses a serious threat to these cryptosystems: an overnight breakthrough in mathematics could make electronic money instantly worthless. To limit such economic and social risks, there is no alternative but to turn to symmetrical cryptosystems, and QC has a role to play in such alternative systems.

2.2 Symmetrical (secret key) cryptosystems

Symmetrical ciphers use a single key for both encryption and decryption. The symmetrical cryptosystems in use for routine applications such as e-commerce employ rather short keys. Like asymmetrical cryptosystems, they offer only computational security (the one-time pad, discussed in Section 3.2, is the exception). However, for a given key length, symmetrical systems are more secure than their asymmetrical counterparts. In practical implementations, asymmetrical algorithms are used not so much for encryption, because of their slowness, but rather for distributing session keys for symmetrical cryptosystems such as DES. Because the security of the asymmetrical algorithms is not proven, the security of the whole implementation can be compromised. If these algorithms were broken by mathematical advances, QC would constitute the only way to solve the key distribution problem.

2.3 Barriers of classical cryptography

Secret key cryptography:
• Requires a secure channel for key distribution.
• In principle every classical channel can be monitored passively.
• Security is mostly based on complicated, unproven algorithms.

Public key cryptography:
• Security is based on unproven mathematical assumptions (e.g. in the RSA cipher, the difficulty of factoring large numbers).
• A breakthrough renders recorded messages insecure retroactively.

3. Quantum Cryptography

The idea of quantum cryptography was first proposed in the 1970s [14,15], though it is only now that the field is being applied to information security. One aspect of quantum cryptography is to create cryptographic protocols that protect quantum states, which have the property that they cannot be copied [11,12]. The main advantage of quantum cryptography is that it distributes key material whose secrecy does not rest on any computational assumption; combined with a one-time pad this gives unconditionally secure data transfer. The first successful quantum cryptographic device transferred a secret key over about 30 centimeters using polarized light, calcite crystals and other electro-optical devices.

Figure 3: A quantum cryptographic communication system for securely transferring a random key.

3.1 Quantum Entanglement

Entanglement is a kind of quantum correlation that is stronger, in a certain sense, than any classical one. If a quantum system consisting of several subsystems is in an entangled state (even a pure entangled state), its individual subsystems cannot be described by pure quantum states. Entangled states can serve for quantum key distribution and quantum teleportation. Quantum entanglement is a quantum mechanical phenomenon in which the quantum states of two or more objects have to be described with reference to each other, even though the individual objects may be spatially separated [3]. This leads to correlations between observable physical properties of the systems. As a result, measurements performed on one system seem to instantaneously influence other systems entangled with it.

3.2 Quantum Key Distribution

Quantum mechanics has multiple cryptographic applications (see [8] for a survey). The best known is quantum key distribution (QKD) [11], which enables Alice and Bob to create a secure classical secret key despite the potential presence of an eavesdropper. QKD requires only an insecure quantum channel and authenticated (but unencrypted) classical channels, but unfortunately requires multiple rounds of back-and-forth communication between Alice and Bob. Note that authenticating the classical channel itself needs an initial shared secret (or a signature scheme), so in practice QKD expands a short pre-shared key into a long one rather than creating a key from nothing. QKD is a means of distributing keys from one party to another and detecting eavesdropping. It allows two parties to establish a common random secret key by taking advantage of the fact that quantum mechanics does not allow non-orthogonal states to be distinguished with certainty. Within the framework of classical physics, information encoded into a property of a classical object can be acquired without affecting the state of the object. However, if information is encoded into a property of a quantum object, any attempt to discriminate between its non-orthogonal states inevitably changes the original state with nonzero probability. And since eavesdropping is also governed by the laws of quantum mechanics, these changes cause errors in the transmission and reveal the eavesdropper. QKD cannot prevent eavesdropping, but it enables the legitimate users to discover it. If eavesdropping is detected, the key is simply thrown away and a new one is generated. Discarding it leaks nothing, since the key is just a random sequence that has not yet been used to encrypt anything. The primary proposed application of QKD is to create a secret key which is then used with the one-time pad to send unconditionally secure messages. The main drawback of classical one-time pads is the distribution of the encryption/decryption keys, and this is not a problem for quantum cryptography, since key material sent over the quantum channel cannot be read without detection. One of the best-known protocols for quantum key distribution is usually called BB84, since it was proposed by Bennett and Brassard in 1984 [4]. In BB84, Alice sends Bob a random sequence of quantum bits (qubits). These qubits are equally likely to be in one of four possible states; see Table 1.

Table 1: States of quantum bits (normalization omitted)

State        Basis   Value
|0>          Z       0
|1>          Z       1
|0> + |1>    X       0
|0> - |1>    X       1

When Bob receives a qubit, he randomly chooses to measure it either in the Z basis or the X basis, and records the result. Then Alice announces which basis the state she sent came from (the "Basis" column in the table), but not what the state actually was, and Bob announces which basis he measured in. If Bob measured in the same basis that Alice used to prepare the state, he should have obtained the result in the "Value" column of the table. Alice and Bob keep the results for which they used the same basis and discard the other bits. In the absence of errors and eavesdropping, they now have an identical string of bits, which can act as their private key. But note that a clever Eve can adopt many possible strategies to fool Alice and Bob, including subtle quantum attacks that entangle all of the particles sent by Alice. Taking all possibilities into account, along with the effects of realistic imperfections in Alice and Bob's apparatus and channel, has been difficult. A long series of partial results has appeared over the years, addressing restricted sets of strategies by Eve [2], but only in the past few years have complete proofs appeared.
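The BB84 exchange described above, including the sifting step, the public error-rate check that exposes an intercept-resend eavesdropper, and the final use of the sifted key as a one-time pad, as an added example that is not code from the paper. Qubits are modelled classically as (value, basis) pairs following Table 1: a measurement in the preparation basis returns the value, a measurement in the other basis returns a uniformly random bit. The channel is assumed noiseless and lossless, Eve only intercepts and resends, and the abort threshold, sample message and seeds are choices made for this example.

```python
"""BB84 with sifting, error estimation and one-time-pad use (added example)."""
import random

Z, X = "Z", "X"


def measure(qubit, basis, rng):
    """Measure a (value, basis) qubit; the wrong basis gives a random outcome."""
    value, prep_basis = qubit
    return value if basis == prep_basis else rng.randrange(2)


def intercept_resend(qubits, rng):
    """Eve measures each qubit in a random basis and re-prepares what she saw."""
    out = []
    for q in qubits:
        b = rng.choice((Z, X))
        out.append((measure(q, b, rng), b))
    return out


def bb84(n, seed=0, eve=False):
    """Run one BB84 round over n qubits.

    Returns (alice_key, bob_key, qber): the sifted bits left after the
    error-estimation sample is discarded, and the observed error rate.
    """
    rng = random.Random(seed)
    a_bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.choice((Z, X)) for _ in range(n)]
    qubits = list(zip(a_bits, a_bases))          # Alice prepares (Table 1)
    if eve:
        qubits = intercept_resend(qubits, rng)   # channel under attack
    b_bases = [rng.choice((Z, X)) for _ in range(n)]
    b_bits = [measure(q, b, rng) for q, b in zip(qubits, b_bases)]

    # Public discussion over the authenticated classical channel: bases only.
    keep = [i for i in range(n) if a_bases[i] == b_bases[i]]
    a_sift = [a_bits[i] for i in keep]
    b_sift = [b_bits[i] for i in keep]

    # Sacrifice the first half of the sifted string, compared in the clear,
    # to estimate the quantum bit error rate; those bits are then discarded.
    half = len(a_sift) // 2
    errors = sum(a != b for a, b in zip(a_sift[:half], b_sift[:half]))
    qber = errors / half if half else 0.0
    return a_sift[half:], b_sift[half:], qber


def one_time_pad(data, key_bits):
    """XOR data with key bits (8 per byte); fails closed if the key is short."""
    if len(key_bits) < 8 * len(data):
        raise ValueError("not enough key material")
    key = bytes(
        int("".join(str(b) for b in key_bits[8 * i:8 * i + 8]), 2)
        for i in range(len(data))
    )
    return bytes(d ^ k for d, k in zip(data, key))


if __name__ == "__main__":
    for eve in (False, True):
        a_key, b_key, qber = bb84(4000, seed=7, eve=eve)
        print(f"eve={eve}: sifted={len(a_key)} bits, QBER={qber:.3f}")
        # Intercept-resend corrupts 1/4 of the sifted bits; a noiseless link
        # shows 0. Abort above the roughly 11% bound known for BB84.
        if qber > 0.11:
            print("  eavesdropping suspected, key discarded")
            continue
        msg = b"constructed plaintext"  # sample message, not from the paper
        ct = one_time_pad(msg, a_key)
        assert one_time_pad(ct, b_key) == msg
        print("  key accepted; one-time-pad round trip ok")
```

Running the script shows a zero error rate without Eve and an error rate near 0.25 with her, which is why the sampled bits must be compared before any of the key is used: a key whose error estimate is above threshold is discarded at no cost, exactly as the text describes.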


One class of proofs, by Dominic Mayers [3] and subsequently by others, including Eli Biham and collaborators and Michael Ben-Or [4], attacks the problem directly and proves that the standard BB84 protocol is secure. Another approach, by H.-K. Lo and H. F. Chau [5], proves the security of a new QKD protocol that uses quantum error-correcting codes [6]. The two approaches have been unified by Peter Shor and John Preskill [7], who showed that a quantum error-correcting protocol could be modified to become BB84 without compromising its security. The proof of the security of QKD is a fine theoretical result, but it does not mean that a real QKD system would be secure [8]. Known and unknown security loopholes might prove to be fatal. Apparently minor quirks of a system can sometimes provide a lever for an eavesdropper to break the encryption. For instance, instead of producing a single photon, a laser may produce two; Eve can keep one and give the other to Bob. Once Alice announces her basis, Eve measures her stored photon in that basis and learns what Alice sent without introducing any error that would reveal her presence. There are various possible solutions to this particular problem (attenuating the source so that multi-photon pulses are rare, and extending the proof to account for the ones that remain); it is the unanticipated flaws that present the greatest security hazard. Ultimately, we cannot have confidence that a real-life quantum cryptographic system is secure until it has withstood attacks from determined real-life adversaries. Traditionally, breaking cryptographic protocols has been considered to be as important as making them: the protocols that survive are more likely to be truly secure. The same standard will have to be applied to QKD. Quantum key distribution is perhaps the best-known example of an application of quantum mechanics to cryptography, but there are many others. For instance, quantum key distribution is closely related to a slightly stronger protocol called uncloneable encryption, which uses quantum states to send an encrypted classical message which cannot be read or even copied by Eve.
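To make the two-photon loophole above concrete, here is an added example (not from the paper) that models an attenuated laser whose photon number per pulse is Poisson distributed with mean mu, and an eavesdropper who keeps one photon from every multi-photon pulse. It computes analytically, and confirms by simulation, what share of the sifted key Eve learns this way while causing no errors at all. The lossless channel, the Poisson source model and the values of mu are assumptions of the example, not measurements reported in the text.

```python
"""Photon-number splitting against a weak coherent source (added example)."""
import math
import random


def poisson(mu, rng):
    """Sample from Poisson(mu) by Knuth's multiplication method (small mu)."""
    limit = math.exp(-mu)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def multi_photon_fraction(mu):
    """Analytic share of non-empty pulses carrying two or more photons.

    P(n>=2 | n>=1) = 1 - P(n=1) / (1 - P(n=0)) for n ~ Poisson(mu).
    """
    p0 = math.exp(-mu)
    p1 = mu * p0
    return 1.0 - p1 / (1.0 - p0)


def simulate_pns(mu, pulses, seed=0):
    """Monte-Carlo share of sifted bits Eve learns with zero induced errors.

    Sifting keeps pulses independently of their photon number, so the share
    among sifted bits equals the share among detected pulses. Empty pulses
    give Bob no click and are dropped; assumed lossless otherwise.
    """
    rng = random.Random(seed)
    learned = detected = 0
    for _ in range(pulses):
        n = poisson(mu, rng)
        if n == 0:
            continue
        detected += 1
        if n >= 2:
            # Eve stores one photon, forwards the rest untouched, and reads
            # her copy in the right basis after the public basis announcement.
            learned += 1
    return learned / detected if detected else 0.0


if __name__ == "__main__":
    for mu in (0.1, 0.5, 1.0):
        print(f"mu={mu}: analytic {multi_photon_fraction(mu):.3f}, "
              f"simulated {simulate_pns(mu, 20000, seed=3):.3f}")
```

Even at a mean of 0.1 photons per pulse, about 5% of the sifted key is exposed with no signature in the error rate, and the exposure grows quickly with mu; this is why the QBER check alone is not a sufficient security test for a real source.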

4. Quantum Cryptographic Protocols

Recent interest in quantum cryptography has been stimulated by the fact that quantum algorithms, such as Shor's algorithms for integer factorization and discrete logarithm [9], threaten the security of classical cryptosystems. A range of quantum cryptographic protocols for key distribution, bit commitment, oblivious transfer and other problems [10] have been extensively studied. Furthermore, the implementation of quantum cryptographic protocols has turned out to be significantly easier than the implementation of quantum algorithms. Quantum cryptographic protocols are designed with the intention that their security is guaranteed by the laws of quantum physics. Naturally it is necessary to prove, for any given protocol, that this is indeed the case. The most notable result in this area is Mayers' proof [3] of the unconditional security of the quantum key distribution protocol BB84 [12]. This proof guarantees the security of BB84 in the presence of an attacker who can perform any operation allowed by quantum physics; hence the security of the protocol will not be compromised by future developments in quantum computing. Mayers' results, and others of the same kind [4,3], are extremely important contributions to the study of quantum cryptography. However, a mathematical proof of the security of a protocol does not in itself guarantee the security of an implemented system which relies on the protocol. Experience with classical cryptography has shown that, during the progression from an idealized protocol to an implementation, many security weaknesses can arise. For example: the system might not correctly implement the desired protocol; there might be security flaws which only appear at the implementation level and which are not visible at the level of abstraction used in proofs; problems can also arise at boundaries between systems and between components which have different execution models or data representations. Quantum cryptographic systems must therefore be analyzed at a level of detail that is closer to a practical implementation. Computer scientists have developed a range of techniques and tools for the analysis and verification of communication systems and protocols. Those particularly relevant to security analysis are surveyed by Ryan et al. [7]. This approach has two key features. The first is the use of formal languages to precisely specify the behavior of the system and the properties which it is meant to satisfy. The second is the use of automated software tools either to verify that a system satisfies its specification or to discover flaws.

The classical solutions to the problem of insecure communication all rely on some sort of assumption, about the computational power of a cheater, about the number of cheaters, or something of this kind. Encouraged by quantum key distribution, one might hope that quantum mechanics would allow us to weaken or remove these assumptions. For instance, it is possible to


make a quantum digital signature which is secure against all attacks allowed by quantum mechanics. Many classical cryptographic protocols work by building up the protocol from simpler protocols. Two particularly useful simple protocols are authentication of quantum messages [8] and bit commitment. Standard classical cryptographic protocols for bit commitment rely on Bob having limited computational power. For a while, it was thought that quantum bit commitment protocols existed which were unconditionally secure. However, it turns out that if Alice and Bob have quantum computers, any protocol for which Bob cannot determine the value of Alice's bit allows Alice to safely change the bit without Bob finding out. This was a great disappointment, and later results proved that many other quantum cryptographic protocols were also impossible. However, there are still a number of possible protocols that have not been ruled out, including some of considerable interest. Quantum computation may allow us to perform some of these operations more safely than any classical protocol.
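The classical bit commitment that the paragraph above contrasts with unconditionally secure quantum commitment, as an added example that is not code from the paper. Alice sends Bob only a SHA-256 digest of a random nonce concatenated with her bit. Bob cannot recover the bit from the digest (hiding), and Alice cannot later open the commitment as the other bit without finding a second preimage (binding). Both properties are computational, which is precisely the dependence on the parties' limited computing power that the quantum proposals hoped to remove. The fixed nonce length and the helper names are choices made for this example.

```python
"""Hash-based bit commitment, the computational baseline (added example)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 32  # fixed, so nonce and bit cannot be re-split when opening


def commit(bit, nonce=None):
    """Alice: return (commitment, opening). Only the commitment goes to Bob."""
    if bit not in (0, 1):
        raise ValueError("bit must be 0 or 1")
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    commitment = hashlib.sha256(nonce + bytes([bit])).digest()
    return commitment, (nonce, bit)


def open_commitment(commitment, opening):
    """Bob: accept the opening only if it reproduces the digest he holds."""
    nonce, bit = opening
    if len(nonce) != NONCE_LEN or bit not in (0, 1):
        return False
    expected = hashlib.sha256(nonce + bytes([bit])).digest()
    # Constant-time compare so Bob's verifier leaks nothing through timing.
    return hmac.compare_digest(expected, commitment)


def run_protocol(bit, cheat=False):
    """Full exchange: Alice commits now, opens later, honestly or flipped."""
    commitment, (nonce, committed) = commit(bit)   # Bob stores `commitment`
    revealed = committed ^ 1 if cheat else committed  # Alice's later claim
    return open_commitment(commitment, (nonce, revealed))


if __name__ == "__main__":
    print("honest open accepted:", run_protocol(1))
    print("flipped bit accepted:", run_protocol(1, cheat=True))
```

Note the asymmetry with the quantum result quoted in the text: here Alice's inability to change her bit holds only as long as Bob cannot invert SHA-256, and Bob's inability to read it holds only as long as he cannot enumerate 256-bit nonces.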

5. Eavesdropping

Eavesdropping is the interception and reading of messages and conversations by unintended recipients. One who secretly listens in on the conversations of others is called an eavesdropper. The origin of the term is literal: people would hide under the eaves of houses to listen in on other people's private conversations. Eavesdropping can also be done over telephone lines, email, instant messages, and any other method of communication considered private. (If a message is publicly broadcast, witnessing it does not count as eavesdropping.) Messages can be protected against eavesdropping by employing the security service of confidentiality (or privacy). This security service is usually implemented by encryption.

6. Quantum crypto network debuts

Quantum cryptography has the potential to guarantee perfectly secure communications, but until now all prototype systems have been point-to-point links rather than networks that share connections. BBN Technologies, Harvard University and Boston University researchers have built a six-node quantum cryptography network that operates continuously to provide a way to exchange secure keys between BBN and Harvard, which is about 10 kilometers away [3]. The researchers will soon move one of the network nodes across town to link Boston University into the network. The network is resilient because any node in the network can act as a relay to connect two other nodes. Because there are multiple connections to and from any given node, "failure of a link or node does not mean that we have lost quantum cryptography." The quantum network uses secure point-to-point connections between nodes and allows a given node to relay secure cryptographic keys between two other nodes. Note that such a relay re-keys between its two links and therefore holds the relayed key in the clear: every relay node must be trusted, since the physical guarantees of QKD apply only hop by hop. Because the quantum properties of photons are lost if they are observed, they cannot be copied, but making copies of light signals is the way signals are boosted along ordinary telecommunications lines. Quantum repeaters, which are under development at several research labs around the world, would instead transfer the quantum state of one photon to another through interactions with atoms or through entanglement, which allows traits of two or more particles to be linked regardless of the distance between them. The network's photon sources are currently heavily filtered lasers, which are extremely dim and sometimes emit more than one photon at a time [9]. The quantum cryptography network works with Internet protocols including IPsec and creates a type of virtual private network, which provides secure communications over unsecured networks like the Internet at large. The idea is that even if an eavesdropper is able to listen in on a line, he would be unable to learn much about the communications traversing it. The network is ready for practical applications today.

Magiq Technologies is creating a new line of products that it says could help make quantum encryption, which is theoretically impossible to crack, more palatable to mainstream customers. The New York-based company said it has signed a deal with Cavium Networks under which Cavium's network security chips will be included inside Magiq's servers and networking boards.


Magiq and Cavium will also create reference designs for networking boards and cards, with all of the necessary silicon to create a quantum encryption system. Quantum properties other than polarization can encode the value of a bit for the quantum key, says Gregoire Ribordy, CEO of Swiss start-up ID Quantique. His company introduced the first commercial quantum-cryptography products in 2002: single-photon detectors and random-number generators, two essential components for quantum-cryptography systems. In 2003, the company partnered with two electronic-security firms to develop a commercial system.

7. Conclusion

Quantum cryptography is a new science within cryptosystem technology, and researchers around the world are finding ways to incorporate new devices and have already made breakthroughs, so it appears that quantum cryptography will become an advanced code-making technology that is theoretically uncrackable. This is because the laws of quantum physics dictate that an eavesdropper cannot measure the properties of a single photon without risking altering those properties. In other words, even if an eavesdropper is able to listen in on a line, he or she would be unable to learn much about the communications traversing it.

8. References

[1] Bennett, C. H., and Brassard, G. Quantum public key distribution reinvented. SIGACT News 18(4) (1987), 51–53.
[2] Bennett, C. H., Brassard, G., and Ekert, A. K. Quantum cryptography. Scientific American 267(4) (Oct. 1992), 50.
[3] Bennett, C. H., and DiVincenzo, D. P. Quantum information and computation. Nature 404 (2000), 247–255.
[4] Bennett, C. H., and Shor, P. W. Quantum information theory. IEEE Transactions on Information Theory 44(6) (1998), 2724–2742.
[5] Brassard, G. Cryptology column: 25 years of quantum cryptography. SIGACT News 27(3) (1996), 13–24.
[6] Gottesman, D., and Lo, H.-K. From quantum cheating to quantum security. Physics Today 53(11) (Nov. 2000), 22.
[7] Lo, H.-K. Quantum Cryptology. World Scientific, 1998.
[8] Singh, S. The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. Fourth Estate, London, 1999.
[9] Brassard, G. Modern Cryptology: A Tutorial. Lecture Notes in Computer Science, Vol. 325. Springer, New York, 1988.
[10] Shannon, C. E. Communication theory of secrecy systems. Bell System Technical Journal 28 (1949), 656–715.
[11] Stallings, W. Cryptography and Network (1999).
[12] Wiesner, S. Conjugate coding. SIGACT News 15 (1983), 78–88.
[13] Bennett, C. H., and Brassard, G. Quantum cryptography: public key distribution and coin tossing. In Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India. IEEE, New York, 1984, pp. 175–179.
[14] Bennett, C. H., and Brassard, G. Quantum public key distribution system. IBM Technical Disclosure Bulletin 28 (1985), 3153–3163.
[15] Wootters, W. K., and Zurek, W. H. A single quantum cannot be cloned. Nature 299 (1982), 802.
