Physicist Hoi-Kwong Lo on quantum key distribution, “flying qubits”, and quantum hacking
It has been said that “the human desire to keep a secret is almost as old as writing itself.” With the rise of the internet, the importance of cryptography is growing every day. Unfortunately, standard encryption schemes are often based on unproven computational assumptions such as the hardness of factoring large integers and are thus vulnerable to unanticipated advances in hardware and code-breaking including the construction of a large-scale quantum computer.Indeed, in 1994 Peter Shor invented a quantum algorithm for efficient factoring—thus breaking standard encryption schemes including RSA. As Gilles Brassard, a co-inventor of quantum cryptography, says, if a large-scale quantum computer is ever built, much of conventional cryptography will fall apart. Many scientists and engineers are racing in the world to address the grand challenge of building a large-scale quantum computer these days. Recently, the US National Security Agency has announced plans to plan for transition to quantum-safe crypto systems including quantum cryptography. In summary, the risk of quantum computing to conventional cryptography must not be under-estimated.
A key application of quantum cryptography is called “quantum key distribution” (QKD), whose main goal is to provide unconditional security in communications based on the laws of physics only. Suppose two users, Alice and Bob, would like to communicate, but there is an eavesdropper, Eve, who is wiretapping the channel. It is well known in classical cryptography that if Alice and Bob share a secret key as long as their message, then they achieve unconditional security via the one-time-pad method. The catch is: how do they generate a long encryption key that is secret from Eve in the first place?
This is the motivation behind quantum key distribution (QKD), which was invented by Charles Bennett and Gilles Brassard in 1984. Also, in 1991 Ekert invented an entanglement-based QKD protocol. QKD provides unconditional security based on quantum mechanics and it is secure against even quantum computers. More concretely, Alice, by sending Bob quantum signals (e.g. single photons encoded one of the four polarizations (horizontal, vertical, 45-degree polarized and 135-degree polarized)) would like the two parties to generate a secure key between them and able to detect any eavesdropper in QKD. If Eve is detected, Alice and Bob can simply abort the protocol without losing any confidential information and try it again in future.
The first QKD experiment was done in 1992 over the transmission of 30cm of open air. Tremendous experimental progress has been made in QKD over the last 25 years. QKD has now been successfully performed over hundreds of kilometers of telecom fibers and open air. Commercial QKD systems are currently being deployed. Some countries such as the US and China are currently installing quantum communication networks (with trusted relays)between major cities (e.g. between Shanghai and Beijing).
In theory, quantum communication is perfectly secure.In practice, currently there are various loopholes and “quantum hacking”has been performed by various research groups including Vadim Makarov’s group and mine.
Loopholes could appear in both the source and the detectors.Practical sources and detectors rarely conform to the idealized theoretical model used in security proof. For instance, in a gated detector, its detection efficiency is switched by a biased voltage and is thus a function of time. Ideally, there are two detectors,one for the bit, 0, and one for the bit, 1 and it is important to ensure that the detection efficiencies of the two detectors are perfectly matched.
In practice, we have shown that a tiny mismatch in the timing of the biased voltage could introduce a big mismatch in the detection efficiencies. This is the principle behind time-shift attack.This is just one example. Various loopholes have been found in QKD systems.
As a counter-measure to quantum hacking, recently there has been a lot of theoretical and experimental interest in measurement-device-independent quantum key distribution (MDI-QKD), an idea proposed by me, Marcos Curty and Bing Qi in 2012. This is because MDI-QKD is automatically immune to all detector attacks.
As mentioned above, there are loopholes in both detectors and sources. The most fatal loopholes are often at the detectors. This is because Eve is allowed to send it any signal, including a strong classical pulse, into Bob’s devices and it is hard to predict what will happen under such a situation.
Note that the important point is that Charles can be totally untrusted in MDI-QKD. Alice and Bob could *verify* Charles’ honestly by comparing their data with Charles’ claim of post-selected generation of a Bell state. If Charles is dishonest, Alice and Bob will simply abort QKD and this does not affect their security.
The price to pay for MDI-QKD is that, just like standard BB84 protocol, Alice and Bob still have to trust their sources.
With MDI-QKD only the source flaws of QKD remain an issue.
In the longer term, all photonics quantum repeaters, if realized,
will be a great way to extend the idea of MDI-QKD to longer distances.
In the far future, the ultimate solution will be (full)device-independent (DI)-QKD. The security of full DI-QKD relies on the testing of Bell inequalities. A Bell test is a test of the idea of local reality.Two systems are said to obey local reality if we could assign a local physical reality (i.e.,a specific mixed state) to each system individually.It was John Bell who showed that systems that obey local reality must satisfy a set of inequalities (commonly called Bell’s inequalities these days).
Unfortunately, a remarkable feature of quantum mechanics is that it violates local reality. This puzzled even Einstein.An “entangled” quantum state can be stronger than local classical correlations. In this sense, quantum mechanics is non-local. In particular, experimentally quantum mechanics violates Bell inequalities.
There are various loopholes that could render a Bell test irrelevant.In the few decades, there have been a lot efforts in closing those loopholes in Bell tests.
Quantum mechanics allows stronger than classical correlations that cannot be explained by any local hidden variable theory. The complementarity in quantum mechanics provides the very foundation of security to quantum communication.Incidentally, this year we have witnessed three experimental demonstrations of loophole-free Bell tests. This is an impressive achievement in physics.
[A caveat: Of course, once a key has been measured,it becomes classical. A classical message can be copied.So, the leakage of classical signals will always remain a fundamental problem in cryptography. One must secure one’s classical key against an eavesdropper.]
The distance of quantum communication is limited by the loss in standard telecom fibers. For instance, for a distance of 1000km, it has been estimated that the loss is so big that it takes almost one century to send one bit of signal. Therefore, some sort of quantum repeaters are needed (if one does not trust classical relays). Owing to the aforementioned quantum no-cloning theorem,it is not possible to amplify quantum signals. Instead, in a quantum repeater, one must preserve the one and only one copy of quantum information that one has.One can think of quantum repeaters as a form of primitive quantum computer that simply stores and preserves quantum information in a communication channel.
Up till now, all quantum repeaters proposals require matter quantum memories in various relay nodes and the interface of “flying qubits” (usually photons) with matter quantum memories.Both requirements—good matter quantum memories and efficient interface between flying qubits and stationary matter quantum memories—are rather demanding.
Our new proposal—all photonics quantum repeaters—is different. It completely removes the above two requirements.Instead, our proposal relies on the creation and distribution of highly entangled cluster states between relay nodes. For the first time, it is conceptually possible to achieve long-distance quantum communication with only photons.
A theoretical challenge is to simplify the design and codes used in the cluster states for all photonics quantum repeaters.Currently, the number of photons needed is very big (e.g. billions).We suspect that some optimizations can be performed to cut the numbers dramatically.
In the longer term, there is a lot of interest in developing single-photon sources. Singe-photon sources are useful for applications such as linear optics quantum computing. While they are not strictly necessary for QKD, they can enhance the key rate of QKD.
An ideal single-photon source is an on-demand one. i.e.,whenever one pushes a button, one photon comes out.Currently, for QKD, we often use instead an attenuated laser pulse, which gives a Poissonian distribution in photon numbers. Therefore, there is no-zero probability of getting more than one photon. Single-proton sources will be needed to make all photonics quantum repeaters practical.
We hope that our work will stimulate the interest in research of single-photon sources. In recent years, there have already been a lot of progress in the development of high-efficiency single-photon detectors. Now, we think single-photon *sources* will be the next big thing. With both good sources and detectors,we are moving closer to the development of all photonics quantum repeaters and also linear optics quantum computer proposal by KLM (Knill, Laflamme and Milburn).
Will photons ultimately win the race towards large-scale quantum computers?This is the big question. We do not claim to know the answer ourselves.