Quantum Cryptography

Physicist Hoi-Kwong Lo on quantum key distribution, “flying qubits”, and quantum hacking

faq | February 17, 2016

It has been said that “the human desire to keep a secret is almost as old as writing itself.” With the rise of the internet, the importance of cryptography is growing every day. Unfortunately, standard encryption schemes are often based on unproven computational assumptions, such as the hardness of factoring large integers, and are thus vulnerable to unanticipated advances in hardware and code-breaking, including the construction of a large-scale quantum computer. Indeed, in 1994 Peter Shor invented a quantum algorithm for efficient factoring, which would break standard encryption schemes, including RSA. As Gilles Brassard, a co-inventor of quantum cryptography, says, if a large-scale quantum computer is ever built, much of conventional cryptography will fall apart. Many scientists and engineers around the world are now racing to address the grand challenge of building a large-scale quantum computer. Recently, the US National Security Agency announced plans to transition to quantum-safe cryptosystems, including quantum cryptography. In summary, the risk that quantum computing poses to conventional cryptography must not be underestimated.

Quantum Key Distribution

A key application of quantum cryptography is called “quantum key distribution” (QKD), whose main goal is to provide unconditional security in communications based on the laws of physics only. Suppose two users, Alice and Bob, would like to communicate, but there is an eavesdropper, Eve, who is wiretapping the channel. It is well known in classical cryptography that if Alice and Bob share a secret key as long as their message, then they achieve unconditional security via the one-time-pad method. The catch is: how do they generate a long encryption key that is secret from Eve in the first place?

This is called the key distribution problem. All classical key distribution methods are fundamentally insecure because there is nothing that prevents an eavesdropper from simply copying the key during its distribution process. In contrast, in quantum mechanics, the “quantum no-cloning theorem” forbids the perfect copying of an unknown quantum state. The intuition behind the quantum no-cloning theorem is the idea of conjugate observables. In quantum mechanics, some observables, such as position and momentum, cannot be determined simultaneously.

This is the motivation behind quantum key distribution (QKD), which was invented by Charles Bennett and Gilles Brassard in 1984. In 1991, Ekert invented an entanglement-based QKD protocol. QKD provides unconditional security based on quantum mechanics, and it is secure even against quantum computers. More concretely, Alice sends Bob quantum signals (e.g. single photons encoded in one of four polarizations: horizontal, vertical, 45-degree and 135-degree), and the goal is for the two parties to generate a secure key between them and to detect any eavesdropper. If Eve is detected, Alice and Bob can simply abort the protocol without losing any confidential information and try again later.
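To make the eavesdropper-detection step concrete, here is an added simulation of the BB84 exchange just described (example code written for this page, not code from the author or any QKD product). It models the four polarization states as two conjugate bases, sifts the positions where Alice and Bob chose the same basis, and estimates the error rate on a sacrificed sample. The intercept-resend eavesdropper, the 11% abort threshold and the 50% sample fraction are assumptions of the example, not figures from the article: the point is that an eavesdropper who cannot clone the photon necessarily disturbs about a quarter of the sifted bits, which is what Alice and Bob detect.

```python
import random

# Basis 0 = rectilinear (horizontal/vertical), basis 1 = diagonal (45/135 degrees).
# Measuring a photon in the basis it was prepared in returns the encoded bit;
# measuring it in the conjugate basis returns a uniformly random bit.
def measure(bit, prep_basis, meas_basis, rng):
    return bit if prep_basis == meas_basis else rng.randrange(2)


def bb84(n, eavesdrop=False, seed=0, sample_fraction=0.5, abort_threshold=0.11):
    """Simulate one BB84 run with n photons and return the sifted-key statistics.

    abort_threshold is an assumed tolerance on the estimated error rate; a real
    system derives it from its security proof and privacy-amplification budget.
    """
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    bob_bases = [rng.randrange(2) for _ in range(n)]

    bob_bits = []
    for bit, basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-resend: Eve measures in a random basis and forwards a fresh
            # photon carrying her result. She cannot clone the photon, so half the
            # time she guesses the wrong basis and disturbs the state.
            eve_basis = rng.randrange(2)
            bit, basis = measure(bit, basis, eve_basis, rng), eve_basis
        bob_bits.append(measure(bit, basis, bob_basis, rng))

    # Sifting: bases are announced over an authenticated classical channel and
    # only the positions where Alice and Bob chose the same basis are kept.
    sifted = [(a, b) for a, b, sa, sb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
              if sa == sb]

    # Parameter estimation: sacrifice a random sample of sifted bits to estimate
    # the quantum bit error rate (QBER) that any eavesdropping must have caused.
    sample = set(rng.sample(range(len(sifted)), int(len(sifted) * sample_fraction)))
    errors = sum(1 for i in sample if sifted[i][0] != sifted[i][1])
    qber = errors / len(sample) if sample else 0.0

    alice_key = [a for i, (a, _) in enumerate(sifted) if i not in sample]
    bob_key = [b for i, (_, b) in enumerate(sifted) if i not in sample]
    return {
        "sifted": len(sifted),
        "qber": qber,
        "abort": qber > abort_threshold,
        "alice_key": alice_key,
        "bob_key": bob_key,
    }


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84(4000, eavesdrop=eve)
        print(f"eavesdrop={eve}: sifted={r['sifted']} QBER={r['qber']:.3f} abort={r['abort']}")
```

Without Eve the sifted keys agree exactly and the estimated QBER is zero; with intercept-resend the QBER lands near 25%, far above the threshold, so the run is aborted and no key material is used. The remaining (unsampled) sifted bits would still need error correction and privacy amplification before serving as a one-time-pad key; that post-processing is outside this example.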

The first QKD experiment was done in 1992 over 30 cm of open air. Tremendous experimental progress has been made in QKD over the last 25 years. QKD has now been successfully performed over hundreds of kilometers of telecom fiber and open air. Commercial QKD systems are currently being deployed. Some countries, such as the US and China, are currently installing quantum communication networks (with trusted relays) between major cities (e.g., between Shanghai and Beijing).

The security of quantum communication

In theory, quantum communication is perfectly secure. In practice, currently, there are various loopholes, and “quantum hacking” has been performed by various research groups, including Vadim Makarov’s group and mine.

Loopholes can appear in both the source and the detectors. Practical sources and detectors rarely conform to the idealized theoretical model used in security proofs. For instance, in a gated detector, the detection efficiency is switched on and off by a bias voltage and is thus a function of time. Ideally, there are two detectors, one for bit 0 and one for bit 1, and it is important to ensure that the detection efficiencies of the two detectors are perfectly matched.

In practice, we have shown that a tiny mismatch in the timing of the bias voltage can introduce a large mismatch in the detection efficiencies. This is the principle behind the time-shift attack. This is just one example; various loopholes have been found in QKD systems.

Measurement-device-independent quantum key distribution

As a countermeasure to quantum hacking, there has recently been a lot of theoretical and experimental interest in measurement-device-independent quantum key distribution (MDI-QKD), an idea proposed by me, Marcos Curty and Bing Qi in 2012. This is because MDI-QKD is automatically immune to all detector attacks.

As mentioned above, there are loopholes in both detectors and sources. Fatal loopholes are often at the detectors. This is because Eve is allowed to send any signal, including a strong classical pulse, into Bob’s devices, and it is hard to predict what will happen in such a situation.

The idea of MDI-QKD is to automatically remove all loopholes at the detectors. In MDI-QKD, the two users, Alice and Bob, each send signals (phase randomized decoy states) to an *untrusted* relay, Charles, who is supposed to perform a Bell-state measurement on the joint state of the photons.

Note that the important point is that Charles can be totally untrusted in MDI-QKD. Alice and Bob can *verify* Charles’ honesty by comparing their data with Charles’ claim of a post-selected generation of a Bell state. If Charles is dishonest, Alice and Bob simply abort QKD, and this does not affect their security.

The price to pay for MDI-QKD is that, just as in the standard BB84 protocol, Alice and Bob still have to trust their sources.

With MDI-QKD, only the source flaws of QKD remain an issue.

In the longer term, all photonics quantum repeaters, if realized, will be a great way to extend the idea of MDI-QKD to longer distances.

Device-independent QKD

In the far future, the ultimate solution will be (full) device-independent QKD (DI-QKD). The security of full DI-QKD relies on the testing of Bell inequalities. A Bell test is a test of the idea of local reality. Two systems are said to obey local reality if one can assign a local physical reality (i.e., a specific mixed state) to each system individually. It was John Bell who showed that systems that obey local reality must satisfy a set of inequalities (commonly called Bell’s inequalities these days).

Unfortunately, a remarkable feature of quantum mechanics is that it violates local reality. This puzzled even Einstein. An “entangled” quantum state can be stronger than local classical correlations. In this sense, quantum mechanics is non-local. In particular, experimentally, quantum mechanics violates Bell inequalities.

There are various loopholes that could render a Bell test irrelevant. In the last few decades, there have been a lot of efforts to close those loopholes in Bell tests.

Quantum mechanics allows stronger than classical correlations that cannot be explained by any local hidden variable theory. The complementarity in quantum mechanics provides the very foundation of security to quantum communication. Incidentally, this year we have witnessed three experimental demonstrations of loophole-free Bell tests. This is an impressive achievement in physics.
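The Bell-test argument above can be checked numerically. The following is an added example (written for this page, not code from the author or from any DI-QKD implementation) that estimates the CHSH combination S from sampled outcomes for two sources of correlation: the singlet state, using the quantum prediction E(a, b) = -cos(a - b) in the spin-1/2 convention, and a local hidden-variable model in which a shared random angle fixes both outcomes in advance. The measurement angles and the sample size are choices of the example. The local model can reach the classical bound |S| = 2 but never exceed it, while the singlet reaches about 2.83, which is what a DI-QKD protocol relies on: a violation certifies that the devices share genuine quantum correlations regardless of how they were built.

```python
import math
import random

# CHSH settings: Alice measures at angle a0 or a1, Bob at b0 or b1 (radians).
# With the spin-1/2 convention the singlet state gives E(a, b) = -cos(a - b).
A0, A1 = 0.0, math.pi / 2
B0, B1 = math.pi / 4, 3 * math.pi / 4
CLASSICAL_BOUND = 2.0


def tsirelson_bound():
    """Largest |S| quantum mechanics allows: 2*sqrt(2)."""
    return 2.0 * math.sqrt(2.0)


def singlet_pair(a, b, rng):
    """Sample one (+1/-1, +1/-1) outcome pair from the singlet state."""
    p_same = math.sin((a - b) / 2) ** 2   # quantum probability of equal outcomes
    x = rng.choice((1, -1))
    y = x if rng.random() < p_same else -x
    return x, y


def lhv_pair(a, b, rng):
    """Sample from a local hidden-variable model: a shared angle lam, fixed at the
    source, determines each outcome locally with no influence across the two sides."""
    lam = rng.uniform(0.0, 2.0 * math.pi)
    x = 1 if math.cos(a - lam) >= 0 else -1
    y = -1 if math.cos(b - lam) >= 0 else 1   # anti-correlated at equal angles
    return x, y


def correlation(sampler, a, b, n, rng):
    """Empirical correlation E(a, b) = <x*y> from n sampled outcome pairs."""
    return sum(x * y for x, y in (sampler(a, b, rng) for _ in range(n))) / n


def chsh(sampler, n=20000, seed=1):
    """Estimate S = E(a0,b0) - E(a0,b1) + E(a1,b0) + E(a1,b1) from samples."""
    rng = random.Random(seed)

    def e(a, b):
        return correlation(sampler, a, b, n, rng)

    return e(A0, B0) - e(A0, B1) + e(A1, B0) + e(A1, B1)


def chsh_quantum_exact():
    """Closed-form S for the singlet at the angles above (equals -2*sqrt(2))."""
    def e(a, b):
        return -math.cos(a - b)

    return e(A0, B0) - e(A0, B1) + e(A1, B0) + e(A1, B1)


if __name__ == "__main__":
    print(f"singlet (exact):   |S| = {abs(chsh_quantum_exact()):.3f}")
    print(f"singlet (sampled): |S| = {abs(chsh(singlet_pair)):.3f}")
    print(f"local model:       |S| = {abs(chsh(lhv_pair)):.3f}  (bound {CLASSICAL_BOUND})")
```

In a real DI-QKD experiment the statistics come from the two users' detectors rather than from a sampler, and the loopholes mentioned above (detection efficiency, locality, freedom of choice) are about making sure the observed violation cannot be explained by a local model like `lhv_pair` that exploits missed or delayed events.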

[A caveat: Of course, once a key has been measured, it becomes classical. A classical message can be copied. So, the leakage of classical signals will always remain a fundamental problem in cryptography. One must secure one’s classical key against an eavesdropper.]

Quantum Repeaters

The distance of quantum communication is limited by the loss of standard telecom fibers. For instance, for a distance of 1000 km, it has been estimated that the loss is so large that it would take almost one century to send one bit of signal. Therefore, some sort of quantum repeater is needed (if one does not trust classical relays). Owing to the aforementioned quantum no-cloning theorem, it is not possible to amplify quantum signals. Instead, in a quantum repeater, one must preserve one and only one copy of the quantum information that one has. One can think of quantum repeaters as a form of primitive quantum computer that simply stores and preserves quantum information in a communication channel.
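The loss estimate above follows from the exponential attenuation of fiber, and the following added example (written for this page, not from the author's work) makes the scaling explicit. It assumes a typical attenuation of 0.2 dB/km and a 10 GHz photon source; the article's "almost one century" figure corresponds to its own parameter choices, and the absolute number moves with the source rate and loss figure, while the exponential dependence on distance does not. The repeater-chain function is a deliberately crude model that only shows why cutting the link into heralded segments changes the scaling from exponential to polynomial.

```python
# Assumed parameters (not from the article): standard telecom fibre attenuation
# of about 0.2 dB/km at 1550 nm and a 10 GHz single-photon source.
LOSS_DB_PER_KM = 0.2
SOURCE_RATE_HZ = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def transmittance(distance_km, loss_db_per_km=LOSS_DB_PER_KM):
    """Fraction of photons that survive a fibre link of the given length."""
    return 10 ** (-loss_db_per_km * distance_km / 10)


def direct_wait_seconds(distance_km, rate_hz=SOURCE_RATE_HZ):
    """Expected time until one photon arrives when sent end to end without repeaters."""
    return 1.0 / (rate_hz * transmittance(distance_km))


def segment_wait_seconds(distance_km, segments, rate_hz=SOURCE_RATE_HZ):
    """Expected time until one photon crosses a single segment of a repeater chain.

    Crude model: the link is cut into equal segments, each segment is heralded
    independently, and the repeater stores its result while other segments are
    still being attempted. Loss is then paid per segment rather than end to end,
    so the waiting time grows polynomially instead of exponentially with distance.
    Memory lifetime, entanglement-swapping success and detector efficiency are ignored.
    """
    return 1.0 / (rate_hz * transmittance(distance_km / segments))


def years(seconds):
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    for d in (100, 500, 1000):
        print(f"{d:5d} km direct: eta={transmittance(d):.1e}, "
              f"wait={years(direct_wait_seconds(d)):.2e} years")
    print(f"1000 km in 10 segments: per-segment wait {segment_wait_seconds(1000, 10):.1e} s")
```

With these parameters 100 km costs 1e-8 s per received photon, 500 km about one second, and 1000 km about 1e10 s, on the order of three centuries; the same 1000 km split into ten 100 km segments brings each segment back to the 1e-8 s regime, which is the whole point of a repeater.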

Until now, all proposals for quantum repeaters have required quantum matter memories in the various relay nodes and an interface between “flying qubits” (usually photons) and those matter quantum memories. Both requirements, good matter quantum memories and an efficient interface between flying qubits and stationary matter quantum memories, are rather demanding.

Our new proposal, all photonics quantum repeaters, is different. It completely removes the above two requirements. Instead, our proposal relies on the creation and distribution of highly entangled cluster states between relay nodes. For the first time, it is conceptually possible to achieve long-distance quantum communication with only photons.

Current challenges

A theoretical challenge is to simplify the design and codes used in the cluster states for all photonics quantum repeaters. Currently, the number of photons needed is very big (e.g., billions). We suspect that some optimizations can be performed to cut the numbers dramatically.

An experimental challenge is to provide a proof-of-principle demonstration of the idea of all photonics quantum repeaters. Such a demonstration will show that the idea is not that far-fetched and will stimulate further research.

In the longer term, there is a lot of interest in developing single-photon sources. Single-photon sources are useful for applications such as linear optics quantum computing. While they are not strictly necessary for QKD, they can enhance the key rate of QKD.

An ideal single-photon source is an on-demand one, i.e., whenever one pushes a button, one photon comes out. Currently, for QKD, we often use instead an attenuated laser pulse, which gives a Poissonian distribution in photon numbers. Therefore, there is a non-zero probability of getting more than one photon. Single-photon sources will be needed to make all photonics quantum repeaters practical.
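The multi-photon probability of an attenuated laser is easy to quantify, and the following added example (written for this page, not the author's code) does so. It evaluates the Poisson photon-number distribution for a given mean photon number mu, the fraction of non-empty pulses that contain more than one photon, and the largest mu that keeps that fraction under a target; the target value in the usage is a choice of the example. It shows the trade-off a weak-coherent-pulse QKD source faces: lowering mu suppresses multi-photon pulses, but also the single-photon probability and hence the key rate, which is why decoy-state techniques (mentioned earlier on this page) are used to bound the multi-photon contribution instead of driving mu to zero.

```python
import math


def photon_number_pmf(mu, n):
    """Poisson probability that an attenuated laser pulse with mean photon number
    mu contains exactly n photons."""
    return math.exp(-mu) * mu ** n / math.factorial(n)


def single_photon_probability(mu):
    """P(n == 1): the pulses a QKD protocol actually wants (largest at mu = 1)."""
    return photon_number_pmf(mu, 1)


def multiphoton_probability(mu):
    """P(n >= 2): pulses carrying more than one photon, which an ideal
    on-demand single-photon source never emits."""
    return 1.0 - math.exp(-mu) * (1.0 + mu)


def multiphoton_fraction(mu):
    """P(n >= 2 | n >= 1): share of the non-empty pulses that are multi-photon."""
    return multiphoton_probability(mu) / (1.0 - math.exp(-mu))


def max_mu_for_multiphoton_fraction(target, lo=1e-9, hi=10.0, tol=1e-12):
    """Largest mean photon number whose multi-photon fraction stays below target.
    Bisection is valid because the fraction increases monotonically with mu."""
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if multiphoton_fraction(mid) < target:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    for mu in (0.1, 0.5, 1.0):
        print(f"mu={mu}: P(1)={single_photon_probability(mu):.4f} "
              f"P(>=2)={multiphoton_probability(mu):.4f} "
              f"P(>=2|>=1)={multiphoton_fraction(mu):.4f}")
    print(f"mu keeping multi-photon fraction under 5%: "
          f"{max_mu_for_multiphoton_fraction(0.05):.4f}")
```

At mu = 0.1 roughly one non-empty pulse in twenty carries two or more photons, while at mu = 1, where the single-photon probability peaks, it is more than two in five.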

Future of the field

We hope that our work will stimulate interest in the research of single-photon sources. In recent years, there has already been a lot of progress in the development of high-efficiency single-photon detectors. Now, we think single-photon *sources* will be the next big thing. With both good sources and detectors, we are moving closer to the development of all photonics quantum repeaters and also linear optics quantum computer proposals by KLM (Knill, Laflamme, and Milburn).

Will photons ultimately win the race toward large-scale quantum computers? This is the big question. We do not claim to know the answer ourselves.

Professor, Center for Quantum Information and Quantum Control, Department of Electrical and Computer Engineering & Department of Physics, University of Toronto