BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion How to increase BB84 Robustness through Continuous Variable Methods arXiv:0907.2897 Fabio Grazioso Frédéric Grosshans Lab. Photonique Quantique et Moléculaire, CNRS / ENS Cachan, September 26, 2011 BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion 1 The BB84 protocol and Photon Number Splitting attacks 2 SARG04 Protocol 3 Interlude : Continuous variables QKD from last century 4 Sifting-less 4-States Protocol 5 Sifting-less m-States Protocol 6 Decoy States 7 Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion Motivation The most common QKD experiment is BB84 with weak coherent pulse. What is the longest secret key one can extract from such an experiment ? BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion 1 The BB84 protocol and Photon Number Splitting attacks 2 SARG04 Protocol 3 Interlude : Continuous variables QKD from last century 4 Sifting-less 4-States Protocol 5 Sifting-less m-States Protocol 6 Decoy States 7 Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States BB84 protocol with perfect single photons Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States BB84 protocol with perfect single photons 1 Alice send one state at random Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States BB84 protocol with perfect single photons 1 Alice send one state at random 2 Bob measure in a random basis Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion BB84 protocol with perfect single photons 1 Alice send one state at random 2 Bob measure in a random basis 3 Alice and Bob compare their bases. They keep the good data (as here) BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion BB84 protocol with perfect single photons 1 Alice send one state at random 2 Bob measure in a random basis 3 Alice and Bob compare their bases. They keep the good data and discard the bad one (as here). BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion BB84 protocol with perfect single photons 1 Alice send one state at random 2 Bob measure in a random basis 3 Alice and Bob compare their bases. They keep the good data and discard the bad one (as here). Security Nonorthogonal states ⇒ spying induces errors E No error ⇒ No spying BB84&PNS SARG CV history 4-States m-States Decoy States Photon Number Splitting Attack Sometime, Alice sends 2 photons (or more) Eve can have the full information on 2-photon pulses Blocked 2 Photons Transmied to Bob Y₁ Transmied to Bob Y₂ Stored by Eve measured later Received by Bob Sent by Alice 1 Photon Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion Strategies against PNS Attacks Single Photon Source or entanglement based system Decoy States Protocols Using brighter states to detect the the attack PNS-robust protocols SARG04 or this work What is the most robust protocol ? What is the price to pay ? BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion 1 The BB84 protocol and Photon Number Splitting attacks 2 SARG04 Protocol 3 Interlude : Continuous variables QKD from last century 4 Sifting-less 4-States Protocol 5 Sifting-less m-States Protocol 6 Decoy States 7 Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion SARG04 Physical protocol = BB84 but Alice and Bob do not reveal their bases, but instead Alice gives a set of two adjacent states Bob says wether or his measurement was ambiguous or not. BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion SARG04 Physical protocol = BB84 but Alice and Bob do not reveal their bases, but instead 1/2 1/4 1/4 Alice gives a set of two adjacent states Bob says wether or his measurement was ambiguous or not. 0 The sifting rate is 1 4 instead of 1 2 BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion SARG04 Physical protocol = BB84 but Alice and Bob do not reveal their bases, but instead 1/4 0 1/2 Alice gives a set of two adjacent states Bob says wether or his measurement was ambiguous or not. 1/4 The sifting rate is 1 4 instead of 1 2 BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion SARG’s security PNS Attacks : Eve now has to distinguish between non-orthogonal states ⇒ she only gets partial information on 2-photons. BB84&PNS SARG CV history 4-States Decoy States m-States Conclusion SARG’s security PNS Attacks : Eve now has to distinguish between non-orthogonal states ⇒ she only gets partial information on 2-photons. 3-photons : IRUD Attack Intercept-Resend Unambigous Discrimination |k, 3i = ⊗3 + ik |1i) √ √ 00 + 3ik 10 + 3i2k 20 + i3k 30 √1 (|0i 2 3 = 2− 2 Unambiguous discrimination with P(UD) = 1 2 BB84&PNS SARG CV history 4-States m-States Decoy States SARG Security II IRUD attack kills SARG when P(n = 3) · P(UD) ≥ P(Received) µ3 1 ≥ Tµ 3! 2 µ2 ≥T 12 In general, the optimal attack is a combination of IRUD and PNS Conclusion BB84&PNS SARG CV history 4-States m-States SARG04 vs BB84 2 identical set-ups but different rates. At fixed µ, the best one depends of T Decoy States Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion 1 The BB84 protocol and Photon Number Splitting attacks 2 SARG04 Protocol 3 Interlude : Continuous variables QKD from last century 4 Sifting-less 4-States Protocol 5 Sifting-less m-States Protocol 6 Decoy States 7 Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States XXth century CVQKD At the end of XXth century it was obvious that a generalization of QKD to continuous variables could be interesting. Problem : discrete bits , continuous variable Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States XXth century CVQKD At the end of XXth century it was obvious that a generalization of QKD to continuous variables could be interesting. Problem : discrete bits , continuous variable Adapting BB84? Mark Hillery, “Quantum Cryptography with Squeezed States”, arXiv:quant-ph/9909006/PRA 61 022309 Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States XXth century CVQKD At the end of XXth century it was obvious that a generalization of QKD to continuous variables could be interesting. Problem : discrete bits , continuous variable Natural modulation + information theory! Nicolas J. Cerf, Marc Lévy, Gilles Van Assche : “Quantum distribution of Gaussian keys using squeezed states”, arXiv:quant-ph/0008058/PRL 63 052311 Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Analogy with discrete QKD Quite frequent discussion with discrete quantum cryptographers : DQC : How do you encode a 0 or a 1 in CVQKD? Me : I don’t care, C. E. Shannon tells me “∀ε > 0, ∃ code of rate I − ε.” Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion Analogy with discrete QKD Quite frequent discussion with discrete quantum cryptographers : DQC : How do you encode a 0 or a 1 in CVQKD? Me : Gilles/Jérôme/Anthony/Sébastien developed a really efficient code. Only he knows how it works. BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion Analogy with discrete QKD Quite frequent discussion with discrete quantum cryptographers : DQC : How do you encode a 0 or a 1 in CVQKD? Me : Gilles/Jérôme/Anthony/Sébastien developed a really efficient code. Only he knows how it works. Let’s do the same with BB84 ! BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion 1 The BB84 protocol and Photon Number Splitting attacks 2 SARG04 Protocol 3 Interlude : Continuous variables QKD from last century 4 Sifting-less 4-States Protocol 5 Sifting-less m-States Protocol 6 Decoy States 7 Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion What happens without sifting ? 1/2 I(X : Y) = 0.5 bits = BB84 1/4 1/4 0 Same IRUD attack on 3 photon pulses than SARG04 2-photon pulses : χ(Y : E) = 0.1887 bits < SARG04 BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion How to do it ? 1/2 Bob tells his measurement basis to Alice 1/4 1/4 Bob gives the syndrome of a rate 21 erasure correcting code Alice does NOT tell her basis. 0 The key is Bob’s data. BB84&PNS SARG CV history 4-States m-States Decoy States Suppose Alice only sends 2-photon pulses. Alice knows where the error can be. Eve doesn’t. Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Suppose Alice only sends 2-photon pulses. Alice knows where the error can be. Eve doesn’t. Textual analogy Can you read “NNTERLEREJCKS” ? Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Suppose Alice only sends 2-photon pulses. Alice knows where the error can be. Eve doesn’t. Textual analogy Can you read “NNTERLEREJCKS” ? Can you read “.NTER.ERE.C.S” ? Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Suppose Alice only sends 2-photon pulses. Alice knows where the error can be. Eve doesn’t. Textual analogy Can you read “NNTERLEREJCKS” ? Can you read “.NTER.ERE.C.S” ? You can read “INTERFERENCES” Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Suppose Alice only sends 2-photon pulses. Alice knows where the error can be. Eve doesn’t. More formally I(Y : X) = 1 2 log 2 (erasure rate 12 ) χ(Y : E) = log 2 − h( 41 ) = .1887 bits (error rate 41 ) Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Suppose Alice only sends 2-photon pulses. Alice knows where the error can be. Eve doesn’t. More formally I(Y : X) = 1 2 log 2 (erasure rate 12 ) χ(Y : E) = log 2 − h( 41 ) = .1887 bits (error rate 41 ) K←|n=2 = I(Y : X) − χ(Y : E) = .3113 bits Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States When n > 2 m=4 key rate contribution of n-photon pulses - K˜ n (Tn ) 0.5 0.4 n=1 n=2 n=3 n=4 n=1 n=5 n=6 n=7 n=2 0.3 n=3 0.2 0.1 0.0 0.0 0.2 0.4 0.6 0.8 transmission for n-photon pulses - Tn 1.0 n=4 n=5 n=6 n=7 Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion 1 The BB84 protocol and Photon Number Splitting attacks 2 SARG04 Protocol 3 Interlude : Continuous variables QKD from last century 4 Sifting-less 4-States Protocol 5 Sifting-less m-States Protocol 6 Decoy States 7 Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion Basic Idea We can do better with m states Idea from m-SARG, where i⊗n h 2ikπ n |k, m, ni := 2− 2 |0i + e m |1i ⇒ IRUD on m − 1-photon pulses P(l|k) = 1 m (1 − cos l−k m 2π) ⇒ Rate ∝ 1 m3 BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion Basic Idea We can do better with m states Idea from m-SARG, where i⊗n h 2ikπ n |k, m, ni := 2− 2 |0i + e m |1i ⇒ IRUD on m − 1-photon pulses P(l|k) = 1 m (1 − cos l−k m 2π) ⇒ Rate ∝ For us: m−1 2kπ 1 X 2kπ I(X:Y) = (1 − cos ) log(1 − cos ) m m m k=0 I(X:Y|m = 3) = 0.5850 bits and I(X:Y|m → ∞) = 0.4427 bits The “raw rate” is almost m-independent. 1 m3 BB84&PNS SARG CV history 4-States m-States Rates with µ = 0.1 laser pulses Decoy States Conclusion BB84&PNS SARG CV history 4-States Decoy States m-States Conclusion Rates with optimized µ 2 0 Allows a rate Kopt ' Km−1 m−1 2·m−2! m 1 m−2 1 T1+ m−2 0.25T² 0.415T³/² 0.126T³/² 0.293T¹⁵/¹⁴ 0.022T¹⁵/¹⁴ 0.5T BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion 1 The BB84 protocol and Photon Number Splitting attacks 2 SARG04 Protocol 3 Interlude : Continuous variables QKD from last century 4 Sifting-less 4-States Protocol 5 Sifting-less m-States Protocol 6 Decoy States 7 Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Decoy states A “few” decoy states + numerics ⇒ Tn known ∀n BB84 K = T1 P1 log 2 2 = Tµe−µ Optimal for µ = 1, K log 2 2 T log 2 = 2e = .1839T bits Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Decoy states A “few” decoy states + numerics ⇒ Tn known ∀n m-states When T < min(P(UD|n)) = m21−m , K= ' m−2 X n=1 m−2 X Pn Tn Kn = m−2 X Pn (1 − (1 − T)n )Kn n=1 Pn TnKn n=1 For m = 4 1K1 = .5 bits, 2K2 = .6226 bits. µopt ∼ 1.5, Key rate increased to 0.3237T i.e. +75.96% Conclusion BB84&PNS SARG CV history Key rates /T 4-States m-States Decoy States Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion 1 The BB84 protocol and Photon Number Splitting attacks 2 SARG04 Protocol 3 Interlude : Continuous variables QKD from last century 4 Sifting-less 4-States Protocol 5 Sifting-less m-States Protocol 6 Decoy States 7 Conclusion BB84&PNS SARG CV history 4-States m-States Conclusion and Outlook Sifting-less protocols are clearly better Are they optimal ? Decoy States Conclusion BB84&PNS SARG CV history 4-States m-States Conclusion and Outlook Sifting-less protocols are clearly better Are they optimal ? Missing for practical applications : Effect of errors; Relevant correcting codes. Decoy States Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion and Outlook Sifting-less protocols are clearly better Are they optimal ? Missing for practical applications : Effect of errors; Relevant correcting codes. Protocol variants : (usual) 6-states, ‘spheric’, QPSK, COW, . . . Combination with subpoissonian sources; asymmetric variants. Conclusion BB84&PNS SARG CV history 4-States m-States Decoy States Conclusion and Outlook Sifting-less protocols are clearly better Are they optimal ? Missing for practical applications : Effect of errors; Relevant correcting codes. Protocol variants : (usual) 6-states, ‘spheric’, QPSK, COW, . . . Combination with subpoissonian sources; asymmetric variants. Sponsors: ANR Prospiq, ANR/NSERC Frequency, EU STREP Equind, EU ERANET Nedqit arXiv:0907.2897 Conclusion

© Copyright 2020