150 likes | 172 Views
Explore the principles and applications of Quantum Key Distribution (QKD) against potential threats, focusing on security through observed data only, without assumptions on implementation. Includes Bell inequality violation, protocols, attacks, and key rate calculations.
E N D
Device-Independent Security of Quantum Key Distribution A. Acín, Stefano Pironio (ICFO, Barcelona) N. Brunner, N. Gisin (Geneva) S. Massar (Brussels) V. Scarani (Singapore) QIP 2008, New Delhi, December 2008
Introduction: How QKD works X Y a b BOB ALICE ? Eve holds a purification of the state Repeat protocol n times + public communication: estimate P(ab|XY) Principle of QKD: P(a,b|x,y) bound on Eve’s information.
Introduction: Devices and security 4 4 C C 2 2 C C ¾ ¾ x z ; Observed data in BB84 (ideal case): a,b,X,Y in {0,1} P(00|X = Y) = P(11|X = Y) = 1/2 P(a,b|X ≠ Y) = ¼ ... but these correlations can be distributed - with classical random variables: Security in BB84 = observed data + Knowledge of devices Hilbert space = Measurements = No security ! - or separable states in [Magniez, Mayers, Mosca, Ollivier 05] [Acín, Gisin, Masanes 06]
Our scenario X Y a b BOB ALICE ? ? ? • Aim: Prove security using observed data P(ab|XY) only • knowing that P(ab|XY) originates from a quantum process • but without assuming anything about its actual implementation: Hilbert space dimension? Measurements performed? ...
Our scenario: Assumptions BOB ALICE blue = trusted red = untrusted Y X ? ? ? Eve holds a purification of the state and controls the devices b a • Secure labs: no unwanted information must leak out of Alice and Bob’s labs • Trusted classical devices: e.g., RNG used to choose measurements, computers used to process raw data, etc • Quantum theory: Eve obeys the laws of quantum physics
Our scenario: Motivation • Fundamental: base QKD on minimal set of assumptions • Side-channels: information leaked in other part of the spectrum, number of photons not controled, etc. • Q devices may be untrusted: for instance, if provided by a malevolent party
Requirement for security: Bell inequality violation ( j ) P ( ) ( [ ] ) ( [ ] ) b ¸ ± ¸ ± b b ¸ P X Y P X Y ¡ ¡ a a a = ¸ ; ; A necessary condition for security is that the observed data P(ab|XY)violate a Bell inequality • If the data admit a local model: a perfect copy of the local instructions λ can go to Eve [Ekert 91] [Barrett et al 05], [Masanes Winter 06], [Acín Massar Pironio 06], ... QKD against NS Eve • If the correlations do not violate any Bell inequality, they can bereproduced by measuring a separable state. Bell inequalities are the only entanglement witnesses that areindependent of the Hilbert space dimension
The protocol X Y a b BOB ALICE ? ? ? • Alice has 3 choices of measurements X0,X1,X2 with outcomes a0,a1,a2 in {0,1} • Bob has 2 choices of measurements Y0,Y1 with outcomes b0,b1 in {0,1} • Raw key= (a2,b0) in particular QBER = Prob(a2≠ b0) • Eve’s information estimated from CHSH: • C=<a0b0> + <a0b1> + <a1b0> - <a1b1>
Security: Collective attacks n n 1 H H H ( ) ( ) P ( ) B E S S ¡ ( ) d E H j i j i i n  : ½ ½ à ª µ ¶ = j A B E b E p m b 0 1 2 = 0 A B E ( = ) 2 = C 1 2 1 0 + ¡ A B E ; ( ) h B E ·  : 2 Our result: • Let n be the number of bits of the raw key. We assume that • Alice, Bob, Eve share a state in • The measurement Mk yielding the kth outcome of Alice is a function of Alice’s setting only: Mk = M(X); and similarly for Bob • Remark: and M(X) chosen by Eve • Key rate • [Devetak Winter 04]: r ≥ I(A:B) – χ(B:E) • I(A:B) = 1 – h(Q) is the mutual information between A and B • is the Holevo information between Bob and Eve
Attack that saturates the bond E d A l d B b h b i i t t t t t t ² v e s e n s o c e a n o e w o q u s a e S S 1 1 + ¡ + + ¡ ¡ j i h j j i h j Á Á Á Á + ½ = 2 2 p ( = ) 2 h S C 2 1 ¡ w e r e = d h d f l l i t t ² a n p r e p a r e s e m e a s u r e m e n e v c e s a s o o w s : S 1 X Y + ¾ ¾ ¾ = = 0 0 p p z x z 2 2 S S 1 1 + + S 1 X Y ¡ ¾ ¾ ¾ = = 1 1 p z p x x 2 2 S S 1 1 + + ( h b Y i Q 1 2 ¡ t w p r o ¾ = 0 z X = 2 d h b i Q 2 t r a n o m w p r o Difference with usual QKD: settings depends on the parameters QBER and CHSH
Security bound Example: correlations s.t. C = 2√2(1-2Q) (arise from the state |Φ+> after going through a depolarizing channel with the measurements maximizing CHSH) usual scenario “singlet” device-independent scenario CHSH = 2√2
Basic idea of the security proof Objective: maximize χ(B:E) over all states and measurements {X0,X1,Y0,Y1} (defined in Hilbert space of arbitrary dimension) that yield a given violation C of CHSH P c X Y Y X A B c c c c c c ½ ½ ½ p ½ = A B A A B B j j i i c c Step 1: Can show that it is not restrictive to suppose that Eve sends to Alice and Bob a mixture of two-qubit states, together with a classica ancilla c (known to her) that determines the measurements and used on Step 2: Exploiting symmetry + freedom in the labeling, each state can be taken to be a Bell-diagonal state and the measurements and to be measurements in the (x,z) plane. Step 3: Given the above simplification, the maximization of χ(B:E) can be carried out j i à A B E
Towards security against general attacks ( j j j j ) i i i i j j i i à à à à M M M M ª ª M M M s A A A A B B B B E E E E A A B B E E 1 : : : : : : : : : : : : : : : ( ) M s ; s o 2 1 1 ; ( ) M 1 s ; s o s o 3 2 2 1 ; ; ; . . . Usual QKD Collective attacks General attacks state: measurements: de Finetti theorem [Renner 05] Device-independent QKD Collective attacks General attacks state: measurements: ? de Finetti theorem ? ? Other proof ?
Loopholes in Bell tests • Our security is based on violation of Bell inequality, but up to now, all Bell tests • suffer from one of two loopholes: • Locality loophole: requirement that measurements of Alice and Bob be space-like separated.Not a problem here: we assume that no information can leak out of Alice and Bob’s labs • Detection loophole: detector effiency should be above a given threshold. If not, a local classical model is possible, with the detection event depending on which measurement is made.Need to be closed in a truly device-independent scenario, since Eve controls the measurement devices! Can still be useful against side-channels! Dev-ind QKD Usual QKD Eve does not control devices Eve controls all devices Eve controls devices, but detectors which are trusted
SUMMARY • Usual QKD security scenario: assume knowledge of Hilbert space and measurements; devices are under control • Device-independent security can be defined, based on the violation of a Bell inequality • We have proved security against collective attaks • arXiv:quant-ph/0702152