Security and implementation of differential phase … zThe BB84 quantum key distribution protocol...

Security and implementation of differential phase shift quantum key distribution systems

Eleni Diamanti

University Ph.D. Oral Examination

June 1st, 2006

Classical cryptography

cryptography = κρυπτός + γράφω = write secretly

Ancient GreeceScytale

World War IIEnigma

Today computational security

e.g. computational difficulty of factoring large integers

Unconditional security – One time padAlice Bob

Eve

01011100 message M11001010 key K10010110 cryptogram S = M⊕K

cryptogram S 10010110key K 11001010message M = S⊕K 01011100

cryptogram 10010110

Quantum cryptography

Quantum cryptography relies on fundamental laws of quantum mechanics to solve the key distribution problem → Quantum Key Distribution (QKD)

Information is encoded in quantum bits (qubits) → vector in a twodimensional Hilbert space:

Photons are ideal qubits for QKD because they can be transmitted over long distances in optical fibers

Public channel

Quantum channel

01110010

InformationError

0 1ψ α β= +

Limitations in quantum cryptography

First proposal of using the quantum properties of light by Bennett and Brassard in 1984 → BB84 QKD protocol

First demonstration of a quantum cryptography system in 1992, information was transmitted over 32 cm of free space

Performance of current fiber-optic QKD systems is mainly limited by two factors:

Vulnerability of QKD protocols to powerful eavesdropping attacks, when classical light from a laser is used instead of non-classical light from a single-photon sourceSingle-photon detectors → communication rate remains very low, communication distance is limited to a few tens of kilometers

ChallengeInvent ways of extending the distance and increasing the speed of QKD systems

Outline

The BB84 quantum key distribution protocol

Differential phase shift quantum key distribution (DPS-QKD)

The up-conversion single-photon detector

Implementation of a 1 GHz DPS-QKD system


Conclusion – Future directions

The BB84 QKD protocol

Quantum transmissionInformation is encoded in two non-orthogonal basesRaw key generation rate:

raw ( 4 )R T dν μ= +

Single-photon source

Electro-optic modulator

V 45+H 45−

Alice Quantum channel

50/50 BS

Single-photon detectors

Bob

PBS

basis,H V

45 , 45+ − basis

0 1 0 1

Repetition rate Transmission efficiency( ) /1010 rL LT αη − +=

Dark counts per clock cycle

Average photon number per pulse

SiftingAlice and Bob discard the bits for which they chose a different basisSifted key generation rate:

If the transmission is error-free, sifted key is unconditionally secure, any eavesdropping will unavoidably cause errorsBut all practical systems have errors…

Sifting and error correction

sifted raw1 1 ( 4 )2 2

R R T dν μ= = +

Error correctionAlice provides Bob with additional information about the key to correct errors, e.g. parity check by segmentLeakage of additional information to Eve → need algorithm to minimize number of revealed bits

[ ]2 2lim ( ) log (1 ) log (1 )n f e e e e enκ

→∞ = − + − −Length of sifted key

Length of error correction string

Shannon’s noiseless coding theorem

Efficiency of error correction algorithm

Privacy amplification

[ ]{ }secure sifted 2 2( ) log (1 ) log (1 )R R f e e e e eτ= + + − −

22

1log 2 22

e eτ ⎛ ⎞= − + −⎜ ⎟⎝ ⎠

Privacy amplificationKey information has leaked to Eve

Innocent error rate due to system imperfectionsError correction

We need to compress key so that Eve’s information becomes exponentially small, e.g. randomly choose two bits and calculate XOR → secure keyGeneralized privacy amplification theory:

Eve uses innocent system error rate to obtain key information by general quantum measurements on individual single photons →shrinking factor calculated from security proof:

Photon number splitting attacks in BB84

Alice

Eve

BobQND photon number measurement

Quantum memory

Lossless channel

Delayed measurement

For multi-photon states, Eve learns bit information without causing any error

As the channel loss increases she blocks more and more single-photon states

Modified shrinking factor:

2 20

21log 2 22

ee e TT

μ μτ β ββ β μ

=⎡ ⎤⎛ ⎞ −

= − + − ⎯⎯→ =⎢ ⎥⎜ ⎟⎝ ⎠⎢ ⎥⎣ ⎦

Fraction of single-photon states

Poisson source

Secure key distribution distance for BB84

2poissonR Tμ μ−∼

idealR T∼

2opt poissonT R Tμ →∼ ∼

For e ~ 0, d ~ 0:

Quadratic decrease with channel transmission

Linear decrease with channel transmission

BB84 with Poisson source is vulnerable to photon number splitting attacks

Outline








Sifted key generation rate:

sifted raw ( 2 )R R T dν μ= = +

Coherent light source

Alice Quantum channel

DET1 (0)

Bob

PMATT0 0 0π(0,π)

Δt

Δt

DET2 (1)

BS BS

1 21 1 2 ... ...n Ni ii ie e e n e NN

φ φφ φψ ⎡ ⎤= + + + + +⎣ ⎦

Principle of security → non-deterministic collapse of a wavefunction in a quantum measurement

Detection event occurs at a time instance randomly and reveals phase difference Δφn=φn+1-φn

n

Beamsplitter attack

One beam with average photon number N μT is sent to Bob, another with average photon number N μ(1-T ) is used by Eve

Each photon in Eve’s wavefunction is detected randomly at one of N time instances → probability that she obtains the value of a bit at a certain time given that Bob detected a photon at that time is 2μ(1-T )

She obtains complete bit information for a fraction 2μ(1-T ) of bits without causing any error

Alice

Eve

Bob

Quantum memory

Lossless channel

T

Optical switch

Intercept and resend attack

Induces 25 % error rateIf innocent system error rate is e, Eve can attack 4e bits → she obtains complete bit information for a fraction 2e of bits

1 2 (1 ) 2T eτ μ= − − −

Alice

Eve

Single-photon source Bob

X

X

[ ]{ }secure sifted 2 2( ) log (1 ) log (1 )R R f e e e e eτ= + + − −

Hybrid beamsplitter + intercept and resend attack: Eve does not have bit information for a fraction 1-2μ(1-T )-2e of bits →

General individual attacks

Eavesdropping strategy:

Photon number splitting attack: QND measurement on total photon number in wavefunction, Eve sends N μT photons to Bob and keeps N μ(1-T ) photons, which are stored and measured individually → equivalent to beamsplitter attack

Optimal measurement on individual single photons, which spread over many pulses with a fixed phase modulation pattern in DPS-QKD

Privacy amplification shrinking factor becomes:

[ ]2

022

(1 6 )1 2 (1 ) log 1 1 2 (1 )2

eeT e Tτ μ μ=⎡ ⎤−= − − − − − ⎯⎯→ − −⎢ ⎥

⎣ ⎦

Secure key distribution distance for DPS-QKD

DPS

opt DPS

(1 2 )( )

R Tf T R Tμ μ

μ−

≠ →∼

∼

Linear decrease with channel transmission →illustrates robustness to photon number splitting attacks

For e ~ 0, d ~ 0:

Performance determined by robustness to photon number splitting attacks, which is accounted for in both analyses.

DPS-QKD uses a Poisson source and is robust to photon number splitting attacks

Outline


Differential phase shift quantum key distribution





Current single-photon detectors

Small → non-gated modeLarge → gated modeAfterpulse effects

～50 counts/s～104 counts/sDark count rate

～70 %～10 %Quantum efficiency

500-900 nm1300-1600 nmWavelength

Si APDInGaAs/InP APD

Gate width (~1 ns)

Gate period 1/fg (~1 μs)

No probability of detection

Dead time td (~50 ns)

All pulses are possibly detected

sifted gated gR f Tμ= sifted non-gateddTtR Te νμνμ −=


1.5 μm single-photon signal

1.3 μm strong pump

700 nm single-photon idler Si APD

ωpump

ωsignal

ωSFG

Sum frequency generation

ωpump + ωsignal = ωSFG

Periodically poled lithium niobate (PPLN) waveguide

bulk waveguide

Birefrigent phase-matching:kpump + ksignal = kSFG

Quasi-phase-matching (QPM):kpump + ksignal + K = kSFG , |K| = 2π/Λ

QPM can be achieved for any desired interaction using nonlinear coefficients that couple waves of same polarization, which may be stronger →very efficient nonlinear interactions

Tight confinement of interacting fields in entire crystal → higher signal conversion efficiency

1.55 μm single-photon detection experimental setup

1.32 μmpump source

30 dB isolator VATT

20 dB splitter

99%

Polarization controller

1%Power monitor 1310/1550

WDM

Fixed attenuators

20 dB splitter

Power monitor

99%

1%VATT

1.55 μmsignal source

Temperature-controlled oven

Fiber-coupled PPLN waveguide

Lens SHG Filter Dichroic

BS

PrismLens Si APD

Mirror


Pump, signal

Quantum efficiency

signal SFGint ernal in out collection Si APD

LT e T Tαη η η−=

( )2SFGint ernal nor

signal

( ) sin(0)

N L pLN

η η= =

Coupled mode theory for three-wave interactions in a waveguide with undepleted pump and lossless propagation:

99.9 % signal conversion efficiency in waveguide with ~100 mW of coupled pump powerreduced to 83 % due to propagation lossesreduced to 65 % due to input coupling, output coupling, fiber pigtail, reflection, and collection setup losses46 % overall quantum efficiency

Dark counts

8×105 dark counts/s at maximum quantum efficiency pointDark counts are not determined by Si APD but by a parasitic nonlinear process, which strongly depends on pump power

Dark count origin

Spectral feature appears at SFG wavelength → noise photons at 1.55 μm are up-converted via SFG process

ωpump

ωStokes

ωphonon

ωanti-Stokes ωpump

ωphonon

Stokesanti-Stokes

Solution: use longer pump wavelength than signal wavelength

Possible source of noise photons: spontaneous Raman scattering in fiber and waveguide

8×105 dark counts/s

2×104 dark counts/s

Summary

DPS-QKD protocol simple system architecturerequires only practical, telecommunication components robust to photon number splitting attacks

Up-conversion detectorhigh efficiency (maximum 46 %) in the 1.5 μm telecommunication bandquantum efficiency and dark counts depend on pump power →convenient tuning tool for optimal operation regime depending on the applicationnon-gated mode operation with small dead time enables fast communication

Outline







1 GHz DPS-QKD experimental setup

1.55 μm cwlight source IM PM

(0,π)

15 GHz PPG

1 GHz DG

Clock source

20 dB splitter

1%Power monitor

99%VATT VATT


Optical fiber

1 ns

66 ps

Temperature-controlled PLC Mach-Zehnder

interferometer

1.55 μm up-conversion single-photon detectors

Time Interval Analyzer

Logic unit

START

STOP 1 ns

1 ns

Measurement time window

DET1

DET2

Insertion loss: 2.5 dB Extinction ratio: 20 dB


Experimental setup in the lab

Alice

Bob

Detector

Quantum channel

Detector timing jitter characteristics

Pulse broadening due to timing jitter of Si APD induces errors → apply measurement time window, which also reduces effective dark counts

66 ps pulses, 105 counts/s

FWHM: 75 ps

FWTM: 240 ps

We can use small measurement time window without significant degradation of the signal to noise ratio

Experimental results

( ) [ ]2

2secure sifted 2 2 2

1 6[1 2 (1 )]log 1 ( ) log (1 ) log (1 )

2e

R R T e f e e e e eμ⎧ ⎫⎡ ⎤−⎪ ⎪= − − − − − + + − −⎢ ⎥⎨ ⎬

⎢ ⎥⎪ ⎪⎣ ⎦⎩ ⎭

(b) η = 0.4 %D = 350 counts/stime window = 100 ps

→ d = 3.5×10-8

(a) 2 Mbit/s → 468 kbit/s @ 10 km(b) 166 bit/s @ 100 km

(a) η = 6 %D = 9.8×104 counts/stime window = 200 ps→ d = 1.95×10-5

0.20-0.22

(a) 2 Mbit/s → 468 kbit/s @ 10 km

Comparison with existing systems

Outline







10 GHz DPS-QKD experimental setup

1.55 μm, 10 GHzmode-locked laser PM

(0,π)

10 GHz PPG

Clock source

20 dB splitter

1%Power monitor

99%VATT VATT


Optical fiber

100 ps

10 ps

Temperature-controlled PLC Mach-Zehnder

interferometer

1.55 μm up-conversion single-photon detectors

Time Interval Analyzer

Logic unit

START

STOP 100 ps

100 ps

Measurement time window DET1

DET2

Insertion loss: 2.5 dB Extinction ratio: 19-20 dB

Detector timing jitter characteristics

10 ps pulses, 3×105 counts/s

FWHM: 30 ps

FWTM: 116 ps

Time (1 ns/div.)

Histogram of detected photons for fixed phase modulation pattern

Experimental results

Narrow pulse width and narrow FWHM → we can use very narrow measurement time window → extremely small contribution of dark counts to error rate

Also verified by independence of total bit error rate on fiber length

Error dominated by timing jitter, which is slightly higher for small fiber losses

Threshold error rate for secure communication against general individual attacks is 4.5 % → secure keys cannot be generated with ~10 % error rate

93.8

10.1

0.035

30

15.5

9.2

0.19

75

3.69267Sifted key generation rate (kbit/s)

9.710.9Bit error rate (%)

0.880.012Bit error rate due to dark counts (%)

10510Fiber length (km)

η = 0.27 %, D = 320 counts/s, time window = 10 ps → d = 3.2×10-9

Conclusion

We introduced and proved the security of the DPS-QKD protocolsimple system architecture, robust to photon number splitting attacks excellent candidate for long distance fiber-optic quantum cryptography systems

We demonstrated a fast and efficient single-photon detector in the 1.5 μm telecommunication band

We implemented a practical DPS-QKD system operating at 1 GHz2 Mbit/s sifted key generation rate over 10 kmdistribution of secure keys over 100 km of optical fiberhigh speed and long distance quantum cryptography possible with currently available technology

We implemented a DPS-QKD system operating at 10 GHzdid not yield secure keys due to high error rate, limited by the detector timing jitter

Future directions

Up-conversion detector improvements can lead to megahertz secure key generation rate and communication distance exceeding 250 km

Reduce dark countsImprove timing jitter characteristics of avalanche photodiodes

Superconducting single-photon detectors have very small dark counts and Gaussian responseEntanglement-based BBM92 can withstand larger channel losses

Quantum computation and quantum networking

Proof of unconditional security for DPS-QKD

Security and implementation of differential phase … zThe BB84 quantum key distribution protocol...

Documents

Transcript of Security and implementation of differential phase … zThe BB84 quantum key distribution protocol...