Security and implementation of differential phase shift quantum key distribution systems
Eleni Diamanti
University Ph.D. Oral Examination
June 1st, 2006
Classical cryptography
cryptography = κρυπτός + γράφω = write secretly
Ancient GreeceScytale
World War IIEnigma
Today computational security
e.g. computational difficulty of factoring large integers
Unconditional security – One time padAlice Bob
Eve
01011100 message M11001010 key K10010110 cryptogram S = M⊕K
cryptogram S 10010110key K 11001010message M = S⊕K 01011100
cryptogram 10010110
Quantum cryptography
Quantum cryptography relies on fundamental laws of quantum mechanics to solve the key distribution problem → Quantum Key Distribution (QKD)
Information is encoded in quantum bits (qubits) → vector in a twodimensional Hilbert space:
Photons are ideal qubits for QKD because they can be transmitted over long distances in optical fibers
Public channel
Quantum channel
01110010
InformationError
0 1ψ α β= +
Limitations in quantum cryptography
First proposal of using the quantum properties of light by Bennett and Brassard in 1984 → BB84 QKD protocol
First demonstration of a quantum cryptography system in 1992, information was transmitted over 32 cm of free space
Performance of current fiber-optic QKD systems is mainly limited by two factors:
Vulnerability of QKD protocols to powerful eavesdropping attacks, when classical light from a laser is used instead of non-classical light from a single-photon sourceSingle-photon detectors → communication rate remains very low, communication distance is limited to a few tens of kilometers
ChallengeInvent ways of extending the distance and increasing the speed of QKD systems
Outline
The BB84 quantum key distribution protocol
Differential phase shift quantum key distribution (DPS-QKD)
The up-conversion single-photon detector
Implementation of a 1 GHz DPS-QKD system
Implementation of a 10 GHz DPS-QKD system
Conclusion – Future directions
The BB84 QKD protocol
Quantum transmissionInformation is encoded in two non-orthogonal basesRaw key generation rate:
raw ( 4 )R T dν μ= +
Single-photon source
Electro-optic modulator
V 45+H 45−
Alice Quantum channel
50/50 BS
Single-photon detectors
Bob
PBS
basis,H V
45 , 45+ − basis
0 1 0 1
Repetition rate Transmission efficiency( ) /1010 rL LT αη − +=
Dark counts per clock cycle
Average photon number per pulse
SiftingAlice and Bob discard the bits for which they chose a different basisSifted key generation rate:
If the transmission is error-free, sifted key is unconditionally secure, any eavesdropping will unavoidably cause errorsBut all practical systems have errors…
Sifting and error correction
sifted raw1 1 ( 4 )2 2
R R T dν μ= = +
Error correctionAlice provides Bob with additional information about the key to correct errors, e.g. parity check by segmentLeakage of additional information to Eve → need algorithm to minimize number of revealed bits
[ ]2 2lim ( ) log (1 ) log (1 )n f e e e e enκ
→∞ = − + − −Length of sifted key
Length of error correction string
Shannon’s noiseless coding theorem
Efficiency of error correction algorithm
Privacy amplification
[ ]{ }secure sifted 2 2( ) log (1 ) log (1 )R R f e e e e eτ= + + − −
22
1log 2 22
e eτ ⎛ ⎞= − + −⎜ ⎟⎝ ⎠
Privacy amplificationKey information has leaked to Eve
Innocent error rate due to system imperfectionsError correction
We need to compress key so that Eve’s information becomes exponentially small, e.g. randomly choose two bits and calculate XOR → secure keyGeneralized privacy amplification theory:
Eve uses innocent system error rate to obtain key information by general quantum measurements on individual single photons →shrinking factor calculated from security proof:
Photon number splitting attacks in BB84
Alice
Eve
BobQND photon number measurement
Quantum memory
Lossless channel
Delayed measurement
For multi-photon states, Eve learns bit information without causing any error
As the channel loss increases she blocks more and more single-photon states
Modified shrinking factor:
2 20
21log 2 22
ee e TT
μ μτ β ββ β μ
=⎡ ⎤⎛ ⎞ −
= − + − ⎯⎯→ =⎢ ⎥⎜ ⎟⎝ ⎠⎢ ⎥⎣ ⎦
Fraction of single-photon states
Poisson source
Secure key distribution distance for BB84
2poissonR Tμ μ−∼
idealR T∼
2opt poissonT R Tμ →∼ ∼
For e ~ 0, d ~ 0:
Quadratic decrease with channel transmission
Linear decrease with channel transmission
BB84 with Poisson source is vulnerable to photon number splitting attacks
Outline
The BB84 quantum key distribution protocol
Differential phase shift quantum key distribution (DPS-QKD)
The up-conversion single-photon detector
Implementation of a 1 GHz DPS-QKD system
Implementation of a 10 GHz DPS-QKD system
Conclusion – Future directions
Differential phase shift quantum key distribution (DPS-QKD)
Sifted key generation rate:
sifted raw ( 2 )R R T dν μ= = +
Coherent light source
Alice Quantum channel
DET1 (0)
Bob
PMATT0 0 0π(0,π)
Δt
Δt
DET2 (1)
BS BS
1 21 1 2 ... ...n Ni ii ie e e n e NN
φ φφ φψ ⎡ ⎤= + + + + +⎣ ⎦
Principle of security → non-deterministic collapse of a wavefunction in a quantum measurement
Detection event occurs at a time instance randomly and reveals phase difference Δφn=φn+1-φn
n
Beamsplitter attack
One beam with average photon number N μT is sent to Bob, another with average photon number N μ(1-T ) is used by Eve
Each photon in Eve’s wavefunction is detected randomly at one of N time instances → probability that she obtains the value of a bit at a certain time given that Bob detected a photon at that time is 2μ(1-T )
She obtains complete bit information for a fraction 2μ(1-T ) of bits without causing any error
Alice
Eve
Bob
Quantum memory
Lossless channel
T
Optical switch
Intercept and resend attack
Induces 25 % error rateIf innocent system error rate is e, Eve can attack 4e bits → she obtains complete bit information for a fraction 2e of bits
1 2 (1 ) 2T eτ μ= − − −
Alice
Eve
Single-photon source Bob
X
X
[ ]{ }secure sifted 2 2( ) log (1 ) log (1 )R R f e e e e eτ= + + − −
Hybrid beamsplitter + intercept and resend attack: Eve does not have bit information for a fraction 1-2μ(1-T )-2e of bits →
General individual attacks
Eavesdropping strategy:
Photon number splitting attack: QND measurement on total photon number in wavefunction, Eve sends N μT photons to Bob and keeps N μ(1-T ) photons, which are stored and measured individually → equivalent to beamsplitter attack
Optimal measurement on individual single photons, which spread over many pulses with a fixed phase modulation pattern in DPS-QKD
Privacy amplification shrinking factor becomes:
[ ]2
022
(1 6 )1 2 (1 ) log 1 1 2 (1 )2
eeT e Tτ μ μ=⎡ ⎤−= − − − − − ⎯⎯→ − −⎢ ⎥
⎣ ⎦
Secure key distribution distance for DPS-QKD
DPS
opt DPS
(1 2 )( )
R Tf T R Tμ μ
μ−
≠ →∼
∼
Linear decrease with channel transmission →illustrates robustness to photon number splitting attacks
For e ~ 0, d ~ 0:
Performance determined by robustness to photon number splitting attacks, which is accounted for in both analyses.
DPS-QKD uses a Poisson source and is robust to photon number splitting attacks
Outline
The BB84 quantum key distribution protocol
Differential phase shift quantum key distribution
The up-conversion single-photon detector
Implementation of a 1 GHz DPS-QKD system
Implementation of a 10 GHz DPS-QKD system
Conclusion – Future directions
Current single-photon detectors
Small → non-gated modeLarge → gated modeAfterpulse effects
~50 counts/s~104 counts/sDark count rate
~70 %~10 %Quantum efficiency
500-900 nm1300-1600 nmWavelength
Si APDInGaAs/InP APD
Gate width (~1 ns)
Gate period 1/fg (~1 μs)
No probability of detection
Dead time td (~50 ns)
All pulses are possibly detected
sifted gated gR f Tμ= sifted non-gateddTtR Te νμνμ −=
The up-conversion single-photon detector
1.5 μm single-photon signal
1.3 μm strong pump
700 nm single-photon idler Si APD
ωpump
ωsignal
ωSFG
Sum frequency generation
ωpump + ωsignal = ωSFG
Periodically poled lithium niobate (PPLN) waveguide
bulk waveguide
Birefrigent phase-matching:kpump + ksignal = kSFG
Quasi-phase-matching (QPM):kpump + ksignal + K = kSFG , |K| = 2π/Λ
QPM can be achieved for any desired interaction using nonlinear coefficients that couple waves of same polarization, which may be stronger →very efficient nonlinear interactions
Tight confinement of interacting fields in entire crystal → higher signal conversion efficiency
1.55 μm single-photon detection experimental setup
1.32 μmpump source
30 dB isolator VATT
20 dB splitter
99%
Polarization controller
1%Power monitor 1310/1550
WDM
Fixed attenuators
20 dB splitter
Power monitor
99%
1%VATT
1.55 μmsignal source
Temperature-controlled oven
Fiber-coupled PPLN waveguide
Lens SHG Filter Dichroic
BS
PrismLens Si APD
Mirror
Polarization controller
Pump, signal
Quantum efficiency
signal SFGint ernal in out collection Si APD
LT e T Tαη η η−=
( )2SFGint ernal nor
signal
( ) sin(0)
N L pLN
η η= =
Coupled mode theory for three-wave interactions in a waveguide with undepleted pump and lossless propagation:
99.9 % signal conversion efficiency in waveguide with ~100 mW of coupled pump powerreduced to 83 % due to propagation lossesreduced to 65 % due to input coupling, output coupling, fiber pigtail, reflection, and collection setup losses46 % overall quantum efficiency
Dark counts
8×105 dark counts/s at maximum quantum efficiency pointDark counts are not determined by Si APD but by a parasitic nonlinear process, which strongly depends on pump power
Dark count origin
Spectral feature appears at SFG wavelength → noise photons at 1.55 μm are up-converted via SFG process
ωpump
ωStokes
ωphonon
ωanti-Stokes ωpump
ωphonon
Stokesanti-Stokes
Solution: use longer pump wavelength than signal wavelength
Possible source of noise photons: spontaneous Raman scattering in fiber and waveguide
8×105 dark counts/s
2×104 dark counts/s
Summary
DPS-QKD protocol simple system architecturerequires only practical, telecommunication components robust to photon number splitting attacks
Up-conversion detectorhigh efficiency (maximum 46 %) in the 1.5 μm telecommunication bandquantum efficiency and dark counts depend on pump power →convenient tuning tool for optimal operation regime depending on the applicationnon-gated mode operation with small dead time enables fast communication
Outline
The BB84 quantum key distribution protocol
Differential phase shift quantum key distribution
Implementation of a 1 GHz DPS-QKD system
Implementation of a 10 GHz DPS-QKD system
Conclusion – Future directions
The up-conversion single-photon detector
1 GHz DPS-QKD experimental setup
1.55 μm cwlight source IM PM
(0,π)
15 GHz PPG
1 GHz DG
Clock source
20 dB splitter
1%Power monitor
99%VATT VATT
Polarization controller
Optical fiber
1 ns
66 ps
Temperature-controlled PLC Mach-Zehnder
interferometer
1.55 μm up-conversion single-photon detectors
Time Interval Analyzer
Logic unit
START
STOP 1 ns
1 ns
Measurement time window
DET1
DET2
Insertion loss: 2.5 dB Extinction ratio: 20 dB
Polarization controller
Experimental setup in the lab
Alice
Bob
Detector
Quantum channel
Detector timing jitter characteristics
Pulse broadening due to timing jitter of Si APD induces errors → apply measurement time window, which also reduces effective dark counts
66 ps pulses, 105 counts/s
FWHM: 75 ps
FWTM: 240 ps
We can use small measurement time window without significant degradation of the signal to noise ratio
Experimental results
( ) [ ]2
2secure sifted 2 2 2
1 6[1 2 (1 )]log 1 ( ) log (1 ) log (1 )
2e
R R T e f e e e e eμ⎧ ⎫⎡ ⎤−⎪ ⎪= − − − − − + + − −⎢ ⎥⎨ ⎬
⎢ ⎥⎪ ⎪⎣ ⎦⎩ ⎭
(b) η = 0.4 %D = 350 counts/stime window = 100 ps
→ d = 3.5×10-8
(a) 2 Mbit/s → 468 kbit/s @ 10 km(b) 166 bit/s @ 100 km
(a) η = 6 %D = 9.8×104 counts/stime window = 200 ps→ d = 1.95×10-5
0.20-0.22
(a) 2 Mbit/s → 468 kbit/s @ 10 km
Comparison with existing systems
Outline
The BB84 quantum key distribution protocol
Differential phase shift quantum key distribution
The up-conversion single-photon detector
Implementation of a 10 GHz DPS-QKD system
Conclusion – Future directions
Implementation of a 1 GHz DPS-QKD system
10 GHz DPS-QKD experimental setup
1.55 μm, 10 GHzmode-locked laser PM
(0,π)
10 GHz PPG
Clock source
20 dB splitter
1%Power monitor
99%VATT VATT
Polarization controller
Optical fiber
100 ps
10 ps
Temperature-controlled PLC Mach-Zehnder
interferometer
1.55 μm up-conversion single-photon detectors
Time Interval Analyzer
Logic unit
START
STOP 100 ps
100 ps
Measurement time window DET1
DET2
Insertion loss: 2.5 dB Extinction ratio: 19-20 dB
Detector timing jitter characteristics
10 ps pulses, 3×105 counts/s
FWHM: 30 ps
FWTM: 116 ps
Time (1 ns/div.)
Histogram of detected photons for fixed phase modulation pattern
Experimental results
Narrow pulse width and narrow FWHM → we can use very narrow measurement time window → extremely small contribution of dark counts to error rate
Also verified by independence of total bit error rate on fiber length
Error dominated by timing jitter, which is slightly higher for small fiber losses
Threshold error rate for secure communication against general individual attacks is 4.5 % → secure keys cannot be generated with ~10 % error rate
93.8
10.1
0.035
30
15.5
9.2
0.19
75
3.69267Sifted key generation rate (kbit/s)
9.710.9Bit error rate (%)
0.880.012Bit error rate due to dark counts (%)
10510Fiber length (km)
η = 0.27 %, D = 320 counts/s, time window = 10 ps → d = 3.2×10-9
Conclusion
We introduced and proved the security of the DPS-QKD protocolsimple system architecture, robust to photon number splitting attacks excellent candidate for long distance fiber-optic quantum cryptography systems
We demonstrated a fast and efficient single-photon detector in the 1.5 μm telecommunication band
We implemented a practical DPS-QKD system operating at 1 GHz2 Mbit/s sifted key generation rate over 10 kmdistribution of secure keys over 100 km of optical fiberhigh speed and long distance quantum cryptography possible with currently available technology
We implemented a DPS-QKD system operating at 10 GHzdid not yield secure keys due to high error rate, limited by the detector timing jitter
Future directions
Up-conversion detector improvements can lead to megahertz secure key generation rate and communication distance exceeding 250 km
Reduce dark countsImprove timing jitter characteristics of avalanche photodiodes
Superconducting single-photon detectors have very small dark counts and Gaussian responseEntanglement-based BBM92 can withstand larger channel losses
Quantum computation and quantum networking
Proof of unconditional security for DPS-QKD
Top Related