# The Adventures of Alice, Bob & Eve in the Quantum World

The Adventures of Alice, Bob & Eve in the Quantum World. Stefano Mancini, Dipartimento di Fisica, Università di Camerino

Alice Bob Eavesdropper

Code-breakers vs Code-makers

Is there a perfect cipher?

- Vernam cipher (problem of key distribution)
- Public key cryptosystems
  - Mathematical, security based on computational complexity (use of one-way functions)
  - Can be broken by quantum computers!
  - In 1994 factorization of RSA-129 was achieved, but with a cluster of 103 workstations working for 8 months. Shor’s algorithm would factor RSA-129 in a few seconds running on a quantum computer at the speed of a desktop PC!
- Quantum cryptography
  - Physical, security based on fundamental principles of quantum mechanics

Basic notions about QM

- The space of states of a physical system is a Hilbert space H on C. A state is a vector of unit norm in such a space.
- The space of states of a composite system is the tensor product of the spaces of states of subsystems.
- Any physical process (on a closed system) is described by a unitary transformation on H.
- Any observable is described by a self-adjoint operator on H and the measurement process projects the system’s state onto an eigenstate of the observable and gives the corresponding eigenvalue as result.

From Cbits to Q(u)bits

- A qubit is the smallest (dim=2) Hilbert space associated to a physical system (e.g. spin, photon polarization, etc.).

Quantum Measurement

More on Quantum Measurement

- Quantum measurement is an irreversible process!
- Measuring Z on states prepared on its basis {|0>, |1>} would not disturb it.
- Measuring X on states prepared on its basis {|+>, |->} would not disturb it.
- Measuring Z on states prepared on X basis {|+>, |->} would project it into {|0>, |1>} with Pr=1/2.
- Measuring X on states prepared on Z basis {|0>, |1>} would project it into {|+>, |->} with Pr=1/2.

Info gain implies disturbance

Theorem. In any attempt to distinguish between two non-orthogonal quantum states, information gain is only possible at the expense of introducing some disturbance.

No-Cloning

Theorem. An unknown quantum state cannot be copied.

What is information? How much information?

The Entropy measures uncertainty: Logarithm to base 2 gives bits

- Example: Binary entropy $h(p) = -p\log p - (1-p)\log(1-p)$
- Coin flip has uncertainty of 1 bit!

There are several Entropies: H(X,Y), H(X|Y), H(X:Y), H(Y|X)

Quantum Key Distribution: BB84 protocol

- Alice uses two random bits a and a’ to prepare the state of a qubit $|\psi_{aa'}\rangle$: $|\psi_{00}\rangle = |0\rangle$, $|\psi_{10}\rangle = |1\rangle$, $|\psi_{01}\rangle = |+\rangle$, $|\psi_{11}\rangle = |-\rangle$.
- Alice sends the qubit to Bob through a quantum channel. Since Alice hasn’t revealed a’, Eve can only guess the basis and in the wrong case she disturbs the qubit. However, Bob does not know a’ either.
- Bob measures the qubit in the basis X or Z as determined by a random bit b’ which he creates on his own (0 - Z, 1 - X). Let Bob’s measurement result be b (0 - positive eigenvalue, 1 - negative eigenvalue).
- Alice publicly announces a’ through a public classical channel.
- The above procedure is repeated 4n times. Then Alice and Bob, by a discussion over a public channel, discard all bits except those for which a’=b’ (raw key, approx. 2n bits).
- Alice selects n bits (of her 2n) at random and publicly announces the selection. Then Alice and Bob compare the values of these check bits to establish the error rate (or Eve’s presence).
- Eventually the remaining n bits are the sifted key.

a’=b’ implies perfect correlations.

$$R = \frac{\#\ \text{usable bits}}{(\#\ \text{transmit. qubits}) + (\#\ \text{transmit. bits})} = \frac{1}{6}$$

What is gained by using qubits? Example: a simple intercept-resend strategy.

[Figure: intercept-resend tree for the state |0>, with branch labels Z (|0>, p=1/2), Z (p=1/2), X (p=1/2), Z (|0>, p=1/4), Z (|1>, p=1/4)]

What is gained by using qubits?

- For a simple intercept-resend eavesdropping, the prob. that Eve is present and Alice and Bob choose n uncorrupted (coincident) bits for the check is $(3/4)^n$, which goes to zero as n goes to infinity.
- In this simple example Eve gets 0.5 bits [H(a:e)=0.5] of info per bit in the sifted key for an induced QBER of 25% [d=0.25].
- We expect H(a:e) is an increasing function of d; nevertheless, provided $d \neq 0$, Alice and Bob would be able to outwit Eve (ideal situation of no noise in the channel!).
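The protocol steps and the intercept-resend figures above (QBER of 25%, escape probability $(3/4)^n$) can be reproduced with a classical simulation of the measurement rules. This is an added example, not part of the original slides; the function names, the seed and the run size are assumptions chosen here.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    # Same basis: outcome is the prepared bit. Conjugate basis: uniformly random outcome.
    return bit if prep_basis == meas_basis else rng.randrange(2)

def bb84_sift(num_qubits, eve_present, rng):
    """Quantum phase plus basis comparison; returns Alice's and Bob's raw keys."""
    key_a, key_b = [], []
    for _ in range(num_qubits):
        a, a_basis = rng.randrange(2), rng.randrange(2)  # bits a and a' (0 = Z, 1 = X)
        bit, basis = a, a_basis
        if eve_present:                                  # intercept-resend
            e_basis = rng.randrange(2)                   # Eve can only guess the basis
            bit = measure(bit, basis, e_basis, rng)      # her outcome e
            basis = e_basis                              # she resends e in her own basis
        b_basis = rng.randrange(2)                       # Bob's bit b'
        b = measure(bit, basis, b_basis, rng)
        if a_basis == b_basis:                           # keep only a' = b'
            key_a.append(a)
            key_b.append(b)
    return key_a, key_b

def check_and_split(key_a, key_b, rng):
    """Compare a random half of the raw key; return (error rate, Alice's rest, Bob's rest)."""
    idx = list(range(len(key_a)))
    rng.shuffle(idx)
    check, keep = idx[:len(idx) // 2], idx[len(idx) // 2:]
    errors = sum(key_a[i] != key_b[i] for i in check)
    return errors / len(check), [key_a[i] for i in keep], [key_b[i] for i in keep]

def run(num_qubits, eve_present, seed=1):
    rng = random.Random(seed)                            # constructed, seeded sample run
    key_a, key_b = bb84_sift(num_qubits, eve_present, rng)
    d, rest_a, rest_b = check_and_split(key_a, key_b, rng)
    return {"raw_fraction": len(key_a) / num_qubits, "qber": d,
            "keys_equal": rest_a == rest_b}

def undetected_probability(n_check):
    # Chance that n_check compared bits all agree although every qubit was intercepted.
    return 0.75 ** n_check

if __name__ == "__main__":
    print(run(40000, eve_present=False))
    print(run(40000, eve_present=True))
    print(undetected_probability(50))
```
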

Once Alice and Bob have reconciled the basis:

$p(a=0) = p(a=1) = 1/2$, so $H(a) = h(1/2) = 1$

$p(b=0|a=1) = p(b=1|a=0) = d$ (QBER)

$p(b=0|a=0) = p(b=1|a=1) = 1-d$

$p(b=0, a=1) = p(b=0|a=1)\,p(a=1) = d/2$

$p(b=1, a=0) = p(b=1|a=0)\,p(a=0) = d/2$

$p(b=0, a=0) = p(b=0|a=0)\,p(a=0) = (1-d)/2$

$p(b=1, a=1) = p(b=1|a=1)\,p(a=1) = (1-d)/2$

$H(a,b) = 1 + h(d)$

$p(b=0) = p(b=0, a=1) + p(b=0, a=0) = 1/2$

$p(b=1) = p(b=1, a=1) + p(b=1, a=0) = 1/2$

$H(b) = 1$

$H(a:b) = H(a) + H(b) - H(a,b) = 1 - h(d)$

Information Reconciliation & Privacy Amplification

In a realistic situation, how would Alice and Bob distinguish the effect of Eve's intrusion from that of the noise? Suppose at some point Alice, Bob and Eve perform measurements with outcomes a, b, e with P(a, b, e), then:

Theorem (Csiszar & Korner 1978). For a given P(a, b, e) Alice and Bob can establish a secret key (using only Information Reconciliation and Privacy Amplification) iff H(a:b) > H(a:e).

The ultimate security proof

Measuring d, how to know whether H(a:b) > H(a:e)? Let’s find a bound for H(a:e) by considering collective attacks.

Theorem (Hall 1995). Let E and B be two observables in an N (= $2^n$) dim Hilbert space. Denote e, b, |e>, |b> the corresponding eigenvalues and eigenvectors, and let $c = \max_{e,b}\{|\langle e|b\rangle|\}$; then

$$H(a:e) + H(a:b) < 2\log(Nc)$$

This theorem states that if Eve performs a measurement providing her with some info H(a:e), then because of perturbation Bob’s info is necessarily limited.

Suppose Alice sends out a large number of qubits and n were received by Bob in the correct basis ($N = 2^n$). Relabel the bases such that Alice uses n-times the X-basis, hence Bob’s observable is $X \otimes X \otimes \cdots \otimes X$. We can bound Eve’s info assuming she measures $Z \otimes Z \otimes \cdots \otimes Z$ (remember her max info corresponds to her max disturb). Thus e.g.

$$c = |\langle 0| \cdots \langle 0|\,|+\rangle \cdots |+\rangle| = 2^{-n/2}$$

and by Hall’s th.

$$H(a:e) + H(a:b) < 2\log(2^n\, 2^{-n/2}) = n$$

The sum of Eve’s and Bob’s info per qubit is 1.

By using the above inequality together with the Csiszar & Korner th. we get $H(a:b) > n/2$. Then

$$H(a:b) = [1 - h(d)]\,n > n/2, \quad \text{i.e. } d < 11\%$$
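The 11% threshold above is the solution of $1 - h(d) = 1/2$, which has no closed form and is found numerically here. This is an added example, not part of the original slides; the function names are assumptions, and H(a:b) is computed from the joint distribution p(a, b) given earlier for the reconciled basis rather than from the closed formula.

```python
from math import log2

def h(p):
    """Binary entropy in bits."""
    return 0.0 if p in (0.0, 1.0) else -p * log2(p) - (1 - p) * log2(1 - p)

def mutual_information(d):
    """H(a:b) = H(a) + H(b) - H(a,b) for the joint distribution with QBER d."""
    joint = {(0, 0): (1 - d) / 2, (1, 1): (1 - d) / 2,   # keys are (a, b)
             (0, 1): d / 2, (1, 0): d / 2}
    h_ab = -sum(p * log2(p) for p in joint.values() if p > 0)
    p_a0 = joint[(0, 0)] + joint[(0, 1)]                 # marginal p(a=0)
    p_b0 = joint[(0, 0)] + joint[(1, 0)]                 # marginal p(b=0)
    return h(p_a0) + h(p_b0) - h_ab

def key_possible(d):
    """Condition derived above: H(a:b) per qubit must exceed 1/2."""
    return mutual_information(d) > 0.5

def qber_threshold(tol=1e-12):
    """Largest d in [0, 1/2] that still allows a key; H(a:b) decreases on this interval."""
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if key_possible(mid):
            lo = mid
        else:
            hi = mid
    return lo

if __name__ == "__main__":
    print(f"threshold d = {qber_threshold():.4f}")
    for d in (0.05, 0.11, 0.25):                         # constructed sample QBER values
        print(d, round(mutual_information(d), 4), key_possible(d))
```

At d = 0.25, the QBER induced by the intercept-resend strategy, H(a:b) is about 0.19 bits per qubit, well below the 1/2 needed.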

Security condition

[Plot: H(a:e) and H(a:b) versus d (QBER)]

Now H(a:e)=0.5 with d=0.11!

Experimental Quantum Cryptography

- First demonstration on a table at IBM labs using photons traveling over a distance of 30 cm (1989)
- Experiments with fibres (over a distance of 30-50 km, 1996-2004) using faint laser pulses
- Experiments in free space (over a distance of a few km)
- Quantum Cryptography Devices already available in the market!

For further information and research at University of Camerino see: http://fisica.unicam.it/stefanomancini/ or contact me at: stefano.mancini@unicam.it
