Vadim Makarov - vad1.com · 1 candidate: Vadim Makarov and Defence for the degree doktor ingeniør...
Transcript of Vadim Makarov - vad1.com · 1 candidate: Vadim Makarov and Defence for the degree doktor ingeniør...
1
candidate: Vadim Makarov
and
Defence for the degree doktor ingeniør
at the Norwegian University of Science and Technology, April 30, 2007
SPbSPUSt. Petersburg StatePolytechnic University
2
ca. 1970
2004 First commercial offers
Concept (“money physically impossible
to counterfeit”)
...... Market?
1984 Key distribution protocol (BB84)
1989 Proof-of-the-principle experiment
1993 Key transmission over fiber optic link
Quantum cryptography timeline
3
Encoder Decoder
Open (insecure)channel
BobAlice
Key
Secure channel
MessageMessage
Encoded message
• Secret key cryptography requires secure channel
for key distribution.
• Quantum cryptography distributes the key
by transmitting quantum states in open channel.
Key distribution
4
Retained bit sequence 1 – – 1 0 0 – 1 0 0 – 1 – 0
Bob’s measurement 1 0 0 1 0 0 1 1 0 0 0 1 0 0
Bob’s detection basis
Alice’s bit sequence 1 0 1 1 0 0 1 1 0 0 1 1 1 0
Light source
Alice
Bob
Diagonaldetector basis
Horizontal-verticaldetector basis
Diagonalpolarization filters
Horizontal-verticalpolarization filters
Image reprinted from article: W. Tittel, G. Ribordy, and N. Gisin, "Quantum cryptography," Physics World, March 1998
Quantum key distribution
0
0
1
1
5
ϕA = – 45° or + 45° : 0
Detector bases:
ϕB = – 45° : X
ϕB = + 45° : Zϕ
A = +135° or – 135° : 1
ϕA
Lightsource
D0ϕB
Alice Bob
LA
SA
Transmission
lineSB
LB
D1
Interferometric QKD channel
6
Quantum cryptography at NTNU
Fiber optic QKD setup
1. Optimal tracking of phase drift
2. Single photon detector
with afterpulse blocking
Security against practical attacks
3. Large pulse attack: experiment
4. Faked states attack
5. Detector efficiency mismatch ”0"
”1"
t
BOB
7
QKD setup
Bob
Laser
APD
1310 nm
Pulse rate = 10 MHz
Line
Polarizationсontroller
Attenuator
Alice’sPC
Publiccommunication(TCP/IP)
Bob’sPC
Polarizationcombiner
Polarizationсombiner
Phasemodulator 2
Polarizingsplitter
Phasemodulator 1
PM coupler50/50
Variabledelay linePolarizer
Variable ratioPM coupler
“1”
“0”
Alice
PM fiberstandard SM fiber
8
Photo 1. Alice (uncovered, no thermoisolation installed)
9
Photo 2. Bob (uncovered, no thermoisolation installed)
10
Tracking phase drift
To get phase accuracy ∆φ within ±10° (QBERopt ∆ϕ < 1%),
no more than Na = ~ 200 detector counts per adjustment
are required.
Optimally counted at ±90° points from the extreme of the
interference curves. Exact required number of counts
where k is the number of standard deviations of not exceeding ∆φ.
( ) ,
2
2
2
QBER21
12
−ϕ∆= k
Na
J. Appl. Opt. 43, 4385 (2004)
11
Tracking phase drift
+π
–π
0
0 60 minTime
J. Appl. Opt. 43, 4385 (2004)
To get phase accuracy ∆φ within ±10° (QBERopt ∆ϕ < 1%),
no more than Na = ~ 200 detector counts per adjustment
are required.
Experiment: adjustment every 3 s, Na = 230:
12
Test of QKD in laboratory conditions
Test run No. 2
QBER =
.5.7% average
QB
ER
, %
50
11
00 5 min
Time
Test run No. 1
best QBER
~ 4%
QB
ER
, %
50
11
00 5 min
Time
13
tgate down to 1ns
Gate pulse rate = 20 MHz
VE
Vbias
VB
t
T=1/(Gate pulse rate)
tgate–VAPD
Single photon detector:avalanche photodiode in Geiger mode
APD: Ge FD312L
T=77K, QE=16%, DC=5·10
–5
APD inside cryostatC = CAPD
Differential
amplifier
50 Ω coaxial cables
Gate pulse
generator Bias
14
Afterpulse blocking
• In QKD systems, probability of detecting a photon per pulse is always
much lower than 1 (e.g., ~ 1/1000). This makes afterpulse blocking
efficient, allowing without much loss in detection probability:
• In our QKD system: 20 MHz gate pulse rate
• In principle: a few orders of magnitude faster gate pulse rate
–VAPD
Detector
output
Hold-off time: N pulses are blocked
after detecting avalanche
t
VB
t
15
Hardware implementation ofafterpulse blocking
APD
Differential
amplifier
Gate pulse
generator BiasRF switch
= =
Set
Reset
Trigger
ComparatorIntegrator
Digital
output
0 0
N set
by switch
CLK
Load
Counter
Overflow
16
Test of afterpulse blocking
APD: Ge FD312L
Gate pulse rate = 12 MHz
QE = 7%
T = 77K
Number of gate pulses blocked
0.00
0.05
0.10
0.15
0.20
Co
un
t p
rob
ab
ilit
y,
%
Dark counts
Counts at 0.005 photon per pulse
0 2 5 12 18 34
N
17
1. Conventional security; trusted equipment manufacturer
2. Security against quantum attacks – security proofs for idealized model of equipment
3. Loopholes in optical scheme – imperfections not yet accounted in the proof
Quantum key distribution:components of security
2 311
Alice Bob
18
Large pulse attackAlice
Line
Attenuator
Alice’sPC
Eve’s equipment
Phasemodulator
– interrogating Alice’s phase modulator with powerful
external pulses (can give Eve bit values directly)
19
Large pulse attack: experiment
Laser
4% reflection
Vmod
OTDR
Out
In
Fine lengthadjustment
to get L1 = L2
L2
L1
ReceivedOTDRpulse
Vmod, V4.1 8.20
Variableattenuator
Alice
Phasemodulator
Eve
J. Mod. Opt. 48, 2023 (2001)
20
Photo 3. Artem Vakhitov tunes up Eve’s setup
21
Conventional intercept -resend:
Faked states attack:
(no alarm)
Faked states attack
J. Mod. Opt. 52, 691 (2005)
22
”0"
”1"
t
BOB
Exploiting common imperfection:detector gate misalignment
Phys. Rev. A 74, 022313 (2006)
23
”0"
”1"
t
BOB
Laser pulse from Alice
Detector gate misalignment
Phys. Rev. A 74, 022313 (2006)
24
”0"
”1"
t
BOB
Detector gate misalignment
Phys. Rev. A 74, 022313 (2006)
25
”0"
”1"
t
BOB
Detector gate misalignment
Phys. Rev. A 74, 022313 (2006)
26
”0"
”1"
t
Example: Eve measured with basis Z (90°), obtained bit 1
0°
BOB
=0°
Detector gate misalignment
(Eve resends the opposite bit 0 in the opposite basis X, shifted in time)
27
(Eve resends the opposite bit 0 in the opposite basis X, shifted in time)
”0"
”1"
t
Example: Eve measured with basis Z (90°), obtained bit 1
90°
BOB
=0°
Detector gate misalignment
28
De
tec
tor
eff
icie
nc
y
t
0
t0
t1
η0(t0)
η1(t0) η
0(t1)
η1(t1)
Partial efficiency mismatch
29
Partial efficiency mismatch
In the symmetric case (when η1(t0)/η
0(t0) = η
0(t1)/η
1(t1) ),
Eve causes less than 11% QBER if mismatch is larger than 1:15
A. Practical faked states attack:
B. General security bound (incomplete):
where
30
-3 -2 -1 1 2 30
t, ns
0
No
rma
lize
d d
ete
cto
r s
en
sit
ivit
y,
arb
. u
.
Detector model 1.Sensitivity curves
31
0 1 2 3 4 5 6 7 8 9 10 11 12
t, ns
0
10
20
De
tec
tor
qu
an
tum
eff
icie
nc
y,
% t = 5.15 ns
1/9
t = 7.40 ns
1/30
0 1
≈ ≈ηη
ηη
1
0
0
1
Detector model 2.Sensitivity curves at low photon number µ=0.5
32
Detector efficiency mismatch
• Detector efficiency mismatch is a problem for many
protocols and encodings: BB84 (considered above),
SARG04, phase-time, DPSK and Ekert protocols.
• Control parameter t that changes detector efficiencies
shall not be necessarily timing; it can be, e.g., wavelength
or polarization.
• The worst-case mismatch, no matter how small,
must be characterized and accounted for during
privacy amplification.
[quant-ph/0702262]
33
Conclusion
• A phase tracking technique and detector with afterpulse
blocking were successfully developed.
(QKD was demonstrated with a very limited success.)
• Our group has built unique expertise in quantum
cryptanalysis of attacks via optical loopholes.
Several attacks have been proposed, studied in detail,
and protection measures suggested.
34
Possible future research
• Continuing security studies beyond those presented in the
thesis; we have experimented with passively-quenched
Si APD; we are trying to incorporate detector efficiency
mismatch into general proof... With sufficient financing,
a study of high-power damage can be attempted.
• Improving the QKD experiment, demonstrating it over
at least ~ 20 km distance. Performance of detector
and phase tracking can be more accurately characterized.
• The QKD field is abound with novel ideas that can be tried...
35
Optional slides
36
0.00 0.11
QBER
0
1
R
0
Handling errors in raw key
R = 1 – 2 h(QBER)
37
• MagiQ Tecnologies
USA
• id Quantique
Switzerland
Standard VPN router + QKD equipment for frequent key changes
Several other companies also have the QKD technology, but are not selling yet
Commercial offers (as of late 2006)
38
Photo 4. Bob (left) and Alice (right), thermoisolation partially installed
39
Typical values of reflection coefficients for different fiber-optic components
(courtesy Opto-Electronics, Inc.)
40
( Eve’s basis = Bob’s basis )is sufficient for eavesdropping
Alice
Eve’s basis det. result
Bob
Incompatible basis –discarded by Alice and Bob during sifting
41
0 1η0.00
0.11
QBER
Not proven(assumed insecure)
Insecure
0.0660
Securewith reduced key rate
Security state of QKD system
( reduced rate at QBER=0 line, too )
42
Trondheim
St. Petersburg