Cryptology-I: § 4.2: Overview of Quantum Cryptography

Instructor: M.S. Schmalz

We begin our discussion of quantum cryptography (QC) by reviewing several topics pertinent to quantum mechanics. In Section 4.2.2, we discuss the mechanism and principles of secure key transmission based on quantum mechanics. Section 4.2.3 contains a brief discussion of issues involved in secure optical encoding based on concepts derived from QC theory.

4.2.1. Brief Review of Quantum Mechanical Concepts.

From Reference [2], we read:
"Quantum transmissions [one or more streams of particles upon which information is encoded] ... can be suppressed or altered but cannot in principle be monitored without disturbance."

What does this mean?

  1. A quantum encoding is the encoding of information in terms of one or more quanta or packets of energy (a quantum is sometimes expressed in terms of a fundamental particle such as a photon).

  2. A transmission of quantum particles can be suppressed (altered) by an adversary who attenuates (injects other particles into) the transmission.

  3. Monitoring of a transmission of quantum particles implies that an adversary measures attributes of the particle stream which comprises the transmission.

  4. Disturbance of a quantum transmission signifies perturbation of the attribute(s) of transmitted particles.

From physics [3], Heiseberg's uncertainty principle states that one cannot measure two properties of a fundamental particle simultaneously. For example, one cannot measure an electron's location as well as its momentum. Measuring one property destroys information about the other property. In layman's terms, the basis for this phenomenon is the interaction of an observer's wave function with the wave function of the observed entity.

Note that the uncertainty principle holds only at quantum scales (i.e., in layman's terms, smaller than an atomic diameter). Additionally, as a result of much misinterpretation and deceptive (sci-fi) literature, there currently exists a class of pseudoscientists who gull people into believing that they can apply the uncertainty principle (and concepts that vaguely resemble early notions of wave functions) to various macroscopic phenomena. For example, various "New Age" groups consider themselves able to "direct waves" (whatever that means) using crystals, plastic pyramids, and suchlike. That drivel should not be confused with quantum physics, and bears no relationship whatever to this discussion.

4.2.2. Quantum Cryptosystems for Secure Key Transmission.

In classical cryptography, sending a ciphertext message over a non-secure channel implies that the ciphertext can be monitored by an adversary. Unfortunately, there are few methods for discovering such monitoring, and no effective methods for preventing it. Quantum cryptography (QC) uses properties of photons to deliver a key over a secure optical channel. If the message or key is monitored, then the peculiar properties of quantum systems ensure that such monitoring can be detected. Additionally, if no monitoring is detected, then the probability is high (in principle) that the system is secure.

Quantum cryptography has the following features (in theory):

4.2.2.1. Methods of Detecting Message Monitoring or Compromise.

A classical transmission channel can be tapped in two ways:
  1. A portion of the signal can be physically removed and measured.

  2. The entire signal can be (a) monitored and redirected, (b) measured and modified, or (c) retransmitted.

The foregoing approaches are infeasible in quantum cryptography, because:

  1. If an adversary removes part of the signal, one or more bits are lost, since each bit is carried in one (and only one) particle. It is impossible (with current physical techniques or theory) to capture a portion of a fundamental particle.

  2. If a given particle is removed or retransmitted, then the information encoded on that particle is irreversibly modified. This occurs because Heisenberg's uncertainty principle states that every measurement in a quantum system changes the system. For example, if you measure an electron's momentum, you lose information about the electron's position.

We next discuss physical and theoretical bases for encoding information in quantum cryptosystems.

4.2.2.2. Encoding Bases for Quantum Cryptography.

It is preferred to use photons as fundamental particles in quantum cryptosystems, as opposed to electrons or protons. The latter charged particles are inconveniently attracted to (repelled by) other charged particles or magnetic fields, which abound in practice (e.g., the earth's magnetic field). For example, magnetically constraining the propagation of charged particles along an evacuated tube is much more difficult than transmitting photons through a fiber-optic cable. The latter technology has been developed for communications use, is relatively inexpensive, and is supported by a large base of relatively low-cost expertise.

Definition. In modelling photonic (i.e., lightwave) propagation, it is useful to recall the five primary properties of an electromagnetic wave, which are:

  1. Magnitude or intensity I (initial value denoted by Io) ,
  2. Phase ,
  3. Frequency or angular frequency = 2 ,
  4. Polarization , and
  5. Coherence .

Assumption. In practice, we generally assume that a QC light source is coherent, since lasers are typically employed as light sources in fiber optical communication applications. Hoever, when we later discuss the phenomenon of modal dispersion in optical fibers, we shall see that coherence can be disrupted by simple physical phenomena.

Definition. For purposes of simplicity, we can express lightwave intensity as

I = Io · sin(t + ) ,

with polarization understood.

Observation. Polarization can be linear or circular. Light is linearly polarized in one of two orthogonal directions - horizontal or vertical. Similarly, circular polarization can have two directions - left- or right-circular. We can visualize the effects of linear polarization by modelling light in terms of a vertical electric field (E-field) axis and horizontal magnetic field (B-field) axis, as shown in Figure 4.2.1.


Figure 4.2.1. Light propagation modelled as vertical (horizontal) electric (magnetic) field components. The linear polarizer with axis vertical passes only the vertical oscillations (bold wavy line).

Definition. The spin of a fundamental particle is a synonym for its angular momentum. This derives from Uhlencek and Goudsmit's hypothesis (circa 1925) that an electron spins about its axis similar to a child's top.

Definition. The symbol h denotes the quantity h/2, where h denotes Planck's constant. Niels Bohr first introduced this concept in his theory of the hydrogen atom.

Observation. The angular momentum of an alectron due to its spin ps is assigned the value

ps = s · h ,

where s has value 1/2, which typifies particles called fermions (e.g., electrons, protons, and neutrons). These are also called spin-1/2 particles.

Observation. A distinguishing feature of spin-1/2 particles is the conformance of their energy distribution to Fermi-Dirac statistics. Particles whose spin is an integral multiple of h or zero are called bosons (e.g., alpha particle of spin zero and deuteron of spin one). The energy distribution of bosons is described by Bose-Einstein statistics.

Remark. Given the quantum number s, the magnitude of the electron's spin angular momentum is computed as

h(s(s+1))1/2 = h · s1/2/2 .

Definition. A QC encoding basis is a two-valued parameter that characterizes some measurable property of a physical entity.

Example. Vertical or horizontal polarization of light waves (and, hence, of their dual particle or photon representation) is a QC encoding basis. Phase angles separated by 180o are also QC encoding bases.

Definition. Conjugate encoding bases are two QC encoding bases such that, when a basis is measured for a given particle that does not carry information in the context of that particle, both possible outcomes of the measurement have probability 1/2.

Example. When phase angles are used as encoding bases, the conjugate bases can be separated by 90 degrees. For example (0,180) degrees and (90,270) degrees.

We next consider four instances of quantum cryptosystems, and discuss such systems in terms of two unifying models.

4.2.2.3. Types of Quantum Cryptosystems.

Several types of quantum encodings have been shown to be sufficient for secure key transmission:
  1. Random sequence of spin-1/2 particles or single photons in four non-orthogonal polarization states (e.g., linear horiz or vertical, left or rt circular);

  2. Analogous random sequence of low-intensity polarized coherent or incoherent light pulses;

  3. A sequence of polarization-entangled Einstein-Podolsky-Rosen (EPR) two-photon states; or

  4. An analogous EPR sequence of spacetime-entangled two-photon states.

From the preceding list, it is easily seen that quantum cryptosystems can be partitioned into EPR and non-EPR classes. The following table and algorithm (from Reference [2]) helps clarify basic procedure. 

%%%TABLE GOES HERE%%%
where Steps 1-10 refer to:

4.2.3. Optical Implementation of QC.

Observation. Practical QC channels have been implemented using optical fibers and free-space communication. Phase is a more convenient basis for optical fiber channels, since currently-available fibers do not preserve polarization information well.

Observation. If we have two polarization bases (e.g., vertical/horizontal linear and left/right-hand circular polarization), then if an adversary tries to measure the v/h basis, the information encoded on the l/r polarization basis is destroyed. By measuring in the wrong basis, the adversary obtains no information, since the bits of interest are destroyed due to alteration of the respective photons' physical properties by interaction of the observer and the photons.

Remark. If an adversary guesses the basis wrong, then retransmission of the intercepted particle (assuming this is possible) yields one or more bit errors (assuming error detection codes or related capabilities at the receiver). Thus, an error can be detected at the receiver, which could imply eavesdropping, but could also result from other effects, such as physical damage to the transmission channel.

Current approaches to QC include frequency-division long-distance interferometry (FDLDI), which has the following features:

  1. A signal is phase-encoded on a carrier signal that is shifted in frequency with respect to its original frequency;
  2. Signals are combined and transmitted over a given channel; and
  3. The combined signals are demixed at the receiver, with phase detection to determine the transmitted information.
The following figure schematically illustrates this concept.


Figure 4.2.2. Schematic diagram of optical quantum encoder/decoder for secure key transmission, where LS = Light Source, AOLM = Acousto-Optic Light Modulator, DET = Detector, and BS = Beam Splitter. Here, f2 > f1 has been reported in the literature.

Here, signal s2 of frequency f1 is shifted by an acousto-optic light modulator (AOLM1) to frequency f2 and midex linearly (via a beamsplitter) with signal s1 (also of frequency f1). The Mach-Zehnder interferometer (MZ) separates f1 and f2 by coercing s1 to have phase 2k, k Z. MZ also coerces s2 to have phase k, so there is destructive (constructive) interference at DET1 or DET2 (DET2 or DET1). The AOLM2 downshifts s2 to frequency f1.

If you an adversary (Oscar) listens to the channel and guesses the encoding basis correctly, Oscar obtains one bit of information. This also holds for the receiver. If the basis is guessed incorrectly, the bit value is irretrievably lost. Thus, if Oscar measures the intercepted photons incorrectly, they are irretrievably lost and yield a completely random output due to the conjugate encoding bases. This is the only reason that eavesdropping can fail in QC systems.

4.2.3.1. Practical Considerations of Optical QC.

Various physical effects cause perturbation of the phase and polarization information inherent in optical encoding for QC applications. Since we have thus far considered optical fiber channels only, we will discuss sources of error in fiber-optic circuits primarily. A brief discussion of errors in free-space communications will be presented at the end of this section.

4.2.3.1.1. Modal dispersion in fiber optic cables results from internal reflection of light carried inside the cable. This effect causes an optical path inside a cable of length L to be of physical length greater than L. Figure 4.2.3 schematially illustrates the geometry and physical consequences of this effect.


Figure 4.2.3. Schematic illustration of the effects of modal dispersion in fiber optic cables: (a) ray propagation geometry; and (b) broadening of the initial phase probability distribution (solid line) associated with a photon having nominal phase . The resultant probability distribution is shown as symmetric, due to possible reflection about the principal value range of .

The effect of dispersion is encountered in free-space optical communications in outer space, due to optical scattering by dust particles. Although not significant over short distances, the cumulative effect over long transmission paths can introduce significant error into a QC system.

4.2.3.1.2. Errors due to eavesdropping can increase the measured error rate at the receiver due to (a) choice of the wrong basis by an adversary monitoring the channel, and (b) dispersion or attenuation introduced into a fiber-optic channel by physical intrusion into the optical fiber. Since small changes in the error rate may be hard to detect in practice (e.g., due to time-variant dispersion effects that result from fiber deformation, hydration, etc.), a given fiber channel must be well characterized prior to being used for QC purposes. This is a nontrival measurement, but is of great importance, since the communicating parties may subsequently have difficulty distinguishing normal channel errors from those introduced by an adversary.

A conservative perspective on the security of QC would assume that every error measured at the receiver is caused by an adversary. Based on the number of errors observed at the receiver, an upper bound can be derived for the amount of information that an adversary could observe. Given this upper bound, Slutsky and Fainman [-] propose to employ privacy amplification, an information-theoretic technique, to maximize the amount of received information.

For example, suppose Alice transmits 1000 bits to Bob and Oscar knows 110 bits of a given transmission. Privacy amplification allows one to manipulate the remaining 890 bits (via the use of checksums, etc.) to render such bits secure.

4.2.3.1.3. Detection of individual photons has traditionally been implemented with photomultiplier tubes (PMTs). Unfortunately, fiber-optical communication employs light whose wavelength is primarily in the red and infrared (IR), where the detection efficiency and sensitivity of PMTs is low. Hence, avalanche photodiodes will probably be employed in the near future, due to their enhanced quantum efficiency in the IR.

4.2.3.1.4. Throughput of a typical QC system generally depends upon

  1. Dispersion and attenuation losses in the optical medium (e.g., an optical fiber);
  2. Dectector bandwidth, which is nontrivial, since single-photon detectors are required;
  3. Efficiency of error detection and correction methods; and
  4. Introduction of noise or error by one or more adversaries.
Definition. Raw throughput of a channel is the number of bits transmitted per second. After error detection or correction, and allowing for errors possibly induced by an adversary, the remaining bandwdith is called net secure throughput.

Observation. A typical avalanche photodiode currently exhibits a bandwidth that is constrained by a 50ns cycle time. This implies a maximum raw throughput of 20MHz.

Example. If the channel bit error rate (BER) is 5 percent and channel loss over the propagation path is 10db, then the current throughput expectation is approximately 104 to 105 bits per second.

4.2.3.1.5. Choice of basis may be performed by the transmitter, in a random fashion. Additionally, the receiver may choose randomly from two conjugate bases. In such cases, half the bits are lost due to basis mismatch at the receiver. In order to properly decode bits at the end of the transmission, communicating parties transmit a list of bases used in the transmission.

Recall that an adversary cannot measure the transmitted photons without inducing erroneous bits at the receiver. Thus, a posteriori exchange of bases does not compromise security since:

  1. If eavesdropping occurs, the error rate at the receiver increases, thereby indicating possible channel compromise; and

  2. If eavesdropping does not occur, then the transmission is not monitored, and the exchange of bases presumably furnishes no information to the adversary, since the bases are purportedly chosen randomly.

4.2.3.2. Summary of Concepts.

Several salient issues of non-EPR quantum cryptosystems are listed as follows:
  1. Customarily, only a key is sent along a secure (QC) channel.

  2. If a plaintext message is as long as the secure key (which we assume is sent along a QC channel), then perfect secrecy can be achieved in the sense of Shannon, via the use of a one-time pad.

  3. An adversary cannot guess a conjugate encoding basis correctly more than 50 percent of the time.

  4. If an adversary uses an incorrect basis to monitor the channel, then the bit that he measures is destroyed, provided that one and only one bit is encoded per particle that is subject to Heisenberg's Uncertainty Principle. Thus, errors can be introduced by one or more adversaries who monitor the channel and guess the wrong encoding basis.

  5. Additional errors can arise within the secure channel from physical effects such as attenuation, dispersion, and optical fiber deformation.

  6. QC channel throughput using fiber-optics is presently limited by device bandwidth to less than 10Hz (laboratory practice reported in the open literature).

References

[1] Ekert, A.K. "Quantum cryptography based on Bell's theorem", Physics Review Letters 67(6):661-663 (1991).

[2] Bennett, C.H. "Quantum cryptography based on Bell's theorem", Physics Review Letters 67(6):661-663 (1991).

[3] Cagnac, B. Modern Atomic Physics: Quantum Theory and its Applications, translated by J.S. Deech, New York: Wiley (1975).

[4] Levich, V.G. Theoretical Physics: An Advanced Text, translated by S. Subotic, Amsterdam: North-Holland (1971).

Click here for Giles Brassard's extensive bibliography of quantum cryptography. (More information to follow.)

Brassard is an imaginative scientist, and has contributed to early work in Quantum Teleportation at IBM.

You may also want to check on IBM's Quantum Communication and Computation Web page, which has several links to other sites.

This concludes our overview of quantum cryptosystems.