Quantum key distribution


Quantum key distribution (QKD) is a secure communication method which implements a cryptographic protocol involving components of quantum mechanics. It enables two parties to produce a shared random secret key known only to them, which can then be used to encrypt and decrypt messages. It is often incorrectly called quantum cryptography, as it is the best-known example of a quantum cryptographic task.


An important and unique property of quantum key distribution is the ability of the two communicating users to detect the presence of any third party trying to gain knowledge of the key. This results from a fundamental aspect of quantum mechanics: the process of measuring a quantum system in general disturbs the system. A third party trying to eavesdrop on the key must in some way measure it, thus introducing detectable anomalies. By using quantum superpositions or quantum entanglement and transmitting information in quantum states, a communication system can be implemented that detects eavesdropping. If the level of eavesdropping is below a certain threshold, a key can be produced that is guaranteed to be secure (i.e., the eavesdropper has no information about it), otherwise no secure key is possible and communication is aborted.

The security of encryption that uses quantum key distribution relies on the foundations of quantum mechanics, in contrast to traditional public key cryptography, which relies on the computational difficulty of certain mathematical functions, and cannot provide any mathematical proof as to the actual complexity of reversing the one-way functions used. QKD has provable security based on information theory, and forward secrecy.

The main drawback of quantum key distribution is that it usually relies on having an authenticated classical channel of communications. In modern cryptography, having an authenticated classical channel means that one has either already exchanged a symmetric key of sufficient length or public keys of sufficient security level. With such information already available, one can achieve authenticated and secure communications without using QKD, such as by using the Galois/Counter Mode of the Advanced Encryption Standard. Thus QKD does the work of a stream cipher at many times the cost. Noted security expert Bruce Schneier remarked that quantum key distribution is "as useless as it is expensive". [1]

Quantum key distribution is only used to produce and distribute a key, not to transmit any message data. This key can then be used with any chosen encryption algorithm to encrypt (and decrypt) a message, which can then be transmitted over a standard communication channel. The algorithm most commonly associated with QKD is the one-time pad, as it is provably secure when used with a secret, random key. [2] In real-world situations, it is often also used with encryption using symmetric key algorithms like the Advanced Encryption Standard algorithm.

Quantum key exchange

Quantum communication involves encoding information in quantum states, or qubits, as opposed to classical communication's use of bits. Usually, photons are used for these quantum states. Quantum key distribution exploits certain properties of these quantum states to ensure its security. There are several different approaches to quantum key distribution, but they can be divided into two main categories depending on which property they exploit.

Prepare and measure protocols
In contrast to classical physics, the act of measurement is an integral part of quantum mechanics. In general, measuring an unknown quantum state changes that state in some way. This is a consequence of quantum indeterminacy and can be exploited in order to detect any eavesdropping on communication (which necessarily involves measurement) and, more importantly, to calculate the amount of information that has been intercepted.
Entanglement based protocols
The quantum states of two (or more) separate objects can become linked together in such a way that they must be described by a combined quantum state, not as individual objects. This is known as entanglement and means that, for example, performing a measurement on one object affects the other. If an entangled pair of objects is shared between two parties, anyone intercepting either object alters the overall system, revealing the presence of the third party (and the amount of information they have gained).

These two approaches can each be further divided into three families of protocols: discrete variable, continuous variable and distributed phase reference coding. Discrete variable protocols were the first to be invented, and they remain the most widely implemented. The other two families are mainly concerned with overcoming practical limitations of experiments. The two protocols described below both use discrete variable coding.

BB84 protocol: Charles H. Bennett and Gilles Brassard (1984)

This protocol, known as BB84 after its inventors and year of publication, was originally described using photon polarization states to transmit the information. [3] However, any two pairs of conjugate states can be used for the protocol, and many optical-fibre-based implementations described as BB84 use phase encoded states. The sender (traditionally referred to as Alice) and the receiver (Bob) are connected by a quantum communication channel which allows quantum states to be transmitted. In the case of photons this channel is generally either an optical fibre or simply free space. In addition they communicate via a public classical channel, for example using broadcast radio or the internet. The protocol is designed with the assumption that an eavesdropper (referred to as Eve) can interfere in any way with the quantum channel, while the classical channel needs to be authenticated. [4] [5]

The security of the protocol comes from encoding the information in non-orthogonal states. Quantum indeterminacy means that these states cannot in general be measured without disturbing the original state (see No-cloning theorem). BB84 uses two pairs of states, with each pair conjugate to the other pair, and the two states within a pair orthogonal to each other. Pairs of orthogonal states are referred to as a basis. The usual polarization state pairs used are either the rectilinear basis of vertical (0°) and horizontal (90°), the diagonal basis of 45° and 135° or the circular basis of left- and right-handedness. Any two of these bases are conjugate to each other, and so any two can be used in the protocol. Below the rectilinear and diagonal bases are used.

Basis | 0 | 1
+ | ↑ | →
× | ↗ | ↘

The first step in BB84 is quantum transmission. Alice creates a random bit (0 or 1) and then randomly selects one of her two bases (rectilinear or diagonal in this case) to transmit it in. She then prepares a photon polarization state depending both on the bit value and basis, as shown in the adjacent table. So for example a 0 is encoded in the rectilinear basis (+) as a vertical polarization state, and a 1 is encoded in the diagonal basis (x) as a 135° state. Alice then transmits a single photon in the state specified to Bob, using the quantum channel. This process is then repeated from the random bit stage, with Alice recording the state, basis and time of each photon sent.

According to quantum mechanics (particularly quantum indeterminacy), no possible measurement distinguishes between the 4 different polarization states, as they are not all orthogonal. The only possible measurement is between any two orthogonal states (an orthonormal basis). So, for example, measuring in the rectilinear basis gives a result of horizontal or vertical. If the photon was created as horizontal or vertical (as a rectilinear eigenstate) then this measures the correct state, but if it was created as 45° or 135° (diagonal eigenstates) then the rectilinear measurement instead returns either horizontal or vertical at random. Furthermore, after this measurement the photon is polarized in the state it was measured in (horizontal or vertical), with all information about its initial polarization lost.

As Bob does not know the basis the photons were encoded in, all he can do is to select a basis at random to measure in, either rectilinear or diagonal. He does this for each photon he receives, recording the time, measurement basis used and measurement result. After Bob has measured all the photons, he communicates with Alice over the public classical channel. Alice broadcasts the basis each photon was sent in, and Bob the basis each was measured in. They both discard photon measurements (bits) where Bob used a different basis, which is half on average, leaving half the bits as a shared key.

Alice's random bit | 0 | 1 | 1 | 0 | 1 | 0 | 0 | 1
Alice's random sending basis | + | + | × | + | × | × | × | +
Photon polarization Alice sends | ↑ | → | ↘ | ↑ | ↘ | ↗ | ↗ | →
Bob's random measuring basis | + | × | × | × | + | × | + | +
Photon polarization Bob measures | ↑ | ↗ | ↘ | ↗ | → | ↗ | → | →
PUBLIC DISCUSSION OF BASIS
Shared secret key | 0 | | 1 | | | 0 | | 1

To check for the presence of an eavesdropper, Alice and Bob now compare a predetermined subset of their remaining bit strings. If a third party (usually referred to as Eve, for "eavesdropper") has gained any information about the photons' polarization, this introduces errors in Bob's measurements. Other environmental conditions can cause errors in a similar fashion. If more than bits differ they abort the key and try again, possibly with a different quantum channel, as the security of the key cannot be guaranteed. is chosen so that if the number of bits known to Eve is less than this, privacy amplification can be used to reduce Eve's knowledge of the key to an arbitrarily small amount at the cost of reducing the length of the key.

E91 protocol: Artur Ekert (1991)

Artur Ekert's scheme [6] uses entangled pairs of photons. These can be created by Alice, by Bob, or by some source separate from both of them, including eavesdropper Eve. The photons are distributed so that Alice and Bob each end up with one photon from each pair.

The scheme relies on two properties of entanglement. First, the entangled states are perfectly correlated in the sense that if Alice and Bob both measure whether their particles have vertical or horizontal polarizations, they always get the same answer with 100% probability. The same is true if they both measure any other pair of complementary (orthogonal) polarizations. This necessitates that the two distant parties have exact directionality synchronization. However, the particular results are completely random; it is impossible for Alice to predict if she (and thus Bob) will get vertical polarization or horizontal polarization. Second, any attempt at eavesdropping by Eve destroys these correlations in a way that Alice and Bob can detect.

Similarly to BB84, the protocol involves a private measurement protocol before detecting the presence of Eve. The measurement stage involves Alice measuring each photon she receives using some basis from the set while Bob chooses from where is the basis rotated by . They keep their series of basis choices private until measurements are completed. Two groups of photons are made: the first consists of photons measured using the same basis by Alice and Bob while the second contains all other photons. To detect eavesdropping, they can compute the test statistic using the correlation coefficients between Alice's bases and Bob's similar to that shown in the Bell test experiments. Maximally entangled photons would result in . If this were not the case, then Alice and Bob can conclude Eve has introduced local realism to the system, violating Bell's Theorem. If the protocol is successful, the first group can be used to generate keys since those photons are completely anti-aligned between Alice and Bob.

Information reconciliation and privacy amplification

The quantum key distribution protocols described above provide Alice and Bob with nearly identical shared keys, and also with an estimate of the discrepancy between the keys. These differences can be caused by eavesdropping, but also by imperfections in the transmission line and detectors. As it is impossible to distinguish between these two types of errors, guaranteed security requires the assumption that all errors are due to eavesdropping. Provided the error rate between the keys is lower than a certain threshold (27.6% as of 2002 [7] ), two steps can be performed to first remove the erroneous bits and then reduce Eve's knowledge of the key to an arbitrary small value. These two steps are known as information reconciliation and privacy amplification respectively, and were first described in 1992. [8]

Information reconciliation is a form of error correction carried out between Alice and Bob's keys, in order to ensure both keys are identical. It is conducted over the public channel and as such it is vital to minimise the information sent about each key, as this can be read by Eve. A common protocol used for information reconciliation is the cascade protocol, proposed in 1994. [9] This operates in several rounds, with both keys divided into blocks in each round and the parity of those blocks compared. If a difference in parity is found then a binary search is performed to find and correct the error. If an error is found in a block from a previous round that had correct parity then another error must be contained in that block; this error is found and corrected as before. This process is repeated recursively, which is the source of the cascade name. After all blocks have been compared, Alice and Bob both reorder their keys in the same random way, and a new round begins. At the end of multiple rounds Alice and Bob have identical keys with high probability; however, Eve has additional information about the key from the parity information exchanged. From a coding theory point of view, information reconciliation is essentially source coding with side information; in consequence, any coding scheme that works for this problem can be used for information reconciliation. Lately turbocodes, [10] LDPC codes [11] and polar codes [12] have been used for this purpose, improving the efficiency of the cascade protocol.
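The parity comparison, binary search and back-correction described above can be traced on a small key. The following is an added example, not code from the original page or from the cascade authors: the 16-bit key, the error positions and the two public orderings are constructed, the orderings are fixed rather than random so the run is reproducible, and doubling the block size each round is an assumption taken from the usual description of the protocol.

```python
def parity(bits, positions):
    """Parity of the bits found at the given key positions."""
    return sum(bits[p] for p in positions) & 1


def cascade(alice, bob, block_size, permutations):
    """Reconcile bob against alice; return (corrected key, parity bits leaked).

    permutations holds one public ordering of key positions per round.
    Alice's key is only ever touched through ask(), which counts every
    parity bit that an eavesdropper on the public channel also learns.
    """
    bob = list(bob)
    leaked = 0

    def ask(positions):
        # Alice announces one parity bit over the public channel.
        nonlocal leaked
        leaked += 1
        return parity(alice, positions)

    def bisect_and_fix(block):
        # The block holds an odd number of errors: halve it until one is isolated.
        while len(block) > 1:
            left = block[: len(block) // 2]
            block = left if ask(left) != parity(bob, left) else block[len(left):]
        bob[block[0]] ^= 1

    announced = []  # (positions, Alice's parity) for every block of every round
    for round_no, order in enumerate(permutations):
        size = block_size << round_no  # assumption: blocks double each round
        for start in range(0, len(order), size):
            block = order[start:start + size]
            announced.append((block, ask(block)))
        # Fixing a bit flips the parity of every earlier block that contains
        # it, exposing an error that was masked there: the cascade step.
        while True:
            odd = [blk for blk, p in announced if parity(bob, blk) != p]
            if not odd:
                break
            bisect_and_fix(min(odd, key=len))
    return bob, leaked


# Constructed sample: Bob's copy differs from Alice's at positions 1, 2 and 9.
ALICE = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1]
ERROR_POSITIONS = (1, 2, 9)
BOB = [b ^ (i in ERROR_POSITIONS) for i, b in enumerate(ALICE)]
ROUND1 = list(range(16))                              # natural order
ROUND2 = list(range(0, 16, 2)) + list(range(1, 16, 2))  # evens, then odds


def remaining_errors(key):
    return [i for i, (a, b) in enumerate(zip(ALICE, key)) if a != b]


if __name__ == "__main__":
    one, leak1 = cascade(ALICE, BOB, 4, [ROUND1])
    two, leak2 = cascade(ALICE, BOB, 4, [ROUND1, ROUND2])
    # Round 1 misses the two errors that share a block (even parity).
    print("after 1 round :", remaining_errors(one), "leaked", leak1)
    # Round 2 separates them; fixing one unmasks the other in round 1's block.
    print("after 2 rounds:", remaining_errors(two), "leaked", leak2)
```

The leaked count is what privacy amplification later has to remove from the key length.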

Privacy amplification is a method for reducing (and effectively eliminating) Eve's partial information about Alice and Bob's key. This partial information could have been gained both by eavesdropping on the quantum channel during key transmission (thus introducing detectable errors), and on the public channel during information reconciliation (where it is assumed Eve gains all possible parity information). Privacy amplification uses Alice and Bob's key to produce a new, shorter key, in such a way that Eve has only negligible information about the new key. This can be done using a universal hash function, chosen at random from a publicly known set of such functions, which takes as its input a binary string of length equal to the key and outputs a binary string of a chosen shorter length. The amount by which this new key is shortened is calculated, based on how much information Eve could have gained about the old key (which is known due to the errors this would introduce), in order to reduce the probability of Eve having any knowledge of the new key to a very low value.
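One way to carry out the hashing step described above, as an added example that is not code from the original page: it uses random binary Toeplitz matrices as the publicly known universal family, which is a choice made here, and the length rule (subtract Eve's estimated bits, the leaked parity bits and a safety margin) is a simplified accounting with hypothetical parameter names.

```python
import secrets


def final_key_length(n_bits, eve_quantum_bits, parity_bits_leaked, safety_bits):
    """Length of the shortened key; 0 means no secure key can be produced.

    eve_quantum_bits is the bound on Eve's knowledge inferred from the
    observed error rate, parity_bits_leaked comes from reconciliation, and
    safety_bits is an extra margin (all three are inputs assumed here).
    """
    return max(0, n_bits - eve_quantum_bits - parity_bits_leaked - safety_bits)


def random_toeplitz_seed(n_bits, out_bits):
    """Public random seed that defines an out_bits x n_bits Toeplitz matrix."""
    return [secrets.randbits(1) for _ in range(n_bits + out_bits - 1)]


def toeplitz_hash(key, out_bits, seed):
    """Multiply the key by the Toeplitz matrix over GF(2).

    Entry (i, j) of the matrix is seed[i - j + n - 1], so every diagonal is
    constant and the whole matrix is described by n + out_bits - 1 bits.
    """
    n = len(key)
    if len(seed) != n + out_bits - 1:
        raise ValueError("seed must have n + out_bits - 1 bits")
    out = []
    for i in range(out_bits):
        acc = 0
        for j in range(n):
            acc ^= seed[i - j + n - 1] & key[j]
        out.append(acc)
    return out


def amplify(key, eve_quantum_bits, parity_bits_leaked, safety_bits, seed=None):
    """Return (seed, shortened key). The seed is sent in the clear so that
    Alice and Bob apply the same function to their reconciled keys."""
    out_bits = final_key_length(len(key), eve_quantum_bits,
                                parity_bits_leaked, safety_bits)
    if out_bits == 0:
        return [], []  # too much leaked: abort rather than output a key
    if seed is None:
        seed = random_toeplitz_seed(len(key), out_bits)
    return seed, toeplitz_hash(key, out_bits, seed)


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


if __name__ == "__main__":
    # Constructed 64-bit reconciled key shared by Alice and Bob.
    reconciled = [secrets.randbits(1) for _ in range(64)]
    seed, alice_final = amplify(reconciled, 10, 20, 8)
    _, bob_final = amplify(reconciled, 10, 20, 8, seed=seed)
    print(len(alice_final), "bit key, identical on both sides:",
          alice_final == bob_final)
    # A single unreconciled bit changes the output, which is why error
    # correction has to finish before this step.
    damaged = list(reconciled)
    damaged[0] ^= 1
    print("differs after one bit error:",
          toeplitz_hash(damaged, len(alice_final), seed) != alice_final)
```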

Implementations

Experimental

In 2008, exchange of secure keys at 1 Mbit/s (over 20 km of optical fibre) and 10 kbit/s (over 100 km of fibre), was achieved by a collaboration between the University of Cambridge and Toshiba using the BB84 protocol with decoy state pulses. [13]

In 2007, Los Alamos National Laboratory/NIST achieved quantum key distribution over 148.7 km of optical fibre using the BB84 protocol. [14] Significantly, this distance is long enough for almost all the spans found in today's fibre networks. A European collaboration achieved free space QKD over 144 km between two of the Canary Islands using entangled photons (the Ekert scheme) in 2006, [15] and using BB84 enhanced with decoy states [16] [17] [18] [19] [20] [21] in 2007. [22]

As of August 2015 the longest distance for optical fiber (307 km) [23] was achieved by University of Geneva and Corning Inc. In the same experiment, a secret key rate of 12.7 kbit/s was generated, making it the highest bit rate system over distances of 100 km. In 2016 a team from Corning and various institutions in China achieved a distance of 404 km, but at a bit rate too slow to be practical. [24]

In June 2017, physicists led by Thomas Jennewein at the Institute for Quantum Computing and the University of Waterloo in Waterloo, Canada achieved the first demonstration of quantum key distribution from a ground transmitter to a moving aircraft. They reported optical links with distances between 3–10 km and generated secure keys up to 868 kilobytes in length. [25]

Also in June 2017, as part of the Quantum Experiments at Space Scale project, Chinese physicists led by Pan Jianwei at the University of Science and Technology of China measured entangled photons over a distance of 1203 km between two ground stations, laying the groundwork for future intercontinental quantum key distribution experiments. [26] Photons were sent from one ground station to the satellite they had named Micius and back down to another ground station, where they "observed a survival of two-photon entanglement and a violation of Bell inequality by 2.37 ± 0.09 under strict Einstein locality conditions" along a "summed length varying from 1600 to 2400 kilometers." [27] Later that year BB84 was successfully implemented over satellite links from Micius to ground stations in China and Austria. The keys were combined and the result was used to transmit images and video between Beijing, China, and Vienna, Austria. [28]

In May 2019 a group led by Hong Guo at Peking University and Beijing University of Posts and Telecommunications reported field tests of a continuous-variable QKD system through commercial fiber networks in Xi'an and Guangzhou over distances of 30.02 km (12.48 dB) and 49.85 km (11.62 dB) respectively. [29]

In December 2020, the Indian Defence Research and Development Organisation tested a QKD link between two of its laboratories in its Hyderabad facility. The setup also demonstrated detection of a third party trying to gain knowledge of the communication. Quantum-based security against eavesdropping was validated for the deployed system at a range of over 12 km (7.5 mi) and 10 dB attenuation over a fibre-optic channel. A continuous-wave laser source was used to generate photons without depolarization effects, and the timing accuracy employed in the setup was of the order of picoseconds. A single-photon avalanche detector (SPAD) recorded the arrival of photons, and a key rate in the range of kbps was achieved with a low quantum bit error rate. [30]

In March 2021, the Indian Space Research Organisation also demonstrated free-space quantum communication over a distance of 300 meters. Free-space QKD was demonstrated at the Space Applications Centre (SAC), Ahmedabad, between two line-of-sight buildings within the campus for video conferencing by quantum-key encrypted signals. The experiment utilised a NAVIC receiver for time synchronization between the transmitter and receiver modules. After demonstrating quantum communication between two ground stations, India has plans to develop Satellite Based Quantum Communication (SBQC). [31]

Commercial

There are currently six companies offering commercial quantum key distribution systems around the world: ID Quantique (Geneva), MagiQ Technologies, Inc. (New York), QNu Labs (Bengaluru, India), QuintessenceLabs (Australia), QRate (Russia) and SeQureNet (Paris). Several other companies also have active research programs, including Toshiba, HP, IBM, Mitsubishi, NEC and NTT (See External links for direct research links).

In 2004, the world's first bank transfer using quantum key distribution was carried out in Vienna, Austria. [32] Quantum encryption technology provided by the Swiss company Id Quantique was used in the Swiss canton (state) of Geneva to transmit ballot results to the capital in the national election occurring on 21 October 2007. [33] In 2013, Battelle Memorial Institute installed a QKD system built by ID Quantique between their main campus in Columbus, Ohio and their manufacturing facility in nearby Dublin. [34] Field tests of Tokyo QKD network have been underway for some time. [35]

Quantum key distribution networks

DARPA

The DARPA Quantum Network [36] was a 10-node quantum key distribution network, which ran continuously for four years, 24 hours a day, from 2004 to 2007 in Massachusetts in the United States. It was developed by BBN Technologies, Harvard University and Boston University, with collaboration from IBM Research, the National Institute of Standards and Technology, and QinetiQ. It supported a standards-based Internet computer network protected by quantum key distribution.

SECOQC

The world's first computer network protected by quantum key distribution was implemented in October 2008, at a scientific conference in Vienna. The name of this network is SECOQC (Secure Communication Based on Quantum Cryptography) and the EU funded this project. The network used 200 km of standard fibre optic cable to interconnect six locations across Vienna and the town of St Poelten located 69 km to the west. [37]

SwissQuantum

Id Quantique has successfully completed the longest running project for testing Quantum Key Distribution (QKD) in a field environment. The main goal of the SwissQuantum network project installed in the Geneva metropolitan area in March 2009, was to validate the reliability and robustness of QKD in continuous operation over a long time period in a field environment. The quantum layer operated for nearly 2 years until the project was shut down in January 2011 shortly after the initially planned duration of the test.

Chinese networks

In May 2009, a hierarchical quantum network was demonstrated in Wuhu, China. The hierarchical network consisted of a backbone network of four nodes connecting a number of subnets. The backbone nodes were connected through an optical switching quantum router. Nodes within each subnet were also connected through an optical switch, which were connected to the backbone network through a trusted relay. [38]

Launched in August 2016, the QUESS space mission created an international QKD channel between China and the Institute for Quantum Optics and Quantum Information in Vienna, Austria − a ground distance of 7,500 km (4,700 mi), enabling the first intercontinental secure quantum video call. [39] [40] [41] By October 2017, a 2,000-km fiber line was operational between Beijing, Jinan, Hefei and Shanghai. [42] Together they constitute the world's first space-ground quantum network. [43] Up to 10 Micius/QUESS satellites are expected, [44] allowing a European–Asian quantum-encrypted network by 2020, and a global network by 2030. [45] [46]

Tokyo QKD Network

The Tokyo QKD Network [47] was inaugurated on the first day of the UQCC2010 conference. The network involves an international collaboration between 7 partners; NEC, Mitsubishi Electric, NTT and NICT from Japan, and participation from Europe by Toshiba Research Europe Ltd. (UK), Id Quantique (Switzerland) and All Vienna (Austria). "All Vienna" is represented by researchers from the Austrian Institute of Technology (AIT), the Institute for Quantum Optics and Quantum Information (IQOQI) and the University of Vienna.

Los Alamos National Laboratory

A hub-and-spoke network has been operated by Los Alamos National Laboratory since 2011. All messages are routed via the hub. The system equips each node in the network with quantum transmitters—i.e., lasers—but not with expensive and bulky photon detectors. Only the hub receives quantum messages. To communicate, each node sends a one-time pad to the hub, which it then uses to communicate securely over a classical link. The hub can route this message to another node using another one time pad from the second node. The entire network is secure only if the central hub is secure. Individual nodes require little more than a laser: Prototype nodes are around the size of a box of matches. [48]

Attacks and security proofs

Intercept and resend

The simplest type of possible attack is the intercept-resend attack, where Eve measures the quantum states (photons) sent by Alice and then sends replacement states to Bob, prepared in the state she measures. In the BB84 protocol, this produces errors in the key Alice and Bob share. As Eve has no knowledge of the basis a state sent by Alice is encoded in, she can only guess which basis to measure in, in the same way as Bob. If she chooses correctly, she measures the correct photon polarization state as sent by Alice, and resends the correct state to Bob. However, if she chooses incorrectly, the state she measures is random, and the state sent to Bob cannot be the same as the state sent by Alice. If Bob then measures this state in the same basis Alice sent, he too gets a random result—as Eve has sent him a state in the opposite basis—with a 50% chance of an erroneous result (instead of the correct result he would get without the presence of Eve). The table below shows an example of this type of attack.

Alice's random bit | 0 | 1 | 1 | 0 | 1 | 0 | 0 | 1
Alice's random sending basis | + | + | × | + | × | × | × | +
Photon polarization Alice sends | ↑ | → | ↘ | ↑ | ↘ | ↗ | ↗ | →
Eve's random measuring basis | + | × | + | + | × | + | × | +
Polarization Eve measures and sends | ↑ | ↗ | → | ↑ | ↘ | → | ↗ | →
Bob's random measuring basis | + | × | × | × | + | × | + | +
Photon polarization Bob measures | ↑ | ↗ | ↗ | ↘ | → | ↗ | ↑ | →
PUBLIC DISCUSSION OF BASIS
Shared secret key | 0 | | 0 | | | 0 | | 1
Errors in key | ✓ | | ✗ | | | ✓ | | ✓

The probability Eve chooses the incorrect basis is 50% (assuming Alice chooses randomly), and if Bob measures this intercepted photon in the basis Alice sent he gets a random result, i.e., an incorrect result with probability of 50%. The probability an intercepted photon generates an error in the key string is then 50% × 50% = 25%. If Alice and Bob publicly compare of their key bits (thus discarding them as key bits, as they are no longer secret) the probability they find disagreement and identify the presence of Eve is

So to detect an eavesdropper with probability Alice and Bob need to compare key bits.
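The sifting step and the 25% error rate derived above can be checked on the page's own eight-photon tables and by simulation. This is an added example, not code from the original page: the bit values read off the tables use vertical/45° = 0 and horizontal/135° = 1, the channel is assumed noiseless, and the names (including the count of compared bits, `n_compared`) are chosen here.

```python
import random

RECT, DIAG = "+", "x"  # rectilinear and diagonal bases

# The eight photons of the worked tables above: Alice's bits and bases,
# Bob's bases, and the bits Bob reads without and with Eve on the line.
ALICE_BITS = [0, 1, 1, 0, 1, 0, 0, 1]
ALICE_BASES = list("++x+xxx+")
BOB_BASES = list("+xxx+x++")
BOB_BITS_NO_EVE = [0, 0, 1, 0, 1, 0, 1, 1]
BOB_BITS_WITH_EVE = [0, 0, 0, 1, 1, 0, 0, 1]


def sift(alice_bases, bob_bases, bits):
    """Keep only the bits where sender and receiver used the same basis."""
    return [b for a, r, b in zip(alice_bases, bob_bases, bits) if a == r]


def measure(bit, prepared_in, measured_in, rng):
    """Same basis: the encoded bit. Conjugate basis: a uniformly random bit."""
    return bit if prepared_in == measured_in else rng.randrange(2)


def simulate(n_photons, eve_present, rng):
    """Return (Alice's sifted key, Bob's sifted key) for one BB84 run."""
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        a_bit, a_basis = rng.randrange(2), rng.choice((RECT, DIAG))
        bit, basis = a_bit, a_basis
        if eve_present:  # intercept-resend: measure, then resend what was seen
            e_basis = rng.choice((RECT, DIAG))
            bit, basis = measure(bit, basis, e_basis, rng), e_basis
        b_basis = rng.choice((RECT, DIAG))
        b_bit = measure(bit, basis, b_basis, rng)
        if a_basis == b_basis:  # public discussion of basis
            alice_key.append(a_bit)
            bob_key.append(b_bit)
    return alice_key, bob_key


def error_rate(alice_key, bob_key):
    """Fraction of sifted bits on which Alice and Bob disagree."""
    return sum(a != b for a, b in zip(alice_key, bob_key)) / len(alice_key)


def detection_probability(n_compared):
    """Chance that n_compared sacrificed bits show at least one mismatch,
    given the 25% per-bit error rate of a full intercept-resend attack."""
    return 1 - 0.75 ** n_compared


def bits_to_compare(target):
    """Smallest number of compared bits that reaches the target probability."""
    n = 0
    while detection_probability(n) < target:
        n += 1
    return n


if __name__ == "__main__":
    print("table key, no Eve  :", sift(ALICE_BASES, BOB_BASES, BOB_BITS_NO_EVE))
    print("table key, with Eve:", sift(ALICE_BASES, BOB_BASES, BOB_BITS_WITH_EVE))
    rng = random.Random(2024)  # fixed seed so the run is reproducible
    for eve in (False, True):
        a_key, b_key = simulate(40000, eve, rng)
        print(f"Eve={eve}: {len(a_key)} sifted bits, "
              f"error rate {error_rate(a_key, b_key):.3f}")
    print("bits to compare for 99% detection:", bits_to_compare(0.99))
```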

Man-in-the-middle attack

Quantum key distribution is vulnerable to a man-in-the-middle attack when used without authentication to the same extent as any classical protocol, since no known principle of quantum mechanics can distinguish friend from foe. As in the classical case, Alice and Bob cannot authenticate each other and establish a secure connection without some means of verifying each other's identities (such as an initial shared secret). If Alice and Bob have an initial shared secret then they can use an unconditionally secure authentication scheme (such as Carter-Wegman [49]) along with quantum key distribution to exponentially expand this key, using a small amount of the new key to authenticate the next session. [50] Several methods to create this initial shared secret have been proposed, for example using a 3rd party [51] or chaos theory. [52] Nevertheless, only an "almost strongly universal" family of hash functions can be used for unconditionally secure authentication. [53]

Photon number splitting attack

In the BB84 protocol Alice sends quantum states to Bob using single photons. In practice many implementations use laser pulses attenuated to a very low level to send the quantum states. These laser pulses contain a very small number of photons, for example 0.2 photons per pulse, which are distributed according to a Poisson distribution. This means most pulses actually contain no photons (no pulse is sent), some pulses contain 1 photon (which is desired) and a few pulses contain 2 or more photons. If the pulse contains more than one photon, then Eve can split off the extra photons and transmit the remaining single photon to Bob. This is the basis of the photon number splitting attack, [54] where Eve stores these extra photons in a quantum memory until Bob detects the remaining single photon and Alice reveals the encoding basis. Eve can then measure her photons in the correct basis and obtain information on the key without introducing detectable errors.

Even with the possibility of a PNS attack a secure key can still be generated, as shown in the GLLP security proof; [55] however, a much higher amount of privacy amplification is needed, reducing the secure key rate significantly (with PNS the rate scales as as compared to for single photon sources, where is the transmittance of the quantum channel).

There are several solutions to this problem. The most obvious is to use a true single photon source instead of an attenuated laser. While such sources are still at a developmental stage, QKD has been carried out successfully with them. [56] However, as current sources operate at a low efficiency and frequency, key rates and transmission distances are limited. Another solution is to modify the BB84 protocol, as is done for example in the SARG04 protocol, [57] in which the secure key rate scales as . The most promising solution is decoy states, [16] [18] [19] [20] [21] in which Alice randomly sends some of her laser pulses with a lower average photon number. These decoy states can be used to detect a PNS attack, as Eve has no way to tell which pulses are signal and which decoy. Using this idea the secure key rate scales as , the same as for a single photon source. This idea has been implemented successfully first at the University of Toronto, [58] [59] and in several follow-up QKD experiments, [60] allowing for high key rates secure against all known attacks.

Denial of service

Because currently a dedicated fibre optic line (or line of sight in free space) is required between the two points linked by quantum key distribution, a denial of service attack can be mounted by simply cutting or blocking the line. This is one of the motivations for the development of quantum key distribution networks, which would route communication via alternate links in case of disruption.

Trojan-horse attacks

A quantum key distribution system may be probed by Eve by sending in bright light from the quantum channel and analyzing the back-reflections in a Trojan-horse attack. In a recent research study it has been shown that Eve discerns Bob's secret basis choice with higher than 90% probability, breaching the security of the system. [61]

Security proofs

If Eve is assumed to have unlimited resources, for example both classical and quantum computing power, there are many more attacks possible. BB84 has been proven secure against any attacks allowed by quantum mechanics, both for sending information using an ideal photon source which only ever emits a single photon at a time, [62] and also using practical photon sources which sometimes emit multiphoton pulses. [55] These proofs are unconditionally secure in the sense that no conditions are imposed on the resources available to the eavesdropper; however, there are other conditions required:

  1. Eve cannot physically access Alice and Bob's encoding and decoding devices.
  2. The random number generators used by Alice and Bob must be trusted and truly random (for example a Quantum random number generator).
  3. The classical communication channel must be authenticated using an unconditionally secure authentication scheme.
  4. The message must be encrypted using a one-time-pad-like scheme.

Quantum hacking

Hacking attacks target vulnerabilities in the operation of a QKD protocol or deficiencies in the components of the physical devices used in construction of the QKD system. If the equipment used in quantum key distribution can be tampered with, it could be made to generate keys that were not secure using a random number generator attack. Another common class of attacks is the Trojan horse attack [63] which does not require physical access to the endpoints: rather than attempt to read Alice and Bob's single photons, Eve sends a large pulse of light back to Alice in between transmitted photons. Alice's equipment reflects some of Eve's light, revealing the state of Alice's basis (e.g., a polarizer). This attack can be detected, e.g. by using a classical detector to check the non-legitimate signals (i.e. light from Eve) entering Alice's system. It is also conjectured that most hacking attacks can similarly be defeated by modifying the implementation, though there is no formal proof.

Several other attacks including faked-state attacks, [64] phase remapping attacks, [65] and time-shift attacks [66] are now known. The time-shift attack has even been demonstrated on a commercial quantum cryptosystem. [67] This is the first demonstration of quantum hacking against a non-homemade quantum key distribution system. Later on, the phase-remapping attack was also demonstrated on a specially configured, research oriented open QKD system (made and provided by the Swiss company Id Quantique under their Quantum Hacking program). [68] It is one of the first 'intercept-and-resend' attacks on top of a widely used QKD implementation in commercial QKD systems. This work has been widely reported in media. [69] [70] [71] [72]

The first attack that claimed to be able to eavesdrop the whole key [73] without leaving any trace was demonstrated in 2010. It was experimentally shown that the single-photon detectors in two commercial devices could be fully remote-controlled using specially tailored bright illumination. In a spree of publications [74] [75] [76] thereafter, the collaboration between the Norwegian University of Science and Technology in Norway and Max Planck Institute for the Science of Light in Germany, has now demonstrated several methods to successfully eavesdrop on commercial QKD systems based on weaknesses of Avalanche photodiodes (APDs) operating in gated mode. This has sparked research on new approaches to securing communications networks. [77]

Counterfactual quantum key distribution

The task of distributing a secret key could be achieved even when the particle (on which the secret information, e.g. polarization, has been encoded) does not traverse through the quantum channel using a protocol developed by Tae-Gon Noh. [78] serves to explain how this non-intuitive or counterfactual idea actually works. Here Alice generates a photon which, by not taking a measurement until later, exists in a superposition of being in paths (a) and (b) simultaneously. Path (a) stays inside Alice's secure device and path (b) goes to Bob. By rejecting the photons that Bob receives and only accepting the ones he doesn't receive, Bob & Alice can set up a secure channel, i.e. Eve's attempts to read the counterfactual photons would still be detected. This protocol uses the quantum phenomenon whereby the possibility that a photon can be sent has an effect even when it isn't sent. So-called interaction-free measurement also uses this quantum effect, as for example in the bomb testing problem, whereby you can determine which bombs are not duds without setting them off, except in a counterfactual sense.

History

Quantum cryptography was proposed first by Stephen Wiesner, then at Columbia University in New York, who, in the early 1970s, introduced the concept of quantum conjugate coding. His seminal paper titled "Conjugate Coding" was rejected by IEEE Information Theory but was eventually published in 1983 in SIGACT News (15:1 pp. 78–88, 1983). In this paper he showed how to store or transmit two messages by encoding them in two "conjugate observables", such as linear and circular polarization of light, so that either, but not both, of which may be received and decoded. He illustrated his idea with a design of unforgeable bank notes. A decade later, building upon this work, Charles H. Bennett, of the IBM Thomas J. Watson Research Center, and Gilles Brassard, of the University of Montreal, proposed a method for secure communication based on Wiesner's "conjugate observables". In 1990, Artur Ekert, then a PhD student at Wolfson College, University of Oxford, developed a different approach to quantum key distribution based on quantum entanglement.

Future

The current commercial systems are aimed mainly at governments and corporations with high security requirements. Key distribution by courier is typically used in such cases, where traditional key distribution schemes are not believed to offer enough guarantee. This has the advantage of not being intrinsically distance limited, and despite long travel times the transfer rate can be high due to the availability of large capacity portable storage devices. The major difference of quantum key distribution is the ability to detect any interception of the key, whereas with courier the key security cannot be proven or tested. QKD (Quantum Key Distribution) systems also have the advantage of being automatic, with greater reliability and lower operating costs than a secure human courier network.

Kak's three-stage protocol has been proposed as a method for secure communication that is entirely quantum, unlike quantum key distribution, in which the cryptographic transformation uses classical algorithms. [79]

Factors preventing wide adoption of quantum key distribution outside high security areas include the cost of equipment, and the lack of a demonstrated threat to existing key exchange protocols. However, with optic fibre networks already present in many countries the infrastructure is in place for a more widespread use.

An Industry Specification Group (ISG) of the European Telecommunications Standards Institute (ETSI) has been set up to address standardisation issues in quantum cryptography. [80]

European Metrology Institutes, in the context of dedicated projects, [81] [82] are developing measurements required to characterise components of QKD systems.

References

  1. Schneier, Bruce (16 October 2008). "Quantum Cryptography: As Awesome As It Is Pointless". Wired.
  2. Shannon, C. E. (1949). "Communication Theory of Secrecy Systems*". Bell System Technical Journal. Institute of Electrical and Electronics Engineers (IEEE). 28 (4): 656–715. doi:10.1002/j.1538-7305.1949.tb00928.x. hdl: 10338.dmlcz/119717 . ISSN   0005-8580.
  3. C. H. Bennett and G. Brassard. Quantum cryptography: Public key distribution and coin tossing. In Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, volume 175, page 8. New York, 1984.
  4. Tomamichel, Marco; Leverrier, Anthony (2017). "A largely self-contained and complete security proof for quantum key distribution". Quantum. 1: 14. arXiv: 1506.08458 . doi:10.22331/q-2017-07-14-14. S2CID   56465385.
  5. Portmann, Christopher; Renner, Renato (2014). "Cryptographic security of quantum key distribution". arXiv: 1409.3525 [quant-ph].
  6. Ekert, Artur K. (5 August 1991). "Quantum cryptography based on Bell's theorem". Physical Review Letters. 67 (6): 661–663. Bibcode:1991PhRvL..67..661E. doi:10.1103/PhysRevLett.67.661. PMID   10044956. S2CID   27683254.
  7. Chau, H.F. (2002). "Practical scheme to share a secret key through a quantum channel with a 27.6% bit error rate". Physical Review A. 66 (6): 60302. Bibcode:2002PhRvA..66f0302C. doi:10.1103/PhysRevA.66.060302. hdl: 10722/43370 . Retrieved 4 September 2020.
  8. Bennett, C. H.; Bessette, F.; Brassard, G.; Salvail, L.; Smolin, J. (1992). "Experimental Quantum Cryptography" (PDF). Journal of Cryptology. 5 (1): 3–28. doi:10.1007/bf00191318. S2CID   206771454.
  9. G. Brassard and L. Salvail "Secret key reconciliation by public discussion" Advances in Cryptology: Eurocrypt 93 Proc. pp 410-23 (1993) CiteSeerx :  10.1.1.42.9686
  10. Nguyen, Kim-Chi; Van Assche, Gilles; Cerf, Nicolas J. (10–13 October 2004). "Side-Information Coding with Turbo Codes and its Application to Quantum Key Distribution". arXiv: cs/0406001 . Parma, Italy.
  11. Elkouss, D.; Martinez-Mateo, J.; Martin, V. (2010). "Information reconciliation for quantum key distribution" (PDF). Quantum Information & Computation. 11: 226–238. Archived from the original (PDF) on 15 December 2013. Retrieved 4 September 2020.
  12. Nguyen, Kim-Chi; Gilles Van Assche; Cerf, Nicolas J. (2012). "High Performance Error Correction for Quantum Key Distribution using Polar Codes". arXiv: 1204.5882v3 [quant-ph].
  13. Dixon, A.R.; Z.L. Yuan; Dynes, J.F.; Sharpe, A. W.; Shields, A. J. (2008). "Gigahertz decoy quantum key distribution with 1 Mbit/s secure key rate". Optics Express. 16 (23): 18790–7. arXiv: 0810.1069 . Bibcode:2008OExpr..1618790D. doi:10.1364/OE.16.018790. PMID   19581967. S2CID   17141431.
  14. Hiskett, P A; Rosenberg, D; Peterson, C G; Hughes, R J; Nam, S; Lita, A E; Miller, A J; Nordholt, J E (14 September 2006). "Long-distance quantum key distribution in optical fibre". New Journal of Physics. IOP Publishing. 8 (9): 193. arXiv: quant-ph/0607177 . Bibcode:2006NJPh....8..193H. doi: 10.1088/1367-2630/8/9/193 . ISSN   1367-2630.
  15. Ursin, Rupert; Felix Tiefenbacher; Cerf, Nicolas J.; Weier, H.; Scheidl, T.; Lindenthal, M.; Blauensteiner, B.; Jennewein, T.; Perdigues, J.; Trojek, P.; Ömer, B.; Fürst, M.; Meyenburg, M.; Rarity, J.; Sodnik, Z.; Barbieri, C.; Weinfurter, H.; Zeilinger, A. (2006). "Free-Space distribution of entanglement and single photons over 144 km". Nature Physics. 3 (7): 481–486. arXiv: quant-ph/0607182 . Bibcode:2006quant.ph..7182U. doi:10.1038/nphys629.
  16. Hwang, Won-Young (1 August 2003). "Quantum Key Distribution with High Loss: Toward Global Secure Communication". Physical Review Letters. 91 (5): 057901. arXiv: quant-ph/0211153 . Bibcode:2003PhRvL..91e7901H. doi:10.1103/physrevlett.91.057901. ISSN   0031-9007. PMID   12906634. S2CID   19225674.
  17. Shams Mousavi, S. H.; Gallion, P. (24 July 2009). "Decoy-state quantum key distribution using homodyne detection". Physical Review A. 80 (1): 012327. arXiv: 1411.6155 . doi:10.1103/PhysRevA.80.012327. ISSN   1050-2947.
  18. H.-K. Lo, in Proceedings of 2004 IEEE ISIT (IEEE Press, New York, 2004), p. 137
  19. Wang, Xiang-Bin (16 June 2005). "Beating the Photon-Number-Splitting Attack in Practical Quantum Cryptography". Physical Review Letters. 94 (23): 230503. arXiv: quant-ph/0410075 . Bibcode:2005PhRvL..94w0503W. doi:10.1103/physrevlett.94.230503. ISSN   0031-9007. PMID   16090451. S2CID   2651690.
  20. H.-K. Lo, X. Ma, K. Chen, "Decoy State Quantum Key Distribution", Physical Review Letters, 94, 230504 (2005)
  21. Ma, Xiongfeng; Qi, Bing; Zhao, Yi; Lo, Hoi-Kwong (2005). "Practical decoy state for quantum key distribution". Physical Review A. 72 (1): 012326. arXiv: quant-ph/0503005 . Bibcode:2005PhRvA..72a2326M. doi:10.1103/PhysRevA.72.012326. S2CID   836096.
  22. Schmitt-Manderbach, Tobias; Weier, Henning; Fürst, Martin; Ursin, Rupert; Tiefenbacher, Felix; et al. (5 January 2007). "Experimental Demonstration of Free-Space Decoy-State Quantum Key Distribution over 144 km" (PDF). Physical Review Letters. American Physical Society (APS). 98 (1): 010504. Bibcode:2007PhRvL..98a0504S. doi:10.1103/physrevlett.98.010504. ISSN   0031-9007. PMID   17358463. S2CID   15102161.
  23. Korzh, Boris; Lim, Charles Ci Wen; Houlmann, Raphael; Gisin, Nicolas; Li, Ming Jun; Nolan, Daniel; Sanguinetti, Bruno; Thew, Rob; Zbinden, Hugo (2015). "Provably Secure and Practical Quantum Key Distribution over 307 km of Optical Fibre". Nature Photonics. 9 (3): 163–168. arXiv: 1407.7427 . Bibcode:2015NaPho...9..163K. doi:10.1038/nphoton.2014.327. S2CID   59028718.
  24. Yin, Juan; Cao, Yuan; Li, Yu-Huai; Liao, Sheng-Kai; Zhang, Liang; Ren, Ji-Gang; Cai, Wen-Qi; Liu, Wei-Yue; Li, Bo; Dai, Hui; et al. (2017). "Satellite-based entanglement distribution over 1200 kilometers". Science. 356 (6343): 1140–1144. arXiv: 1707.01339 . Bibcode:2017arXiv170701339Y. doi:10.1126/science.aan3211. PMID   28619937. S2CID   5206894.
  25. Pugh, C. J.; Kaiser, S.; Bourgoin, J.- P.; Jin, J.; Sultana, N.; Agne, S.; Anisimova, E.; Makarov, V.; Choi, E.; Higgins, B. L.; Jennewein, T. (2017). "Airborne demonstration of a quantum key distribution receiver payload". Quantum Science and Technology. 2 (2): 024009. arXiv: 1612.06396 . Bibcode:2017QS&T....2b4009P. doi:10.1088/2058-9565/aa701f. S2CID   21279135.
  26. "China's quantum satellite achieves 'spooky action' at a record distance". 15 June 2017. Retrieved 15 June 2017.
  27. Yin, J.; Cao, Y.; Li, Y.- H.; Liao, S.- K.; Zhang, L.; Ren, J.- G.; Cai, W.- Q.; Liu, W.- Y.; Li, B.; Dai, H.; Li, G.- B.; Lu, Q.- M.; Gong, Y.- H.; Xu, Y.; Li, S.- L.; Li, F.- Z.; Yin, Y.- Y.; Jiang, Z.- Q.; Li, M.; Jia, J.- J.; Ren, G.; He, D.; Zhou, Y.- L.; Zhang, X.- X.; Wang, N.; Chang, X.; Zhu, Z.- C.; Liu, N.- L.; Lu, C.- Y.; Shu, R.; Peng, C.- Z.; Wang, J.- Y.; Pan, J.- W. (2017). "Satellite-based entanglement distribution over 1200 kilometers". Science. 356 (6343): 1140–4. arXiv: 1707.01339 . doi: 10.1126/science.aan3211 . PMID   28619937.
  28. Liao, Sheng-Kai; Cai, Wen-Qi; Handsteiner, Johannes; Liu, Bo; Yin, Juan; Zhang, Liang; Rauch, Dominik; Fink, Matthias; Ren, Ji-Gang; Liu, Wei-Yue; et al. (2018). "Satellite-Relayed Intercontinental Quantum Network". Physical Review Letters. 120 (3): 030501. arXiv: 1801.04418 . Bibcode:2018PhRvL.120c0501L. doi:10.1103/PhysRevLett.120.030501. PMID   29400544. S2CID   206306725.
  29. Zhang, Yichen; Li, Zhengyu; Chen, Ziyang; Weedbrook, Christian; Zhao, Yijia; Wang, Xiangyu; Huang, Yundi; Xu, Chunchao; Zhang, Xiaoxiong; Wang, Zhenya; Li, Mei; Zhang, Xueying; Zheng, Ziyong; Chu, Binjie; Gao, Xinyu; Meng, Nan; Cai, Weiwen; Wang, Zheng; Wang, Gan; Yu, Song; Guo, Hong (2019). "Continuous-variable QKD over 50 km commercial fiber". Quantum Science and Technology. 4 (3): 035006. arXiv: 1709.04618 . Bibcode:2019QS&T....4c5006Z. doi:10.1088/2058-9565/ab19d1. S2CID   116403328.
  30. Ministry of Defence (9 December 2020). "Quantum Communication between two DRDO Laboratories". Press Information Bureau. Retrieved 22 March 2021.
  31. "ISRO makes breakthrough demonstration of free-space Quantum Key Distribution (QKD) over 300 m". Indian Space Research Organisation. 22 March 2021. Retrieved 22 March 2021.
  32. http://www.secoqc.net/downloads/pressrelease/Banktransfer_english.pdf Archived 9 March 2013 at the Wayback Machine secoqc.net
  33. Jordans, Frank (12 October 2007). "Swiss Call New Vote Encryption System 'Unbreakable'". technewsworld.com. Archived from the original on 9 December 2007. Retrieved 8 March 2013.
  34. Dillow, Clay (14 October 2013). "Unbreakable encryption comes to the U.S". fortune.cnn.com. Archived from the original on 14 October 2013.
  35. Sasaki, M.; et al. (2011). "Field test of quantum key distribution in the Tokyo QKD Network". Optics Express. 19 (11): 10387–10409. arXiv: 1103.3566 . Bibcode:2011OExpr..1910387S. doi:10.1364/OE.19.010387. PMID   21643295. S2CID   593516.
  36. Knight, Will. "Quantum cryptography network gets wireless link" . Retrieved 18 August 2016.
  37. "'Unbreakable' encryption unveiled". 9 October 2008. Retrieved 18 August 2016 via bbc.co.uk.
  38. Xu, FangXing; Chen, Wei; Wang, Shuang; Yin, ZhenQiang; Zhang, Yang; Liu, Yun; Zhou, Zheng; Zhao, YiBo; Li, HongWei; Liu, Dong (2009), "Field experiment on a robust hierarchical metropolitan quantum cryptography network", Chinese Science Bulletin, 54 (17): 2991–2997, arXiv: 0906.3576 , Bibcode:2009ChSBu..54.2991X, doi:10.1007/s11434-009-0526-3, S2CID   118300112
  39. Lin Xing (16 August 2016). "China launches world's first quantum science satellite". Physics World. Institute of Physics. Retrieved 17 August 2016.
  40. "First Quantum Satellite Successfully Launched". Austrian Academy of Sciences. 16 August 2016. Retrieved 17 August 2016.
  41. Wall, Mike (16 August 2016). "China Launches Pioneering 'Hack-Proof' Quantum-Communications Satellite". Space.com. Purch. Retrieved 17 August 2016.
  42. "Is China the Leader in Quantum Communications?". IEEE . 19 January 2018. Retrieved 19 March 2018.
  43. "China Demonstrates Quantum Encryption By Hosting a Video Call". IEEE . 3 October 2017. Retrieved 17 March 2018.
  44. "A quantum communications satellite proved its potential in 2017". Science News . 3 October 2017. Retrieved 19 March 2018.
  45. huaxia (16 August 2016). "China Focus: China's space satellites make quantum leap". Xinhua. Retrieved 17 August 2016.
  46. Jeffrey Lin; P.W. Singer; John Costello (3 March 2016). "China's Quantum Satellite Could Change Cryptography Forever". Popular Science. Retrieved 17 August 2016.
  47. Tokyo QKD Network unveiled at UQCC 2010
  48. Hughes, Richard J.; Nordholt, Jane E.; McCabe, Kevin P.; Newell, Raymond T.; Peterson, Charles G.; Somma, Rolando D. (2013). "Network-Centric Quantum Communications with Application to Critical Infrastructure Protection". arXiv: 1305.0305 [quant-ph].
  49. Wegman, Mark N.; Carter, J.Lawrence (1981). "New hash functions and their use in authentication and set equality". Journal of Computer and System Sciences. Elsevier BV. 22 (3): 265–279. doi: 10.1016/0022-0000(81)90033-7 . ISSN   0022-0000.
  50. Nguyen, Kim-Chi; Gilles Van Assche; Cerf, Nicolas J. (2007). "Using quantum key distribution for cryptographic purposes: A survey". arXiv: quant-ph/0701168 .
  51. Zhang, Z.; Liu, J.; Wang, D.; Shi, S. (2007). "Quantum direct communication with authentication". Phys. Rev. A. 75 (2): 026301. arXiv: quant-ph/0604125 . Bibcode:2007PhRvA..75b6301Z. doi:10.1103/physreva.75.026301. S2CID   5529511.
  52. D. Huang, Z. Chen, Y. Guo and M. Lee "Quantum Secure Direct Communication Based on Chaos with Authentication", Journal of the Physical Society of Japan Vol. 76 No. 12, 124001 (2007) (Archived from the original on 5 March 2012. Retrieved 6 February 2016.)
  53. "5. Unconditionally secure authentication" . Retrieved 18 August 2016.
  54. Brassard, Gilles; Lütkenhaus, Norbert; Mor, Tal; Sanders, Barry C. (7 August 2000). "Limitations on Practical Quantum Cryptography". Physical Review Letters. American Physical Society (APS). 85 (6): 1330–1333. arXiv: quant-ph/9911054 . Bibcode:2000PhRvL..85.1330B. doi:10.1103/physrevlett.85.1330. ISSN   0031-9007. PMID   10991544. S2CID   18688722.
  55. D. Gottesman, H.-K. Lo, N. Lütkenhaus, and J. Preskill, Quant. Inf. Comp. 4, 325 (2004)
  56. Intallura, P. M.; Ward, M. B.; Karimov, O. Z.; Yuan, Z. L.; See, P.; et al. (15 October 2007). "Quantum key distribution using a triggered quantum dot source emitting near 1.3μm". Applied Physics Letters. 91 (16): 161103. arXiv: 0710.0565 . Bibcode:2007ApPhL..91p1103I. doi:10.1063/1.2799756. ISSN   0003-6951. S2CID   118994015.
  57. Scarani, Valerio; Acín, Antonio; Ribordy, Grégoire; Gisin, Nicolas (6 February 2004). "Quantum Cryptography Protocols Robust against Photon Number Splitting Attacks for Weak Laser Pulse Implementations". Physical Review Letters. 92 (5): 057901. arXiv: quant-ph/0211131 . Bibcode:2004PhRvL..92e7901S. doi:10.1103/physrevlett.92.057901. ISSN   0031-9007. PMID   14995344. S2CID   4791560.
  58. Zhao, Yi; Qi, Bing; Ma, Xiongfeng; Lo, Hoi-Kwong; Qian, Li (22 February 2006). "Experimental Quantum Key Distribution with Decoy States". Physical Review Letters. American Physical Society (APS). 96 (7): 070502. arXiv: quant-ph/0503192 . Bibcode:2006PhRvL..96g0502Z. doi:10.1103/physrevlett.96.070502. hdl:1807/10013. ISSN   0031-9007. PMID   16606067. S2CID   2564853.
  59. Y.Zhao, B. Qi, X. Ma, H.-K. Lo, and L. Qian, in Proc. IEEE ISIT, pp. 2094–2098 (2006).
  60. Yuan, Z. L.; Sharpe, A. W.; Shields, A. J. (2007). "Unconditionally secure one-way quantum key distribution using decoy pulses". Applied Physics Letters. AIP Publishing. 90 (1): 011118. arXiv: quant-ph/0610015 . Bibcode:2007ApPhL..90a1118Y. doi:10.1063/1.2430685. ISSN   0003-6951. S2CID   20424612.
  61. Jain, N.; et al. (2014). "Trojan-horse attacks threaten the security of practical quantum cryptography". New Journal of Physics. 16 (12): 123030. arXiv: 1406.5813 . Bibcode:2014NJPh...16l3030J. doi:10.1088/1367-2630/16/12/123030. S2CID   15127809.
  62. Shor, Peter W.; Preskill, John (10 July 2000). "Simple Proof of Security of the BB84 Quantum Key Distribution Protocol" (PDF). Physical Review Letters. 85 (2): 441–444. arXiv: quant-ph/0003004 . Bibcode:2000PhRvL..85..441S. doi:10.1103/physrevlett.85.441. ISSN   0031-9007. PMID   10991303. S2CID   703220.
  63. Vakhitov, Artem; Makarov, Vadim; Hjelme, Dag R. (2001). "Large pulse attack as a method of conventional optical eavesdropping in quantum cryptography". Journal of Modern Optics. Informa UK Limited. 48 (13): 2023–2038. Bibcode:2001JMOp...48.2023V. doi:10.1080/09500340108240904. ISSN   0950-0340. S2CID   16173055.
  64. Makarov, Vadim; Hjelme, Dag R. (20 March 2005). "Faked states attack on quantum cryptosystems". Journal of Modern Optics. Informa UK Limited. 52 (5): 691–705. Bibcode:2005JMOp...52..691M. doi:10.1080/09500340410001730986. ISSN   0950-0340. S2CID   17478135.
  65. Fung, Chi-Hang Fred; Qi, Bing; Tamaki, Kiyoshi; Lo, Hoi-Kwong (12 March 2007). "Phase-remapping attack in practical quantum-key-distribution systems". Physical Review A. 75 (3): 032314. arXiv: quant-ph/0601115 . Bibcode:2007PhRvA..75c2314F. doi:10.1103/physreva.75.032314. ISSN   1050-2947. S2CID   15024401.
  66. B. Qi, C.-H. F. Fung, H.-K. Lo, and X. Ma, Quant. Info. Compu. 7, 43 (2007)
  67. Zhao, Yi; Fung, Chi-Hang Fred; Qi, Bing; Chen, Christine; Lo, Hoi-Kwong (28 October 2008). "Quantum hacking: Experimental demonstration of time-shift attack against practical quantum-key-distribution systems". Physical Review A. 78 (4): 042333. arXiv: 0704.3253 . Bibcode:2008PhRvA..78d2333Z. doi:10.1103/physreva.78.042333. ISSN   1050-2947. S2CID   117595905.
  68. F. Xu, B. Qi, and H.-K. Lo, New J. Phys. 12, 113026 (2010)
  69. "Quantum crypto boffins in successful backdoor sniff - Erroneous error-handling undermines bulletproofness". Retrieved 2010-05-26.
  70. Merali, Zeeya (20 May 2010). "Quantum crack in cryptographic armour". Nature. doi:10.1038/news.2010.256 . Retrieved 18 August 2016 via www.nature.com.
  71. "Light fantastic". The Economist. 26 July 2010.
  72. "Quantum cryptography system hacked - physicsworld.com". Archived from the original on 8 November 2011. Retrieved 26 July 2011.
  73. Lydersen, Lars; Wiechers, Carlos; Wittmann, Christoffer; Elser, Dominique; Skaar, Johannes; Makarov, Vadim (29 August 2010). "Hacking commercial quantum cryptography systems by tailored bright illumination". Nature Photonics. Springer Science and Business Media LLC. 4 (10): 686–689. arXiv: 1008.4593 . Bibcode:2010NaPho...4..686L. doi:10.1038/nphoton.2010.214. ISSN   1749-4885. S2CID   58897515.
  74. Lydersen, Lars; Wiechers, Carlos; Wittmann, Christoffer; Elser, Dominique; Skaar, Johannes; Makarov, Vadim (17 December 2010). "Thermal blinding of gated detectors in quantum cryptography". Optics Express. 18 (26): 27938–27954. arXiv: 1009.2663 . Bibcode:2010OExpr..1827938L. doi:10.1364/oe.18.027938. ISSN   1094-4087. PMID   21197067. S2CID   13395490.
  75. Wiechers, C; Lydersen, L; Wittmann, C; Elser, D; Skaar, J; Marquardt, Ch; Makarov, V; Leuchs, G (26 January 2011). "After-gate attack on a quantum cryptosystem". New Journal of Physics. 13 (1): 013043. arXiv: 1009.2683 . Bibcode:2011NJPh...13a3043W. doi: 10.1088/1367-2630/13/1/013043 . ISSN   1367-2630.
  76. Jain, Nitin; Wittmann, Christoffer; Lydersen, Lars; Wiechers, Carlos; Elser, Dominique; Marquardt, Christoph; Makarov, Vadim; Leuchs, Gerd (9 September 2011). "Device Calibration Impacts Security of Quantum Key Distribution". Physical Review Letters. 107 (11): 110501. arXiv: 1103.2327 . Bibcode:2011PhRvL.107k0501J. doi:10.1103/physrevlett.107.110501. ISSN   0031-9007. PMID   22026652. S2CID   6778097.
  77. Richard Hughes and Jane Nordholt (16 September 2011). "Refining Quantum Cryptography". Science. 333 (6049): 1584–6. Bibcode:2011Sci...333.1584H. doi:10.1126/science.1208527. PMID   21921186. S2CID   206535295.
  78. Noh, Tae-Gon (1 December 2009). "Counterfactual Quantum Cryptography". Physical Review Letters. American Physical Society (APS). 103 (23): 230501. arXiv: 0809.3979 . Bibcode:2009PhRvL.103w0501N. doi:10.1103/physrevlett.103.230501. ISSN   0031-9007. PMID   20366133. S2CID   9804265.
  79. Thapliyal, Kishore; Pathak, Anirban (26 July 2018). "Kak's three-stage protocol of secure quantum communication revisited: hitherto unknown strengths and weaknesses of the protocol". Quantum Information Processing. Springer Science and Business Media LLC. 17 (9): 229. arXiv: 1803.02157 . Bibcode:2018QuIP...17..229T. doi:10.1007/s11128-018-2001-z. ISSN   1570-0755. S2CID   52009384.
  80. "ETSI - Quantum Key Distribution". etsi.org. 2014. Retrieved 28 July 2014.
  81. "MIQC - European Metrology Research Programme (EMRP)". projects.npl.co.uk. 2014. Retrieved 28 July 2014.
  82. "MIQC2 - European Metrology Research Programme (EMRP)". projects.npl.co.uk. 2019. Retrieved 18 September 2019.