
Seminar Report


Shri Vile Parle Kelavani Mandal’s

NMIMS (Deemed-to-be University)

Mukesh Patel School of Technology Management & Engineering


JVPD Scheme, Bhaktivedanta swami Marg,
Vile Parle (w), Mumbai- 400 056.

Certificate

Department of Information Technology Engineering


This is to certify that following students:

Jayant Kumar (125), Farhan Mahesania (128), Sazmin Momin (131)

have submitted their seminar report entitled

Quantum Cryptography
as a part of their curriculum for the Second Year, B.Tech,
Trimester – V, during the academic year 2009-2010

Internal Mentor HOD


(1)
Introduction
Until modern times cryptography referred almost exclusively to encryption, which is the
process of converting ordinary information (plaintext) into unintelligible gibberish
(i.e., ciphertext). Decryption is the reverse, in other words, moving from the unintelligible
ciphertext back to plaintext. A cipher (or cypher) is a pair of algorithms that create the
encryption and the reversing decryption. The detailed operation of a cipher is controlled
both by the algorithm and in each instance by a key. This is a secret parameter (ideally
known only to the communicants) for a specific message exchange context. Keys are
important, as ciphers without variable keys can be trivially broken with only the
knowledge of the cipher used and are therefore less than useful for most purposes.
Historically, ciphers were often used directly for encryption or decryption without
additional procedures such as authentication or integrity checks.

Cryptography (or cryptology; from Greek κρυπτός, kryptos, "hidden, secret";
and γράφω, gráphō, "I write", or -λογία, -logia, respectively) is the practice and study of
hiding information. Modern cryptography intersects the disciplines
of mathematics, computer science, and engineering. Applications of cryptography
include ATM cards, computer passwords, and electronic commerce.

• Transmitting information with access restricted to the intended recipient even if
the message is intercepted by others.

Cryptography is of increasing importance in our technological age using broadcast,
network communications, Internet, e-mail, cell phones which may transmit sensitive
information related to finances, politics, business and private confidential matters.

Important Terms Used In Cryptography

Cryptography the art or science encompassing the principles and methods of


transforming an intelligible message into one that is unintelligible, and then
retransforming that message back to its original form.

Plaintext the original intelligible message

Ciphertext the transformed message

Cipheran algorithm for transforming an intelligible message into one that is


unintelligible by transposition and/or substitution methods

Keysome critical information used by the cipher, known only to the sender & receiver.

Encipher (encode) the process of converting plaintext to ciphertext using a cipher and
a key

Decipher (decode) the process of converting ciphertext back into plaintext using a
cipher and a key.

Cryptanalysisthe study of principles and methods of transforming an unintelligible


message back into an intelligible message without knowledge of the key. Also called
“codebreaking”.

Cryptology both cryptography and cryptanalysis.

Code an algorithm for transforming an intelligible message into an unintelligible one
using a code-book.

Concepts

Encryption: $C = E_K(P)$.

Decryption: $P = E_K^{-1}(C)$.

$E_K$ is chosen from a family of transformations known as a cryptographic system.

The parameter that selects the individual transformation is called the key $K$, selected from
a keyspace $\mathcal{K}$.

A Brief History of Cryptography

Ancient Ciphers

• have a history of at least 4000 years
• ancient Egyptians enciphered some of their hieroglyphic writing on monuments
• ancient Hebrews enciphered certain words in the scriptures
• 2000 years ago Julius Caesar used a simple substitution cipher, now known as the
Caesar cipher
• Roger Bacon described several methods in 1200s
• Geoffrey Chaucer included several ciphers in his works
• Leon Alberti devised a cipher wheel, and described the principles of frequency
analysis in the 1460s
• Blaise de Vigenère published a book on cryptology in 1585, & described the
polyalphabetic substitution cipher
• increasing use, esp in diplomacy & war over centuries

Machine Ciphers

• Jefferson cylinder, developed in 1790s, comprised 36 disks, each with a random
alphabet, order of disks was key, message was set, then another row became
cipher
• Wheatstone disc, originally invented by Wadsworth in 1817, but developed by
Wheatstone in 1860's, comprised two concentric wheels used to generate a
polyalphabetic cipher.
• Enigma Rotor machine, one of a very important class of cipher machines, heavily
used during 2nd world war, comprised a series of rotor wheels with internal cross-
connections, providing a substitution using a continuously changing alphabet

(2)
Traditional Cryptography
Privacy is paramount when communicating sensitive information, and humans have
invented some unusual ways to encode their conversations. In World War II, for example,
the Nazis created a bulky machine called the Enigma that resembles a typewriter on
steroids. This machine created one of the most difficult ciphers (encoded messages) of
the pre-computer age.
Even after Polish resistance fighters made knockoffs of the machines -- complete with
instructions on how the Enigma worked -- decoding messages was still a constant
struggle for the Allies [source: Cambridge University]. As the codes were deciphered,
however, the secrets yielded by the Enigma machine were so helpful that many historians
have credited the code breaking as an important factor in the Allies' victory in the war.

What the Enigma machine was used for is called cryptology. This is the process of
encoding (cryptography) and decoding (cryptanalysis) information or messages
(called plaintext). All of these processes combined are cryptology. Until the 1990s,
cryptology was based on algorithms -- a mathematical process or procedure. These
algorithms are used in conjunction with a key, a collection of bits (usually numbers).
Without the proper key, it's virtually impossible to decipher an encoded message, even if
you know what algorithm to use.

There are limitless possibilities for keys used in cryptology. But there are only two
widely used methods of employing keys: public-key cryptology and secret-key
cryptology. In both of these methods (and in all cryptology), the sender (point A) is
referred to as Alice. Point B is known as Bob.

In the public-key cryptology (PKC) method, a user chooses two interrelated keys. He lets
anyone who wants to send him a message know how to encode it using one key. He
makes this key public. The other key he keeps to himself. In this manner, anyone can
send the user an encoded message, but only the recipient of the encoded message knows
how to decode it. Even the person sending the message doesn't know what code the user
employs to decode it.

PKC is often compared to a mailbox that uses two keys. One unlocks the front of the
mailbox, allowing anyone with a key to deposit mail. But only the recipient holds the key
that unlocks the back of the mailbox, allowing only him to retrieve the messages.

The other usual method of traditional cryptology is secret-key cryptology (SKC). In this
method, only one key is used by both Bob and Alice. The same key is used to both
encode and decode the plaintext. Even the algorithm used in the encoding and decoding
process can be announced over an unsecured channel. The code will remain uncracked as
long as the key used remains secret.

SKC is similar to feeding a message into a special mailbox that grinds it together with the
key. Anyone can reach inside and grab the cipher, but without the key, he won't be able
to decipher it. The same key used to encode the message is also the only one that can
decode it, separating the key from the message.

Traditional cryptology is certainly clever, but as with all encoding methods in code-
breaking history, it's being phased out.

Limitations of Traditional Cryptography

Both the secret-key and public-key methods of cryptology have unique flaws. Oddly
enough, quantum physics can be used to either solve or expand these flaws.

The keys used to encode messages are so long that it would take a trillion years to crack
one using conventional computers.
The problem with public-key cryptology is that it's based on the staggering size of the
numbers created by the combination of the key and the algorithm used to encode the
message. These numbers can reach unbelievable proportions. What's more, they can be
made so that in order to understand each bit of output data, you have to also understand
every other bit as well. This means that to crack a 128-bit key, the possible numbers used
can reach upward to the 10^38 power [source: Dartmouth College]. That's a lot of possible
numbers for the correct combination to the key.

The keys used in modern cryptography are so large, in fact, that a billion computers
working in conjunction with each processing a billion calculations per second would still
take a trillion years to definitively crack a key [source: Dartmouth College]. This isn't a
problem now, but it soon will be. Current computers will be replaced in the near future
with quantum computers, which exploit the properties of physics on the immensely small
quantum scale. Since they can operate on the quantum level, these computers are
expected to be able to perform calculations and operate at speeds no computer in use now
could possibly achieve. So the codes that would take a trillion years to break with
conventional computers could possibly be cracked in much less time with quantum
computers. This means that secret-key cryptology (SKC) looks to be the preferred
method of transferring ciphers in the future.

But SKC has its problems as well. The chief problem with SKC is how the two users
agree on what secret key to use. If you live next door to the person with whom you
exchange secret information, this isn't a problem. All you have to do is meet in person
and agree on a key. But what if you live in another country? Sure, you could still meet,
but if your key was ever compromised, then you would have to meet again and again.

It's possible to send a message concerning which key a user would like to use, but
shouldn't that message be encoded, too? And how do the users agree on what secret key
to use to encode the message about what secret key to use for the original message? The
problem with secret-key cryptology is that there's almost always a place for an unwanted
third party to listen in and gain information the users don't want that person to have. This
is known in cryptology as the key distribution problem.

It's one of the great challenges of cryptology: To keep unwanted parties -- or
eavesdroppers -- from learning of sensitive information. After all, if it was OK for just
anyone to hear, there would be no need to encrypt a message.

Quantum physics has provided a way around this problem. By harnessing the
unpredictable nature of matter at the quantum level, physicists have figured out a way to
exchange information on secret keys.
(3)
QUBITS
The most important unit of information in computer science is the bit. There are
two possible values that can be stored by a bit: the bit is either equal to “0” or equal to
“1.” These two different states can be represented in various ways, for example by a
simple switch or by a capacitor: if not charged, the capacitor holds the value zero; if
charged, it holds the value one.
There exist many possibilities to physically represent a qubit in practice, as every
quantum system with at least two states can serve as a qubit. For example, the spin of an
atom or the polarization of a light particle can represent the state of a qubit. Even a cat
with its two basic states “dead” and “alive,” introduced by Schrödinger [1935] to
visualize fundamental concepts of quantum mechanics, might serve as a representation.
The cat’s problem—or fortune from the animal’s point of view—when being used as a
quantum system is its sheer size compared to that of an atom or light particle. There is no
way to protect such a big quantum instance from interaction with its environment, which
in turn will result in decoherence of the superposition of the cat.

Qubit Representation

In general, a quantum state $|\psi\rangle$ is an element of a finite-dimensional complex
vector space (or Hilbert space) $H$. We denote the scalar product of two states $|\psi\rangle$ and $|\varphi\rangle$
by $\langle\psi|\varphi\rangle$, where $\langle\psi| = |\psi\rangle^{\dagger}$ is the conjugate transpose of $|\psi\rangle$. It is convenient to deal with
normalized states, so we require $\langle\psi|\psi\rangle = 1$ for all states $|\psi\rangle$ that have a physical meaning.

The quantum analog of the bit is called qubit, which is derived from quantum bit.
A qubit $|\psi\rangle$ is an element of a two-dimensional Hilbert space, in which we can introduce
an orthonormal basis, consisting of the two states $|0\rangle$ and $|1\rangle$. Unlike its classical
counterpart, the quantum state can be in any coherent superposition of the basis states:

$$|\psi\rangle = \alpha|0\rangle + \beta|1\rangle, \tag{1}$$

where $\alpha$ and $\beta$ are, in general, complex coefficients. This is due to the fact that the
quantum mechanical equation of motion, the Schrödinger equation, is linear: Any linear
superposition of its solutions (the quantum states) is also a solution. Since we require
quantum states to be normalized, we find that the coefficients in (1) have to fulfill

$$|\alpha|^2 + |\beta|^2 = 1,$$

where $|\cdot|$ denotes the absolute value.



Photon Properties
Photons are some pretty amazing particles. They have no mass, they're the smallest
measure of light, and they can exist in all of their possible states at once, called the wave
function. This means that whatever direction a photon can spin in -- say, diagonally,
vertically and horizontally -- it does all at once. Light in this state is called unpolarized.
This is exactly the same as if you constantly moved east, west, north, south, and up-and-
down at the same time.

The foundation of quantum physics is the unpredictability factor. This unpredictability is
pretty much defined by Heisenberg's Uncertainty Principle. This principle says,
essentially, that it's impossible to know both an object's position and velocity -- at the
same time.

But when dealing with photons for encryption, Heisenberg's principle can be used to our
advantage. To create a photon, quantum cryptographers use LEDs -- light emitting
diodes, a source of unpolarized light. LEDs are capable of creating just one photon at a
time, which is how a string of photons can be created, rather than a wild burst. Through
the use of polarization filters, we can force the photon to take one state or another -- or
polarize it. If we use a vertical polarizing filter situated beyond a LED, we can polarize
the photons that emerge: The photons that aren't absorbed will emerge on the other side
with a vertical spin ( | ).

The thing about photons is that once they're polarized, they can't be accurately measured
again, except by a filter like the one that initially produced their current spin. So if a
photon with a vertical spin is measured through a diagonal filter, either the photon won't
pass through the filter or the filter will affect the photon's behavior, causing it to take a
diagonal spin. In this sense, the information on the photon's original polarization is lost,
and so, too, is any information attached to the photon's spin.

So how do you attach information to a photon's spin? That's the essence of quantum
cryptography.
(4)
Quantum Cryptography
Quantum cryptography was proposed first by Stephen Wiesner, then at Columbia
University in New York, who, in the early 1970s, introduced the concept of quantum
conjugate coding. His seminal paper titled "Conjugate Coding" was rejected by IEEE
Information Theory but was eventually published in 1983 in SIGACT News (15:1 pp. 78-
88, 1983). In this paper he showed how to store or transmit two messages by encoding
them in two “conjugate observables”, such as linear and circular polarization of light, so
that either, but not both, of which may be received and decoded. He illustrated his idea
with a design of unforgeable bank notes. A decade later, building upon this work, Charles
H. Bennett, of the IBM Thomas J. Watson Research Center, and Gilles Brassard, of the
Université de Montréal, proposed a method for secure communication based on
Wiesner’s “conjugate observables”. In 1990, independently and initially unaware of the
earlier work, Artur Ekert, then a Ph.D. student at Wolfson College, University of Oxford,
developed a different approach to quantum cryptography based on peculiar quantum
correlations known as quantum entanglement.

Quantum cryptography uses quantum mechanics to guarantee secure communication. It
enables two parties to produce a shared random bit string known only to them, which can
be used as a key to encrypt and decrypt messages.

An important and unique property of quantum cryptography is the ability of the two
communicating users to detect the presence of any third party trying to gain knowledge of
the key. This results from a fundamental part of quantum mechanics: the process of
measuring a quantum system in general disturbs the system.

A third party trying to eavesdrop on the key must in some way measure it, thus introducing
detectable anomalies. By using quantum superpositions or quantum entanglement and
transmitting information in quantum states, a communication system can be implemented
which detects eavesdropping. If the level of eavesdropping is below a certain threshold a
key can be produced which is guaranteed as secure, otherwise no secure key is possible
and communication is aborted.

The security of quantum cryptography relies on the foundations of quantum
mechanics, in contrast to traditional public key cryptography which relies on the
computational difficulty of certain mathematical functions, and cannot provide any
indication of eavesdropping or guarantee of key security.

Quantum cryptography is only used to produce and distribute a key, not to
transmit any message data. This key can then be used with any chosen encryption
algorithm to encrypt and decrypt a message, which can then be transmitted over a
standard communication channel. The algorithm most commonly associated with QKD is
the one-time pad, as it is provably secure when used with a secret, random key.

Quantum cryptographic devices typically employ individual photons of light and
take advantage of either the Heisenberg uncertainty principle or quantum
entanglement.

Uncertainty

Unlike in classical physics, the act of measurement is an integral part of quantum
mechanics. So it is possible to encode information into quantum properties of a photon in
such a way that any effort to monitor them disturbs them in some detectable way. The
effect arises because in quantum theory, certain pairs of physical properties are
complementary in the sense that measuring one property necessarily disturbs the other.
This statement is known as the Heisenberg uncertainty principle. The two complementary
properties that are often used in quantum cryptography are two types of photon
polarization, e.g. rectilinear (vertical and horizontal) and diagonal (at 45° and 135°).

Entanglement

It is a state of two or more quantum particles, e.g. photons, in which many of their
physical properties are strongly correlated. The entangled particles cannot be described
by specifying the states of individual particles and they may together share information in
a form which cannot be accessed in any experiment performed on either of the particles
alone. This happens no matter how far apart the particles may be at the time.

Using Quantum Cryptology

Quantum cryptography uses photons to transmit a key. Once the key is transmitted,
coding and encoding using the normal secret-key method can take place. But how does a
photon become a key? How do you attach information to a photon's spin?

This is where binary code comes into play. Each type of a photon's spin represents one
piece of information -- usually a 1 or a 0, for binary code. This code uses strings of 1s
and 0s to create a coherent message. For example, 11100100110 could correspond with
h-e-l-l-o. So a binary code can be assigned to each photon -- for example, a photon that
has a vertical spin ( | ) can be assigned a 1. Alice can send her photons through randomly
chosen filters and record the polarization of each photon. She will then know what
photon polarizations Bob should receive.
When Alice sends Bob her photons using an LED, she'll randomly polarize them through
either the X or the + filters, so that each polarized photon has one of four possible states:
( | ), ( -- ), ( / ) or ( \ ) [source: Vittorio]. As Bob receives these photons, he decides whether to
measure each with either his + or X filter -- he can't use both filters together. Keep in
mind, Bob has no idea what filter to use for each photon, he's guessing for each one.
After the entire transmission, Bob and Alice have a non-encrypted discussion about the
transmission.

The reason this conversation can be public is because of the way it's carried out. Bob
calls Alice and tells her which filter he used for each photon, and she tells him whether it
was the correct or incorrect filter to use.

Their conversation may sound a little like this:

• Bob: Plus
Alice: Correct
• Bob: Plus
Alice: Incorrect
• Bob: X
Alice: Correct

Since Bob isn't saying what his measurements are -- only the type of filter he used -- a
third party listening in on their conversation can't determine what the actual photon
sequence is.

Here's an example. Say Alice sent one photon as a ( / ) and Bob says he used a + filter to
measure it. Alice will say "incorrect" to Bob. But if Bob says he used an X filter to
measure that particular photon, Alice will say "correct." A person listening will only
know that that particular photon could be either a ( / ) or a ( \ ), but not which one
definitively. Bob will know that his measurements are correct, because a (--) photon
traveling through a + filter will remain polarized as a (--) photon after it passes through
the filter.

After their odd conversation, Alice and Bob both throw out the results from Bob's
incorrect guesses. This leaves Alice and Bob with identical strings of polarized photons. It
may look a little like this: -- / | | | / -- -- | | | -- / | … and so on. To Alice and Bob, this is a
meaningless string of photons. But once binary code is applied, the photons become a
message. Bob and Alice can agree on binary assignments, say 1 for photons polarized as
( \ ) and ( -- ) and 0 for photons polarized like ( / ) and ( | ).

This means that their string of photons now looks like this: 11110000011110001010.
This can in turn be translated into English, Spanish, Navajo, prime numbers or
anything else that Bob and Alice use as codes for the keys used in their encryption.

Protocols Utilizing Heisenberg's Uncertainty Principle

In 1984 Charles Bennett and Gilles Brassard published the first QKD protocol [BB84]. It
was based on Heisenberg's Uncertainty Principle and is simply known as the BB84
protocol after the authors' names and the year in which it was published. It is still one of
the most prominent protocols and one could argue that all of the other HUP based
protocols are essentially variants of the BB84 idea. The basic idea for all of these
protocols then is that Alice can transmit a random secret key to Bob by sending a string
of photons where the secret key's bits are encoded in the polarization of the photons.
Heisenberg's Uncertainty Principle can be used to guarantee that an Eavesdropper cannot
measure these photons and transmit them on to Bob without disturbing the photon's state
in a detectable way thus revealing her presence.

BB84 Protocol
Figure shows how a bit can be encoded in the polarization state of a photon in BB84. We
define a binary 0 as a polarization of 0 degrees in the rectilinear bases or 45 degrees in
the diagonal bases [CKI-BB84] [Gisin02]. Similarly a binary 1 can be 90 degrees in the
rectilinear bases or 135 in diagonal bases. Thus a bit can be represented by polarizing the
photon in either one of two bases.

In the first phase, Alice will communicate to Bob over a quantum channel. Alice begins
by choosing a random string of bits and, for each bit, Alice will randomly choose a basis,
rectilinear or diagonal, by which to encode the bit. She will transmit a photon for each bit
with the corresponding polarization, as just described, to Bob. For every photon Bob
receives, he will measure the photon's polarization by a randomly chosen basis. If, for a
particular photon, Bob chose the same basis as Alice, then in principle, Bob should
measure the same polarization and thus he can correctly infer the bit that Alice intended
to send. If he chose the wrong basis, his result, and thus the bit he reads, will be random.

In the second phase, Bob will notify Alice over any insecure channel what basis he used
to measure each photon. Alice will report back to Bob whether he chose the correct basis
for each photon. At this point Alice and Bob will discard the bits corresponding to the
photons which Bob measured with a different basis. Provided no errors occurred or no
one manipulated the photons, Bob and Alice should now both have an identical string of
bits which is called a sifted key. The example below shows the bits Alice chose, the bases
she encoded them in, the bases Bob used for measurement, and the resulting sifted key
after Bob and Alice discarded their bits as just mentioned [Wiki-SIFT].

Before they are finished however, Alice and Bob agree upon a random subset of the bits
to compare to ensure consistency. If the bits agree, they are discarded and the remaining
bits form the shared secret key. In the absence of noise or any other measurement error, a
disagreement in any of the bits compared would indicate the presence of an eavesdropper
on the quantum channel. This is because if the eavesdropper, Eve, were attempting to
determine the key, she would have no choice but to measure the photons sent by Alice
before sending them on to Bob. This is true because the no cloning theorem assures that
she cannot replicate a particle of unknown state [Wooters82]. Since Eve will not know
what bases Alice used to encode the bit until after Alice and Bob discuss their
measurements, Eve will be forced to guess. If she measures on the incorrect bases, the
Heisenberg Uncertainty Principle ensures that the information encoded on the other bases
is now lost.

Figure: Sifted Key

Thus when the photon reaches Bob, his measurement will now be random and he will
read a bit incorrectly 50% of the time. Given that Eve will choose the measurement basis
incorrectly on average 50% of the time, 25% of Bob's measured bits will differ from
Alice's [Rieffel00]. If Eve has eavesdropped on all the bits then after n bit comparisons by
Alice and Bob, they will reduce the probability that Eve will go undetected to (3/4)^n
[Lomonaco98]. The chance that an eavesdropper learned the secret is thus negligible if
sufficiently long sequences of the bits are compared.
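
The two phases and the eavesdropping check described above, as an added simulation (not code from the original report): photons are modelled classically as (bit, basis) pairs, and Eve measures and re-sends every photon in a guessed basis. All function names and the seed are assumptions of this example.

```python
import random

BASES = ("+", "x")  # rectilinear and diagonal bases, as in the text


def measure(bit, photon_basis, filter_basis, rng):
    """A matching basis returns the encoded bit; a mismatched basis gives a random bit."""
    return bit if photon_basis == filter_basis else rng.randint(0, 1)


def bb84_round(n_photons, eavesdrop, rng):
    """Run phase 1 (quantum channel) and phase 2 (sifting); return both sifted keys."""
    alice_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_bases = [rng.choice(BASES) for _ in range(n_photons)]
    bob_bases = [rng.choice(BASES) for _ in range(n_photons)]
    bob_bits = []
    for bit, photon_basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Eve cannot copy the photon: she guesses a basis, measures,
            # and re-sends a photon prepared in her own basis.
            eve_basis = rng.choice(BASES)
            bit = measure(bit, photon_basis, eve_basis, rng)
            photon_basis = eve_basis
        bob_bits.append(measure(bit, photon_basis, bob_basis, rng))
    # Public discussion: only the bases are compared, never the bit values.
    keep = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]


def error_rate(key_a, key_b):
    """Fraction of sifted positions where Alice and Bob disagree."""
    if not key_a:
        return 0.0
    return sum(a != b for a, b in zip(key_a, key_b)) / len(key_a)


def compare_subset(key_a, key_b, n_check, rng):
    """Publicly compare n_check random positions, then discard them from the key."""
    n_check = min(n_check, len(key_a))
    checked = set(rng.sample(range(len(key_a)), n_check))
    mismatches = sum(key_a[i] != key_b[i] for i in checked)
    rest_a = [b for i, b in enumerate(key_a) if i not in checked]
    rest_b = [b for i, b in enumerate(key_b) if i not in checked]
    return mismatches, rest_a, rest_b


def undetected_probability(n_check):
    """Chance that n_check compared bits all agree although Eve measured every photon."""
    return 0.75 ** n_check


def empirical_undetected(n_check, trials, rng, n_photons=64):
    """Fraction of simulated sessions in which the comparison misses Eve."""
    undetected = 0
    for _ in range(trials):
        key_a, key_b = bb84_round(n_photons, True, rng)
        if compare_subset(key_a, key_b, n_check, rng)[0] == 0:
            undetected += 1
    return undetected / trials


if __name__ == "__main__":
    rng = random.Random(2010)  # constructed seed so the run is repeatable
    clean_a, clean_b = bb84_round(2000, False, rng)
    print("no Eve:   sifted bits", len(clean_a), "error rate", error_rate(clean_a, clean_b))
    tapped_a, tapped_b = bb84_round(2000, True, rng)
    print("with Eve: sifted bits", len(tapped_a), "error rate", round(error_rate(tapped_a, tapped_b), 3))
    mismatches, final_a, final_b = compare_subset(tapped_a, tapped_b, 50, rng)
    print("mismatches in 50 compared bits:", mismatches, "-> abort" if mismatches else "-> keep key")
    for n in (4, 20, 50):
        print("n =", n, "undetected probability", undetected_probability(n))
```

Without Eve the sifted keys are identical and about half the photons survive sifting; with Eve the sifted error rate settles near 25%.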

B92 Protocol

In 1992, Charles Bennett proposed what is essentially a simplified version of BB84 in his
paper, "Quantum cryptography using any two non-orthogonal states" [Bennett92]. The
key difference in B92 is that only two states are necessary rather than the possible 4
polarization states in BB84. As shown in figure 4, 0 can be encoded as 0 degrees in the
rectilinear basis and 1 can be encoded by 45 degrees in the diagonal basis [CKI-BB92]
[Gisin02]. Like the BB84, Alice transmits to Bob a string of photons encoded with
randomly chosen bits but this time the bits Alice chooses dictate which bases she must
use. Bob still randomly chooses a basis by which to measure but if he chooses the wrong
basis, he will not measure anything; a condition in quantum mechanics which is known
as an erasure [Bruss07]. Bob can simply tell Alice after each bit she sends whether or not
he measured it correctly.

Figure: B92 2-State Encoding

Other Uncertainty Based Protocols

Another variant of BB84 is the Six-State Protocol (SSP) proposed by Pasquinucci and
Gisin in 1999 [SSP99]. SSP is identical to BB84 except, as its name implies, rather than
using two or four states, SSP uses six states on three orthogonal bases by which to encode
the bits sent. This means that an eavesdropper would have to choose the right basis from
among 3 possibilities. This extra choice causes the eavesdropper to produce a higher rate
of error thus becoming easier to detect. Bruss and Macchiavello proved in 2002 that such
higher-dimensional systems offer increased security [Bruss02].

While there are a number of other BB84 variants, one of the more recent was proposed in
2004 by Scarani, Acin, Ribordy, and Gisin [Sarg04]. The SARG04 protocol shares the
exact same first phase as BB84. In the second phase, when Alice and Bob determine for
which bits their bases matched, Alice does not directly announce her bases. Rather she
announces a pair of non-orthogonal states, one of which she used to encode her bit. If
Bob used the correct basis, he will measure the correct state. If he chose incorrectly, he
will not measure either of Alice's states and he will not be able to determine the bit. This
protocol has a specific advantage when used in practical equipment as will be discussed
in Section 5.

BB84 was the first proposed QKD protocol and it was based on Heisenberg's Uncertainty
Principle. A whole series of protocols followed which built on the ideas of BB84. Some
of the most notable of these were B92, SSP, and Sarg04. The next section describes the
alternate approach to QKD which is based on the principle of quantum entanglement.

Protocols Utilizing Quantum Entanglement

Artur Ekert contributed a new approach to quantum key distribution where the key is
distributed using quantum teleportation [Eckert91]. This section describes his protocol
and its application to the protocols based on HUP described in the previous section.

Ekert's Protocol

Figure: Entangled QKD Model

Ekert describes a channel where there is a single source that emits pairs of entangled
particles, which could be polarized photons [Eckert91]. The particles are separated and
Alice and Bob each receive one particle from each pair as shown in figure 5. Alice and
Bob would each choose random bases on which to measure their received particles. As in
BB84, they would discuss in the clear which bases they used for their measurements. For
each measurement where Alice and Bob used the same bases, they should expect
opposite results due to the principle of quantum entanglement as described earlier. This
means that if Alice and Bob both interpret their measurements as bits as before, they each
have a bit string which is the binary complement of the other. Either party could invert
their key and they would thus share a secret key.

The presence of an eavesdropper can be detected by examining the photons for which
Alice and Bob chose different bases for measurement. Alice and Bob can measure these
photons in a third basis and discuss their results. With this information they can test Bell's
Inequality which should not hold for entangled particles [Gisin02]. If the inequality does
hold, it would indicate that the photons were not truly entangled and thus there may be an
eavesdropper present.
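
The entanglement check described above, carried further as an added example (not from the original report): it uses the CHSH form of Bell's inequality with the usual four polarizer angles instead of the third-basis description in the text, and models an eavesdropper who measures both photons and re-sends them. The angles, the bound of 2 and all function names are assumptions of this example.

```python
import math
import random

# CHSH polarizer settings (assumed, standard choice): Alice 0 and 45 degrees,
# Bob 22.5 and 67.5 degrees.
A1, A2 = 0.0, math.pi / 4
B1, B2 = math.pi / 8, 3 * math.pi / 8


def polarizer(angle, photon_angle, rng):
    """Return +1 if the photon passes a polarizer at `angle`, else -1 (Malus's law)."""
    return +1 if rng.random() < math.cos(angle - photon_angle) ** 2 else -1


def measure_entangled_pair(a, b, rng):
    """One anticorrelated entangled pair measured at polarizer angles a and b (radians)."""
    alice = rng.choice((+1, -1))
    # Alice's outcome leaves Bob's photon polarized orthogonally to hers.
    bob_photon = a + math.pi / 2 if alice == +1 else a
    return alice, polarizer(b, bob_photon, rng)


def measure_resent_pair(a, b, rng):
    """Eve measured both photons in a guessed basis and re-sent them: no entanglement left."""
    eve_angle = rng.choice((0.0, math.pi / 4))   # rectilinear or diagonal guess
    if rng.random() < 0.5:                       # Eve's two outcomes are opposite
        photon_a, photon_b = eve_angle, eve_angle + math.pi / 2
    else:
        photon_a, photon_b = eve_angle + math.pi / 2, eve_angle
    return polarizer(a, photon_a, rng), polarizer(b, photon_b, rng)


def correlation(source, a, b, n, rng):
    """Average product of Alice's and Bob's +1/-1 outcomes over n pairs."""
    return sum(x * y for x, y in (source(a, b, rng) for _ in range(n))) / n


def chsh(source, n, rng):
    """|S| for the CHSH test; any non-entangled source gives |S| <= 2."""
    s = (correlation(source, A1, B1, n, rng) - correlation(source, A1, B2, n, rng)
         + correlation(source, A2, B1, n, rng) + correlation(source, A2, B2, n, rng))
    return abs(s)


def eavesdropper_suspected(s_value, bound=2.0):
    """The inequality holding (|S| <= 2) means the pairs were not truly entangled."""
    return s_value <= bound


if __name__ == "__main__":
    rng = random.Random(1991)  # constructed seed so the run is repeatable
    for name, source in (("entangled source", measure_entangled_pair),
                         ("intercepted and re-sent", measure_resent_pair)):
        s = chsh(source, 20000, rng)
        print(f"{name}: |S| = {s:.3f}, eavesdropper suspected: {eavesdropper_suspected(s)}")
```

The untouched source gives |S| close to 2√2, which violates the inequality, while the re-sent pairs give |S| close to √2, so the inequality holds and the key is rejected.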

Entangled BB84 Variants

It is important to note the similarity between Ekert's protocol and BB84. If Alice was the
source and Alice and Bob did not perform Ekert's entanglement check, we are
essentially left with BB84. Bennett and Brassard [BBM92] noted that any variant of BB84
could be adapted to use an entangled photon source instead of Alice being the source. In
particular, Enzer et al. 2002 [Enzer02] described an entangled version of the SSP protocol
with added security. Work has also been done that shows that the SARG04 protocol can
tolerate fewer errors with a two-photon source (entangled) than a single-photon source
(Alice) [Fung06].

This section described the approach to QKD that utilizes the principle of quantum
entanglement. Artur Ekert was the first to propose the idea in his 1991 paper, but Bennett
and Brassard pointed out that his ideas could be incorporated into the BB84 protocol. A
series of subsequent papers investigated the use of quantum entangled photons in the
variants of the BB84 protocols.
(5)

Practical Security Concerns


QKD is unconditionally secure in the sense that no assumptions are made about Eve's
inability to compute hard mathematical problems but rather her inability to violate
physics [Bruss07]. Even with this security, however, the QKD protocols are still
susceptible to a man-in-the-middle attack where Eve pretends to be Bob to Alice and
simultaneously pretends to be Alice to Bob. Such an attack is impossible to prevent under
any key distribution protocol without Alice and Bob authenticating each other first.
Furthermore it is not immediately obvious whether QKD protocols are perfectly secure
when used with imperfect equipment and in the presence of noise. This section examines
the security of the QKD protocols in practical systems.

QKD with Noisy Channels - Privacy Amplification

In real systems, if Alice and Bob discover their measurements are not perfectly
correlated, it is difficult for them to determine whether the discrepancy was caused by
using noisy imperfect equipment or whether there was an eavesdropper present creating
perturbations in the state of the photons by measuring them. We have already discussed
in sections 3 and 4 how the two approaches to QKD would detect an eavesdropper under
ideal conditions. In practical systems, Alice and Bob would not want to discard every
transmission that wasn't error free since there likely will always be some natural error not
caused by Eve. Since there is some error, we must assume that Eve may have
successfully learned some of the key's bits. QKD protocols can employ a technique
known as privacy amplification to reduce the information Eve has about the key down to
an arbitrary level.

Before applying privacy amplification, Alice and Bob must first remove the errors from
their shared key. They can use classical error correction to arrive at the same key without
giving the key away to Eve. A simple scheme would involve Alice randomly choosing
pairs of bits and sending the xor value to Bob [Gisin02]. Bob would tell Alice whether or
not he has the same xor value for those pairs of bits. In this way they could arrive at the
same shared key without revealing what the bit values were in each pair they compared.

With Alice and Bob sharing an identical key, they can transform their key into a new key
in a way that Eve could not unless she also had exactly the same entire key. This
technique is called privacy amplification and involves shrinking the original key to a new
key unknowable to Eve. A simple privacy amplification scheme is for Alice to announce
to Bob pairs of bits from the original key [Gisin02]. Alice and Bob would then replace
these random pairs of bits in the original key with the xor value for each pair to create a
new key. Eve cannot know the xor value for a pair of bits with certainty unless she is
certain of both original bits, thus she cannot know the new key.
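
The two pairwise-XOR steps described above, as an added Python example that is not part of the original report. Assumptions: after a parity comparison the parties keep the first bit of an accepted pair and drop both bits of a rejected pair (the report does not say what happens next), Eve either knows a bit or does not, and all names and parameters are hypothetical.

```python
import random

def random_pairs(n, rng):
    """Publicly announced random pairing of key positions (an odd leftover is dropped)."""
    idx = list(range(n))
    rng.shuffle(idx)
    return list(zip(idx[0::2], idx[1::2]))

def reconcile(alice, bob, eve_knows, pairs):
    """One error-correction pass: Alice announces each pair's XOR, Bob accepts or rejects.

    Assumed convention: on accept keep the first bit and drop the second,
    on reject drop both. The XOR is public, so Eve learns the kept bit if she
    already knew either bit of the pair.
    """
    a_out, b_out, e_out = [], [], []
    for i, j in pairs:
        if alice[i] ^ alice[j] == bob[i] ^ bob[j]:
            a_out.append(alice[i])
            b_out.append(bob[i])
            e_out.append(eve_knows[i] or eve_knows[j])
    return a_out, b_out, e_out

def amplify(key, eve_knows, pairs):
    """One privacy-amplification pass: only the pair positions are announced.

    Each pair is replaced by its XOR, which Eve knows only if she knew both bits.
    """
    new_key = [key[i] ^ key[j] for i, j in pairs]
    new_eve = [eve_knows[i] and eve_knows[j] for i, j in pairs]
    return new_key, new_eve

def fraction(flags):
    return sum(flags) / len(flags) if flags else 0.0

def run_demo(seed=1, n=4096, error_rate=0.03, eve_fraction=0.05,
             ec_rounds=3, pa_rounds=3):
    """Constructed scenario: a noisy raw key of which Eve knows a random 5%."""
    rng = random.Random(seed)
    alice = [rng.randrange(2) for _ in range(n)]
    bob = [bit ^ (rng.random() < error_rate) for bit in alice]   # channel noise
    eve = [rng.random() < eve_fraction for _ in range(n)]        # bits Eve learned
    stats = {"eve_start": fraction(eve)}

    for _ in range(ec_rounds):
        pairs = random_pairs(len(alice), rng)
        alice, bob, eve = reconcile(alice, bob, eve, pairs)
    stats["eve_after_ec"] = fraction(eve)
    match_after_ec = alice == bob

    for _ in range(pa_rounds):
        pairs = random_pairs(len(alice), rng)
        bob, _ = amplify(bob, [False] * len(bob), pairs)
        alice, eve = amplify(alice, eve, pairs)
    stats["eve_after_pa"] = fraction(eve)
    stats["keys_match"] = match_after_ec and alice == bob
    stats["final_len"] = len(alice)
    return stats

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Error correction raises the fraction of the key Eve knows, because every announced XOR is public; the amplification passes then drive it back down at the cost of halving the key each time.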

QKD with Practical Equipment - PNS Attack

Figure: Photon Number Splitting Attack

In addition to noise, it is also currently impractical for equipment to reliably produce and
detect single photons. Instead real systems often use a laser producing a small amount of
coherent light. Producing multiple photons, however, opens up a new attack known as the
photon number splitting (PNS) attack [Brassard00] shown above in figure 6. In PNS, Eve
splits off a single photon or a small number of photons from each bit transmission for
measurement and allows the rest to pass on to Bob. This would allow Eve to measure her
photons without disturbing the photons Bob measures. Lo et al developed a trick to send
extra decoy pulses for Alice and Bob to measure allowing them to detect a PNS attack
[Lo05]. In addition, the SARG04 protocol is resistant to the PNS attack because Alice does not
directly reveal her bases [Sarg04]. Instead, as described in Section 3, she reveals a pair of
non-orthogonal states in which the bit might be encoded. If Bob chose the correct bases
he will discover that he measured one of these two states that Alice revealed. If not, Alice
and Bob will drop that bit. This means that Eve does not know which bases to use when
measuring her copy of the photon even after Alice and Bob agree on the bases used. This
forces Eve to guess, which means she will not know the bit with certainty. In 2004,
Gottesman et al published a paper [Gottesman04] describing how the security of BB84
based QKD protocols holds when using imperfect devices.

This section examined the security of QKD in the presence of noise and when using
imperfect equipment. Privacy amplification was introduced to describe how the QKD
protocols could be sure Eve maintains no useful information when errors are detected
during measurement. The photon number splitting attack, resulting from an imperfect
photon source, was also described.

Attacks:

Example: Intercept and resend


The simplest type of possible attack is the intercept-resend attack, where Eve measures
the quantum states (photons) sent by Alice and then sends replacement states to Bob,
prepared in the state she measures. In the BB84 protocol, this produces errors in the key
Alice and Bob share. As Eve has no knowledge of the basis a state sent by Alice is
encoded in, she can only guess which basis to measure in, in the same way as Bob. If she
chooses correctly, she measures the correct photon polarization state as sent by Alice, and
resends the correct state to Bob. However, if she chooses incorrectly, the state she
measures is random, and the state sent to Bob is sometimes not the same as the state sent
by Alice. If Bob then measures this state in the same basis Alice sent, he gets a random
result—as Eve has sent him a state in the opposite basis—instead of the correct result he
would get without the presence of Eve. The table below shows an example of this type of
attack.

Alice's random bit 0 1 1 0 1 0 0 1

Alice's random sending basis

Photon polarization Alice sends

Eve's random measuring basis

Polarization Eve measures and sends

Bob's random measuring basis

Photon polarization Bob measures

PUBLIC DISCUSSION OF BASIS

Shared secret key 0 0 0 1

Errors in key ✓ ✘ ✓ ✓
The probability Eve chooses the incorrect basis is 50% (assuming Alice chooses
randomly), and if Bob measures this intercepted photon in the basis Alice sent he gets a
random result, i.e., an incorrect result with probability of 50%. The probability an
intercepted photon generates an error in the key string is then 50% x 50% = 25%. If Alice
and Bob publicly compare n of their key bits (thus discarding them as key bits, as they
are no longer secret) the probability they find disagreement and identify the presence of
Eve is

So to detect an eavesdropper with probability Pd = 0.999999999 Alice and Bob need to
compare n = 72 key bits.
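
The intercept-resend attack and its detection, as an added Python simulation that is not part of the original report. It assumes ideal equipment with no channel noise; the closed form 1 - (3/4)^n used in detection_probability follows from the 25% per-bit error figure above, and all function names are hypothetical.

```python
import random

BASES = "+x"   # rectilinear and diagonal bases

def measure(bit, prep_basis, meas_basis, rng):
    """Matching basis returns the encoded bit; a mismatched basis gives a random bit."""
    return bit if prep_basis == meas_basis else rng.randrange(2)

def bb84_run(n_photons, eve_present, rng):
    """Return the sifted keys (alice_key, bob_key) after basis comparison."""
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        bit, a_basis = rng.randrange(2), rng.choice(BASES)
        sent_bit, sent_basis = bit, a_basis
        if eve_present:
            # Eve guesses a basis, measures, and resends what she measured.
            e_basis = rng.choice(BASES)
            sent_bit = measure(bit, a_basis, e_basis, rng)
            sent_basis = e_basis
        b_basis = rng.choice(BASES)
        result = measure(sent_bit, sent_basis, b_basis, rng)
        if b_basis == a_basis:          # public discussion of basis: keep matches only
            alice_key.append(bit)
            bob_key.append(result)
    return alice_key, bob_key

def error_rate(alice_key, bob_key):
    """Fraction of sifted positions where Alice and Bob disagree."""
    diffs = sum(a != b for a, b in zip(alice_key, bob_key))
    return diffs / len(alice_key) if alice_key else 0.0

def detection_probability(n):
    """Chance that at least one of n compared bits disagrees when every photon
    was intercepted: each compared bit is wrong with probability 1/4."""
    return 1 - 0.75 ** n

def detects_eve(alice_key, bob_key, n_compare, rng):
    """Publicly compare n_compare randomly chosen sifted bits; True on any mismatch."""
    positions = rng.sample(range(len(alice_key)), n_compare)
    return any(alice_key[i] != bob_key[i] for i in positions)

if __name__ == "__main__":
    rng = random.Random(2009)           # constructed seed, for repeatability
    clean = bb84_run(20000, False, rng)
    tapped = bb84_run(20000, True, rng)
    print("error rate without Eve:", error_rate(*clean))
    print("error rate with Eve:   ", round(error_rate(*tapped), 3))
    print("Pd for n = 72:         ", detection_probability(72))
    print("72-bit check flags Eve:", detects_eve(*tapped, 72, rng))
```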

Security Proofs

The above is just a simple example of an attack. If Eve is assumed to have unlimited
resources, for example classical and quantum computing power, there are many more
attacks possible. BB84 has been proven secure against any attacks allowed by quantum
mechanics, both for sending information using an ideal photon source which only ever
emits a single photon at a time, and also using practical photon sources which sometimes
emit multiphoton pulses. These proofs are unconditionally secure in the sense that no
conditions are imposed on the resources available to the eavesdropper; however, there are
other conditions required:

1. Eve cannot access Alice and Bob's encoding and decoding devices.
2. The random number generators used by Alice and Bob must be trusted and truly
random (for example a Quantum random number generator).
3. The classical communication channel must be authenticated using an
unconditionally secure authentication scheme.

Man in the middle attack

Quantum cryptography is vulnerable to a man-in-the-middle attack when used without
authentication to the same extent as any classical protocol, since no known principle of
quantum mechanics can distinguish friend from foe. As in the classical case, Alice and
Bob cannot authenticate each other and establish a secure connection without some
means of verifying each other's identities (such as an initial shared secret). If Alice and
Bob have an initial shared secret then they can use an unconditionally secure
authentication scheme (such as Carter-Wegman) along with quantum key distribution to
exponentially expand this key, using a small amount of the new key to authenticate the
next session. Several methods to create this initial shared secret have been proposed, for
example using a 3rd party or chaos theory.

Photon number splitting attack

In the BB84 protocol Alice sends quantum states to Bob using single photons. In practice
many implementations use laser pulses attenuated to a very low level to send the quantum
states. These laser pulses contain a very small number of photons, for example 0.2
photons per pulse, which are distributed according to a Poissonian distribution. This
means most pulses actually contain no photons (no pulse is sent), some pulses contain 1
photon (which is desired) and a few pulses contain 2 or more photons. If the pulse
contains more than one photon, then Eve can split off the extra photons and transmit the
remaining single photon to Bob. This is the basis of the photon number splitting attack,
where Eve stores these extra photons in a quantum memory until Bob detects the
remaining single photon and Alice reveals the encoding basis. Eve can then measure her
photons in the correct basis and obtain information on the key without introducing
detectable errors.

Even with the possibility of a PNS attack a secure key can still be generated, as shown in
the GLLP security proof; however, a much higher amount of privacy amplification is
needed, reducing the secure key rate significantly (with PNS the rate scales as t^2 as
compared to t for a single photon source, where t is the transmittance of the quantum
channel).

There are several solutions to this problem. The most obvious is to use a true single
photon source instead of an attenuated laser. While such sources are still at a
developmental stage, QKD has been carried out successfully with them. However, as
current sources operate at a low efficiency and frequency, key rates and transmission
distances are limited. Another solution is to modify the BB84 protocol, as is done for
example in the SARG04 protocol, in which the secure key rate scales as t^(3/2). The most
promising solution is the decoy state idea, in which Alice randomly sends some of her
laser pulses with a lower average photon number. These decoy states can be used to
detect a PNS attack, as Eve has no way to tell which pulses are signal and which decoy.
Using this idea the secure key rate scales as t, the same as for a single photon source. This
idea has been implemented successfully in several QKD experiments, allowing for high
key rates secure against all known attacks.

Hacking attacks

Hacking attacks target imperfections in the implementation of the protocol instead of the
protocol directly. If the equipment used in quantum cryptography can be tampered with,
it could be made to generate keys that were not secure using a random number generator
attack. Another common class of attacks is the Trojan horse attack which does not
require physical access to the endpoints: rather than attempt to read Alice and Bob's
single photons, Mallory sends a large pulse of light back to Alice in between transmitted
photons. Alice's equipment reflects some of Mallory's light, revealing the state of Alice's
polarizer. This attack is easy to avoid, for example using an optical isolator to prevent
light from entering Alice's system, and all other hacking attacks can similarly be defeated
by modifying the implementation. Apart from Trojan horse there are several other known
attacks including faked state attacks, phase remapping attacks and time-shift attacks. The
time-shift attack has even been successfully demonstrated on a commercial quantum
crypto-system. This demonstration is the first successful demonstration of quantum
hacking against a non-homemade quantum key distribution system.

Denial of service

Because currently a dedicated fibre optic line (or line of sight in free space) is required
between the two points linked by quantum cryptography, a denial of service attack can be
mounted by simply cutting or blocking the line.
(6)
Real Life Applications and Recent Achievements

Quantum finance

Money has been transferred between banks using quantum cryptography for the first
time. This novel technology promises to make exchanging information 100 per cent
secure, and the latest feat brings it nearer to commercialisation. The experiment was
carried out by a team headed by Anton Zeilinger of the University of Vienna. The city's
mayor sent a donation of €3000 to the team, using data sent along an optical fiber
threaded through sewers between Vienna City Hall and the Schottengasse branch of Bank
Austria-Creditanstalt. Encrypting and decrypting the message required a key, sent secretly
from the transmitter to the receiver using pairs of entangled photons. Any eavesdropper
would have disturbed the quantum entanglement and signaled their presence, as well as
making it impossible to extract any information from the message. The commercial
quantum cryptographic devices that already exist use a different system, employing weak
pulses of light to create a secure key. Using pairs of entangled photons makes it easier to
guarantee absolute secrecy. Although the two buildings in the Vienna transfer were only
500 meters apart, Zeilinger says that it should be possible to extend such links to 20
kilometres. "In three years, we'll have a marketable system," says team member Andrea
Aglibut.

Quantum Encryption Computer with Wireless Link

The world's first quantum encryption computer network has been expanded to include a
wireless link that uses quantum communications codes. Most modern cryptography rests
upon the difficulty of solving very complex mathematical problems used to encrypt data.
This makes it theoretically vulnerable to being hacked using dramatic mathematical or
computing breakthroughs. By contrast, quantum cryptography near guarantees
communications security, using quirks of quantum physics to thwart eavesdropping
attempts. The wireless connection was added to the DARPA Quantum Network, a
quantum fiber-optic network buried beneath the ground in Massachusetts, US. The
network was built by US Company BBN Technologies with funding from the US
Defense Advanced Research Projects Agency (DARPA). It now links 10 different sites,
including BBN's offices, Harvard University and Boston University. The wireless
connection was installed by UK defense research company QinetiQ. Brian Lowans, at
QinetiQ, says introducing the wireless link represents a "critical first step toward global
networks protected by quantum cryptography". QinetiQ has already demonstrated a
wireless quantum link over 25 kilometers. But eventually researchers hope to extend the
range to be able to reach satellites that orbit at an altitude of hundreds or even thousands
of kilometres. Tim Spiller, a researcher at Hewlett Packard's labs in Bristol, UK, says this could
be used to secure communications over long distances on the ground. "It's a long
term aim," he told New Scientist. "It really expands your options for sharing
cryptographic keys." Quantum cryptography guarantees security by encoding information
as polarized photons which can be sent down a fiber optic cable or through the air.
Intercepting these photons disturbs their quantum state, alerting both sides to an
eavesdropper's presence.

"An uncrackable information network has long been a goal for government and financial
institutions," says Chip Elliot, principal engineer at BBN Technologies. "With the
addition of the free space link nodes, we have demonstrated the potential for a complete
quantum cryptography network that's both wired and wireless."

Intruder detection

Quantum cryptography guarantees secure communications by harnessing the quantum
quirks of photons sent between users. Any attempt to intercept the photons will disturb
their quantum state and raise the alarm. But Elliott points out that even quantum
cryptography "does not give you 100 per cent security". Although quantum keys are
theoretically impossible to intercept without detection, implementing them in the real
world presents hackers with several potential ways to listen in unobserved.

One example is if a laser inadvertently produces more than one photon, which happens
occasionally. An eavesdropper could potentially siphon off the extra photons and decrypt
the key, although no one has actually done this.

"However Qnet is more secure than current internet cryptography," says Elliott, which
relies on "one way functions". These are mathematical operations that are very simple to
compute in one direction, but require huge computing power to perform in reverse.

Secure Electronic Ballots (E-voting)

As technology advances, electronic voting is becoming more of a normal occurrence in
general elections. There are two main types of electronic voting machines, optical scan
machines and direct-recording electronic (DRE) machines. A voter casting a ballot using
optical scan machines goes through the following three steps.
Electronic Voting Using Optical Scanner

The three steps shown in Figure 1 are as follows:


1. The voter receives a paper ballot from a poll worker. The voter then makes their
selections by filling the bubbles on the ballot in the same manner a student would fill out
a standardized test.
2. The ballot is then given to a poll worker where the voter watches as their ballot sheet is
scanned by an optical scan voting machine. The voter’s selections are then converted into
binary then stored in the machine's internal memory with all the other votes scanned by
that machine.
3. At the conclusion of the election, all the stored votes within the optical scanning
machines are sent electronically to the county Board of Elections (BOE) for counting.
The paper ballots are kept for future audits.

A voter casting a ballot using DRE machines goes through the following three steps:
1. The voter inserts a smart card, issued by a poll worker, into the DRE machine. The
DRE machine has a touch screen displaying the ballot.
2. The votes made by the voter are recorded by the vote recording software and saved
directly into the DRE machine's internal memory, along with all the other votes cast on
that DRE machine.
3. At the conclusion of the election, the contents of the DRE machines are sent
electronically to the county Board of Elections for counting.

Electronic Voting Using DRE

The three-step processes described for the optical scanning machines and DRE machines
are susceptible to an attack at each step in the voting process. In step one of the voting
process, the machine could be compromised with vote stealing software. In this
scenario, the voting machine needs to be physically secure to protect against this type of
attack. In step two of the voting process, the machine could be compromised to
incorrectly record a vote where a person may be able to vote multiple times, delete votes,
or disable the machine entirely. In this scenario, the voting machine needs to be
physically secure, in addition to a means of verifying a voter’s ballot was recorded
correctly.
In the third step in the voting process, the centralized tallying machine that performs the
counting of the votes could be compromised, where the election could be skewed in any
direction. In this scenario, the centralized voting machine needs to be physically secure
and the transmission of votes from the voting machines needs to be secure as well.

The electronic voting process has a number of other vulnerabilities discovered by
University of California researchers, but the vulnerabilities discussed cover a majority of
them. As stated in the introduction, securing an electronic ballot is more than just
protecting the electronic ballot against third party interception.
Electronic voting systems must be physically secure as well as electronically secure.
Quantum cryptographic systems only contribute to securing ballots at the third step of the
voting process, specifically the electronic transmission of electronic ballots from one
location to the centralized counting machine. This is how the technology is applied by the
Swiss for securing electronic ballots during the parliamentary election held on October
21, 2007.

Swiss Secure Balloting (Protection Of Swiss Election)

Geneva, Switzerland has been the innovator of electronic voting by being one of the first
to offer electronic voting over the internet. They have also been credited with being the
first to use a quantum cryptographic system to secure electronic ballots over a fiber-optic
line. The quantum cryptographic system was developed by Id Quantique in
collaboration with Senetas by Professor Nicolas Gisin at the University of Geneva. The
quantum cryptographic unit that was developed is called ID500. The price tag associated
with this cryptographic box starts at $50,000. The technology has been in development
for at least two decades and has benefited from
financial support from the United States military.
The cryptographic systems employed by the Swiss are used for securing a link between
the central ballot-counting station in downtown Geneva and government data centers in
the suburbs of Geneva over fiber-optic channels. The newly used quantum cryptographic
system is used to transmit the count totals of a public election. Quantum
cryptographic technology is specifically used in the exchange of secret keys for point-to-
point encryption methods such as Triple-DES or Advanced Encryption Standard at
speeds of about 100 times a second and is capable of automatically detecting a third party
eavesdropping on the communication stream. The encryption boxes used
by the Swiss use quantum cryptographic technology for exchanging secret keys and use
Triple-DES to provide a secure point-to-point connection between two parties. Initially,
the quantum cryptographic systems used by the Swiss proved to be successful, but they
do have limitations, which include encryption speed and transmission distance. Currently,
typical quantum cryptographic machines can only transmit at speeds of 100 Mbps while
the Swiss system is capable of encrypting at 1 Gbps. The hardware used is limited to a 50
mile transmission distance before the photons performing the encryption over the fiber-
optic line begin to degrade. These limitations are introduced by how quantum
cryptographic systems perform a key exchange. Currently, there
are plans for enhancing QC systems to reduce these limitations and the number of
attacks they are susceptible to.

Stopping Software Piracy (By Generation Of Uncrackable Codes)

THE long-running battle between coders and code-breakers could soon be over, as a
breakthrough in quantum cryptography has brought uncrackable codes a step closer. To
exchange a coded message, the sender and recipient must somehow share a secret
sequence of 0s and 1s that is used as a key to encode and decode the message. The
problem is finding a way to exchange the key without it being intercepted. To achieve
this, cryptographers have developed the technique known as quantum key distribution,
which uses the quantum properties of photons to encode the key. But the technique has an
Achilles' heel.

(7)
Conclusion And Future Scope
Future enhancements of current QC systems include making QC more secure, increasing
the transmission distance of fiber-optic lines, increasing encryption rates and making the
technology wireless. One might think QC systems are unconditionally secure because of
the quantum mechanics theory used, but the theory can only be solid if QC hardware
transmits single photons. Current QC implementations do not transmit single photons, but
bursts of photons. With photon bursts instead of single photons, eavesdropping attacks are
possible because Eve could siphon off individual photons without being detected.

One proposal, introduced by Toshiba, for making QC systems more secure is to send
randomly interspersed pulses, called decoy pulses, within the quantum signal. These decoy
pulses are weaker than the real quantum signals, which means the decoy
pulses rarely contain more than one photon. So, the sender and receiver can monitor the
ratio of decoy pulses to real quantum signals that made it through to determine if an
eavesdropper was present. With decoy pulses, Eve will have a harder time siphoning
meaningful photons, decreasing the level of vulnerability of the QC system. This
approach would also increase the transmission distance and encryption rate by 100-fold
because stronger quantum pulses can be used.

Another advancement for making QC systems more secure is the development of a light
emitting diode capable of emitting a single photon more reliably. Toshiba’s methodology
is to create an array of quantum dots, each about 45 nanometers in diameter, for emitting
a single photon. This advancement would increase the level of security offered by current
QC systems, but does not resolve the transmission distance and encryption rate
limitations. The most promising advancement to QC systems is the wireless application.

Current QC systems transmit their quantum signals across fiber-optic channels, but only a
few have been able to send quantum signals through free space.
Current military plans are to use satellites to transmit quantum photons globally. Few
people have been able to transmit QC photons through free space, but it has been proven
that wireless QC systems are conceivable. Having a wireless QC system would
alleviate the transmission distance limitation. The encryption rate limitation can be resolved with
advancements of electronic hardware when larger capacity storage devices and better
processors become available. Wireless QC systems are still in the development stage, but
the few successful attempts are making strides in the realization of commercial wireless
QC systems.

Future developments will focus on faster photon detectors, a major factor limiting
the development of practical systems for widespread commercial use. Chip Elliott, BBN's
principal engineer, says the company is working with the University of Rochester and
NIST's Boulder Laboratories in Colorado to develop practical superconducting photon
detectors based on niobium nitride, which would operate at 4 K and 10 GHz.

The ultimate goal is to make QKD more reliable, integrate it with today's
telecommunications infrastructure, and increase the transmission distance and rate of key
generation. Thus the long-term goals of quantum key distribution are the realistic
implementation via fibers, for example, for different buildings of a bank or company,
and free space key exchange via satellites. Quantum cryptography already provides the
most advanced technology of quantum information science, and is on the way to achieve
the (quantum) jump from university laboratories to the real world.

Quantum cryptographic systems are becoming more of a reality with each passing day.
The primary use of QC systems is for the distribution of secret keys for encrypting and
decrypting a conversation between two parties, but they are being used by several
financial institutions and by the Swiss for securing electronic ballots and have been
supported greatly by the military. The Swiss have successfully used quantum
cryptography in securing the ballots of a public election when the ballots are transferred
from the voting centers to the counting and archiving center, which is only a portion of
actually securing electronic ballots. Because QC systems are based off the principles of
quantum mechanics, QC systems are inherently secure against eavesdropping, although
QC systems are susceptible to several man-in-the-middle and denial of service attacks.
There are several different ways to perform quantum key exchange, such as the BB84
protocol, the B92 protocol, and the Ekert scheme protocol. The QC system is very
promising and advancements are being made to improve upon the technology, most
notably a wireless implementation. With all the hype surrounding quantum cryptographic
systems, the technology is very promising, but still susceptible to hacker attacks and has
transmission distance and encryption rate limitations. These limitations are being
addressed and proposals have been made to resolve these limitations and protect against
the known hacker attacks, but it may be a while until the quantum cryptographic systems
are accepted and used on a larger scale.
(8)
References
