
Air Force Institute of Technology

Integrity - Service - Excellence
Educating the Leaders of America's Air Force
Michael R. Grimaila, PhD, CISM, CISSP,
Senior Member IEEE; ISSA Fellow

Center for Cyberspace Research
Dept. of Systems and Engineering Management
Air Force Institute of Technology


The 2012 World Congress in Computer
Science, Computer Engineering, and Applied
Computing (WORLDCOMP 2012)
Las Vegas, Nevada

16 July 2012
Quantum Key Distribution (QKD)
Basics
Disclaimer
The views expressed in this
presentation are my own and
do not reflect the official policy
or position of the United States
Air Force, the Department of
Defense, or the United States
Government
Overview
Cryptography Basics
Quantum Physics Basics
BB84: Quantum Key Distribution
Non-Idealities
Conclusions
Agenda
Overview (1)
Quantum Key Distribution (QKD) exploits
the laws of quantum mechanics to achieve
information-theoretic secure key exchange.
QKD was invented in 1984 by Charles
Bennett and Gilles Brassard, based on
previous work by Stephen Wiesner.
QKD enables two parties to grow a
shared secret key without placing any limits
on an adversary's computational power.
An adversary can impose a denial of
service and cause key generation to fail.
Overview (2)
QKD is unique in its ability to detect the
presence of any third party eavesdropping
on the key exchange, because the
eavesdropper will introduce detectable errors!
However, if the error rate is below a defined
threshold, an unconditionally secure key
can be distilled.
When used in conjunction with the One-
Time Pad (OTP) symmetric cryptographic
algorithm, the result is an unconditionally
secure cryptographic system.
In this presentation, I will provide a brief
background of cryptography and physics
related to QKD, introduce BB84 (the first
QKD protocol), and discuss vulnerabilities
arising from the non-idealities present in
real-world QKD system implementations.
This is a BASIC introduction intended for
those who are not familiar with QKD!
I will keep the discussion simple and not
discuss quantum entanglement or other
QKD protocols (e.g., B92, E91, SARG).
Overview (3)
Cryptographic Basics
Security Services
Security Mechanisms
Cryptography
Cryptographic Algorithms
Symmetric
Asymmetric
Hashing Functions
Hybrid Cryptosystems
The One-Time Pad
Computational Security
Basic Security Services
Authentication
Provides assurance that a communicating entity is
the one that it claims to be.
Access control
Aims to prevent unauthorized access to resources.
Confidentiality
Aims to protect data from unauthorized disclosure.
Integrity
Aims to detect modification and replay.
Provides assurance that data received are exactly
as sent by the sender.
Non-Repudiation
Provides protection against denial by one entity
involved in a communication of having participated
in all or part of the communication.
Security Mechanisms
Cryptography (Encryption/Decryption)
Symmetric key, Asymmetric (public) key.
Data Integrity Mechanisms
Message Authentication Codes (MAC), sequence numbering,
time stamping, cryptographic chaining.
Digital Signatures
Access Control Schemes
Access Control Lists (ACL), capabilities, security labels, etc.
Authentication Protocols
Passwords, cryptographic challenge-response protocols,
biometrics, etc.
Cryptosystem
[Figure: encryption E under encryption key K maps plaintext m to ciphertext E_K(m); the ciphertext crosses an insecure communication channel (eavesdropping adversary), and decryption D under decryption key K recovers the plaintext: D_K(E_K(m)) = m.]
A cryptosystem consists of two components:
A cryptographic algorithm.
One or more keys.
The algorithm is the mathematical transformation
used to encrypt and decrypt messages, and the
key(s) are parameters used in the encryption and
decryption processes.
Symmetric Key Algorithms
Single Key Encryption

Asymmetric Key Algorithms
Two Key Encryption (for each entity):
Public Key
Private Key

Hashing Functions
One-way transformation.
Easy to compute in the forward direction.
May (or may not) use a key parameter.
Cryptographic Algorithms
Symmetric Key Algorithms
The same key is used for encryption and decryption.
Advantages:
Fast and easily implemented in hardware.
Consumes less power than asymmetric algorithms.
Disadvantages:
Provides only confidentiality.
Multiple keys required when multiple partners.
Does not scale well when you have a large number of
entities you must securely communicate with.
Examples:
DES, 3-DES, AES, Blowfish, RC4, RC5, The One-Time Pad (OTP).
Symmetric Key Scalability
$\text{Required Keys} = \frac{P(P-1)}{2}$, where P is the number of communicating parties.
Asymmetric Key Algorithms
Uses different keys (a key pair, e.g., public and private keys) for encryption
and decryption.
Advantages:
Reduces key management burden.
Scales well (only a single key pair needed per entity).
Provides authentication and non-repudiation.
Disadvantages:
Slow, slow, slow.
Requires complex mathematical operations.
Consumes more computational power than symmetric
algorithms.
Examples:
RSA, PGP, El Gamal, ECC, Diffie-Hellman.
Asymmetric Key Example
[Figure: Alice's public key can be used by anyone; Alice's private key can be used only by Alice.]
Hash Functions
Hash functions map bit strings of arbitrary finite length to bit
strings of fixed length (n bits).
Many-to-one mapping: collisions are unavoidable.
However, finding collisions is difficult, so the hash value of a
message serves as a compact representative image of the
message (similar to a fingerprint).
[Figure: a message of arbitrary length (0 or more bytes) passes through the hash function to a fixed-length hash value / message digest / fingerprint.]
Hash Functions
May (or may not) require a key depending on the
mode of operation.
Provides an efficient way to check the integrity of
stored or transmitted data without having to
compare the data bit by bit.
More than one input can map to the same digest,
creating a collision, which may provide an
advantage to an adversary.
Examples:
MD-4, MD-5, SHA-1
Hybrid Cryptographic Systems
Different cryptographic algorithms can be used
independently or can be combined in a hybrid
fashion to provide robust security services.
Examples:
A web browser that interacts with a secure
web server using SSL/TLS uses asymmetric,
symmetric, and hashing cryptographic
algorithms.
A digitally signed email uses asymmetric and
hashing cryptographic algorithms.
IPSec uses symmetric and hashing
cryptographic algorithms.

The One-Time Pad (1)
The One-Time Pad (OTP) is a simple symmetric
cryptographic algorithm that is easily
implemented in hardware.
Contrary to popular belief, the OTP was not
invented by Gilbert Vernam!
The first known description of the OTP was in
1882, when Frank Miller described
superencipherment as a means to ensure the
privacy and secrecy of telegraphic
communications.
Miller's method required the use of a randomly
generated key that was never reused.
Bellovin, Steven M. (2011). Frank Miller: Inventor of the One-Time Pad, Technical Report
CUCS-009-11, Department of Computer Science, Columbia University, March 2011.
The One-Time Pad (2)
In 1917, Gilbert Vernam patented a cipher based
on teleprinter technology, but it was vulnerable
because it reused key material.
Despite this weakness, a National Security Agency
report identified Vernam's patent as perhaps one
of the most important in the history of
cryptography.
Subsequently, Joseph Mauborgne recognized that
if the key used in the Vernam cipher was fully
random, then cryptanalysis would be impossible.
In the 1940s, Claude Shannon proved the
theoretical significance of the security of the OTP.
Shannon distinguished between two kinds of security:

Theoretical Secrecy (aka Unconditional Security or
Information-Theoretic Security): How secure is a
system against cryptanalysis when the enemy has
unlimited time and manpower available for the analysis of
intercepted cryptograms?

Practical Secrecy (aka Computational Security):
An analysis of the basic weaknesses of secrecy systems
is made. This leads to methods for constructing systems
which will require a large amount of work to solve.


C.E. Shannon, "Communication Theory of Secrecy Systems", Bell System Tech. J., vol.
28, pp. 656-715, Oct., 1949.
Shannon's Security Assessment
Information-Theoretic Security
The Ciphertext should reveal no information
about Plaintext.
This means that given any ciphertext, each
plaintext is equally likely.

The One-Time Pad (OTP) is the only
cryptographic algorithm that is
unconditionally secure when used properly!
It is secure even if an adversary has unbounded
computation resources.
We will see what "used properly" means shortly.
Computational Security
The strength of almost every cryptographic
algorithm is based upon Computational
Security.
In theory, every cryptographic algorithm
(except the OTP) is insecure given enough
ciphertext, computational resources, and time.
Recent developments in quantum computing
and quantum algorithms have placed the
security of certain cryptographic algorithms
which are based upon the difficulty of factoring
large numbers into their constituent primes
(e.g., RSA) at greater risk.
One-Time Pad Example
Alice (Sender):
  Plaintext    1 0 0 1
  Key Pad      0 1 0 1   (XOR)
  Ciphertext   1 1 0 0
The ciphertext is sent to Bob.
Bob (Receiver):
  Ciphertext   1 1 0 0
  Key Pad      0 1 0 1   (XOR)
  Plaintext    1 0 0 1
XOR = Exclusive OR.
One-Time Pad Requirements
For the OTP to be unconditionally secure, the key pad
shared by Alice and Bob must be:
1. Truly random, and
2. Never reused.
Not meeting both of these conditions significantly reduces
the strength of the security of the OTP.
True randomness is not a trivial requirement!
The pad must NEVER be reused!
This lesson was learned by the Soviet Union, which during
WWII reused one-time pads after distributing them to
Soviet intelligence field agents. As a result, US and UK
intelligence agencies working on Project VENONA were
able to easily decode their messages.
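The two OTP requirements above, as an added Python example (not code from the slides): XOR encryption and decryption with a fresh random pad, plus what an interceptor learns when a pad is used twice. The message strings are constructed sample inputs.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length: int) -> bytes:
    """Key pad from the OS cryptographic RNG (requirement 1: truly random)."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Ciphertext = plaintext XOR pad. The pad must be exactly as long as the
    message, and the pad bytes consumed here must never be used again
    (requirement 2)."""
    if len(pad) != len(plaintext):
        raise ValueError("pad must be exactly as long as the message")
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """Decryption is the same XOR: (m XOR k) XOR k = m."""
    return xor_bytes(ciphertext, pad)


def xor_bitstrings(a: str, b: str) -> str:
    """Bit-string form of the same operation, for the slide's 4-bit example."""
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an interceptor holding two ciphertexts made with the SAME pad can
    compute without the pad: c1 XOR c2 = (m1 XOR k) XOR (m2 XOR k) = m1 XOR m2.
    The pad cancels, so any known fragment of one message reveals the
    corresponding fragment of the other (the VENONA lesson)."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    # Slide example: 1001 XOR 0101 = 1100, and back again.
    print(xor_bitstrings("1001", "0101"), xor_bitstrings("1100", "0101"))
    # Constructed sample messages of equal length, encrypted under one reused pad.
    m1, m2 = b"meet at noon!!", b"bring the book"
    k = generate_pad(len(m1))
    leak = pad_reuse_leak(otp_encrypt(m1, k), otp_encrypt(m2, k))
    print(xor_bytes(leak, m1))  # knowing m1 exposes m2 entirely
```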
To take advantage of the OTP, we must
generate and distribute random secret keys to
both Alice and Bob equal in length to the sum of
the lengths of all messages to be exchanged.
In practice, this places a significant burden on
key distribution and management as one must
continuously generate and distribute key pads
between the authorized entities in a secure
manner.
For this reason, historically the OTP is only used
in environments which justify the costs involved
with secure key distribution.
OTP Practical Considerations (1)
Most of the time we accept Computationally
Secure cryptographic algorithms as a matter of
practicality.
The costs associated with key distribution and
management are just too great when you have
many different entities that must securely
communicate and you impose the OTP
requirements.
However, as we will see QKD offers an attractive
point-to-point solution to this dilemma, but first
we must introduce some quantum physics
basics!

OTP Practical Considerations (2)
Quantum Physics Basics
Planck's Constant
Young's Dual Slit Experiment
Heisenberg's Uncertainty Principle
No Cloning Theorem
Quantum Basics and Principles
Classical Bits vs. Quantum Bits
Planck initiated the study of quantum
mechanics when he announced in 1900
the results of his theoretical research into
the radiation and absorption of a black
body.
Planck's constant is the scale on which
physical phenomena are discrete; for
example, photons are the expression of the
discreteness of the electromagnetic field.
Max Planck (1858-1947)
Planck's Constant
Photons (1)
Electrons in materials are vibrated and emit
energy in the form of photons.
Photons have no mass, but are pure energy.
Electromagnetic (E-M) waves are waves that are
made up of these photons.
When these photons come in contact with
boundaries, E-M waves interact like other waves.
Photons exhibit the properties both of particles
and waves.
Do you remember Young's Dual Slit experiment
you learned about in your optical physics class?
The Double Slit Setup
Particles Through One Slit
Particles Through Both Slits
Wave Behavior
Interference
How Do Photons Behave?
Like Particles? Like Waves?
Experimental Results (1)
Light behaves like a wave causing an interference
pattern to appear on the screen.
Experimental Results (2)
This is true even when I use a Photon Gun and
shoot one photon at a time!
Adding Detectors
However, if we add detectors to determine which
slit the photons pass through, it causes them to
behave like particles!
[Figure: photon gun firing single photons at the double slit, with which-slit detectors added.]
Role of an Observer
In Classical Physics:
The observer is objective and passive.
Physical events happen independently of
whether there is an observer or not.
This is known as objective reality.
In Quantum Physics:
The observer is not objective and passive.
The act of observation changes the physical
system irrevocably.
This is known as subjective reality.
Heisenberg Realizations
In the world of very small particles (i.e.,
quantum systems), one cannot measure
any property of a particle without
interacting with it in some way.
This introduces an unavoidable
uncertainty into the result.
One can never measure all the
properties exactly.
A quantum particle can never be in a
state of rest, as this would mean we
know both its position and momentum
precisely. Werner Heisenberg (1901-1976)
Heisenbergs Uncertainty Principle (1)
It can be expressed in its simplest form as
follows: one can never know with perfect
accuracy both of those two important
factors which determine the movement of
one of the smallest particles: its position
and its velocity.

Certain pairs of physical properties are related in such a
way that measuring one property prevents the observer
from knowing the value of the other.
Quantum uncertainty is inherent in the properties of all
wave-like systems, and it arises in quantum
mechanics simply due to the matter-wave nature of all
quantum objects.
Heisenberg, W., Die Physik der Atomkerne, Taylor & Francis, 1952, p. 30.
Heisenbergs Uncertainty Principle (2)
The more accurately you know the position (i.e.,
the smaller Δx is), the less accurately you know the momentum
(i.e., the larger Δp is); and vice versa.
Heisenberg Implications
It is impossible to know both the position and
momentum exactly, i.e., Δx = 0 and Δp = 0.
These uncertainties are inherent in the physical world
and have nothing to do with the skill of the observer.
Because h is so small, these uncertainties are not
observable in normal everyday situations.
Mathematically, the uncertainty relation between
position and momentum arises because the
expressions of the wave function in the two
corresponding bases are Fourier transforms of one
another (i.e., position and momentum are conjugate
variables).

No Cloning Theorem
It is not possible to clone an unknown
quantum state.
It is not possible to perform multiple
observations on a single qubit in its original
state, since each observation alters the
original state, and the original state cannot be
copied exactly.
Even though it is impossible to make perfect
copies of an unknown quantum state, it is
possible to produce imperfect copies.
Quantum Mathematics (1)
A system can be fully described by a set of
mathematical variables, called its state.
A quantum system is defined by a quantum state.
In general, the pure states of a quantum system
are represented by vectors, called state vectors,
residing in a state space.
A state space is a complex Hilbert space, which
can be considered a generalization of
Euclidean space.
The dimensionality of Hilbert space depends on
the system and depends upon the number of
possible outcomes.
Quantum Mathematics (2)
Linear algebra is used to describe quantum
systems.
Every vector space has a basis (a set of linearly
independent vectors of unit length).
Every element of the vector space can be
expressed uniquely as a finite linear combination
of the basis vectors.
All possible bases of a vector space have the
same number of elements, called the dimension of
the vector space.
A qubit can be described by a pure quantum state
(a state vector) in a 2-state quantum system,
equivalent to a 2-dimensional vector space over
the complex numbers.
Quantum Mathematics (3)
One example of a 2-State quantum system:
Polarization of a single photon.
Consider the basis set consisting of Horizontal and
Vertical polarization.
In a classical system, bits would exist in only one
of two states {0,1}.
In a quantum system, a qubit can be in a linear
combination of both states, meaning a
superposition where the qubit can exist in both
states at the same time!

Polarization Notation
Bra/ket notation (pronounced "bracket"),
from Dirac (1958).
Each state is represented by a vector, denoted
by an arrow pointing in the direction of the
polarization.
We will use a simplified Bra/Ket-notation
representation of polarized photons:
Horizontally:
Vertically:
Diagonally:
Anti-diagonally:

Polarized Photons (1)
Polarization can be modeled as a linear
combination of two basis vectors.
We are only interested in the direction.
The combination a·(first basis vector) + b·(second basis vector)
is a unit vector, such that $|a|^2 + |b|^2 = 1$.
[Figure: the state vector with components a and b along the two basis vectors.]
Polarized Photons (2)
Measurement of a state not only measures but
actually transforms that state into one of the
basis vectors.
If we choose a pair of basis vectors when
measuring the state of the photon, the result
will tell us that the photon's polarization is
either one basis vector or the other, nothing in
between.
[Figure: the state vector with components a and b collapsing onto one of the basis vectors.]
Polarization Experiment (1)
Classical experiment.
Equipment:
Laser pointer.
Three polarization filters.
The beam of light pointed toward a screen.
The three filters are polarized horizontally,
diagonally, and vertically, respectively.
Polarization Experiment (2)
The first (horizontal) filter is put in front of the screen.
Light on the outgoing side of the filter is now 50% of the
original intensity.
[Figure: laser → horizontal filter → screen; intensity 100% → 50%.]
Polarization Experiment (3)
Next we insert the vertical filter (orthogonal to the first),
after which no light continues on the output side.
[Figure: laser → horizontal filter → vertical filter → screen; intensity 100% → 50% → 0%.]
Polarization Experiment (4)
Here is the puzzling part.
We insert the diagonal filter in between the
horizontal and vertical filters.
This increases the number of photons
passing through.
[Figure: laser → horizontal filter → diagonal filter → vertical filter → screen; intensity 100% → 50% → 25% → 12.5%.]
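The three-filter experiment above, as an added Python example (not from the slides): the classical intensities follow Malus's law, and the same filter chain is then run one photon at a time, where each filter acts as a measurement that either absorbs the photon or collapses its polarization onto the filter axis. The filter angles 0°, 45° and 90° are the slide's horizontal, diagonal and vertical filters.

```python
import math
import random

# Filter angles from the slides: horizontal = 0°, diagonal = 45°, vertical = 90°.
HORIZONTAL, DIAGONAL, VERTICAL = 0.0, 45.0, 90.0


def classical_transmission(filter_angles_deg):
    """Fraction of the laser's intensity reaching the screen after a chain of
    polarizing filters (Malus's law). Unpolarized light loses half its intensity
    at the first filter; every later filter passes cos^2 of the angle between
    the light's current polarization and the filter axis."""
    intensity = 1.0
    current_angle = None  # None = unpolarized
    for angle in filter_angles_deg:
        if current_angle is None:
            intensity *= 0.5
        else:
            delta = math.radians(angle - current_angle)
            intensity *= math.cos(delta) ** 2
        current_angle = angle  # light leaving a filter is polarized along its axis
    return intensity


def single_photon_transmission(filter_angles_deg, n_photons, seed=0):
    """The same chain, one photon at a time. Each filter is a projective
    measurement: the photon passes with probability cos^2(delta) and, if it
    passes, its polarization collapses to the filter axis; otherwise it is
    absorbed. The unpolarized source is modelled as a uniformly random
    polarization angle per photon, which averages to the classical 50%."""
    rng = random.Random(seed)
    passed = 0
    for _ in range(n_photons):
        polarization = rng.uniform(0.0, 180.0)
        survived = True
        for angle in filter_angles_deg:
            p_pass = math.cos(math.radians(angle - polarization)) ** 2
            if rng.random() < p_pass:
                polarization = angle  # state collapses onto the filter axis
            else:
                survived = False
                break
        passed += survived
    return passed / n_photons


if __name__ == "__main__":
    for chain in ([HORIZONTAL], [HORIZONTAL, VERTICAL], [HORIZONTAL, DIAGONAL, VERTICAL]):
        print(chain, classical_transmission(chain),
              single_photon_transmission(chain, 20000))
```

Inserting the diagonal filter raises the output from 0% to 12.5% because each filter re-prepares the photon's state, which is the same measurement-disturbs-the-state effect BB84 relies on.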
Polarization Encoding Using Two Conjugate Bases
Basis         Polarization            Bit
Rectilinear   Horizontal (0°)         0
Rectilinear   Vertical (90°)          1
Diagonal      Diagonal (45°)          0
Diagonal      Anti-Diagonal (135°)    1
Binary Information
Each photon carries one qubit of information.
Polarization can be used to represent a 0 or 1.
In quantum computation this is called a qubit.
To determine a photon's polarization, the recipient must
measure the polarization by, for example, passing it
through a filter.
A user can suggest a key by sending a stream of
randomly polarized photons.
This sequence can be converted to a binary key.
If the key was intercepted, it could be discarded and a
new stream of randomly polarized photons sent.
Two Qubit Bases
Define the four qubit states:
$|0\rangle$, $|1\rangle$,
$|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$,
$|-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$.
{0,1} (Rectilinear) and {+,-} (Diagonal) each form an
orthogonal qubit basis.
Measured in the other basis, the states of one basis are
indistinguishable from each other (each outcome has probability 1/2).
Two-State Quantum System (1)
[Figure: a photon's polarization carries one qubit; measured in the rectilinear basis it reads 0 or 1.]
Two-State Quantum System (2)
[Figure: the same photon measured in the diagonal basis reads 0 or 1.]
Two-State Quantum System (3)
[Figure: a photon prepared in the rectilinear (R) or diagonal (D) basis and measured in either basis.]
Quantum Rules:
1. Only one polarization at a time can be prepared or
measured.
2. When one polarization is measured, the other is
randomized (mutually unbiased).
Two-State Quantum System (4)
Quantum No-Cloning Theorem
An unknown quantum state CANNOT be
cloned. Therefore the eavesdropper, Eve, cannot
have the same information as Bob.
Single-photon signals are secure.
[Figure: copying an unknown state |a> into two copies |a>|a> is IMPOSSIBLE.]
BB84 States
$|\leftrightarrow\rangle = |0\rangle$ (horizontal)
$|\updownarrow\rangle = |1\rangle$ (vertical)
$|\nearrow\rangle = \frac{1}{\sqrt{2}}|0\rangle + \frac{1}{\sqrt{2}}|1\rangle$ (diagonal)
$|\nwarrow\rangle = \frac{1}{\sqrt{2}}|0\rangle - \frac{1}{\sqrt{2}}|1\rangle$ (anti-diagonal)
Classical vs. Quantum Bits
Classical bits:
can be measured
completely,
are deterministic,
are not changed by
measurement,
can be copied,
can be erased.
Quantum bits (qubit):
can be measured
partially,
are probabilistic,
are changed by
measurement,
cannot be copied,
cannot be erased.
Wiesner's Quantum Money
A quantum bill contains a serial number N and
20 random qubits from {0,1,+,-}.
The Bank knows which string in {0,1,+,-}^20 is
associated with which N.
The Bank can check the validity of a bill N by
measuring the qubits in the proper 0/1 or +/-
bases.
A counterfeiter cannot copy the bill if he does not
know the 20 bases!
Quantum Cryptography
In 1984 Bennett and Brassard described how
the quantum money idea, with its bases {0,1}
vs. {+,-}, can be used in a quantum key
distribution protocol.
Measuring a quantum system in general
disturbs it and yields incomplete information
about its state before the measurement.
Protocols for QKD
BB84 (and the DARPA project) uses the polarization
of photons to encode the bits of information;
it relies on uncertainty to keep Eve from
learning the secret key.
Ekert uses entangled photon states to
encode the bits; it relies on the fact that the
information defining the key only "comes into
being" after measurements performed by Alice
and Bob.
There are others!
I will only talk about BB84.
BB84 (Bennett and Brassard)
Alice randomly chooses one of two bases to
prepare in (for the spin analogy, the z-basis
and the x-basis).
Polarization is used in the original BB84 paper.
Alice then assigns the values 0 and 1 in each
basis (up-z and up-x = 0, down-z and down-x
= 1).
Alice sends one of the four states
at random, and Bob selects (with his own
random generator) a basis (x or z) to measure
in.
If they choose the same basis, they will agree
with 100% probability; if they choose a different
basis, they will have no way of correlating the
results (error rate ~25%).

BB84
Alice transmits a polarized beam in short bursts. The
polarization in each burst is randomly modulated to
one of four states (horizontal, vertical, left-circular, or
right-circular).
Bob measures photon polarizations in a random
sequence of bases (rectilinear or circular).
Bob tells the sender publicly what sequence of
bases were used.
Alice tells the receiver publicly which bases were
correctly chosen.
Alice and Bob discard all observations not from
these correctly-chosen bases.
BB84 QKD
Alice sends n qubits.
Bob chooses the same basis n/2 times.
If there is no eavesdropping/transmission
errors, they share the same n/2 bits.

Eavesdropping
Assume that Eve measures some qubits in the
|0>, |1> basis and resends them.
If the qubit she measures is |+> or |->, Eve
resends a different state (|0> or |1>).
If Bob chooses the |+>, |-> basis, he gets each
answer with probability 1/2.
With probability 1/2, Alice and Bob have
different bits.
Eavesdropping
Theorem: Impossible to obtain information
about non-orthogonal states without
disturbing them.
In this protocol:
Check for eavesdropping
Alice randomly chooses a fraction of the final
string and announces it.
Bob counts the number of different bits.
If too many different bits, reject
(eavesdropper found).
If Eve measured many qubits, she gets
caught.
Next step
Alice and Bob share a string most of which is
unknown to Eve.
Eve might know a few bits.
There could be differences due to
transmission errors.
Classical post-processing
Information reconciliation: Alice and Bob
apply error correcting code to correct
transmission errors.
They now have the same string but small
number of bits might be known to Eve.
Privacy amplification: apply a hash function to
the string.
QKD summary
Alice and Bob generate a shared bit string by
sending qubits and measuring them.
Eavesdropping results in different bits.
That allows Alice and Bob to detect Eve.
Error correction.
Privacy amplification (hashing).
The BB84 Protocol
Ingredients: 1) One photon: no copying;
2) Two non-orthonormal basis sets;
3) Insecure classical channel (Internet).
What it does: Secure distribution of a key; can't be used to send messages.
How it works:
[Figure: Alice's and Bob's basis choices, 50% correlated. Source: Physikalische Blätter 55, 25 (1999).]
[Figure: Alice and Bob are linked by a quantum channel and a classical authenticated public channel, both exposed to an eavesdropping adversary; each side has Admin and Data components.]
BB84 Protocol (I)
Central Idea: Quantum Key Distribution (QKD)
via the {0,1,+,-} states between Alice and Bob
O(N) classical and quantum communication to establish N
shared key bits

BB84 Protocol (II)
1) Alice sends 4N random qubits ∈ {0,1,+,-} to Bob
2) Bob measures each qubit randomly in the 0/1 or +/-
basis
3) Alice and Bob compare their 4N bases, and
continue with ~2N outcomes for which the same
basis was used
4) Alice and Bob verify the measurement outcomes on a
random (size N) subset of the 2N bits
5) The remaining N outcomes function as the secret key
[Figure: step 1 uses the quantum channel, steps 2-4 the public classical channel, and step 5 yields the shared key.]
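A simulation of steps 1) to 5) above, written as an added Python example rather than code from the slides. It uses the slide's encoding (0°/90° rectilinear, 45°/135° diagonal), optionally lets an intercept-resend Eve handle a fraction of the photons to reproduce the ~25% error rate from the Eavesdropping section, and aborts above an assumed QBER threshold of 11% (in the range of the Shor-Preskill bound listed later; the exact value is a parameter, not something the slides state).

```python
import random

RECTILINEAR, DIAGONAL = "+", "x"
BASES = (RECTILINEAR, DIAGONAL)

# Encoding table from the slides: rectilinear 0° -> 0, 90° -> 1; diagonal 45° -> 0, 135° -> 1.
ANGLE_OF = {(RECTILINEAR, 0): 0, (RECTILINEAR, 1): 90, (DIAGONAL, 0): 45, (DIAGONAL, 1): 135}
BIT_OF = {RECTILINEAR: {0: 0, 90: 1}, DIAGONAL: {45: 0, 135: 1}}


def measure(angle, basis, rng):
    """Measure a photon polarized at `angle` in `basis`. A matching basis reads
    the bit deterministically; the conjugate basis yields 0 or 1 with
    probability 1/2 each (cos^2(45°) = 1/2), and the photon is left in the
    state that was read, not the state Alice prepared."""
    table = BIT_OF[basis]
    if angle in table:
        return table[angle]
    return rng.randint(0, 1)


def run_bb84(n, eve_fraction=0.0, test_fraction=0.5, qber_threshold=0.11, seed=0):
    """Run BB84 on n photons. `eve_fraction` of the photons are intercepted,
    measured in a random basis and resent (intercept-resend). Returns the
    sifted length, the sampled QBER, the accept/abort decision and, when
    accepted, both parties' raw keys (before reconciliation and privacy
    amplification)."""
    rng = random.Random(seed)
    # 1) Alice prepares n random qubits from {0, 1, +, -}.
    alice_bits = [rng.randint(0, 1) for _ in range(n)]
    alice_bases = [rng.choice(BASES) for _ in range(n)]
    photons = [ANGLE_OF[(b, bit)] for b, bit in zip(alice_bases, alice_bits)]
    # Eve on the quantum channel: a wrong-basis measurement randomizes the
    # state, and the photon she resends carries that error on to Bob.
    for i in range(n):
        if rng.random() < eve_fraction:
            eve_basis = rng.choice(BASES)
            photons[i] = ANGLE_OF[(eve_basis, measure(photons[i], eve_basis, rng))]
    # 2) Bob measures each qubit in a random basis.
    bob_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bits = [measure(p, b, rng) for p, b in zip(photons, bob_bases)]
    # 3) Sifting: bases are compared publicly; keep positions where they match.
    sifted = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    # 4) Eavesdropping check: sacrifice a random subset and count disagreements.
    test_set = set(rng.sample(sifted, int(len(sifted) * test_fraction)))
    errors = sum(alice_bits[i] != bob_bits[i] for i in test_set)
    qber = errors / len(test_set) if test_set else 0.0
    result = {"sifted": len(sifted), "qber": qber, "accepted": qber <= qber_threshold}
    # 5) The remaining, unrevealed bits form the raw key.
    if result["accepted"]:
        keep = [i for i in sifted if i not in test_set]
        result["alice_key"] = [alice_bits[i] for i in keep]
        result["bob_key"] = [bob_bits[i] for i in keep]
    return result


if __name__ == "__main__":
    clean = run_bb84(8000, seed=1)
    tapped = run_bb84(8000, eve_fraction=1.0, seed=1)
    print("no Eve:   sifted=%d qber=%.3f accepted=%s" % (clean["sifted"], clean["qber"], clean["accepted"]))
    print("full Eve: sifted=%d qber=%.3f accepted=%s" % (tapped["sifted"], tapped["qber"], tapped["accepted"]))
```

With a noiseless channel the sampled QBER is exactly 0 without Eve and about 0.25 when every photon is intercepted; a partial Eve scales the QBER down proportionally, which is why a real system needs the error threshold rather than a zero-error test.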
Security of BB84
Without knowing the proper basis, it is not
possible for Eve to:
Copy the qubits.
Measure the qubits without disturbing them.
Any serious attempt by Eve will be detected
when Alice and Bob perform the equality check.
The Main Contribution of QKD
It solves the key distribution problem
Unconditionally secure key distribution method
proposed by:
Charles Bennett and Gilles Brassard in 1984.
The method is called BB84.
Once key is securely received it can be used to
encrypt messages transmitted by conventional
channels.
Quantum Key Distribution
(a) Alice communicates with Bob via a
quantum channel, sending him photons.
(b) Then they discuss results using a public
channel.
(c) After getting an encryption key Bob can
encrypt his messages and send them by
any public channel.
Quantum Key Distribution (2)
Both Alice and Bob have two polarizers each:
one with the 0-90 degree basis (+) and one with the 45-135
degree basis (×).
(a) Alice uses her polarizers to send photons randomly to Bob
in one of the four possible polarizations: 0, 45, 90, 135 degrees.
(b) Bob uses his polarizers to measure the
polarization of each photon he receives.
He can use the (+) basis or the (×) basis, but not both
simultaneously.

Example of QKD
Security of QKD
Quantum cryptography obtains its
fundamental security from the fact that each
qubit is carried by a single photon, and each
photon will be altered as soon as it is read.
This makes it impossible to intercept the
message without being detected.

Noise
The presence of noise can impact detecting
attacks.
An eavesdropper and noise on the quantum
channel are indistinguishable.
A malicious eavesdropper can prevent communication.
Detecting an eavesdropper in the presence of noise is
hard.

The State of the QKD Technology
Experimental implementations have existed
since 1990.
Current QKD systems can generate keys over
distances > 80 kilometers using optical
fiber.
In general we need two capabilities.
(1) Single photon gun.
(2) Being able to measure single photons.


State of the QC technology.
Efforts are being made to use Pulsed Laser
Beam with low intensity for firing single
photons.
Detecting and measuring photons is hard.
The most common method is exploiting
Avalanche Photodiodes in the Geiger
mode where single photon triggers a
detectable electron avalanche.
History of QKD
Stephen Wiesner early 1970s wrote paper
"Conjugate Coding
Paper by Charles Bennett and Gilles Brassard
in 1984 is the basis for QKD protocol BB84.
Prototype developed in 1991.
Another QKD protocol was invented
independently by Artur Ekert in 1991.
Practical Feasibility of QKD
Only single qubits are involved
Simple state preparations and measurements
Commercial Availability
id Quantique: http://www.idquantique.com
Important BB84 Assumptions
ASSUMPTIONS:
1. Source: Emits perfect single photons. (No multi-photons)
2. Channel: noisy but lossless. (No absorption in channel)
3. Detectors: a) Perfect detection efficiency. (100%)
4. Basis Alignment: Perfect. (Angle between X and Z
basis is exactly 45 degrees.)
Assumptions lead to security proofs:
Mayers (BB84), Lo and Chau (quantum-computing protocol),
Biham et al. (BB84), Ben-Or (BB84), Shor-Preskill (BB84).
Photon-number Splitting Attack
A multi-photon signal CAN be split. (Therefore,
insecure.)
[Figure: Alice emits a two-photon pulse |a>|a>; in the splitting attack Eve keeps one photon |a> and forwards the other |a> to Bob.]
Summary: Single-photon good.
Multi-photon bad.
QKD: Practice
Question: Is QKD secure in practice?
Reality:
1. Source: (Poisson photon number distribution)
Mixture. Photon number = k with probability:
$P(k) = \frac{e^{-\mu}\,\mu^{k}}{k!}$
Some signals are, in fact, double photons!
2. Channel: Absorption inevitable. (e.g. 0.2 dB/km)
3. Detectors:
(a) Efficiency ~15% for telecom wavelengths
(b) Dark counts: Detectors erroneously fire.
Detectors will claim to have detected signals with
some probability even when the input is a vacuum.
4. Basis Alignment: Minor misalignment inevitable.
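The Poisson source model above, as an added Python example (not from the slides): it quantifies how many pulses a weak coherent source exposes to photon-number splitting at a given mean photon number μ. The value μ = 0.1 is the figure quoted for the DARPA network later in the deck; the other μ values are constructed for comparison.

```python
import math


def poisson_pmf(k, mu):
    """Probability that a weak coherent pulse with mean photon number mu
    contains exactly k photons: e^-mu * mu^k / k!"""
    return math.exp(-mu) * mu ** k / math.factorial(k)


def multiphoton_probability(mu):
    """P(k >= 2): the pulses an attacker could split without disturbing
    the photon that reaches Bob."""
    return 1.0 - poisson_pmf(0, mu) - poisson_pmf(1, mu)


def multiphoton_fraction_of_nonempty(mu):
    """Among pulses that carry at least one photon, the fraction with two or
    more. For small mu this is roughly mu/2, which is why weak coherent
    sources run at low mean photon numbers at the price of most pulses being
    empty (and therefore a lower key rate)."""
    return multiphoton_probability(mu) / (1.0 - poisson_pmf(0, mu))


def pulse_budget(mu):
    """Breakdown of a source's pulses at mean photon number mu."""
    return {
        "empty": poisson_pmf(0, mu),
        "single": poisson_pmf(1, mu),
        "multi": multiphoton_probability(mu),
        "multi_given_nonempty": multiphoton_fraction_of_nonempty(mu),
    }


if __name__ == "__main__":
    for mu in (0.1, 0.5, 1.0):  # 0.1 is the DARPA network figure; others constructed
        b = pulse_budget(mu)
        print("mu=%.1f empty=%.3f single=%.3f multi=%.4f multi|nonempty=%.3f"
              % (mu, b["empty"], b["single"], b["multi"], b["multi_given_nonempty"]))
```

At μ = 0.1 about 90% of pulses are empty and roughly 5% of the non-empty pulses carry two or more photons, so even a deliberately attenuated source leaks a measurable share of its signals to a splitting attack.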
Eavesdropping Threshold
QKD Phases
Sifting: unmatched bases; stray or lost qubits.
Error Correction: noise and eavesdropping detected; uses the
Cascade protocol; reveals information to Eve, so need to
track this.
Privacy Amplification: reduces Eve's knowledge obtained by
the previous EC.
Authentication: continuous, to avoid man-in-the-middle attacks;
not required to initiate using shared keys.
Non-Idealities = Vulnerabilities
Security is easy to prove while assuming perfect
apparatus and a noise-free channel.
Those assumptions are not valid for practical systems.
Vulnerabilities thus appear.

Hacking by Tailored Illumination
Lydersen et al. (2010) proposed a method to
eavesdrop on a QKD system undetected.
The hack exploits a vulnerability associated
with the avalanche photo diodes (APDs) used
to detect photons.

Modes of Operation of APDs
Geiger and linear modes.
Geiger Mode
V_APD is usually fixed and called the bias voltage; in Geiger mode, V_bias > V_br.
An incident photon creates an electron-hole pair, leading to an avalanche of
carriers and a surge of current I_APD beyond I_th. That is detected as a click.
V_bias is then made smaller than V_br to stop the flow of carriers. Subsequently it is
restored to its original value in preparation for the next photon.
Linear Mode
V_bias < V_br.
The detected current is proportional to the incident optical power P_opt.
Clicks again occur when I_APD > I_th.
Operation in a QKD System
[Figure: V_bias versus time, raised above V_br only in the windows where a photon is expected.]
V_bias is varied as shown such that the APD is in Geiger mode only
when a photon is expected.
That is to minimize false detections due to thermal
fluctuations.
However, it is still sensitive to bright light in linear mode.
Understanding the Attack
Eve uses an intercept-resend attack.
[Figure: Eve's apparatus placed between Alice and Bob on the quantum channel.]
She uses a copy of Bob to detect states in a random basis.
She sends her results to Bob as bright light pulses, with peak
power > P_th, instead of individual photons.
She also blinds Bob's APDs to make them operate as
classical photodiodes only at all times, to improve the QBER.
Understanding the Attack (2)
[Figure: Bob's receiver with the 50:50 coupler C and two detectors.]
C is a 50:50 coupler used in phase-encoded QKD systems.
When Eve's and Bob's bases match, the trigger pulse from Eve constructively
interferes and hits the detector corresponding to what Eve detected.
Otherwise, there is no constructive interference and both detectors are hit with equal energy.
A click is only observed if the detected current > I_th.
Comments
Clicks also only observed when Eve and Bob
have matching bases.
This means Eve and Bob now have identical bit
values and basis choices, independently of
photons emitted by Alice.
However, half the bits are lost in the process of
eavesdropping.
Conclusions
The OTP is the only cryptographic algorithm
mathematically proven to be unconditionally
secure.
QKD systems are unconditionally secure, based on the
fundamental laws of physics.
However, real world implementations of QKD systems
violate some of the assumptions of the security proof.
As a consequence, eavesdroppers may intercept sent
messages without being detected.
Research is underway to identify and close
vulnerabilities in QKD systems.

QKD in the Real World
The DARPA Quantum Network: World's First Quantum Cryptographic Network

Under DARPA sponsorship, and together with our academic colleagues,
Harvard University and Boston University, BBN Technologies has recently built
and begun to operate the world's first Quantum Key Distribution (QKD) network.
The DARPA Quantum Network employs 24x7 quantum cryptography to provide
unprecedented levels of security for standard Internet traffic flows such as web
browsing, e-commerce, and streaming video.

The DARPA Quantum Network became fully operational on October 23, 2003 in
BBN's laboratories, and has run continuously since. It currently consists of two
BBN-built, interoperable weak-coherent QKD systems running at a 5 MHz pulse
rate (0.1 mean photons per pulse) through telecommunications fiber, and
interconnected via a photonic switch, together with a full suite of production-quality
QKD protocols. In the near future, we plan to roll out this network into dark fiber
between our campuses through the Cambridge, Massachusetts metropolitan
area, introduce a series of new quantum cryptographic links based on a variety
of physical phenomena, and start testing the resulting network against
sophisticated attacks.

http://www.bbn.com/networking/quantumcryptography.html
LANL Quantum Institute

http://quantum.lanl.gov/
Although the quantum key distribution technique was not created at Los Alamos, laboratory researchers have taken the technology, quite literally, to new lengths in the interest of national security. In 1999, Los Alamos researchers set a world record when they sent a quantum key through a 31-mile-long optical fiber. Los Alamos researchers developed a free-space quantum cryptography system that could send keys through the air.

Los Alamos quantum scientists developed a transportable, self-contained QKD system that used polarized photons to send information through the air for distances of up to 10 miles. This mobile trailer-based QKD system could be quickly deployed in the field and was capable of continuous, automated transmission in both daylight and darkness. Today, Los Alamos researchers are in the process of taking this technology even further by developing a smaller scale version that is capable of being put on an Earth-orbiting satellite for transmitting quantum keys distances of hundreds of miles between the satellite and a ground station.
Questions





Michael R. Grimaila, PhD, CISM, CISSP
Senior Member, IEEE; ISSA Fellow
Center for Cyberspace Research
Air Force Institute of Technology
Wright-Patterson AFB, OH 45433-7765
Michael.Grimaila@afit.edu

References (1)
Ambainis, A., Introduction to Quantum Computation, Retrieved 12 March 2012 from http://www.cs.ioc.ee/yik/schools/win2003/ambainis2002-1.ppt.
Bellovin, Steven M. (2011). Frank Miller: Inventor of the One-Time Pad, Technical Report CUCS-009-11, Department of Computer Science, Columbia University, March 2011. A revised version appeared in Cryptologia 35(3), July 2011. Retrieved 12 March 2012 from https://www.cs.columbia.edu/~smb/talks/crypthistory-otp.pdf.
Barrett, J., Hardy, L., & Kent, A. (2005). No signaling and quantum key distribution. Physical Review Letters, 95(1), 010503. doi:10.1103/PhysRevLett.95.010503.
Bennett, C. H. and Brassard, G. (1984), Quantum Cryptography: Public key distribution and coin tossing, in Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, p. 175, Retrieved 14 April 2012 from http://www.cs.ucsb.edu/~chong/290N-W06/BB84.pdf.
Bennett, C. H., Brassard, G., Crépeau, C., & Maurer, U. M. (1995). Generalized privacy amplification. IEEE Transactions on Information Theory, 41(6), 1915-1923.
Brassard, G. (1993). A Bibliography of Quantum Cryptography. ACM SIGACT News, pp. 16-20.
Benson, Robert L. (2006), The Venona Story, National Security Agency. Retrieved 14 April 2012 from http://web.archive.org/web/20060614231955/http://www.nsa.gov/publications/publi00039.cfm.
Bruß, D. (1998). Optimal eavesdropping in quantum cryptography with six states. Physical Review Letters, 81(14), 3018-3021. Retrieved from http://arxiv.org/pdf/quant-ph/9805019.pdf.
Buttyán, L. and Hubaux, J.P., Introduction to Cryptographic Algorithms and Protocols, Retrieved 12 March 2012 from http://secowinet.epfl.ch/slides/AppA-Crypto.ppt.
Caves, C.M., What the #$*! Do We (K)now!? about Quantum Communication, Retrieved 12 March 2012 from http://info.phys.unm.edu/~caves/talks/capsfinal.ppt.
References (2)
Cerf, N. J., Bourennane, M., Karlsson, A., & Gisin, N. (2002). Security of quantum key distribution using d-level systems. Physical Review Letters, 88(12), 127902. Retrieved from http://arxiv.org/pdf/quant-ph/0107130.
Grosshans, F., & Grangier, P. (2002). Reverse reconciliation protocols for quantum cryptography with continuous variables. Proc. 6th Int. Conf. on Quantum Communications, Measurement, and Computing (QCMC'02). Retrieved from http://arxiv.org/pdf/quant-ph/0204127.pdf.
Hitt, Parker (1916). Manual for the Solution of Military Ciphers, Press of the Army Service Schools, Fort Leavenworth, Kansas. Retrieved 12 March 2012 from http://openlibrary.org/works/OL92027W/Manual_for_the_solution_of_military_ciphers.
Joyseeree, R.R. and Fognini, A., Quantum Cryptography, Retrieved 12 March 2012 from http://qudev.ethz.ch/content/courses/QSIT10/presentations/QSIT-QuantumCryptography.ppt.
Kahn, David (1996). The Codebreakers. Macmillan. pp. 397-398. ISBN 0-684-83130-9.
Kerckhoffs, Auguste (1883). La cryptographie militaire, Journal des sciences militaires, vol. IX, pp. 5-38, Jan. 1883, pp. 161-191, Feb. 1883. Retrieved 12 March 2012 from http://www.petitcolas.net/fabien/kerckhoffs/#english.
Klein, M., Securing Record Communications: The TSEC/KW-26, National Security Agency, Retrieved 12 March 2012 from http://www.nsa.gov/about/_files/cryptologic_heritage/publications/misc/tsec_kw26.pdf.
Kowalik, J., Introduction to Quantum Cryptography, Retrieved 12 March 2012 from http://www.ee.washington.edu/research/ieee-comm/Presentations/comsoc_talks/Introduction-to-quantum-cryptography.ppt.
Lo, H.K., Decoy State Quantum Key Distribution (QKD), Retrieved 12 March 2012 from http://www.newton.ac.uk/programmes/QIS/seminars/082610101.ppt.
References (3)
Lütkenhaus, N. (2000). Security against individual attacks for realistic quantum key distribution. Physical Review A, 61(5), 052304. Retrieved from http://arxiv.org/pdf/quant-ph/9910093.
Mayers, D. (2001). Unconditional security in quantum cryptography. Journal of the ACM (JACM), 48(3), 351-406. Retrieved from http://arxiv.org/pdf/quant-ph/9802025.
McNett, M., Applications of Quantum Cryptography QKD, Retrieved 12 March 2012 from http://www.cs.virginia.edu/crab/QuantumCrypto.ppt.
Myers, J.M., Wu, T.T., & Pearson, D. S. (2004). Entropy estimates for individual attacks on the BB84 protocol for quantum key distribution. Proceedings of SPIE, 5436, 36-47.
NIST 800-21 (2005). Guideline for Implementing Cryptography In the Federal Government, Retrieved 12 March 2012 from http://csrc.nist.gov/publications/nistpubs/800-21-1/sp800-21-1_Dec2005.pdf.
Renner, R., Gisin, N., & Kraus, B. (2005). Information-theoretic security proof for quantum-key-distribution protocols. Physical Review A, 72(1), 012332. Retrieved from http://arxiv.org/pdf/quant-ph/0502064.
Rivest, Ronald L. (1990). "Cryptology", Chapter 13 of Handbook of Theoretical Computer Science, (ed. J. Van Leeuwen) vol. 1 (Elsevier, 1990), 717-755. Retrieved 12 March 2012 from http://people.csail.mit.edu/rivest/Rivest-Cryptography.pdf.
Roth, M., Quantum Cryptography, Retrieved 12 March 2012 from http://courses.washington.edu/bbbteach/576/Marshall.ppt.
Rundberg, J., (2004). Quantum Cryptography: The Final Battle, Retrieved 12 March 2012 from http://www.comp.nus.edu.sg/~cs4236/stu-present/jonas.ppt.
Scarani, V., Acin, A., Ribordy, G., & Gisin, N. (2004). Quantum cryptography protocols robust against photon number splitting attacks for weak laser pulse implementations. Physical Review Letters, 92(5), 057901. Retrieved from http://arxiv.org/pdf/quant-ph/0211131.
References (4)
Shannon, Claude E. (October 1949). "Communication Theory of Secrecy Systems". Bell System Technical Journal (AT&T) 28 (4): 656-715. Retrieved 12 March 2012 from http://www.alcatel-lucent.com/bstj/vol28-1949/articles/bstj28-4-656.pdf.
Shor, P. W., & Preskill, J. (2000). Simple proof of security of the BB84 quantum key distribution protocol. Physical Review Letters, 85(2), 441-444. doi:10.1103/PhysRevLett.85.441.
Tanenbaum, Andy (2008). Dutch Public Transit Card Broken: RFID replay attack allows free travel in The Netherlands, Retrieved 12 March 2012 from http://www.cs.vu.nl/~ast/ov-chip-card/.
Trappe, W., & Washington, L. C. (2005). Introduction to Cryptography with Coding Theory (2nd ed.). Upper Saddle River, NJ: Prentice Hall.
Wootters, W. K., & Zurek, W. H. (1982). A single quantum cannot be cloned. Nature, 299(5886), 802-803.
USGPO (1997), "Commission on Protecting and Reducing Government Secrecy: Brief Account of the American Experience," Report of the Commission on Protecting and Reducing Government Secrecy, VI; Appendix A. US Government Printing Office. Retrieved 14 April 2012 from http://www.gpo.gov/fdsys/pkg/GPO-CDOC-105sdoc2/pdf/GPO-CDOC-105sdoc2-11-1.pdf.
Vernam, G.S. (22 July 1919), Secret Signaling System, US Patent 1,310,719, Retrieved 12 March 2012 from http://www.google.com/patents?vid=1310719.
Vernam, G.S. (1926). Cipher printing telegraph systems for secret wire and radio telegraphic communications, Journal of the American Institute of Electrical Engineers, XLV:109-115, February 1926. Retrieved 12 March 2012 from https://www.cs.columbia.edu/~smb/vernam.pdf.
Wiesner, Stephen (1983), Conjugate Coding, ACM SIGACT News, Winter-Spring 1983, Vol. 15, No. 1, Jan. 1983.
Yuan, Q., Quantum Cryptography, Retrieved 12 March 2012 from http://www.cs.ucsb.edu/~chong/290N-W06/BB84.ppt.



Elements of Quantum Theory
Light propagates as discrete quanta
called photons.
They are massless and carry energy,
momentum and an angular momentum called
spin.
Spin carries the polarization of the photon.
If a photon encounters a polarization filter while
traveling from one point to another, it may pass
through it (or not) depending on the polarization
of the photon and the orientation of the filter.
We can use a detector to check whether a photon
has passed through a filter.