Quantum cryptography uses quantum mechanics to guarantee secure communication. It enables two parties to produce a shared random bit string known only to them, which can be used as a key to encrypt and decrypt messages. An important and unique property of quantum cryptography is the ability of the two communicating users to detect the presence of any third party trying to gain knowledge of the key. This results from a fundamental part of quantum mechanics: the process of measuring a quantum system in general disturbs the system. A third party trying to eavesdrop on the key must in some way measure it, thus introducing detectable anomalies. By using quantum superpositions or quantum entanglement and transmitting information in quantum states, a communication system can be implemented which detects eavesdropping. If the level of eavesdropping is below a certain threshold a key can be produced which is guaranteed as secure, otherwise no secure key is possible and communication is aborted. The security of quantum cryptography relies on the foundations of quantum mechanics, in contrast to traditional public key cryptography which relies on the computational difficulty of certain mathematical functions, and cannot provide any indication of eavesdropping or guarantee of key security. Quantum cryptography is only used to produce and distribute a key, not to transmit any message data. This key can then be used with any chosen encryption algorithm to encrypt and decrypt a message, which can then be transmitted over a standard communication channel. The algorithm most commonly associated with QKD is the one-time pad, as it is provably secure when used with a secret, random key.

Cryptography (or cryptology; from Greek kryptos, "hidden, secret"; and gráphin, "writing", or -logia, "study", respectively) is the practice and study of hiding information. Modern cryptography intersects the disciplines of mathematics, computer science, and electrical engineering. Applications of cryptography include ATM cards, computer passwords, and electronic commerce. Cryptology prior to the modern age was almost synonymous with encryption, the conversion of information from a readable state to apparent nonsense. The sender retained the ability to decrypt the information and therefore avoid unwanted persons being able to read it. Since WWI and the advent of the computer, the methods used to carry out cryptology have become increasingly complex and its application more widespread. Modern cryptography follows a strongly scientific approach, and designs cryptographic algorithms around computational hardness assumptions that are assumed hard to break by an adversary. Such systems are not unbreakable in theory but it is infeasible to do so for any practical adversary. Information-theoretically secure schemes that provably cannot be broken exist but they are less practical than computationally-secure mechanisms. An example of such systems is the one-time pad. Alongside the advancement in cryptology-related technology, the practice has raised a number of legal issues, some of which remain unresolved.

- Until modern times cryptography referred almost exclusively to encryption, which is the process of converting ordinary information (called plaintext) into unintelligible gibberish (called ciphertext).
- Decryption is the reverse, in other words, moving from the unintelligible ciphertext back to plaintext.
- A cipher (or cypher) is a pair of algorithms that create the encryption and the reversing decryption. The detailed operation of a cipher is controlled both by the algorithm and in each instance by a key. This is a secret parameter (ideally known only to the communicants) for a specific message exchange context.
- A "cryptosystem" is the ordered list of elements of finite possible plaintexts, finite possible cyphertexts, finite possible keys, and the encryption and decryption algorithms which correspond to each key. Keys are important, as ciphers without variable keys can be trivially broken with only the knowledge of the cipher used and are therefore useless (or even counter-productive) for most purposes. Historically, ciphers were often used directly for encryption or decryption without additional procedures such as authentication or integrity checks.
- In colloquial use, the term "code" is often used to mean any method of encryption or concealment of meaning. However, in cryptography, code has a more specific meaning. It means the replacement of a unit of plaintext (i.e., a meaningful word or phrase) with a code word (for example, "wallaby" replaces "attack at dawn"). Codes are no longer used in serious cryptography except incidentally for such things as unit designations (e.g., Bronco Flight or Operation Overlord) since properly chosen ciphers are both more practical and more secure than even the best codes and also are better adapted to computers.
- Cryptanalysis is the term used for the study of methods for obtaining the meaning of encrypted information without access to the key normally required to do so; i.e., it is the study of how to crack encryption algorithms or their implementations.
- Some use the terms cryptography and cryptology interchangeably in English, while others (including US military practice generally) use cryptography to refer specifically to the use and practice of cryptographic techniques and cryptology to refer to the combined study of cryptography and cryptanalysis.
- The study of characteristics of languages which have some application in cryptography (or cryptology), i.e. frequency data, letter combinations, universal patterns, etc., is called cryptolinguistics.

In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption: a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. In nontechnical usage, a "cipher" is the same thing as a "code"; however, the concepts are distinct in cryptography. In classical cryptography, ciphers were distinguished from codes. Codes operated by substituting according to a large codebook which linked a random string of characters or numbers to a word or phrase.
Edward Larsson's rune cipher resembling that found on the Kensington Runestone. Also includes runically-unrelated blackletter writing style and pigpen cipher.

For example, "UQJHSE" could be the code for "Proceed to the following coordinates". When using a cipher the original information is known as plaintext, and the encrypted form as ciphertext. The ciphertext message contains all the information of the plaintext message, but is not in a format readable by a human or computer without the proper mechanism to decrypt it; it should resemble random gibberish to those not intended to read it. The operation of a cipher usually depends on a piece of auxiliary information, called a key or, in traditional NSA parlance, a cryptovariable. The encrypting procedure is varied depending on the key, which changes the detailed operation of the algorithm. A key must be selected before using a cipher to encrypt a message. Without knowledge of the key, it should be difficult, if not nearly impossible, to decrypt the resulting ciphertext into readable plaintext.

Most modern ciphers can be categorized in several ways:

- By whether they work on blocks of symbols usually of a fixed size (block ciphers), or on a continuous stream of symbols (stream ciphers).
- By whether the same key is used for both encryption and decryption (symmetric key algorithms), or if a different key is used for each (asymmetric key algorithms). If the algorithm is symmetric, the key must be known to the recipient and sender and to no one else. If the algorithm is an asymmetric one, the enciphering key is different from, but closely related to, the deciphering key. If one key cannot be deduced from the other, the asymmetric key algorithm has the public/private key property and one of the keys may be made public without loss of confidentiality.

Etymology of "Cipher"

"Cipher" is alternatively spelled "cypher"; similarly "ciphertext" and "cyphertext", and so forth.

The word "cipher" in former times meant "zero" and had the same origin: Middle French as cifre and Medieval Latin as cifra, from the Arabic ṣifr = zero (see Zero: Etymology). "Cipher" was later used for any decimal digit, even any number. There are many theories about how the word "cipher" may have come to mean "encoding":

- Encoding often involved numbers.
- The Roman number system was very cumbersome because there was no concept of zero (or empty space). The concept of zero (which was also called "cipher"), which we all now think of as natural, was very alien in medieval Europe, so confusing and ambiguous to common Europeans that in arguments people would say "talk clearly and not so far fetched as a cipher". Cipher came to mean concealment of clear messages or encryption.

Ciphers versus codes

In non-technical usage, a "(secret) code" typically means a "cipher". Within technical discussions, however, the words "code" and "cipher" refer to two different concepts. Codes work at the level of meaning, that is, words or phrases are converted into something else and this chunking generally shortens the message.

An example of this is the Telegraph Code which was used to shorten long telegraph messages which resulted from entering into commercial contracts using exchanges of Telegrams.

Ciphers, on the other hand, work at a lower level: the level of individual letters, small groups of letters, or, in modern schemes, individual bits. Some systems used both codes and ciphers in one system, using superencipherment to increase the security. In some cases the terms codes and ciphers are also used synonymously to substitution and transposition.

Historically, cryptography was split into a dichotomy of codes and ciphers, and coding had its own terminology, analogous to that for ciphers: "encoding, codetext, decoding" and so on.

However, codes have a variety of drawbacks, including susceptibility to cryptanalysis and the difficulty of managing a cumbersome codebook. Because of this, codes have fallen into disuse in modern cryptography, and ciphers are the dominant technique.

Types of cipher

There are a variety of different types of encryption. Algorithms used earlier in the history of cryptography are substantially different from modern methods, and modern ciphers can be classified according to how they operate and whether they use one or two keys.

Historical ciphers

Historical pen and paper ciphers used in the past are sometimes known as classical ciphers. They include simple substitution ciphers and transposition ciphers. For example "GOOD DOG" can be encrypted as "PLLX XLP" where "L" substitutes for "O", "P" for "G", and "X" for "D" in the message. Transposition of the letters "GOOD DOG" can result in "DGOGDOO". These simple ciphers and examples are easy to crack, even without plaintext-ciphertext pairs.

Simple ciphers were replaced by polyalphabetic substitution ciphers which changed the substitution alphabet for every letter. For example "GOOD DOG" can be encrypted as "PLSX TWF" where "L", "S", and "W" substitute for "O". With even a small amount of known or estimated plaintext, simple polyalphabetic substitution ciphers and letter transposition ciphers designed for pen and paper encryption are easy to crack.

During the early twentieth century, electro-mechanical machines were invented to do encryption and decryption using transposition, polyalphabetic substitution, and a kind of "additive" substitution. In rotor machines, several rotor disks provided polyalphabetic substitution, while plug boards provided another substitution. Keys were easily changed by changing the rotor disks and the plugboard wires. Although these encryption methods were more complex than previous schemes and required machines to encrypt and decrypt, other machines such as the British Bombe were invented to crack these encryption methods.

Modern ciphers

Modern encryption methods can be divided by two criteria: by type of key used, and by type of input data.

By type of key used ciphers are divided into:

- Symmetric key algorithms (Private-key cryptography), where the same key is used for encryption and decryption, and
- Asymmetric key algorithms (Public-key cryptography), where two different keys are used for encryption and decryption.

In a symmetric key algorithm (e.g., DES and AES), the sender and receiver must have a shared key set up in advance and kept secret from all other parties; the sender uses this key for encryption, and the receiver uses the same key for decryption. The Feistel cipher uses a combination of substitution and transposition techniques. Most block cipher algorithms are based on this structure. In an asymmetric key algorithm (e.g., RSA), there are two separate keys: a public key is published and enables any sender to perform encryption, while a private key is kept secret by the receiver and enables only him to perform correct decryption.

Ciphers can be distinguished into two types by the type of input data:

- Block ciphers, which encrypt block of data of fixed size, and
- Stream ciphers, which encrypt continuous streams of data.

CLASSICAL CIPHER

A cipher is a means of concealing a message, where letters of the message are substituted or transposed for other letters, letter pairs, and sometimes for many letters. In cryptography, a classical cipher is a type of cipher that was used historically but now has fallen, for the most part, into disuse. In general, classical ciphers operate on an alphabet of letters (such as "A-Z"), and are implemented by hand or with simple mechanical devices. They are probably the most basic types of ciphers, which made them not very reliable, especially after new technology was developed. Modern schemes use computers or other digital technology, and operate on bits and bytes. Many classical ciphers were used by well-respected people, such as Julius Caesar and Napoleon, who created their own ciphers which were then popularly used. Many ciphers had their origins in the military and were used for transporting secret messages among people on the same side. Classical schemes are often susceptible to ciphertext-only attacks, sometimes even without knowledge of the system itself, using tools such as frequency analysis. Sometimes grouped with classical ciphers are more advanced mechanical or electro-mechanical cipher machines, such as the Enigma machine.

Types of Classical ciphers

Classical ciphers are often divided into transposition ciphers and substitution ciphers.

Substitution ciphers

In a substitution cipher, letters (or groups of letters) are systematically replaced throughout the message for other letters (or groups of letters).

A well-known example of a substitution cipher is the Caesar cipher. To encrypt a message with the Caesar cipher, each letter of message is replaced by the letter three positions later in the alphabet. Hence, A is replaced by D, B by E, C by F, etc. Finally, X, Y and Z are replaced by A, B and C respectively. So, for example, "WIKIPEDIA" encrypts as "ZLNLSHGLD". Caesar rotated the alphabet by three letters, but any number works.

Another method of substitution cipher is based on a keyword. All spaces and repeated letters are removed from a word or phrase, which the encoder then uses as the start of the cipher alphabet. The end of the cipher alphabet is the rest of the alphabet in order without repeating the letters in the keyword. For example, if the keyword is CIPHER, the cipher alphabet would look like this:

normal alphabet: a b c d e f g h i j k l m n o p q r s t u v w x y z
cipher alphabet: c i p h e r s t u v w x y z a b d f g j k l m n o q

The previous examples were all examples of monoalphabetic substitution ciphers, where just one cipher alphabet is used. It is also possible to have a polyalphabetic substitution cipher, where multiple cipher alphabets are used. The encoder would just make up two or more cipher alphabets using whatever techniques he or she chooses, and then encode their message, alternating what cipher alphabet is used with every letter or word. This makes the message much harder to decode because the codebreaker would have to figure out both cipher alphabets.

Another example of a polyalphabetic substitution cipher that is much more difficult to decode is the Vigenère square, an innovative encoding method. With the square, there are different cipher alphabets that are used to encrypt text. Each cipher alphabet is just another rightward Caesar shift of the original alphabet. This is what a Vigenère square looks like:

ABCDEFGHIJKLMNOPQRSTUVWXYZ
BCDEFGHIJKLMNOPQRSTUVWXYZA
CDEFGHIJKLMNOPQRSTUVWXYZAB
DEFGHIJKLMNOPQRSTUVWXYZABC
EFGHIJKLMNOPQRSTUVWXYZABCD
FGHIJKLMNOPQRSTUVWXYZABCDE
GHIJKLMNOPQRSTUVWXYZABCDEF
HIJKLMNOPQRSTUVWXYZABCDEFG
IJKLMNOPQRSTUVWXYZABCDEFGH
JKLMNOPQRSTUVWXYZABCDEFGHI
KLMNOPQRSTUVWXYZABCDEFGHIJ
LMNOPQRSTUVWXYZABCDEFGHIJK
MNOPQRSTUVWXYZABCDEFGHIJKL
NOPQRSTUVWXYZABCDEFGHIJKLM
OPQRSTUVWXYZABCDEFGHIJKLMN
PQRSTUVWXYZABCDEFGHIJKLMNO
QRSTUVWXYZABCDEFGHIJKLMNOP
RSTUVWXYZABCDEFGHIJKLMNOPQ
STUVWXYZABCDEFGHIJKLMNOPQR
TUVWXYZABCDEFGHIJKLMNOPQRS
UVWXYZABCDEFGHIJKLMNOPQRST
VWXYZABCDEFGHIJKLMNOPQRSTU
WXYZABCDEFGHIJKLMNOPQRSTUV
XYZABCDEFGHIJKLMNOPQRSTUVW
YZABCDEFGHIJKLMNOPQRSTUVWX
ZABCDEFGHIJKLMNOPQRSTUVWXY

To use the Vigenère square to encrypt a message, you first choose a keyword and then repeat it until it is the same length as the message you wish to encode. You then would write the message underneath the repeated keyword to see which cipher alphabet you would use for each letter of the message. The first letter of the message would be encoded using the cipher alphabet that corresponds with the first letter of the keyword. Each cipher alphabet is named by the first letter in it. The cipher alphabet that uses B for A and C for B etc. would be cipher alphabet 'B'. For example if you have a keyword of WORD and the message you want to encode is I LOVE CRYPTOGRAPHY, this is what you would do:

message:      I LOVE CRYPTOGRAPHY
keyword:      W ORDW ORDWORDWORDW
encoded text: E ZFYA QIBLHFJNOGKU

Some substitution ciphers involve using numbers instead of letters. An example of this is the Great Cipher, where numbers were used to represent syllables. There is also another number substitution cipher that involves having four different number pair options for a letter based on a keyword.

Instead of numbers, symbols can also be used to replace letters or syllables. One example of this is Zodiac alphabet, where signs of the zodiac were used to represent different letters; for example, the symbols for the sun stood for A, Jupiter stood for B, and Saturn stood for C. Dots, lines, or dashes could also be used, one example of this being Morse Code, which isn't really a cipher, but uses dots and dashes as letters nonetheless. The pigpen cipher uses a grid system or lines and dots to establish symbols for letters. There are various other methods that involve substituting letters of the alphabet with symbols or dots and dashes.

Transposition ciphers

In a transposition cipher, the letters themselves are kept unchanged, but their order within the message is scrambled according to some well-defined scheme. Many transposition ciphers are done according to a geometric design. A simple (and once again easy to crack) encryption would be to write every word backwards. For example "Hello my name is Alice." would now be "olleH ym eman si ecilA." A scytale is a machine that aids in the transposition of methods.

In a columnar cipher, the original message is arranged in a rectangle, from left to right and top to bottom. Next, a key is chosen and used to assign a number to each column in the rectangle to determine the order of rearrangement. The number corresponding to the letters in the key is determined by their place in the alphabet, i.e. A is 1, B is 2, C is 3, etc. For example, if the key word is CAT and the message is THE SKY IS BLUE, this is how you would arrange your message:

C  A  T
3  1  20
T  H  E
S  K  Y
I  S  B
L  U  E

Next, you take the letters in numerical order and that is how you would transpose the message. You take the column under A first, then the column under C, then the column under T; as a result your message "The sky is blue" has become: HKSUTSILEYBE

In the Chinese cipher's method of transposing, the letters of the message are written from right to left, down and up columns to scramble the letters. Then, starting in the first row, the letters are taken in order to get the new ciphertext. For example, if the message needed to be enciphered was THE DOG RAN FAR, the Chinese cipher would look like this:

R R G T
A A O H
F N D E

The cipher text then reads: RRGT AAOH FNDE
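The Caesar, keyword, Vigenère and columnar procedures described above, written out so that each reproduces the worked result given in the text. This is an added example, not part of the original page; the function names are chosen here, and the columnar decryption routine goes one step beyond the text to show that the scheme is reversible, including when the last row is incomplete.

```python
import string

A = string.ascii_uppercase


def caesar(text, shift=3):
    """Each letter moves `shift` places down the alphabet, wrapping Z to A.
    Non-letters pass through unchanged."""
    return "".join(
        A[(A.index(c) + shift) % 26] if c in A else c for c in text.upper()
    )


def keyword_alphabet(keyword):
    """Cipher alphabet laid out as in the CIPHER table above: the keyword
    without repeated letters, then the unused letters, continuing from the
    letter after the keyword's last letter and wrapping around."""
    head = []
    for c in keyword.upper():
        if c in A and c not in head:
            head.append(c)
    if not head:
        return A
    start = A.index(head[-1]) + 1
    tail = [A[(start + i) % 26] for i in range(26)]
    return "".join(head + [c for c in tail if c not in head])


def substitute(text, cipher_alphabet):
    """Monoalphabetic substitution with one fixed cipher alphabet."""
    return text.upper().translate(str.maketrans(A, cipher_alphabet))


def vigenere(text, keyword, decrypt=False):
    """Each keyword letter names the row of the square (the Caesar shift)
    used for the next message letter; spaces do not consume keyword letters."""
    key = [A.index(k) for k in keyword.upper() if k in A]
    if not key:
        raise ValueError("keyword must contain at least one letter")
    out, i = [], 0
    for c in text.upper():
        if c in A:
            k = key[i % len(key)]
            out.append(A[(A.index(c) + (-k if decrypt else k)) % 26])
            i += 1
        else:
            out.append(c)
    return "".join(out)


def column_order(key):
    """Column indices in the order they are read: alphabetical by key
    letter, ties broken left to right."""
    return sorted(range(len(key)), key=lambda i: (key.upper()[i], i))


def columnar(text, key):
    """Write the letters row by row under the key, read column by column."""
    letters = [c for c in text.upper() if c in A]
    return "".join("".join(letters[i::len(key)]) for i in column_order(key))


def columnar_decrypt(ciphertext, key):
    """Rebuild the columns (the first `extra` columns are one letter longer
    when the last row is incomplete) and read the rectangle row by row."""
    cols = len(key)
    full, extra = divmod(len(ciphertext), cols)
    grid, pos = {}, 0
    for i in column_order(key):
        size = full + (1 if i < extra else 0)
        grid[i] = ciphertext[pos:pos + size]
        pos += size
    return "".join(
        grid[c][r] for r in range(full + 1) for c in range(cols)
        if r < len(grid[c])
    )


if __name__ == "__main__":
    print(caesar("WIKIPEDIA"))
    print(keyword_alphabet("CIPHER"))
    print(vigenere("I LOVE CRYPTOGRAPHY", "WORD"))
    print(columnar("THE SKY IS BLUE", "CAT"))
    print(columnar_decrypt("HKSUTSILEYBE", "CAT"))
```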

Many transposition ciphers are similar to these two examples, usually involving rearranging the letters into rows or columns and then taking them in a systematic way to transpose the letters. Other examples include the Vertical Parallel and the Double Transposition Cipher.

More complex algorithms can be formed by mixing substitution and transposition in a product cipher; modern block ciphers such as DES iterate through several stages of substitution and transposition.

Cryptanalysis of classical ciphers

Classical ciphers are commonly quite easy to break. Many of the classical ciphers can be broken even if the attacker only knows sufficient ciphertext and hence they are susceptible to a ciphertext-only attack. Some classical ciphers (e.g. the Caesar cipher) have a small key space. These ciphers can be broken with a brute force attack, that is by simply trying out all keys. Substitution ciphers can have a large key space, but are often susceptible to a frequency analysis, because for example frequent letters in the plaintext language correspond to frequent letters in the ciphertexts. Polyalphabetic ciphers such as the Vigenère cipher prevent a simple frequency analysis by using multiple substitutions. However, more advanced techniques such as the Kasiski examination can still be used to break these ciphers.

On the other hand, modern ciphers are designed to withstand much stronger attacks than ciphertext-only attacks. A good modern cipher must be secure against a wide range of potential attacks including known-plaintext attacks and chosen-plaintext attacks as well as chosen-ciphertext attacks. For these ciphers an attacker should not be able to find the key even if he knows any amount of plaintext and corresponding ciphertext and even if he could select plaintext or ciphertext himself. Classical ciphers do not satisfy these much stronger criteria and hence are no longer of interest for serious applications.
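Why the Caesar cipher fails under a ciphertext-only attack, shown as an added example that is not part of the original page: all 26 keys are tried and each candidate is scored against English letter frequencies with a chi-squared statistic. The frequency table holds approximate, commonly quoted percentages, the sample text is constructed from sentences on this page, and the function names are chosen here.

```python
from collections import Counter
import string

A = string.ascii_uppercase

# Approximate relative frequencies of A..Z in English text, in percent.
ENGLISH = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15,
           0.77, 4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06,
           2.76, 0.98, 2.36, 0.15, 1.97, 0.07]

# Constructed sample plaintext (sentences taken from the text above).
SAMPLE = ("CLASSICAL CIPHERS OPERATE ON AN ALPHABET OF LETTERS AND ARE "
          "IMPLEMENTED BY HAND OR WITH SIMPLE MECHANICAL DEVICES. MODERN "
          "SCHEMES USE COMPUTERS OR OTHER DIGITAL TECHNOLOGY AND OPERATE "
          "ON BITS AND BYTES.")


def shift(text, k):
    """Caesar shift by k places (negative k undoes a shift)."""
    return "".join(
        A[(A.index(c) + k) % 26] if c in A else c for c in text.upper()
    )


def chi_squared(text):
    """Distance between the text's letter counts and the counts expected
    for English text of the same length; lower means more English-like."""
    counts = Counter(c for c in text if c in A)
    n = sum(counts.values())
    if n == 0:
        return float("inf")
    total = 0.0
    for i, letter in enumerate(A):
        expected = n * ENGLISH[i] / 100
        total += (counts[letter] - expected) ** 2 / expected
    return total


def break_caesar(ciphertext):
    """Brute force over the whole key space: undo every possible shift and
    keep the candidate that looks most like English."""
    key = min(range(26), key=lambda k: chi_squared(shift(ciphertext, -k)))
    return key, shift(ciphertext, -key)


def frequency_profile(text):
    """Letter counts sorted from most to least frequent, ignoring which
    letter each count belongs to."""
    return sorted(Counter(c for c in text if c in A).values(), reverse=True)


if __name__ == "__main__":
    ciphertext = shift(SAMPLE, 3)
    key, recovered = break_caesar(ciphertext)
    print("recovered key:", key)
    print(recovered)
    # A monoalphabetic substitution only relabels the letters, so the shape
    # of the frequency distribution survives encryption unchanged.
    print(frequency_profile(ciphertext) == frequency_profile(SAMPLE))
```

The unchanged frequency profile is what a frequency analysis exploits against any monoalphabetic substitution, even one whose key space is too large to search exhaustively.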

ROTOR MACHINE CIPHER

In cryptography, a rotor machine is an electromechanical device used for encrypting and decrypting secret messages. Rotor machines were the cryptographic state-of-the-art for a brief but prominent period of history; they were in widespread use in the 1930s-1950s. The most famous example is the Enigma machine.

A series of three rotors from an Enigma machine, used by Germany during World War II.

The primary component is a set of rotors, also termed wheels or drums, which are rotating disks with an array of electrical contacts on either side. The wiring between the contacts implements a fixed substitution of letters, replacing them in some complex fashion. On its own, this would offer little security; however, after encrypting each letter, the rotors advance positions, changing the substitution. By this means, a rotor machine produces a complex polyalphabetic substitution cipher.

Modern cryptography

The modern field of cryptography can be divided into several areas of study. The chief ones are discussed here.

Symmetric-key cryptography

Symmetric-key cryptography refers to encryption methods in which both the sender and receiver share the same key (or, less commonly, in which their keys are different, but related in an easily computable way). This was the only kind of encryption publicly known until June 1976.[12]

One round (out of 8.5) of the patented IDEA cipher, used in some versions of PGP for high-speed encryption of, for instance, e-mail.

The modern study of symmetric-key ciphers relates mainly to the study of block ciphers and stream ciphers and to their applications. A block cipher is, in a sense, a modern embodiment of Alberti's polyalphabetic cipher: block ciphers take as input a block of plaintext and a key, and output a block of ciphertext of the same size. Since messages are almost always longer than a single block, some method of knitting together successive blocks is required. Several have been developed, some with better security in one aspect or another than others. They are the modes of operation and must be carefully considered when using a block cipher in a cryptosystem.

The Data Encryption Standard (DES) and the Advanced Encryption Standard (AES) are block cipher designs which have been designated cryptography standards by the US government (though DES's designation was finally withdrawn after the AES was adopted).[14] Despite its deprecation as an official standard, DES (especially its still-approved and much more secure triple-DES variant) remains quite popular; it is used across a wide range of applications, from ATM encryption to e-mail privacy[16] and secure remote access.[17] Many other block ciphers have been designed and released, with considerable variation in quality. Many have been thoroughly broken.

Stream ciphers, in contrast to the 'block' type, create an arbitrarily long stream of key material, which is combined with the plaintext bit-by-bit or character-by-character, somewhat like the one-time pad. In a stream cipher, the output stream is created based on a hidden internal state which changes as the cipher operates. That internal state is initially set up using the secret key material. RC4 is a widely used stream cipher. Block ciphers can be used as stream ciphers.

Cryptographic hash functions are a third type of cryptographic algorithm. They take a message of any length as input, and output a short, fixed length hash which can be used in (for example) a digital signature. For good hash functions, an attacker cannot find two messages that produce the same hash. MD4 is a long-used hash function which is now broken; MD5, a strengthened variant of MD4, is also widely used but broken in practice. The U.S. National Security Agency developed the Secure Hash Algorithm series of MD5-like hash functions: SHA-0 was a flawed algorithm that the agency withdrew; SHA-1 is widely deployed and more secure than MD5, but cryptanalysts have identified attacks against it; the SHA-2 family improves on SHA-1, but it isn't yet widely deployed, and the U.S. standards authority thought it "prudent" from a security perspective to develop a new standard to "significantly improve the robustness of NIST's overall hash algorithm toolkit." Thus, a hash function design competition is underway and meant to select a new U.S. national standard, to be called SHA-3, by 2012.

Message authentication codes (MACs) are much like cryptographic hash functions, except that a secret key can be used to authenticate the hash value[13] upon receipt.

Asymmetric-key cryptography

Symmetric-key cryptosystems use the same key for encryption and decryption of a message, though a message or group of messages may have a different key than others. A significant disadvantage of symmetric ciphers is the key management necessary to use them securely. Each distinct pair of communicating parties must, ideally, share a different key, and perhaps each ciphertext exchanged as well. The number of keys required increases as the square of the number of network members, which very quickly requires complex key management schemes to keep them all straight and secret. The difficulty of securely establishing a secret key between two communicating parties, when a secure channel does not already exist between them, also presents a chicken-and-egg problem which is a considerable practical obstacle for cryptography users in the real world.

Whitfield Diffie and Martin Hellman, authors of the first published paper on public-key cryptography.

In a groundbreaking 1976 paper, Whitfield Diffie and Martin Hellman proposed the notion of public-key (also, more generally, called asymmetric key) cryptography in which two different but mathematically related keys are used: a public key and a private key. A public key system is so constructed that calculation of one key (the 'private key') is computationally infeasible from the other (the 'public key'), even though they are necessarily related. Instead, both keys are generated secretly, as an interrelated pair. The historian David Kahn described public-key cryptography as "the most revolutionary new concept in the field since polyalphabetic substitution emerged in the Renaissance".

In public-key cryptosystems, the public key may be freely distributed, while its paired private key must remain secret. The public key is typically used for encryption, while the private or secret key is used for decryption. Diffie and Hellman showed that public-key cryptography was possible by presenting the Diffie-Hellman key exchange protocol.[12]

In 1978, Ronald Rivest, Adi Shamir, and Len Adleman invented RSA, another public-key system.

In 1997, it finally became publicly known that asymmetric key cryptography had been invented by James H. Ellis at GCHQ, a British intelligence organization, and that, in the early 1970s, both the Diffie-Hellman and RSA algorithms had been previously developed (by Malcolm J. Williamson and Clifford Cocks, respectively).[24]

The Diffie-Hellman and RSA algorithms, in addition to being the first publicly known examples of high quality public-key algorithms, have been among the most widely used. Others include the Cramer-Shoup cryptosystem, ElGamal encryption, and various elliptic curve techniques.

Padlock icon from the Firefox Web browser, meant to indicate a page has been sent in SSL or TLS-encrypted protected form. However, such an icon is not a guarantee of security; any subverted browser might mislead a user by displaying such an icon when a transmission is not actually being protected by SSL or TLS.

In addition to encryption, public-key cryptography can be used to implement digital signature schemes. A digital signature is reminiscent of an ordinary signature; they both have the characteristic that they are easy for a user to produce, but difficult for anyone else to forge. Digital signatures can also be permanently tied to the content of the message being signed; they cannot then be 'moved' from one document to another, for any attempt will be detectable. In digital signature schemes, there are two algorithms: one for signing, in which a secret key is used to process the message (or a hash of the message, or both), and one for verification, in which the matching public key is used with the message to check the validity of the signature. RSA and DSA are two of the most popular digital signature schemes. Digital signatures are central to the operation of public key infrastructures and many network security schemes (e.g., SSL/TLS, many VPNs, etc.).[18]

Public-key algorithms are most often based on the computational complexity of "hard" problems, often from number theory. For example, the hardness of RSA is related to the integer factorization problem, while Diffie-Hellman and DSA are related to the discrete logarithm problem. More recently, elliptic curve cryptography has developed in which security is based on number theoretic problems involving elliptic curves. Because of the difficulty of the underlying problems, most public-key algorithms involve operations such as modular multiplication and exponentiation, which are much more computationally expensive than the techniques used in most block ciphers, especially with typical key sizes. As a result, public-key cryptosystems are commonly hybrid cryptosystems, in which a fast high-quality symmetric-key encryption algorithm is used for the message itself, while the relevant symmetric key is sent with the message, but encrypted using a public-key algorithm. Similarly, hybrid signature schemes are often used, in which a cryptographic hash function is computed, and only the resulting hash is digitally signed.

CRYPTANALYSIS

[Figure: Variants of the Enigma machine, used by Germany's military and civil authorities from the late 1920s through World War II, implemented a complex electromechanical polyalphabetic cipher. Breaking and reading of the Enigma cipher at Poland's Cipher Bureau, for 7 years before the war, and subsequent decryption at Bletchley Park, was important to Allied victory.]

The goal of cryptanalysis is to find some weakness or insecurity in a cryptographic scheme, thus permitting its subversion or evasion.

It is a common misconception that every encryption method can be broken. In connection with his WWII work at Bell Labs, Claude Shannon proved that the one-time pad cipher is unbreakable, provided the key material is truly random, never reused, kept secret from all possible attackers, and of equal or greater length than the message. Most ciphers, apart from the one-time pad, can be broken with enough computational effort by brute force attack, but the amount of effort needed may be exponentially dependent on the key size, as compared to the effort needed to use the cipher. In such cases, effective security could be achieved if it is proven that the effort required (i.e., "work factor", in Shannon's terms) is beyond the ability of any adversary. This means it must be shown that no efficient method (as opposed to the time-consuming brute force method) can be found to break the cipher. Since no such showing can be made currently, as of today, the one-time-pad remains the only theoretically unbreakable cipher.

There are a wide variety of cryptanalytic attacks, and they can be classified in any of several ways. A common distinction turns on what an attacker knows and what capabilities are available. In a ciphertext-only attack, the cryptanalyst has access only to the ciphertext (good modern cryptosystems are usually effectively immune to ciphertext-only attacks). In a known-plaintext attack, the cryptanalyst has access to a ciphertext and its corresponding plaintext (or to many such pairs). In a chosen-plaintext attack, the cryptanalyst may choose a plaintext and learn its corresponding ciphertext (perhaps many times); an example is gardening, used by the British during WWII. Finally, in a chosen-ciphertext attack, the cryptanalyst may be able to choose ciphertexts and learn their corresponding plaintexts. Also important, often overwhelmingly so, are mistakes (generally in the design or use of one of the protocols involved; see Cryptanalysis of the Enigma for some historical examples of this).

[Figure: Poznań monument (center) to Polish cryptologists whose breaking of Germany's Enigma machine ciphers, beginning in 1932, altered the course of World War II.]

Cryptanalysis of symmetric-key ciphers typically involves looking for attacks against the block ciphers or stream ciphers that are more efficient than any attack that could be against a perfect cipher. For example, a simple brute force attack against DES requires one known plaintext and 2^55 decryptions, trying approximately half of the possible keys, to reach a point at which chances are better than even the key sought will have been found. But this may not be enough assurance; a linear cryptanalysis attack against DES requires 2^43 known plaintexts and approximately 2^43 DES operations. This is a considerable improvement on brute force attacks.

Public-key algorithms are based on the computational difficulty of various problems. The most famous of these is integer factorization (e.g., the RSA algorithm is based on a problem related to integer factoring), but the discrete logarithm problem is also important. Much public-key cryptanalysis concerns numerical algorithms for solving these computational problems, or some of them, efficiently (i.e., in a practical time). For instance, the best known algorithms for solving the elliptic curve-based version of discrete logarithm are much more time-consuming than the best known algorithms for factoring, at least for problems of more or less equivalent size. Thus, other things being equal, to achieve an equivalent strength of attack resistance, factoring-based encryption techniques must use larger keys than elliptic curve techniques. For this reason, public-key cryptosystems based on elliptic curves have become popular since their invention in the mid-1990s.

While pure cryptanalysis uses weaknesses in the algorithms themselves, other attacks on cryptosystems are based on actual use of the algorithms in real devices, and are called side-channel attacks. If a cryptanalyst has access to, for example, the amount of time the device took to encrypt a number of plaintexts or report an error in a password or PIN character, he may be able to use a timing attack to break a cipher that is otherwise resistant to analysis. An attacker might also study the pattern and length of messages to derive valuable information; this is known as traffic analysis, and can be quite useful to an alert adversary. Poor administration of a cryptosystem, such as permitting too short keys, will make any system vulnerable, regardless of other virtues. And, of course, social engineering, and other attacks against the personnel who work with cryptosystems or the messages they handle (e.g., bribery, extortion, blackmail, espionage, torture, ...) may be the most productive attacks of all.

DATA ENCRYPTION STANDARD

- Designers: IBM
- First published: 1977 (standardized on January 1979)
- Cipher detail: key sizes 56 bits; block sizes 64 bits

DES is now considered insecure because a brute force attack is possible (see EFF DES cracker). As of 2008, the best analytical attack is linear cryptanalysis, which requires 2^43 known plaintexts and has a time complexity of 2^39 to 2^43 (Junod, 2001); under a chosen-plaintext assumption, the data complexity can be reduced by a factor of four (Knudsen and Mathiassen, 2000).

The Data Encryption Standard (DES) is a block cipher that uses shared secret encryption. It was selected by the National Bureau of Standards as an official Federal Information Processing Standard (FIPS) for the United States in 1976 and has subsequently enjoyed widespread use internationally. It is based on a symmetric-key algorithm that uses a 56-bit key. The algorithm was initially controversial with classified design elements, a relatively short key length, and suspicions about a National Security Agency (NSA) backdoor. DES consequently came under intense academic scrutiny which motivated the modern understanding of block ciphers and their cryptanalysis.

DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key size being too small; in January, 1999, distributed.net and the Electronic Frontier Foundation collaborated to publicly break a DES key in 22 hours and 15 minutes (see chronology). There are also some analytical results which demonstrate theoretical weaknesses in the cipher, although they are infeasible to mount in practice. The algorithm is believed to be practically secure in the form of Triple DES, although there are theoretical attacks. In recent years, the cipher has been superseded by the Advanced Encryption Standard (AES). Furthermore, DES has been withdrawn as a standard by the National Institute of Standards and Technology (formerly the National Bureau of Standards).

DES is a block cipher: an algorithm that takes a fixed-length string of plaintext bits and transforms it through a series of complicated operations into another ciphertext bitstring of the same length. In the case of DES, the block size is 64 bits. DES also uses a key to customize the transformation, so that decryption can supposedly only be performed by those who know the particular key used to encrypt. The key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. Eight bits are used solely for checking parity, and are thereafter discarded. Hence the effective key length is 56 bits, and it is never quoted as such. Every 8th bit of the selected key is discarded, i.e. positions 8, 16, 24, 32, 40, 48, 56, 64 are removed from the 64 bit key leaving behind only the 56 bit key. Like other block ciphers, DES by itself is not a secure means of encryption but must instead be used in a mode of operation.

ADVANCED ENCRYPTION STANDARD

- Designers: Vincent Rijmen, Joan Daemen
- First published: 1998
- Cipher detail: key sizes 128, 192 or 256 bits; block sizes 128 bits

A related-key attack can break 256-bit AES with a complexity of 2^99.5, which is faster than brute force but is still infeasible. 192-bit AES can also be defeated in a similar manner, but at a complexity of 2^176 which is also infeasible. 128-bit AES is not affected by this attack.

In cryptography, the Advanced Encryption Standard (AES) is a symmetric-key encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256, adopted from a larger collection originally published as Rijndael. Each of these ciphers has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively. The AES ciphers have been analyzed extensively and are now used worldwide, as was the case with its predecessor, the Data Encryption Standard (DES).

AES was announced by National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001 after a 5-year standardization process in which fifteen competing designs were presented and evaluated before Rijndael was selected as the most suitable (see Advanced Encryption Standard process for more details). It became effective as a Federal government standard on May 26, 2002 after approval by the Secretary of Commerce. It is available in many different encryption packages. AES is the first publicly accessible and open cipher approved by the NSA for top secret information (see Security of AES, below).

The Rijndael cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted by them to the AES selection process. Rijndael (Dutch pronunciation: [ˈrɛindaːl]) is a wordplay based upon the names of the two inventors.

Description of the cipher

- AES is based on a design principle known as a substitution-permutation network. It is fast in both software and hardware. Unlike its predecessor, DES, AES does not use a Feistel network.
- AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits, whereas Rijndael can be specified with block and key sizes in any multiple of 32 bits, with a minimum of 128 bits. The blocksize has a maximum of 256 bits, but the keysize has no theoretical maximum.
- AES operates on a 4×4 array of bytes, termed the state (versions of Rijndael with a larger block size have additional columns in the state). Most AES calculations are done in a special finite field.
- The AES cipher is specified as a number of repetitions of transformation rounds that convert the input plaintext into the final output of ciphertext. Each round consists of several processing steps, including one that depends on the encryption key. A set of reverse rounds are applied to transform ciphertext back into the original plaintext using the same encryption key.

High-level description of the algorithm

- KeyExpansion: round keys are derived from the cipher key using Rijndael's key schedule
- Initial Round
  - AddRoundKey: each byte of the state is combined with the round key using bitwise xor
- Rounds
  - SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
  - ShiftRows: a transposition step where each row of the state is shifted cyclically a certain number of steps.
  - MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.

Known attacks

- For cryptographers, a cryptographic "break" is anything faster than a brute force attack, that is, trying every possible key. Thus, an attack against a 256-bit-key AES requiring 2^200 operations (compared to 2^256 possible keys) would be considered a break, even though 2^200 operations would still take far longer than the age of the universe to complete. The largest successful publicly-known brute force attack has been against a 64-bit RC5 key by distributed.net.
- AES has a fairly simple algebraic description. In 2002, a theoretical attack, termed the "XSL attack", was announced by Nicolas Courtois and Josef Pieprzyk, purporting to show a weakness in the AES algorithm due to its simple description. Since then, other papers have shown that the attack as originally presented is unworkable; see XSL attack on block ciphers.
- During the AES process, developers of competing algorithms wrote of Rijndael, "...we are concerned about its use...in security-critical applications." However, at the end of the AES process, Bruce Schneier, a developer of the competing algorithm Twofish, wrote that while he thought successful academic attacks on Rijndael would be developed someday, "I do not believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic."
- On July 1, 2009, Bruce Schneier blogged about a related-key attack on the 192-bit and 256-bit versions of AES, discovered by Alex Biryukov and Dmitry Khovratovich, which exploits AES's somewhat simple key schedule and has a complexity of 2^99.5. This is a follow-up to an attack discovered earlier in 2009 by Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolić, with a complexity of 2^96 for one out of every 2^35 keys. Another attack was blogged by Bruce Schneier on July 30, 2009 and released as a preprint on August 3, 2009. This new attack, by Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir, is against AES-256 that uses only two related keys and 2^39 time to recover the complete 256-bit key of a 9-round version, or 2^45 time for a 10-round version with a stronger type of related subkey attack, or 2^70 time for an 11-round version. 256-bit AES uses 14 rounds, so these attacks aren't effective against full AES.

- In November 2009, the first known-key distinguishing attack against a reduced 8-round version of AES-128 was released as a preprint. This known-key distinguishing attack is an improvement of the rebound or the start-from-the-middle attacks for AES-like permutations, which view two consecutive rounds of permutation as the application of a so-called SuperSbox. It works on the 8-round version of AES-128, with a computation complexity of 2^48, and a memory complexity of 2^32.
- In July 2010 Vincent Rijmen published an ironic paper on "chosen-key-relations-in-the-middle" attacks on AES-128.

Side-channel attacks

- Side-channel attacks do not attack the underlying cipher and so have nothing to do with its security as described here, but attack implementations of the cipher on systems which inadvertently leak data. There are several such known attacks on certain implementations of AES.
- In April 2005, D.J. Bernstein announced a cache-timing attack that he used to break a custom server that used OpenSSL's AES encryption. The custom server was designed to give out as much timing information as possible (the server reports back the number of machine cycles taken by the encryption operation), and the attack required over 200 million chosen plaintexts.
- In October 2005, Dag Arne Osvik, Adi Shamir and Eran Tromer presented a paper demonstrating several cache-timing attacks against AES. One attack was able to obtain an entire AES key after only 800 operations triggering encryptions, in a total of 65 milliseconds. This attack requires the attacker to be able to run programs on the same system or platform that is performing AES.
- In December 2009 an attack on some hardware implementations was published that used differential fault analysis and allows recovery of key with complexity of 2^32.
- In November 2010 Endre Bangerter, David Gullasch and Stephan Krenn published a paper which described a practical approach to a "near real time" recovery of secret keys from AES-128 without the need for either cipher text or plaintext. The approach also works on AES-128 implementations that use compression tables, such as OpenSSL. Like some earlier attacks this one requires the ability to run arbitrary code on the system performing the AES encryption.

CRYPTOGRAPHIC HASH FUNCTION

[Figure: A cryptographic hash function (specifically, SHA-1) at work. Note that even small changes in the source input (here in the word "over") drastically change the resulting output, by the so-called avalanche effect.]

A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value. The data to be encoded is often called the "message", and the hash value is sometimes called the message digest or simply digest.

The ideal cryptographic hash function has four main or significant properties:

- it is easy to compute the hash value for any given message,
- it is infeasible to find a message that has a given hash,
- it is infeasible to modify a message without hash being changed,
- it is infeasible to find two different messages with the same hash.

Cryptographic hash functions have many information security applications, notably in digital signatures, message authentication codes (MACs), and other forms of authentication. They can also be used as ordinary hash functions, to index data in hash tables, for fingerprinting, to detect duplicate data or uniquely identify files, and as checksums to detect accidental data corruption. Indeed, in information security contexts, cryptographic hash values are sometimes called (digital) fingerprints, checksums, or just hash values, even though all these terms stand for functions with rather different properties and purposes.

Properties

- Most cryptographic hash functions are designed to take a string of any length as input and produce a fixed-length hash value.
- A cryptographic hash function must be able to withstand all known types of cryptanalytic attack. As a minimum, it must have the following properties:

- Preimage resistance: Given a hash it should be difficult to find any message such that . This concept is related to that of one-way function. Functions that lack this property are vulnerable to preimage attacks.
- Second preimage resistance: Given an input it should be difficult to find another input where such that . This property is sometimes referred to as weak collision resistance, and functions that lack this property are vulnerable to second preimage attacks.
- Collision resistance: It should be difficult to find two different messages and such that . Such a pair is called a cryptographic hash collision. This property is sometimes referred to as strong collision resistance. It requires a hash value at least twice as long as that required for preimage-resistance, otherwise collisions may be found by a birthday attack.

These properties imply that a malicious adversary cannot replace or modify the input data without changing its digest. Thus, if two strings have the same digest, one can be very confident that they are identical.

A function meeting these criteria may still have undesirable properties. Currently popular cryptographic hash functions are vulnerable to length-extension attacks: given and but not , by choosing a suitable an attacker can calculate where || denotes concatenation. This property can be used to break naive authentication schemes based on hash functions. The HMAC construction works around these problems.

Ideally, one may wish for even stronger conditions. It should be impossible for an adversary to find two messages with substantially similar digests, or to infer any useful information about the data, given only its digest. Therefore, a cryptographic hash function should behave as much as possible like a random function while still being deterministic and efficiently computable.

Checksum algorithms, such as CRC32 and other cyclic redundancy checks, are designed to meet much weaker requirements, and are generally unsuitable as cryptographic hash functions. For example, a CRC was used for message integrity in the WEP encryption standard, but an attack was readily discovered which exploited the linearity of the checksum.
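The checksum linearity mentioned above, next to the keyed HMAC construction, as an added Python example that is not part of the original page. The sample messages, the key and all function names are constructed for this illustration; the point is that a CRC32 check value can be corrected with a mask that depends only on the change, while an HMAC tag cannot.

```python
import hashlib
import hmac
import zlib

CRC_LEN, TAG_LEN = 4, 32


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def crc_protect(msg: bytes) -> bytes:
    """Message followed by its CRC32: an unkeyed check against accidents."""
    return msg + zlib.crc32(msg).to_bytes(CRC_LEN, "big")


def crc_verify(frame: bytes) -> bool:
    msg, check = frame[:-CRC_LEN], frame[-CRC_LEN:]
    return zlib.crc32(msg).to_bytes(CRC_LEN, "big") == check


def crc_fixup_mask(delta: bytes) -> bytes:
    """Mask that changes a frame by `delta` and keeps its CRC valid.

    CRC32 is affine over XOR for equal-length inputs:
        crc(m ^ d) == crc(m) ^ crc(d) ^ crc(00...0)
    so the correction depends only on `delta`, never on the message.
    """
    zeros = bytes(len(delta))
    fix = zlib.crc32(delta) ^ zlib.crc32(zeros)
    return delta + fix.to_bytes(CRC_LEN, "big")


def hmac_protect(key: bytes, msg: bytes) -> bytes:
    """Message followed by its HMAC-SHA256 tag: a keyed integrity check."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def hmac_verify(key: bytes, frame: bytes) -> bool:
    msg, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def compare_checks() -> dict:
    """Apply the same in-transit change to a CRC frame and an HMAC frame."""
    key = b"constructed-demo-key"        # constructed sample key
    original = b"valve=closed;t=21"      # constructed sample message
    altered = b"valve=opened;t=21"       # same length, different content
    delta = xor_bytes(original, altered)

    # CRC: XOR the mask into the frame; the receiver's check still passes.
    crc_frame = xor_bytes(crc_protect(original), crc_fixup_mask(delta))
    # HMAC: no key-free correction exists, so the tag is left unchanged.
    mac_frame = xor_bytes(hmac_protect(key, original), delta + bytes(TAG_LEN))

    return {
        "crc_message": crc_frame[:-CRC_LEN],
        "crc_accepts_altered": crc_verify(crc_frame),
        "hmac_accepts_original": hmac_verify(key, hmac_protect(key, original)),
        "hmac_accepts_altered": hmac_verify(key, mac_frame),
    }


if __name__ == "__main__":
    for name, value in compare_checks().items():
        print(f"{name}: {value}")
```

The CRC frame verifies after the change because the check value was never bound to a secret; the HMAC frame is rejected because producing a matching tag requires the key.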

Degree of difficulty

In cryptographic practice, difficult generally means almost certainly beyond the reach of any adversary who must be prevented from breaking the system for as long as the security of the system is deemed important. The meaning of the term is therefore somewhat dependent on the application, since the effort that a malicious agent may put into the task is usually proportional to his expected gain. However, since the needed effort usually grows very quickly with the digest length, even a thousand-fold advantage in processing power can be neutralized by adding a few dozen bits to the latter.

In some theoretical analyses difficult has a specific mathematical meaning, such as not solvable in asymptotic polynomial time. Such interpretations of difficulty are important in the study of provably secure cryptographic hash functions but do not usually have a strong connection to practical security. For example, an exponential time algorithm can sometimes still be fast enough to make a feasible attack. Conversely, a polynomial time algorithm (e.g. one that requires n^20 steps for n-digit keys) may be too slow for any practical use.

RSA

In cryptography, RSA (which stands for Rivest, Shamir and Adleman who first publicly described it) is an algorithm for public-key cryptography. It is the first algorithm known to be suitable for signing as well as encryption, and was one of the first great advances in public key cryptography. RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.

The RSA algorithm was publicly described in 1978 by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT.

MIT was granted U.S. Patent 4,405,829 for a "Cryptographic communications system and method" that used the algorithm in 1983. The patent would have expired on September 21, 2000 (the term of patent was 17 years at the time), but the algorithm was released to the public domain by RSA Security on 6 September 2000, two weeks earlier. Since a paper describing the algorithm had been published in August 1977, prior to the December 1977 filing date of the patent application, regulations in much of the rest of the world precluded patents elsewhere and only the US patent was granted. Had Cocks' work been publicly known, a patent in the US might not have been possible.

The system includes a communications channel coupled to at least one terminal having an encoding device and to at least one terminal having a decoding device. A message-to-be-transferred is enciphered to ciphertext at the encoding terminal by encoding the message as a number M in a predetermined set. That number is then raised to a first predetermined power (associated with the intended receiver) and finally computed. The remainder or residue, C, is... computed when the exponentiated number is divided by the product of two predetermined prime numbers (associated with the intended receiver).

Operation

The RSA algorithm involves three steps: key generation, encryption and decryption.

Key generation

RSA involves a public key and a private key. The public key can be known to everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted using the private key. The keys for the RSA algorithm are generated the following way:

- Choose two distinct prime numbers p and q. For security purposes, the integers p and q should be chosen at random, and should be of similar bit-length. Prime integers can be efficiently found using a primality test.
- Compute n = pq. n is used as the modulus for both the public and private keys.
- Compute φ(n) = (p − 1)(q − 1), where φ is Euler's totient function.
- Choose an integer e such that 1 < e < φ(n) and gcd(e, φ(n)) = 1, i.e. e and φ(n) are coprime. e is released as the public key exponent. e having a short bit-length and small Hamming weight results in more efficient encryption, most commonly 0x10001 = 65537. However, small values of e (such as 3) have been shown to be less secure in some settings.
- Determine d = e^(−1) mod φ(n), i.e. d is the multiplicative inverse of e mod φ(n). This is often computed using the extended Euclidean algorithm. d is kept as the private key exponent.

The public key consists of the modulus n and the public (or encryption) exponent e. The private key consists of the private (or decryption) exponent d which must be kept secret.

Encryption

- Alice transmits her public key (n, e) to Bob and keeps the private key secret. Bob then wishes to send message M to Alice.
- He first turns M into an integer 0 < m < n by using an agreed-upon reversible protocol known as a padding scheme. He then computes the ciphertext c corresponding to c = m^e (mod n). This can be done quickly using the method of exponentiation by squaring.
- Bob then transmits c to Alice.

Decryption

- Alice can recover m from c by using her private key exponent d via computing m = c^d (mod n).
- Given m, she can recover the original message M by reversing the padding scheme. (In practice, there are more efficient methods of calculating c^d using the precomputed values below.)

A worked example

Here is an example of RSA encryption and decryption. The parameters used here are artificially small, but one can also use OpenSSL to generate and examine a real keypair.

- Choose two distinct prime numbers, such as p = 61 and q = 53.
- Compute n = pq giving n = 61 · 53 = 3233.
- Compute the totient of the product as φ(n) = (p − 1)(q − 1) giving φ(3233) = (61 − 1)(53 − 1) = 3120.
- Choose any number 1 < e < 3120 that is coprime to 3120. Choosing a prime number for e leaves us only to check that e is not a divisor of 3120. Let e = 17.
- Compute d, the modular multiplicative inverse of e (mod φ(n)) yielding d = 2753.

The public key is (n = 3233, e = 17). For a padded plaintext message m, the encryption function is m^17 (mod 3233).

The private key is (n = 3233, d = 2753). For an encrypted ciphertext c, the decryption function is c^2753 (mod 3233).

For instance, in order to encrypt m = 65, we calculate c = 65^17 (mod 3233) = 2790.

To decrypt c = 2790, we calculate m = 2790^2753 (mod 3233) = 65.

Both of these calculations can be computed efficiently using the square-and-multiply algorithm for modular exponentiation. In real life situations the primes selected would be much larger; in our example it would be relatively trivial to factor n, 3233, obtained from the freely available public key back to the primes p and q. Given e, also from the public key, we could then compute d and so acquire the private key.

The security of the RSA cryptosystem is based on two mathematical problems: the problem of factoring large numbers and the RSA problem. Full decryption of an RSA ciphertext is thought to be infeasible on the assumption that both of these problems are hard, i.e., no efficient algorithm exists for solving them. Providing security against partial decryption may require the addition of a secure padding scheme.
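The key generation, encryption and decryption steps and the worked example above, as added Python that is not part of the original page; the function names are this example's own and the caller is assumed to supply primes. It goes slightly beyond the page's numbers by including Chinese Remainder Theorem decryption, one of the faster ways of computing c^d the text alludes to, and by recomputing d from the public key alone to show why a 12-bit modulus gives no protection.

```python
from math import isqrt


def egcd(a: int, b: int):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(e: int, m: int) -> int:
    """Multiplicative inverse of e modulo m (requires gcd(e, m) == 1)."""
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError("e and the modulus are not coprime")
    return x % m


def modpow(base: int, exp: int, mod: int) -> int:
    """Square-and-multiply modular exponentiation."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def keygen(p: int, q: int, e: int):
    """Return (n, e, d) for distinct primes p, q and public exponent e."""
    if p == q:
        raise ValueError("p and q must be distinct")
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi:
        raise ValueError("need 1 < e < phi(n)")
    return p * q, e, modinv(e, phi)


def encrypt(m: int, e: int, n: int) -> int:
    if not 0 < m < n:
        raise ValueError("need 0 < m < n")
    return modpow(m, e, n)


def decrypt(c: int, d: int, n: int) -> int:
    return modpow(c, d, n)


def decrypt_crt(c: int, p: int, q: int, d: int) -> int:
    """Same result as decrypt(), using two half-size exponentiations."""
    dp, dq, q_inv = d % (p - 1), d % (q - 1), modinv(q, p)
    m1, m2 = modpow(c, dp, p), modpow(c, dq, q)
    h = q_inv * (m1 - m2) % p
    return m2 + h * q


def recover_d_by_factoring(n: int, e: int) -> int:
    """Recompute d from the public key by trial division of n.

    Instant for the page's n = 3233; the loop is what becomes infeasible
    once p and q are large random primes.
    """
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return modinv(e, (f - 1) * (n // f - 1))
    raise ValueError("n has no nontrivial factor")


if __name__ == "__main__":
    n, e, d = keygen(61, 53, 17)          # the page's parameters
    c = encrypt(65, e, n)
    print("n, e, d:", n, e, d)
    print("ciphertext:", c)
    print("decrypt / CRT:", decrypt(c, d, n), decrypt_crt(c, 61, 53, d))
    print("d from public key only:", recover_d_by_factoring(n, e))
```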

LIMITATIONS

Cryptographic technology in use today relies on the hardness of certain mathematical problems. Classical cryptography faces the following two problems.

- First, the security of many classical cryptosystems is based on the hardness of problems such as integer factoring or the discrete logarithm problem. But since these problems typically are not provably hard, the corresponding cryptosystems are potentially insecure. For example, the famous and widely used RSA public-key cryptosystem (Rivest et al., 1978) could easily be broken if large integers were easy to factor. The hardness of integer factoring, however, is not a proven fact but rather a hypothesis. We mention in passing that computing the RSA secret key from the corresponding public key is polynomial-time equivalent to integer factoring (May, 2004).
- Second, the theory of quantum computation has yielded new methods to tackle these mathematical problems in a much more efficient way. Although there are still numerous challenges to overcome before a working quantum computer of sufficient power can be built, in theory many classical ciphers (in particular public-key cryptosystems such as RSA) might be broken by such a powerful machine. However, while quantum computation seems to be a severe challenge to classical cryptography in a possibly not so distant future, at the same time it offers new possibilities to build encryption methods that are safe even against attacks performed by means of a quantum computer.

In secret key encryption, a k-bit "secret key" is shared by two users, who use it to transform plaintext inputs to cryptotext for transmission and back to plaintext upon receipt. To make unauthorized decipherment more difficult, the transformation algorithm can be carefully designed to make each bit of output depend on every bit of the input. With such an arrangement, a key of 128 bits used for encoding results in a choice of about 10^38 numbers. The encrypted message should be secure; assuming that brute force and massive parallelism are employed, a billion computers doing a billion operations per second would require a trillion years to decrypt it. In practice, analysis of the encryption algorithm might make it more vulnerable, but increases in the size of the key can be used to offset this.

The main practical problem with secret key encryption is exchanging a secret key. In principle any two users who wished to communicate could first meet to agree on a key in advance, but in practice this could be inconvenient. Other methods for establishing a key, such as the use of secure courier or private knowledge, could be impractical for routine communication between many users. But any discussion of how the key is to be chosen that takes place on a public communication channel could in principle be intercepted and used by an eavesdropper.

One proposed method for solving this key distribution problem is the appointment of a central key distribution server. Every potential communicating party registers with the server and establishes a secret key. The server then relays secure communications between users, but the server itself is vulnerable to attack. Another method is a protocol for agreeing on a secret key based on publicly exchanged large prime numbers, as in the Diffie-Hellman key exchange. Its security is based on the assumed difficulty of finding the power of a base that will generate a specified remainder when divided by a very large prime number, but this suffers from the uncertainty that such problems will remain intractable. Quantum encryption, which will be discussed later, provides a way of agreeing on a secret key without making this assumption.

Communication at the quantum level changes many of the conventions of both classical secret key and public key communication described above. For example, it is not necessarily possible for messages to be perfectly copied by anyone with access to them, nor for messages to be relayed without changing them in some respect, nor for an eavesdropper to passively monitor communications without being detected.

QUANTUM CRYPTOGRAPHY

Quantum cryptography extends the power of classical cryptography by protecting the secrecy of messages using the physical laws of quantum mechanics.

- QUBITS

The most important unit of information in computer science is the bit. There are two possible values that can be stored by a bit: the bit is either equal to 0 or equal to 1. These two different states can be represented in various ways, for example by a simple switch or by a capacitor: if not charged, the capacitor holds the value zero; if charged, it holds the value one.

There exist many possibilities to physically represent a qubit in practice, as every quantum system with at least two states can serve as a qubit. For example, the spin of an atom or the polarization of a light particle can represent the state of a qubit. Even a cat with its two basic states dead and alive, introduced by Schrödinger (1935) to visualize fundamental concepts of quantum mechanics, might serve as a representation.

- Principles:

Quantum cryptographic devices typically employ individual photons of light and take advantage of either the Heisenberg Uncertainty principle or Quantum Entanglement.

1. Uncertainty

Unlike in classical physics, the act of measurement is an integral part of quantum mechanics. So it is possible to encode information into quantum properties of a photon in such a way that any effort to monitor them disturbs them in some detectable way. The effect arises because in quantum theory, certain pairs of physical properties are complementary in the sense that measuring one property necessarily disturbs the other.

This statement is known as the Heisenberg uncertainty principle. The two complementary properties that are often used in quantum cryptography are two types of photon polarization, e.g. rectilinear (vertical and horizontal) and diagonal (at 45° and 135°).

2. Entanglement: It is a state of two or more quantum particles, e.g. photons, in which many of their physical properties are strongly correlated. The entangled particles cannot be described by specifying the states of individual particles and they may together share information in a form which cannot be accessed in any experiment performed on either of the particles alone. This happens no matter how far apart the particles may be at the time.

PROTOCOLS:

1. BB84 Protocol

In 1984, Bennett and Brassard suggested the first protocol, called BB84, for establishing a secret key using quantum transmissions (Ford, 2002; Ekert, 1995). This protocol uses the rectilinear and circular polarization bases for photons. The steps of the protocol are explained below, using the standard convention that Alice is the sender, Bob is the receiver, and Eve is the eavesdropper.

1. Alice prepares photons randomly with either rectilinear or circular polarizations.
2. Alice records the polarization of each photon and then sends it to Bob.
3. Bob receives each photon and randomly measures its polarization according to the rectilinear or circular basis. He records the measurement type (basis used) and the resulting polarization measured. (It is important to remember that the polarization sent by Alice may not be the same polarization Bob finds if he does not use the same basis as Alice.)
4. Bob publicly tells Alice what the measurement types were, but not the results of his measurements.

5. Alice publicly tells Bob which measurements were of the correct type. A measurement is of the correct type if Bob used the same basis for measurement as Alice did for preparation.
6. Alice and Bob each throw out the data from measurements that were not of the correct type, and convert the remaining data to a string of bits using a convention such as: left-circular = 0, right-circular = 1, horizontal = 0, vertical = 1.

The string of bits now owned by Alice and Bob is: 1 0 0 1 0 1 0 1. This string of bits forms the secret key. In practice, the number of photons sent and the resulting length of the string of bits would be much greater.

2. EKERT Protocol

An essentially equivalent protocol that utilizes EPR correlations has been worked on by Artur Ekert and David Mermin (Collins, 1992). To take advantage of EPR correlations, particles are prepared in such a way that they are entangled. This means that although they may be separated by large distances in space, they are not independent of each other. Suppose the entangled particles are photons. If one of the particles is measured according to the rectilinear basis and found to have a vertical polarization, then the other particle will also be found to have a vertical polarization if it is measured according to the rectilinear basis. If, however, the second particle is measured according to the circular basis, it may be found to have either left-circular or right-circular polarization.

The steps of the protocol for developing a secret key using EPR correlations of entangled photons are explained below:

1. Alice creates EPR pairs of polarized photons, keeping one particle for herself and sending the other particle of each pair to Bob.
2. Alice randomly measures the polarization of each particle she kept according to the rectilinear or circular basis. She records each measurement type and the polarization measured.
3. Bob randomly measures each particle he received according to the rectilinear or circular basis. He records each measurement type and the polarization measured.
4. Alice and Bob tell each other which measurement types were used, and they keep the data from all particle pairs where they both chose the same measurement type.
5. They convert the remaining data to a string of bits using a convention such as: left-circular = 0, right-circular = 1, horizontal = 0, vertical = 1.

One important difference between the BB84 and the EPR methods is that with BB84, the key created by Alice and Bob must be stored classically until it is used. Therefore, although the key was completely secure when it was created, its continued security over time is only as great as the security of its storage. Using the EPR method, Alice and Bob could potentially store the prepared entangled particles and then measure them and create the key just before they were going to use it, eliminating the problem of insecure storage.

Quantum Cryptography Fundamentals

Electromagnetic waves such as light waves can exhibit the phenomenon of polarization, in which the direction of the electric field vibrations is constant or varies in some definite way. A polarization filter is a material that allows only light of a specified polarization direction to pass. If the light is randomly polarized, only half of it will pass a perfect filter.

According to quantum theory, light waves are propagated as discrete particles known as photons. A photon is a massless particle, the quantum of the electromagnetic field, carrying energy, momentum, and angular momentum. The polarization of the light is carried by the direction of the angular momentum or spin of the photons. A photon either will or will not pass through a polarization filter, but if it emerges it will be aligned with the filter regardless of its initial state; there are no partial photons. Information about the photon's polarization can be determined by using a photon detector to determine whether it passed through a filter.

"Entangled pairs" are pairs of photons generated by certain particle reactions. Each pair contains two photons of different but related polarization. Entanglement affects the randomness of measurements. If we measure a beam of photons E1 with a polarization filter, one-half of the incident photons will pass the filter, regardless of its orientation. Whether a particular photon will pass the filter is random. However, if we measure a beam of photons E2 consisting of entangled companions of the E1 beam with a filter oriented at 90 degrees (deg) to the first filter, then if an E1 photon passes its filter, its E2 companion will also pass its filter. Similarly, if an E1 photon does not pass its filter then its E2 companion will not.

The foundation of quantum cryptography lies in the Heisenberg uncertainty principle, which states that certain pairs of physical properties are related in such a way that measuring one property prevents the observer from simultaneously knowing the value of the other. In particular, when measuring the polarization of a photon, the choice of what direction to measure affects all subsequent measurements. For instance, if one measures the polarization of a photon by noting that it passes through a vertically oriented filter, the photon emerges as vertically polarized regardless of its initial direction of polarization. If one places a second filter oriented at some angle to the vertical, there is a certain probability that the photon will pass through the second filter as well, and this probability depends on the angle. As the angle increases, the probability of the photon passing through the second filter decreases until it reaches 0 at 90 deg (i.e., the second filter is horizontal). When the angle is 45 deg, the chance of the photon passing through the second filter is precisely 1/2. This is the same result as a stream of randomly polarized photons impinging on the second filter, so the first filter is said to randomize the measurements of the second.

Polarization by a filter: Unpolarized light enters a vertically aligned filter, which absorbs some of the light and polarizes the remainder in the vertical direction. A second filter tilted at some angle absorbs some of the polarized light and transmits the rest, giving it a new polarization.

A pair of orthogonal (perpendicular) polarization states used to describe the polarization of photons, such as horizontal/vertical, is referred to as a basis. A pair of bases are said to be conjugate bases if the measurement of the polarization in the first basis completely randomizes the measurement in the second basis, as in the above example with an angle of 45 deg. It is a fundamental consequence of the Heisenberg uncertainty principle that such conjugate pairs of states must exist for a quantum system.

If a sender, typically designated Alice in the literature, uses a filter in the 0-deg/90-deg basis to give the photon an initial polarization (either horizontal or vertical, but she doesn't reveal which), a receiver Bob can determine this by using a filter aligned to the same basis. However, if Bob uses a filter in the 45-deg/135-deg basis to measure the photon, he cannot determine any information about the initial polarization of the photon.

These characteristics provide the principles behind quantum cryptography. If an eavesdropper Eve uses a filter aligned with Alice's filter, she can recover the original polarization of the photon. But if she uses a misaligned filter she will not only receive no information, but will have influenced the original photon so that she will be unable to reliably retransmit one with the original polarization. Bob will either receive no message or a garbled one, and in either case will be able to deduce Eve's presence.

Quantum Cryptography Application

Sending a message using photons is straightforward in principle, since one of their quantum properties, namely polarization, can be used to represent a 0 or a 1. Each photon therefore carries one bit of quantum information, which physicists call a qubit. To receive such a qubit, the recipient must determine the photon's polarization, for example by passing it through a filter, a measurement that inevitably alters the photon's properties. This is bad news for eavesdroppers, since the sender and receiver can easily spot the alterations these measurements cause. Cryptographers cannot exploit this idea to send private messages, but they can determine whether its security was compromised in retrospect.

The genius of quantum cryptography is that it solves the problem of key distribution. A user can suggest a key by sending a series of photons with random polarizations. This sequence can then be used to generate a sequence of numbers. The process is known as quantum key distribution. If the key is intercepted by an eavesdropper, this can be detected and it is of no consequence, since it is only a set of random bits and can be discarded. The sender can then transmit another key. Once a key has been securely received, it can be used to encrypt a message that can be transmitted by conventional means: telephone, e-mail, or regular postal mail.

The first published paper to describe a cryptographic protocol using these ideas to solve the key distribution problem was written in 1984 by Charles Bennett and Gilles Brassard. In it, Bennett and Brassard described an unconditionally secure quantum key distribution system. The system is called the BB84 system (after Bennett and Brassard, 1984), and its operation is as follows.

Alice and Bob are equipped with two polarizers each, one aligned with the rectilinear 0-deg/90-deg (or +) basis that will emit - or | polarized photons and one aligned with the diagonal 45-deg/135-deg (or X) basis that will emit \ or / polarized photons. Alice and Bob can communicate via a quantum channel over which Alice can send photons, and a public channel over which they can discuss results. An eavesdropper Eve is assumed to have unlimited computing power and access to both these channels, though she cannot alter messages on the public channel (see below for discussion of this).

Alice begins to send photons to Bob, each one polarized at random in one of the four directions: 0, 45, 90, or 135 deg. As Bob receives each photon, he measures it with one of his polarizers chosen at random. Since he does not know which direction Alice chose for her polarizer, his choice may not match hers. If it does match the basis, Bob will measure the same polarization as Alice sent, but if it doesn't match, Bob's measurement will be completely random. For instance, if Alice sends a photon | and Bob measures with his + polarizer oriented either - or |, he will correctly deduce Alice sent a | photon, but if he measures with his X polarizer, he will deduce (with equal probability) either \ or /, neither of which is what Alice actually sent. Furthermore, his measurement will have destroyed the original polarization.

To eliminate the false measurements from the sequence, Alice and Bob begin a public discussion after the entire sequence of photons has been sent. Bob tells Alice which basis he used to measure each photon, and Alice tells him whether or not it was the correct one. Neither Alice nor Bob announces the actual measurements, only the bases in which they were made. They discard all data for which their polarizers didn't match, leaving (in theory) two perfectly matching strings. They can then convert these into bit strings by agreeing on which photon directions should be 0 and which should be 1. This provides a way for Alice and Bob to arrive at a shared key without publicly announcing any of the bits.

If an eavesdropper Eve tries to gain information about the key by intercepting the photons as they are transmitted from Alice to Bob, measuring their polarization, and then resending them so Bob does receive a message, then since Eve, like Bob, has no idea which basis Alice uses to transmit each photon, she too must choose bases at random for her measurements. If she chooses the correct basis, and then sends Bob a photon matching the one she measures, all is well. However, if she chooses the wrong basis, she will then see a photon in one of the two directions she is measuring, and send it to Bob. If Bob's basis matches Alice's (and thus is different from Eve's), he is equally likely to measure either direction for the photon. However, if Eve had not interfered, he would have been guaranteed the same measurement as Alice. In fact, in this intercept/resend scenario, Eve will corrupt 25 percent of the bits. So if Alice and Bob publicly compare some of the bits in their key that should have been correctly measured and find no discrepancies, they can conclude that Eve has learned nothing about the remaining bits, which can be used as the secret key. Alternatively, Alice and Bob can agree publicly on a random subset of their bits, and compare the parities. The parities will differ in 50 percent of the cases if the bits have been intercepted. By doing 20 parity checks, Alice and Bob can reduce the probability of an eavesdropper remaining undetected to less than one in a million [8].

An Illustration of Quantum Key Distribution:

A quantum cryptography system allows two people, say Alice and Bob, to exchange a secret key. Alice uses a transmitter to send photons in one of four polarizations: 0, 45, 90 or 135 degrees. Bob uses a receiver to measure each polarization in either the rectilinear basis (0 and 90) or the diagonal basis (45 and 135); according to the laws of quantum mechanics he cannot simultaneously make both measurements.

The key distribution requires several steps. Alice sends photons with one of the four polarizations, which she chooses at random. For each photon, Bob chooses at random the type of measurement: either the rectilinear type (+) or the diagonal type (X). Bob records the result of his measurements but keeps it a secret. After the transmission, Bob tells Alice the measurement types he used (but not his results) and Alice tells him which were correct for the photons she sent. This exchange may be overheard. Alice and Bob keep all cases in which Bob should have measured the correct polarization. These cases are then translated into bits (1s and 0s) to define the key.

As a check, Alice and Bob choose some bits at random to reveal. If they agree, they can use the remaining bits with assurance that they have not been intercepted. But if they find a substantial number of discrepancies, it indicates unavoidable tampering due to eavesdropping, and they should start over to transmit another key. It is of course crucial that they do not discuss the orientation of the polarization filters until after the message has been sent, or Eve could use this to intercept and resend the photons correctly.
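The BB84 exchange and the eavesdropping check described above can be simulated classically. The following is an added example, not code from the original text: it models a photon as a (bit, basis) pair, which is an assumption that captures only the two rules stated above (a matching basis returns the sent bit, a conjugate basis returns a random result), and all function names are hypothetical.

```python
import random

RECT, DIAG = "+", "x"          # the two conjugate bases
BASES = (RECT, DIAG)

def measure(bit, photon_basis, filter_basis, rng):
    """A matching basis returns the encoded bit; a conjugate basis gives a coin flip."""
    return bit if photon_basis == filter_basis else rng.randrange(2)

def run_bb84(n_photons, eavesdrop, rng):
    """Send n_photons and return the sifted (alice_bits, bob_bits)."""
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        a_bit, a_basis = rng.randrange(2), rng.choice(BASES)
        bit, basis = a_bit, a_basis            # the photon in flight
        if eavesdrop:                          # intercept/resend by Eve
            e_basis = rng.choice(BASES)
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis                    # she resends what she saw, in her basis
        b_basis = rng.choice(BASES)
        b_bit = measure(bit, basis, b_basis, rng)
        if b_basis == a_basis:                 # public discussion: keep matching bases only
            alice_key.append(a_bit)
            bob_key.append(b_bit)
    return alice_key, bob_key

def error_rate(a, b):
    """Fraction of sifted positions where Alice and Bob disagree."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def parity_checks_detect(a, b, n_checks, rng):
    """Compare parities of publicly agreed random subsets; True if any parity differs."""
    for _ in range(n_checks):
        subset = [i for i in range(len(a)) if rng.randrange(2)]
        if sum(a[i] for i in subset) % 2 != sum(b[i] for i in subset) % 2:
            return True
    return False

def undetected_probability(n_checks):
    """If the strings differ at all, each random-subset parity still agrees with probability 1/2."""
    return 0.5 ** n_checks

if __name__ == "__main__":
    rng = random.Random(1984)                  # fixed seed so the run is repeatable
    for eve in (False, True):
        a, b = run_bb84(20000, eve, rng)
        print("Eve present:", eve,
              "| sifted bits:", len(a),
              "| error rate: %.3f" % error_rate(a, b),
              "| 20 parity checks raise alarm:", parity_checks_detect(a, b, 20, rng))
    print("chance Eve slips past 20 checks:", undetected_probability(20))
```

About half of the photons survive sifting, and with Eve on the line roughly a quarter of the sifted bits disagree, matching the 25 percent figure in the text.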

Quantum Privacy Attacks

Quantum cryptography obtains its fundamental security from the fact that each qubit of information is carried by a single photon, and that each photon will be altered as soon as it is read once. This foils attempts to intercept message bits without being detected.

A confounding factor in detecting attacks is the presence of noise on the quantum communication channel. Eavesdropping and noise are indistinguishable to the communicating parties, and so either can cause a secure quantum exchange to fail. This leads to two potential problems: a malicious eavesdropper could prevent communication from occurring, and attempts to operate in the expectation of noise might make eavesdropping attempts more feasible.

A variety of techniques are available for Alice and Bob to correct a small number of errors through public discussion, such as the use of error-correcting codes. But these techniques potentially leak information to Eve, who may be listening to the public discussion. Therefore, after the quantum transmission and the error-correcting discussion, Alice and Bob find themselves with what might be thought of as an impure key, a shared body of data that is only partly secret. Information on that key may have leaked to Eve at several stages. She may have gained information by splitting some flashes, by directly measuring others (she cannot do this too often, as it causes errors in Bob's data) and by listening to the public discussion between Alice and Bob. Fortunately, Alice and Bob, because they know the intensity of the light flashes and the number of errors found and corrected, can estimate how much information might have leaked to Eve through all these routes.

In itself, such an impure key is almost worthless. If it were used as a key for the Vernam cipher, for example, it might prove very insecure if the most important part of the message happened to coincide with a part of the key the eavesdropper knew. Fortunately, two of us (Bennett and Brassard), in collaboration with Jean-Marc Robert (then a student of Brassard), developed a mathematical technique known as privacy amplification. Using this technique, Alice and Bob, through public discussion, can take such a partly secret key and distill from it a smaller amount of highly secret key, of which the eavesdropper is very unlikely to know even one bit.

The essential idea of privacy amplification is for Alice and Bob, after the eavesdropping has taken place, to choose publicly a length-reducing transformation to apply to their impure key so that partial information about the input conveys almost no knowledge of the output. For example, if the input consists of 1,000 bits about which Eve knows at most 200 bits, Alice and Bob can distill nearly 800 highly secret bits as output. Fairly simple techniques can be shown to suffice, and Alice and Bob do not even need to know which partial information the eavesdropper might have about the input in order to choose a function about whose output Eve has almost no information. In particular, it suffices for Alice and Bob to define each bit of the output as the parity of an independent, publicly agreed-on random subset of the input bits, very much as they had done to gain high confidence that their raw quantum data were identical (except that now they keep the parity secret instead of publicly comparing it).

The BB84 system is now one of several types of quantum cryptosystems for key distribution. Another one involves cryptosystems with encoding built upon quantum entanglement and Bell's Theorem, proposed by Artur K. Ekert (1990). The basic idea of those cryptosystems is as follows. A sequence of correlated particle pairs is generated, with one member of each pair being detected by each party. An eavesdropper on this communication would have to detect a particle to read the signal, and retransmit it in order for his presence to remain unknown. However, the act of detection of one particle of a pair destroys its quantum correlation with the other, and the two parties can easily verify whether this has been done, without revealing the results of their own measurements, by communication over an open channel.

The problem of key security is not entirely solved by secure key distribution. Another weak point is key storage. Once Alice and Bob have established the key, they must store it until it is needed. But the longer they keep the key in, say, their secret safe, the more vulnerable it is to unauthorized inspection. Although principles of engineering may make the safe difficult to crack, the laws of physics always provide the possibility of a security breach. Surprisingly, a cryptosystem can be designed that can guarantee the security of both key distribution and storage by employing quantum correlations. The cryptosystem is based on David Bohm's version of the famous Einstein-Podolsky-Rosen (EPR) effect.

The EPR effect occurs when a spherically symmetric atom emits two photons in opposite directions toward two observers, Alice and Bob. The two photons are produced in an initial state of undefined polarization. But because of the symmetry of the initial state, the polarizations of the photons, when measured, must have opposite values, provided that the measurements are of the same type. For example, if Alice and Bob both measure rectilinear polarizations, they are each equally likely to record either a 0 (horizontal polarization) or a 1 (vertical), but if Alice obtains a 0, Bob will certainly obtain a 1, and vice versa.

The unusual and important aspect of the EPR effect is that the polarization of both photons is determined as soon as, but not before, one of the photons is measured. This happens no matter how far apart the photons may be at the time. This "classical" explanation of the EPR effect is somewhat counterintuitive, and indeed all classical explanations of the EPR effect involve some implausible element, such as instantaneous action at a distance. Yet the mathematical formalism of quantum mechanics accounts for the EPR effect in a straightforward manner, and experiments have amply confirmed the existence of the phenomenon. Employing the EPR effect, one of us (Ekert) recently devised a cryptosystem that guarantees the security of both key distribution and key storage.

State of Quantum Cryptography Technologies

Experimental implementations of quantum cryptography have existed since 1990, and today quantum cryptography is performed over distances of 30-40 kilometers using optical fibers. Essentially, two technologies make quantum key distribution possible: the equipment for creating single photons and that for detecting them.

The ideal source is a so-called photon gun that fires a single photon on demand. As yet, nobody has succeeded in building a practical photon gun, but several research efforts are under way. Jungsang Kim at Stanford University, California, and colleagues, for example, are working on a light-emitting p-n junction that produces well-spaced single photons on demand. Others are working with a diamond-like material in which one carbon atom in the structure has been replaced with nitrogen. That substitution creates a vacancy similar to a hole in a p-type semiconductor, which emits single photons when excited by a laser. Many groups are also working on ways of making single ions emit single photons. None of these technologies, however, is mature enough to be used in current quantum cryptography experiments. As a result, physicists have to rely on other techniques that are by no means perfect from a security viewpoint. Most common is the practice of reducing the intensity of a pulsed laser beam to such a level that, on average, each pulse contains only a single photon. The problem here is the small but significant probability that the pulse contains more than one photon. This extra photon is advantageous for Eve, who can exploit the information it contains without Alice and Bob being any the wiser.

Single-photon detection is tricky too. The most common method exploits avalanche photodiodes. These devices operate beyond the diode's breakdown voltage, in what is called Geiger mode. At that point, the energy from a single absorbed photon is enough to cause an electron avalanche, an easily detectable flood of current. But these devices are far from perfect. To detect another photon, the current through the diode must be quenched and the device reset, a time-consuming process. Furthermore, silicon's best detection wavelength is 800 nanometers (nm, where 1 nm = one one-billionth of a meter), and it is not sensitive to wavelengths above 1100 nm, well short of the 1300- and 1550-nm standards for telecommunication. At telecommunications wavelengths, germanium (Ge) or indium-gallium-arsenide (InGaAs) detectors must be used, even though they are far less efficient and must be cooled well below room temperature. While commercial single-photon detectors at telecommunications wavelengths are beginning to appear on the market, they still lack the efficiencies useful for quantum cryptography [9].

The distance that the key can be transmitted is also an important technical limitation. Beyond about 80 km of cable, too few photons make it from Alice to Bob. Most experts agree that a 67-km transmission achieved by a group of physicists at the University of Geneva in October 2001 is close to the maximum that can be achieved with current technology. The range could be extended by devices that strengthen the signal as it passes by, like those used to send telephone conversations over long distances. However, unlike telephone repeaters, quantum versions would have to bolster the signal without measuring the photons. Scientists have shown that creating a repeater that doesn't measure is feasible in principle, but the technology to build one is a long way off [5].

Satellites could provide an alternative means of achieving long-distance transmission. A quantum cryptography team led by physicist Richard Hughes at the Los Alamos National Laboratory in New Mexico is developing a key-distribution system that sends single photons through open air. So that the photons can be distinguished from all the others bombarding the detector, the team uses various techniques to filter the incoming light. In a recent paper, Hughes and his colleagues have described how they sent keys over a distance of 10 km with rates similar to those achieved using optical fibers. Ten kilometers is a long way short of the hundreds of kilometers between the Earth's surface and satellites, but because air turbulence, the factor that most disrupts the photons, occurs predominately in the lower 2 km of the atmosphere, Hughes believes his system should be able to send signals to satellites.

The team is now trying to make the receiver light and sturdy enough to fit in a satellite and survive a rocket launch. Combined with optical fibers, satellites could eventually form part of a long-distance transmission system. In the shorter term, the technology might help to protect the security of satellite television broadcasts. In one such breach, a hacker known as Captain Midnight interrupted a 1986 broadcast by HBO (the Home Box Office company) and sent over half of the company's customers a five-minute broadcast of a message complaining about the firm's new subscription charges.
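Privacy amplification, described in the Quantum Privacy Attacks section above as taking each output bit to be the secret parity of a publicly agreed random subset of the input bits, can be checked with linear algebra over GF(2). The following is an added example, not code from the original text: it assumes Eve's knowledge is exactly 200 known bit positions of a 1,000-bit key with the remaining bits uniformly random to her, takes 780 output bits as a stand-in for "nearly 800", and uses hypothetical function names.

```python
import random

def parity(x):
    """Parity of the set bits of an integer."""
    return bin(x).count("1") & 1

def agree_subsets(n_in, n_out, rng):
    """Publicly agreed random subsets of the input bits, one n_in-bit mask per output bit."""
    return [rng.getrandbits(n_in) for _ in range(n_out)]

def amplify(key, masks):
    """Output bit j is the (secret) parity of the key bits selected by mask j."""
    return [parity(key & m) for m in masks]

def gf2_rank(rows):
    """Rank over GF(2) of rows held as integer bitmasks (XOR Gaussian elimination)."""
    pivots = {}                               # leading bit position -> reduced row
    for r in rows:
        while r:
            lead = r.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = r
                break
            r ^= pivots[lead]                 # clear the leading bit and keep reducing
    return len(pivots)

def parities_eve_can_compute(masks, known_mask, n_in):
    """Count independent parities of OUTPUT bits that follow from the known input bits alone.

    A combination of output bits is computable by Eve exactly when the XOR of
    its masks touches no unknown input bit, so the count is the number of masks
    minus the rank of the masks restricted to the unknown positions. A result
    of 0 means every output bit, and every combination of them, looks like a
    fair coin to her.
    """
    unknown = ((1 << n_in) - 1) ^ known_mask
    return len(masks) - gf2_rank([m & unknown for m in masks])

def demo(n_in=1000, n_known=200, n_out=780, seed=1992):
    """Constructed scenario: returns (distilled key bits, parities Eve can compute)."""
    rng = random.Random(seed)
    key = rng.getrandbits(n_in)               # the impure key shared by Alice and Bob
    known_mask = sum(1 << p for p in rng.sample(range(n_in), n_known))
    masks = agree_subsets(n_in, n_out, rng)   # announced over the public channel
    return amplify(key, masks), parities_eve_can_compute(masks, known_mask, n_in)

if __name__ == "__main__":
    distilled, leaked = demo()
    print("distilled bits:", len(distilled), "| parities known to Eve:", leaked)
    # Without amplification (each output bit is one input bit) her 200 bits stay known.
    rng = random.Random(1)
    known = sum(1 << p for p in rng.sample(range(1000), 200))
    identity = [1 << i for i in range(1000)]
    print("no amplification, parities known to Eve:",
          parities_eve_can_compute(identity, known, 1000))
```

Alice and Bob never need to know which positions Eve holds: the subsets are chosen at random, and the rank test is only the analyst's way of confirming that the compression left her nothing.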

QUANTUM CRYPTO DETECTORS CRACKED BY RESEARCHERS

Researchers at Norwegian and German institutes claim to have successfully cracked the quantum cryptography equipment used to cloak high-sensitive communications by banks and defence agencies. The researchers said they had remotely controlled the photon detectors used in commercially available photodiode quantum cryptography systems. This allowed them to eavesdrop on communications, the researchers said in a letter to Nature Photonics.

"The security of quantum cryptography relies on quantum physics but not only on that. It must also be properly implemented," said Gerd Leuchs of the University of Erlangen-Nürnberg in a statement on Sunday. "This fact was often overlooked in the past."

Quantum cryptography relies on Heisenberg's uncertainty principle that observation of quantum particles alters their behaviour to reveal eavesdropping. Quantum key distribution (QKD) uses entangled quantum bits to exchange secure keys to a cipher. Most QKD systems use avalanche photodiodes, which are semiconductors that convert light to electricity.

In the attack, the researchers used bright illumination to dazzle the photon detectors. The detectors were fooled by classical laser pulses superimposed over the quantum signal. The subverted QKD systems were the id3110 Clavis2 by vendor ID Quantique, and the QPN 5505, from MagiQ Technologies. According to the researchers, the attack will work for most QKD systems that use avalanche photodiodes.

The researchers said on a how-to page that they had disclosed their findings to the affected vendors seven months ago. ID Quantique has developed and tested a countermeasure, according to the researchers.

The research team (Lars Lydersen, Carlos Wiechers, Christoffer Wittmann, Dominique Elser, Johannes Skaar, and Vadim Makarov) are from the Norwegian University of Science and Technology (NTNU), the University of Erlangen-Nürnberg, and the Max Planck Institute for the Science of Light in Erlangen.

CONCLUSION AND FUTURE SCOPE

Quantum cryptography promises to revolutionize secure communication by providing security based on the fundamental laws of physics, instead of the current state of mathematical algorithms or computing technology. The devices for implementing such methods exist and the performance of demonstration systems is being continuously improved. Within the next few years, if not months, such systems could start encrypting some of the most valuable secrets of government and industry.

Future developments will focus on faster photon detectors, a major factor limiting the development of practical systems for widespread commercial use. Chip Elliott, BBN's principal engineer, says the company is working with the University of Rochester and NIST's Boulder Laboratories in Colorado to develop practical superconducting photon detectors based on niobium nitride, which would operate at 4 K and 10 GHz.

The ultimate goal is to make QKD more reliable, integrate it with today's telecommunications infrastructure, and increase the transmission distance and rate of key generation. Thus the long-term goals of quantum key distribution are the realistic implementation via fibers, for example, for different buildings of a bank or company, and free space key exchange via satellites. Quantum cryptography already provides the most advanced technology of quantum information science, and is on the way to achieve the (quantum) jump from university laboratories to the real world.

124. A. pp. pp. Systems and Signal Processing. M. in Proceedings of the IEEE International Conference on Computers. Ekert. A. 69. Brassard. Peterson. 661 (1991). Bennett. 1293 (1992). 11. http://www. E. IEEE Spectrum.htm (K. 257. Los Alamitos. P. J.com/~goldwate/quantum. p. 4. Moore. New Journal of Physics. Nordholt. Hughes. Proceedings of the 35th Annual Symposium on the Foundations of Computer Science (IEEE Computer Society. 7. http://www. 50-57. CA. 12. "Quantum Cryptography: Uncertainty in the Service of Privacy". and G. R. Physical Review Letters. 10. Palma. S. K. J. R. Technical Report. 270-272. Science. IT-22. 8. October 1992.BIBLIOGRAPHY 1. 7 August 1992.edu/mon/ElectronicProperty/klamond/CCard. "Credit Card Transactions: Real World and Online") 5. J. back to article 6. E. Lamond. 3. Tapster. Ekert. D. 752-753. Goldwater. "On Digital Signatures and Public-Key Cryptosystems".. "Quantum Cryptography: Uncertainty in the Service of Privacy". C. C. vol. Klarreich. 4. Bennett and G. and Adleman L. IEEE Transactions on Information Theory. 752-753. C.html (S. C. 43 (2002).W. Ekert.. "Quantum Cryptography and Privacy Amplification") 9. Bennett. Shamir A. E. pp. 1994). Shor. May 2002. H. 14. G. Rarity. Brassard. 418. MIT Laboratory for Computer Science. "Quantum Cryptography". pp. K. Diffie and M. P. . IEEE. MIT/LCS/TR-212 (January 1979). Bennett. vol. G. 18 July 2002. and C. K. Scientific American. Hellman. Nature. Derkacs.ai. and A. G. pp. Physical Review Letters. H. H. Science. New York (1984).. 67. 644-654 (1977). 13. 2. Rivest R.sri.virtualschool. vol. K. W. H. 257. 7 August 1992.
