Title: From Quantum Cheating to Quantum Security
1 From Quantum Cheating to Quantum Security
Hoi-Kwong Lo
Department of Physics
Department of Electrical & Computer Engineering (ECE)
University of Toronto
URL: http://www.comm.utoronto.ca/hklo/
Email: hklo_at_comm.utoronto.ca
2 List of most frequently asked questions
1. What is quantum information processing?
2. What is quantum information?
3. What can quantum codebreaking do?
4. What can quantum codemaking do?
5. What can quantum codemaking NOT do?
3 What is Quantum Information Processing?
Synthesis of quantum mechanics with other subjects.
4 What is Quantum Information?
Classical Information: Bit: 0 or 1. Remark: classical information can be regarded as a special case of quantum information.
Quantum Information: Qubit (quantum bit): superposition of 0 and 1, with coefficients that are complex numbers [the state itself was not extracted].
Qubit: any two-level quantum system, e.g. an electron with spin (the two spin states labelled 0 and 1) or a photon with polarization (the two polarization states labelled 0 and 1). Note that a general state is in a superposition of 0 and 1.
Remark: There exist quantum data compression, quantum error correction, etc.
5 Aside: Classical vs Quantum Computation
Elementary Classical Operations: logical operations AND, OR, NOT, etc.
Elementary Quantum Operations: a) single-qubit operations (rotations); b) two-qubit operations, e.g. quantum controlled-NOT (XOR).
Schematic representation of a quantum computation. Steps: 1) preparation, 2) evolution, 3) measurement.
[Figure: circuit diagram along a time axis; input 000, a sequence of measurements, output 110]
6 Quantum cryptanalysis
1. Quantum efficient factoring (Shor 1994)
A quantum computer can efficiently factorize large integers, thus breaking RSA. More generally, Shor's algorithm can break cryptosystems based on the discrete log problem and elliptic curves.
If a quantum computer is ever built, much of public-key cryptography will fall apart!
7 Mathematical structure behind Shor's algorithm
Remark: All those problems can be rephrased as an Abelian Hidden Subgroup Problem. Given a finite group G, a set S and a mapping f : G → S with the promise that f(g1) = f(g2) iff g1 and g2 are in the same coset of H, where H is some (hidden) Abelian subgroup of G, the goal is to find H.
Remark: Quantum computers can efficiently solve the Abelian Hidden Subgroup Problem. Whether they can efficiently solve the non-Abelian Hidden Subgroup Problem is a big open question in quantum algorithms.
8 Quantum cryptanalysis (cont'd.)
Grover's search algorithm: finding a needle in a haystack. Given an unstructured database of N objects, how many searches are needed on average to find the correct object?
Mathematically: given a function f : X → {0,1} with the promise that f(x) = 1 if x = y for a unique y, and 0 otherwise, find y.
Classically, clearly O(N) searches are needed. Surprisingly, quantum mechanically, only O(√N) searches are needed.
Remark: Grover's algorithm can be used for an exhaustive search, for example an exhaustive key search for DES (Data Encryption Standard) or AES (Advanced Encryption Standard). Therefore, a quantum computer can dramatically speed up the breaking of AES. (Remedy: doubling the key length.)
9 Properties of Quantum Information
10 Conjugate observables
[Figure: polarization states labelled 0 and 1 in the rectilinear basis, and 0 and 1 in the diagonal basis]
It is fundamentally IMPOSSIBLE to determine the polarization of a single photon in the two bases simultaneously. (The two self-adjoint operators representing the two observables do NOT commute. Therefore, they cannot be simultaneously diagonalized, and it makes no sense to talk about their simultaneous eigenvectors.)
11 Corollary: Quantum No-cloning Theorem
[Figure: cloning an unknown state a into two copies of a, marked IMPOSSIBLE]
An unknown quantum state CANNOT be cloned! Proof: If it were possible to clone an unknown quantum state, by repeating the cloning operation one could measure two conjugate observables simultaneously, which is forbidden in quantum mechanics.
12 Defeating counterfeiters with unclonable quantum checks (Wiesner)
[Figure: Quantum Check, serial number 1011010, carrying a sequence of polarized photons (up, left, right, down, left, up)]
Quantum checks are impossible to counterfeit without basis information.
13 CONVENTIONAL CRYPTOGRAPHY
[Figure: military and diplomatic applications and secure e-business and e-commerce rest on cryptography, which rests on computational assumptions (e.g. factoring is hard)]
14 What is wrong with conventional cryptography?
Unanticipated advances in hardware and algorithms.
Quantum codebreaking: quantum computers can efficiently factor large numbers (exponential speedup!), thus breaking RSA, the best-known encryption scheme. (Shor 1994)
"If a quantum computer is ever built, much of conventional cryptography will fall apart!" (Brassard)
15 Forward security?
Trade secrets and US government secrets are kept as secrets for decades. A big problem RIGHT NOW: if an adversary can factor in 2018, she can then decrypt all traffic sent in 2003.
17 QUANTUM CRYPTOGRAPHY
[Figure: the same military, diplomatic, e-business and e-commerce applications rest on cryptography, which now rests on quantum mechanics instead of computational assumptions]
18 Quantum Cryptography
Two potential applications: quantum key distribution (QKD); quantum bit commitment.
19 Key Distribution Problem
[Figure: Alice holds the encryption key, Bob the decryption key]
If Alice and Bob share a common long random secret string, then encryption is secure. (Shannon 1949) QUESTION: How to transfer the key?
20 Classical Key Distribution
[Figure: Eve's copying machine sits on the channel to Bob; a classical key is representable as a string of numbers, 01101...]
All CLASSICAL key distribution schemes are fundamentally INSECURE.
21 Quantum Key Distribution
[Figure: cloning a state a, marked IMPOSSIBLE]
Quantum No-cloning Theorem: quantum information cannot be copied. An eavesdropper Eve will be unable to copy a quantum key without changing it.
22-23 Quantum key distribution (QKD)
Absolute security based on fundamental laws of quantum mechanics, rather than computational assumptions.
Allows two persons who share a small amount of authentication information to communicate in absolute security in the presence of an eavesdropper.
Any eavesdropping attack will essentially always be caught.
[Figure: Alice and Bob; when Eve taps the channel, both sides raise an intrusion alert]
24 The DARPA Quantum Network
[Figure: two private enclaves exchange encrypted traffic via the Internet; end-to-end key distribution runs over QKD endpoints, QKD switches, a QKD repeater and an ultra-long-distance fiber]
Borrowed from BBN's website.
25 Procedure of standard BB84 QKD scheme
Step 5: Test for tampering by random sampling and computing the quantum bit error rate. If the error rate is OK, apply error correction and privacy amplification. Otherwise, abort.
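A simulation of the sifting and tampering test of step 5 above, written here as an added example (it is not code from the talk). It assumes a noiseless channel, an intercept-resend eavesdropper who measures each photon in a guessed basis and re-sends her result, and an 11% abort threshold.

```python
import random

RECT, DIAG = 0, 1  # the two conjugate polarization bases (rectilinear, diagonal)


def measure(bit, prep_basis, meas_basis, rng):
    """Measuring in the preparation basis recovers the bit; measuring in the
    conjugate basis yields a uniformly random outcome (conjugate observables)."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def run_bb84(n, eve_present, sample_frac=0.5, seed=1):
    """Send n photons over a noiseless channel, sift, and estimate the QBER on a
    random sample (BB84 step 5). Returns (qber, alice_key, bob_key)."""
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n)]
    alice_bases = [rng.choice((RECT, DIAG)) for _ in range(n)]
    bob_bases = [rng.choice((RECT, DIAG)) for _ in range(n)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eve_present:
            # Intercept-resend model: Eve cannot clone the photon, so she
            # measures in a guessed basis and re-sends what she saw. Whenever
            # her guess is wrong, the re-sent photon is in the wrong basis for
            # Bob, which shows up as errors in the sifted key.
            e_basis = rng.choice((RECT, DIAG))
            bit, a_basis = measure(bit, a_basis, e_basis, rng), e_basis
        bob_bits.append(measure(bit, a_basis, b_basis, rng))
    # Sifting: bases are announced publicly; keep positions where they agree.
    sifted = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    # Step 5: sacrifice a random subset of the sifted key to estimate the QBER.
    sample = set(rng.sample(sifted, int(sample_frac * len(sifted))))
    if not sample:
        raise ValueError("not enough sifted bits to test for tampering")
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample)
    alice_key = [alice_bits[i] for i in sifted if i not in sample]
    bob_key = [bob_bits[i] for i in sifted if i not in sample]
    return qber, alice_key, bob_key


def bb84_session(n, eve_present, threshold=0.11, seed=1):
    """Abort (intrusion alert) if the QBER exceeds the tolerable threshold.
    The 11% threshold is an assumption made for this illustration."""
    qber, alice_key, bob_key = run_bb84(n, eve_present, seed=seed)
    if qber > threshold:
        return {"status": "abort", "qber": qber}
    return {"status": "ok", "qber": qber,
            "key_len": len(alice_key), "keys_agree": alice_key == bob_key}


if __name__ == "__main__":
    print("no eavesdropper:", bb84_session(4000, eve_present=False))
    print("intercept-resend:", bb84_session(4000, eve_present=True))
```

With no eavesdropper the QBER is exactly zero on a noiseless channel; with intercept-resend on every photon it is about 25%, which is why the tampering test catches the attack.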
26 Experimental QKD
Quantum key distribution is feasible with current technology.
Over telecom fibers: about 67 km (LANL, BT (now Corning), Geneva). Distance limitation: need quantum repeaters.
Open-air experiment (about 23 km).
Proposal for ground-to-satellite experiments.
27 Proposed ground-to-satellite QKD experiment
28 Long-term vision of a global quantum network
Fibers for long-haul quantum communications.
29 Is QKD secure?
"The most important question in quantum cryptography is to determine how secure it really is." (Gilles Brassard and Claude Crépeau)
Problems: a) Real channels are all NOISY. Eve may try to disguise herself as noise. b) Eve can perform ANY attack consistent with quantum mechanics. c) A priori, classical probabilistic arguments do NOT work because of the well-known Einstein-Podolsky-Rosen (EPR) paradox.
30 Proof of unconditional security of quantum key distribution (QKD)
Mayers, quant-ph/9802025, Los Alamos preprint archive 1998; preliminary version in Crypto '96.
Lo and Chau, Science 283, 2050 (1999).
Biham et al., in Proceedings of the Symposium on the Theory of Computing, STOC 2000, p. 715.
Ben-Or, to appear.
Shor and Preskill, Phys. Rev. Lett. 85, 441 (2000).
Gottesman and Lo, http://xxx.lanl.gov/abs/quant-ph/0105121
Inamori, Lutkenhaus and Mayers, quant-ph/0107017, Los Alamos preprint archive 2001. (Considers imperfect photon sources, channel loss and imperfect detectors.)
33 Techniques of proof
1) REDUCTION to a Noiseless Quantum Problem (tool: Fault-Tolerant Quantum Computation).
2) REDUCTION of the Noiseless Quantum Problem to a Noiseless Classical Problem (tool: Use Commuting Observables).
3) Use Classical Probability Theory.
34 Innovation of Lo-Chau's proof
Innovation: Apply CLASSICAL probability theory to solve a QUANTUM problem. (Not obvious because of the well-known EPR paradox. Did not seem like a promising approach, at first sight.)
Solution: Construct COMMUTING observables. (Mathematically, commuting Hermitian matrices have simultaneous eigenvectors.) This works even when those observables are nonlocal.
Remark: The hard part is the actual construction.
Example: [first operator] commutes with [second operator], even though they are both nonlocal. Conclusion: One can safely assign CLASSICAL probabilities to them.
35 Tolerable Bit Error Rates
Question: Under what operating parameters will BB84 be secure?
[Table: proof vs. tolerable (quantum) bit error rate; the values were in the original slide] Cf. upper bound 25%.
Significance of our result:
1) Practical: a) extend the distance of secure QKD; b) higher key generation rate; c) proved security of standard schemes, e.g. Cascade.
2) Conceptual: a) demonstrate the advantage of using two-way classical communications in the classical post-processing of data generated in QKD; b) introduce a new class of quantum codes.
36 Quantum Error Correction
A well-known class of quantum codes is the Calderbank-Shor-Steane (CSS) codes. Consider two binary linear codes, C1 and C2, of length n such that C2 is a subcode of C1, and C1 and the DUAL of C2 can each correct up to t errors. Then one can define a QUANTUM error-correcting code that can correct up to t general quantum errors in a quantum communication channel. The resulting quantum code is called a CSS code.
37 Quantum Key Distribution
[Figure: Alice, Bob and Eve]
38 Beyond Quantum Key Distribution
[Figure: Alice and Bob, each marked 666]
39 Age Problem
[Figure: Alice says "I'm X years old"; Bob says "I'm Y years old"]
How to find out whether x > y without disclosing the exact values of x and y to each other?
40 Impossibility of Quantum Bit Commitment
Old belief: The Age Problem can be solved through a basic primitive called quantum bit commitment.
Surprising result (Mayers '96, Lo and Chau '96): Unconditionally secure quantum bit commitment is IMPOSSIBLE.
41 Aside: What is bit commitment?
1. Commit phase [Figure: Alice picks 0 or 1 and sends a commitment to Bob]
2. Opening phase
Alice can prove to Bob that she made up her mind during the commit phase and cannot change it. Yet Bob does not know her choice until the opening phase.
42 Generality of the proof of impossibility of quantum bit commitment
Any quantum/classical hybrid protocol can be equivalently described by a purely quantum protocol. (Analogy: any expression involving both real and complex numbers can be evaluated using complex analysis. There is no need to switch back and forth between real and complex analyses.)
44 WHAT IS THE BOUNDARY? WHY IS THERE SUCH A BOUNDARY?
DOABLE: Quantum Key Distribution (No-cloning Theorem): Mayers; Lo and Chau; Biham et al.; Ben-Or; Shor and Preskill.
IMPOSSIBLE: Quantum bit commitment, quantum oblivious transfer (quantum cheating using the Einstein-Podolsky-Rosen effect): Mayers; Lo and Chau; Lo.
Unclonable quantum encryption (Gottesman, Chuang).
Quantum coin tossing (Kitaev 2002).
45-46 What is the physics?
Classical Description (Classical Probability Theory): Simple.
Quantum/Classical Hybrid Description: COMPLEX.
Quantum Description (Unitary Description): Simple.
Reduction from the hybrid description to a purely quantum description: always possible. Reduction from the quantum description to a classical one: construct commuting observables.
Classical information can be regarded as a special case of quantum information.
47 Prologue: Model real-life QKD systems
1) All models of QKD are idealizations of real-life systems. A real-life QKD system is a complex system with many degrees of freedom.
2) Imperfections: imperfect single-photon sources; lossy channels; imperfect single-photon detection efficiency; detector dark counts; Trojan Horse attacks; denial-of-service attacks.
How to quantify (theoretically and experimentally) small imperfections and ensure security in the presence of those imperfections?
How to perform secure QKD with REALISTIC amounts of computational power, communication bandwidth and random number generation rate?
Cf. Mayers and Yao, quant-ph/9809039; Inamori, Lutkenhaus and Mayers, quant-ph/0107017; Gottesman, Lo, Lutkenhaus and Preskill, quant-ph/0212066.
48 Open Question: Quantum version of Shannon's channel coding theorem?
How to compute the channel capacity of a quantum channel for transmitting classical information? And for transmitting quantum information?
Remark: While many different types of channel capacities have been formally defined, the analog of Shannon's channel coding theorem remains UNPROVEN in the quantum case.
49 Perspectives
There is only one information theory. QUANTUM INFORMATION THEORY is the natural generalization of classical information theory; classical information theory can be regarded as a special case of quantum information theory.
In the same way that the theory of complex numbers simplifies the theory of real numbers and makes it complete, quantum information theory makes classical information theory complete.
51 List of most frequently asked questions
1. What is quantum information processing? Synthesis of quantum mechanics with other subjects.
2. What is quantum information? Use superposition and manipulate quantum states.
3. What can quantum codebreaking do? Break standard encryption schemes including RSA.
4. What can quantum codemaking do? Secure communications using unbreakable quantum key distribution.
5. What can quantum codemaking NOT do? Protect private information during public discussion, e.g. the Age Problem.
52 Survey Paper
Gottesman and Lo, "From quantum cheating to quantum security", Physics Today, Nov. 2000, p. 22. www.physicstoday.org/pt/vol53/iss11/p22.html
Recent paper: Gottesman and Lo, "Security of Quantum Key Distribution with two-way classical communications", IEEE Transactions on Information Theory, Vol. 49, No. 2, p. 457, Feb. 2003.
53 Students/Postdocs Wanted
For a combined study in the theory and implementation of quantum key distribution: from foundations of security, modeling of physical devices and protocol design to software/hardware implementations. Please contact Hoi-Kwong Lo (hklo_at_comm.utoronto.ca), www.comm.utoronto.ca/hklo
54 Quantum cheating using the Einstein-Podolsky-Rosen effect
Quantum objects can exhibit correlations that are stronger than what is allowed by any local classical model.
[Figure: a spin-0 object decays into two spin-1/2 objects]
When a spin-0 object decays into two spin-1/2 objects, from conservation of momentum the two resulting objects exhibit perfect anticorrelations. Individual measurement outcomes: RANDOM. Relative measurement outcomes: OPPOSITE. Appearance of faster-than-light transmission; this does not violate causality because the outcomes are random.
55 Main step of Shor's algorithm
Note that the factoring problem can be reduced to a periodicity problem. Given an RSA number N = pq and a random x coprime with N, suppose one can find the order r of x, i.e. the smallest r such that x^r ≡ 1 (mod N). Compute gcd(x^{r/2} - 1, N). This fails to give a factor of N only if either r is odd or x^{r/2} ≡ -1 (mod N). It can be shown that the algorithm finds a factor of N with probability at least 1/4.
Surprisingly, a quantum algorithm can find the periodicity of x efficiently (because quantum computers allow interference).
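The classical part of the reduction above, as an added example (not code from the talk): order finding is done by brute force here, standing in for the quantum period-finding step, and the gcd post-processing with its two failure cases is run on small constructed moduli such as 15 and 21.

```python
import random
from math import gcd


def multiplicative_order(x, N):
    """Order r of x mod N: the smallest r >= 1 with x^r = 1 (mod N).
    Brute force (exponential in the size of N); this is the one step that a
    quantum computer performs efficiently by period finding."""
    if gcd(x, N) != 1:
        raise ValueError("order is only defined for x coprime with N")
    r, acc = 1, x % N
    while acc != 1:
        acc = (acc * x) % N
        r += 1
    return r


def factor_from_order(x, N):
    """Classical post-processing of the order: gcd(x^{r/2} - 1, N).
    Returns a non-trivial factor pair, or None in the two failure cases the
    slide names."""
    r = multiplicative_order(x, N)
    if r % 2 == 1:
        return None                      # failure case 1: r is odd
    y = pow(x, r // 2, N)
    if y == N - 1:
        return None                      # failure case 2: x^{r/2} = -1 (mod N)
    p = gcd(y - 1, N)
    return (p, N // p) if 1 < p < N else None


def shor_classical(N, tries=100, seed=0):
    """Repeat with random x until a factor appears; each try succeeds with
    probability at least 1/4 according to the slide."""
    rng = random.Random(seed)
    for _ in range(tries):
        x = rng.randrange(2, N)
        g = gcd(x, N)
        if g != 1:                       # x not coprime: g is already a factor
            return tuple(sorted((g, N // g)))
        result = factor_from_order(x, N)
        if result is not None:
            return tuple(sorted(result))
    return None


if __name__ == "__main__":
    print("order of 7 mod 15:", multiplicative_order(7, 15))
    print("15 =", shor_classical(15), " 21 =", shor_classical(21))
```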
56 Quantum Cryptography
My contributions (theory; asymptotic results): proof of unconditional security of quantum key distribution (QKD); efficient classical post-processing protocols for QKD; impossibility of quantum bit commitment.
Future directions (PRACTICE; finite-size codes): develop the classical post-processing layer of QKD; design practical protocols for classical post-processing of QKD; model real-life QKD systems; study eavesdropping attacks; work with others to construct a QKD testbed with all layers (optical, classical post-processing and application) included.
57 Design practical protocols for classical post-processing of QKD
Remark: Privacy amplification is a new concept in classical coding theory (the dual of error correction).
Finite-size codes (convolutional codes or block codes?): security proofs usually deal with an infinitely long key. In practice, it is necessary to consider a final key of finite length, and fluctuations become very important.
Constraints: limited REAL random number generator rate; limited computational power; limited memory space; limited classical communication bandwidth; need for REAL-TIME (hardware?) implementation; cost.
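A worked check of what privacy amplification buys, added here as an example (not code from the talk): a Toeplitz universal hash compresses a sifted key, and at a toy size (6 bits hashed to 3, so every key consistent with Eve's knowledge can be enumerated) the code measures how uniform the final key is from Eve's viewpoint. The matrix and Eve's known bits are constructed values.

```python
from itertools import product
from math import log2


def toeplitz_hash(key, diag, m):
    """Compress an n-bit key to m bits with the Toeplitz matrix whose entry
    T[i][j] is diag[i - j + n - 1] (diag holds m + n - 1 bits). Toeplitz
    matrices form a universal hash family, the usual choice for privacy
    amplification."""
    n = len(key)
    if len(diag) != m + n - 1:
        raise ValueError("diag must hold m + n - 1 bits")
    return tuple(
        sum(diag[i - j + n - 1] & key[j] for j in range(n)) % 2 for i in range(m)
    )


def final_key_min_entropy(n, m, diag, known):
    """How secret is the m-bit final key from Eve's point of view?
    `known` maps key positions to bit values Eve has learnt (e.g. from a partial
    attack or from the public error-correction messages). Enumerate every sifted
    key consistent with her knowledge, hash each one, and return the min-entropy
    of the resulting distribution: m bits means the final key is perfectly
    uniform given everything Eve knows."""
    unknown = [j for j in range(n) if j not in known]
    counts = {}
    for free_bits in product((0, 1), repeat=len(unknown)):
        key = [0] * n
        for j, b in known.items():
            key[j] = b
        for j, b in zip(unknown, free_bits):
            key[j] = b
        h = toeplitz_hash(key, diag, m)
        counts[h] = counts.get(h, 0) + 1
    total = 2 ** len(unknown)
    return -log2(max(counts.values()) / total)


# Constructed toy instance: 6 sifted bits hashed down to 3 with one fixed matrix.
N_SIFTED, M_FINAL = 6, 3
DIAG = [0, 0, 1, 1, 1, 0, 0, 0]

if __name__ == "__main__":
    # Eve knows bits 0-2: the matrix restricted to bits 3-5 has full rank, so
    # the final key is uniform from her view (3.0 bits of min-entropy).
    print(final_key_min_entropy(N_SIFTED, M_FINAL, DIAG, {0: 1, 1: 0, 2: 1}))
    # Eve knows bits 3-5: the restriction to bits 0-2 has rank 2, so one bit of
    # the "final" key is still determined by what she knows (2.0 bits).
    print(final_key_min_entropy(N_SIFTED, M_FINAL, DIAG, {3: 1, 4: 1, 5: 0}))
```

For a linear hash the final key is uniform given Eve's bits exactly when the hash restricted to the bits she does not know has full rank; choosing the Toeplitz matrix at random (and compressing enough) makes that the overwhelmingly likely case, which is the content of the leftover hash lemma.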
58 Model real-life QKD systems
1) All models of QKD are idealizations of real-life systems. A real-life QKD system is a complex system with many degrees of freedom.
2) Imperfections: imperfect single-photon sources; lossy channels; imperfect single-photon detection efficiency; detector dark counts; Trojan Horse attacks; denial-of-service attacks.
How to quantify (experimentally) small imperfections and ensure security in the presence of those imperfections?
59 Study eavesdropping attacks
The best way to build a secure cryptographic system is to try hard to break it. Need to study theoretically and experimentally the feasibility and power of various eavesdropping attacks: beam-splitting attacks, unambiguous state determination, Trojan Horse attacks, etc.
60 Future directions in other layers
1. Optical layer: integrated optics? single-photon sources; single-photon detecting modules; low-loss fibers; quantum switches; quantum repeaters.
2. Application layer: how to use the key? One-time-pad encryption? Network multicasting? Applications beyond key distribution?
3. System control issues: what are the states of a QKD system? How to recover a system after eavesdropping attacks? How to share the small initial authentication key?
61 Summary
1. What is quantum information processing? Synthesis of quantum mechanics with information processing.
2. What can quantum codebreaking do? Break standard encryption schemes including RSA.
3. What can quantum codemaking do? Secure communications using unbreakable quantum key distribution (QKD).
4. What can quantum codemaking NOT do? Protect private information during discussions (the Age Problem).
5. What are my future directions? Design practical protocols for classical post-processing of data generated by QKD. Model real-life QKD systems. Study eavesdropping attacks. Construct a testbed QKD by integrating the optical, classical post-processing and application layers.
62 Selected Original Papers
Impossibility of bit commitment and oblivious transfer:
H.-K. Lo and H. F. Chau, Phys. Rev. Lett. 78, 3410 (1997).
H.-K. Lo and H. F. Chau, Physica D 120, 177 (1998).
H.-K. Lo, Phys. Rev. A 56, 1154 (1997).
Security proof of quantum key distribution:
H.-K. Lo and H. F. Chau, Science 283, 2050 (1999).
Towards practical QKD:
D. Gottesman and H.-K. Lo, http://xxx.lanl.gov/abs/quant-ph/0105121
H.-K. Lo, http://xxx.lanl.gov/abs/quant-ph/0201030
63 Three layers of QKD
[Figure: Alice and Bob, each running the same three layers]
Application layer: consumes the secret key delivered by the layer below and protects the data.
Classical Post-Processing Layer: error correction, privacy amplification, authentication, etc.; takes raw key, basis info, etc. from the layer below.
Optical Layer: RNG (random number generator), sender optics on Alice's side, receiver optics on Bob's side.
64 Efficient classical post-processing protocols for QKD
[Figure: EPP with one-way communications (modified Lo-Chau protocol) → Shor-Preskill → BB84, using CSS codes; EPP with two-way communications → ?? → BB84]
Remark: EPP is a generalization of quantum error-correcting codes.
Motivations: 1) Entanglement purification protocols (EPPs) with two-way classical communications are known to be more powerful than those with only one-way communication (Bennett, DiVincenzo, Smolin and Wootters; see also Deutsch et al.). 2) To prove unconditional security of standard protocols such as "Cascade".
65 Efficient classical post-processing protocols for QKD
[Figure: Modified Lo-Chau Protocol (with only one-way classical communications) → Shor-Preskill → BB84 (essentially Mayers' proof), using CSS codes]
66 Security of QKD (Intuition)
A single photon cannot be split. Its polarization cannot be cloned. (Quantum No-Cloning Theorem; Heisenberg Uncertainty Principle.) Therefore, the eavesdropper CANNOT have the same quantum information that Bob has.
[Figure: cloning a state a, marked IMPOSSIBLE]
67 Experimental Implementations
Current status: small-scale implementations. Entanglement of four atoms. Factoring 15 = 3 x 5 in nuclear magnetic resonance machines.
Proposals for scalable quantum computers: ion traps, cavity quantum electrodynamics, nuclear magnetic resonance (NMR), optical lattices, superconducting qubits, silicon-based proposal, electrons flowing on helium, ...
68 Towards scalable quantum computers III
Book: Scalable Quantum Computers, edited by Braunstein and Lo.
69 Towards scalable quantum computers
Proposals: 1. Ion traps; 2. Cavity quantum electrodynamics; 3. Nuclear magnetic resonance (NMR); 4. Optical lattices; 5. Superconducting qubits; 6. Silicon-based proposals; 7. Electrons flowing on helium; 8. ...; 9. ...
70 Towards scalable quantum computers IV
Summary: Primitive (small-scale) quantum computing has successfully been performed in experiments. Large-scale experimental quantum computing is extremely challenging, but this has not deterred researchers from working on the subject. "Success of quantum computing depends on efforts, not time." (Eli Yablonovitch, UCLA)
71 Research activities in quantum information processing
Industries: MagiQ, AT&T, Bell Labs, IBM, Microsoft, ...
Universities: too many to list (e.g. Caltech, MIT, Stanford, Princeton, UC Berkeley, UCLA, UC Santa Barbara, ...).
National labs: NIST, Los Alamos.
Funding agencies: DARPA, ARO, NSA, NIST, NASA, ... (In the US alone, public government funding is over 50 million per year.)
Motivation: go beyond the demise of Moore's law. Quantum information processing as the second phase of the IT revolution.
72 What is oblivious transfer?
Alice sends two pieces of information to Bob. Bob can choose to learn only one of the two pieces, NOT both. Alice does not know which piece of information Bob has learnt. For example, Alice sends her age and height to Bob. Bob can learn either Alice's age or her height, but not both.
73 Advances in quantum crypto