1. Field of the Invention
The present disclosure relates to methods and systems to secure communications and, more particularly, to methods and systems to secure communications of encrypted data using quantum cryptography, including to employ embedded authentication keys to inherently authenticate users during error detection and/or privacy amplification portions of a Quantum Key Distribution (QKD) protocol.
2. Description of the Related Art
Quantum cryptography is the use of quantum systems to do cryptographic tasks. A well-known example is quantum key distribution (QKD), which uses quantum mechanics to guarantee secure communication. It enables two parties to produce a shared random bit string known only to them which can be used as a key to encrypt and decrypt messages.
An important and unique property of quantum cryptography is the ability of the two communicating users to detect the presence of any third party trying to gain knowledge of the key. This is due to a fundamental aspect of quantum mechanics: the process of measuring a quantum system in general disturbs the system. A third party trying to eavesdrop on the key must in some way measure it, thus introducing detectable anomalies.
By using quantum super-positions or quantum entanglement and transmitting information in quantum states, a communication system may be implemented to detect eavesdropping. If the level of eavesdropping is below a certain threshold, a secure key may be produced for which the eavesdropper has insufficient or no information. Otherwise, generation of a secure key may not be possible and communication may be aborted.
Quantum cryptography is used to produce and distribute a key to authenticated users, not to transmit subsequent message data. The key may be used with an encryption algorithm to encrypt and decrypt the message data. The encrypted message data may be transmitted over a conventional unsecured communication channel. Conventional QKD encryption algorithms include a one-time pad.
Quantum communication involves encoding information in quantum states, or qubits, such as quantum states of photons. Quantum cryptography exploits certain properties of quantum states to ensure security.
In contrast to classical physics, the act of measurement is an integral part of quantum mechanics. In general, measuring an unknown quantum state changes that state in some way. This is known as quantum indeterminacy, and underlies results such as the Heisenberg uncertainty principle, information-disturbance theorem, and no-cloning theorem. As noted above, this can be exploited in order to detect eavesdropping on a communication channel, which necessarily involves measurement, and to determine an amount of information that may have been intercepted.
The quantum states of two (or more) separate objects may become linked together in such a way that they must be described by a combined quantum state rather than as individual objects. This is known as entanglement and means that, for example, joint measurements of a pair may be completely correlated even though the result is completely random. If an entangled pair of objects is shared between two parties, anyone intercepting either object alters the overall system, revealing the presence of the third party and the amount of information they have gained.
The two approaches described above, one exploiting the disturbance caused by measurement and the other exploiting entanglement, may each be further divided into three families of protocols: discrete variable, continuous variable and distributed phase reference coding. Discrete variable protocols were developed first and remain the most widely implemented. The other two families are mainly concerned with overcoming practical limitations of experiments. The two protocols described below both use discrete variable coding.
The BB84 protocol was originally described using photon polarization states to transmit the information. However, any two pairs of conjugate states can be used for the protocol, and many optical-fiber-based implementations described as BB84 use phase-encoded states.
A sender and a receiver, conventionally referred to as Alice and Bob, respectively, are connected by a quantum communication channel to transmit quantum states. In the case of photons, a quantum channel may include an optical fiber or free space. Alice and Bob may also communicate via a non-secure or classical channel, such as broadcast radio or the Internet. The BB84 protocol is designed to be secure even with the assumption that an eavesdropper has access to all of the classical (non-secure) communications.
The security of the BB84 protocol comes from encoding information in non-orthogonal states. Quantum indeterminacy means that these states cannot in general be measured without disturbing the original state (see the no-cloning theorem). BB84 uses two pairs of states, with each pair conjugate to the other pair, and the two states within a pair orthogonal to each other. Pairs of orthogonal states are referred to as a basis. Polarization state pairs include a rectilinear basis of vertical (0°) and horizontal (90°), a diagonal basis of 45° and 135°, and a circular basis of left- and right-handedness. Any two of these bases are conjugate to each other, and so any two can be used in the protocol. In the example of Table 1 below, rectilinear and diagonal bases are used.
TABLE 1
Basis | 0   | 1
+     | ↑   | →
×     | 45° | 135°
The first step in BB84 is quantum transmission. Alice creates a random bit (0 or 1) and then randomly selects one of her two bases (rectilinear or diagonal in this case). Alice then prepares a photon polarization state depending both on the bit value and basis, as shown in Table 1. For example, a 0 is encoded in the rectilinear basis (+) as a vertical polarization state, and a 1 is encoded in the diagonal basis (×) as a 135° state. Alice then transmits a single photon in the state specified to Bob, using the quantum channel. This process is then repeated from the random bit stage, with Alice recording the state, basis and time of each photon sent.
According to quantum mechanics, particularly quantum indeterminacy, no possible measurement distinguishes between the 4 different polarization states, as they are not all orthogonal. The only possible measurement is between any two orthogonal states (a basis). For example, measuring in the rectilinear basis gives a result of horizontal or vertical. If the photon was created as horizontal or vertical, as a rectilinear eigenstate, then this measures the correct state, but if the photon was created as 45° or 135° (diagonal eigenstates) then the rectilinear measurement instead returns either horizontal or vertical at random. Furthermore, after this measurement the photon is polarized in the state it was measured in (horizontal or vertical), with all information about its initial polarization lost.
As Bob does not know the basis the photons were encoded in, Bob selects a basis at random to measure in, either rectilinear or diagonal. Bob does this for each received photon, recording the time, measurement basis used and measurement result. After Bob has measured all the photons, Bob communicates with Alice over the classical channel. Alice broadcasts the basis each photon was sent in, and Bob broadcasts the basis each was measured in. Alice and Bob discard photon measurements (bits) where Bob used a different basis, which is half on average, leaving half the bits as a shared key. This is illustrated in Table 2 below.
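TABLE 2
Alice's random bit               | 0 | 1 | 1 | 0 | 1 | 0 | 0 | 1
Alice's random sending basis     | + | + | × | + | × | × | × | +
Photon polarization Alice sends  | ↑ | → |   | ↑ |   |   |   | →
Bob's random measuring basis     | + | × | × | × | + | × | + | +
Photon polarization Bob measures | ↑ |   |   |   | → |   | → | →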
To check for the presence of eavesdropping, Alice and Bob compare a certain subset of their remaining bit strings. If a third party has gained any information about the photons' polarization, this introduces errors in Bob's measurements. If more than p bits differ, Alice and Bob abort the key and try again, possibly with a different quantum channel, as the security of the key cannot be guaranteed. p is chosen so that if the number of bits known to the eavesdropper (Eve) is less than this, privacy amplification can be used to reduce Eve's knowledge of the key to an arbitrarily small amount, by reducing the length of the key.
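The BB84 steps above (transmission, basis comparison, error check) can be simulated classically to see why a measuring third party is detectable. The following is an added example, not part of the original disclosure; the intercepting party's random-basis strategy, the sample size and the 10% abort threshold are illustrative assumptions, and the channel is modeled as noise-free.

```python
import random

BASES = "+x"  # rectilinear and diagonal, as in Table 1

def measure(bit, prep_basis, meas_basis, rng):
    """Matching basis returns the encoded bit; a conjugate basis returns a random bit."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def bb84_sift(n_photons, eavesdropper, rng):
    """Run the quantum transmission and basis comparison; return both sifted keys."""
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        bit, a_basis = rng.randint(0, 1), rng.choice(BASES)
        state_bit, state_basis = bit, a_basis
        if eavesdropper:
            # Measuring re-polarizes the photon in the eavesdropper's basis.
            e_basis = rng.choice(BASES)
            state_bit = measure(state_bit, state_basis, e_basis, rng)
            state_basis = e_basis
        b_basis = rng.choice(BASES)
        result = measure(state_bit, state_basis, b_basis, rng)
        if a_basis == b_basis:  # bases are compared over the classical channel
            alice_key.append(bit)
            bob_key.append(result)
    return alice_key, bob_key

def error_check(alice_key, bob_key, sample_size, max_error_rate, rng):
    """Compare a random subset publicly; return (error rate, keep key?, leftover bits)."""
    sample = rng.sample(range(len(alice_key)), sample_size)
    errors = sum(alice_key[i] != bob_key[i] for i in sample)
    rate = errors / sample_size
    # The compared bits were disclosed, so they are dropped from the key.
    return rate, rate <= max_error_rate, len(alice_key) - sample_size

def run(n_photons, eavesdropper, seed, sample_size=500, max_error_rate=0.10):
    # max_error_rate is an assumed threshold chosen for this illustration.
    rng = random.Random(seed)
    alice_key, bob_key = bb84_sift(n_photons, eavesdropper, rng)
    return error_check(alice_key, bob_key, sample_size, max_error_rate, rng)

if __name__ == "__main__":
    print("quiet channel:", run(4000, False, seed=1))
    print("measured     :", run(4000, True, seed=2))
```

Without a third party the sampled error rate is zero; when every photon is measured in a random basis it settles near 25%, because half of those measurements use the wrong basis and each of them randomizes Bob's result half of the time.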
The Ekert scheme uses entangled pairs of photons. These can be created by Alice, by Bob, or by some source separate from both of them, including eavesdropper Eve. The photons are distributed so that Alice and Bob each end up with one photon from each pair.
The scheme relies on two properties of entanglement. First, the entangled states are perfectly correlated in the sense that if Alice and Bob both measure whether their particles have vertical or horizontal polarizations, they always get the same answer with 100% probability. The same is true if they both measure any other pair of complementary (orthogonal) polarizations. However, the particular results are completely random; it is impossible for Alice to predict if she (and thus Bob) will get vertical polarization or horizontal polarization. Second, any attempt at eavesdropping by Eve destroys these correlations in a way that Alice and Bob can detect.
The quantum cryptography protocols described above provide Alice and Bob with nearly identical shared keys, and also with an estimate of the discrepancy between the keys. These differences can be caused by eavesdropping, but also by imperfections in the transmission line and detectors. As it is impossible to distinguish between these two types of errors, guaranteed security requires the assumption that all errors are due to eavesdropping. Provided the error rate between the keys is lower than a certain threshold, two steps can be performed to first remove the erroneous bits and then reduce Eve's knowledge of the key to an arbitrarily small value. These two steps are known as information reconciliation and privacy amplification, respectively.
Information reconciliation is a form of error correction carried out between Alice and Bob's keys in order to ensure both keys are identical. It is conducted over the public channel and as such it is vital to minimize the information sent about each key, as this can be read by Eve.
A common protocol used for information reconciliation is the cascade protocol. This operates in several rounds, with both keys divided into blocks in each round and the parity of those blocks compared. If a difference in parity is found, then a binary search is performed to find and correct the error. If an error is found in a block from a previous round that had correct parity, then another error must be contained in that block; this error is found and corrected as before. This process is repeated recursively. After all blocks have been compared, Alice and Bob both reorder their keys in the same random way, and a new round begins. At the end of multiple rounds, it is highly probable that Alice and Bob have identical keys; however, Eve has additional information about the key from the parity information exchanged.
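The cascade procedure described above, written out as an added example that is not part of the original disclosure. Both keys live in one process here, so Alice's parities are computed directly instead of being sent; the block size, the doubling of the block size each round, the round count and the seeded shuffle standing in for the agreed random reordering are assumptions. The second return value counts the parity bits that an eavesdropper on the public channel would learn.

```python
import random

def parity(bits, idx):
    return sum(bits[i] for i in idx) % 2

def locate_error(alice, bob, idx):
    """Binary search inside a block whose parities differ.
    Returns (index of one wrong bit, parity bits Alice had to disclose)."""
    leaked = 0
    while len(idx) > 1:
        half = idx[:len(idx) // 2]
        leaked += 1
        if parity(alice, half) != parity(bob, half):
            idx = half
        else:
            idx = idx[len(half):]
    return idx[0], leaked

def cascade(alice, bob, block=8, rounds=4, seed=0):
    """Return (Bob's corrected key, parity bits disclosed on the public channel)."""
    rng = random.Random(seed)      # stands in for the publicly agreed reordering
    bob, order = list(bob), list(range(len(alice)))
    leaked, seen = 0, []           # seen: every block whose parity was compared
    for _ in range(rounds):
        blocks = [order[s:s + block] for s in range(0, len(order), block)]
        seen.extend(blocks)
        leaked += len(blocks)      # one parity bit per new block
        pending = list(blocks)
        while pending:
            blk = pending.pop()
            if parity(alice, blk) == parity(bob, blk):
                continue
            pos, cost = locate_error(alice, bob, blk)
            bob[pos] ^= 1
            leaked += cost
            # Fixing pos flips the parity of every earlier block that holds it,
            # so those blocks are re-examined (their parities are already public).
            pending.extend(b for b in seen if pos in b)
        rng.shuffle(order)
        block *= 2
    return bob, leaked
```

Every flip lands on a genuine error, so the number of differing bits never increases, and the disclosed-parity count is the quantity that privacy amplification must later remove from the key.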
Privacy amplification is a method for reducing (and effectively eliminating) Eve's partial information about Alice and Bob's key. This partial information could have been gained both by eavesdropping on the quantum channel during key transmission (thus introducing detectable errors), and on the public channel during information reconciliation (where it is assumed Eve gains all possible parity information).
Privacy amplification uses Alice and Bob's key to produce a new, shorter key, in such a way that Eve has only negligible information about the new key. This can be done using a universal hash function, chosen at random from a publicly known set of such functions, which takes as its input a binary string of length equal to the key and outputs a binary string of a chosen shorter length. The amount by which this new key is shortened is calculated, based on how much information Eve could have gained about the old key (which is known due to the errors this would introduce), in order to reduce the probability of Eve having any knowledge of the new key to a very low value.
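One way to realize the hashing step described above, as an added example that is not part of the original disclosure. It uses a random binary Toeplitz matrix as the universal hash family and shortens the key by the bound on Eve's knowledge plus a safety margin; that length rule, the function names and the parameters `leaked_bits` and `security_bits` are assumptions made for illustration.

```python
import secrets

def final_key_length(n, leaked_bits, security_bits):
    """Bits that remain after removing Eve's bound plus a safety margin (assumed rule)."""
    return max(0, n - leaked_bits - security_bits)

def toeplitz_hash(key_bits, out_len, seed_bits):
    """Multiply the key by an out_len x n Toeplitz matrix over GF(2).
    The public seed fixes the diagonals: T[i][j] = seed_bits[i - j + n - 1]."""
    n = len(key_bits)
    if len(seed_bits) != n + out_len - 1:
        raise ValueError("seed must have n + out_len - 1 bits")
    return [sum(seed_bits[i - j + n - 1] & key_bits[j] for j in range(n)) % 2
            for i in range(out_len)]

def amplify(key_bits, leaked_bits, security_bits, seed_bits=None):
    """Return (shortened key, seed). One party draws the seed and sends it in the
    clear; the other passes the received seed back in to get the same key."""
    out_len = final_key_length(len(key_bits), leaked_bits, security_bits)
    if out_len == 0:
        return [], []
    if seed_bits is None:
        seed_bits = [secrets.randbits(1) for _ in range(len(key_bits) + out_len - 1)]
    return toeplitz_hash(key_bits, out_len, seed_bits), seed_bits
```

The seed is public and has to be sent from one party to the other over the classical channel, so its integrity depends on that channel being authenticated.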
The protocols described above generally rely on algorithmic authentication protocols, such as SHA256, or classical encryption to establish trust in the communications with the other party. This is required to defeat a “man-in-the-middle” attack wherein an adversary is capable of manipulating all communications between the sender and receiver. When classical encryption is used, the required key material is usually taken from the QKD output, thus greatly reducing the secret keys available to encrypt user data. Additionally, as noted above, typical implementations employ random hash functions, which must be generated by one party and communicated to the other. Both problems increase the required communications overhead.