Index of /rozprawy2/10409
Academic year: 2021

AGH University of Science and Technology
Faculty of Electrical Engineering, Automatics, Computer Science and Electronics

Ph.D. Thesis

Marcin Niemiec

Design, Construction and Verification of a High-Level Security Protocol Allowing to Apply the Quantum Cryptography in Communication Networks

Supervisor: Prof. dr hab. inż. Andrzej R. Pach

AGH University of Science and Technology
Faculty of Electrical Engineering, Automatics, Computer Science and Electronics
Department of Telecommunications
Al. Mickiewicza 30, 30-059 Kraków, Poland
tel. +48 12 617 39 37, fax +48 12 634 23 72
www.agh.edu.pl, www.eaiie.agh.edu.pl, www.kt.agh.edu.pl

Reviewers:
dr hab. inż. Jerzy Konorski (Gdansk University of Technology)
prof. dr hab. inż. Andrzej Dziech (AGH University of Science and Technology)

ISBN 978-83-88309-08-3

Copyright © Marcin Niemiec, 2011. All rights reserved.
Cover and layout design by Rafał Stankiewicz
Printed in Poland by Drukarnia Cyfrowa EIKON PLUS, ul. Wybickiego 46, Kraków

To my wife and children.


Acknowledgements

Many people have helped me in my work on this dissertation. I would like to thank all of them; however, there are a few people I want to thank especially. First of all, I would like to thank my supervisor Professor Andrzej Pach for his understanding, advice, and constant encouragement. I would also like to thank Professor Andrzej Dziech for his contribution to the development of my research. I wish to thank Piotr Chołda for his valuable comments and fruitful discussions. I would like to thank Robert Wójcik who helped me to solve my problems with statistical analysis and improved my English grammar. I am also indebted to Jerzy Domżał for his support with LaTeX and motivation. I also feel obliged to all my colleagues at AGH University of Science and Technology for their help and friendliness. Especially, I wish to thank Janek Derkacz for our joint work in many projects. I would also like to thank Marcin Święty and Łukasz Romański for our joint work on the quantum cryptography simulator. My work on this dissertation would not have been possible without the support, patience, and love of my Family. I would like to thank my wife Kasia, my daughters, and my parents. They deserve my deepest appreciation. Thank You, Adonai.


Abstract

The dissertation focuses on a new high-level security protocol and a unique quantitative approach to security in Quantum Cryptography (QC). The proposed high-level protocol allows end users to control low-level parameters of the Quantum Key Distribution (QKD) system. This solution leads to implementing QC in practical networks. The definition of crucial end-user requirements is presented in this thesis. The requirements related to security are introduced and assessed by potential end-users. Also, the most important low-level parameters of a typical QC system are defined. These parameters directly influence data security. The new idea of entropy of security in QC is proposed, and the unique measure of security is defined. Applying this quantitative approach to security, it is possible to manage security as well as personalize services based on QC. Two different security levels are defined: the basic security level, and the advanced security level. This differentiation of security allows end users to choose a security level appropriate to their specific requirements and needs. The high-level security protocol, proposed in this dissertation, is verified by simulation experiments. Additionally, two use cases for different security levels are proposed and assessed by potential end-users.


Summary (Streszczenie)

This dissertation is devoted to a new high-level security protocol and proposes a unique quantitative approach to security in quantum cryptography. The described protocol allows direct control of the low-level parameters of a quantum key distribution system. The presented solution increases the chances of implementing quantum cryptography in telecommunication networks. The dissertation defines both the key requirements of end users and the low-level parameters of a typical quantum key distribution system which influence the security of the whole system. Two new notions are defined: the entropy of security and the measure of security. Such a quantitative approach to security makes it possible to differentiate the level of data protection for different services. The dissertation proposes two different security levels: basic and extended. Thanks to this differentiation, end users are able to choose the appropriate level of protection depending on their needs and requirements. The operation of the new protocol was verified by means of simulation studies. Additionally, two example scenarios for different security levels were proposed. Both were highly rated by potential users of quantum cryptography.


Contents

Acknowledgements  v
Abstract  vii
Streszczenie  ix
Contents  xi
List of figures  xv
List of tables  xvii
Abbreviations  xix

I  Introduction and background  1

1  Introduction  3
  1.1  Scope and thesis  3
  1.2  Publications  4
  1.3  Structure of the dissertation  5

2  Background  7
  2.1  Steganography and cryptography  7
    2.1.1  Symmetric ciphers  9
    2.1.2  Asymmetric ciphers  10
  2.2  Basics of quantum mechanics  11
    2.2.1  Qubit  11
    2.2.2  Heisenberg uncertainty principle  13
  2.3  Quantum cryptography  15
    2.3.1  Quantum key distribution  15
    2.3.2  BB84 protocol  16
    2.3.3  Key distillation  19

3  Area of research  21
  3.1  Related work  21
  3.2  Current status of quantum cryptography  24
  3.3  Cost of quantum cryptography  25

II  Requirements and motivation  29

4  Requirements  31
  4.1  System requirements  32
  4.2  End-user requirements  35

5  Motivation and needs of system end-users  37

III  High-level protocol  41

6  Design and construction of a new high-level security protocol  43
  6.1  Low-level parameters  43
    6.1.1  Bit error estimation  43
    6.1.2  Key reconciliation  45
    6.1.3  Privacy amplification  46
    6.1.4  Other parameters  48
  6.2  Quantity of security  48
    6.2.1  Information theory  49
    6.2.2  The measure of security  49
    6.2.3  Entropy of security  52
  6.3  Security personalization  56
  6.4  High-level protocol  58

7  Verification of the high-level security protocol  69
  7.1  Simulations  69
  7.2  Use cases  73
    7.2.1  Scenario 1: Federated Identity  73
    7.2.2  Scenario 2: Police database  76

IV  Finale  79

8  Conclusions  81

Bibliography  85


List of Figures

2.1  A qubit in the Bloch sphere  12
2.2  Wave of polarized light (45°) let in a birefringent calcite crystal  14
2.3  A single photon let in a birefringent calcite crystal  14
2.4  An example of BB84 protocol  17
2.5  Eavesdropping in BB84 protocol  18
3.1  The topology of an exemplary quantum network in Switzerland. The figure is a copy from the paper [52]  26
4.1  Security dimensions and security layers of a communication system for end-to-end communication. The figure comes from ITU-T Recommendation X.805 [14]  32
5.1  Mean importance of general requirements from the users' questionnaire  39
6.1  An example of function J(k) for key length: 1000 bits  51
6.2  An example of function Ĵ(k) with the codomain Y ∈ ⟨0, 1) (key length is 1000 bits)  53
6.3  An example of function S(k) (key length: 1000 bits)  54
6.4  Security levels on the graph of (a) the entropy of security, (b) the measure of security  59
6.5  Inter-level communication: interaction between end-user and QKD physical layer  60
6.6  Part of a key intended for comparison during the QBER estimation  64
6.7  The reduction of eavesdropper's knowledge due to the privacy amplification process  66
7.1  User interface of the used quantum protocol simulator  70
7.2  Simulation of QBER (noise = 0%)  71
7.3  Simulation of QBER (noise = 2%)  72
7.4  Simulation of QBER (noise = 5%)  73
7.5  The results of simulations with the security levels marked  74
7.6  Scenario 1: QC in the communications between servers  75
7.7  Scenario 1: QC in the communications between user and server  77

List of Tables

2.1  Truth table of XOR operation: A ⊕ B  10
6.1  Matlab code of function J(k)  51
6.2  Matlab code of function S(k)  55
6.3  Matlab code of the sum of S(k) values from k = 1 to extremum  57
6.4  Selected values of function Ŝ(k) and respective parts of a key assigned to QBER estimation  63


Abbreviations

Alice   legitimate party who sends quantum states to Bob
Bob     legitimate party who receives quantum states from Alice
Eve     eavesdropper and active enemy of Alice and Bob
AES     Advanced Encryption Standard
B92     protocol of Bennett presented in 1992
BB84    protocol of Bennett and Brassard presented in 1984
BBBSS   protocol of Bennett, Bessette, Brassard, Salvail and Smolin
BBCM    protocol of Bennett, Brassard, Crépeau, and Maurer
BBM92   protocol of Bennett, Brassard and Mermin presented in 1992
BER     Bit Error Rate
CRL     Certificate Revocation List
DARPA   Defense Advanced Research Projects Agency
DES     Data Encryption Standard
E91     protocol of Ekert presented in 1991
ETSI    European Telecommunications Standards Institute
FId     Federated Identity
GUI     Graphical User Interface
IdP     Identity Provider
IDEA    International Data Encryption Algorithm
ISG     Industry Specification Group
MSD     Multistage Soft Decoding
PNS     Photon Number Splitting
QBER    Quantum Bit Error Rate
QC      Quantum Cryptography
QKD     Quantum Key Distribution
SEC     Sliced Error Correction
SSL     Secure Socket Layer
SARG04  protocol of Scarani, Acín, Ribordy, and Gisin presented in 2004
VoIP    Voice over Internet Protocol
VPN     Virtual Private Network
XOR     eXclusive OR

Part I. Introduction and background


1 Introduction

People's requirement to communicate secretly is at least as old as our civilization. We know that ancient societies developed and used many methods of secret communication. Unfortunately, these imperfect solutions were quickly cracked. Nowadays, we observe entirely new methods of solving the problem of security, which utilize the laws of physics to ensure that every eavesdropper is uncovered. This concept, called Quantum Cryptography (QC), provides the highest security level, unachieved by previous solutions. We are probably closer to perfect security than ever before.

1.1 Scope and thesis

This dissertation proposes a unique quantitative approach to security in QC and a new high-level security protocol. The high-level protocol enables the end-users of a QC system to control its low-level parameters. The quantitative approach to security makes it possible to measure and assess security, and to personalize services based on QC. The protocol manages the level of security depending on specific end-user requirements and needs. This solution allows QC to be applied in practical networks.

The following thesis of this dissertation has been proposed and demonstrated:

It is possible to create a high-level security protocol allowing to apply the Quantum Cryptography in communication networks.

The concept and steps of a high-level security protocol are described in this dissertation. The verification of the proposed protocol was performed. The simulations confirm the protocol's functionality and the differentiation of security level

in QC systems. Alongside the theoretical considerations and software implementation, the author presents the results of a special survey. It captures end-users' requirements and needs, and looks at QC services from the end-users' point of view.

1.2 Publications

Some of the author's achievements presented in the dissertation, as well as general considerations related to security in QC, were published in journals and conference papers. The list of relevant publications is as follows:

[80] M. Niemiec. Quantum cryptography – the analysis of security requirements. In Proceedings of 11th International Conference on Transparent Optical Networks, ICTON 2009, Azores, Portugal, June 2009.

[81] M. Niemiec, L. Romanski and M. Swiety. Quantum cryptography protocol simulator. In Multimedia Communications, Services and Security, volume 149 of Communications in Computer and Information Science, pages 286–292, Springer, June 2011.

[79] M. Niemiec. Quantum cryptography – safety on the highest level (in Polish). In Przeglad Telekomunikacyjny, Wiadomosci Telekomunikacyjne, pages 470–473, Poland, June 2009.

[86] L. Romanski, M. Swiety and M. Niemiec. Current status and future directions of quantum cryptography. In Proceedings of the IEEE International Conference on Multimedia Communications, Services and Security, MCSS 2010, Krakow, Poland, May 2010.

[78] M. Niemiec. Analysis of possibility of the Quantum Key Distribution implementation in the Passive Optical Networks. In Proceedings of the e-PhotonONe+/COST 291 Summer School 2007, Brest, France, July 2007.

More technical information related to the development of high-level security protocols (i.e. the simulator of QC protocols) was presented in the following technical reports (deliverables):

[96] M. Uruena, M. Niemiec et al. Deliverable D8.1: Specification of Requirements for Security and Confidentiality of the System. INDECT Consortium, December 2009.

[96] N. Stoianov, M. Niemiec et al. Deliverable D8.2: Evaluation of Components. INDECT Consortium, June 2010.

1.3 Structure of the dissertation

The dissertation is organized into four parts. The introduction and the theoretical background for the research are presented in the first part (Chapters 1–3). Chapter 1 gives general information on the issues presented in the dissertation. In Chapter 2, the theoretical background is presented: an introduction to modern cryptography, the basics of quantum mechanics, a description of Quantum Key Distribution (QKD) techniques, the key distillation process, and an example of the most popular QKD protocol, BB84. Chapter 3 presents the current status of QC and the related work: the most important publications related to QKD, as well as high-level security protocols. This chapter also shows the cost analysis of a QC system.

The second part of this dissertation consists of two chapters. Chapter 4 is dedicated to the most important requirements related to QC systems. The author proposes two sets of key demands: system requirements and end-user requirements. Chapter 5 presents the motivation behind high-level QC protocol development. The results of a survey which checks the importance of the key requirements are described, presenting QC from the end-users' point of view.

The third part is dedicated to a new high-level security protocol. Chapter 6 describes the design and construction of the new protocol. The key low-level parameters which directly influence the security of the whole QC system are defined first. Then, a quantitative approach to security is proposed: the author defines the measure of security and the entropy of security. Based on the quantitative approach to security in QC systems, two distinct security levels are proposed: basic and advanced. These levels make it possible to personalize security for specific end-users and services. The last section of Chapter 6 describes the high-level security protocol in detail. Chapter 7 presents the verification of the new protocol. To check the idea of the measure of security and verify the functionality of the new protocol, a number of simulations were performed. Additionally, two use cases were considered: a scenario with a federated identity service, and a connection with the police database. Both scenarios were assessed by end-users.

The last part of this dissertation contains Chapter 8, which concludes the thesis. It contains the list of major achievements and significant contributions.


2 Background

In this chapter, the basics of quantum cryptography are introduced. Although this dissertation concerns mainly telecommunications, other issues relating to quantum mechanics and information theory are also presented. Basic issues and principles of quantum mechanics, including qubits, entangled states, and the Heisenberg uncertainty principle, are presented first. The author then describes the process of key distribution using quantum states and the concept of key distillation, as well as the BB84 protocol example, the most popular quantum protocol. However, before the principles of quantum physics and quantum protocols are considered, it is essential to describe cryptography, the most popular solution which ensures data confidentiality.

2.1 Steganography and cryptography

Very often data confidentiality is inseparable from communication between people. Usually, non-technical users of communications systems treat data confidentiality as a synonym of the term security, even though it is only one of many security services [10]. In general we can specify two main solutions which ensure data confidentiality: steganography and cryptography. The former hides the message so that no one, apart from the sender and recipient, suspects its existence. The latter transforms the message to make it unreadable to anyone except the proper entities (i.e., the sender and recipient).

As far back as ancient times, people used steganography techniques. One of the first known examples was described by Herodotus in the 6th century BC [58]. Histiaeus, the tyrant of Miletus, shaved the head of his trusted slave and then tattooed a message on his head. After that he waited for the slave's hair to grow back. The slave was then sent to Aristagoras (son-in-law and an ally of Histiaeus), who was instructed to shave the slave's head again and read the message. The message encouraged Aristagoras to revolt against the Persians and trigger the Ionian Revolt. A better-known steganography technique is invisible ink, which is used for writing and can be made visible only in some specific ways (e.g., by a chemical reaction). Nowadays, digital steganography techniques are mainly in use [19]. An example is digital watermarking, which is the process of embedding additional information into multimedia files. Digital watermarking embeds the data by modifying the digital signal (i.e., the least significant bits in a picture or the sound of an audio file). It is widely used in copyright protection of multimedia files or to find the source of an information leak from confidential databases.

Similarly to steganography, cryptography has also been used for over two thousand years. Ancient people invented many different ciphers, mainly substitution ciphers. These ciphers replace units of a message (usually single letters but sometimes also groups of letters) with other units. Many interesting historical ideas which ensured the security of confidential messages were presented by Kahn in [60]. The best-known ancient substitution cipher is the Caesar cipher, which was allegedly used by Julius Caesar. Each letter of Caesar's message was replaced by the letter three positions down the alphabet: the letter A was replaced by the letter D, the letter B by the letter E, and so on. Unfortunately, such simple monoalphabetic ciphers were easy to break by studying the frequency of letters in a ciphertext. Much more secure were homophonic ciphers, where each unit of a message was replaced by another unit chosen randomly from a given group; simply, the letters were mapped to more than one ciphertext symbol. More sophisticated solutions were polyalphabetic ciphers, which were based on multiple substitution alphabets. One of the first polyalphabetic ciphers was the Vigenère cipher, but surely the best-known is ENIGMA. The famous electro-mechanical device ENIGMA was widely used by the Germans during World War II, and it was broken even before the war, in Poland, by Marian Rejewski, Jerzy Różycki and Henryk Zygalski.

The development of computer science after World War II started the era of modern cryptography. In general, new ciphers operate on binary bit sequences, unlike classical schemes, which mainly manipulate traditional characters. Modern ciphers can be divided into two groups: symmetric and asymmetric ciphers.

2.1.1 Symmetric ciphers

Symmetric-key cryptography refers to ciphers in which both the encryption and decryption processes transform a message by means of the same key [37]. Formally, symmetric-key encryption is a function E defined by:

E_K(M) = C    (2.1)

where M denotes a message (plaintext), C denotes the ciphered message (ciphertext) and K is the key. The function defined in (2.1) is a bijection. Therefore, we can present the reverse process (decryption) as a function D:

D_K(C) = M    (2.2)

A symmetric cipher usually consists of some simple transformations which are used repeatedly. Besides, the algorithms have many identical stages of processing (rounds) to increase confidentiality. The basic transformations are presented below.

• Substitution. Substitution refers to the substitution of certain bits with other bits. A very popular transformation in modern cryptography is a substitution box (S-box), a specific table of bit strings. This table converts input bits into output bits. The output is found by selecting the row using one part of the input bits and the column using the remaining bits of the input.

• Permutation. Permutation is a form of bit rearrangement. It ensures the diffusion of changes in the next rounds of the encryption process.

• XOR operation. The logical XOR operation is a type of logical disjunction on two operands. It corresponds to addition modulo 2 and gives the value 1 (true) if exactly one of the operands has the value 1 (true). The truth table of A ⊕ B is presented in Tab. 2.1. XOR is a reversible operation because:

(A ⊕ B) ⊕ A = B    (2.3)

and

(A ⊕ B) ⊕ B = A.    (2.4)

Table 2.1: Truth table of XOR operation: A ⊕ B

A   B   A ⊕ B
0   0   0
0   1   1
1   0   1
1   1   0

Therefore, if we use XOR during the encryption process, then decryption of a message is possible. Substitution, permutation and XOR are universal transformations used in all modern symmetric-key ciphers. They are not the only available methods; other methods are rather specific to given algorithms, e.g. the Feistel network in DES (Data Encryption Standard) [11] or the MixColumns operation in AES (Advanced Encryption Standard) [13].

In symmetric-key cryptography, the sender and receiver of the message must share the same key. In modern cryptography, the key is a long string of bits. The distribution or agreement of keys is crucial to data confidentiality. Even though currently used algorithms (e.g., the Diffie–Hellman key agreement protocol [12]) are able to establish a shared secret key over an insecure communications channel, they are vulnerable to some types of attacks. Nowadays, the best solution which ensures the highest level of security is quantum key distribution.

2.1.2 Asymmetric ciphers

Asymmetric ciphers do not require a secure initial exchange of secret keys between sender and receiver because they create a mathematically related key pair: a confidential private key and a published public key [37] [54]. The private key is kept secret, while the public key can be widely distributed. Additionally, the private key cannot be feasibly derived from the public key. Encryption is performed using the public key of the receiver; after that the ciphertext can only be decrypted with the complementary private key. The security of asymmetric cryptography is based on the hardness of a mathematical problem: the concept of a one-way trapdoor function. A one-way trapdoor function f is a function such that, given input x, it is easy to compute f(x), but without knowledge of the so-called "trapdoor" information it is impossible to compute x from:

f^{-1}(f(x))    (2.5)

Two of the most popular mathematical concepts which are widely used in asymmetric cryptography are:

– factorization of the product of two large prime numbers, and
– computing the discrete logarithm.

The first concept, factorization of the product of two large prime numbers, is applied in the RSA algorithm [85], whose name comes from the surnames of its inventors: Rivest, Shamir and Adleman. Created in 1978, RSA is the best-known asymmetric cryptography algorithm today. Even though asymmetric cryptography solves the problem of key distribution, it is much slower than symmetric cryptography. Therefore, even if an asymmetric cipher is implemented in a system, it is usually used to encrypt only small parts of the data (e.g. symmetric keys). A comparison of asymmetric cryptography with symmetric and quantum cryptography is presented in [86]. It is worth mentioning that fast quantum algorithms for solving the factorization and discrete logarithm problems are already known (e.g. Shor's algorithm [93]). These problems will be very easy to solve on quantum computers. Then, symmetric ciphers with secure key distribution/agreement will remain the only solution.

2.2 Basics of quantum mechanics

Quantum mechanics is a branch of physics which explains the behavior of matter and energy at the atomic and subatomic scales. In this section, some of the principles and models which have a direct connection with quantum cryptography are presented.

2.2.1 Qubit

A bit is the basic unit of computer information, which can have only two possible values: 0 or 1. As the quantum analogue of the classical bit, a qubit (quantum bit) is the unit of quantum information. Like a bit, a qubit can have two possible values (normally 0 or 1), but it can also be a superposition of both. This idea is represented as a vector in the Bloch sphere (an abstract sphere with antipodal points representing two specific states), which is presented in Fig. 2.1.

Figure 2.1: A qubit in the Bloch sphere

Two basic states (antipodal points of the sphere) are conventionally written as |0⟩ and |1⟩, but in general a quantum state is written as |ψ⟩. The symbol |ψ⟩ is called a ket. Now, if we assume that each state in quantum mechanics is represented as a vector in a Hilbert space and that |0⟩ and |1⟩ are orthonormal states, then we can define a qubit as a superposition of two orthonormal quantum states:

|ψ⟩ = α|0⟩ + β|1⟩    (2.6)

where

|α|² + |β|² = 1.    (2.7)

We can provide the following physical interpretation of the notation presented in Equation (2.6): when we perform a measurement on a qubit, we obtain the state |0⟩ with probability |α|² or the state |1⟩ with probability |β|². Therefore, Equation (2.7) holds. Now it is easy to notice that an object before the measurement can be in some superposition state, but the measurement itself may destroy this state. After that, the object's state is determined by the measurement and is equal to |0⟩ or |1⟩. This observation leads directly to the Heisenberg uncertainty principle.

2.2.2 Heisenberg uncertainty principle

In 1927 Werner Heisenberg published one of the fundamental principles of quantum mechanics [57]. He proved that it is not possible to assign exact simultaneous values to the position and momentum of a physical system; these quantities can only be determined with some characteristic uncertainty. The mathematical notation of this principle can be presented as follows:

Δx · Δp_x ≥ h / 4π    (2.8)

Δy · Δp_y ≥ h / 4π    (2.9)

Δz · Δp_z ≥ h / 4π    (2.10)

where Δx, Δy, Δz and Δp_x, Δp_y, Δp_z are the measurement uncertainties of the position and momentum of a particle in the three space dimensions, respectively, and h is Planck's constant (h ≈ 6.626 · 10^-34 J · s). Equations (2.8), (2.9), and (2.10) show that, having measured the position of a particle in some dimension, we are able to measure its momentum along this dimension with only limited precision. In general, the Heisenberg uncertainty principle states that it is impossible to measure certain pairs of physical quantities with the same high precision; position and momentum are only one example of such pairs. Another example is the polarization of photons.

Let us consider qubits which are realized by means of photon polarization states. If we assume that the vertical |↕⟩ and horizontal |↔⟩ polarizations are orthonormal, we can represent any photon polarization as a superposition of the two orthonormal polarizations |↕⟩ and |↔⟩. For instance, a photon polarized at 45° can be presented as:

|↗⟩ = (1/√2)(|↕⟩ + |↔⟩).    (2.11)

Now, we consider an experiment with polarized photons and a birefringent calcite crystal. Birefringence is the decomposition of a ray of light into two rays (the ordinary ray and the extraordinary ray) when it passes through such materials as calcite crystals, depending on the polarization of the light. Let us assume that horizontally polarized photons appear in the upper ray and vertically polarized photons appear in the bottom ray. If we polarize the light at 45° and put it to the input of the birefringent calcite crystal, we obtain the vertical and horizontal polarization components split at the output (the ordinary and extraordinary rays), as presented in Fig. 2.2. However, if we transmit only one photon with 45° polarization, it cannot be simultaneously vertical and horizontal at the output. It 'chooses' only one of the polarizations, with probability 1/2. The experiment with a single photon is presented in Fig. 2.3. The wave and the particle nature of light cannot be simultaneously detected.

Figure 2.2: Wave of polarized light (45°) let in a birefringent calcite crystal

Figure 2.3: A single photon let in a birefringent calcite crystal
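The measurement rule of Equations (2.6) and (2.7) and the single-photon calcite experiment above, as an added illustration (this is not code from the thesis): a qubit is a pair of amplitudes, a measurement in a chosen basis returns each outcome with probability |⟨b_i|ψ⟩|² and collapses the state, and a 45° photon measured in the rectilinear basis lands in either ray with probability 1/2. It goes one step beyond the text by measuring the collapsed photon a second time in the diagonal basis, which shows the state disturbance that Section 2.3 relies on for discovering an eavesdropper; the basis and function names are this example's own.

```python
"""Qubit measurement model for the polarization states of Section 2.2.

Added illustration, not code from the thesis. A qubit is a pair of
amplitudes (alpha, beta) as in Eq. (2.6); a measurement in an orthonormal
basis returns outcome i with probability |<b_i|psi>|^2 and collapses the
state to b_i. Polarizations are mapped as |0> = vertical, |1> = horizontal.
"""
import math
import random

SQRT_HALF = 1 / math.sqrt(2)

KET_V = (1 + 0j, 0j)                     # |0>: vertical polarization
KET_H = (0j, 1 + 0j)                     # |1>: horizontal polarization
KET_45 = (SQRT_HALF, SQRT_HALF)          # Eq. (2.11): (|V> + |H>) / sqrt(2)
KET_135 = (SQRT_HALF, -SQRT_HALF)        # the orthogonal diagonal state

# A measurement basis is an orthonormal pair of states (names assumed here).
RECTILINEAR = (KET_V, KET_H)             # what the calcite crystal separates
DIAGONAL = (KET_45, KET_135)


def is_normalized(state, tol=1e-9):
    """Check Eq. (2.7): |alpha|^2 + |beta|^2 = 1."""
    alpha, beta = state
    return abs(abs(alpha) ** 2 + abs(beta) ** 2 - 1.0) < tol


def inner(bra, ket):
    """<bra|ket> on the two-dimensional Hilbert space."""
    return bra[0].conjugate() * ket[0] + bra[1].conjugate() * ket[1]


def outcome_probabilities(state, basis):
    """Born rule: probability of each basis outcome for a normalized state."""
    if not is_normalized(state):
        raise ValueError("state violates |alpha|^2 + |beta|^2 = 1")
    return tuple(abs(inner(b, state)) ** 2 for b in basis)


def measure(state, basis, rng):
    """Sample one outcome; return (outcome index, post-measurement state).

    The returned state is the observed basis vector: the superposition
    is gone, which is the 'damage' Section 2.2.1 describes.
    """
    p0, _ = outcome_probabilities(state, basis)
    outcome = 0 if rng.random() < p0 else 1
    return outcome, basis[outcome]


def calcite_experiment(n_photons, rng):
    """Send n single 45-degree photons through the crystal (Fig. 2.3).

    Returns (photons in the upper ray = horizontal, photons in the bottom
    ray = vertical). Each photon picks one ray; both counts approach n/2.
    """
    upper = bottom = 0
    for _ in range(n_photons):
        outcome, _ = measure(KET_45, RECTILINEAR, rng)
        if outcome == 1:
            upper += 1
        else:
            bottom += 1
    return upper, bottom


def wrong_basis_disturbance(n_photons, rng):
    """Fraction of 45-degree photons whose diagonal value is changed by an
    intermediate rectilinear measurement. Re-measuring the collapsed photon
    in the diagonal basis gives |135> about half the time: the disturbance
    that the public-channel check of Section 2.3 is meant to reveal."""
    changed = 0
    for _ in range(n_photons):
        _, collapsed = measure(KET_45, RECTILINEAR, rng)
        outcome, _ = measure(collapsed, DIAGONAL, rng)
        if outcome != 0:                 # 0 would reproduce the prepared |45>
            changed += 1
    return changed / n_photons


def run_experiments(n_photons=10_000, seed=2011):
    """Run both experiments with a seeded generator (constructed input)."""
    rng = random.Random(seed)
    upper, bottom = calcite_experiment(n_photons, rng)
    return {"upper": upper, "bottom": bottom,
            "disturbance": wrong_basis_disturbance(n_photons, rng)}


if __name__ == "__main__":
    print("P(V), P(H) for a 45-degree photon:",
          outcome_probabilities(KET_45, RECTILINEAR))
    print(run_experiments())
```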

2.3 Quantum cryptography

In Section 2.1.1 I mentioned that currently used key distribution algorithms are able to establish a shared secret key over an insecure communications channel. The security of these algorithms is based on the fact that successful eavesdropping requires excessive computational effort. Quantum cryptography (QC) brings an entirely new way of solving the key distribution problem. It provides secure key distribution by means of the laws of quantum mechanics [33].

First of all, the rules of quantum mechanics ensure that any measurement modifies the state of the transmitted qubit. This modification can be discovered by the sender and the receiver of the quantum bits. Therefore, quantum cryptography requires two types of channels to be defined:

• a quantum channel, where qubits carrying information about the distributed key are exchanged, and
• a public channel, which is used to check whether the communication through the quantum channel has been disturbed.

The other rule of quantum mechanics which makes quantum cryptography a very secure solution is the no-cloning theorem [100]. According to this theorem, it is not possible to create identical copies of an unknown quantum state [62]. Therefore, an eavesdropper is not able to clone the original qubit in order to measure the quantum state and simultaneously send the second qubit to the proper receiver.

In the next subsections, the main ingredients of quantum cryptography are presented: a quantum key distribution protocol with a simple example, as well as key distillation algorithms.

2.3.1 Quantum key distribution

Quantum key distribution (QKD) is used to distribute an encryption key for symmetric ciphers, not to transmit any message data between users. As mentioned, the security of QKD relies on the foundations of quantum mechanics, and information about a key is transmitted by means of qubits. We can distinguish two types of QKD protocols: those based on single particles and those based on entangled particles [44].
In the first group (QKD protocols based on single particles), information about the distributed key is encoded in the quantum states of single particles, such as polarized photons. The quantum states of the particles do not depend on each other and each particle carries information which can be read independently. The second group is based on entanglement. An entangled state is a pair of particles with the following feature: the states of the particles are completely random before a measurement is performed, but if we measure the state of the first particle, then the state of the second particle is fully determined. It means that we need to measure only one particle to know the states of them both. Formally, an entangled state can be presented as:

$$|\psi\rangle = \frac{1}{\sqrt{2}}\left(|\updownarrow\rangle_1 |\leftrightarrow\rangle_2 + |\leftrightarrow\rangle_1 |\updownarrow\rangle_2\right) \quad (2.12)$$

where the indices 1 and 2 denote the two different particles which are entangled. If the first particle has a vertical polarization, the second has a horizontal polarization, and vice versa. Both combinations appear with the same probability (1/2). It is worth mentioning that the entangled pair retains this feature even if the particles are separated.

Today, we know many QKD protocols but only a few are used in practice [88]. The first invented protocol was BB84 [28], presented in 1984 by Bennett and Brassard. This protocol is based on single particles (polarized photons) and it is presented in detail in the next section. Another protocol based on single particles is B92, developed by one of the BB84 creators, Bennett, in 1992 [26]. It is simpler and faster than its predecessor. Furthermore, it is more efficient because it detects an eavesdropper faster. A well-known QKD protocol based on entanglement is E91, invented in 1991 by Ekert [46]. It was an innovative solution which used the phenomenon of entangled particles for the first time. In principle, many other protocols, such as BBM92 [29] (proposed by Bennett, Brassard and Mermin in 1992) or SARG04 [87] (proposed by Scarani, Acín, Ribordy, and Gisin in 2004), are modified versions of the BB84 protocol.

2.3.2 BB84 protocol

Although we know several QKD protocols, the most popular is still BB84, the oldest QKD protocol [28]. It is based on information encoded by means of the polarization of photons. In Fig. 2.4, an example of the key distribution process in the BB84 protocol is presented. Following many papers related to cryptography, I introduce three characters: Alice (usually the sender) and Bob (usually the receiver), individuals who want to communicate secretly, as well as Eve, an eavesdropper.
In a typical scenario, Alice and Bob want to establish a secret key and Eve wants to gain information about the key. When Alice wants to establish a new encryption key with Bob, they both have to define two alphabets: rectilinear and diagonal. Let us assume that in the rectilinear alphabet, photons with horizontal polarization (0°) mean bit 0 and photons with vertical polarization (90°) mean bit 1. Similarly, in the diagonal alphabet, photons with polarization −45° mean bit 0 and photons with polarization 45° mean bit 1. In Fig. 2.4 the double-headed arrows represent the polarization states of individual photons.

Figure 2.4: An example of the BB84 protocol.

In Section 2.2.2 it was shown that if we observe one photon with diagonal polarization 45° by means of the rectilinear basis (calcite crystal), the photon 'chooses' one of the polarizations, horizontal or vertical, with probability 1/2. It means that we are able to measure perfectly only photons with polarizations 0° and 90° by means of a calcite crystal oriented in the vertical/horizontal directions (called the rectilinear basis). We lose information about diagonally polarized photons (−45° and 45°). Similarly, by means of a diagonal basis we are able to measure perfectly only photons with polarizations −45° and 45°. In this situation we lose information about horizontally and vertically polarized photons (0° and 90°). In Fig. 2.4, two crossed double-headed arrows, 0° and 90°, mean the rectilinear basis (black color). Similarly, two crossed double-headed arrows, −45° and 45°, mean the diagonal basis (green color).

At the beginning of the protocol operation, Alice sends to Bob a string of bits which is encoded by means of the polarization of photons (qubits). Alice sends each bit using a randomly chosen alphabet, through the quantum channel. Bob receives this string by means of the rectilinear basis (which allows him to detect perfectly the polarizations 0° and 90°) or the diagonal basis (which allows him to detect perfectly the polarizations −45° and 45°). Bob chooses the basis randomly, but after the measurement he informs Alice which basis he used. He sends this information over the public channel. It is worth emphasizing that Bob discloses only information about the basis he used; the result of the measurement stays secret. Now Alice informs Bob when he has chosen the proper basis to measure the photon. The new key consists of those bits for which Bob has chosen the basis properly, because then they both have the same bits. In the example presented in Fig. 2.4 the first photon is detected perfectly and it will be the first bit of the new key. Alice and Bob have to get rid of the second and third bits because Bob chose the wrong basis and the measurement of the polarization is uncertain. The next bit (the fourth) is detected perfectly and it will be a part of the key. This algorithm ensures that the distributed key consists of approximately half of the bits sent by Alice. The other 50% Alice and Bob must disregard.

Now, let us assume that Eve eavesdrops on the communication between Alice and Bob in the quantum channel. In Fig. 2.5, an example of the key distribution process with eavesdropping is presented.

Figure 2.5: Eavesdropping in the BB84 protocol.

To obtain information, Eve has to measure the polarization of the photons by means of the rectilinear or diagonal basis. She chooses the basis randomly (like Bob), but if the chosen basis is incorrect, the polarization will be changed. Such an effect is presented in Fig. 2.5: the first bit originally has a vertical polarization (coding bit 1), but Eve eavesdrops by means of the diagonal basis and after that the photon has the polarization 45°. This photon, after Bob's measurement, has horizontal polarization and will be decoded as 0. Even though Alice sent a vertically polarized photon and Bob chose the proper basis (rectilinear), they obtained different bits. Therefore, if Alice and Bob compare a part of the obtained key over the public channel, they uncover the eavesdropping. In this way, passive eavesdropping is not possible: when Eve wants to eavesdrop on photons, she changes the quantum states of the photons. Besides, Eve is not able to clone an unknown state of a photon. Therefore, the BB84 protocol ensures a high level of security.

2.3.3 Key distillation

As mentioned in the previous section, during the quantum key distribution process Alice and Bob use two communication channels: quantum and public. In the quantum channel, information is coded by means of quantum states. In the public channel Alice and Bob exchange data to check whether Eve was eavesdropping. Usually the public channel is needed for many more purposes. In this section, the general idea of the high-level protocols related to quantum cryptography is presented.

Not only Eve is responsible for errors in the quantum channel. Errors during the quantum communication may occur because of disturbances in the quantum channel, optical misalignment, noise in the detectors, or other causes. Therefore, Alice and Bob have to estimate the error rate and decide whether there is an eavesdropper in between or not. In practice, they compare a small portion of the distributed raw key over the public channel and compute the Quantum Bit Error Rate (QBER). If the QBER exceeds a given threshold, it means that Eve has eavesdropped (or the quantum channel is too noisy to perform a proper key distribution). But if the error rate is low enough, Alice and Bob continue with further distillation of the key. Of course, they must delete the compared part of the raw key. Section 6.1.1 contains more details about bit error estimation.

After the bit error estimation, Alice and Bob use key distillation protocols. These protocols usually involve two steps: key reconciliation and privacy amplification.
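The BB84 exchange of Section 2.3.2 and the bit error estimation just described, as an added toy simulation (example code written for this section, not code from the thesis or its simulator). It assumes the two alphabets defined in the text, a noiseless quantum channel, an intercept-resend Eve who measures in a random basis, and a caller-supplied QBER threshold; all names are constructed.

```python
import random
from typing import Dict, List, Tuple

# Added example, not code from the thesis or its simulator: a toy model of the
# BB84 exchange of Section 2.3.2 followed by the bit error estimation of
# Section 2.3.3. The alphabets are the ones defined in the text.
ENCODE = {"R": {0: 0, 1: 90}, "D": {0: -45, 1: 45}}   # basis -> bit -> polarization angle
DECODE = {"R": {0: 0, 90: 1}, "D": {-45: 0, 45: 1}}   # basis -> angle -> bit


def measure(angle: int, basis: str, rng: random.Random) -> Tuple[int, int]:
    """Measure a photon of polarization `angle` in `basis` ('R' rectilinear, 'D' diagonal).

    Returns (bit read, polarization of the photon after the measurement). A photon
    prepared in the measuring basis is read perfectly and left unchanged; one prepared
    in the other basis 'chooses' either outcome with probability 1/2 and leaves the
    apparatus polarized along the measuring basis (the calcite crystal of Section 2.2.2).
    """
    if angle in DECODE[basis]:
        return DECODE[basis][angle], angle
    outcome = rng.randint(0, 1)
    return outcome, ENCODE[basis][outcome]


def bb84(n: int, eve: bool, seed: int) -> Dict[str, object]:
    """Run one BB84 session of n photons and return the sifted raw keys.

    With eve=True an intercept-resend eavesdropper measures every photon in a
    randomly chosen basis and forwards a photon in the state her measurement left.
    """
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n)]
    alice_bases = [rng.choice("RD") for _ in range(n)]
    # Quantum channel: one polarized photon per bit.
    photons = [ENCODE[b][bit] for b, bit in zip(alice_bases, alice_bits)]
    if eve:
        photons = [measure(p, rng.choice("RD"), rng)[1] for p in photons]
    bob_bases = [rng.choice("RD") for _ in range(n)]
    bob_bits = [measure(p, b, rng)[0] for p, b in zip(photons, bob_bases)]
    # Public channel: Bob announces only his bases, Alice replies at which
    # positions the bases agree. Only those positions enter the raw key.
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    return {
        "alice_raw": [alice_bits[i] for i in keep],
        "bob_raw": [bob_bits[i] for i in keep],
        "sifted": len(keep),
    }


def estimate_qber(alice_raw: List[int], bob_raw: List[int],
                  fraction: float, seed: int) -> Tuple[float, List[int], List[int]]:
    """Bit error estimation: compare a random `fraction` of the raw key over the
    public channel and return (QBER, Alice's remaining key, Bob's remaining key).
    The compared positions are disclosed, so they are removed from both keys."""
    rng = random.Random(seed)   # the sample positions are public, a shared seed is fine
    n = len(alice_raw)
    sample = set(rng.sample(range(n), max(1, int(n * fraction))))
    errors = sum(alice_raw[i] != bob_raw[i] for i in sample)
    rest = [i for i in range(n) if i not in sample]
    return (errors / len(sample),
            [alice_raw[i] for i in rest], [bob_raw[i] for i in rest])


def eavesdropper_detected(qber: float, threshold: float) -> bool:
    """Decision rule of Section 2.3.3: abort the key when the QBER exceeds the
    agreed threshold (the threshold value is an input, the text fixes none)."""
    return qber > threshold


if __name__ == "__main__":
    for eve in (False, True):
        session = bb84(4000, eve, seed=1)
        qber, _, _ = estimate_qber(session["alice_raw"], session["bob_raw"], 0.5, seed=2)
        print(f"eve={eve}: sifted={session['sifted']} QBER={qber:.3f} "
              f"abort={eavesdropper_detected(qber, 0.11)}")
```

Without Eve the sifted keys agree exactly, because the model has no channel noise; with the intercept-resend Eve about a quarter of the sifted bits disagree (her basis is wrong half the time and then Bob's reading is random), which the public comparison exposes.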
As said previously, the quantum communication is not perfect and some errors usually occur. If the number of errors does not exceed the given QBER threshold, the reconciliation process must find and correct or delete these errors. The simplest solution is the parity test. The key is divided into many blocks and then Alice and Bob compare the parity of each block. If the parities do not agree, they know that an error occurred, and they continue searching for the error by dividing the block into two parts. The algorithm is repeated until the error is corrected or deleted. Unfortunately, after the parity test Alice and Bob must reject one bit of each block to reduce Eve's knowledge about it. In this way the key is shortened again, but Alice and Bob can be sure that they have the same string of bits (without errors). More information about the key reconciliation technique is presented in Section 6.1.2.

At the end of the key distillation process, privacy amplification should be carried out. Because Eve may have gained significant knowledge of the key (by eavesdropping on the quantum channel and on the public channel during the bit error estimation and key reconciliation), Alice and Bob are required to strengthen their privacy. They delete some of the bits and construct the final key in a specific way. The details of privacy amplification are presented in Section 6.1.3.

If Alice and Bob perform all the steps considered here, the final key which can be used for symmetric encryption is reduced in length. This reduction of the key length is characteristic of all quantum key distribution protocols. Let us assume that the length of the raw key obtained from the quantum channel is Q, the length of the key after the bit error estimation is B, the length of the key after key reconciliation is R, and the length of the final key (after the privacy amplification process) is A. Then we can present the reduction of the key length at the different steps as follows:

$$Q > B > R > A \quad (2.13)$$

Because each stage reduces the key length, the performance of QKD is also reduced. Sometimes, when we want to ensure a high level of security, this reduction is significant. This is the reason why the high-level protocols are crucial to quantum cryptography implemented in real communication networks.

Let us conclude the introduction to QC. This technique ensures the highest level of security, because it is not possible to eavesdrop on the communication in a passive way. If an eavesdropper reads the distributed key, it will change the quantum states of the photons and will be disclosed. This is possible due to two principles:

– a measurement influences the quantum state, and
– it is not possible to clone an unknown quantum state.
When we use 'classical' cryptography and key distribution, we are never sure whether an intruder is eavesdropping on the communication. A hidden intruder can scan the network and obtain sensitive data, and the users of the network are not even aware of the attack. QC is the unique solution where such passive threats are not possible.
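The key distillation steps of Section 2.3.3 (bit error estimation, parity-test reconciliation with bisection, privacy amplification) and the length reduction Q > B > R > A of (2.13), as an added example (written for this section, not code from the thesis). It assumes a constructed raw key pair with random bit flips on Bob's side, a shared pseudorandom permutation between passes as in BBBSS, a hash comparison over the public channel to decide when reconciliation is finished, and a random GF(2) matrix as the privacy amplification hash; all names are constructed.

```python
import hashlib
import random
from typing import Dict, List, Optional, Tuple

# Added example, not code from the thesis: key distillation of Section 2.3.3 on a
# constructed raw key pair, reporting the lengths Q > B > R > A of equation (2.13).
Bits = List[int]


def parity(bits: Bits) -> int:
    return sum(bits) % 2


def bisect_correct(alice: Bits, bob: Bits, lo: int, hi: int, used: set) -> None:
    """Parities of block [lo, hi) differ: halve the block until the erroneous bit is
    isolated and flip it in Bob's key. Each parity sent over the public channel costs
    one bit of the compared sub-block; those positions are collected in `used`."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        used.add(mid - 1)
        if parity(alice[lo:mid]) != parity(bob[lo:mid]):
            hi = mid
        else:
            lo = mid
    bob[lo] ^= 1
    used.add(lo)


def keys_agree(a: Bits, b: Bits) -> bool:
    """Alice and Bob compare a hash of their keys over the public channel to decide
    whether another pass is needed (an assumption of this example, not a thesis step)."""
    return hashlib.sha256(bytes(a)).digest() == hashlib.sha256(bytes(b)).digest()


def reconcile(alice: Bits, bob: Bits, block: int, max_passes: int, seed: int) -> Tuple[Bits, Bits]:
    """Parity test of Section 2.3.3: compare block parities, bisect the blocks that
    differ, drop one bit per published parity, then apply a shared pseudorandom
    permutation (as BBBSS does, Section 3.1) so that a block hiding an even number
    of errors is split differently in the next pass."""
    rng = random.Random(seed)   # the seed is public: both sides permute identically
    a, b = list(alice), list(bob)
    for _ in range(max_passes):
        used: set = set()
        for lo in range(0, len(a), block):
            hi = min(lo + block, len(a))
            used.add(hi - 1)   # the block parity is published: sacrifice one bit
            if parity(a[lo:hi]) != parity(b[lo:hi]):
                bisect_correct(a, b, lo, hi, used)
        keep = [i for i in range(len(a)) if i not in used]
        rng.shuffle(keep)
        a, b = [a[i] for i in keep], [b[i] for i in keep]
        if keys_agree(a, b):
            break
    return a, b


def privacy_amplify(key: Bits, out_len: int, seed: int) -> Bits:
    """Each output bit is the parity of a publicly chosen random subset of the key,
    i.e. multiplication by a random binary matrix over GF(2), one of the universal
    hash families mentioned in Section 3.1. The subsets are public, the key is not."""
    rng = random.Random(seed)
    out = []
    for _ in range(out_len):
        mask = [rng.randint(0, 1) for _ in key]
        out.append(sum(k & m for k, m in zip(key, mask)) % 2)
    return out


def distill(raw_alice: Bits, raw_bob: Bits, sample_fraction: float,
            qber_threshold: float, final_fraction: float, seed: int) -> Optional[Dict[str, object]]:
    """Run the three distillation steps; return Q, B, R, A and both final keys, or
    None when the estimated QBER exceeds the threshold (abort, as in Section 2.3.3)."""
    rng = random.Random(seed)
    q = len(raw_alice)
    sample = set(rng.sample(range(q), max(1, int(q * sample_fraction))))
    qber = sum(raw_alice[i] != raw_bob[i] for i in sample) / len(sample)
    if qber > qber_threshold:
        return None
    rest = [i for i in range(q) if i not in sample]   # compared bits are deleted
    a, b = [raw_alice[i] for i in rest], [raw_bob[i] for i in rest]
    b_len = len(a)
    a, b = reconcile(a, b, block=8, max_passes=12, seed=seed + 1)
    r_len = len(a)
    a_len = int(r_len * final_fraction)
    return {"Q": q, "B": b_len, "R": r_len, "A": a_len, "qber": qber,
            "alice": privacy_amplify(a, a_len, seed + 2),
            "bob": privacy_amplify(b, a_len, seed + 2)}


def constructed_raw_keys(n: int, error_rate: float, seed: int) -> Tuple[Bits, Bits]:
    """Constructed input standing in for a sifted BB84 key: Alice's random bits and
    Bob's copy with a fraction of bits flipped (channel noise, detector noise or Eve)."""
    rng = random.Random(seed)
    alice = [rng.randint(0, 1) for _ in range(n)]
    bob = [bit ^ (1 if rng.random() < error_rate else 0) for bit in alice]
    return alice, bob


if __name__ == "__main__":
    raw_a, raw_b = constructed_raw_keys(1024, 0.03, seed=7)
    result = distill(raw_a, raw_b, 0.1, 0.11, 0.75, seed=7)
    print({k: result[k] for k in ("Q", "B", "R", "A", "qber")}, result["alice"] == result["bob"])
```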

3 Area of research

Quantum cryptography was invented in the mid-1980s, but it is still a seldom used solution in the communications market. Nevertheless, many different QKD channels and specialized services with QC have been implemented by researchers. In this chapter, we consider the state of the art of QC. The author presents the main publications related to this dissertation, as well as the current status of QC.

3.1 Related work

The first pioneering achievement related directly to QC was conjugate coding, invented by Wiesner [99]. He proposed the idea of encoding secret information into quantum states. The first secure quantum communication mode considered by Wiesner was based on information encoded in the spin of particles. In 1984, Bennett and Brassard developed Wiesner's idea and proposed the first QKD protocol, called BB84 [28]. This protocol encodes information by means of polarized photons and ensures that an eavesdropper can be detected if Alice and Bob compare a part of the raw key. BB84 was presented in detail in Section 2.3.2.

A completely different approach to QC was proposed by Artur Ekert. In 1991, he invented the E91 protocol, which is based on the phenomenon of entangled particles [46]. Entangled particles, usually photons, are distributed to Alice and Bob. The basics of entangled pairs were discussed in Section 2.3.1. Detection of an eavesdropper is based on the phenomenon of entanglement: Alice and Bob check whether Bell's inequality is satisfied [24]. Shortly after Ekert's invention, in 1992 Bennett, Brassard, and Mermin argued that entanglement could be used in the BB84 protocol [29]. In fact, the proposed BBM92 protocol was a modified version of the BB84 protocol. Instead of single photons, communication takes place through a quantum channel carrying entangled pairs. Alice and Bob use two orthogonal bases for the detection of qubits, but the photons are sent from a source of entangled pairs.

One of the BB84 and BBM92 inventors, Charles Bennett, presented in 1992 a new QKD protocol based on single particles: B92 [26]. It was a simpler and faster protocol than BB84. Furthermore, it was more efficient because Alice and Bob need a smaller number of compared bits to detect an eavesdropper. The B92 protocol uses a single basis, which means that Alice and Bob have only one alphabet. Alice does not need to choose the polarization to send a single bit through the quantum channel. Unfortunately, the simplification of the algorithm has a negative impact on the required precision of the physical devices. Bob's detector has to be calibrated with high precision: even a small deviation from the desired polarization angles can generate an error during transmission.

One year later, in 1993, Brassard, Crepeau, Jozsa and Langlois proposed the idea of the BCJL93 protocol [34]. Based on the idea presented in [35], they presented a solution to secure the QC system against cheating by the recipient. Additionally, BCJL93 ensures that Alice cannot break the commitment and change her decision about the chosen bit. Unfortunately, a few years later, in 1995, Mayers pointed out the vulnerability of this protocol [69].

After the foundational works, the interest in practical implementations of QKD grew. In the first experiment, the quantum channel was constructed as a 32 cm free-air optical path [27].
After that, many improved experimental demonstrations took place, both based on optical fibers and on free space [59], [72], [95]. These implementations of QKD are based on single particles. The next step was deploying QKD in installed optical fibers [74], thereby demonstrating that QC can be implemented in a real environment. Another milestone was the development of auto-aligning plug-and-play devices to connect Alice and Bob by a quantum channel. This solution was presented by the Geneva group in 1997 [73], [84]. In 2000, the implementation of QKD based on entangled photons over a large distance was also demonstrated [76].

In 2004, another QKD protocol (SARG04) was proposed by Scarani, Acín, Ribordy, and Gisin [87]. It is also a variation of the BB84 protocol. SARG04 was invented in order to protect against the photon number splitting (PNS) attack. This technique exploits a vulnerability of weak laser pulses: Eve counts the number of photons in a pulse and stores one of them (if their number is greater than one), while the rest are passed to Bob [63].

In parallel to QKD protocols and practical implementations, key distillation methods were developed. The first binary error correction method was provided by the BBBSS protocol. This protocol was designed by Bennett and coworkers [27]. It requires Alice and Bob to exchange the parities of subsets of the raw key. BBBSS uses several iterations to correct the errors by parity check. A pseudorandom permutation is applied after each iteration. Two years later, Brassard and Salvail constructed the Cascade algorithm with improved efficiency [36]. It uses only four iterations and keeps track of all checked subsets of the raw key starting from the second iteration. It ensures a fast error correction process. Other reconciliation methods based on the BBBSS algorithm are Furukawa-Yamazaki [50] (less efficient than Cascade) and the Winnow protocol [38], which uses a Hamming code to reduce the number of errors. Other protocols are based on error-correcting codes such as turbo codes [31] or low density parity check codes [51]. It is worth mentioning that some ideas of non-binary reconciliation were also developed. Sliced error correction (SEC) is based on a list of correlated values and obtains, with high probability, equal binary strings for Alice and Bob [22]. A more efficient solution is multistage soft decoding (MSD), proposed by Bloch, Thangaraj and McLaughlin [32].

The first privacy amplification method was based on hash functions. Universal families of hash functions were introduced by Wegman and Carter [40], [75]. Privacy amplification with this solution was proposed by Bennett, Brassard and Robert [30], but Bennett, Brassard, Crepeau, and Maurer generalized this idea (the BBCM protocol) to the case of probabilistic eavesdropping strategies [25]. Another idea of privacy amplification was proposed a few years later [67]. This method is based on an extractor, which is a function able to extract uniformly random bits from a weakly random source.
It uses a small number of additional random bits as a catalyst [82]. The first paper which considered privacy amplification of QKD protocols based on entangled states was presented by Deutsch et al. [41]. Also, Lo and Chau used privacy amplification to prove the security of these protocols [61].

After the series of ordinary point-to-point QKD implementations (communication between only two users: Alice and Bob), interest in practical QC services between many users arose. The first network with QKD links was developed in 2003 and 2004 [89]. This simple QKD network was deployed in Cambridge, Massachusetts under Defense Advanced Research Projects Agency (DARPA) sponsorship. It consisted of two BB84 transmitters, two compatible receivers, and a controlled 2x2 switch which can couple any transmitter to any receiver. The lengths of the quantum channels varied from approx. 10 to 30 km. More details of this network were described in [47]. A much more complex QKD network was constructed by the SECOQC consortium.

SECOQC was an Integrated Project of the Sixth Framework Programme under the auspices of the European Union [9]. The prototype of this network was demonstrated in Vienna in October 2008 [68]. Many heterogeneous QKD systems were exploited, i.e., autocompensating "plug & play", entangled photons, continuous variables and others. The network was deployed on a typical telecom metropolitan area network. The distances between the six nodes varied from 80 m (a free space link) to 85 km. In the prototype network, some well known applications like Voice over Internet Protocol (VoIP) or Web Services were deployed. This QKD network was described in [70], [83].

3.2 Current status of quantum cryptography

Although the first quantum cryptography devices were constructed nearly twenty years ago [27] and the first QKD protocols were invented only a few years before that [28], QC is still a novelty in the communications market. Nevertheless, recently this technology has appeared in practical implementations. For example: the first testbed of commercial quantum cryptography in the Netherlands, deployed by ID Quantique and Siemens [1], and the first use of secure quantum encryption at a world public event (the FIFA World Cup competition in Durban), where a critical communications link was protected by QKD [2]. The popularity of services based on QC rose after commercial companies had launched the first quantum devices. Now we can find in the communications market a few devices which support symmetric encryption with the QKD technique, e.g., CERBERIS [17] created by the idQuantique company [5] or QPN-8505 [15] created by the MagiQ company [7]. Even though they are expensive, these quantum devices ensure a higher level of security than traditional solutions.

Currently, quantum communication over long distances is a crucial issue because of problems with the regeneration of the signal which carries quantum information.
Contemporary amplifiers directly influence qubits and therefore change the quantum information. Currently the maximum distance of successful QKD transmission in optical fiber amounts to more than 200 kilometers [45]. The bit rates of current QKD systems reach a few Mbit/s in a typical telecom metropolitan area network, e.g. the QKD system deployed by Toshiba Research Europe Ltd. (Cambridge Research Laboratory) in 2010 exceeded 1 Mbit/s over 50 km of fiber [43]. The bit rate of a QKD system decreases rapidly as the distance between Alice and Bob grows. The maximum distances of free-space quantum cryptography are similar: in 2007, a team of European researchers experimentally demonstrated QKD communication over the 144 km distance between two Canary Islands, La Palma and Tenerife [23]. Two years later the same transmission distance was achieved for pairs of entangled photons [49].

In 2008, it was shown that QKD between the Earth and a satellite can also be established [97]. Weak laser pulses were sent from the Earth to a Low Earth Orbit (LEO) satellite equipped with retroreflectors. The returned photons were detected on the Earth and the measured return rate reached about 5 counts per second. More details about the performance of QKD in Earth-satellite and inter-satellite links were presented in [71].

The development of QC systems forces the big players involved in this technology area to standardize quantum communications issues. In 2008, the European Telecommunication Standards Institute (ETSI) [4] brought a new Industry Specification Group (ISG) into existence. This group, called QKD [16], is still working on standardization issues in quantum cryptography and quantum technology. Until now, experts from this group have created some documents and drafts concerning such QC aspects as: devices, interfaces, ontology, and others.

In Section 3.1 I mentioned the international SECOQC project which was dedicated to QC development. Nowadays, other projects which develop QC are also being realized. An example is the INDECT project, which is funded under the Seventh Framework Programme. One of the project's tasks is dedicated to developing QC methods for security and privacy assurance. More details about the aims of this work were presented in [94].

3.3 Cost of quantum cryptography

When we consider the QKD technique, the potential end-users of systems which will be protected by means of QC are: banks, big corporations or public administration. The reason why only the big players can afford to implement the QC technique is, first of all, the cost of a quantum system. Let us consider the 'classical' key distribution and key agreement protocols as well as the QKD technique. The 'classical' protocols (e.g. the Diffie-Hellman protocol [42]) use only one public channel to exchange messages between users who want to encrypt data with symmetric ciphers. Detailed information about contributory and distributive key management schemes is presented in a survey [56]. These protocols can be compared with the key distillation step in QC. In Section 2.3.3 I said that key distillation is performed by means of communication in the public channel, similarly to the 'classical' key distribution and agreement protocols. Therefore, this step of QC does not require additional network resources which could generate additional cost. But QC also needs a quantum channel: an additional optical path to distribute qubits. This channel generates the additional cost of the QC service. In particular, two elements generate a significant cost:

• an additional optical fiber to establish a quantum channel between Alice and Bob (this optical channel requires only passive elements, without any amplifiers, multiplexers, etc.) and
• quantum devices to send and receive qubits.

In [52], Ghernaouti-Helie and Sfaxi presented a scenario for the application of QC to secure bank transactions. The authors considered a QC implementation in Switzerland (as an example of a small country). They assumed that a bank has headquarters in every canton and that the main office with the central database is located in Zurich. Remote offices have to communicate all transactions to the database in Zurich. In Fig. 3.1 the topology of the proposed network is presented.

Figure 3.1: The topology of an exemplary quantum network in Switzerland. The figure is a copy from the paper [52].

This network has about 2000 km of optical fiber and the number of quantum cryptography stations is about 80. If the cost of the optical fiber per meter equals 6 CHF and the cost of a QC station (two devices: transmitter and receiver) is 150000 CHF, then the total cost of this scenario is:

$$2000000\ \mathrm{m} \cdot 6\ \mathrm{CHF/m} + 40 \cdot 150000\ \mathrm{CHF} = 18000000\ \mathrm{CHF} \quad (3.1)$$

This is approximately 54 million PLN. By means of the proposed quantum network, the bank is able to ensure the highest level of data security. The authors concluded that this is a huge cost, but if we estimate the prestige gain of the bank (i.e. the reputation, the image) this expense is justifiable and such a long term investment will be beneficial to the bank.

Sometimes, such a big cost is really justifiable, e.g. to ensure national security. QC can protect voting ballots against hacking and accidental data modification. In October 2007, during the federal elections in Switzerland, QC was applied [3]. The transmission to the government's central database repository in Geneva was secured using a quantum connection. Now, Swiss regional governments are considering using QC for e-voting.

Researchers are aware of the fact that the big cost of QC is a major problem for the end-users. Therefore, many different improvements to QKD have been proposed within the last years. First of all, the most expensive components of QC are being optimized to decrease the total cost of the quantum system. An exemplary component is the photon measurement detector. It generates one of the major costs of QKD devices. In 2008, the idea of time division multiplexing of a single photon detector between two photon bases in a QKD system was proposed [64]. This solution can simplify the structure of a QKD system and significantly reduce its cost.

Part II
Requirements and motivation

4 Requirements

Cryptographic key distribution using quantum states is a remarkable technique. However, it is still not clear whether QKD will become a revolution in communications. One of the crucial issues concerns requirements. We could approach the problem in two ways. On the one hand, we could consider the demands on network resources (communication medium, physical layer parameters, etc.) needed to make a QC implementation possible, but that is not the subject of this dissertation. On the other hand, we could define the security requirements of users which QC is able to meet. It seems that these are more important for the communications market. These requirements come from potential users of QC and determine the final choice of the deployed security service.

In this chapter, the author defines and considers the main requirements of a typical QC system. They can be divided into two groups: system requirements and end-user requirements [65]. The two groups differ from each other. The first one, system requirements, is connected with the peculiarities of a communication system. This kind of requirement allows the system to be protected against intruders. Therefore, we can map most of the system requirements to standardized security models. The second group, end-user requirements, comes from stakeholders and expresses the properties of the communication system. They are not as 'technical' as the first group, but they determine the final form of the security mechanisms and decide whether QC is a desirable solution or not. Security requirements from the QC point of view are presented in [80].

Figure 4.1: Security dimensions and security layers of a communication system for end-to-end communication. The figure comes from ITU-T Recommendation X.805 [14].

4.1 System requirements

The requirements which express desirable system properties are referred to as system requirements. They are important because, on the one hand, the system requirements should lead to the achievement of at least one user requirement and, on the other hand, they should provide the optimal solution from the point of view of the available technology. System requirements concern the 'technical' aspects of a given security service. Therefore, they can be defined by means of official recommendations and standards. One of the crucial ITU-T recommendations which consider general security issues is X.805 "Security architecture for systems providing end-to-end communications" [14]. It describes the security architecture of systems offering end-to-end communication. Because currently available QC architectures have, in general, an end-to-end character [68], we can provide a mapping of the X.805 security model to the QC architecture and security requirements.

Fig. 4.1 comes from the ITU-T X.805 document and presents the basic model of a communication system from the security point of view. On the one hand, the recommendation defines the vulnerabilities of the communications system; on the other hand, the system is susceptible to threats and attacks. In Fig. 4.1 we have three security layers: infrastructure security, service security and application security. QC will be deployed in the service and application security layers. The service security layer addresses the security of services which are provided in the network. It concerns the obligatory services and value-added services such as Virtual Private Network (VPN) or confidentiality assurance of instant messages. The application security layer addresses the security of network-based applications.

It is responsible for the security assurance of web browsing applications, e-mails, etc. As we can see, the QKD technique is able to ensure confidentiality in both security layers: services and applications.

From the point of view of QC requirements, the most interesting components of the X.805 system security model are the security dimensions. The ITU-T recommendation defines eight different security dimensions which protect a system against passive and active threats. We can map some of them directly to security requirements. Therefore, if we meet the mapped requirements, we will create a secure end-to-end communication system (also one based on QC). The security dimensions are as follows:

– access control,
– authentication,
– non-repudiation,
– data confidentiality,
– communication security,
– data integrity,
– availability, and
– privacy.

It is worth emphasizing that not all of the presented security dimensions relate to QC requirements. Also, not only the security dimensions enumerated in the ITU-T X.805 document can be defined as security requirements of a QC system. Nevertheless, the security issues defined in Recommendation X.805 can help to define the main security requirements of a QC system. Below, some significant system requirements are presented in detail.

• Confidentiality

One of the security dimensions presented in Recommendation X.805 is the confidentiality of information transmitted in a communication system. Nowadays, the most popular solution which ensures confidentiality is data encryption. Currently, network communication is often protected using symmetric encryption algorithms, like the Advanced Encryption Standard (AES) [13], the International Data Encryption Algorithm (IDEA) [101], and other ciphers. Basic information about cryptography and ciphers was presented in Section 2.1.

The security of symmetric algorithms depends on the fact that the key is secret. Unfortunately, it is a serious problem to distribute the keys to other entities in a network environment in a secure way. If an intruder finds out the secret key, he or she will be able to decrypt confidential data. QKD ensures the highest security level of encryption key distribution, because it is not possible to eavesdrop on the communication in a passive way. Let us assume a communication system where data confidentiality is the crucial requirement. Then, the QC service in conjunction with a strong symmetric cipher (e.g. AES with a key size of 256 bits) can be implemented. This solution meets the considered requirement.

• Communication security

Communication security is another security dimension introduced by the X.805 document. It ensures that information flows only between the proper end points. If communication security is considered the key feature of the system, it is worth considering the implementation of a QC service. The QKD technique meets this requirement in the best way: the quantum information is exchanged only between the proper entities; otherwise, an eavesdropper will be uncovered. QC ensures the communication security requirement by means of the principles of quantum mechanics.

• Privacy

The information that might be derived from the observation of network activities can be used by intruders against users or a communication system. Privacy assurance is the action of providing protection against intruders who can collect this kind of information. When we introduce this requirement during the system design process, we should consider the QKD technique. Whenever eavesdroppers want to observe the quantum information, they change the quantum states and can be uncovered. Then, end-users or system administrators are capable of protecting data and/or network resources against intruders.
• Efficiency

This system requirement is strongly connected with security. Let us consider a popular solution which ensures data security: asymmetric encryption. It does not require confidential key establishment or exchange; however, it is not very efficient. Therefore, asymmetric ciphers are not suitable for all applications. When efficiency of the communication system is one of the most important requirements, the best encryption algorithm will be a symmetric cipher with secure key distribution, such as the QKD technique. Symmetric encryption algorithms are the fastest ciphers. Even though the transmission of quantum information is slower, the encryption key is relatively short in comparison to the data generated by users.

The presented properties exemplify the main system requirements from the security point of view. They lead to desirable system features, but in the next section the author presents more important requirements, which come from users.

4.2 End-user requirements

At the beginning of the system design process, the end-users should create the specific requirements concerning, among other things, security and other issues which directly influence data protection. The end-user requirements should come from stakeholders and express a property of the communication system. It is worth mentioning that end-users usually do not use such ‘technical’ terms as confidentiality or data integrity. They usually describe the desirable features of the system more generally, e.g. security, performance, etc. The end-user requirements of a communication system indicate whether QC is a suitable solution or not. Below, some of them are presented in detail.

• Security

At the beginning, we should become aware that end-users usually do not distinguish between specific security services, e.g. privacy and confidentiality. Therefore, they describe all specific data protection services as security. Very often data security is the crucial issue for end-users. Let us consider the communication system of a bank. A weak security system exposes the bank to the loss not only of money but also of its good reputation. In such a situation the QKD technique may be the best solution because QC provides the highest security level. When security is one of the most important end-user requirements, it is worth considering data protection by means of QC.

• Performance

Performance is a feature of the system which is inseparable from security. It is inversely proportional to the security level of the system.
Performance is a requirement which is usually directly perceived by users, and for this reason it appears as an end-user requirement very often. The performance of QC is not worse than that of other security solutions: in comparison with asymmetric ciphers, QC, which is based on symmetric encryption, provides much more efficient encryption. Even QKD, in comparison with traditional key exchange or establishment protocols like the Diffie-Hellman key establishment algorithm [42], is not worse. The Diffie-Hellman protocol is based on prime number computation, which is not an efficient process and has a lot of protocol overhead. For these reasons it is worth considering the QC technique when end-users require a high level of communication system performance.

• Cost

The cost of a communication system is usually the most frequent end-user requirement which appears during the design process. Unfortunately, QC is a very expensive technique. Not only do quantum devices and software applications generate big expenses, but they also impose additional changes in the communication network. Currently, when we want to implement QC in a communication system, we have to build or rent a dedicated optical fiber for the quantum channel, called a ‘dark fiber’. All components (hardware, software, and optical fibers) generate a huge cost. Therefore, only when end-user requirements do not include any real cost restrictions can we think seriously about QC implementation.

• Ease of use

End-users of communication systems usually are not engineers and do not possess technical skills. Therefore, ‘ease of use’ often appears as a requirement of a system. QKD devices deployed in a communication system do not generate additional difficulty in the user interface. This technique is completely ‘transparent’ for the users. As distinct from the SSL (Secure Socket Layer) technique with asymmetric encryption, QC does not require the installation of certificates or checking a certificate revocation list (CRL), i.e. a list of certificates that have been revoked or are no longer valid.

End-users can define much more specific requirements related to security (e.g., universality or reliability), but it seems that the presented features are prevalent. In the next chapter the importance of end-user requirements is considered.
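The Efficiency and Performance points above rest on one quantitative argument: a symmetric cipher needs only a short key, so a QKD link that delivers key slowly can still keep up with a fast data stream, whereas a one-time pad would need as much key as there is data. The following key-budget model makes that argument explicit. It is an added example written for this page, not code from the thesis or from any QKD product; the 1 kbit/s secret-key rate, the 10 Mbit/s traffic rate and the 60-second rekey interval are constructed sample values, and the 256-bit key size assumes AES-256 as mentioned in Section 4.1.

```python
"""Key-material budget for a QKD-fed link (constructed example).

Models the trade-off from the Efficiency and Performance discussion: a QKD
link delivers secret key slowly, so the cipher that consumes that key decides
whether the link keeps up with user traffic. Two consumers are compared:
  - OTP: one-time pad, one key bit per data bit;
  - SYMMETRIC: a block cipher such as AES-256 that takes a fresh 256-bit key
    every rekey interval, independent of the data volume.
All rates below are constructed sample values, not measurements.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

OTP = "otp"
SYMMETRIC = "symmetric"


@dataclass
class KeyBudget:
    key_rate_bps: float             # secret key bits/s delivered by the QKD link
    data_rate_bps: float            # user traffic bits/s that must be encrypted
    key_size_bits: int = 256        # symmetric key length (assumed: AES-256)
    rekey_interval_s: float = 60.0  # seconds between fresh symmetric keys (assumed)

    def demand_bps(self, mode: str) -> float:
        """Secret key bits/s the chosen cipher consumes."""
        if mode == OTP:
            return self.data_rate_bps
        if mode == SYMMETRIC:
            return self.key_size_bits / self.rekey_interval_s
        raise ValueError(f"unknown mode: {mode}")

    def sustainable(self, mode: str) -> bool:
        """True when the QKD link delivers at least what the cipher consumes."""
        return self.key_rate_bps >= self.demand_bps(mode)

    def min_rekey_interval_s(self) -> float:
        """Shortest rekey interval the link can feed without running dry."""
        return self.key_size_bits / self.key_rate_bps


def simulate(budget: KeyBudget, mode: str, seconds: int,
             initial_buffer_bits: float = 0.0) -> Tuple[Optional[int], float]:
    """Step a key buffer one second at a time: deposit the delivered key,
    withdraw what the cipher needs. Returns (second at which the buffer first
    went negative, or None if it never did; buffer level at the end)."""
    buf = float(initial_buffer_bits)
    demand = budget.demand_bps(mode)
    for t in range(1, seconds + 1):
        buf += budget.key_rate_bps
        buf -= demand
        if buf < 0:
            return t, buf
    return None, buf


if __name__ == "__main__":
    # Constructed figures: a 1 kbit/s secret-key rate and 10 Mbit/s of traffic.
    budget = KeyBudget(key_rate_bps=1_000, data_rate_bps=10_000_000)
    for mode in (OTP, SYMMETRIC):
        depleted_at, level = simulate(budget, mode, seconds=3600)
        print(f"{mode:9s} demand={budget.demand_bps(mode):>12.2f} bit/s "
              f"sustainable={budget.sustainable(mode)} "
              f"depleted_at={depleted_at} final_buffer={level:.0f} bits")
    print(f"fastest rekey the link can sustain: "
          f"{budget.min_rekey_interval_s():.3f} s")
```

With the constructed figures the one-time pad exhausts the key buffer in the first second, while AES-256 rekeyed every minute consumes about 4.3 bit/s against 1000 bit/s delivered, leaving the link with a growing reserve; the same link could rekey roughly every quarter of a second before the budget breaks even. The model deliberately ignores the key consumed by authentication of the classical channel and by error correction and privacy amplification, which a real deployment must also budget for.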

5 Motivation and needs of system end-users

Currently, QC ensures the highest level of security; however, it is a very expensive solution [48]. Costly devices and dedicated network resources could discourage end-users from implementing the QKD technique in communication networks. This problem raises the question: ‘Do we really need such an expensive solution?’. In fact, if security is a less important issue than the cost of the system, QC will not be implemented in real networks. In this situation, QC will only be ‘an interesting fact’ in the communications market. Otherwise, the QKD technique will be a popular solution in the near future.

In 2009 I decided to ask potential end-users to specify the most important requirements. The question about the practical dimension of QC was one of the reasons for the survey. I wanted to have a look at QC from the end-users’ point of view. First of all, I wanted to check the importance of end-user requirements. The questionnaire was created within the confines of the EU INDECT project [6]. It includes a question about the requirements of communication systems. Potential end-users indicated the most important features of a communication system. They could assign a number from ‘1’ to ‘5’ to each requirement (where ‘5’ means the most important and ‘1’ means the least important). In the survey, we specified six main requirements:

– security (system and data are secure),
– performance (quick access to data),
– cost (cost of the system),
– universality (possibility of deployment in different environments),
– reliability (high availability of the system),
