Vous êtes sur la page 1sur 46

Cryptographie quantique : des

concepts aux applications

17 Avril 2007
Crypto Puces Porquerolles

Romain Allaume
Dpartement Informatique et Rseaux
Ecole Nationale Suprieure des Tlcommunications - Paris
Plan de lexpos
Elements dinformation quantique

Cryptographie quantique : principes,


ralisations

Projet SECOQC : rseaux de distribution


quantique de cl

Perspectives dapplications de la crypto


quantique
Elements dinformation
quantique
Physique et information
Linformation est stocke sur un mdium
physique et manipule par des opration
physiques => les processus lmentaires mis
en jeu sont quantiques

Information Quantique : spcificits


Ne peut tre copie
Superpositions dtats autorises
La mesure affecte ltat quantique
Le qubit vs le bit
Classique Quantique
1 bit 1 qubit
0 ou 1 |0 + |1 ||2 + ||2=1
n bit n qubit
000...0 (0) 2n"1 2n"1 2
000...1 (1) ! ci i ! ci =1
i=0 i=0
M
111...1 (2n-1) ex. 4 qubits: |7 = |0111
Mesure Mesure 2n"1

b1b2b3...bn ! ci i
i=0

b1b2b3...bn i avec probabilit |ci|2
Intrication (entanglement)
Intrication : il existe des tats non sparables

B
A |> |> | >
Corrlations eventuellement non-locales

Exemple :
Entanglement : non-classical correlations

Violation of Bell inequalities => refutation of Local Realism


Entanglement => fondamental ressource for Q computation
and Q communication
Circuits et portes quantiques

Ensemble complet: (Ou-exclusif, Toutes les portes 1 qubit)

|a |a
Ou-exclusif:
(non-contrl) |b |b si a=0
|b si a=1

|0 1 (|0+|1)
2
Ex. porte a 1 qubit: H
|1 1 (|0-|1)
2
Quantum Circuit
A quantum circuit provides an visual representation
of a quantum algorithm.

0
0
0
0

initial quantum gates measurement


state

time
Applications
Efficient simulations of quantum systems
Phase estimation; improved time-frequency
and other measurement standards (e.g. GPS)

Factoring and Discrete Logarithms


(Shor Algorithm, 1994)

Hidden subgroup problems


Amplitude amplification
and much more
Computational Complexity Comparison

Classical Quantum

Factoring

e (
O n1 / 3 log 2 / 3 n ) O(n )! e O (log n )

Elliptic
Curve O (n )
Discrete e O(n )! e O (log n )
Logarithms

(in terms of number of group multiplications for n-bit inputs)


Cryptographie quantique
Une belle ide

When elementary quantum systems are


used to transmit digital information, the
uncertainty principle gives rise to novel
cryptographic phenomena unachievable with
traditional transmission media.
Charles H. Bennett et Gilles Brassard (1984)
Les 3 piliers de la cryptographie quantique

1. Cryptographie
Confidentialit des informations transmises (cls
alatoires)

2. Physique Quantique
Comportement des particules quantique lmentaires :
1. Il est impossible de dupliquer un tat quantique arbitraire
2. La mesure dun tat quantique perturbe ce dernier

3. Thorie de lInformation
Distillation publique de secret, avec une scurit dite
inconditionnelle (caractre secret portant sur
linformation au sens de Shannon)
Scnario de la cryptographie quantique

Eve

Alice Bob

Canal quantique

Canal classique

But du jeu : IAB > IAE, IBE CL


Coder linformation sur un tat quantique
Etats de polarisation Encodage dinformation
linaires dun photon

, , , 0
= (+ ) /2
= ( - ) /2 1

Si photon unique :
Information ambige si lon ne connat pas la base de codage
Acqurir de linformation sur le bit cod se traduit pas une perturbation
Mesure dun tat de polarisation
Un analyseur de polarisation donne 2 rsultats : transmis ou dvi
Une dtection conjointe sur les deux sorties permet de dterminer
avec certitude ltat du photon polaris dans la mme base que la base
danalyse
Dvi : vertical

Transmis : horizontal
Analyseur
Si la polarisation et la base danalyse diffrent, le rsultat de
mesure devient alatoire (50 % - 50 % pour la base 45)

?
Analyseur
Mise en oeuvre : le protocole BB84
Lespionnage peut tre dtect

Eve 25% errors


Bob
BB84 protocol:
H/V Basis

Polarizers Alice
45 Basis
Horizontal - Vertical

Diagonal (-45, +45)

Alice's Bit Sequence


Bob's Bases

Bob's Results 0 1 0 - 0 1 1 1 1 - 1 0

Key - 1 - - 0 1 - - 1 - 1 0
Post-processing classique
A lissue de la phase quantique, Alice et Bob disposent
dinformations corrles mais
Entaches derreurs (exprimentales et / ou dues lespion)
Partiellement connues de lespion.

2 ETAPES DE POST-PROCESSING

1) Correction derreur (codes correcteurs derreurs classiques


1) Rconciliation : se fait sur canal classique (public)
2) But : travailler prs de la borne de Shannon
3) Augmente linformation dun espion potentiel

2) Amplification de confidentialit => cl totalement secrte


Amplifier la confidentialit de la cl : principe
Alice Bob

Canal classique
Eve

UE
Situation intiale : I(XA=XB ; UE) > 0

XA =0100110001010 XB =0100110001010

XA = XB I(XA=XB ; UE) -> 0


Bilan : Gnrations dune cl secrte =
processus en 3 tapes
Donnes initiales Il faut corriger les erreurs
contiennent des erreurs Il faut annihiler
(EVE) linformation dEve

Alice
Bob
Information Alice
mutuelle Bob
Eve
Alice
Bob
Eve

Info
Eve secrte

Com Quantique + Rconciliation Amplification


filtrage de
confidentialit

Asymtrie dinformation initiale est cruciale


Wireless Sensor Networks
Injectable Tissue Engineering
Nano Solar Cells
Mechatronics
Grid Computing
Molecular Imaging
Nanoimprint Lithography
Software Assurance
Glycomics
Quantum Cryptography
Quantum Key Distribution is now at the Telecom Age

Dmax ~ 100 km
Dbit ~ 5 kbit/s @ 25 km, en progression constante
Quantum Random Number Generator
Physical randomness source

Commercially available
Applications
Cryptography
Numerical simulations
Statistics
Rseaux QKD, projet
SECOQC
Quantum Key Distribution
network
(QKD network)

Definition:
Set of QKD links connecting distant
QKD nodes.

Goal:
Infrastructure capable of performing
symmetric key establishment, with
unconditional security, between any pair
of QKD nodes connected to the network.
QKD networks come in different flavors
Can be distinguished by the functionnality of the network
nodes:
Quantum Nodes : With Full Quantum Repeaters
implies Q memories + Entanglement Distillation
Essentially a distributed Q Computer
Optical Nodes : Switching, routing at the level of the Q
optical signals
Multi-user QKD possible
But cannot extend range
Trusted Relay Nodes
Extra trust assumption but long distance possible
Achievable with todays technologies.
Maintaining perfect secrecy over an
arbitrary long distance.

Hop-by-hop key transport, with new key One-Time-


Pad key encryption at each node.

M appears in cleartext in each node


All nodes have to be trusted.
A path is secure, if and only if all its nodes are.
The SECOQC European Project

Development of a Global Network for SEcure


COmmunication based on Quantum Cryptography
IP, FP6 within the IST program Security & Trust
Integrated Project FP6-2002- IST-1 -506813
Unit D4: ICT for Trust and Security
Duration: April 2004 April 2008 => Oct 2008
www.secoqc.net
SECOQC Developments

Fully functional Quantum Key Distribution (QKD) Devices


Novel Security Architecture
Quantum Information Security Proofs
Novel Protocols and Design of QKD Networks
Standardization of QKD devices and network interface
Certification based on Common Criteria + COPRAS coop.
5 Backbone QKD technologies + 2 Access QKD techno.
Full deployment of a QKD network in 2008, Vienna
SECOQC QKD Network Architecture
External USER
QAN USER QBB USER

Application
(User)

QAN Node
Secrets :
Key store
QBB Node global management

QBB LINK
QAN LINK
Quantum
Key Distribution
M. Dianati, R. A. Proc. IEEE QSEC 2007 quant-ph/0610202
QBB node
Q3P instance 1

Link layer module

Other modules

QBB link 1
Key store QKD Device array

Q3P instance 2

Link layer module

QBB link 2
Forwarding module
Routing module

Key store QKD Device array


...

...
Q3P instance n

Link layer module

QKD Device array


QBB link n Analogue to a router in a
Key store

conventional packet switching


QBB Node networks
Integrated design (19 racks)
QBB link
QBB Node QBB Node
QBB Link
Classical Classical Channel Classical
Network Interface Network Interface

QKD Device 1 Quantum Channel 1 QKD Device 1


QKD Device 2 Quantum Channel 2 QKD Device 2
. ..

. ..
QKD Device n Quantum Channel n QKD Device n

Multiple QKD links can be deployed in parallel, they


operate over the same shared classical channel, and fill the
same key store
Typically for high-rate / high-cost core network links
Protocol Stack of the QKD network
QKD Application Layer (NI/SYS)

QKD Transport Layer (ENST)

QKD Network Layer (ENST)

Q3P:
QKD Point-to-Point Protocol
(ARCS)
QKD Network Demonstrator (1)

Deployment over a
real metropolitan
area telecom fibre
network.

Cooperation:
Siemens

Vienna, fall 2008


QKD Network Demonstrator (2)
Meshed Topology Different QBB-Link technologies:
Fully connected parallelogram +
Long Distance Link Coherent One Way System
(N. Gisin, Univ. Genve)
One Way Weak Pulse System
(A. Shields, Toshiba)
Continuous Variables
(P. Grangier, CNRS)
Entangled Photons
(A. Zeilinger, Univ. Vienna)
Autocompensating Plug&Play
(G. Ribordy, id Quantique, Genve)
Perspectives dapplication de
la cryptographie quantique
Comparative advantages of QKD
over classical key distribution techniques
Secoqc White Paper on Quantum Key Distribution
and Cryptography,
quant-ph/0701168

Romain Allaume, Jan Bouda, Cyril Branciard, Thierry Debuisschert,


Mehrdad Dianati, Nicolas Gisin, Mark Godfrey, Philippe Grangier,
Thomas Lnger, Anthony Leverrier, Norbert Ltkenhaus, Philippe
Painchault, Momtchil Peev, Andreas Poppe, Thomas Pornin, John
Rarity, Renato Renner, Grgoire Ribordy, Michel Riguidel, Louis
Salvail, Andrew Shields, Harald Weinfurter, Anton Zeilinger,
Some messages
QKD main advantage : properties of the key
Unconditionnal security versus computationnal security
Composability
QKD is not adapted to open networks
Open networks : trust relations + asymetric crypto
(Internet) => no symmetrically shared secret
QKD is for closed, operated, (and medium-sized
networks).
One of the main challenges for QKD will be side-
channel analysis => very intesting for the analysis
of side-channles in classical cryptosystems.
Application naturelle : renouvellement de
cls pour chiffrage de liens

Chiffrage One-Time-Pad (masque jetable)


Scurit inconditionnelle
En particulier forward secrecy
Mais dbits faibles (dbit donnes = dbit cls)

Chiffrage Symtrique (DES, AES, etc)


Gain en scurit : scurit de la cl + frquence de
renouvellement
Dbits levs
Pour quelles infrastructures ?
=> Rseaux oprs, consommateurs de secrets

Rseaux privs de grande scurit : bancaire,


cur de rseau oprateur, militaires,
gouvernementaux
Rseaux de stockage scuris de donnes
(SANs)
PKIs: distribution des cls secrtes, initialisation

Autre ide ??
Side-channels et crypto quantique
Interfaces classique-quantique
=> critique pour les side-channels
classique classique

Public quantique Public


Priv Priv

Espace quantique prsentant


Problmatique
une garantie forte contre les
standard de
side-channels: test de
gestion de
correlations quantiques
secrets =>
smartcards ?
Conclusion

Systmes de distribution quantique de cl sont


maintenant fiables, deployables sur des
rseaux fibrs tlcoms
SECOQC: premiers lments dun standard
europen
Nouvel outil cryptographique => ncessit
didentifier les avantages que lon peut en tirer
et les applications adaptes => projet FP7
Merci pour votre attention !