本講主要內(nèi)容8.1研究背景8.2

BB84協(xié)議的原理8.3

BB84協(xié)議的安全性證明8.4

BB84協(xié)議的密鑰率分析8.5B92協(xié)議18.1研究背景密鑰分配2■非對稱密碼(公鑰密碼)消息

m

加密

加密

消息

m公鑰(n,e)

私鑰(p,q,f)RSA:n=p·q,pand

q

are

prime

numbers.?(n)=(p-1)(q-1),gcd(e,φ(n))=1,e

d=1(mod(φ(n)c=m°(mod

n),m=c?(mod

n)密碼體制與密鑰分配■對稱密碼(私鑰密碼)消息

m加密加密

消息

m相同的密

鑰

K

密鑰AES,DES,3DES,RC4,IDEA,...一次性便簽

(onetime密鑰

K

pad,OTP)

加密難點：足夠長的密鑰公鑰密碼的安全性-大數(shù)分解■RSA的安全威脅(公開報道的因數(shù)分解：已達768

bits)Academic

RSAfactorizationrecordsHostilefactorizations(Year-2000)·32+512

bitsbits8965765304631990

19952000

2005

2010

2015

year

2020Break

RSA-1024:LibgcryptcryptographiclibraryusedbyGnuPG開源加密軟件(用于Linux,FreeBSD,Windows等),Cryptographic

Hardware

and

Embedded

Systems-CHES

2017,555采用量子計算分解N的時間隨logN

的多項式增長(可

解

問

題)。N=129

位，如果用2000個qubit的量子計算機只要1秒時間即可以分解成功。Shor

算法實現(xiàn)需要通用量子計算機，實現(xiàn)大整數(shù)的分解需要的物理量子比特數(shù)目巨大，具體實現(xiàn)尚需時日。大數(shù)分解：Shor算法180708208868740480595165616440590556627810251676940134917012702145005666254024404838734112759081230337178188796656318201321488055739685999459597454290161126二

1628837860675

76449112810064832555157243Shor算法證明：N=129

位，1994年1600臺工作站耗時8個月分解成功。45534498646735972188403686897274408864356301263205069600999044599×■后量子密碼■構(gòu)造量子計算機無法破解的

加密方法■

基于Hash

函數(shù)的密碼■

基于糾錯碼的密碼■

基于格的密碼■

多變量二次方程組密碼■

仍然基于計算復(fù)雜度，有無

新的破解算法?■

量子密碼■安全性建立在量子力學(xué)基本

原理上■

有商用產(chǎn)品■成本相對較高■物理實現(xiàn)上的瑕疵不斷被彌

補(協(xié)議和實現(xiàn)同時改進)■

短期建議：■重要數(shù)據(jù)：量子密碼■一般數(shù)據(jù)：后量子密碼后量子密碼與量子密碼經(jīng)典密鑰分配協(xié)議：

一個例子TheNeedham-SchroederprotocolParty

PartyKDC

BKA,Kg:master

keys

forcommunicatingprivately1—

—E(KA[DADB.N1])

一

with

a

key

distributioncenter(KDC).N?,N?:random

numbersKs,session

keyAsencryptedbyKDCfordeliveryto

BE(Kg,N2)—

4Figure

1:A

pictorial

depiction

of

the

Needham-Schroder7基于QKD的量子保密通信系統(tǒng)OTP信息

加密

解密經(jīng)典層量子層密性放大基矢對比信息協(xié)調(diào)探測器密性放大基矢對比信息協(xié)調(diào)量子信號源QKD單元隨機數(shù)

發(fā)生器測量基隨機數(shù)

發(fā)生器調(diào)制8Common

laserAlice

Bob411.5km411.5kmSourceChopperEncoderRegulator

Reference

RegulatorFeedbackPMChopper-Encoder4SSPDfiomwRegulator-TF-QKDthe

optimized

four-phase

twin-fieldprotocol103102This

work10.Ref.10°Ret.710-1Ref.33102ShuangWang,et.al.,Twin-fieldquantumkeydistributionover830-kmfibre,Nature

Photonics

16,154-161(2022)10?400

500

600700

800

Fibre

length(km)Fig.1|Summaryofrecent

long-distanceQKDexperimentsbeyond400km.All

demonstrations

are

provided

with

the

fibre

length,secure2019TF2019TF2018BB842016

MDISecure

key

rate(bps(2021202120212020IM

PMTFTF

TFTFFeedback

PMLocal

laser900CharlieSource1039高速集成QKD系統(tǒng)[1]Li,W.,Zhang,L.,Tan,H.et

al.High-rate

quantum

key

distribution

exceeding

110Mbs-1.Nat.Photon.Bob1-pixel1DGCSignallaserPOLMchannelQuantumchannelSynclaser2DGC115.8Mb/s@10

kmDWDMdriverAliceDCM8-pixe

PBSVBSEPC(2023).0QClassicalSNSPDDWDM8.2

BB84協(xié)議的原理經(jīng)典密碼中的密鑰分配量子密鑰分配11QuantumKeyDistribution■

Roots

ofQuantum

Cryptography■

Stephen

Weisner:Conjugate

Coding,

Published

in

1983■Conjugatebases■

A

pair

ofbases

is

conjugate

ifthe

measurement

in

the

first

basis

completely

randomizes

themeasurements

in

the

second

basis.■

BB8412BB84

協(xié)議用到的編碼基■光子不同偏振態(tài)，Z基：0/90;

X基：45/135■測量基與編碼基不一致時，得到正確結(jié)果的概率為1/2“0”或“1”,概率均為1/2“0”或“1”,概率均為1/2“1”“0”“0”或“1”,概率均為1/2“0”或“1”,概率均為1/2X基Z基“1”“0”13BB84

協(xié)議的工作流程(1)Alice隨機選擇一串二進制比特；(2)Alice隨機選擇每一個比特轉(zhuǎn)化成光子偏振態(tài)時所用的基，即垂直基或斜基；(3)Alice

按照自己隨機選擇的基和二進制比特串來調(diào)制

光子的偏振態(tài)(例：比特“0”對應(yīng)水平偏振態(tài)和↗偏振

態(tài)，比特“1”對應(yīng)垂直偏振態(tài)和\偏振態(tài)。)并將調(diào)制

后的光子串按一定的時間間隔依次發(fā)送給Bob;(4)Bob

對接收到的每一個光子隨機選擇測量基來測量

其偏振態(tài)，將結(jié)果轉(zhuǎn)換成二進制比特；BB84

協(xié)議的工作流程(續(xù))(5)Bob

通過經(jīng)典信道告訴Alice他所選用的每個比特的測

量

基

；(6)Alice

告訴Bob哪個測量基是正確的并保留下來，其余的丟棄，得到原始密鑰；(7)Alice

和Bob

從原始密鑰中隨機選擇部分比特公開比較

進行竊聽檢測，誤碼率小于門限值的情況下，進行下一步；

否則認為存在竊聽，終止協(xié)議；(8)Alice

和Bob

對協(xié)商后的密鑰作進一步糾錯和密性放大，最終得到無條件安全的密鑰。J.Kowalik,IntroductiontoQuantumCryptography,IEEEtalk,Seattle,200516BB84

3

EveDetectionfilter2Laser

Alice's

bit

sequence:

00

0

1

0Alice's

filterscheme:Bob's

detection

scheme:Bob's

bit

measurements:

1Retained

bit

sequence(key):

0

1PolarizationfilterAliceTransmittedphotonUnpolarizedphotonBobDetectionfilterAlice準備的比特串1001110101Alice發(fā)送的光子序列個→→個↗個1Bob選擇的測量基十X十十XXX十十XAlice和Bob保存的結(jié)果個→1個Bob得到的原始密鑰101011Alice和Bob協(xié)商1101密鑰1101BB84協(xié)議舉例Sifted

keyBB84

協(xié)議安全性分析■

海森堡測不確定性原理和量子不可克隆定理保證了BB8

4協(xié)議的無條件安全性■海森堡不確定性原理：若Eve

從量子信道中截獲光子并進行測量

,因為非正交態(tài)不可區(qū)分，Eve

不能分辨每個光子的原始狀態(tài)，

竊聽會干擾到量子態(tài)，進而被Alice和Bob發(fā)

現(xiàn)(分析QBER)?！鑫粗孔討B(tài)不可克隆定理：無法克隆一個副本■量子密鑰分發(fā)協(xié)議的安全檢測基于概率統(tǒng)計理論■BB84

量子密鑰分發(fā)協(xié)議中，Alice和Bob

需要隨機的抽取測量結(jié)果

進行誤碼率分析，這種抽樣雖然在總的測量結(jié)果中占的比例不是

很大，但需要大量數(shù)據(jù)。Finitesize問題!18BB84

協(xié)議的特點■

優(yōu)

點

：■被理論證明是一種無條件安全的分發(fā)密鑰方式■量子信號制備和測量相對比較容易實現(xiàn)■

缺

點

：■量子比特利用率低：通信雙方隨機選擇兩組基來進行竊聽檢測，

以保證量子密鑰分發(fā)的安全性。傳輸過程中只有不超過50%的量子比特可用于量子密鑰■編碼容量低：兩個量子態(tài)只能傳輸1比特有用經(jīng)典信息，且四種量

子態(tài)只能代表“0”和“1”兩種碼，。BB84協(xié)議■polarization

in

two

bases:circular

andrectilinear1.

Alicesendsrandom

sequence

ofthe

fourkinds

ofpolarized

photons

to

Bob2.Bob

choosesrandomlyfor

eachphoton

whether

to

measurerectilinear

or

circular

polarization3.Bob

announces

which

kind

of

measurement

he

made4.Alice

tells

him

whether

he

made

the

correct

measurement5.Alice

and

Bob

agree

publicly

to

discard

all

incorrect

measurementsand

all

positions

where

photons

were

not

detected6.Polarizations

of

resulting

photons

are

O

for

horizontal

&left-circular,Polarizations

of

resulting

photons

are

1for

vertical

&right-circular7.Resulting

binary

string

is

sifted

key8.Alice

and

Bob

perform

data

reconcilation

for

reducing

QBER9.Alice

and

Bob

perform

privacy

amplification

for

reducing

eve's

information.10.Alice

and

Bob

obtain

final

key.20從1989年第一個QKD實驗到商用產(chǎn)品21P.MOD

PH.RANDPH.ENCTBS

SPDs(c)BB84-POLARIZATION

(d)BB84-TIME-BIN|0)

CDMOCDM1|1)DWDM0ClasicalChipbasedQKD(a)(b)228.3

BB84協(xié)議的安全性證明安全性等效，規(guī)約：從EPR協(xié)議逐步規(guī)約到

(reduce

to)BB84[1]Michael

A.Nielsen

&Isaac

L.Chuang,Quantum

ComputationandQuantumInformation,CambridgeUniversityPress,201023安全性定義安全性定義A

QKD

protocol

is

defined

as

being

secure

if,for

any

security

parameters

s>0andl>0chosen

by

Alice

and

Bob,and

for

any

eavesdropping

strategy,either

thescheme

aborts,or

it

succeeds

with

probability

at

least1-0(2-?),and

guaranteesthat

Eve's

mutual

information

with

the

final

key

is

less

than2-.The

key

stringmust

also

be

essentially

random.■

信息論安全IAB>IAE

IAB>IBE■可證明安全■可組合安全QSDC的安全要求?24Denote

this

state

as

|Boo〉n.Alice

then

transmits

halfofeach

pair

to

Bob;because

of

noise

and

eavesdropping

on

the

channel,the

resulting

state

may

be

impure,and

can

bedescribed

as

the

density

matrix

p.Alice

and

Bob

then

perform

local

measurements

toobtain

a

key,as

described

previously.The

following

Lemma

can

be

used

to

show

that

thefidelity

ofp

with

respect

to

|βoo)n

places

an

upper

bound

on

the

mutual

informationEve

has

with

the

key.Lemma12.19:(High

fidelity

implies

low

entropy)If

F(p,|Boo)n)2>1-2-s,then

S(p)<(2n+s+1/In2)2-?+O(2-2s).安全的QKD協(xié)議Requirements

for

a

secure

QKDprotocolSuppose

that

Alice

has

n

pairs

ofentangled

qubits,each

in

the

state(12.198)25Step1:ModifiedLo-Chauprotocol■

EPR

協(xié)議+抗噪聲處理■

基于量子糾錯碼實現(xiàn)糾纏純化QKDprotocol:modifiedLo-Chau1:Alice

creates

2n

EPR

pairs

in

the

state|Boo)2n.2:Alice

randomly

selects

n

of

the

2n

EPR

pairs

to

serve

as

checks

to

checkfor

Eve's

interference.She

does

not

do

anything

with

them

yet.3:Alice

selects

a

random

2n-bit

string

b,and

performs

a

Hadamard

transformon

the

second

qubit

of

each

pair

for

which

bis1.發(fā)現(xiàn)相位差錯4:Alice

sends

the

second

qubit

of

each

pair

to

Bob.5:Bob

receives

the

qubits

and

publicly

announces

this

fact.6:Alice

announces

b

and

which

n

qubits

are

to

provide

check

bits.7:Bob

performs

Hadamards

on

the

qubits

where

b

is1.268:Alice

and

Bob

each

measure

their

n

check

qubits

in

the

|0),|1〉

basis,andpublicly

share

the

results.Ifmore

than

t

ofthesedisagree,they

abort

theprotocol.9:Alice

and

Bob

measure

their

remaining

n

qubits

according

to

the

checkmatrixfora

pre-determined[n,m]quantumcodecorrectinguptoterrors.Theysharetheresults,computethe

syndromes

forthe

errors,and

thencorrect

their

state,obtaining

m

nearly

perfect

EPR

pairs.10:Alice

and

Bob

measure

the

m

EPR

pairs

in

the

|0>,|1〉

basis

to

obtain

a

shared

secret

key.ModifiedLo-Chauprotocol(cont'd)■[n,m]量子碼糾正t個錯誤，最終獲得高糾纏度EPR

對27Step2:QKDprotocol-CSScodes■

采用單量子態(tài)(糾纏態(tài)在Z

基下測量，等效于發(fā)送單量子

態(tài)),包括校驗比特和碼比特■

基于量子糾錯碼

(CSS

碼)實現(xiàn)糾錯(≤t個錯誤)

QKDprotocol:CSScodes1":Alice

creates

n

random

check

bits,a

random

m

bit

key

k,and

two

random

nbitstringsrandz.Sheencodeslk)inthe

code

CSS2z(C?,C?).She

also

encodes

n

qubits

as

|0>or

|1)according

to

the

check

bits.2":Alice

randomly

chooses

n

positions

(out

of2n)and

puts

the

check

qubitsin

these

positions

and

the

encoded

qubits

in

the

remaining

positions.3:Alice

selects

a

random

2n-bit

stringb,andperforms

a

Hadamard

transform

on

each

qubit

for

which

b

is

1.4:Alice

sends

the

resulting

qubits

to

Bob.5:Bob

receives

the

qubits

and

publicly

announces

this

fact.6':Aliceannouncesb,x,z,andwhichnqubitsaretoprovidecheckbits.28QKD

protocol:CSS

codes(cont'd)7:Bob

performs

Hadamards

on

the

qubits

where

b

is1.8':Bob

measures

the

n

check

qubits

in

the|0>,|1〉basis,and

publicly

sharesthe

results

with

Alice.If

more

than

t

of

these

disagree,they

abort

theprotocol.9':Bob

decodes

the

remaining

n

qubits

from

CSSz,π(C?,C?).

10':Bob

measures

his

qubits

to

obtain

the

shared

secret

key

k.■QBER檢驗安全性：若>t個錯，協(xié)商失敗■CSS碼進行糾錯編碼29Step3:QKDprotocol-SecureBB84■

簡化編碼和譯碼■

立即測量，消除對存儲的需求QKDprotocol:SecureBB841:Alice

creates(4+δ)n

random

bits.2:For

eachbit,shecreates

a

qubit

in

eitherthe

Zbasis,or

the

X

basis,

according

to

a

random

bit

string

b.

coding3:AlicesendstheresultingqubitstoBob.4:Alice

chooses

arandom

vk∈C?

.5:Bobreceivesthequbits,publicly

announcesthis

fact,and

measures

eachintheZorXbasesatrandom.6:Alice

announces

b.307:Alice

and

Bob

discard

those

bits

Bob

measured

in

a

basis

other

than

b.Withhigh

probability,thereare

at

least

2nbitsleft;ifnot,abortthe

protocol.Alice

decides

randomly

on

a

set

of

2n

bits

to

continue

to

use,randomly

selects

n

ofthese

to

be

check

bits,and

announces