What are the advantages and disadvantages of quantum cryptography?

In: Technology [Edit categories]

Energy Supply Challenges Siemens has answers to efficient energy supply. Learn more now! www.siemens.com/answers

[Improve] A bit ago I asked if there was any interest in quantum cryptography. I received enough affirmitive answers to continue this thread.

I should first say that I am activly working on quantum cryptography and have funding for this purpose. My background is in experimental quantum optics, so I am very familiar with the theoretical physics aspect of quantum cryptography as well as the practicalities of implementing it with real devices. My weakness lies in understanding the computational aspects of quantum cryptography that make up the "bit distillation" or "privacy amplification" process.

As a brief introduction to quantum cryptography (which might eventually make a good addition to the FAQ) I offer the following. A quantum cryptography system is a key distribution system that attempts to link the security of the system to the correctness of the uncertainty principle of quantum mechanics (which is currently believed to be completely true, and has been experimentally verified many times).

The essence of the uncertainty principle of quantum mechanics is twofold. First, any measurements made on a physical system that extracts some information about that system will necessarily disturb that system, albeit possibly in a very small way. Second, any measurement made on a physical system that extracts some information about a certain quantity, call it x, necessarily precludes obtaining information about a conjugate quantity of the same system, call it p.

Quantum cryptography systems are designed such that a s ender, traditionally called Alice, prepares a physical system in a known quantum state or x or p and sends it to the legitimate receiver, traditionally called Bob. Bob them measures either the value of x or the value of p for the physical system that he recieves from Alice; the uncertainty principle precludes him from measuring the values of both x and p.

A large number of such exchanges are made, and then Alice and Bob then openly compare information on whether Alice prepared the same quantity of the system that Bob tried to measure. After this comparision, all cases are disgarded for which Alice prepared the value of x but Bob measured p, or vice versa. In the absence of an eavesdropper, and if ideal equipment is used, Alice and Bob would now share the values of the quantity for each of the retained cases. These values can then be used as a key.

Notice that information on which quantity was set by Alice and measured by Bob was disclosed in an open discussion, but the actual values of the quantities was not disclosed. So to learn about the key, an eavesdropper must attempt to extract some information from the quantum system that is sent from Alice to Bob. However, the uncertainty principle says that if and eavesdropper extracts some information about the system by making a measurement, then the eavesdropper will also perturb the system.

If Alice and Bob use ideal equipment, then the perturbation of the quantum system will fall into two catagories: (1) the perturbation may be great enough to be immediately apparent, (2) the perturbation may not be immediately apparent, but will result in some of the values that Bob measures being different from what Alice sent.

To detect the presence of eavesdropping, Alice and Bob compare the values for a subset of the retained cases. The proportion of the number of compared values that are different indicates the amount of information that the eavesdropper may have learned by making measurements on the quantum system that Alice sent to Bob.

[Here I really need help. In fact, I'm not sure this will work. I have not found any proof in the literature that says that, given the proportion of incorrect values to correct values, it is possible to extablish a bound on the information that a eavesdropper may have learned, regardless of the particular measurements or manipulation of the system that an eavesdropper may have made. Has anyone got any ideas?]

Knowing how much information the eavesdropper has learned about the values that Alice and Bob have for the retained cases, Alice and Bob apply a "bit distillation" or "privacy amplification" process. This process is an algorighm that takes the values as input and outputs a another set of values about which the eavesdropper would then know nothing or little. The quantum system that Alice uses has usually been considered to be single photons, which are the little particles of energy that light is made out of. Any quantum system would concievably do, but light travels quickly and very easily on it own, and a lot about manipulating light is known.

[For me, comming from a quantum optics background, the concept of single photon communication is quite acceptable and real. For those without such a background,

I should mention that sending photon through the air is a perfectly acceptable way of sending single photons. There is a small amount of attenuation and scattering, but the system can be adjusted to account for that. A better way of sendin single photons is to use optical fiber. Optical fibers are solid strands of ultrapure glass that are used for optical communication all over the world. These fibers are extremely well suited to sending single photons over long distances.]

Answer The primary advantage of public-key cryptography is #1 increased security and convenience: private keys never need to transmitted or revealed to anyone. In a secretkey system, by contrast, the secret keys must be transmitted(either manually or through a communication channel), and there may be a chance that an enemy can discover the secret keys during their transmission. Another major advantage of public-key systems is that they can provide a method for digital signatures. Authentication via secret-key systems requires the sharing of some secret and sometimes requires trust of a third party as well. As a result, a sender can repudiate a previously authenticated message by claiming that the shared secret was somehow compromised by one of the parties sharing the secret. For example, the Kerberos secret-key authentication system involves a central database that keeps copies of the secret keys of all users; an attack on the database would allow widespread forgery. Public-key authentication, on the other hand, prevents this type of repudiation; each user has sole responsibility for protecting his or her private key. This property of public-key authentication is often called non-repudiation. A disadvantage of using public-key cryptography for encryption is speed: there are popular secret-key encryption methods that are significantly faster than any currently available public-key encryption method. Nevertheless, public-key cryptography can be used with secret-key cryptography to get the best of both worlds. For encryption, the best solution is to combine public- and secret-key systems in order to get both the security advantages of public-key systems and the speed advantages of secret-key systems. The public-key system can be used to encrypt a secret key which is used to encrypt the bulk of a file or message. Such a protocol is called a digital envelope, which is explained in more detail in Question 16 in the case of RSA. Public-key cryptography may be vulnerable to

impersonation, however, even if users' private keys are not available. A successful attack on a certification authority (see Question 127) will allow an adversary to impersonate whomever the adversary chooses to by using a publickey certificate from the compromised authority to bind a key of the adversary's choice to the name of another user. In some situations, public-key cryptography is not necessary and secret-key cryptography alone is sufficient. This includes environments where secure secret-key agreement can take place, for example by users meeting in private. It also includes environments where a single authority knows and manages all the keys, e.g., a closed banking system. Since the authority knows everyone's keys already, there is not much advantage for some to be "public" and others "private." Also, public-key cryptography is usually not necessary in a single-user environment. For example, if you want to keep your personal files encrypted, you can do so with any secret-key encryption algorithm using, say, your personal password as the secret key. In general, public-key cryptography is best suited for an open multi-user environment. Public-key cryptography is not meant to replace secretkey cryptography, but rather to supplement it, to make it more secure. The first use of public-key techniques was for secure key exchange in an otherwise secret-key system [DH76]; this is still one of its primary functions. Secretkey cryptography remains extremely important and is the subject of much ongoing study and research. Some secret-key cryptosystems are discussed in the sections on block ciphers and stream ciphers.