U.S. patent application number 11/241164 was filed with the patent office on 2007-04-05 for double phase encoding quantum key distribution.
This patent application is currently assigned to Nortel Networks Limited. Invention is credited to Randy Kuang, John Stankus, Guo Qiang Wang.
Application Number | 20070076887 11/241164 |
Document ID | / |
Family ID | 37899298 |
Filed Date | 2007-04-05 |
United States Patent
Application |
20070076887 |
Kind Code |
A1 |
Kuang; Randy ; et
al. |
April 5, 2007 |
Double phase encoding quantum key distribution
Abstract
A laser pulse representing a bit of a quantum key is split into
two pulses. In addition to known round trip phase encoding schema,
a secret phase key is modulated into one of the two pulses: P1 and
P2. The secret phase key is used to identify whether the returning
pulses originated from the sender, i.e., whether the key
distribution has been attacked by an eavesdropper. A secret key
phase modulator randomly modulates pulse P1. An attenuator then
reduces the average photon number of the modulated pulse P1 to a
selected level greater than one to increase the likelihood of
efficient, successful transmission while reducing the possibility
of eavesdropping, e.g., .mu.=10. Both pulses P1 and P2 are sent to
the intended recipient and reflected to the sender. Pulse P2 is
modulated upon return to the sender using the same secret phase key
previously modulated into pulse P1. Therefore, when both pulses
meet together at a coupler/beamsplitter of the sender, both pulses
should contain the same secret key in their phase and therefore
exhibit no resulting phase difference if the photon pulse is the
same pulse originated by the sender. If the returning pulse is not
the pulse originated by the sender then phase differences
indicative of a so-called intercept-resend attack applied by an
eavesdropper EVE are indicated by a large quantum bit error rate
("QBER") will be detectable. If EVE applies photon-split attack,
the secret phase key modulated by the sender prevents Eve from
knowing the encoded key information in the photon(s). Therefore,
double phase encoding QKD enables use of multi-photon pulses
without unacceptable loss of security, thereby enhancing QKD bit
rate.
Inventors: |
Kuang; Randy; (Kanata,
CA) ; Wang; Guo Qiang; (Kanata, CA) ; Stankus;
John; (Plano, TX) |
Correspondence
Address: |
Ralph A. Dowell of DOWELL & DOWELL P.C.
2111 Eisenhower Ave
Suite 406
Alexandria
VA
22314
US
|
Assignee: |
Nortel Networks Limited
|
Family ID: |
37899298 |
Appl. No.: |
11/241164 |
Filed: |
September 30, 2005 |
Current U.S.
Class: |
380/278 |
Current CPC
Class: |
H04L 9/0858
20130101 |
Class at
Publication: |
380/278 |
International
Class: |
H04L 9/00 20060101
H04L009/00 |
Claims
1. A method of Quantum Key Distribution between a first node and a
second node, comprising the steps of: by the first node: generating
a pulse having multiple photons, splitting the pulse into first and
second sub-pulses; modulating the phase of the first sub-pulse with
a secret key; transmitting both the first and second sub-pulses to
the second node; by the second node: receiving the first and second
sub-pulses from the first node; modifying at least one of the first
and second sub-pulses; transmitting both the first and second
sub-pulses back to the first node; by the first node: receiving the
first and second sub-pulses from the second node; modulating the
phase of the second sub-pulse with the secret key; and comparing
the first and second sub-pulses to detect phase modulation
mismatch.
2. The method of claim 1 wherein the modifying step includes the
further step of the second node modulating a phase shift of the
first sub-pulse selected randomly from bases B1 and B2 based on the
second node's key bit.
3. The method of claim 2 wherein the modifying step includes the
further step of the second node flipping the polarization of the
first sub-pulse.
4. The method of claim 1 wherein the modifying step includes the
further step of the second node flipping the polarization of the
second sub-pulse.
5. The method of claim 1 including the further step of generating
the secret key such that the secret key is random and equal to the
Quantum Key in length.
6. The method of claim 1 including the further step of, prior to
step of transmitting both the first and second sub-pulses to the
second node, attenuating the first and second sub-pulses to reduce
the number of photons to a selected number greater than one.
7. The method of claim 1 including the further step of the first
node modulating a phase shift of the second sub-pulse selected
randomly from bases B1 and B2 based on the first node's key
bit.
8. The method of claim 1 including the further step of correlating
Quantum Key bits of the first and second sub-pulses to facilitate
quantum key distribution.
9. A network architecture operable to distribute a Quantum Key,
comprising: a first device including: a laser operable to generate
a pulse; a coupler operable to split the pulse into first and
second sub-pulses, the first sub-pulse being sent to a long loop
and the second sub-pulse being sent to a short loop; a first
modulator in the long loop operable to modulate the phase of the
first sub-pulse with a secret key; a port operable to transmit both
the first and second sub-pulses to a second device, the second
device being operable to modify at least one of the first and
second sub-pulses; a port operable to receive the first and second
sub-pulses back from the second device; a polarization beam
splitter operable to send the first sub pulse to the short loop and
to send the second sub-pulse to the long loop, where the phase of
the second sub-pulse is modulated with the secret key, the first
and second sub-pulses then being combined by the coupler; and
detectors operable to detect phase modulation mismatch of the first
and second sub-pulses.
10. The network architecture of claim 9 wherein the second device
includes a phase modulator operable to modulate a phase shift of
the first sub-pulse selected randomly from bases B1 and B2 based on
a key bit.
11. The network architecture of claim 10 wherein the second device
further includes a Faraday mirror operable to flip the polarization
of the first sub-pulse.
12. The network architecture of claim 9 wherein the second device
further includes a Faraday mirror operable to flip the polarization
of the second sub-pulse.
13. The network architecture of claim 9 further including logic
operable to generate the secret key such that the secret key is
random and equal to the Quantum Key in length.
14. The network architecture of claim 9 further including an
attenuator operable to attenuate the first and second sub-pulses to
reduce the number of photons to a selected number greater than
one.
15. The network architecture of claim 9 including logic operable to
correlate Quantum Key bits of the first and second sub-pulses to
facilitate quantum key distribution.
16. The network architecture of claim 9 further including a phase
modulator operable to modulate a phase shift of the second
sub-pulse selected randomly from bases B1 and B2 based on Bob's key
bit.
Description
FIELD OF THE INVENTION
[0001] This invention relates generally to the field of network
communications, and more particularly to cryptology.
BACKGROUND OF THE INVENTION
[0002] Public key encryption is currently a popular technique for
secure network communications. Public key encryption utilizes
"one-way functions" that are relatively simple for computers to
calculate, but difficult to reverse calculate. In particular, a one
way function f(x) is relatively easy for a computer to calculate
given the variable x, but calculating x given f(x) is difficult for
the computer, although not necessarily impossible. Some one way
functions can be much more easily reverse calculated with the
assistance of particular "trap door" information, i.e., a key.
Public key cryptography utilizes such one-way functions in a
two-key system in which one key is used for encryption and the
other key is used for decryption. In particular, the one-way
function is a "public key" which is openly advertised by Node A for
the purposes of sending encrypted messages to Node A. The trap door
key is a "private key" which is held in confidence by Node A for
decrypting the messages sent to Node A. For two-way encrypted
communications each node utilizes a different public key and a
different private key. One advantage of this system is that secure
key distribution is not required. However, advances in the
capabilities of computers tend to erode the level of security
provided by public key encryption because the difficulty of reverse
calculating the one-way function decreases as computing
capabilities increase.
[0003] It is generally accepted in the field of cryptology that the
most secure encryption technique is the Vernam cipher, i.e.,
one-time pad. A Vernam cipher employs a key to encrypt a message
that the intended recipient decrypts with an identical key. The
encrypted message is secure provided that the key is random, at
least equal to the message in length, used for only a single
message, and known only to the sender and intended receiver.
However, in modern communication networks the distribution of
Vernam cipher keys is often impractical, e.g., because the keys can
be quite long and key distribution itself is subject to
eavesdropping.
[0004] One technique for secure key distribution is known as
Quantum Key Distribution ("QKD"). Quantum Key Distribution
transmits an individual photon for each bit of the key being
distributed to an intended recipient. The photons may be
polarization modulated in order to differentiate logic 1 from logic
0. Distribution of the quantum key is secure because of the laws of
quantum physics. In particular, it is not possible to measure an
unknown quantum state of a photon without modifying it. Hence, an
eavesdropper attempting to intercept the key would introduce
detectable errors into the key. Unfortunately, photon-per-bit key
distribution is so inefficient with current technology as to be
impractical. This is due in-part to the attenuation technique and
equipment used to generate a single photon pulse. In particular, in
order to avoid transmitting more than one photon the attenuator
must be set such that about 91% of the attempted pulses generate
zero photons.
SUMMARY OF THE INVENTION
[0005] In accordance with the invention, a method of Quantum Key
Distribution to a target device, comprises the steps of: generating
a pulse having multiple photons, the pulse representing at least
one bit indicative of the Quantum Key; splitting the pulse into
first and second sub-pulses; modulating the first sub-pulse on a
first basis with a secret key; transmitting both the first and
second sub-pulses to the target device; receiving the first and
second sub-pulses back from the target device; modulating the
second sub-pulse on the first basis with the secret key; and
comparing the first and second sub-pulses to detect modulation
mismatch of the first basis.
[0006] A network architecture operable to distribute a Quantum Key
in accordance with the invention comprises: a first device
including: a laser operable to generate a pulse having multiple
photons, the pulse representing at least one bit indicative of the
Quantum Key; a coupler operable to split the pulse into first and
second sub-pulses; a first modulator operable to modulate the first
sub-pulse on a first basis with a secret key; a port operable to
transmit both the first and second sub-pulses to the target device;
a port operable to receive the first and second sub-pulses back
from a target device; logic operable to prompt modulation of the
second sub-pulse on the first basis with the secret key; and logic
operable to compare the first and second sub-pulses to detect
modulation mismatch of the first basis.
[0007] A general advantage of the invention is more efficient and
practical key distribution. Efficiency is enhanced because multiple
photons can be used to represent each bit of the key. Using
multiple photons enable use of attenuator setting that are less
likely to result in zero photons (complete attenuation). Security
is maintained using multiple pulses per bit because attempted
eavesdropping can be detected from phase mismatches in the key
pulses returned to the sender. Another advantage of the invention
is that the need for active polarization compensation is obviated.
In particular, since the initial pulse is split into two pulses
which traverse the same round-trip path there is no need for
polarization compensation. Further, the same laser can be employed
for both synchronization and key distribution. Other advantages
will be apparent in view of the following detailed description.
BRIEF DESCRIPTION OF THE FIGURES
[0008] FIGS. 1 and 2 are block diagrams illustrating distribution
of a quantum key from node Bob to node Alice, wherein FIG. 1 shows
processing of pulse P1 and FIG. 2 shows processing of pulse P2.
DETAILED DESCRIPTION
[0009] FIGS. 1 and 2 illustrate a node Alice (100) and a node Bob
(102) of a communications network. Alice and Bob employ double
phase encoding quantum key distribution ("QKD"). Alice, the sender
of the quantum key, includes a phase modulator PMa (104) and a
Faraday Mirror (106). Bob, the recipient of the quantum key,
includes an attenuator (108), phase modulator PMb (110), phase
modulator PMs (112), Polarization Beam Splitter ("PBS") (114), a
coupler (116), a laser diode (118), and photon detectors D0, D1
(120, 122).
[0010] A series of short laser pulses is employed for quantum key
distribution between Bob and Alice. The short laser pulses are
generated by the laser diode (118). Considering now the case of a
single pulse from the laser diode, coupler C1 (116) splits the
pulse into two pulses: P1 and P2. Pulse P1 is transmitted via the
long loop and P2 is transmitted via the short loop.
[0011] Referring now to only FIG. 1, the phase modulator PMs (112)
modulates a randomly-selected secret phase key .PHI.s into the
pulse P1 once it passes it. The secret phase key .PHI.s is unknown
to Alice and is used only by Bob. Although the secret phase is
randomly generated, it should differ from any phase sequence
modulated by phase modulators PMa and PMb, e.g., shift from the
bases B1(0, .pi.) and B2(.pi./2, 3 .pi./2). Phase modulator PMb
(110) is inactive at this time. The horizontal polarization of
pulse P1 is reflected by PBS (114) to the attenuator (108). The
attenuator reduces the average photon number in pulse P1 to a
selected level which is greater than one, so as to increase the
likelihood of efficient, successful transmission, but not so large
as to enable easy eavesdropping, e.g., .mu.=10. After suitable
attenuation the pulse P1 is fed to an optical fiber
(Q-channel).).
[0012] Alice is operable to receive pulse P1 from the optical fiber
and enable phase modulator PMa (104) to modulate a phase shift o1,
selected randomly from bases B1 and B2 based on Alice's key bit.
Faraday Mirror ("FM") (106) then reflects P1 back and flips its
polarization, i.e., a change of .pi./2. The resulting pulse P1 is
then transmitted back to node Bob (102).
[0013] Node Bob (102) is operable to receive pulse P1 from node
Alice (100). The PBS (114) is operable to transmit the returning
pulse P1 to the short loop due to the polarization flip by FM (106)
and subsequently to the coupler (116) where a combination is made
with returning pulse P2.
[0014] Referring now to FIG. 2, after being generated at the
coupler (116), pulse P2 takes the short loop at node Bob. The PBS
(114) transmits the vertical polarization of P2. Pulse P2 is then
subjected to the same attenuation as pulse P1 by the attenuator
(108), e.g., .mu.=10. The pulse P2 travels over the optical fiber
as was described above with regard to pulse P1. Alice is operable
to receive pulse P2 from the optical fiber. Following receipt of
pulse P2 Alice is operable to flip the polarization of pulse P2 at
Faraday Mirror FM (106), i.e., a change of .mu./2, and reflect the
pulse P2 back onto the optical fiber. Phase modulator PMa (104) is
inactive at this time. Bob is operable to receive the returning
pulse P2 from Alice. The pulse P2 is reflected to the long loop at
the PBS due it polarization flip at FM (106). On the long loop,
phase modulator PMb (110) modulates a phase shift of o2 onto pulse
P2, by randomly selecting a basis from B1 (phase 0) and B2 (phase
.pi./2). Phase modulator PMs then modulates pulse P2 with secret
phase key .PHI.s.
[0015] Referring again to both FIGS. 1 and 2, both pulses P1 and P2
arrive at the coupler of Bob at the same time because both pulses
have traversed the same overall round-trip path, albeit with the
loops in different order. Further, both pulses should contain the
same secret phase key .PHI.s. The phases of the returned pulses P1
and P2 at Bob's coupler are as follows:
[0016] pulse P1: o1+.PHI.s=.PHI.1
[0017] pulse P2: o2+.PHI.s=.PHI.2
[0018] Phase differences at Bob's coupler are then detected as
follows: .DELTA..PHI.=.PHI.1-.PHI.2=o1-o2
[0019] .DELTA..PHI.=0: constructive interference.fwdarw.detector
0
[0020] .DELTA..PHI.=.pi.: destructive interference.fwdarw.detector
1
[0021] .DELTA..PHI.: [0,.pi.].fwdarw.randomly detected.
[0022] After measuring the photon pulses, Bob publicly tells Alice
his measurement types. Alice then tells Bob which are correct. If
correct measurements are recorded in one detector, so-called
one-click, there is no "intercept-resend" attack. Bob will continue
BB84's error correction and privacy amplification and find the
final shared secret key.
[0023] A photon-split attack is the most dangerous attack against a
multi-photon quantum key distribution because each individual
photon in a pulse has 100% of the information of the encoded key
bit value. The current technique uses a secret phase key .PHI.s
modulated into pulse P1 on the way out and into pulse P2 after
returning back. Because of its randomization of .PHI.s, the
attacker EVE can not correctly guess the secret phase key applied
by Bob. Suppose that Eve uses a "photon-split" attack technique,
i.e., Eve splits a single photon portion p1 from P1 and p2 from P2.
Eve needs to combine p1 and p2 together to create an original
photon which carries quantum key information. Also suppose that Eve
learns the measurement information from the public communication
between Bob and Alice and successfully guesses phase shifts o1 and
o2. The difference of p1 and p2 will be o1-o2+.phi.s. From here, we
know that even if EVE knows o1 and o2, Eve still can not get a
definitely constructive or destructive interference from p1 and p2
due to the unknown secret phase key .phi.s. Therefore, the
invention is an absolutely secure key distribution technique, even
for multi-photon pulses.
[0024] While the invention is described through the above exemplary
embodiments, it will be understood by those of ordinary skill in
the art that modification to and variation of the illustrated
embodiments may be made without departing from the inventive
concepts herein disclosed. Moreover, while the preferred
embodiments are described in connection with various illustrative
structures, one skilled in the art will recognize that the system
may be embodied using a variety of specific structures.
Accordingly, the invention should not be viewed as limited except
by the scope and spirit of the appended claims.
* * * * *