jaseg/phd-thesis
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

QKD WIP

Browse source
This commit is contained in:
jaseg 2024-07-29 18:37:27 +02:00
parent 5c0b61671b
commit 0b2bac425e
2 changed files with 60 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

BIN
chapter-qkd/chapter.pdf
View file

Binary file not shown.

88
chapter-qkd/chapter.tex
View file

@ -40,6 +40,8 @@
\usepackage{multicol} \usepackage{multicol}
\usepackage{tikz} \usepackage{tikz}
\usepackage{mathtools} \usepackage{mathtools}
\usepackage{setspace}
\usepackage{titlesec}
\DeclarePairedDelimiter{\ceil}{\lceil}{\rceil} \DeclarePairedDelimiter{\ceil}{\lceil}{\rceil}
\DeclarePairedDelimiter{\paren}{(}{)} \DeclarePairedDelimiter{\paren}{(}{)}
@ -57,7 +59,6 @@
\usepackage[binary-units,per-mode=fraction]{siunitx} \usepackage[binary-units,per-mode=fraction]{siunitx}
\DeclareSIUnit{\baud}{Bd} \DeclareSIUnit{\baud}{Bd}
\usepackage[hidelinks]{hyperref} \usepackage[hidelinks]{hyperref}
\usepackage{tabularx}
\usepackage{commath} \usepackage{commath}
\usepackage{graphicx,color} \usepackage{graphicx,color}
\usepackage{ccicons} \usepackage{ccicons}
@ -73,6 +74,11 @@
\usepackage{minitoc} \usepackage{minitoc}
\usepackage{minted} % pygmentized source code \usepackage{minted} % pygmentized source code
% Re-define heading formats to force single line spacing
\titleformat{\section}{\normalfont\large\bfseries\singlespacing}{\thesection}{1em}{}
\titleformat{\subsection}{\normalfont\large\bfseries\singlespacing}{\thesection}{1em}{}
\titleformat{\subsubsection}{\normalfont\large\bfseries\singlespacing}{\thesection}{1em}{}
\newcommand{\degree}{\ensuremath{^\circ}} \newcommand{\degree}{\ensuremath{^\circ}}
\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}} \newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}}
\setlength{\marginparwidth}{3cm} \setlength{\marginparwidth}{3cm}
@ -86,20 +92,18 @@
\chapter{Physical Security in Quantum Key Distribution} \chapter{Physical Security in Quantum Key Distribution}
\minitoc \minitoc
\newpage \newpage
\setstretch{1.3}
\section{Cryptography in the Age of Quantum Computers} \section{Cryptography in the Age of Quantum Computers}
For a decade or two now, Quantum Computing has been creating a buzz that nobody in Computer Science and adjacent fields For a decade or two now, Quantum Computing has been creating a buzz that nobody in Computer Science and adjacent fields
could evade. Originating in the 1980ies as a highly academic fusion applying concepts from Computer Science in Quantum Physics, could evade. Originating in the 1980ies as a highly academic fusion applying concepts from Computer Science in Quantum
% FIXME citation Physics, \todo{Add citation on QKD origins} its concepts have long found their way into popular science articles.
its concepts have long found their way into popular science articles. Quantum Computing encompasses a model of Quantum Computing encompasses a model of computation that is fundamentally different from the \emph{classical}\footnote{
computation that is fundamentally different from the \emph{classical}\footnote{
In Quantum Computing, the term \emph{classical} is used as the complement of \emph{quantum}, and refers to the In Quantum Computing, the term \emph{classical} is used as the complement of \emph{quantum}, and refers to the
digital computers we know and (sometimes) love. This terminology stems from the distinction between classical and digital computers we know and (sometimes) love. This terminology stems from the distinction between classical and
quantum physics.} quantum physics.} digital circuits that underly all of modern computing. While at first this might seem like a step
digital circuits that underly all of modern computing. While at first this might seem like a step backwards into the era backwards into the era of early 1900s analog computing,\todo{Add citation on early analog computing}
of early 1900s analog computing,
% FIXME citation
the capabilites of a future quantum computer promise to far outpace those of contemporary classical computers. Key to the capabilites of a future quantum computer promise to far outpace those of contemporary classical computers. Key to
this improved processing capability is a property called \emph{Quantum Parallelism}. What this refers to is the fact this improved processing capability is a property called \emph{Quantum Parallelism}. What this refers to is the fact
that a quantum computer's internal state can simultaneously represent a multitude of states of a classical, digital that a quantum computer's internal state can simultaneously represent a multitude of states of a classical, digital
@ -108,10 +112,8 @@ computer, and the quantum computer can operate on all those states at once using
Applying Quantum Parallelism to practical problems is far more complicated than, e.g., translating a digital circuit Applying Quantum Parallelism to practical problems is far more complicated than, e.g., translating a digital circuit
solving some equation to a quantum circuit, but for certain problems we already know \emph{quantum algorithms} that solving some equation to a quantum circuit, but for certain problems we already know \emph{quantum algorithms} that
for large inputs solve these problems much faster than any classical computer ever could. Two of these algorithms, one for large inputs solve these problems much faster than any classical computer ever could. Two of these algorithms, one
by Shor % FIXME citation by Shor and one by Grover \todo{Add citations on Shor's and Grover's algorithm} are what caused most of the buzz around
and one by Grover % FIXME citation the field of quantum computing, because they spell trouble for a large part of modern cryptography.
are what caused most of the buzz around the field of quantum computing, because they spell trouble for a large part of
modern cryptography.
Besides the computational speed-up promised by Quantum Parallelism, there is one more interesting aspect of Quantum Besides the computational speed-up promised by Quantum Parallelism, there is one more interesting aspect of Quantum
Computing where it radically deviates from classical computing. The reason modern cryptography exists is that when we Computing where it radically deviates from classical computing. The reason modern cryptography exists is that when we
@ -120,13 +122,13 @@ we can do to prevent an attacker from reading this information. Even with crypto
cryptography gives us tools to very effectively make whatever information the attacker is able to read useless to them. cryptography gives us tools to very effectively make whatever information the attacker is able to read useless to them.
A basic principle of Quantum Physics is the \emph{No-Cloning Theorem}, which states that it is impossible to create an A basic principle of Quantum Physics is the \emph{No-Cloning Theorem}, which states that it is impossible to create an
identical, independent copy of an arbitrary, unknown quantum state. % FIXME citation identical, independent copy of an arbitrary, unknown quantum state. \todo{Add citation on No-Cloning Theorem}
An implication of this theorem is that when we encode classical information into quantum states in just the right way, An implication of this theorem is that when we encode classical information into quantum states in just the right way,
we can make it so that an attacker atttempting to eavesdrop on our quantum information can only actually read this we can make it so that an attacker atttempting to eavesdrop on our quantum information can only actually read this
information by destroying it in the process. This property can be exploited to replace a number of classical asymmetric information by destroying it in the process. This property can be exploited to replace a number of classical asymmetric
primitives in interactive settings, % FIXME citation, check if interactive only primitives in interactive settings, \todo{Add citation on substitution, check if interactive only} the most popular
the most popular application of which is replacing an asymmetric Diffie-Hellman key exchange % FIXME citation application of which is replacing an asymmetric Diffie-Hellman key exchange \todo{Add citation on DH-Kex} with a quantum
with a quantum process called Quantum Key Distribution that yields much of the same properties. process called Quantum Key Distribution that yields much of the same properties.
In the past decades, the field of cryptography has been fundamentally shaped by the development of Quantum Computing and In the past decades, the field of cryptography has been fundamentally shaped by the development of Quantum Computing and
Quantum Key Distribution. However, the popular conception that all of today's cryptography will be broken and that we Quantum Key Distribution. However, the popular conception that all of today's cryptography will be broken and that we
@ -252,6 +254,28 @@ flaw in the quantum secure algorithm is found. Note that here, because we assume
possibility of a flaw in the quantum secure algorithm extends beyond mathematical flaws leading to practical attacks possibility of a flaw in the quantum secure algorithm extends beyond mathematical flaws leading to practical attacks
with classical computers, and includes novel quantum algorithms. with classical computers, and includes novel quantum algorithms.
\subsection{Security assumptions in QKD}
While QKD protocols provide information-theoretic security, part of these protocols is always an authenticated channel
that is used by the protocol's parties to exchange information necessary to align both parties' quantum measurements so
that they can reconstruct the same secret key bit stream. In the security model of QKD, this authenticated channel does
some heavy lifting. While the QKD protocol provides key exchange--an asymmetric primitive--based on this authenticated
channel--which in its most simple implementation requires only symmetric primitives, an implementation of QKD using
symmetric primitives such as HMAC or CMAC for the authenticated channel would not achieve information-theoretic
security. To acheive information-theoretic security, the authenticated channel itself must use an
information-theoretically secure authentication method. The issue with that is that information-theoretically secure
authentication methods are (provably)\todo{citation on ``provably''} rather inefficient in their key use. While
symmetric MACs can use a single, short key for a very long time, information-theoretically secure MACs need a continuous
stream of fresh key bits.
In QKD, the authenticated channel can be bootstrapped by taking these MAC key bits from the QKD channel itself. The
disadvantage of doing that is that it consumes a fraction of the system's precious secure key rate. As a consequence, at
this point there is ongoing research\todo{citations on ongoing research} on both systems based on symmetric MACs and
systems using information-theoretically secure MACs, with commercial systems often choosing the
latter\cite{bibakQuantumKeyDistribution2021} owing to the low secure key rates that are the state of the art.
% \textcite{impagliazzoPersonalViewAveragecase1995}
\subsection{The Technical Implementation of QKD} \subsection{The Technical Implementation of QKD}
On the technical level, QKD must be distinguished from general Quantum Computing. While QKD systems employ the On the technical level, QKD must be distinguished from general Quantum Computing. While QKD systems employ the
@ -262,7 +286,6 @@ various aspects of currents in superconducters into phonons\cite{berriosHighFide
\subsection{Practical Challenges} \subsection{Practical Challenges}
\todo{I don't like this paragraph.} \todo{I don't like this paragraph.}
>>>>>>> b6e2696 (Add todo command)
The central challenge in general quantum computers is extending the lifetime of the quantum state encoding a qubit. The central challenge in general quantum computers is extending the lifetime of the quantum state encoding a qubit.
Quantum states are extremely sensitive to disturbances, and despite the best efforts to shield their quantum states Quantum states are extremely sensitive to disturbances, and despite the best efforts to shield their quantum states
against external influence, their lifetime is still inconveniently short compared to the timescales required for quantum against external influence, their lifetime is still inconveniently short compared to the timescales required for quantum
@ -407,23 +430,27 @@ With the exception of special cases such as the middle node in a MDI-QKD system,
components that the endpoint of a QKD connection uses. Only in a QKD relay, two transceivers are connected back-to-back components that the endpoint of a QKD connection uses. Only in a QKD relay, two transceivers are connected back-to-back
to one another. QKD provides physical security for the photons traversing the fiber that forms the systme's channel, and to one another. QKD provides physical security for the photons traversing the fiber that forms the systme's channel, and
the security envelope of the system begins where this fiber is terminated in the power splitters, single-photon the security envelope of the system begins where this fiber is terminated in the power splitters, single-photon
deetctors, lasers, and interferometers of the QKD transmitter and receiver. To process the raw measurements of the QKD detectors, lasers, and interferometers of the QKD transmitter and receiver. To process the raw measurements of the QKD
system into a usable stream of secret key bits, in addition to these components implementing the physics of the QKD system into a usable stream of secret key bits, in addition to these components implementing the physics of the QKD
system, a classical computer is needed. On top of the remote monitoring and management tasks that any piece of system, a classical computer is needed. On top of the remote monitoring and management tasks that any piece of
networking equipment is expected to perform nowadays, this computer is tasked with the information reconciliation and networking equipment is expected to perform nowadays, this computer is tasked with the information reconciliation and
privacy amplification that form the information-theoretic part of the QKD system. Since this computer necesesarily privacy amplification that form the information-theoretic part of the QKD system. Since this computer must necessarily
handles secret key bits in their plain text form, it, too, must be inside the relay node's physical protection envelope. handle secret key bits in their plain text form, it, too, must be inside the relay node's physical protection envelope.
\subsection{Physical requirements of QKD transceivers} \subsection{Physical requirements of QKD transceivers}
Putting a QKD relay node and associated machinery inside of an IHSM, we first need to answer two key questions. First,
\emph{will it fit?}, and second, \emph{Can we hook it up?}. In the following paragraphs, we will go through several
aspects of these general questions one by one.
\paragraph{Physical dimensions.} \paragraph{Physical dimensions.}
At this point, a number of commercial systems promising QKD exist. Common QKD protocols do not require any particularly At this point, a number of commercial systems promising QKD exist. Common QKD protocols do not require any particularly
large or power-hungry components, and so commercial systems have generally adopted the 19 Inch rackmount enclosure large or power-hungry components, and so commercial systems have generally adopted the 19 Inch rackmount enclosure
standard that is common to modern telecommunications equipment, with a width of $\approx\qty{50}{\centi\meter}$, a standard that is common to modern telecommunications equipment, with a width of $\approx\qty{50}{\centi\meter}$, a
height between $\approx\qtyrange{4}{30}{\centi\meter}$ and a depth below $\approx\qty{100}{\centi\meter}$.\todo{Re-check height between $\approx\qtyrange{4}{30}{\centi\meter}$ and a depth below $\approx\qty{100}{\centi\meter}$.\todo{Re-check
these shortly before submission}. While something of this size would be infeasible to protect with the security mesh of these numbers shortly before submission} While something of this size would be infeasible to protect with the security
a traditional hardware security module, placed vertically, even without modifications any of these systems are well mesh of a traditional hardware security module, placed vertically, even without modifications any of these systems are
within an envelope that can be protected with a single IHSM cage. well within an envelope that can be protected with a single IHSM cage.
\paragraph{Power supply.} \paragraph{Power supply.}
QKD systems do not contain any particularly power-hungry components. Unlike quantum computers, most of the signal path QKD systems do not contain any particularly power-hungry components. Unlike quantum computers, most of the signal path
@ -451,12 +478,17 @@ In a QKD relay node, the key stream never leaves the security envelope. The mana
links can be combined into a single, classical network link, requiring a single fiber when using a standard wavelength links can be combined into a single, classical network link, requiring a single fiber when using a standard wavelength
division multiplexing transceiver. The QKD link's clock channel and the quantum channel require a dedicated fiber each, division multiplexing transceiver. The QKD link's clock channel and the quantum channel require a dedicated fiber each,
adding up to a total of five fibers for a uni-directional QKD relay, or nine fibers for a bidirectional one. Since fiber adding up to a total of five fibers for a uni-directional QKD relay, or nine fibers for a bidirectional one. Since fiber
pigtails have an outer diameter of usually about \qty{1}{\milli\meter}, this amount of fibers can easily be fed through pigtails have an outer diameter of usually about \qty{1}{\milli\meter}, this amount of fibers can be fed through an
an IHSM's axis of rotation. The mechanical challenge in such a multi-fiber signal and data feedthrough is to observe the IHSM's axis of rotation. The mechanical challenge in such a multi-fiber signal and data feedthrough is to observe the
fiber's minimum bending radius, which for common fibers is usually in the range of fiber's minimum bending radius, which for common fibers is usually in the range of
\qtyrange{5}{10}{\milli\meter}\todo{Provide citation on bend radius. Maybe a small table of products by a few vendors?}. \qtyrange{5}{10}{\milli\meter}\todo{Provide citation on bend radius. Maybe a small table of products by a few vendors?}.
For detailed passthrough designs, we refer the reader to Chapter FIXME of this thesis.\todo{Actually write the chapter,
then cross-link here.} Concluding the above paragraphs, a QKD node is not a particularly challenging payload for an IHSM. The most problematic
requirement is feeding through a number of fibers for its various input and output signals, but fundamentally it is no
different from any server or other piece of IT equipment. In the following section, we will present a design that
provides a combined power and multi-fiber passthrough that is sufficient for QKD applications.
\subsection{Multi-fiber passthrough with active secondary mesh}