I have been having several nice discussions via email about quantum cryptography. I should mention to you all that my research is directed toward calculating the expected performance of quantum cryptography systems when they are built out of real, physical devices that currently exist on the shelf of in research labs.
Most papers, in fact all that I've seen, consider systems that are built out of parts from the local ideal physics stockroom. You know, the place that stocks lots of massless ropes and frictionless, massless pulleys.
What I'm discovering is that the limitations of real physical devices and the inclusion of noise sources such as thermal noise opens up a Pandora's box against quantum cryptographic systems.
I'm also involved in the development of "sophisticated" eavesdropping techniques. These eavesdropping techniques are designed to exploit all the limitations of the real physical devices used as the real physical hardware of the quantum cryptographys systems.
Not to give away my whole show, but consider these figures reported by Bennett and Brassard for an experimental test system they built. Out of 715,000 attempted photon exchanges only in roughly half of these, 357,500 cases, did Alice and Bob choose the same basis. So far, so good. Now, out of these 357,000 cases, only 2000 photon exchanges occurred where some noise source did not render the attempt useless. Thus in 355,500 cases out of 357,500 (99.4%) the photon exchange was nullified by noise. I call such cases "hard" errors. Of the 2000 remaining cases, another 79 were recieved in error. I call these "soft" errors.
What is frightening is that all of this occurred without any eavesdropping. So, assuming that there is some kind of statistical distribution to the number of hard errors that occur in a given number of trials, an eavesdropper is free to create say 2000 or 3000 hard errors without even being noticed! A very crafty and motivated eavesdropper may even be able to create only hard errors and no soft errors, thus completely escaping detection in systems that consider only the soft error rate.
I guess my bottom line, so far, is that quantum cryptography looks great when you are able to apply the nice quantum operators for everything, but once you have to use real devices everything goes out the window.
TSL
From: unruh@physics.ubc.ca (William Unruh)
Newsgroups: sci.crypt.research
Subject: Re: quantum cryptography
Date: 2 Oct 1994 09:06:51 GMT
Organization: The University of British Columbia
Message-ID: <36lt7b$8be@ccu2.auckland.ac.nz>
Reply-To: unruh@physics.ubc.ca (William Unruh)
tsl2@ctr.columbia.edu (Todd Larchuk) writes:
*>Most papers, in fact all that I've seen, consider systems that are
*>built out of parts from the local ideal physics stockroom. You know,
*>the place that stocks lots of massless ropes and frictionless,
*>massless pulleys.
But then you quote a real honest to goodness experiment which used real lasers, fiber optics, etc. Hmm
*>What I'm discovering is that the limitations of real physical devices
*>and the inclusion of noise sources such as thermal noise opens up a
*>Pandora's box against quantum cryptographic systems.
*>
*>I'm also involved in the development of "sophisticated" eavesdropping
*>techniques. These eavesdropping techniques are designed to exploit
*>all the limitations of the real physical devices used as the real
*>physical hardware of the quantum cryptographys systems.
*>
*>Not to give away my whole show, but consider these figures reported by
*>Bennett and Brassard for an experimental test system they built. Out of
*>715,000 attempted photon exchanges only in roughly half of these, 357,500
*>cases, did Alice and Bob choose the same basis. So far, so good. Now,
*>out of these 357,000 cases, only 2000 photon exchanges occurred where
*>some noise source did not rended the attempt useless. Thus in 355,500
*>cases out of 357,500 (99.4%) the photon exchange was nullified by
*>noise. I call such cases "hard" errors. Of the 2000 remaining cases,
*>another 79 were recieved in error. I call these "soft" errors.
*>
*>What is frightening is that all of this occurred without any
*>eavesdropping. So, assuming that there is some kind of statistical
*>distribution to the number of hard errors that occur in a given number
*>of trials, an eavesdropper is free to create say 2000 or 3000 hard
*>errors without even being noticed! A very crafty and motivated
*>eavesdropper may even be able to create only hard errors and no soft
*>errors, thus completely escaping detection in systems that consider
*>only the soft error rate.
*>
*>I guess my bottom line, so far, is that quantum cryptography look
*>great when you are able to apply the nice quantum operators for
*>everything, but once you have to use real devices everything goes out
*>the window.
Eavesdropping is useful only if what you receive is useful information. The eavesdropper MUST create errors- extra errors. (obviously those times that the eavesdropper saw noise photons aren't much good to him. Those time he saw "good ones" he created errors.) Then Alice and Bob can detect that errors at a certain rate are occuring. They must assume that ALL of those errors are due to an eavesdropper, not noise. Thus the eavesdropper can certainly deny the use of the line to Alice and bob (as can noise). But if they determine that sufficient good signals got through, they can use that fraction- compress the data so that only that number of useful bits remain, and the eavesdropper is SOL. Also Remember, photons are cheap. 10^6 photons a second are essentially free, and so even if you only get 10^2 good ones a second that's fine.
Your objections are much more relevant for quantum computing (but then that's what I wrote a paper on, so I would think so wouldn't I)
Bill Unruh
unruh@physics.ubc.ca
Back to @Man's Homepage