Get Complete Project Material File(s) Now! »

## Symmetric and Asymmetric Cryptography

Symmetric cryptography, or secret key cryptography, gathers together all the encryption and authentication methods where the different parties share the same key. This key is used for both encryption and decryption of a message. Even if the cipher is good, it is still very important to define

a secure procedure allowing to share the key since any leak (even partial) of the key considerably weakens the security of the symmetric scheme. A confidential meeting between the parties can play this role, or the encryptors used to perform the encryption and the decryption are simply made with

a common secret. Another possibility is to send a trusted secret courrier, i.e. a secure means of transport, for example some militaries holding secret keys stored on a protected storage medium such as smart cards. The major drawback of these procedures is that the number of secret keys that need to be exchanged, and also the deployment cost, scales quadratically with the number of parties. For a large scale infrastructure, like electronic commerce, such methods are not satisfactory. Another drawback is that if a key leaks at some point, the procedure must be done again.

Asymmetric cryptography, or public key cryptography, aims at solving these difficulties. It employs two different keys for encryption and decryption: the encryption key is public while the decryption key remains secret. With such a scheme, it is not required any more to share a common secret before transmitting confidential data. However, the two keys are related and the security of the scheme relies on some assumptions, for example the computational power of the eavesdropper is assumed to be bounded or some mathematical problems (e.g. factorizing large numbers) are assumed to have a non-polynomial complexity.

Another asymmetric cryptographic primitive of particular interest is dig- ital signature. With a pair composed of one private key and one public key, a user can sign a message with his secret key and output a signature. Then, any other user can check the authenticity of the signature with the public key and the signer cannot pretend he did not produce the signature since he is supposed to be the unique owner of his secret key. Symmetric primitives do not permit to produce non-repudiable signatures. This is because the same key is used both for the signature and the signature checking. This prevents any user from making the difference between signatures produced by the legitimate signatory and signatures produced by any other user.

Though asymmetric cryptography does not require to share secret keys, it requires to share authentic keys. Indeed, if one encrypts a message with the public key of a non-legitimate recipient, this non-legitimate recipient can decrypt the message. The usual solution used to ensure the authenticity of the public keys is called a Public Key Infrastructure (PKI). This consists in defining some certification authorities, which are in charge of verifying the matches between public keys and user identities. They provide certificates that describe a user identity and the associated public key. Digital signatures allow us to check the validity of these certificates.

### Quantum Key Distribution

Quantum Key Distribution is a technique allowing to create shared and secret random values at both ends of a communication link, with a security guaranteed without computational hardness assumptions [120]. It requires however a classical authenticated channel, together with an untrusted quantum channel, i.e. a physical channel that is used to send quantum states.

In practice, light is a medium of choice to prepare and exchange quantum states. Indeed, one can easily encode information in discrete variables such as the phase or the polarization of single photons, or in continuous variables, such as the phase of the amplitude of the electromagnetic field. The first family of techniques is denoted as DVQKD and the second as CVQKD. For both families the communication medium can be either an optical fiber or a free space optical link.

A lot of QKD demonstrations have been done during the past twenty years and some discrete variables commercial products have been developed [2, 3]. The work of this thesis led to the first commercial product based on continuous variables [5]. The main interest of this technology is that it is implemented with only off-the-shelf components optimized for the telecommunications industry.

#### The Security of a QKD Protocol

As we saw in chapter 1, the goal of QKD consists in establishing a secret key between two distant parties, i.e. a binary string that is unknown from any party except the two legitimate parties of the protocol, namely Alice and Bob. Once this key is obtained, it can be used to perform symmetric cryptography. A common scheme is the One-Time Pad (OTP) that consists in using one bit of secret key to encrypt and decrypt one bit of message using a Exclusive Or (XOR) operation. Such a scheme was proven to be information-theoretically secure by Shannon, which means that the encrypted message C provides no information about the plaintext M to any eavesdropper. Using the notations of chapter 2, this is expressed by H(M) = H(M|C): conditioning on the knowledge of the ciphertext does not lower the uncertainty on the plaintext. However, OTP security has serious drawbacks:

– keys must be perfectly random

– keys must be as long as the message

– keys must never be reused

When either of these conditions is not satisfied, OTP security collapses very abruptly. Another possibility consists in using the keys produced by a QKD system to renew the keys of a non-information theoretically secure symmetric cipher, such as AES. Chapter 9 includes a demonstration of a cryptosystem combining a CVQKD system and an AES based encryptor.

The notion of security of a key is of utmost importance. A particularity of a QKD protocol is that it is designed to abort if the key that it could produce is not secure with respect to a given security criterion.

**Table of contents :**

**1 From Classical Cryptography to Quantum Cryptography **

1.1 What is Cryptography?

1.2 Modern Cryptography

1.2.1 Symmetric and Asymmetric Cryptography

1.2.2 Usual Primitives

1.2.3 Threats

1.3 Quantum Key Distribution

1.3.1 Principle

1.3.2 Security Characteristics

1.3.3 DVQKD vs CVQKD in 2010

1.3.4 Threats

1.4 Other Quantum Cryptographic Primitives

1.4.1 Coin Flipping

1.4.2 Quantum Signatures

**2 Quantum Information with Gaussian Variables **

2.1 Quantum mechanics postulates

2.1.1 Notations and basic definitions

2.1.2 Quantum operators

2.1.3 Composite systems

2.1.4 Dynamics of a physical system

2.2 Classical Information Theory

2.2.1 Entropies

2.2.2 Channels and Capacities

2.2.3 Channel Coding

2.3 Single-mode Quantum Optics

2.3.1 One-mode Fock States

2.3.2 Coherent States

2.3.3 Squeezed States

2.4 Two-mode Squeezed States

2.5 Weyl Operator

2.6 Phase-Space Representation

2.7 Gaussian States

2.7.1 One mode Gaussian states

2.7.2 Two mode Gaussian states

2.8 Symplectic Analysis for Multimode Gaussian States

2.8.1 One-mode normal decomposition

2.8.2 Two-mode normal decomposition

2.8.3 Three-mode normal decomposition

2.9 Entropy of Gaussian States

2.9.1 Von Neumann entropy

2.9.2 Entropy of Gaussian states

2.9.3 Extremality of Gaussian states

2.10 Gaussian Operations

2.10.1 Gaussian unitary operations

2.10.2 Passive transformations

2.10.3 Active transformations

**3 Quantum Key Distribution with Continuous Variables **

3.1 The Security of a QKD Protocol

3.1.1 Key Security Criterion

3.1.2 QKD Protocol Steps

3.2 A Brief History of QKD Protocols

3.3 Security Analysis of the Ideal GG02 Protocol

3.3.1 Protocol Description

3.3.2 Some Potential Deviations to the Ideal GG02 Protocol

3.3.3 Security Proof against Collective Attacks

3.3.4 Security proof against General Attacks

3.4 Security Analysis of the Imperfect GG02 Protocol

3.4.1 Effect of an Imperfect Reconciliation Procedure

3.4.2 Effect of an Imperfect Homodyne Detection

3.4.3 Security of Gaussian Protocols with an ImperfectModulation

3.4.4 Imperfect Calibration of the Detection Setup

3.4.5 Improved Key Rate with Phase Noise Calibration

3.5 Conclusion

**4 Experimental Setup **

4.1 Optical fibers

4.1.1 Waveguides

4.1.2 Transmission characteristics

4.1.3 Dispersion

4.1.4 Connections

4.2 Laser Source

4.3 Electro-optic Modulators

4.4 Light detection

4.4.1 Homodyne Detection Principle

4.4.2 Impact of the Imperfections on the Homodyne Detection

4.4.3 Electronics of the Homodyne Detection

4.5 Time and Polarization Multiplexing

4.6 Optical Component Characteristics Summary

4.7 Acquisition and Control Cards

4.8 Random Numbers

4.9 Computing Power

**5 Preventing Calibration Attacks on the Local Oscillator in Continuous-Variable Quantum Key Distribution **

5.1 Theoretical Security vs Practical Attacks

5.2 Security assumptions and calibration techniques

5.3 Description of the local oscillator calibration attack

5.4 Analysis of the excess noise

5.5 A quantitative example

5.6 Countermeasure: real-time shot noise measurement techniques

5.7 Conclusion

**6 Increasing the Range of CVQKD **

6.1 Theory of Reconciliation of Gaussian Variables

6.2 Reconciliation of Gaussian Variables: Implementation with LDPC Codes

6.2.1 Simulation Results with Rotations

6.2.2 Use of rotations in higher dimension spaces

6.2.3 Dealing with a continuous range of SNR with puncturing, shortening and repetition

6.3 Practical use for a continuous-variable quantum key distribution system

6.4 A rate 1/50 multi-edge LDPC code

6.5 Puncturing / shortening performance

6.6 Conclusion

**7 Experimental Demonstration of Long-distance CVQKD **

7.1 Outlook of the Experiment

7.2 Experimental Results

7.3 Security Conditions

7.4 Multidimensional Reconciliation

7.5 Local Oscillator Manipulation

7.6 Hardware Stability

7.7 Post-processing Performance

7.8 Conclusion and Perspectives

**8 Increasing the Speed of CVQKD **

8.1 Effect of an imperfect error correction step in QKD

8.1.1 Secret key rate and error correction

8.1.2 Previous work

8.2 Polar codes for QKD: efficiency vs. block sizes

8.3 Decoding speed: numerical results

8.4 Privacy amplification

8.5 Network Bandwidth Consumption

8.6 Several Bits per Pulse

**9 Integration of CVQKD in Optical Networks **

9.1 QKD and Network Infrastructures

9.2 SEQURE demonstration field test

9.2.1 Structure of the demonstration

9.2.2 The quantum layer

9.3 Security considerations

9.4 Performance of the quantum layer

9.4.1 Events

9.4.2 Excess noise

9.4.3 Secret key rate

9.5 Performance of the encryption layer

9.6 SEQURE Demonstration Conclusion and Perspectives

9.7 Analysis of the Noise Contributions in a WDM Setup

9.7.1 Leakage from Classical Channels

9.7.2 Four-wave Mixing

9.7.3 Spontaneous Anti-Stokes Raman Scattering

9.8 Noise Photons in Local Oscillator Matched Mode

9.9 Experimental Results

9.10 Concluding Remarks

A Matrix Representation of the Octonions

B Local Oscillator Power Measurement and Clock Signal Generation

C Post-processing Scheduling

List of Abbreviations

**Bibliography**