1
QKD applications
and
new physical layer cryptography
6th Oct 2014
Quantum ICT Lab
Masahide Sasaki
Quantum-Safe Cryptography Workshop
2
Contents
(1) QKD applications
Two facts on user attitude
Our current efforts
(2) Security in global networks
Intrinsic limit on QKD
A new physical layer cryptography
3
Fact (1)
High end users (MoD, …) are seriously worried about
security threats on the physical layer after the Snowden
files, but have not decided yet to introduce QKD.
They are still watching.
The strongest security is not necessarily a reason
for the scheme to be adopted.
There are many strong crypto-schemes,
but most of them have not been used in practice yet.
4
From CRYPTREC report
RSA1024 won't work
any more against latest
computers (~2015)
RSA1024
RSA2048
Replace various systems
Doubling the key length
was strongly recommended.
Most of users still use RSA1024.
5
Implication from Fact (1)
- Stand-alone QKD is hard to be accepted.
- Start with an existing security system, then
integrate QKD into it, and realize new values.
Algorithmic cryptography New values of QKD
1. Updating the scheme itself
is not necessary
2. Can detect hacking
3. Simplest encryption :
one-time pad, C=X + K
--> No processing latency
--> Seamless cryptic connectivity
can be realized if key IDs are
properly managed.
1. Not provable
--> Need to be updated
2. Cannot detect hacking
3. Specs of high-end solutions
are usually not disclosed.
-->Hard to interconnect the
systems of different divisions
even in the same organization.
6
Fact (2)
Responses to our press releases on QKD applications
remarkably increased this year.
Ex. QKD-assisted secure smart phone (May 2014)
QKD-key + smart phone is something marvelous !
Potential customers who have asked us on it include
- Ministries (MIC, MHLW)
- Prefectural office
- General construction company
- Banks
- Car company
- Print company
They are looking at future society based on the Internet of Things,
and want to know what kind of security technology they should
introduce, and how to revise their security systems.
Conversation with them are very inspiring.
7
Service terminal
Partial access
Cannot access to
confidential data
Data files
QKD
Full access
Access control keys
One time pad
Data encryption key
Felica reader
Felica reader
Hierarchical access control to confidential data files
QKD-assisted secure smart phone
Wegman-Carter protocol
The server encrypts each
file by ACKs Data center
Useful to protect state secrets and medical chart
8
Implication from Fact (2)
There are new fields where security is becoming
a new concern. That is,
modern crypto and QKD are at the same start line.
- Medical network
- Controller Area Network (CAN)
- Robot network
…..
Security standards have
not been decided yet.
How to share symmetric keys
between control units and
how to manage them?
9
Server
Key distillation
board
Encoder
4 APDs
UPS
Decoder
Alice Bob
Console
1.2
5m
Key rate 100kbps
Distance 60km (for fiber loss 0.2dB/km)
Clock rate 1.24GHz
Latest model of QKD (Decoyed BB84, by NEC)
10
Integrate QKD with a commercial product, Comcipher
Data center
Layer-2 switch Layer-2 switch
Users
QKD
Comcipher(AES)
Throughput
10Gbps
Most of mission critical channels are made in the 2nd layer (data layer),
not going up to the 3rd layer (IP network layer)
- Enhance the security of AES by key refresh
- One-time pad mode is optional for high-end use.
Data layer encryptor
11
Node A Node B
X
Layer 2
switch
IP address Payload
Encrypted IP packet Auth tag IP header
Auth tag
One-time pad encryption
Universal hash function
Encrypted IP packet
Encrypted IP packet
Authenticated
cable
QKD platform
Layer 2 encryptor
(Comcipher, …)
- Data transmission
- Message authentication
Information theoretic security for
Layer 3
switch
in IPsec
12
Physical layer
protection
Application layer
Control plane
QKD platform
- Cyber security
- Modern crypto
Protect
controllers
Multi-layered monitoring and protection system
Security defense in depth
暗号鍵
Collaboration with modern cryptographers and cyber security engineers
13
Make a QKD show case for Tokyo Olympic 2020
Safest Tokyo Network
ImPACT Program (Oct 2014-Mar 2019) by the Cabinet office
Impulsing PAradigm Change through disruptive Technologies
14
Contents
(1) QKD applications
Two facts on user attitude
Our current efforts
(2) Security in global networks
Intrinsic limit on QKD
A new physical layer cryptography
15
Satellite airborne network
16
Small satellite SOCRATES (NICT, AES, NEC, JAXA)
・Launched on 24 May 2014
・Successfully put on the orbit(628km)
・Now under preparation for operation
50kg-satellite bus Small optical transponder 6.2kg
17
At 1550nm, 800nm, 967nm
Rate 1Mbps or 10Mbps
Satellite-ground laser link
Evaluate polarization encoding
Evaluate footprint jitter and wiretap risk
18
Unconditional security
QKD is very hard
at LEO altitude.
PPM capacity;
1Gbps link by 10W laser
19
The secret key capacity is upper bounded by
Intrinsic limit of QKD (repeaterless link)
Transmittance of
a lossy optical channel
Takeoka, et al., IEEE Trans. IT-60(8), 4987 (2014).
Takeoka et al., to appear in Nat. Commun.
Not very worth to pursue new
QKD protocols for higher key
rate over a lossy channel.
20
Algorithmic crypto (1st option)
- Hard to be updated in
satellites, when weakened.
- Using a long key causes
latency.
PPM capacity;
1Gbps link by 10W laser
21
Redundancy
Message Randomness
Physical layer cryptography
Error
correction
Deception
Opportunistic link when
Eve's channel is physically bounded.
"Information theoretic security" at higher rate
Ex.
Line-of-sight
communication
Wyner, Bell Syst. Tech. J., 54(8),1355 (1975).
Csiszár and Körner, IEEE Trans. Inf. Theory, IT-24(3), 339 (1978).
(SNR)Alice-Bob
> (SNR)Alice-Eve
22
Wiretapping ratio
0.01
0.5
0.95
0.999
Secre
cy c
ap
acit
y [
bp
s]
Secrecy capacity
Physical layer cryptography
23
Reliability function
Secrecy function
A priori prob.
0
1
0
1
X Y
0
1
Z
Decoding error
KL distance "Strongest measure"
Power constraint
Theory of finite length analysis
Han, Endo, & Sasaki, arXiv:1307.0608 [cs.IT]
To appear in IEEE IT
24
Stronger secrecy but lower reliability
n
Message Randomness
Tradeoff engineering : reliability vs secrecy
Rate shifting Rate exchange
CS CS
RB+RE=R'B+R'E
Stronger secrecy with the same
reliability (Message rate is degraded)
R'E=R'E+D
25
Physical layer crypto in fiber network
Multi-level-security embedding network coding
Network
Alice Bob
User 2
User p User q
User 2
Stronger Eve (prob p1)
Weaker Eve (prob p2)
It is unrealistic to assume that Alice and Bob know Eve's channel.
Coding must be designed to withstand
multiple possible realizations for the wiretap channel.
Statistically independent messages from other users
can be the random bits to deceive Eve.
High-security message can be embedded into low-security message.
When Eve is strong, a prescribed part of the bits remain secure.
26
New generation secure network
Quantum noise (Optical domain)
Thermal noise (RF domain)
QKD Phys Layer Crypto Algorithmic Crypto
Trinity College DublinのHPより転載
Combine Physics laws, Coding, PA, & Algorithms