QKD applications and new physical layer cryptography

Date post: 09-Dec-2021
1 QKD applications and new physical layer cryptography 6th Oct 2014 Quantum ICT Lab Masahide Sasaki Quantum-Safe Cryptography Workshop
Transcript
Page 1: QKD applications and new physical layer cryptography

6th Oct 2014

Quantum ICT Lab

Masahide Sasaki

Quantum-Safe Cryptography Workshop

Page 2

Contents

(1) QKD applications

Two facts on user attitude

Our current efforts

(2) Security in global networks

Intrinsic limit on QKD

A new physical layer cryptography

Page 3

Fact (1)

High-end users (MoD, …) are seriously worried about security threats on the physical layer after the Snowden files, but have not yet decided to introduce QKD.

They are still watching.

The strongest security is not necessarily a reason for the scheme to be adopted.

There are many strong crypto-schemes, but most of them have not been used in practice yet.

Page 4

From CRYPTREC report

RSA1024 won't work any more against the latest computers (~2015).

RSA1024 --> RSA2048: replace various systems

Doubling the key length was strongly recommended.

Most users still use RSA1024.

Page 5

Implication from Fact (1)

- Stand-alone QKD is hard to get accepted.
- Start with an existing security system, then integrate QKD into it, and realize new values.

Algorithmic cryptography

1. Not provable
   --> Needs to be updated
2. Cannot detect hacking
3. Specs of high-end solutions are usually not disclosed.
   --> Hard to interconnect the systems of different divisions, even in the same organization.

New values of QKD

1. Updating the scheme itself is not necessary
2. Can detect hacking
3. Simplest encryption: one-time pad, C = X + K
   --> No processing latency
   --> Seamless cryptic connectivity can be realized if key IDs are properly managed.

Page 6

Fact (2)

Responses to our press releases on QKD applications increased remarkably this year.

Ex. QKD-assisted secure smart phone (May 2014)

QKD-key + smart phone is something marvelous!

Potential customers who have asked us about it include

- Ministries (MIC, MHLW)
- Prefectural office
- General construction company
- Banks
- Car company
- Print company

They are looking at a future society based on the Internet of Things, and want to know what kind of security technology they should introduce and how to revise their security systems.

Conversations with them are very inspiring.

Page 7

QKD-assisted secure smart phone

Hierarchical access control to confidential data files

[Diagram labels: Service terminal; Felica reader (x2); Data center; Data files; QKD; Access control keys (ACKs); Data encryption key; One-time pad; Wegman-Carter protocol; Full access; Partial access (cannot access confidential data)]

The server encrypts each file with ACKs.

Useful for protecting state secrets and medical charts.

Page 8

Implication from Fact (2)

There are new fields where security is becoming a new concern. That is, modern crypto and QKD are at the same starting line.

- Medical network
- Controller Area Network (CAN)
- Robot network
- …

Security standards have not been decided yet.

How to share symmetric keys between control units, and how to manage them?

Page 9

Latest model of QKD (Decoyed BB84, by NEC)

[Photo labels: Server; Key distillation board; Encoder; 4 APDs; UPS; Decoder; Alice; Bob; Console; 1.2 5m]

- Key rate: 100 kbps
- Distance: 60 km (for fiber loss 0.2 dB/km)
- Clock rate: 1.24 GHz

Page 10

Integrate QKD with a commercial product, Comcipher

[Diagram labels: Data center; Layer-2 switch (x2); Users; QKD; Comcipher (AES), data layer encryptor]

Throughput: 10 Gbps

Most mission-critical channels are made in the 2nd layer (data layer), not going up to the 3rd layer (IP network layer).

- Enhance the security of AES by key refresh.
- One-time pad mode is optional for high-end use.

Page 11

Information theoretic security for

- Data transmission
- Message authentication

in IPsec

[Diagram labels: Node A; Node B; X; Layer 2 switch; Layer 3 switch; IP address; Payload; IP header; Encrypted IP packet; Auth tag; One-time pad encryption; Universal hash function; Authenticated; cable; QKD platform; Layer 2 encryptor (Comcipher, …)]
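
The one-time pad with managed key IDs (Page 5) and the one-time pad plus universal-hash authentication tag in the diagram above, as an added Python example; it is not code from the talk or from any product named in it. The `KeyStore` class, the key-block layout and the polynomial hash over GF(2^127 - 1) are assumptions made for illustration, and `secrets.token_bytes` stands in for QKD-delivered key material.

```python
import hmac
import secrets

P = (1 << 127) - 1  # Mersenne prime: field for the polynomial universal hash

class KeyStore:
    """Hypothetical pool of QKD key blocks; each key ID can be taken once."""
    def __init__(self, blocks):
        self._blocks = dict(blocks)

    def take(self, key_id, need):
        block = self._blocks.pop(key_id)  # KeyError: ID unknown or already used
        if len(block) < need:
            raise ValueError("key block too short for this frame")
        return block

def poly_hash(data, r):
    """Polynomial in r over GF(P); 14-byte chunks, each with a marker byte."""
    acc = 0
    for i in range(0, len(data), 14):
        acc = (acc + int.from_bytes(data[i:i + 14] + b"\x01", "little")) * r % P
    return acc

def _tag(key, n, key_id, cipher):
    # Assumed key layout: n pad bytes | 16-byte hash key r | 16-byte tag mask s
    r = int.from_bytes(key[n:n + 16], "big") % P
    s = int.from_bytes(key[n + 16:n + 32], "big")
    t = (poly_hash(key_id.to_bytes(8, "big") + cipher, r) + s) % (1 << 128)
    return t.to_bytes(16, "big")

def seal(store, key_id, plaintext):
    """One-time pad C = X xor K plus a Wegman-Carter tag over (key ID, C)."""
    key = store.take(key_id, len(plaintext) + 32)
    cipher = bytes(x ^ k for x, k in zip(plaintext, key))
    return key_id, cipher, _tag(key, len(plaintext), key_id, cipher)

def open_frame(store, key_id, cipher, tag):
    """Verify the tag, then strip the pad; the key is consumed either way."""
    key = store.take(key_id, len(cipher) + 32)
    if not hmac.compare_digest(tag, _tag(key, len(cipher), key_id, cipher)):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(cipher, key))

def demo():
    # Constructed stand-in for QKD output: both ends hold the same blocks.
    blocks = {kid: secrets.token_bytes(64) for kid in (1, 2)}
    alice, bob = KeyStore(blocks), KeyStore(blocks)
    return alice, bob, seal(alice, 1, b"valve 7: close")
```

Because `take` removes the block, a replayed frame or a second message under the same key ID fails at the key store before any cryptography runs, which is the key-ID management the one-time pad depends on.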

Page 12

Multi-layered monitoring and protection system

Security defense in depth

[Diagram labels: Application layer; Control plane; QKD platform; Physical layer protection; Protect controllers; Encryption keys]

- Cyber security
- Modern crypto

Collaboration with modern cryptographers and cyber security engineers

Page 13

Make a QKD showcase for Tokyo Olympic 2020

Safest Tokyo Network

ImPACT Program (Oct 2014-Mar 2019) by the Cabinet office

Impulsing PAradigm Change through disruptive Technologies

Page 14

Contents

(1) QKD applications

Two facts on user attitude

Our current efforts

(2) Security in global networks

Intrinsic limit on QKD

A new physical layer cryptography

Page 15

Satellite airborne network

Page 16

Small satellite SOCRATES (NICT, AES, NEC, JAXA)

- Launched on 24 May 2014
- Successfully put into orbit (628 km)
- Now under preparation for operation

50kg-satellite bus; small optical transponder, 6.2kg

Page 17

At 1550nm, 800nm, 967nm

Rate 1Mbps or 10Mbps

Satellite-ground laser link

Evaluate polarization encoding

Evaluate footprint jitter and wiretap risk

Page 18

Unconditional security

QKD is very hard at LEO altitude.

PPM capacity; 1Gbps link by 10W laser

Page 19

The secret key capacity is upper bounded by

Intrinsic limit of QKD (repeaterless link)

Transmittance of a lossy optical channel

Takeoka, et al., IEEE Trans. IT-60(8), 4987 (2014).

Takeoka et al., to appear in Nat. Commun.

It is not very worthwhile to pursue new QKD protocols for a higher key rate over a lossy channel.

Page 20

Algorithmic crypto (1st option)

- Hard to update in satellites when weakened.
- Using a long key causes latency.

PPM capacity; 1Gbps link by 10W laser

Page 21

Physical layer cryptography

[Diagram labels: Message; Randomness; Redundancy; Error correction; Deception]

Opportunistic link when Eve's channel is physically bounded.

"Information theoretic security" at higher rate

Ex. Line-of-sight communication

Wyner, Bell Syst. Tech. J., 54(8), 1355 (1975).

Csiszár and Körner, IEEE Trans. Inf. Theory, IT-24(3), 339 (1978).

$(\mathrm{SNR})_{\text{Alice-Bob}} > (\mathrm{SNR})_{\text{Alice-Eve}}$
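
An added illustration of the message-plus-randomness structure on this slide (not from the talk): a toy coset code in the style of wiretap coding, where one secret bit is sent as the parity of n bits and the other n-1 bits are pure randomness. As assumptions, Bob's channel is noiseless (so the redundancy for error correction is omitted) and Eve's weaker channel is modelled as capturing only a subset of bit positions; her exact posterior is computed by enumeration.

```python
import itertools
import secrets
from fractions import Fraction

def encode(secret_bit, n):
    """Pick a uniformly random n-bit word whose parity equals the secret bit."""
    word = [secrets.randbelow(2) for _ in range(n - 1)]
    word.append((secret_bit + sum(word)) % 2)
    return word

def decode(word):
    """Bob receives every position (the better channel) and reads the parity."""
    return sum(word) % 2

def eve_posterior(observed, n):
    """P(secret = 1 | Eve's view) for a uniform secret bit, by enumeration.
    observed maps position -> bit value for the positions Eve captured."""
    counts = [0, 0]
    for word in itertools.product((0, 1), repeat=n):
        if all(word[i] == b for i, b in observed.items()):
            counts[sum(word) % 2] += 1
    return Fraction(counts[1], counts[0] + counts[1])

def leakage_profile(secret_bit, n):
    """Eve's posterior as she captures the first 0, 1, ..., n positions."""
    word = encode(secret_bit, n)
    return [eve_posterior({i: word[i] for i in range(j)}, n)
            for j in range(n + 1)]
```

For any n, the posterior stays at exactly 1/2 until Eve holds every position, so the secrecy here comes from the channel advantage and the randomness, with no key involved.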

Page 22

Physical layer cryptography

[Figure: secrecy capacity [bps]; wiretapping ratio 0.01, 0.5, 0.95, 0.999]

Page 23

Reliability function

Secrecy function

A priori prob.

[Diagram: X (0, 1); Y (0, 1); Z (0, 1)]

Decoding error

KL distance "Strongest measure"

Power constraint

Theory of finite length analysis

Han, Endo, & Sasaki, arXiv:1307.0608 [cs.IT]

To appear in IEEE IT

Page 24

Stronger secrecy but lower reliability

n

Message Randomness

Tradeoff engineering : reliability vs secrecy

Rate shifting Rate exchange

CS CS

$R_B + R_E = R'_B + R'_E$

Stronger secrecy with the same

reliability (Message rate is degraded)

R'E=R'E+D

Page 25

Physical layer crypto in fiber network

Multi-level-security embedding network coding

[Diagram labels: Network; Alice; Bob; User 2; User p; User q; User 2; Stronger Eve (prob p1); Weaker Eve (prob p2)]

It is unrealistic to assume that Alice and Bob know Eve's channel. Coding must be designed to withstand multiple possible realizations of the wiretap channel.

Statistically independent messages from other users can be the random bits to deceive Eve.

A high-security message can be embedded into a low-security message. When Eve is strong, a prescribed part of the bits remains secure.

Page 26

New generation secure network

Quantum noise (Optical domain)

Thermal noise (RF domain)

QKD Phys Layer Crypto Algorithmic Crypto

Reproduced from the Trinity College Dublin website

Combine Physics laws, Coding, PA, & Algorithms

