[Cryptography] FYI: quantum cloning

Jerry Leichter leichter at lrw.com
Mon Feb 6 14:20:05 EST 2017 

> https://phys.org/news/2017-02-quantum-networks-hacking-threats.html
> http://advances.sciencemag.org/content/3/2/e1601915
> 
> |High-dimensional quantum cloning and applications to quantum hacking
> 
> |We perform optimal cloning of high-dimensional photonic 
> |states by means of the symmetrization method.
> 
> |In addition, a cloning attack on a Bennett and Brassard (BB84) 
> |quantum key distribution protocol is experimentally demonstrated 
> |to reveal the robustness of high-dimensional states in quantum 
> |cryptography.
> 
> I can't parse the technical stuff. Does the last paragraph mean
> they broke "old quantum crypto"?
Not an expert in the field, but ... no.  In QM, everything is probabilistic.  So all you can say is that a quantum Eve will be detected with no less than some probability.  They approach in this paper is two-fold:  First, the construct an "optimal cloner":  If Eve can clone the state of a photon that Alice sent Bob, Bob will see the original whole Eve will at her leisure read the clone.  Except that the No Cloning Theorem proves that you can't clone an unknown quantum state.  You can *copy* it, but you lose the original.

Still, QM never says "never"; it just puts bounds on what you can accomplish.  You can *approximately* clone a quantum state.  And they show how to do it optimally, even for complex (multi-dimensional) states.

So then they ask the question:  What effect does that have on the security of the original quantum key exchange protocol?  Except that they "improve" on that protocol by using high-dimensional states rather than the very simple states of the original thought experiments.  This turns out to make the system much more robust - you're encoding the information in multiple separate measurements at once so noise has less of an effect.  Of course, this potentially means a cloning attack might copy enough state to read the bit, even though the copy is "lossy".  So ... they analyze what happens if Eve uses the optimal cloner to try to read Alice's high-dimensionally-encoded bit.  It turns out this has a specific, observable effect on Alice and Bob's communication, and they can in turn optimally detect *that*.  So they end up showing how to construct a variant on the original key exchange protocol that's more error-resistant and actually does a better job of detecting Eve than the original.  And they actually show that they can do these things physically and the results seem to match the theory, which is nice.

Except ... you end up with a bound *for a particular attack*.  The attack happens to be "optimal" in some sense, but it's not the right sense.  You would want to look at the probabilities across *all possible attacks*, i.e., "optimal way to attack the protocol", not "optimal way to clone a high-D state", which is what you get.  So ... who knows for sure what this gives you.  The treatment of this stuff has gotten reasonably sophisticated, so I suspect we'll see some treatment of the general question in the future.

Exactly how this affects the original low-D protocol ... I don't know.

                                                        -- Jerry

More information about the cryptography mailing list