- 學位論文
量子密鑰分發的安全性證明之分析與比較
Analysis and Comparison of Security Proofs of Quantum Key Distribution
摘要
量子密鑰分發 (quantum key distribution, QKD) 是一種不需任何計算 性假設 (computational assumption) 即可使通訊雙方擁有相同且安全的 私鑰的密碼學演算法。雖然 BB84 為最早提出的 QKD 協定,但它容易實作,且與 decoy-method 搭配之下,目前仍是實務上可安全使用的 QKD 協定。 在本論文中,我們針對 BB84 協定做了完整的安全性證明。一個完 整的安全性證明,應包含「定義」、「假設」、「數學證明」三個部份。 本論文對於安全性定義給予完整的介紹,並詳細分析所有證明當中所 用到的假設,最後證明 BB84 協定在假設之下可以滿足安全性定義。 此外,除了少數證明與 QKD 沒有直接關聯的數學定理之外,安全性證明的每一個步驟均有解釋,而非直接引用其它論文的結果。對於剛 接觸 QKD 的學生,或是其它領域的研究者而言,本論文能作為認識 QKD 安全性證明的入門磚及參考。 本篇使用的證明手法主要根基於 [SP00] 與 [Koa09] 兩篇論文。首 先,我們利用 [SP00] 所提出的方法,將 BB84 協定的安全性化約 (reduce) 至糾纏態粹取協定上,並使用錯誤更正碼來描述協定過程。接著,再使用 [Koa09] 當中使用的技巧,利用不確定性原理 (uncertainty principle) 來分析糾纏態粹取協定的安全性。證明過程中,我們在兩個 地方做出改良。第一,[SP00] 當中的化約過程是利用兩協定的「等價」 關係來論證。在本論文中,我們利用當代密碼學中 indistinguishable game 的方式嚴謹定義「等價」這個概念。本論文實際將該定義應用在 安全性證明當中,並針對化約過程中的參數損失給予嚴謹的分析。第二,Koashi 的證明 [Koa09] 要求通訊雙方在後處理 (post-processing) 的通訊上需使用單次密碼本 (one-time pad) 加密。本論文證明即使雙方在 後處理的通訊保持公開,BB84 協定仍然安全。
並列摘要
Quantum key distribution (QKD) allows two parties to have a shared secret key without relying on any computational assumption. While BB84 is the oldest QKD protocol, it is easy to implement and compatible with decoy-method, which makes it secure in the practical world. In this thesis, we give a complete and self-contained security proof of BB84 protocol. By complete, we mean that we give a comprehensive introduction to all the building blocks of a security proof. We recall the formal security definition of QKD, analyze all the necesary assumptions and give a proof to show that BB84 attains the security definition. By self-contained, we mean that we analyze the security of BB84 step-by-step without outsourcing to other papers, except some mathematical facts whose proofs are not directly related to the main context. We believe that our treatment makes it easier to understand the security proof of QKD, especially for students and researchers from different backgrounds. Our work combines the proofs in [SP00] and [Koa09]. We reduce the security of BB84 to an entanglement-based protocol and describe the protocol by error correction codes, which were introduced in [SP00]. Then, we analyze the security of the entanglement-based protocol by uncertainty principle, which is the essential part of the proof in [Koa09]. Along the proof, we make two improvements. First, in cite{SP00}, the reduction is argued by the "equivalence" between two protocols. We formulate the notion of equivalence by an indistinguishable game, which fits the language of modern cryptography. We apply the new definition of equivalence to the proof and analyze the parameter loss in the reduction. Second, the proof in [Koa09] requires that the post-processing in the BB84 protocol must be encrypted by one-time pad. We remove this requirement and show that BB84 remains secure if the post-processing is done in public.