APPARATUS AND METHOD FOR SECURE SPACE COMMUNICATION

Abstract

Free-Space quantum keyless private communication method according to a communication protocol comprising exchanging information between an emitter (100) and a receiver (200) through a main quantum-classical channel and with an eavesdropper tapping said main channel through a wiretap channel, based on the wiretap channel model, wherein the overall degradation of the wiretap channel is superior than that of the main channel, comprising the steps of preparing, at the emitter (100), a message M composed of classical bits, coding said message M so as to transform it into a coded message X, practical modulating the amplitude and/or the phase of the optical pulses of the coded classical bits, sending the encoded message to the receiver (200) through a classical-quantum channel (500), such that an eavesdropper (300) tapping said channel is provided with partial information about the said states only, detecting and decoding the received message through quantum security analysis.

Claims

1. Free-Space quantum keyless private communication method according to a communication protocol comprising exchanging information between an emitter (100) and a receiver (200) through a main-classical-quantum channel and with an eavesdropper tapping said main channel through a wiretap channel, based on the wiretap channel model, wherein the overall degradation of the wiretap channel is superior than that of the main channel, comprising the steps of preparing, at the emitter (100), a message M composed of classical bits, coding said message M so as to transform it into a coded message X, converting the classical bits of the coded message into a signal to be sent to Bob by modulating the amplitude and/or the phase of the coherent states, sending the signal comprising the encoded message to the receiver (200) through a quantum-classical channel (500), such that an eavesdropper (300) tapping said channel is provided with partial information about the said states only, detecting and decoding the received message

2. Free-Space key distribution method according to claim 1, characterized in that said transformation step is a stochastic coding step.

3. Free-Space key distribution method according to claim 2, characterized in that the communication protocol is a one-way communication protocol.

4. Free-Space key distribution method according to claim 1, characterized in that the classical bits modulate a coherent state which is modeled with quantum electrodynamics,

5. Free-Space key distribution method according to claim 5, characterized in that it further comprises a degradation parameter calculation step depending on the receiver's parameter, such that $\left(d_B,d_E,{}_b,{}_E,{}_{\mathrm{div}}\right)=\frac{1}{{}_b}{\left(\frac{d_B}{d_E}\right)}^2{\left(\frac{D_R^E}{D_R^B}\right)}^2{e}^{-2{\left(\frac{2{}_E}{{}_{\mathrm{div}}}\right)}^2}$ where d.sub.B is the distance between the emitter and the receiver, d.sub.E is the distance between the emitter and the eavesdropper, D.sup.E.sub.R is the diameter of the of the antenna of the eavesdropper D.sup.B.sub.R is the diameter of the antenna of the receiver, .sub.B is the (additional) loss of the receiver such as atmospheric, pointing, optic circuits, and detector efficiency, .sub.div is the far field divergence, and .sub.E is Eve's angle to the satellite

6. Free-Space key distribution method according to claim 5, characterized in that it further comprises defining an exclusion surrounding the receiver (200) based on the degradation parameter .

7. Free-Space key distribution method according to claim 6, characterized in that exclusion surrounding the receiver (200) is defined such that the degradation parameter is lower than a given value smaller than 1.

8. Free-Space key distribution method according to claim 7, characterized in that the exclusion surrounding the receiver (200) is defined such that the degradation parameter is lower than 0.1.

9. Free-Space key distribution method according to claims 1 to 7, characterized in that the signal is an optical signal.

10. Free-Space quantum keyless private communication system comprising an emitter (100) and a receiver (200) adapted to exchange information through a main-classical-quantum channel and with an eavesdropper tapping said main channel through a wiretap channel, based on the wiretap channel model, wherein the overall degradation of the wiretap channel is superior than that of the main channel, adapted to carry out the method of any one of claims 1 to 9.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0032] Preferred embodiments of the invention are described in the following with reference to the drawings, which are for the purpose of illustrating the present preferred embodiments of the invention and not for the purpose of limiting the same. In the drawings,

[0033] FIG. 1a represents the different eavesdropping scenarios, with wiretap channel and physical layer wiretap channel eavesdropping;

[0034] FIG. 1b represents the wiretap channel principle of the prior art;

[0035] FIG. 1c represents the passive scenario,

[0036] FIG. 2 represents the general principle of the invention.

[0037] FIG. 3 represents probabilistic detection models for Bob and Eve.

[0038] FIG. 4 is a graph which represents numerical values of Cp() for OOK and sensitivity to noise assuming pdark0 and o=1.

DESCRIPTION OF PREFERRED EMBODIMENTS

[0039] FIG. 1, as mentioned and described above, presents various eavesdropping scenarios. An emitter 100 and a receiver 200 exchange data through a FSO communication channel, defined by the dashed lines, wherein an eavesdropper Eve1 300 may be located between 100 and 200, and intercepts and resend the beam, according to the wiretap channel scenario, or an eavesdropper Eve2 305 may be located on the ground and can only collect part of beam without resending it, according to the physical layer wiretap channel scenario, both attempting at gaining information on the exchanged data. Its description will not be repeated here in detail.

[0040] FIG. 1b represents the general principle of wiretap channel. It was introduced by Wyner (relaxing the conditions for Shannon's perfect secrecy) and generalized by Csiszar & Krner. It models a general communication system architecture with a transmitter that encodes messages M into codewords X of n symbols for transmission to a receiver, in the presence of an eavesdropper that obtains noisy observations Z of X. The literature proved the existence of coding schemes simultaneously ensuring reliable transmission and secrecy for discrete memoryless channels, which was extended to Gaussian channels and wireless channels. As a further evolution of the wiretap channel concept, it was noticed that secrecy is closely related to the concept of channel resolvability from information-spectrum methods developed by Han and Verd. This approach was pioneered by M. Hayashi and provides a completely different way to analyze the system and construct the codes to provide strong security. In the case of more powerful Eve, one usually considered a different architecture including a public channel where the objective is to distill secret keys. However, this needs 2-way communication.

[0041] FIG. 2 represents, on top, the general principle of the invention, i.e. the main channel and the wiretap channel and on the bottom, the information theoretical representation of the classical-quantum degraded wiretap channel. It shows classical input random variable X and output quantum systems B and E.

[0042] More particularly, it represents the general direct communication protocol as a one-way wiretap protocol where secret bits are channel encoded and sent over n uses of the optical channel. The protocol contains the following steps is the codeword received by Bob, i.e. it is a noisy version of the transmitted codeword Xn [0043] 1) The transmitter sends a stream of secret information bits, e.g. video, voice, etc., to an encoder, a preferably stochastic wiretap encoder. Practically, the transmitter generates a message, then encodes this message. This encoding step comprises the transmitter selecting a codeword X.sup.n to send the secret message M with probability q.sub.x, and sends it to Bob who receives Y.sup.n which is the codeword received by Bob, i.e. it is a noisy version of the transmitted codeword X.sub.n, but the channel also leaks information to the environment represented by the eavesdropper (Eve), who receives Z.sup.n.

[0044] The secrecy of the message depends on the structure of this encoder, which is characterized by the rate R=k/n (where k is the number of secret bits), the error probability after decoding, .sub.n, and a security measure, .sub.n. [0045] 2) For each use of the channel, therefore, once coded and before sending, the transmitter prepares a coherent state modulation by the random variable XX={0, 1}, where X=0 with probability q and X=1 with probability 1q. The OOK states transmitted by Alice are the vacuum state, |.sub.0>=|0>, and

[00002]$.Math.{}_1=e^{-\frac{1}{2}{.Math..Math.}^2}\underset{n=0}{\overset{}{.Math.}}\frac{{}^n}{{\left(n!\right)}^{1/2}}.Math.n$ [0046] in other words the encoded secret bits are sent to a discrete modulator, which modulates the amplitude (and/or the phase) of the transmitted optical pulses. Here, we assume discrete amplitude modulation of coherent states. [0047] 3) After n transmissions over the quantized propagating field, the receiver receives B.sub.n and the eavesdropper receives E.sub.n. The receiver estimates his received coherent state after measuring the arriving light and obtains Y.sub.n. He disposes of state-of-the-art detectors. Eve may apply the best quantum detection strategy to obtain Z.sub.n. The receiver (Bob) received the coded message and decodes it after measuring the arriving light.

[0048] According to the wiretap theory of the present invention, even when the eavesdropper is computationally unbounded, the wiretap code of the present invention ensures that if R is an achievable rate, both .sub.n and .sub.n tend to zero for large n, where .sub.n is the error probability and .sub.n is a security measure such that:

[00003]$\underset{n.fwdarw.}{\lim }{}_n=\underset{n.fwdarw.}{\lim }{}_n=0,$ [0049] which means that the error probability .sub.n and the information leakage towards the eavesdropper can be made arbitrarily low. Upper bounds are also known for the speed of convergence rate of leaked information. Hence, the protocol jointly provides information-theoretical reliable and secure communication. The supremum of all such rates is called the private capacity.

[0050] In other words, the private capacity (or secrecy capacity) of the classical-quantum wiretap channel of the present invention, is the performance metric of the present protocol.

[0051] More particularly, the meaning of strong security is that, given a uniform distribution of the message to be transmitted through the channel between an emitter and a receiver, an eavesdropper shall obtain no information about it. This criterion is the most common security criterion in classical and quantum information theory.

[0052] The metric of strong security is the amount of mutual information leaked to Eve using, that can be represented by .sub.n=I(X; Z).

[0053] When the communication channel between the emitter and the receiver is degradable, it is possible to assume symbol-wise detection and decoding for the channel N=(N.sub.B, N.sub.E). The probabilistic description of the degradability property for the classical channel is that X, Y and Z form a Markov chain, XYZ.

[0054] FIG. 2 shows the physical description of the protocol implemented with coherent states over a degradable channel according to the present invention.

[0055] The main channel between Alice (the emitter) and Bob (the receiver) and the wiretap channel between Alice (the emitter) and Eve (the eavesdropper) are preferably discrete memoryless channels. In this case, the private capacity of the quantum wiretap protocol (with quantum channel and information) is

[00004]$C_P\left(\right)=\underset{{}_{\mathrm{in}}}{\sup }{I}_c\left({}_{\mathrm{in}},\right),$ [0056] where .sub.in is the input density matrix and I.sub.c(.sub.in, N) is the coherent information defined as

I.sub.c(.sub.in,N)=S(N.sub.B(.sub.in)S(N.sub.E(.sub.in)), [0057] with S being the von Neumann entropy.

[0058] Now we will describe the degradable channel of the practical (energy-constrained) protocol over space links, which is used to derive the private capacity.

[0059] First, we consider an alphabet consisting of two pure coherent states, modulated by the random variable XX={0, 1}, where X=1 with probability q and X=0 with probability 1-q.

[0060] One assumes On OFF Keying (OOK), but the model could also be applied to e.g. Binary Phase Shift Keying (BPSK). The OOK states transmitted by Alice are the vacuum state, |.sub.0)=|0), and

[00005]$.Math.{}_1=e^{-\frac{1}{2}{.Math.{}_1.Math.}^2}\underset{n=0}{\overset{}{.Math.}}\frac{{}_1^n}{{\left(n!\right)}^{1/2}}.Math.n.$

[0061] Also, one assumes a single-mode free-space quantum bosonic channel for the wiretap channel in the semi-classical regime. The efficiency of Bob's channel is n.

[0062] The coefficient (0, 1) characterizes the channel power degradation, hence, the transmittance of Eve's channel is .

[0063] The received states are simply the vacuum, or |{square root over ()}.sub.1> and |{square root over ()}.sub.1> for Bob and Eve respectively. The wiretap channel transition probabilities depend on the coherent states received by Bob and Eve and by their detection strategies. As mentioned above, for practical purposes, we assume that Bob uses standard single photon detectors, i.e. a threshold detector and one also takes into account limited detection efficiency (included in ) and noise (dark counts probability p.sub.dark and stray light with a Poisson photon number distribution and average .sub.0).

[0064] Therefore, the conditional probabilities that Bob detects y given that Alice sent x are illustrated in FIG. 3 with .sub.0=(1p.sub.dark)e.sup..sup.O.sup. and .sub.1=(1p.sub.dark)e.sup.(/.sup.1.sup.|2+.sup.o.sup.).

[0065] On the other hand, since Eve is limited by its spatial position only, she instead performs an optimal quantum detection. For the single observation, this leads to the optimal error probability *, which is calculated as

[00006]$\begin{array}{c}{}^{*}=\underset{01}{\min }[\mathrm{qTr}\left(1-\right){}_1+\left(1-q\right)\mathrm{Tr}{}_0)]\\ =\frac{1}{2}-\frac{1}{2}{.Math.q{}_1-\left(1-q\right){}_0.Math.}_1\end{array},$ [0066] where .sub.1 stands for trace norm. In the binary source scenario, this bound is achieved by the Holevo-Helstrom projector, for which several practical implementations have been proposed such as the Kennedy receiver, the Dolinar receiver or the Sasaki-Hirota receiver.

[0067] The optimal error probability of Eve resulting from the above equation becomes

*()=(1{square root over (14q(1q)e.sup.|.sup.1.sup.|.sup.2)})/2,

[0068] The private capacity for the wiretap channel model coincides with the classical secrecy capacity and is defined as

[00007]$C_P\left(\right)=\underset{q}{\max }\left\{I\left(X;Y\right)-I\left(X;Z.Math.\right)\right\},$ [0069] where I(X, Y) is the Shannon mutual information of Alice using a state-of-the-art photon counting detector and I(X; Z|) is the maximum Shannon mutual information that Eve can physically detect.

[0070] When the optimized capacity is uniform, i.e. q=, we obtain.

[00008]$C_P\left(\right)={\left[h\left({}^{*}\left(\right)\right)+h\left(\frac{{}_0+{}_1}{2}\right)-\frac{h\left({}_1\right)+h\left({}_0\right)}{2}-1\right]}_{+}$ [0071] where [ ].sub.+ means the positive part and the notation h( ) is the binary Shannon entropy.

[0072] FIG. 4 shows the numerical results of the above equation and we observe that the secrecy rate is as high as 0.68 for =0.1 with little sensitivity to noise. And even for adverse channel conditions ( close to 1) there is a positive secrecy rate for reasonable noise (e.g. up to =0.9 for =10.sup.4), however we will see in the example below that in practice is best to aim for <0.1.

[0073] Indeed, the method of the present invention also preferably comprises a degradation parameter calculation step depending on the receiver's parameter. Indeed, in order to provide a communication channel between Alice and Bob which is less degraded than the channel between Alice and Eve, this degradation has to be mastered and fixed.

[0074] We can approximate the fraction of the light collected by Bob (receiver), the free space loss .sup.B, as the ratio of the telescope area and the footprint area [0075] with

[00009]${}_f^B=\frac{A_R}{A_F}=\frac{{\left(D_R/2\right)}^2}{{\left(D_F/2\right)}^2}=\frac{D_R^2}{{}_{\mathrm{div}}^2{d}_B^2},D_F{}_{\mathrm{div}}d$ [0076] where d.sub.B is the distance between transmitter and receiver, D.sub.R is the diameter of the telescope of Bob and DF is the diameter of the footprint area around Bob.

[0077] The number of photons detected by Bob can therefore be calculated by:

N.sub.t=.sub.f.sup.B.sub.bN.sub.t,

[0078] where .sub.b represents additional losses depending on the experimental situation.

[0079] For Eve (the eavesdropper) we calculate .sup.E (the fraction of the light collected by Eve) as above but one adds a factor taking into account the light intensity outside the exclusion angle supposing a Gaussian angular distribution of the beam as

[00010]${}_f^E=\frac{{\left(D_R^E\right)}^2}{{}_{\mathrm{div}}^2{d}_E^2}{e}^{-2{\left(\frac{2{}_E}{{}_{\mathrm{div}}}\right)}^2}.$

[0080] Then, the number of photons detected by Eve becomes simply .sup.EN.sub.t=N.sub.t, as we assume no additional loss for Eve. Hence, for fixed antenna sizes one can easily calculate as

[00011]$\left(d_B,d_E,{}_b,{}_E,{}_{\mathrm{div}}\right)=\frac{1}{{}_b}{\left(\frac{d_B}{d_E}\right)}^2{\left(\frac{D_R^E}{D_R^B}\right)}^2{e}^{-2{\left(\frac{2{}_E}{{}_{\mathrm{div}}}\right)}^2}$

[0081] And therefore , can easily be defined and tuned according to the parameters of the used devices.

EXAMPLE

[0082] As an example, we will now look into a realistic physical scenario, where we use as a reference the recent experiment of QKD with the Chinese LEO satellite Micius.

[0083] Here, the satellite has an orbit of about 500 km above the earth surface and exchanges keys over distances up to 1200 km if the satellite is close to the horizon. The transmitter is equipped with 300 mm Cassegrain telescope featuring a far field divergence .sub.div of 10 rad (full angle at 1/e.sup.2). The receiver at ground station has a telescope with a diameter D.sub.R of 1 m.

[0084] In the Micius experiment those are atmospheric turbulence 3-8 dB (.sub.atm), pointing errors (.sub.p)<3 dB, overall optical loss (.sub.o) from telescope input lens to detector 7.4 dB detector, detector efficiency .sub.det 50% (3 dB). In the following we can reasonably consider an overall .sub.b of 20 dB (1%).

[0085] For d.sub.B=d.sub.E=1200 km and .sub.E=r.sub.E/d, for the Micius system parameters and assuming a very large eavesdropper's receiving antenna D.sup.E of 2 m and a small exclusion radius r.sub.E=12.5 m we obtain:

=0.07<0.1

[0086] It is recommended to fix the exclusion radius such that <0.1 which is a good trade-off, even if any other value <1 is in principle possible. Indeed, this value is shown to be a good choice as it leads to high secret capacities >0.6, little sensitivity to noise and signal fluctuations for reasonable exclusion radii. This sensitivity is driven by the distinguishability of the coherent states at Eve's Holevo-Helstrom detector, the lower the the less sensitivity of the distinguishability to signal dynamics

[0087] We will now compare the present invention with conventional QKD protocols

[0088] In order to do so, the private capacity for different geometrical configuration, supposing that Alice and Bob have a satellite and a ground station equivalent to the Micius experiment need to be calculated.

[0089] Here, one considers OOK with a clock rate of 1 GHz. With a time window of 1 ns, state of the art single photon detectors, feature a p.sub.dark<10.sup.7, so detector noise has no significant effect on the secret capacity.

[0090] Considering an average number of noise photons, for different collection angles, filter bandwidths and temporal windows, of 10.sup.4 and 10.sup.7 as an achievable value for clear daytime sky, and a full moon clear night, respectively. During a cloudy day, one could expect a of 10.sup.2, and still positive private rate if the transmission of the channel is not reduced too much.

[0091] Table I below presents the private capacity for LEO, MEO and GEO satellites and different ambient light conditions.

TABLE-US-00001 TABLE I Comparison table between the achievable secret key rate for QKD and the achievable private rate for the wiretap channel presented in this work. For QKD with unrestricted Eve the values in the table are for an experiment carried out at night. In the case of a restricted Eve, daylight conditions are taken into account. QKD, = 10.sup.7 (night) Restricted Eve, = 10.sup.4 (clear day) Distance Channel Micius PLOB private Configuration [km] loss (.sub.f.sup.B) [4] [35] r.sub.E [m] QKD [23] rate (8) LEO 500-1200 22 dB <10 kb/s 10 Mb/s 12.5 0.1 360 Mb/s 680 Mb/s MEO 10000 40 dB 100 kb/s 100 0.1 360 Mb/s 680 Mb/s GEO 36000 52 dB 6 kb/s 340 0.1 360 Mb/s 680 Mb/s

[0092] Table I shows that the private capacity of a wiretap channel, outperforms QKD in terms of rate and most importantly in terms of resistance against noise. It has to be noted that the necessary laser power in order to reach the optimal signal strength of about 4 photons in average is moderate, e.g. about 15 mW and 15 W, for the GEO and the LEO setting, respectively, and therefore it is no limitation.

[0093] The above shows that in FSO communication protection area is needed for any kind of secure communication and how to achieve it. The above describes a downlink communication, however, similarly, an uplink can be considered in the same manner as well and its channel degradation can be estimated for reasonable assumptions on Eve's satellites as well.

[0094] The protocol of the present invention is sensitive to jam attacks, so are QKD protocols. However, the protocol of the present invention can also be used in coordination with security mechanisms in communication layers above the physical layer to provide the satellite system availability, integrity and confidentiality.

[0095] Given these boundary conditions, the above demonstrates that physical layer encryption can provide information-theoretically secure communication also in the presence of Eve only limited by the laws of quantum physics. As for the wiretap codes, explicit constructions are available that can provide the strong security.

[0096] One of the main advantage is that the present invention provides achievable private rates which are considerably higher than the QKD rates for the practical systems. Moreover, direct secret communication is also possible close to illuminated cities and even during daytime in contrast to QKD. Moreover, given the low rates, the secret keys generated by QKD will in practice not be used in combination with the one-time-pad but with symmetric encryption systems like AES. This means that the legitimate users have to choose between trusting physical security including exclusion areas around Alice and Bob which is needed for QKD as well or the computational security of encryption algorithms.