High-speed secure key distribution over an optical ... - OSA Publishing

2144

OPTICS LETTERS / Vol. 38, No. 12 / June 15, 2013

High-speed secure key distribution over an optical network based on computational correlation imaging Shen Li,1 Xu-Ri Yao,1 Wen-Kai Yu,1 Ling-An Wu,1,2,* and Guang-Jie Zhai1 1

Laboratory of Space Science Experiment Technology, Center for Space Science and Applied Research, Chinese Academy of Sciences, Beijing 100190, China 2 Laboratory of Optical Physics, Institute of Physics and Beijing National Laboratory for Condensed Matter Physics, Chinese Academy of Sciences, Beijing 100190, China *Corresponding author: [email protected] Received March 12, 2013; revised May 14, 2013; accepted May 17, 2013; posted May 20, 2013 (Doc. ID 186668); published June 13, 2013 We present a protocol for an optical key distribution network based on computational correlation imaging, which can simultaneously realize privacy amplification and multiparty distribution. With current technology, the key distribution rate could reach hundreds of Mbit/s with suitable choice of parameters. The setup is simple and inexpensive, and may be employed in real networks where high-speed long-distance secure communication is required. © 2013 Optical Society of America OCIS codes: (060.0060) Fiber optics and optical communications; (060.4250) Networks; (100.3010) Image reconstruction techniques. http://dx.doi.org/10.1364/OL.38.002144

It is known that a cryptosystem using secret keys derived from a Vernam one-time pad is proven to be secure, but delivering the keys safely to legitimate parties is a crucial problem. In quantum key distribution (QKD), the security is guaranteed by quantum mechanics. The first such scheme proposed in 1984 and now known as the BB84 protocol [1] was then followed by the Einstein– Podolsky–Rosen (EPR) [2], Bennett 92 [3], and many other protocols. However, they are all designed for point-to-point communication between two persons, and the realization of networks based on QKD is still a challenge. Various network systems have been demonstrated based on, for example, trusted relay nodes [4], optical nodes, [5], and wavelength division multiplexing [6]. Networks based on the EPR protocol have been considered [7], but due to the technical difficulties, have not yet been demonstrated. However, in the above systems, there exist safety leaks or they are complex and expensive, and thus difficult to apply in practice. Recently, another research area, “ghost” imaging (GI), has also attracted much attention [8–16]. In GI, an image is obtained through the second-order correlation of the intensities measured behind a beamsplitter at a “bucket” detector, which collects the total intensity transmitted through an object, and a spatially resolving reference detector in the other beam path. The first GI experiment in 1995 utilized an entangled photon source [8]. Later, pseudothermal [9,10] and true thermal light [11] were used. It was then realized that there would be no need for a reference detector to measure the field distribution at the object if this could be found by some other means. In 2008, a computational GI (CGI) scheme was proposed [12] and later demonstrated experimentally [14], in which a computer-controlled spatial light modulator was used to generate pseudorandom phase profiles on a laser beam, and hence retrieve the ghost image of an object with a single detector. In 2010, an optical encryption scheme based on CGI was used to transmit a 2D image with a 0146-9592/13/122144-03$15.00/0

preestablished secret key between two parties [15]. However, the scheme is not secure since an eavesdropper with only 10% of the key parameters could acquire a rough outline of the image. In this Letter, we present a classical protocol also based on CGI, but instead of using it to transmit images we exploit it to create a common secret key for secure communication within a network of users, simultaneously and with high efficiency, which is unattainable so far with QKD. With a random start key, our scheme can simultaneously realize privacy amplification and multiparty distribution, which is also unattainable so far with QKD. Moreover, since the transmission is over a purely public channel, there is no need to worry about photon losses, so the key generation rate and security are not affected by distance. The basic idea of our protocol is illustrated in Fig. 1. A server Alice (A) wishes to distribute the same secret key to several legitimate parties [Bob (B), Carol (C),… Nigel (N)] at the same time. We assume that Alice and all parties share some secret key as the start key, which takes the form of a random matrix fM i g with element values of 0 or 1, and may be established first by QKD. This is used as the computer command matrix to control a spatial light modulator [or digital micromirror device (DMD),

Fig. 1.

Schematic of the optical key distribution network.

© 2013 Optical Society of America

June 15, 2013 / Vol. 38, No. 12 / OPTICS LETTERS

as used in our experiment] to generate a field intensity distribution I i
r⃗ M , where ⃗r M is the transverse coordinate of a DMD pixel. The details of the protocol are as follows: 1. The legitimate parties use part of the start keys which they shared with Alice to verify her identity. This step is unnecessary if all parties trust each other. 2. Alice transforms n start keys into the matrices fM i g (i  1; 2; …n) used to modulate the DMD, from which the corresponding random intensity distributions I i
r⃗ M  are generated. Next, she measures the total light transmitted through a given object and obtains n bucket intensities I i corresponding to the n matrices fM i g

micromirrors, but because of beam size limitations only 160 × 160 pixels were used. A total number of N frames were taken per run, with a capture rate of 23 kHz. A series of random binary speckle patterns were generated by the DMD according to the control start key matrices fM i g stored beforehand in the computer. The bucket detector is a CCD camera synchronized with the DMD, but its output is integrated to give the total intensity readout. The image of the mask is reconstructed by computing the normalized second-order cross-correlation function g
x; y between the intensity patterns I i
r⃗ M  and the time-correlated intensities I i measured by BD: P

g
x; y ≡

ZZ Ii 

I i
r⃗ M I si
⃗r si T i
⃗r t dxdy;

(1)

where r⃗ s and I si
r⃗ s  are the transverse coordinates and the ith intensity distribution of the source, and ⃗r t and T i
r⃗ t  are the transverse coordinates and the ith transmission function of the object, respectively. She then sends these intensity values to the other parties by a public channel (i.e., not necessarily secure). 3. After receiving the n sets of I i from Alice, parties B, C,… N use these together with the I i
r⃗ M  obtained from their common start keys to decrypt the image. 4. The parties extract the gray level of each pixel in the decrypted image, take the least significant bit of each gray level, and align them into a sequence of bits according to their parity. The gray levels range from 0 to 2, each value having 16 decimal places. 5. After repeating this process, all the parties have simultaneously obtained identical bit sequences, which may then be used as secret keys for future communication amongst themselves. The generated I i is derived from a random start matrix and a true thermal light source with random Gaussian statistics; thus an eavesdropper can obtain no information about the key without knowledge of the start matrix. Figure 2 is the setup of our CGI-based optical key distribution network. The thermal light source is a halogen tungsten lamp. An aperture is used to limit the size of the beam, which is then focused by lens L1 (focal length 50.8 mm) onto the plane of the DMD. Lens L2 (focal length 100 mm) focuses the speckle pattern (I i
⃗r M I si
⃗r s ) created by the DMD onto the object (two different transmission masks were used in our experiment). Lens L3 is used to center the transmitted light on the bucket detector BD, which only measures the total intensity I i . The DMD consists of an array of 1024 × 768

Fig. 2.

Experimental setup.

2145

1 n i1
I i I i
r⃗ M  n P Pn : 1 1 n i1 I i n i1 I i
⃗r M  n

(2)

From this g
x; y and Eq. (1), we can obtain the image information as I s
⃗r s T
⃗r t  

n 1X I
⃗r T
r⃗ ; n i1 si s i t

(3)

where I s
r⃗ s  is the mean intensity distribution of the source and T
r⃗ t  is the mean transmission function of the object. P In Eq. 3, I s
⃗r s  
1∕n ni1 I si
⃗r s  reflects the characteristics of the mean intensity fluctuation of the thermal light source, which can be regarded as noise. If the object is a constant mask, we have T i
r⃗ t   T
r⃗ t . If the object P is a changing scattering medium, then T
⃗r t  
1∕n ni1 T i
⃗r t  is the mean transmission function of the medium. The randomness of the secret keys extracted from the gray level of the image mainly depends on the randomness of the fluctuations of the source and the environmental stray light noise. If we use a constant mask, T
⃗r t  could be considered as a watermark hidden in every I i , while the randomness of the bits extracted from the gray level of its images is not affected. When the parties measure the intensities I i from the public channel, they can check Alice's identity by whether they can recover the mask image through these I i . If Alice is impersonated by an eavesdropper Eve, the object mask cannot be retrieved, as Eve has no information about the content of fM i g or the correspondence between I i and fM i g. It should be pointed out that the mask must be changed after each communication, as agreed among all parties beforehand, otherwise Eve might be able to guess some parts of the original fM i g, and thus steal enough partial information about the image to guess the entire mask. If we use a changing scattering medium as the object, we could not only extract the least significant bit of the gray level but also the most significant bit, thus generating a greater number of random bits. Figure 3 shows the experimental results, where Fig. 3(a) is the original mask; Fig. 3(b) is the ghost image, like a watermark, recovered by computing g
x; y from a total of N  20; 298 exposures. We see that the image is not as clear as might be expected for CGI; the main reason for this is that our image includes noise from the intensity fluctuations of the thermal light source which, in CGI with a constant light source would not be present.

2146

OPTICS LETTERS / Vol. 38, No. 12 / June 15, 2013

Fig. 3. (a) Object mask, (b) ghost image of the mask retrieved from 20,298 frames, and (c) image of lens tissue from 597 frames. Table 1. ENT Test Results N

N

Entropy 1.000000 0.999998 Chi-square distribution 49.27% 56.42% Arithmetic mean value 0.5004 0.4993 Monte Carlo value for π 3.1244692 3.1425000 Serial correlation 0.000271 −0.000888 coefficient

Ideal Value 1 50% 0.5 3.1415926 0.0

This actually improves the randomness of the gray level of the image and so is not a drawback. To obtain more random bits from one data sequence, we divide the 20,298 pairs of I i and I i
r⃗ M  into 34 groups. Every group is used to obtain one image with n  597. Each image contains 160 × 160 pixels corresponding to 160 × 160 gray levels, so we can extract a total of 160 × 160 × 34  870; 400 secret bits from one data run. To test a scattering medium as the random bit source, we used a lens tissue as the object; its image is shown in Fig. 3(c), obtained with 597 frames. To collect enough data for key generation, a total of N  3582 exposures were taken with six different tissues. Taking n  597, we obtain 152,600 bits in a key. To test the randomness of our sequence, we use the ENT program [17], which is in common use internationally. The program computes the entropy, chi-square (χ 2 ), arithmetic mean, Monte Carlo estimation of π, and serial correlation coefficient of a random binary sequence. Table 1 shows the results of the tests for 870,400 and 152,600 secret bits, corresponding to the two different masks. We can see that the randomness is very good, no matter what the object is. Actually, we can create more secret bits by decreasing the number n used to produce an image, or by using the whole reflecting plane of the DMD. The key distribution rate in our scheme is mainly limited by the size and frame rate of the DMD. With current commercial technology, the former could be 2048 × 1536 pixels and the latter 40 kHz, so for n  100, the bit rate could reach hundreds of Mbit /s. We now examine the security of our protocol. Since I i is distributed by a public channel, it may be unsafe and tainted by noise. To ensure that I i is delivered to the legitimate parties correctly, we could add some redundant information to correct the error introduced by channel noise. To check for eavesdropping, let us assume that Eve could also measure all the I i . However, the setup used to generate I i contains a thermal light source which is a physical truly random source, so Eve cannot glean

any information from these I i without knowledge of the start matrices, which she can only guess. But it is impossible to guess all the control matrices correctly. The slightest difference in fM i g will lead to a different image and different bit key. Even if she uses an enumeration method on a supercomputer with a speed of 2 × 1016 flops, it will take her 10123 years to guess 1000 start keys. Thus the protocol can be considered secure. To conclude, we have experimentally demonstrated an optical protocol for a secret key distribution network based on computation correlation imaging. After the creation of a secure key, ideally by QKD, our scheme can simultaneously generate, amplify, and distribute a common key over long distances among many parties with a security better than that of conventional classical key distribution. The key distribution rate may reach hundreds of Mbit /s, and with improved technology, a rate of Gbit/s should be attainable. This is a particular advantage in network meetings and other commercial applications where high-speed secure communication is required. This work was supported by the National Basic Research Program of China (Grant 2010CB922904), the National Natural Science Foundation of China (Grants 60978002 and 61178010), and the Hi-Tech R & D Program of China (Grant 2011AA120102). References 1. C. H. Bennett and G. Brassard, in Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing (IEEE, 1984), pp. 175–179. 2. A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991). 3. C. H. Bennett, Phys. Rev. Lett. 68, 3121 (1992). 4. M. Dianati and R. Alleaume, in Proceedings of IEEE First International Conference on Quantum, Nano, and Micro Technologies (IEEE, 2007), pp. 13–19. 5. C. Elliott, A. Colvin, D. Pearson, O. Pikalo, J. Schlafer, and H. Yeh, Proc. SPIE 5815, 138 (2005). 6. X. F. Mo, T. Zhang, F. X. Xu, Z. F. Han, and G. C. Guo, http:// cn.arxiv.org/abs/quant‑ph/0610096. 7. F. G. Deng, X. S. Liu, Y. J. Ma, L. Xiao, and G. L. Long, Chin. Phys. Lett. 19, 893 (2002). 8. T. B. Pittman, Y. H. Shih, D. V. Strekalov, and A. V. Sergienko, Phys. Rev. A 52, R3429 (1995). 9. R. S. Bennink, S. J. Bentley, and R. W. Boyd, Phys. Rev. Lett. 89, 113601 (2002). 10. A. Gatti, E. Brambilla, M. Bache, and L. A. lugiato, Phys. Rev. Lett. 93, 093602 (2004). 11. D. Zhang, Y. H. Zhai, and L. A. Wu, Opt. Lett. 30, 2354 (2005). 12. J. H. Shapiro, Phys. Rev. A 78, 061802(R) (2008). 13. B. I. Erkmen and J. H. Shapiro, Phys. Rev. A 77, 043809 (2008). 14. Y. Bromberg, O. Katz, and Y. Silberberg, Phys. Rev. A 79, 053840 (2009). 15. P. Clemente, V. Durn, V. Torres-Company, E. Tajahuerce, and J. Lancis, Opt. Lett. 35, 2391 (2010). 16. G. Brida, M. V. Chekhova, G. A. Fornaro, M. Genovese, E. D. Lopaeva, and I. Ruo Berchera, Phys. Rev. A 83, 063807 (2011) 17. J. Walker, http://www.fourmilab.ch/random (2008).