A Medley of Potpourri

Friday, November 1, 2024

Quantum key distribution

From Wikipedia, the free encyclopedia

https://en.wikipedia.org/wiki/Quantum_key_distribution

Quantum key distribution (QKD) is a secure communication method that implements a cryptographic protocol involving components of quantum mechanics. It enables two parties to produce a shared random secret key known only to them, which then can be used to encrypt and decrypt messages. The process of quantum key distribution is not to be confused with quantum cryptography, as it is the best-known example of a quantum-cryptographic task.

An important and unique property of quantum key distribution is the ability of the two communicating users to detect the presence of any third party trying to gain knowledge of the key. This results from a fundamental aspect of quantum mechanics: the process of measuring a quantum system in general disturbs the system. A third party trying to eavesdrop on the key must in some way measure it, thus introducing detectable anomalies. By using quantum superpositions or quantum entanglement and transmitting information in quantum states, a communication system can be implemented that detects eavesdropping. If the level of eavesdropping is below a certain threshold, a key can be produced that is guaranteed to be secure (i.e., the eavesdropper has no information about it). Otherwise no secure key is possible, and communication is aborted.

The security of encryption that uses quantum key distribution relies on the foundations of quantum mechanics, in contrast to traditional public key cryptography, which relies on the computational difficulty of certain mathematical functions, and cannot provide any mathematical proof as to the actual complexity of reversing the one-way functions used. QKD has provable security based on information theory, and forward secrecy.

The main drawback of quantum-key distribution is that it usually relies on having an authenticated classical channel of communication. In modern cryptography, having an authenticated classical channel means that one already has exchanged either a symmetric key of sufficient length or public keys of sufficient security level. With such information already available, in practice one can achieve authenticated and sufficiently secure communication without using QKD, such as by using the Galois/Counter Mode of the Advanced Encryption Standard. Thus QKD does the work of a stream cipher at many times the cost.

Quantum key distribution is used to produce and distribute only a key, not to transmit any message data. This key can then be used with any chosen encryption algorithm to encrypt (and decrypt) a message, which can then be transmitted over a standard communication channel. The algorithm most commonly associated with QKD is the one-time pad, as it is provably secure when used with a secret, random key. In real-world situations, it is often also used with encryption using symmetric key algorithms like the Advanced Encryption Standard algorithm.

Quantum key exchange

Quantum communication involves encoding information in quantum states, or qubits, as opposed to classical communication's use of bits. Usually, photons are used for these quantum states. Quantum key distribution exploits certain properties of these quantum states to ensure its security. There are several different approaches to quantum key distribution, but they can be divided into two main categories depending on which property they exploit.

Prepare and measure protocols: In contrast to classical physics, the act of measurement is an integral part of quantum mechanics. In general, measuring an unknown quantum state changes that state in some way. This is a consequence of quantum indeterminacy and can be exploited in order to detect any eavesdropping on communication (which necessarily involves measurement) and, more importantly, to calculate the amount of information that has been intercepted.

Entanglement based protocols: The quantum states of two (or more) separate objects can become linked together in such a way that they must be described by a combined quantum state, not as individual objects. This is known as entanglement and means that, for example, performing a measurement on one object affects the other. If an entangled pair of objects is shared between two parties, anyone intercepting either object alters the overall system, revealing the presence of the third party (and the amount of information they have gained).

These two approaches can each be further divided into three families of protocols: discrete variable, continuous variable and distributed phase reference coding. Discrete variable protocols were the first to be invented, and they remain the most widely implemented. The other two families are mainly concerned with overcoming practical limitations of experiments. The two protocols described below both use discrete variable coding.

BB84 protocol: Charles H. Bennett and Gilles Brassard (1984)

This protocol, known as BB84 after its inventors and year of publication, was originally described using photon polarization states to transmit the information. However, any two pairs of conjugate states can be used for the protocol, and many optical-fibre-based implementations described as BB84 use phase encoded states. The sender (traditionally referred to as Alice) and the receiver (Bob) are connected by a quantum communication channel which allows quantum states to be transmitted. In the case of photons this channel is generally either an optical fibre or simply free space. In addition they communicate via a public classical channel, for example using broadcast radio or the internet. The protocol is designed with the assumption that an eavesdropper (referred to as Eve) can interfere in any way with the quantum channel, while the classical channel needs to be authenticated. The security of the protocol comes from encoding the information in non-orthogonal states. Quantum indeterminacy means that these states cannot in general be measured without disturbing the original state (see No-cloning theorem). BB84 uses two pairs of states, with each pair conjugate to the other pair, and the two states within a pair orthogonal to each other. Pairs of orthogonal states are referred to as a basis. The usual polarization state pairs used are either the rectilinear basis of vertical (0°) and horizontal (90°), the diagonal basis of 45° and 135° or the circular basis of left- and right-handedness. Any two of these bases are conjugate to each other, and so any two can be used in the protocol. Below the rectilinear and diagonal bases are used.

Basis	0	1

The first step in BB84 is quantum transmission. Alice creates a random bit (0 or 1) and then randomly selects one of her two bases (rectilinear or diagonal in this case) to transmit it in. She then prepares a photon polarization state depending both on the bit value and basis, as shown in the adjacent table. So for example a 0 is encoded in the rectilinear basis (+) as a vertical polarization state, and a 1 is encoded in the diagonal basis (x) as a 135° state. Alice then transmits a single photon in the state specified to Bob, using the quantum channel. This process is then repeated from the random bit stage, with Alice recording the state, basis and time of each photon sent.

According to quantum mechanics (particularly quantum indeterminacy), no possible measurement distinguishes between the 4 different polarization states, as they are not all orthogonal. The only possible measurement is between any two orthogonal states (an orthonormal basis). So, for example, measuring in the rectilinear basis gives a result of horizontal or vertical. If the photon was created as horizontal or vertical (as a rectilinear eigenstate) then this measures the correct state, but if it was created as 45° or 135° (diagonal eigenstates) then the rectilinear measurement instead returns either horizontal or vertical at random. Furthermore, after this measurement the photon is polarized in the state it was measured in (horizontal or vertical), with all information about its initial polarization lost.

As Bob does not know the basis the photons were encoded in, all he can do is to select a basis at random to measure in, either rectilinear or diagonal. He does this for each photon he receives, recording the time, measurement basis used and measurement result. After Bob has measured all the photons, he communicates with Alice over the public classical channel. Alice broadcasts the basis each photon was sent in, and Bob the basis each was measured in. They both discard photon measurements (bits) where Bob used a different basis, which is half on average, leaving half the bits as a shared key.

Alice's random bit	0	1	1	0	1	0	0	1
Alice's random sending basis
Photon polarization Alice sends
Bob's random measuring basis
Photon polarization Bob measures
PUBLIC DISCUSSION OF BASIS
Shared secret key	0		1			0		1

To check for the presence of an eavesdropper, Alice and Bob now compare a predetermined subset of their remaining bit strings. If a third party (usually referred to as Eve, for "eavesdropper") has gained any information about the photons' polarization, this introduces errors in Bob's measurements. Other environmental conditions can cause errors in a similar fashion. If more than $p$ bits differ they abort the key and try again, possibly with a different quantum channel, as the security of the key cannot be guaranteed. $p$ is chosen so that if the number of bits known to Eve is less than this, privacy amplification can be used to reduce Eve's knowledge of the key to an arbitrarily small amount at the cost of reducing the length of the key.

E91 protocol: Artur Ekert (1991)

Artur Ekert's scheme uses entangled pairs of photons. These can be created by Alice, by Bob, or by some source separate from both of them, including eavesdropper Eve. The photons are distributed so that Alice and Bob each end up with one photon from each pair.

The scheme relies on two properties of entanglement. First, the entangled states are perfectly correlated in the sense that if Alice and Bob both measure whether their particles have vertical or horizontal polarizations, they always get the same answer with 100% probability. The same is true if they both measure any other pair of complementary (orthogonal) polarizations. This necessitates that the two distant parties have exact directionality synchronization. However, the particular results are completely random; it is impossible for Alice to predict if she (and thus Bob) will get vertical polarization or horizontal polarization. Second, any attempt at eavesdropping by Eve destroys these correlations in a way that Alice and Bob can detect.

Similarly to BB84, the protocol involves a private measurement protocol before detecting the presence of Eve. The measurement stage involves Alice measuring each photon she receives using some basis from the set $Z_{0}, Z_{\frac{π}{8}}, Z_{\frac{π}{4}}$ while Bob chooses from $Z_{0}, Z_{\frac{π}{8}}, Z_{- \frac{π}{8}}$ where $Z_{θ}$ is the ${| ↑ ⟩, | \to ⟩}$ basis rotated by $θ$ . They keep their series of basis choices private until measurements are completed. Two groups of photons are made: the first consists of photons measured using the same basis by Alice and Bob while the second contains all other photons. To detect eavesdropping, they can compute the test statistic $S$ using the correlation coefficients between Alice's bases and Bob's similar to that shown in the Bell test experiments. Maximally entangled photons would result in $| S | = 2 \sqrt{2}$ . If this were not the case, then Alice and Bob can conclude Eve has introduced local realism to the system, violating Bell's theorem. If the protocol is successful, the first group can be used to generate keys since those photons are completely anti-aligned between Alice and Bob.

Device-independent quantum key distribution

In traditional QKD, the quantum devices used must be perfectly calibrated, trustworthy, and working exactly as they are expected to. Deviations from expected measurements can be extremely hard to detect, which leaves the entire system vulnerable. A new protocol called device independent QKD (DIQKD) or measurement device independent QKD (MDIQKD) allows for the use of uncharacterized or untrusted devices, and for deviations from expected measurements to be included in the overall system. These deviations will cause the protocol to abort when detected, rather than resulting in incorrect data.

DIQKD was first proposed by Mayers and Yao, building off of the BB84 protocol. They presented that in DIQKD, the quantum device, which they refer to as the photon source, be manufactured to come with tests that can be run by Alice and Bob to "self-check" if their device is working properly. Such a test would only need to consider the classical inputs and outputs in order to determine how much information is at risk of being intercepted by Eve. A self checking, or "ideal" source would not have to be characterized, and would therefore not be susceptible to implementation flaws.

Recent research has proposed using a Bell test to check that a device is working properly. Bell's theorem ensures that a device can create two outcomes that are exclusively correlated, meaning that Eve could not intercept the results, without making any assumptions about said device. This requires highly entangled states, and a low quantum bit error rate. DIQKD presents difficulties in creating qubits that are in such high quality entangled states, which makes it a challenge to realize experimentally.

Twin fields quantum key distribution

Twin fields quantum key distribution (TFQKD) was introduced in 2018, and is a version of DIQKD designed to overcome the fundamental rate-distance limit of traditional quantum key distribution. The rate-distance limit, also known as the rate-loss trade off, describes how as distance increases between Alice and Bob, the rate of key generation decreases exponentially. In traditional QKD protocols, this decay has been eliminated via the addition of physically secured relay nodes, which can be placed along the quantum link with the intention of dividing it up into several low-loss sections. Researchers have also recommended the use of quantum repeaters, which when added to the relay nodes make it so that they no longer need to be physically secured. Quantum repeaters, however, are difficult to create and have yet to be implemented on a useful scale. TFQKD aims to bypass the rate-distance limit without the use of quantum repeaters or relay nodes, creating manageable levels of noise and a process that can be repeated much more easily with today's existing technology.

The original protocol for TFQKD is as follows: Alice and Bob each have a light source and one arm on an interferometer in their laboratories. The light sources create two dim optical pulses with a randomly phase p_a or p_b in the interval [0, 2π) and an encoding phase γ_a or γ_b. The pulses are sent along a quantum to Charlie, a third party who can be malicious or not. Charlie uses a beam splitter to overlap the two pulses and perform a measurement. He has two detectors in his own lab, one of which will light up if the bits are equal (00) or (11), and the other when they are different (10, 01). Charlie will announce to Alice and Bob which of the detectors lit up, at which point they publicly reveal the phases p and γ. This is different from traditional QKD, in which the phases used are never revealed.

Information reconciliation and privacy amplification

The quantum key distribution protocols described above provide Alice and Bob with nearly identical shared keys, and also with an estimate of the discrepancy between the keys. These differences can be caused by eavesdropping, but also by imperfections in the transmission line and detectors. As it is impossible to distinguish between these two types of errors, guaranteed security requires the assumption that all errors are due to eavesdropping. Provided the error rate between the keys is lower than a certain threshold (27.6% as of 2002), two steps can be performed to first remove the erroneous bits and then reduce Eve's knowledge of the key to an arbitrary small value. These two steps are known as information reconciliation and privacy amplification respectively, and were first described in 1988.

Information reconciliation is a form of error correction carried out between Alice and Bob's keys, in order to ensure both keys are identical. It is conducted over the public channel and as such it is vital to minimise the information sent about each key, as this can be read by Eve. A common protocol used for information reconciliation is the cascade protocol, proposed in 1994. This operates in several rounds, with both keys divided into blocks in each round and the parity of those blocks compared. If a difference in parity is found then a binary search is performed to find and correct the error. If an error is found in a block from a previous round that had correct parity then another error must be contained in that block; this error is found and corrected as before. This process is repeated recursively, which is the source of the cascade name. After all blocks have been compared, Alice and Bob both reorder their keys in the same random way, and a new round begins. At the end of multiple rounds Alice and Bob have identical keys with high probability; however, Eve has additional information about the key from the parity information exchanged. However, from a coding theory point of view information reconciliation is essentially source coding with side information. In consequence any coding scheme that works for this problem can be used for information reconciliation. Lately turbocodes, LDPC codes and polar codes have been used for this purpose improving the efficiency of the cascade protocol.

Privacy amplification is a method for reducing (and effectively eliminating) Eve's partial information about Alice and Bob's key. This partial information could have been gained both by eavesdropping on the quantum channel during key transmission (thus introducing detectable errors), and on the public channel during information reconciliation (where it is assumed Eve gains all possible parity information). Privacy amplification uses Alice and Bob's key to produce a new, shorter key, in such a way that Eve has only negligible information about the new key. This is performed using a randomness extractor, for example, by applying a universal hash function, chosen at random from a publicly known set of such functions, which takes as its input a binary string of length equal to the key and outputs a binary string of a chosen shorter length. The amount by which this new key is shortened is calculated, based on how much information Eve could have gained about the old key (which is known due to the errors this would introduce), in order to reduce the probability of Eve having any knowledge of the new key to a very low value.

Implementations

Experimental

In 1991, John Rarity, Paul Tapster and Artur Ekert, researchers from the UK Defence Research Agency in Malvern and Oxford University, demonstrated quantum key distribution protected by the violation of the Bell inequalities.

In 2008, exchange of secure keys at 1 Mbit/s (over 20 km of optical fibre) and 10 kbit/s (over 100 km of fibre), was achieved by a collaboration between the University of Cambridge and Toshiba using the BB84 protocol with decoy state pulses.^[19]

In 2007, Los Alamos National Laboratory/NIST achieved quantum key distribution over a 148.7 km of optic fibre using the BB84 protocol. Significantly, this distance is long enough for almost all the spans found in today's fibre networks. A European collaboration achieved free space QKD over 144 km between two of the Canary Islands using entangled photons (the Ekert scheme) in 2006, and using BB84 enhanced with decoy states in 2007.

As of August 2015 the longest distance for optical fiber (307 km) was achieved by University of Geneva and Corning Inc. In the same experiment, a secret key rate of 12.7 kbit/s was generated, making it the highest bit rate system over distances of 100 km. In 2016 a team from Corning and various institutions in China achieved a distance of 404 km, but at a bit rate too slow to be practical.

In June 2017, physicists led by Thomas Jennewein at the Institute for Quantum Computing and the University of Waterloo in Waterloo, Canada achieved the first demonstration of quantum key distribution from a ground transmitter to a moving aircraft. They reported optical links with distances between 3–10 km and generated secure keys up to 868 kilobytes in length.

Also in June 2017, as part of the Quantum Experiments at Space Scale project, Chinese physicists led by Pan Jianwei at the University of Science and Technology of China measured entangled photons over a distance of 1203 km between two ground stations, laying the groundwork for future intercontinental quantum key distribution experiments. Photons were sent from one ground station to the satellite they had named Micius and back down to another ground station, where they "observed a survival of two-photon entanglement and a violation of Bell inequality by 2.37 ± 0.09 under strict Einstein locality conditions" along a "summed length varying from 1600 to 2400 kilometers." Later that year BB84 was successfully implemented over satellite links from Micius to ground stations in China and Austria. The keys were combined and the result was used to transmit images and video between Beijing, China, and Vienna, Austria.

In August 2017, a group at Shanghai Jiaotong University experimentally demonstrate that polarization quantum states including general qubits of single photon and entangled states can survive well after travelling through seawater, representing the first step towards underwater quantum communication.

In May 2019 a group led by Hong Guo at Peking University and Beijing University of Posts and Telecommunications reported field tests of a continuous-variable QKD system through commercial fiber networks in Xi'an and Guangzhou over distances of 30.02 km (12.48 dB) and 49.85 km (11.62 dB) respectively.

In December 2020, Indian Defence Research and Development Organisation tested a QKD between two of its laboratories in Hyderabad facility. The setup also demonstrated the validation of detection of a third party trying to gain knowledge of the communication. Quantum based security against eavesdropping was validated for the deployed system at over 12 km (7.5 mi) range and 10 dB attenuation over fibre optic channel. A continuous wave laser source was used to generate photons without depolarization effect and timing accuracy employed in the setup was of the order of picoseconds. The Single photon avalanche detector (SPAD) recorded arrival of photons and key rate was achieved in the range of kbps with low Quantum bit error rate.

In March 2021, Indian Space Research Organisation also demonstrated a free-space Quantum Communication over a distance of 300 meters. A free-space QKD was demonstrated at Space Applications Centre (SAC), Ahmedabad, between two line-of-sight buildings within the campus for video conferencing by quantum-key encrypted signals. The experiment utilised a NAVIC receiver for time synchronization between the transmitter and receiver modules. Later in January 2022, Indian scientists were able to successfully create an atmospheric channel for exchange of crypted messages and images. After demonstrating quantum communication between two ground stations, India has plans to develop Satellite Based Quantum Communication (SBQC).

In July 2022, researchers published their work experimentally implementing a device-independent quantum key distribution (DIQKD) protocol that uses quantum entanglement (as suggested by Ekert) to insure resistance to quantum hacking attacks. They were able to create two ions, about two meters apart that were in a high quality entangled state using the following process: Alice and Bob each have ion trap nodes with an ⁸⁸Sr⁺ qubit inside. Initially, they excite the ions to an electronic state, which creates an entangled state. This process also creates two photons, which are then captured and transported using an optical fiber, at which point a Bell-basis measurement is performed and the ions are projected to a highly entangled state. Finally the qubits are returned to new locations in the ion traps disconnected from the optical link so that no information can be leaked. This is repeated many times before the key distribution proceeds.

A separate experiment published in July 2022 demonstrated implementation of DIQKD that also uses a Bell inequality test to ensure that the quantum device is functioning, this time at a much larger distance of about 400m, using an optical fiber 700m long. The set up for the experiment was similar to the one in the paragraph above, with some key differences. Entanglement was generated in a quantum network link (QNL) between two ⁸⁷Rb atoms in separate laboratories located 400m apart, connected by the 700m channel. The atoms are entangled by electronic excitation, at which point two photons are generated and collected, to be sent to the bell state measurement (BSM) setup. The photons are projected onto a |ψ⁺ state, indicating maximum entanglement. The rest of the key exchange protocol used is similar to the original QKD protocol, with the only difference being that keys are generated with two measurement settings instead of one.

Since the proposal of Twin Field Quantum Key Distribution in 2018, a myriad of experiments have been performed with the goal of increasing the distance in a QKD system. The most successful of which was able to distribute key information across a distance of 833.8 km.

In 2023, Scientists at Indian Institute of Technology (IIT) Delhi have achieved a trusted-node-free quantum key distribution (QKD) up to 380 km in standard telecom fiber with a very low quantum bit error rate (QBER).

Commercial

Many companies around the world offer commercial quantum key distribution, for example: ID Quantique (Geneva), MagiQ Technologies, Inc. (New York), QNu Labs (Bengaluru, India), QuintessenceLabs (Australia), QRate (Russia), SeQureNet (Paris), Quantum Optics Jena (Germany) and KEEQuant (Germany). Several other companies also have active research programs, including KETS Quantum Security (UK), Toshiba, HP, IBM, Mitsubishi, NEC and NTT (See External links for direct research links).

In 2004, the world's first bank transfer using quantum key distribution was carried out in Vienna, Austria. Quantum encryption technology provided by the Swiss company Id Quantique was used in the Swiss canton (state) of Geneva to transmit ballot results to the capital in the national election occurring on 21 October 2007. In 2013, Battelle Memorial Institute installed a QKD system built by ID Quantique between their main campus in Columbus, Ohio and their manufacturing facility in nearby Dublin. Field tests of Tokyo QKD network have been underway for some time.

Quantum key distribution networks

DARPA

The DARPA Quantum Network, was a 10-node quantum key distribution network, which ran continuously for four years, 24 hours a day, from 2004 to 2007 in Massachusetts in the United States. It was developed by BBN Technologies, Harvard University, Boston University, with collaboration from IBM Research, the National Institute of Standards and Technology, and QinetiQ. It supported a standards-based Internet computer network protected by quantum key distribution.

SECOQC

The world's first computer network protected by quantum key distribution was implemented in October 2008, at a scientific conference in Vienna. The name of this network is SECOQC (Secure Communication Based on Quantum Cryptography) and the EU funded this project. The network used 200 km of standard fibre-optic cable to interconnect six locations across Vienna and the town of St Poelten located 69 km to the west.

SwissQuantum

Id Quantique has successfully completed the longest running project for testing Quantum Key Distribution (QKD) in a field environment. The main goal of the SwissQuantum network project installed in the Geneva metropolitan area in March 2009, was to validate the reliability and robustness of QKD in continuous operation over a long time period in a field environment. The quantum layer operated for nearly 2 years until the project was shut down in January 2011 shortly after the initially planned duration of the test.

Chinese networks

In May 2009, a hierarchical quantum network was demonstrated in Wuhu, China. The hierarchical network consisted of a backbone network of four nodes connecting a number of subnets. The backbone nodes were connected through an optical switching quantum router. Nodes within each subnet were also connected through an optical switch, which were connected to the backbone network through a trusted relay.

Launched in August 2016, the QUESS space mission created an international QKD channel between China and the Institute for Quantum Optics and Quantum Information in Vienna, Austria − a ground distance of 7,500 km (4,700 mi), enabling the first intercontinental secure quantum video call. By October 2017, a 2,000-km fiber line was operational between Beijing, Jinan, Hefei and Shanghai. Together they constitute the world's first space-ground quantum network. Up to 10 Micius/QUESS satellites are expected, allowing a European–Asian quantum-encrypted network by 2020, and a global network by 2030.

Tokyo QKD Network

The Tokyo QKD Network was inaugurated on the first day of the UQCC2010 conference. The network involves an international collaboration between 7 partners; NEC, Mitsubishi Electric, NTT and NICT from Japan, and participation from Europe by Toshiba Research Europe Ltd. (UK), Id Quantique (Switzerland) and All Vienna (Austria). "All Vienna" is represented by researchers from the Austrian Institute of Technology (AIT), the Institute for Quantum Optics and Quantum Information (IQOQI) and the University of Vienna.

Los Alamos National Laboratory

A hub-and-spoke network has been operated by Los Alamos National Laboratory since 2011. All messages are routed via the hub. The system equips each node in the network with quantum transmitters—i.e., lasers—but not with expensive and bulky photon detectors. Only the hub receives quantum messages. To communicate, each node sends a one-time pad to the hub, which it then uses to communicate securely over a classical link. The hub can route this message to another node using another one time pad from the second node. The entire network is secure only if the central hub is secure. Individual nodes require little more than a laser: Prototype nodes are around the size of a box of matches.

Singapore's National Quantum-Safe Network Plus (NQSN+)

National Quantum-Safe Network Plus (NQSN+) was launched by IMDA in 2023 and is part of Singapore’s Digital Connectivity Blueprint, which outlines the next bound of Singapore’s digital connectivity to 2030. NQSN+ will support network operators to deploy quantum-safe networks nationwide, granting businesses easy access to quantum-safe solutions that safeguard their critical data. The NQSN+ will start with two network operators, Singtel and SPTel, together with SpeQtral. Each will build a nationwide, interoperable quantum-safe network that can serve all businesses. Businesses can work with NQSN+ operators to integrate quantum-safe solutions such as Quantum Key Distribution (QKD) and Post-Quantum Cryptography (PQC) and be secure in the quantum age.

Eagle-1

In 2024, the ESA plans to launch the satellite Eagle-1, an experimental space-based quantum key distribution system.

Attacks and security proofs

Intercept and resend

The simplest type of possible attack is the intercept-resend attack, where Eve measures the quantum states (photons) sent by Alice and then sends replacement states to Bob, prepared in the state she measures. In the BB84 protocol, this produces errors in the key Alice and Bob share. As Eve has no knowledge of the basis a state sent by Alice is encoded in, she can only guess which basis to measure in, in the same way as Bob. If she chooses correctly, she measures the correct photon polarization state as sent by Alice, and resends the correct state to Bob. However, if she chooses incorrectly, the state she measures is random, and the state sent to Bob cannot be the same as the state sent by Alice. If Bob then measures this state in the same basis Alice sent, he too gets a random result—as Eve has sent him a state in the opposite basis—with a 50% chance of an erroneous result (instead of the correct result he would get without the presence of Eve). The table below shows an example of this type of attack.

Alice's random bit	0	1	1	0	1	0	0	1
Alice's random sending basis
Photon polarization Alice sends
Eve's random measuring basis
Polarization Eve measures and sends
Bob's random measuring basis
Photon polarization Bob measures
PUBLIC DISCUSSION OF BASIS
Shared secret key	0		0			0		1
Errors in key	✓		✘			✓		✓

The probability Eve chooses the incorrect basis is 50% (assuming Alice chooses randomly), and if Bob measures this intercepted photon in the basis Alice sent he gets a random result, i.e., an incorrect result with probability of 50%. The probability an intercepted photon generates an error in the key string is then 50% × 50% = 25%. If Alice and Bob publicly compare $n$ of their key bits (thus discarding them as key bits, as they are no longer secret) the probability they find disagreement and identify the presence of Eve is

P_{d} = 1 - {(\frac{3}{4})}^{n}

So to detect an eavesdropper with probability $P_{d} = 0.999999999$ Alice and Bob need to compare $n = 72$ key bits.

Man-in-the-middle attack

Quantum key distribution is vulnerable to a man-in-the-middle attack when used without authentication to the same extent as any classical protocol, since no known principle of quantum mechanics can distinguish friend from foe. As in the classical case, Alice and Bob cannot authenticate each other and establish a secure connection without some means of verifying each other's identities (such as an initial shared secret). If Alice and Bob have an initial shared secret then they can use an unconditionally secure authentication scheme (such as Carter-Wegman,) along with quantum key distribution to exponentially expand this key, using a small amount of the new key to authenticate the next session. Several methods to create this initial shared secret have been proposed, for example using a 3rd party or chaos theory. Nevertheless, only "almost strongly universal" family of hash functions can be used for unconditionally secure authentication.

Photon number splitting attack

In the BB84 protocol Alice sends quantum states to Bob using single photons. In practice many implementations use laser pulses attenuated to a very low level to send the quantum states. These laser pulses contain a very small number of photons, for example 0.2 photons per pulse, which are distributed according to a Poisson distribution. This means most pulses actually contain no photons (no pulse is sent), some pulses contain 1 photon (which is desired) and a few pulses contain 2 or more photons. If the pulse contains more than one photon, then Eve can split off the extra photons and transmit the remaining single photon to Bob. This is the basis of the photon number splitting attack, where Eve stores these extra photons in a quantum memory until Bob detects the remaining single photon and Alice reveals the encoding basis. Eve can then measure her photons in the correct basis and obtain information on the key without introducing detectable errors.

Even with the possibility of a PNS attack a secure key can still be generated, as shown in the GLLP security proof; however, a much higher amount of privacy amplification is needed reducing the secure key rate significantly (with PNS the rate scales as $t^{2}$ as compared to $t$ for a single photon sources, where $t$ is the transmittance of the quantum channel).

There are several solutions to this problem. The most obvious is to use a true single photon source instead of an attenuated laser. While such sources are still at a developmental stage QKD has been carried out successfully with them. However, as current sources operate at a low efficiency and frequency key rates and transmission distances are limited. Another solution is to modify the BB84 protocol, as is done for example in the SARG04 protocol, in which the secure key rate scales as $t^{3 / 2}$ . The most promising solution is the decoy states in which Alice randomly sends some of her laser pulses with a lower average photon number. These decoy states can be used to detect a PNS attack, as Eve has no way to tell which pulses are signal and which decoy. Using this idea the secure key rate scales as $t$ , the same as for a single photon source. This idea has been implemented successfully first at the University of Toronto, and in several follow-up QKD experiments, allowing for high key rates secure against all known attacks.

Denial of service

Because currently a dedicated fibre optic line (or line of sight in free space) is required between the two points linked by quantum key distribution, a denial of service attack can be mounted by simply cutting or blocking the line. This is one of the motivations for the development of quantum key distribution networks, which would route communication via alternate links in case of disruption.

Trojan-horse attacks

A quantum key distribution system may be probed by Eve by sending bright light into the quantum channel and analyzing the back-reflections in a Trojan-horse attack. In a recent research study it has been shown that Eve discerns Bob's secret basis choice with higher than 90% probability, breaching the security of the system.

Security proofs

If Eve is assumed to have unlimited resources, for example both classical and quantum computing power, there are many more attacks possible. BB84 has been proven secure against any attacks allowed by quantum mechanics, both for sending information using an ideal photon source which only ever emits a single photon at a time, and also using practical photon sources which sometimes emit multiphoton pulses. These proofs are unconditionally secure in the sense that no conditions are imposed on the resources available to the eavesdropper; however, there are other conditions required:

Eve cannot physically access Alice and Bob's encoding and decoding devices.
The random number generators used by Alice and Bob must be trusted and truly random (for example a Quantum random number generator).
The classical communication channel must be authenticated using an unconditionally secure authentication scheme.
The message must be encrypted using one-time pad like scheme

Quantum hacking

Hacking attacks target vulnerabilities in the operation of a QKD protocol or deficiencies in the components of the physical devices used in construction of the QKD system. If the equipment used in quantum key distribution can be tampered with, it could be made to generate keys that were not secure using a random number generator attack. Another common class of attacks is the Trojan horse attack which does not require physical access to the endpoints: rather than attempt to read Alice and Bob's single photons, Eve sends a large pulse of light back to Alice in between transmitted photons. Alice's equipment reflects some of Eve's light, revealing the state of Alice's basis (e.g., a polarizer). This attack can be detected, e.g. by using a classical detector to check the non-legitimate signals (i.e. light from Eve) entering Alice's system. It is also conjectured that most hacking attacks can similarly be defeated by modifying the implementation, though there is no formal proof.

Several other attacks including faked-state attacks, phase remapping attacks, and time-shift attacks are now known. The time-shift attack has even been demonstrated on a commercial quantum cryptosystem. This is the first demonstration of quantum hacking against a non-homemade quantum key distribution system. Later on, the phase-remapping attack was also demonstrated on a specially configured, research oriented open QKD system (made and provided by the Swiss company Id Quantique under their Quantum Hacking program). It is one of the first 'intercept-and-resend' attacks on top of a widely used QKD implementation in commercial QKD systems. This work has been widely reported in media.

The first attack that claimed to be able to eavesdrop the whole key without leaving any trace was demonstrated in 2010. It was experimentally shown that the single-photon detectors in two commercial devices could be fully remote-controlled using specially tailored bright illumination. In a spree of publications thereafter, the collaboration between the Norwegian University of Science and Technology in Norway and Max Planck Institute for the Science of Light in Germany, has now demonstrated several methods to successfully eavesdrop on commercial QKD systems based on weaknesses of avalanche photodiodes (APDs) operating in gated mode. This has sparked research on new approaches to securing communications networks.

Counterfactual quantum key distribution

The task of distributing a secret key could be achieved even when the particle (on which the secret information, e.g. polarization, has been encoded) does not traverse through the quantum channel using a protocol developed by Tae-Gon Noh. Here Alice generates a photon which, by not taking a measurement until later, exists in a superposition of being in paths (a) and (b) simultaneously. Path (a) stays inside Alice's secure device and path (b) goes to Bob. By rejecting the photons that Bob receives and only accepting the ones he doesn't receive, Bob & Alice can set up a secure channel, i.e. Eve's attempts to read the counterfactual photons would still be detected. This protocol uses the quantum phenomenon whereby the possibility that a photon can be sent has an effect even when it is not sent. So-called interaction-free measurement also uses this quantum effect, as for example in the bomb testing problem, whereby an experimenter can conceptually determine which bombs are not duds without setting them off, except in a counterfactual sense.

History

Quantum cryptography was proposed first by Stephen Wiesner, then at Columbia University in New York, who, in the early 1970s, introduced the concept of quantum conjugate coding. His seminal paper titled "Conjugate Coding" was rejected by IEEE Information Theory but was eventually published in 1983 in SIGACT News (15:1 pp. 78–88, 1983). In this paper he showed how to store or transmit two messages by encoding them in two "conjugate observables", such as linear and circular polarization of light, so that either, but not both, of which may be received and decoded. He illustrated his idea with a design of unforgeable bank notes. A decade later, building upon this work, Charles H. Bennett, of the IBM Thomas J. Watson Research Center, and Gilles Brassard, of the University of Montreal, proposed a method for secure communication based on Wiesner's "conjugate observables". In 1990, Artur Ekert, then a PhD student at Wolfson College, University of Oxford, developed a different approach to quantum key distribution based on quantum entanglement.

Future

The current commercial systems are aimed mainly at governments and corporations with high security requirements. Key distribution by courier is typically used in such cases, where traditional key distribution schemes are not believed to offer enough guarantee. This has the advantage of not being intrinsically distance limited, and despite long travel times the transfer rate can be high due to the availability of large capacity portable storage devices. The major difference of quantum key distribution is the ability to detect any interception of the key, whereas with courier the key security cannot be proven or tested. QKD (quantum key distribution) systems also have the advantage of being automatic, with greater reliability and lower operating costs than a secure human courier network.

Kak's three-stage protocol has been proposed as a method for secure communication that is entirely quantum unlike quantum key distribution in which the cryptographic transformation uses classical algorithms.

Factors preventing wide adoption of quantum key distribution outside high security areas include the cost of equipment, and the lack of a demonstrated threat to existing key exchange protocols. However, with optic fibre networks already present in many countries the infrastructure is in place for a more widespread use.

An Industry Specification Group (ISG) of the European Telecommunications Standards Institute (ETSI) has been set up to address standardisation issues in quantum cryptography.

European Metrology Institutes, in the context of dedicated projects, are developing measurements required to characterise components of QKD systems.

Toshiba Europe has been awarded a prestigious Institute of Physics Award for Business Innovation. This recognises Toshiba's pioneering QKD technology developed over two decades of research, protecting communication infrastructure from present and future cyber-threats, and commercialising UK-manufactured products which pave the road to the quantum internet.

Toshiba also took the Semi Grand Prix award in the Solutions Category for the QKD has won the Minister of Economy, Trade and Industry Award in CEATEC AWARD 2021, the prestigious awards presented at CEATEC, Japan's premier electronics industry trade show.

Deprecation from governmental institutions

Some organizations have recommended using "post-quantum cryptography (or quantum-resistant cryptography)" as an alternative because of the problems it raises in practical use. For example, the US National Security Agency, European Union Agency for Cybersecurity of EU (ENISA), National Cyber Security Centre (United Kingdom), French Secretariat for Defense and Security (ANSSI), and German German Federal Office for Information Security (BSI) recommend it. (read through the bibliography for details).

For example, the US National Security Agency addresses five issues:

Quantum key distribution is only a partial solution. QKD generates keying material for an encryption algorithm that provides confidentiality. Such keying material could also be used in symmetric key cryptographic algorithms to provide integrity and authentication if one has the cryptographic assurance that the original QKD transmission comes from the desired entity (i.e. entity source authentication). QKD does not provide a means to authenticate the QKD transmission source. Therefore, source authentication requires the use of asymmetric cryptography or preplaced keys to provide that authentication. Moreover, the confidentiality services QKD offers can be provided by quantum-resistant cryptography, which is typically less expensive with a better understood risk profile.
Quantum key distribution requires special purpose equipment. QKD is based on physical properties, and its security derives from unique physical layer communications. This requires users to lease dedicated fiber connections or physically manage free-space transmitters. It cannot be implemented in software or as a service on a network, and cannot be easily integrated into existing network equipment. Since QKD is hardware-based it also lacks flexibility for upgrades or security patches.
Quantum key distribution increases infrastructure costs and insider threat risks. QKD networks frequently necessitate the use of trusted relays, entailing additional cost for secure facilities and additional security risk from insider threats. This eliminates many use cases from consideration.
Securing and validating quantum key distribution is a significant challenge. The actual security provided by a QKD system is not the theoretical unconditional security from the laws of physics (as modeled and often suggested), but rather the more limited security that can be achieved by hardware and engineering designs. The tolerance for error in cryptographic security, however, is many orders of magnitude smaller than in most physical engineering scenarios making it very difficult to validate. The specific hardware used to perform QKD can introduce vulnerabilities, resulting in several well-publicized attacks on commercial QKD systems.
Quantum key distribution increases the risk of denial of service. The sensitivity to an eavesdropper as the theoretical basis for QKD security claims also shows that denial of service is a significant risk for QKD.

In response to problem 1 above, attempts to deliver authentication keys using post-quantum cryptography (or quantum-resistant cryptography) have been proposed worldwide. On the other hand, quantum-resistant cryptography is cryptography belonging to the class of computational security. In 2015, a research result was already published that "sufficient care must be taken in implementation to achieve information-theoretic security for the system as a whole when authentication keys that are not information-theoretic secure are used" (if the authentication key is not information-theoretically secure, an attacker can break it to bring all classical and quantum communications under control and relay them to launch a man-in-the-middle attack). Ericsson, a private company, also cites and points out the above problems and then presents a report that it may not be able to support the zero trust security model, which is a recent trend in network security technology.

Quantum cryptography

From Wikipedia, the free encyclopedia

Quantum cryptography is the science of exploiting quantum mechanical properties to perform cryptographic tasks. The best known example of quantum cryptography is quantum key distribution, which offers an information-theoretically secure solution to the key exchange problem. The advantage of quantum cryptography lies in the fact that it allows the completion of various cryptographic tasks that are proven or conjectured to be impossible using only classical (i.e. non-quantum) communication. For example, it is impossible to copy data encoded in a quantum state. If one attempts to read the encoded data, the quantum state will be changed due to wave function collapse (no-cloning theorem). This could be used to detect eavesdropping in quantum key distribution (QKD).

History

In the early 1970s, Stephen Wiesner, then at Columbia University in New York, introduced the concept of quantum conjugate coding. His seminal paper titled "Conjugate Coding" was rejected by the IEEE Information Theory Society but was eventually published in 1983 in SIGACT News. In this paper he showed how to store or transmit two messages by encoding them in two "conjugate observables", such as linear and circular polarization of photons, so that either, but not both, properties may be received and decoded. It was not until Charles H. Bennett, of the IBM's Thomas J. Watson Research Center, and Gilles Brassard met in 1979 at the 20th IEEE Symposium on the Foundations of Computer Science, held in Puerto Rico, that they discovered how to incorporate Wiesner's findings. "The main breakthrough came when we realized that photons were never meant to store information, but rather to transmit it." In 1984, building upon this work, Bennett and Brassard proposed a method for secure communication, which is now called BB84, the first Quantum Key Distribution system.Independently, in 1991 Artur Ekert proposed to use Bell's inequalities to achieve secure key distribution. Ekert's protocol for the key distribution, as it was subsequently shown by Dominic Mayers and Andrew Yao, offers device-independent quantum key distribution.

Companies that manufacture quantum cryptography systems include MagiQ Technologies, Inc. (Boston), ID Quantique (Geneva), QuintessenceLabs (Canberra, Australia), Toshiba (Tokyo), QNu Labs (India) and SeQureNet (Paris).

Advantages

Cryptography is the strongest link in the chain of data security. However, interested parties cannot assume that cryptographic keys will remain secure indefinitely. Quantum cryptography has the potential to encrypt data for longer periods than classical cryptography. Using classical cryptography, scientists cannot guarantee encryption beyond approximately 30 years, but some stakeholders could use longer periods of protection. Take, for example, the healthcare industry. As of 2017, 85.9% of office-based physicians are using electronic medical record systems to store and transmit patient data. Under the Health Insurance Portability and Accountability Act, medical records must be kept secret. Quantum key distribution can protect electronic records for periods of up to 100 years. Also, quantum cryptography has useful applications for governments and militaries as, historically, governments have kept military data secret for periods of over 60 years. There also has been proof that quantum key distribution can travel through a noisy channel over a long distance and be secure. It can be reduced from a noisy quantum scheme to a classical noiseless scheme. This can be solved with classical probability theory. This process of having consistent protection over a noisy channel can be possible through the implementation of quantum repeaters. Quantum repeaters have the ability to resolve quantum communication errors in an efficient way. Quantum repeaters, which are quantum computers, can be stationed as segments over the noisy channel to ensure the security of communication. Quantum repeaters do this by purifying the segments of the channel before connecting them creating a secure line of communication. Sub-par quantum repeaters can provide an efficient amount of security through the noisy channel over a long distance.

Applications

Quantum cryptography is a general subject that covers a broad range of cryptographic practices and protocols. Some of the most notable applications and protocols are discussed below.

Quantum key distribution

The best-known and developed application of quantum cryptography is QKD, which is the process of using quantum communication to establish a shared key between two parties (Alice and Bob, for example) without a third party (Eve) learning anything about that key, even if Eve can eavesdrop on all communication between Alice and Bob. If Eve tries to learn information about the key being established, discrepancies will arise causing Alice and Bob to notice. Once the key is established, it is then typically used for encrypted communication using classical techniques. For instance, the exchanged key could be used for symmetric cryptography (e.g. one-time pad).

The security of quantum key distribution can be proven mathematically without imposing any restrictions on the abilities of an eavesdropper, something not possible with classical key distribution. This is usually described as "unconditional security", although there are some minimal assumptions required, including that the laws of quantum mechanics apply and that Alice and Bob are able to authenticate each other, i.e. Eve should not be able to impersonate Alice or Bob as otherwise a man-in-the-middle attack would be possible.

While QKD is secure, its practical application faces some challenges. There are in fact limitations for the key generation rate at increasing transmission distances. Recent studies have allowed important advancements in this regard. In 2018, the protocol of twin-field QKD was proposed as a mechanism to overcome the limits of lossy communication. The rate of the twin field protocol was shown to overcome the secret key-agreement capacity of the lossy communication channel, known as repeater-less PLOB bound, at 340 km of optical fiber; its ideal rate surpasses this bound already at 200 km and follows the rate-loss scaling of the higher repeater-assisted secret key-agreement capacity (see figure 1 of and figure 11 of^[2] for more details). The protocol suggests that optimal key rates are achievable on "550 kilometers of standard optical fibre", which is already commonly used in communications today. The theoretical result was confirmed in the first experimental demonstration of QKD beyond the PLOB bound which has been characterized as the first effective quantum repeater. Notable developments in terms of achieving high rates at long distances are the sending-not-sending (SNS) version of the TF-QKD protocol and the no-phase-postselected twin-field scheme.

Mistrustful quantum cryptography

In mistrustful cryptography the participating parties do not trust each other. For example, Alice and Bob collaborate to perform some computation where both parties enter some private inputs. But Alice does not trust Bob and Bob does not trust Alice. Thus, a secure implementation of a cryptographic task requires that after completing the computation, Alice can be guaranteed that Bob has not cheated and Bob can be guaranteed that Alice has not cheated either. Examples of tasks in mistrustful cryptography are commitment schemes and secure computations, the latter including the further examples of coin flipping and oblivious transfer. Key distribution does not belong to the area of mistrustful cryptography. Mistrustful quantum cryptography studies the area of mistrustful cryptography using quantum systems.

In contrast to quantum key distribution where unconditional security can be achieved based only on the laws of quantum physics, in the case of various tasks in mistrustful cryptography there are no-go theorems showing that it is impossible to achieve unconditionally secure protocols based only on the laws of quantum physics. However, some of these tasks can be implemented with unconditional security if the protocols not only exploit quantum mechanics but also special relativity. For example, unconditionally secure quantum bit commitment was shown impossible by Mayers and by Lo and Chau. Unconditionally secure ideal quantum coin flipping was shown impossible by Lo and Chau. Moreover, Lo showed that there cannot be unconditionally secure quantum protocols for one-out-of-two oblivious transfer and other secure two-party computations. However, unconditionally secure relativistic protocols for coin flipping and bit-commitment have been shown by Kent.

Quantum coin flipping

Unlike quantum key distribution, quantum coin flipping is a protocol that is used between two participants who do not trust each other. The participants communicate via a quantum channel and exchange information through the transmission of qubits. But because Alice and Bob do not trust each other, each expects the other to cheat. Therefore, more effort must be spent on ensuring that neither Alice nor Bob can gain a significant advantage over the other to produce a desired outcome. An ability to influence a particular outcome is referred to as a bias, and there is a significant focus on developing protocols to reduce the bias of a dishonest player, otherwise known as cheating. Quantum communication protocols, including quantum coin flipping, have been shown to provide significant security advantages over classical communication, though they may be considered difficult to realize in the practical world.

A coin flip protocol generally occurs like this:

Alice chooses a basis (either rectilinear or diagonal) and generates a string of photons to send to Bob in that basis.
Bob randomly chooses to measure each photon in a rectilinear or diagonal basis, noting which basis he used and the measured value.
Bob publicly guesses which basis Alice used to send her qubits.
Alice announces the basis she used and sends her original string to Bob.
Bob confirms by comparing Alice's string to his table. It should be perfectly correlated with the values Bob measured using Alice's basis and completely uncorrelated with the opposite.

Cheating occurs when one player attempts to influence, or increase the probability of a particular outcome. The protocol discourages some forms of cheating; for example, Alice could cheat at step 4 by claiming that Bob incorrectly guessed her initial basis when he guessed correctly, but Alice would then need to generate a new string of qubits that perfectly correlates with what Bob measured in the opposite table. Her chance of generating a matching string of qubits will decrease exponentially with the number of qubits sent, and if Bob notes a mismatch, he will know she was lying. Alice could also generate a string of photons using a mixture of states, but Bob would easily see that her string will correlate partially (but not fully) with both sides of the table, and know she cheated in the process. There is also an inherent flaw that comes with current quantum devices. Errors and lost qubits will affect Bob's measurements, resulting in holes in Bob's measurement table. Significant losses in measurement will affect Bob's ability to verify Alice's qubit sequence in step 5.

One theoretically surefire way for Alice to cheat is to utilize the Einstein-Podolsky-Rosen (EPR) paradox. Two photons in an EPR pair are anticorrelated; that is, they will always be found to have opposite polarizations, provided that they are measured in the same basis. Alice could generate a string of EPR pairs, sending one photon per pair to Bob and storing the other herself. When Bob states his guess, she could measure her EPR pair photons in the opposite basis and obtain a perfect correlation to Bob's opposite table. Bob would never know she cheated. However, this requires capabilities that quantum technology currently does not possess, making it impossible to do in practice. To successfully execute this, Alice would need to be able to store all the photons for a significant amount of time as well as measure them with near perfect efficiency. This is because any photon lost in storage or in measurement would result in a hole in her string that she would have to fill by guessing. The more guesses she has to make, the more she risks detection by Bob for cheating.

Quantum commitment

In addition to quantum coin-flipping, quantum commitment protocols are implemented when distrustful parties are involved. A commitment scheme allows a party Alice to fix a certain value (to "commit") in such a way that Alice cannot change that value while at the same time ensuring that the recipient Bob cannot learn anything about that value until Alice reveals it. Such commitment schemes are commonly used in cryptographic protocols (e.g. Quantum coin flipping, Zero-knowledge proof, secure two-party computation, and Oblivious transfer).

In the quantum setting, they would be particularly useful: Crépeau and Kilian showed that from a commitment and a quantum channel, one can construct an unconditionally secure protocol for performing so-called oblivious transfer. Oblivious transfer, on the other hand, had been shown by Kilian to allow implementation of almost any distributed computation in a secure way (so-called secure multi-party computation). (Note: The results by Crépeau and Kilian together do not directly imply that given a commitment and a quantum channel one can perform secure multi-party computation. This is because the results do not guarantee "composability", that is, when plugging them together, one might lose security.)

Early quantum commitment protocols were shown to be flawed. In fact, Mayers showed that (unconditionally secure) quantum commitment is impossible: a computationally unlimited attacker can break any quantum commitment protocol.

Yet, the result by Mayers does not preclude the possibility of constructing quantum commitment protocols (and thus secure multi-party computation protocols) under assumptions that are much weaker than the assumptions needed for commitment protocols that do not use quantum communication. The bounded quantum storage model described below is an example for a setting in which quantum communication can be used to construct commitment protocols. A breakthrough in November 2013 offers "unconditional" security of information by harnessing quantum theory and relativity, which has been successfully demonstrated on a global scale for the first time. More recently, Wang et al., proposed another commitment scheme in which the "unconditional hiding" is perfect.

Physical unclonable functions can be also exploited for the construction of cryptographic commitments.

Bounded- and noisy-quantum-storage model

One possibility to construct unconditionally secure quantum commitment and quantum oblivious transfer (OT) protocols is to use the bounded quantum storage model (BQSM). In this model, it is assumed that the amount of quantum data that an adversary can store is limited by some known constant Q. However, no limit is imposed on the amount of classical (i.e., non-quantum) data the adversary may store.

In the BQSM, one can construct commitment and oblivious transfer protocols. The underlying idea is the following: The protocol parties exchange more than Q quantum bits (qubits). Since even a dishonest party cannot store all that information (the quantum memory of the adversary is limited to Q qubits), a large part of the data will have to be either measured or discarded. Forcing dishonest parties to measure a large part of the data allows the protocol to circumvent the impossibility result, commitment and oblivious transfer protocols can now be implemented.

The protocols in the BQSM presented by Damgård, Fehr, Salvail, and Schaffner do not assume that honest protocol participants store any quantum information; the technical requirements are similar to those in quantum key distribution protocols. These protocols can thus, at least in principle, be realized with today's technology. The communication complexity is only a constant factor larger than the bound Q on the adversary's quantum memory.

The advantage of the BQSM is that the assumption that the adversary's quantum memory is limited is quite realistic. With today's technology, storing even a single qubit reliably over a sufficiently long time is difficult. (What "sufficiently long" means depends on the protocol details. By introducing an artificial pause in the protocol, the amount of time over which the adversary needs to store quantum data can be made arbitrarily large.)

An extension of the BQSM is the noisy-storage model introduced by Wehner, Schaffner and Terhal. Instead of considering an upper bound on the physical size of the adversary's quantum memory, an adversary is allowed to use imperfect quantum storage devices of arbitrary size. The level of imperfection is modelled by noisy quantum channels. For high enough noise levels, the same primitives as in the BQSM can be achieved and the BQSM forms a special case of the noisy-storage model.

In the classical setting, similar results can be achieved when assuming a bound on the amount of classical (non-quantum) data that the adversary can store. It was proven, however, that in this model also the honest parties have to use a large amount of memory (namely the square-root of the adversary's memory bound). This makes these protocols impractical for realistic memory bounds. (Note that with today's technology such as hard disks, an adversary can cheaply store large amounts of classical data.)

Position-based quantum cryptography

The goal of position-based quantum cryptography is to use the geographical location of a player as its (only) credential. For example, one wants to send a message to a player at a specified position with the guarantee that it can only be read if the receiving party is located at that particular position. In the basic task of position-verification, a player, Alice, wants to convince the (honest) verifiers that she is located at a particular point. It has been shown by Chandran et al. that position-verification using classical protocols is impossible against colluding adversaries (who control all positions except the prover's claimed position). Under various restrictions on the adversaries, schemes are possible.

Under the name of 'quantum tagging', the first position-based quantum schemes have been investigated in 2002 by Kent. A US-patent was granted in 2006. The notion of using quantum effects for location verification first appeared in the scientific literature in 2010. After several other quantum protocols for position verification have been suggested in 2010, Buhrman et al. claimed a general impossibility result: using an enormous amount of quantum entanglement (they use a doubly exponential number of EPR pairs, in the number of qubits the honest player operates on), colluding adversaries are always able to make it look to the verifiers as if they were at the claimed position. However, this result does not exclude the possibility of practical schemes in the bounded- or noisy-quantum-storage model (see above). Later Beigi and König improved the amount of EPR pairs needed in the general attack against position-verification protocols to exponential. They also showed that a particular protocol remains secure against adversaries who controls only a linear amount of EPR pairs. It is argued in that due to time-energy coupling the possibility of formal unconditional location verification via quantum effects remains an open problem. The study of position-based quantum cryptography also has connections with the protocol of port-based quantum teleportation, which is a more advanced version of quantum teleportation, where many EPR pairs are simultaneously used as ports.

Device-independent quantum cryptography

A quantum cryptographic protocol is device-independent if its security does not rely on trusting that the quantum devices used are truthful. Thus the security analysis of such a protocol needs to consider scenarios of imperfect or even malicious devices. Mayers and Yao proposed the idea of designing quantum protocols using "self-testing" quantum apparatus, the internal operations of which can be uniquely determined by their input-output statistics. Subsequently, Roger Colbeck in his Thesis^[56] proposed the use of Bell tests for checking the honesty of the devices. Since then, several problems have been shown to admit unconditional secure and device-independent protocols, even when the actual devices performing the Bell test are substantially "noisy", i.e., far from being ideal. These problems include quantum key distribution, randomness expansion, and randomness amplification.

In 2018, theoretical studies performed by Arnon- Friedman et al. suggest that exploiting a property of entropy that is later referred to as "Entropy Accumulation Theorem (EAT)", an extension of Asymptotic equipartition property, can guarantee the security of a device independent protocol.

Post-quantum cryptography

Quantum computers may become a technological reality; it is therefore important to study cryptographic schemes used against adversaries with access to a quantum computer. The study of such schemes is often referred to as post-quantum cryptography. The need for post-quantum cryptography arises from the fact that many popular encryption and signature schemes (schemes based on ECC and RSA) can be broken using Shor's algorithm for factoring and computing discrete logarithms on a quantum computer. Examples for schemes that are, as of today's knowledge, secure against quantum adversaries are McEliece and lattice-based schemes, as well as most symmetric-key algorithms. Surveys of post-quantum cryptography are available.

There is also research into how existing cryptographic techniques have to be modified to be able to cope with quantum adversaries. For example, when trying to develop zero-knowledge proof systems that are secure against quantum adversaries, new techniques need to be used: In a classical setting, the analysis of a zero-knowledge proof system usually involves "rewinding", a technique that makes it necessary to copy the internal state of the adversary. In a quantum setting, copying a state is not always possible (no-cloning theorem); a variant of the rewinding technique has to be used.

Post quantum algorithms are also called "quantum resistant", because – unlike quantum key distribution – it is not known or provable that there will not be potential future quantum attacks against them. Even though they may possibly be vulnerable to quantum attacks in the future, the NSA is announcing plans to transition to quantum resistant algorithms. The National Institute of Standards and Technology (NIST) believes that it is time to think of quantum-safe primitives.

Quantum cryptography beyond key distribution

So far, quantum cryptography has been mainly identified with the development of quantum key distribution protocols. Symmetric cryptosystems with keys that have been distributed by means of quantum key distribution become inefficient for large networks (many users), because of the necessity for the establishment and the manipulation of many pairwise secret keys (the so-called "key-management problem"). Moreover, this distribution alone does not address many other cryptographic tasks and functions, which are of vital importance in everyday life. Kak's three-stage protocol has been proposed as a method for secure communication that is entirely quantum unlike quantum key distribution, in which the cryptographic transformation uses classical algorithms.

Besides quantum commitment and oblivious transfer (discussed above), research on quantum cryptography beyond key distribution revolves around quantum message authentication, quantum digital signatures, quantum one-way functions and public-key encryption,quantum fingerprinting and entity authentication (for example, see Quantum readout of PUFs), etc.

Y-00 protocol

H. P. Yuen presented Y-00 as a stream cipher using quantum noise around 2000 and applied it for the U.S. Defense Advanced Research Projects Agency (DARPA) High-Speed and High-Capacity Quantum Cryptography Project as an alternative to quantum key distribution. The review paper summarizes it well.

Unlike quantum key distribution protocols, the main purpose of Y-00 is to transmit a message without eavesdrop-monitoring, not to distribute a key. Therefore, privacy amplification may be used only for key distributions. Currently, research is being conducted mainly in Japan and China: e.g.

The principle of operation is as follows. First, legitimate users share a key and change it to a pseudo-random keystream using the same pseudo-random number generator. Then, the legitimate parties can perform conventional optical communications based on the shared key by transforming it appropriately. For attackers who do not share the key, the wire-tap channel model of Aaron D. Wyner is implemented. The legitimate users' advantage based on the shared key is called "advantage creation". The goal is to achieve longer covert communication than the information-theoretic security limit (one-time pad) set by Shannon. The source of the noise in the above wire-tap channel is the uncertainty principle of the electromagnetic field itself, which is a theoretical consequence of the theory of laser described by Roy J. Glauber and E. C. George Sudarshan (coherent state).^[ Therefore, existing optical communication technologies are sufficient for implementation that some reviews describes: e.g. Furthermore, since it uses ordinary communication laser light, it is compatible with existing communication infrastructure and can be used for high-speed and long-distance communication and routing.

Although the main purpose of the protocol is to transmit the message, key distribution is possible by simply replacing the message with a key. Since it is a symmetric key cipher, it must share the initial key previously; however, a method of the initial key agreement was also proposed.

On the other hand, it is currently unclear what implementation realizes information-theoretic security, and security of this protocol has long been a matter of debate.

Implementation in practice

In theory, quantum cryptography seems to be a successful turning point in the information security sector. However, no cryptographic method can ever be absolutely secure. In practice, quantum cryptography is only conditionally secure, dependent on a key set of assumptions.

Single-photon source assumption

The theoretical basis for quantum key distribution assumes the use of single-photon sources. However, such sources are difficult to construct, and most real-world quantum cryptography systems use faint laser sources as a medium for information transfer. These multi-photon sources open the possibility for eavesdropper attacks, particularly a photon splitting attack. An eavesdropper, Eve, can split the multi-photon source and retain one copy for herself. The other photons are then transmitted to Bob without any measurement or trace that Eve captured a copy of the data. Scientists believe they can retain security with a multi-photon source by using decoy states that test for the presence of an eavesdropper. However, in 2016, scientists developed a near perfect single photon source and estimate that one could be developed in the near future.^[]

Identical detector efficiency assumption

In practice, multiple single-photon detectors are used in quantum key distribution devices, one for Alice and one for Bob. These photodetectors are tuned to detect an incoming photon during a short window of only a few nanoseconds. Due to manufacturing differences between the two detectors, their respective detection windows will be shifted by some finite amount. An eavesdropper, Eve, can take advantage of this detector inefficiency by measuring Alice's qubit and sending a "fake state" to Bob. Eve first captures the photon sent by Alice and then generates another photon to send to Bob.^[115] Eve manipulates the phase and timing of the "faked" photon in a way that prevents Bob from detecting the presence of an eavesdropper. The only way to eliminate this vulnerability is to eliminate differences in photodetector efficiency, which is difficult to do given finite manufacturing tolerances that cause optical path length differences, wire length differences, and other defects.

Deprecation of quantum key distributions from governmental institutions

Because of the practical problems with quantum key distribution, some governmental organizations recommend the use of post-quantum cryptography (quantum resistant cryptography) instead. For example, the US National Security Agency, European Union Agency for Cybersecurity of EU (ENISA), UK's National Cyber Security Centre, French Secretariat for Defense and Security (ANSSI), and German Federal Office for Information Security (BSI) recommend post-quantum cryptography.

For example, the US National Security Agency addresses five issues:^[116]

Quantum key distribution is only a partial solution. QKD generates keying material for an encryption algorithm that provides confidentiality. Such keying material could also be used in symmetric key cryptographic algorithms to provide integrity and authentication if one has the cryptographic assurance that the original QKD transmission comes from the desired entity (i.e. entity source authentication). QKD does not provide a means to authenticate the QKD transmission source. Therefore, source authentication requires the use of asymmetric cryptography or pre-placed keys to provide that authentication. Moreover, the confidentiality services QKD offers can be provided by quantum-resistant cryptography, which is typically less expensive with a better understood risk profile.
Quantum key distribution requires special purpose equipment. QKD is based on physical properties, and its security derives from unique physical layer communications. This requires users to lease dedicated fiber connections or physically manage free-space transmitters. It cannot be implemented in software or as a service on a network, and cannot be easily integrated into existing network equipment. Since QKD is hardware-based it also lacks flexibility for upgrades or security patches.
Quantum key distribution increases infrastructure costs and insider-threat risks. QKD networks frequently necessitate the use of trusted relays, entailing additional cost for secure facilities and additional security risk from insider threats. This eliminates many use cases from consideration.
Securing and validating quantum key distribution is a significant challenge. The actual security provided by a QKD system is not the theoretical unconditional security from the laws of physics (as modeled and often suggested), but rather the more limited security that can be achieved by hardware and engineering designs. The tolerance for error in cryptographic security, however, is many orders of magnitude smaller than what is available in most physical engineering scenarios, making it very difficult to validate. The specific hardware used to perform QKD can introduce vulnerabilities, resulting in several well-publicized attacks on commercial QKD systems.^[121]
Quantum key distribution increases the risk of denial of service. The sensitivity to an eavesdropper as the theoretical basis for QKD security claims also shows that denial of service is a significant risk for QKD.

Quantum Cryptography in Education

Quantum cryptography, specifically the BB84 protocol, has become an important topic in physics and computer science education. The challenge of teaching quantum cryptography lies in the technical requirements and the conceptual complexity of quantum mechanics. However, simplified experimental setups for educational purposes are becoming more common , allowing undergraduate students to engage with the core principles of quantum key distribution (QKD) without requiring advanced quantum technology.

Search This Blog

Friday, November 1, 2024

Quantum key distribution

Quantum key exchange

BB84 protocol: Charles H. Bennett and Gilles Brassard (1984)

E91 protocol: Artur Ekert (1991)

Device-independent quantum key distribution

Twin fields quantum key distribution

Information reconciliation and privacy amplification

Implementations

Experimental

Commercial

Quantum key distribution networks

DARPA

SECOQC

SwissQuantum

Chinese networks

Tokyo QKD Network

Los Alamos National Laboratory

Singapore's National Quantum-Safe Network Plus (NQSN+)

Eagle-1

Attacks and security proofs

Intercept and resend

Man-in-the-middle attack

Photon number splitting attack

Denial of service

Trojan-horse attacks

Security proofs

Quantum hacking

Counterfactual quantum key distribution

History

Future

Deprecation from governmental institutions

Quantum cryptography

History

Advantages

Applications

Quantum key distribution

Mistrustful quantum cryptography

Quantum coin flipping

Quantum commitment

Bounded- and noisy-quantum-storage model

Position-based quantum cryptography

Device-independent quantum cryptography

Post-quantum cryptography

Quantum cryptography beyond key distribution

Y-00 protocol

Implementation in practice

Single-photon source assumption

Identical detector efficiency assumption

Deprecation of quantum key distributions from governmental institutions

Quantum Cryptography in Education

Representation of a Lie group