The following information has been extracted from the Secure Quantum Key Distribution Article, and provides more information into QKD.
Introduction to QKD
Quantum cryptography, specifically quantum key distribution is being considered as an important cryptographic method as quantum computers begin to be further developed. One difference between classical cryptography and quantum cryptography, is that the eavesdropper, Eve, is able to store a transcript of any classically encrypted transmission, but cannot do so for a quantum encrypted transmission. This is because classical encryption involves the process of using a mathematically difficult algorithm known as key, which encrypts the data within the transmission so that a passive eavesdropper, like Eve, is unable to decipher the message without the use of either the same key (symmetric keys) or the partner key (asymmetric keys). However, Eve is still able to intercept the data without either Bob or Alice being aware of her. For QKD, Alice sends Bob a sequence of polarized photon, that are either rectilinear or diagonal. As Bob receives the photons, he records the photon through a randomly chosen basis of either rectilinear or diagonal basis. Bob records his basis choice and the result of the respective photon, which he then verifies his data with Alice to determine matching results. The non-matching photon data is ignored and the matching data is compiled to generate a sifted key. Alice and Bob can check whether their data has been intercepted by Eve by checking their quantum bit error rate. If the error rate is below a certain threshold, then they can be confident that their data is secure. ‘The quantum data can have classical post-processing protocols such as error correction and privacy amplification to generate a secure key. This key can be used to make the communication unconditionally secure using a one-time pad protocol.’
One-time pad is a protocol in which the key is the same length as the message. The message is interpreted as a binary string, as is the key. The message is encrypted using a bitwise exclusive-OR between the two corresponding bits in the binary string.
Security model of QKD
The security of the QKD method is based upon the perfect key distribution, where Alice and Bob share a truly random secret key. A QKD system is considered to be ϵ-secure ‘if and only if the probability distribution of an outcome of any measurement performed on the QKD scheme and the resulting key deviates at most ϵ from the one of the perfect key distribution protocol and the perfect key.’ The value of ϵ is approximately 10-10, but this can be adjusted based upon agreements between Bob and Alice on their privacy level. To consider the security of the QKD protocol, the security of the generated key when it is employed in a cryptosystem needs to be taken into account. This is known as composable security. To calculate the composable security, each security protocol is considered to have a defined security parameter,ϵi, with the total security of the cryptographic scheme being defined as Σiϵi.
However, the implementation of QKD relies on imperfect devices. The BB84 protocol provides the theory of Alice and Bob transmitting data through single polarized photons. Yet efficient single-photon sources and measuring devices are still a matter of the future. (During this publication). One current method for implementing the BB84 protocol is through the use of phase-randomized weak coherent state pulses (WCPs) that have a typical average photon number of 0.1 or higher. These states are created using standard semiconductor lasers and and calibrated attenuators. The limitation with these systems is that some signals may contain more than one photon prepared in the same quantum state. This is a security weakness as Eve can perform a Photon-Number-Splitting (P-N-S) attack upon the multi-photon pulses and obtain the portion of key that was generated with that information without Alice and Bob being aware.
The BB84 protocol relies upon Alice and Bob using single-photon states to create the secure key. To generate a key from this data, Bob and Alice do not necessarily need to identify which detected pulses specifically came from the single-photon emissions, but rather can ‘estimate a lower bound for the total number of such events.’ This estimation technique contains the worst case scenario where Eve were to block as many single photon pulses as she could. This assumption can be used to provide a key generation rate that scales as η2, where η is the transmittance of the quantum channel. ‘This quantity has the form η = 10-(αd)/(10), where α is the loss coefficient of the channel measured in dB/km (α ≈ 0.2 dB/km for standard commercial fibres) and d is the the covered distance in km.’
Eve however, may not be performing a PNS attack, so to improve the achievable secret key rate, their needs to be a more precise method for determining the number of single-photon pulses detected by Bob. The decoy-state method, which can ‘basically reach the performance of single-photon sources, where the key generation scales linearly with η’ can be used. Rather than sending equal intensity signals, Alice sends a signal with an intensity that has been randomly picked from a set of prescribed values. The states sent in the chosen intensity are known as signal states, and states that exist with different intensities are considered as decoy states. ‘Once Bob has detected all the signals, Alice broadcasts the intensity used for each pulse. A crucial assumption here is that all other possible degrees of freedom of the signals (apart from the intensity) are equal for all of them.’ The result of this technique is that even if Eve has knowledge of the number of photons contained within a certain pulse, ‘her decision on whether or not to send that signal to Bob cannot depend on its intensity. That is, Eve’s decision is based upon what is known a priori.‘ Hence, the probability of ‘having a detection event given that Alice sent a single-photon pulse is the same for the signal and decoy pulses. This results in Alice and Bob being able to more precisely estimate the portion of detected events that occur from single-photons.
In recent years, QKD has been experimentally implemented. The signal can be transmitted through free space with approximately 800nm wavelength, through optical fibres with wavelengths of around 1310nm and 1550nm. The use of polarized photons, called polarization coding, is used mostly for free space transmission. Fibre optic based transmission uses different coding implementations, such as time-bin coding, phase coding, and frequency coding. These different techniques are used due to optical fibres being more likely to cause disturbances to the polarizion coding due to the fibre’s susceptibility to environmental effects and birefringence.
Entanglement-based QKD protocols allow Alice and Bob to transmit their information through further distances due to this protocol being more resilient to losses than WCP protocols. (It can stand up to about 70 dB). ‘For instance, they could employ a parametric down-conversion source to generate polarization entangled photons that are distributed between [Alice and Bob]’. This scheme however suffers from systems that are more involved than the ones for WCPs, and they have a lower low loss regime for their secret key. Aside from polarization coding, energy-time entangled pairs could be used.
For QKD for distances shorter than 100km, distributed-phase-reference QKD protocols could be used. This protocol involves Alice encoding the information coherently between adjacent pulses rather than in individual pulses. ‘This approach includes the differential phase shift (DPS) and the coherent-one-way (COW) protocols.’ DPS protocol involves Alice preparing a train of WCPs of equal intensity but with modulated phases. ‘Bob uses a one-bit delay Mach-Zehnder interferometer, followed by two single-photon detectors to measure the incoming pulses. The COW protocol involves all the pulses having a common phase but with varied intensities. These protocols are considered to belong to discrete-variable QKD schemes.
Another set of methods belong to the continuous-variable systems (CV-QKD), where the device ‘consists of homodyne or heterodyne measurements if the light-field quadratures. These protocols do not need single-photon detectors, but rather can be implemented through the use of standard telecom components.
QKD components and data-processing
‘For the optical layer of a QKD system, the following components are typically needed:’
- Light Sources
Attenuated laser pulses can be used for the signal source. The signal is modeled as a WCP. Application of global phase randomization results in the state becoming a classical mixture of Fock states with Poissonian distribution.
- Single-photon detectors
‘Single photon detection is the ultimate limit of the detection of light.’ Traditional detectors include silicon detectors and InGaAs detectors. Si detectors are used for the 800nm wavelengths, and free-space transmission. InGaAs avalanche photo-diodes (APD) are used for telecom and fibre optic based transmission. InGaAS detectors have had previous issues such as low detection efficiency (15%) compared to the Si detectors (~50%), and a ‘long dead time after a detection event.’ This dead-time reduces the repetition rate to a few MHz. This issue however, has been resolved in recent years with the use of the following techniques: Self-differentiating APDs, sine-wave grating technique, a hybrid approach of SD-APDs and sine-wave grating techniques, superconducting nanowire single-photon detectors (SNSPDs). The detection efficiency for InGaAs has increased to 50%, with SNSPD detection efficiency of ~93%. The SNSPDs have a caveat, in that their operating temperature is around 0.1K (-273.14 ºC)
- Standard linear optical components
These optical components include polarizing beam-splitters, beam-splitters, amplitude modulators, and phase modulators.
- Random number generators
Random number are required in QKD for basis choice, bit-value choice, phase randomization, intensity choice in the decoy state method, and for data post-processing. Quantum mechanics offers randomness based upon physical principles rather than complex mathematical algorithms. ‘A simple way to build a quantum random number generator (QRNG) is to send a WCP through a 50:50 beam-splitter and put two single-photon detectors on the two outgoing arms. The actual bit value (0 or 1) generated depends on which detector detects a photon.’
- Classical post-processing techniques
This includes techniques such as error correction and privacy amplification, which are used to fix any errors in the transmission, and ‘remove any residual information that Eve might have on the raw key.’ A difficulty with classical post-processing is the computational complexity of the protocols that is required to process a very large amount of raw data in a short amount of time.
- Authenticated Channel
Alice and Bob need to have an authenticated classical channel through which Bob and Alice verify the results of the QKD transmissions. This channel requires a short authentication key that ‘may be provided in the initial shipment of the QKD system through a temper-resistant device.’ After the first successful QKD session, the authentication key can be renewed by the key generated from the QKD.
As of 2015, when this article was published, QKD networks had been deployed in USA, Austria, Switzerland, Chine, and Japan. ‘The [Japanese-Tokyo] network consists of three main layers: a QKD layer, a key management layer, and an application layer.’ To the user in the application layer, the QKD layer and the key management layer can be considered as a black box, which supplies them keys. (Tokyo has a layer structure that is based upon a trusted node architecture. ) ‘Secure communication is possible between any nodes in the network by relaying on the secret key that is controlled by command of the key management server.’ This type of network can be employed for the provision of secure communications with smart phones. When a user needs a new key to protect communications, they could connect to the QKD network and store the obtained in their phone, for use when needed. ‘Other potential of QKD include, for example, offsite backup, enterprise private networks, critical infrastructure protection, backbone protection, and high security access networks.’
‘In principle, QKD only secures the communication channel, so Eve may try to attack the sources, i.e. the preparation stage of the quantum signal, and the measurement device.’ The sources can protected by preventative methods against Eve. For instance, ‘Alice can prepare her quantum signals (e.g. the polarization state of phase-randomized WCPs) in a fully protected environment outside the influence of an eavesdropper. The use of optical isolators is an example of this. The measurement device, Bob’s single-photon detector, is harder to protect due to Eve being allowed to send any signal, as it is more difficult to protect Bob’s device from any possible attack. ‘The most important hacking attack so far against the detectors of the system is the so-called detector blinding attack. Here, Eve shines bright light into the detectors to make them enter into the so-called linear mode operation, where they are no longer sensitive to single-photon pulses but only to strong light pulses. This provides Eve with complete control in which detector ‘clicks’ each time through the transmission of bright pulses. This method allows Eve to completely learn the secret key. Other aspects that are exploitable are: the sources detection efficiency mismatch, and the dead-time of detectors.
There are three main approaches in counter-measuring any hacking. The first approach is to use security patches. This provides security against any and all known attacks but implies vulnerability of the system against any hacking advances. This technique is akin to most classical cryptographic techniques.
The second approach is called device-independent QKD (DI-QKD) In this approach, Alice and Bob consider their devices as black boxes. In other words, ‘they do not need to fully characterize their different elements.’ ‘The security of DI-QKD relies on the violation of a Bell inequality, which certifies the presence of quantum correlations. This approach is impractical with current technology due to high decoupling and channel loss, limited detection efficiency of current single-photon detectors (this is considered as the detection efficiency loophole, which requires detection efficiency to be ~80% or more for a loophole free Bell test).
The third approach is MDI-QKD. This approach allows Alice and Bob to perform QKD with untrusted measurement devices, even ones developed by Eve. MDI-QKD security is based upon the idea of time reversal. ‘Alice and Bob prepare quantum signals and send them to an untrusted relay, Charles/Eve, who is supposed to perform a Bell-state measurement on the signals received. The honesty of Charles can be verified by comparing a subset of the transmitted data.’ MDI-QKD can be achieved through current ‘optical components with low detection efficiency and high lossy channels.’ MDI-QKD has a key rate that is far greater than that of DI-QKD, and has been demonstrated in laboratories and field tests (as of publication). ‘The key assumption of MDI-QKD is that Alice and Bob trust their sources.” One downside of MDI-QKD is that it has a ‘relatively low secret key rate when compared to the decoy state BB84 protocol.’ This is due to MDI-QKD requiring two-fold coincidence detector events. These are currently restrained due to the low detection efficiency of InGaAs single-photon detectors, however the downside is not an issue if SNSPDs (at ~0.1K) are utilized. ‘MDI-QKD could be used to build a QKD network with untrusted nodes, which would be desirable from a security standpoint.’
This article gives an idea of the advancement of QKD since the publication of BB84. This article contains techniques and terminology that I’m not familiar with, so my next step is to look up the terms that I am unfamiliar with. From this, I will build up a glossary to provide myself with greater comprehension of the prospects discussed within this article, and any further article that I examine.
Lo Hoi-Kwong et al. (21 May 2015). Secure Quantum Key Distribution. https://arxiv.org/pdf/1505.05303.pdf