Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Quantum key distribution
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
== Attacks and security proofs == === Intercept and resend === The simplest type of possible attack is the intercept-resend attack, where Eve measures the quantum states (photons) sent by Alice and then sends replacement states to Bob, prepared in the state she measures. In the BB84 protocol, this produces errors in the key Alice and Bob share. As Eve has no knowledge of the basis a state sent by Alice is encoded in, she can only guess which basis to measure in, in the same way as Bob. If she chooses correctly, she measures the correct photon polarization state as sent by Alice, and resends the correct state to Bob. However, if she chooses incorrectly, the state she measures is random, and the state sent to Bob cannot be the same as the state sent by Alice. If Bob then measures this state in the same basis Alice sent, he too gets a random result—as Eve has sent him a state in the opposite basis—with a 50% chance of an erroneous result (instead of the correct result he would get without the presence of Eve). The table below shows an example of this type of attack. {| class="wikitable" style="text-align: center; margin: 1em auto 1em auto" |- ! Alice's random bit | style="width:40pt;"| 0 || style="width:40pt;"| 1 || style="width:40pt;"| 1 || style="width:40pt;"| 0 || style="width:40pt;"| 1 || style="width:40pt;"| 0 || style="width:40pt;"| 0 || style="width:40pt;"| 1 |- ! Alice's random sending basis | [[File:PlusCM128.svg|15x15px]] || [[File:PlusCM128.svg|15x15px]] || [[File:Multiplication Sign.svg|15x15px]] || [[File:PlusCM128.svg|15x15px]] || [[File:Multiplication Sign.svg|15x15px]] || [[File:Multiplication Sign.svg|15x15px]] || [[File:Multiplication Sign.svg|15x15px]] || [[File:PlusCM128.svg|15x15px]] |- ! Photon polarization Alice sends | [[File:Arrow north.svg|20x20px]] || [[File:Arrow east.svg|20x20px]] || [[File:Arrow southeast.svg|15x15px]] || [[File:Arrow north.svg|20x20px]] || [[File:Arrow southeast.svg|15x15px]] || [[File:Arrow northeast.svg|15x15px]] || [[File:Arrow northeast.svg|15x15px]] || [[File:Arrow east.svg|20x20px]] |- ! Eve's random measuring basis | [[File:PlusCM128.svg|15x15px]] || [[File:Multiplication Sign.svg|15x15px]] || [[File:PlusCM128.svg|15x15px]] || [[File:PlusCM128.svg|15x15px]] || [[File:Multiplication Sign.svg|15x15px]] || [[File:PlusCM128.svg|15x15px]] || [[File:Multiplication Sign.svg|15x15px]] || [[File:PlusCM128.svg|15x15px]] |- ! Polarization Eve measures and sends | [[File:Arrow north.svg|20x20px]] || [[File:Arrow northeast.svg|15x15px]] || [[File:Arrow east.svg|20x20px]] || [[File:Arrow north.svg|20x20px]] || [[File:Arrow southeast.svg|15x15px]] || [[File:Arrow east.svg|20x20px]] || [[File:Arrow northeast.svg|15x15px]] || [[File:Arrow east.svg|20x20px]] |- ! Bob's random measuring basis | [[File:PlusCM128.svg|15x15px]] || [[File:Multiplication Sign.svg|15x15px]] || [[File:Multiplication Sign.svg|15x15px]] || [[File:Multiplication Sign.svg|15x15px]] || [[File:PlusCM128.svg|15x15px]] || [[File:Multiplication Sign.svg|15x15px]] || [[File:PlusCM128.svg|15x15px]] || [[File:PlusCM128.svg|15x15px]] |- ! Photon polarization Bob measures | [[File:Arrow north.svg|20x20px]] || [[File:Arrow northeast.svg|15x15px]] || [[File:Arrow northeast.svg|15x15px]] || [[File:Arrow southeast.svg|15x15px]] || [[File:Arrow east.svg|20x20px]] || [[File:Arrow northeast.svg|15x15px]] || [[File:Arrow north.svg|20x20px]] || [[File:Arrow east.svg|20x20px]] |- ! PUBLIC DISCUSSION OF BASIS | colspan=8 | |- ! Shared secret key | 0 || || 0 || || || 0 || || 1 |- ! Errors in key | ✓ || || ✘ || || || ✓ || || ✓ |} The probability Eve chooses the incorrect basis is 50% (assuming Alice chooses randomly), and if Bob measures this intercepted photon in the basis Alice sent he gets a random result, i.e., an incorrect result with probability of 50%. The probability an intercepted photon generates an error in the key string is then 50% × 50% = 25%. If Alice and Bob publicly compare <math>n</math> of their key bits (thus discarding them as key bits, as they are no longer secret) the probability they find disagreement and identify the presence of Eve is {{center|<math>P_d = 1 - \left(\frac{3}{4}\right)^n</math>}} So to detect an eavesdropper with probability <math>P_d = 0.999999999</math> Alice and Bob need to compare <math>n = 72</math> key bits. === Man-in-the-middle attack === Quantum key distribution is vulnerable to a [[man-in-the-middle attack]] when used without authentication to the same extent as any classical protocol, since no known principle of quantum mechanics can distinguish friend from foe. As in the classical case, Alice and Bob cannot authenticate each other and establish a secure connection without some means of verifying each other's identities (such as an initial shared secret). If Alice and Bob have an initial shared secret then they can use an unconditionally secure authentication scheme (such as [[Carter-Wegman MAC|Carter-Wegman]],<ref>{{cite journal | last1=Wegman | first1=Mark N. | last2=Carter | first2=J.Lawrence | title=New hash functions and their use in authentication and set equality | journal=Journal of Computer and System Sciences | publisher=Elsevier BV | volume=22 | issue=3 | year=1981 | issn=0022-0000 | doi=10.1016/0022-0000(81)90033-7 | pages=265–279| doi-access=free }}</ref>) along with quantum key distribution to exponentially expand this key, using a small amount of the new key to authenticate the next session.<ref>{{Cite arXiv |eprint = quant-ph/0701168|last1 = Nguyen|first1 = Kim-Chi|title = Using quantum key distribution for cryptographic purposes: A survey|author2 = Gilles Van Assche|last3 = Cerf|first3 = Nicolas J.|year = 2007}}</ref> Several methods to create this initial shared secret have been proposed, for example using a 3rd party<ref>{{cite journal | last1 = Zhang | first1 = Z. | last2 = Liu | first2 = J. | last3 = Wang | first3 = D. | last4 = Shi | first4 = S. | year = 2007 | title = Quantum direct communication with authentication | journal = Phys. Rev. A | volume = 75 | issue = 2| page = 026301 | doi=10.1103/physreva.75.026301| arxiv = quant-ph/0604125 | bibcode = 2007PhRvA..75b6301Z | s2cid = 5529511 }}</ref> or chaos theory.<ref>D. Huang, Z. Chen, Y. Guo and M. Lee "Quantum Secure Direct Communication Based on Chaos with Authentication", Journal of the Physical Society of Japan Vol. 76 No. 12, 124001 (2007) ({{cite web |url=https://journals.jps.jp/doi/10.1143/JPSJ.76.124001 |title=124001 |doi=10.1143/JPSJ.76.124001 |access-date=2 May 2024}})</ref> Nevertheless, only "almost strongly universal" family of hash functions can be used for unconditionally secure authentication.<ref>{{cite web|url=http://www.lysator.liu.se/~jc/mthesis/5_Unconditionally_secure_au.html|title=5. Unconditionally secure authentication|access-date=18 August 2016}}</ref> === Photon number splitting attack === In the BB84 protocol Alice sends quantum states to Bob using single photons. In practice many implementations use laser pulses attenuated to a very low level to send the quantum states. These laser pulses contain a very small number of photons, for example 0.2 photons per pulse, which are distributed according to a [[Poisson distribution]]. This means most pulses actually contain no photons (no pulse is sent), some pulses contain 1 photon (which is desired) and a few pulses contain 2 or more photons. If the pulse contains more than one photon, then Eve can split off the extra photons and transmit the remaining single photon to Bob. This is the basis of the photon number splitting attack,<ref>{{cite journal | last1=Brassard | first1=Gilles | last2=Lütkenhaus | first2=Norbert | last3=Mor | first3=Tal | last4=Sanders | first4=Barry C. | title=Limitations on Practical Quantum Cryptography | journal=Physical Review Letters | publisher=American Physical Society (APS) | volume=85 | issue=6 | date=2000-08-07 | issn=0031-9007 | doi=10.1103/physrevlett.85.1330 | pmid=10991544 | pages=1330–1333| arxiv=quant-ph/9911054 | bibcode=2000PhRvL..85.1330B | s2cid=18688722 }}</ref> where Eve stores these extra photons in a quantum memory until Bob detects the remaining single photon and Alice reveals the encoding basis. Eve can then measure her photons in the correct basis and obtain information on the key without introducing detectable errors. Even with the possibility of a PNS attack a secure key can still be generated, as shown in the GLLP security proof;<ref name="GLLP" /> however, a much higher amount of privacy amplification is needed reducing the secure key rate significantly (with PNS the rate scales as <math>t^2</math> as compared to <math>t</math> for a single photon sources, where <math>t</math> is the transmittance of the quantum channel). There are several solutions to this problem. The most obvious is to use a true single photon source instead of an attenuated laser. While such sources are still at a developmental stage QKD has been carried out successfully with them.<ref>{{cite journal | last1=Intallura | first1=P. M. | last2=Ward | first2=M. B. | last3=Karimov | first3=O. Z. | last4=Yuan | first4=Z. L. | last5=See | first5=P. | last6=Shields | first6=A. J. | last7=Atkinson | first7=P. | last8=Ritchie | first8=D. A. |display-authors=5| title=Quantum key distribution using a triggered quantum dot source emitting near 1.3μm | journal=Applied Physics Letters | volume=91 | issue=16 | date=2007-10-15 | issn=0003-6951 | doi=10.1063/1.2799756 | page=161103| arxiv=0710.0565 | bibcode=2007ApPhL..91p1103I | s2cid=118994015 }}</ref> However, as current sources operate at a low efficiency and frequency key rates and transmission distances are limited. Another solution is to modify the BB84 protocol, as is done for example in the [[SARG04]] protocol,<ref>{{cite journal | last1=Scarani | first1=Valerio | last2=Acín | first2=Antonio | last3=Ribordy | first3=Grégoire | last4=Gisin | first4=Nicolas | title=Quantum Cryptography Protocols Robust against Photon Number Splitting Attacks for Weak Laser Pulse Implementations | journal=Physical Review Letters | volume=92 | issue=5 | date=2004-02-06 | issn=0031-9007 | doi=10.1103/physrevlett.92.057901 | pmid=14995344 | page=057901| arxiv=quant-ph/0211131 | bibcode=2004PhRvL..92e7901S | s2cid=4791560 }}</ref> in which the secure key rate scales as <math>t^{3/2}</math>. The most promising solution is the [[decoy states]]<ref name="HwangDecoy"/><ref name="VWDecoy"/><ref name="wangDecoy"/><ref name="LoDecoy"/><ref name="PracticalDecoy"/> in which Alice randomly sends some of her laser pulses with a lower average photon number. These decoy states can be used to detect a PNS attack, as Eve has no way to tell which pulses are signal and which decoy. Using this idea the secure key rate scales as <math>t</math>, the same as for a single photon source. This idea has been implemented successfully first at the University of Toronto,<ref>{{cite journal | last1=Zhao | first1=Yi | last2=Qi | first2=Bing | last3=Ma | first3=Xiongfeng | last4=Lo | first4=Hoi-Kwong | last5=Qian | first5=Li | title=Experimental Quantum Key Distribution with Decoy States | journal=Physical Review Letters | publisher=American Physical Society (APS) | volume=96 | issue=7 | date=2006-02-22 | issn=0031-9007 | doi=10.1103/physrevlett.96.070502 | pmid=16606067 | page=070502| hdl=1807/10013 | bibcode=2006PhRvL..96g0502Z | arxiv=quant-ph/0503192 | s2cid=2564853 }}</ref><ref>Y.Zhao, B. Qi, X. Ma, H.-K. Lo, and L. Qian, in Proc. IEEE ISIT, pp. 2094–2098 (2006).</ref> and in several follow-up QKD experiments,<ref>{{cite journal | last1=Yuan | first1=Z. L. | last2=Sharpe | first2=A. W. | last3=Shields | first3=A. J. | title=Unconditionally secure one-way quantum key distribution using decoy pulses | journal=Applied Physics Letters | publisher=AIP Publishing | volume=90 | issue=1 | year=2007 | issn=0003-6951 | doi=10.1063/1.2430685 | page=011118| arxiv=quant-ph/0610015 | bibcode=2007ApPhL..90a1118Y | s2cid=20424612 }}</ref> allowing for high key rates secure against all known attacks. === Denial of service === Because currently a dedicated fibre optic line (or line of sight in free space) is required between the two points linked by quantum key distribution, a [[denial of service attack]] can be mounted by simply cutting or blocking the line. This is one of the motivations for the development of quantum key distribution networks, which would route communication via alternate links in case of disruption. === Trojan-horse attacks === A quantum key distribution system may be probed by Eve by sending bright light into the quantum channel and analyzing the back-reflections in a Trojan-horse attack. In a recent research study it has been shown that Eve discerns Bob's secret basis choice with higher than 90% probability, breaching the security of the system.<ref>{{cite journal | last1 = Jain | first1 = N. |display-authors=etal | year = 2014 | title = Trojan-horse attacks threaten the security of practical quantum cryptography | journal = New Journal of Physics | volume = 16 | issue = 12| page = 123030 | doi=10.1088/1367-2630/16/12/123030| arxiv = 1406.5813 | bibcode = 2014NJPh...16l3030J | s2cid = 15127809 }}</ref> === Security proofs === If Eve is assumed to have unlimited resources, for example both classical and quantum computing power, there are many more attacks possible. BB84 has been proven secure against any attacks allowed by quantum mechanics, both for sending information using an ideal photon source which only ever emits a single photon at a time,<ref>{{cite journal | last1=Shor | first1=Peter W. | last2=Preskill | first2=John | title=Simple Proof of Security of the BB84 Quantum Key Distribution Protocol | journal=Physical Review Letters | volume=85 | issue=2 | date=2000-07-10 | issn=0031-9007 | doi=10.1103/physrevlett.85.441 | pmid=10991303 | pages=441–444| url=https://authors.library.caltech.edu/2745/1/SHOprl00.pdf | bibcode=2000PhRvL..85..441S | arxiv=quant-ph/0003004 | s2cid=703220 }}</ref> and also using practical photon sources which sometimes emit multiphoton pulses.<ref name="GLLP">D. Gottesman, H.-K. Lo, N. L¨utkenhaus, and J. Preskill, Quant. Inf. Comp. 4, 325 (2004)</ref> These proofs are unconditionally secure in the sense that no conditions are imposed on the resources available to the eavesdropper; however, there are other conditions required: # Eve cannot physically access Alice and Bob's encoding and decoding devices. # The random number generators used by Alice and Bob must be trusted and truly random (for example a [[Hardware random number generator|Quantum random number generator]]). # The classical communication channel must be authenticated using an unconditionally secure authentication scheme. # The message must be encrypted using [[one-time pad]] like scheme
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)