Quantum key distribution: (4) Cryptography using untrusted devices
Part of my Womanium Global Quantum Project
Following Ekert’s proposal of employing entanglement and the CHSH inequality for further security guarantees, Bennett and Brassard (BB84), together with Mermin, proposed an entanglement-based version of BB84*. Although these and similar protocols come with security proofs, they all assume the devices behave exactly as the theoretical model describes. Real-world devices, however, are susceptible to errors and can be manipulated, which leads to a gap between ‘theoretical security’ and ‘implementation security’.
This article provides an overview of quantum cryptography that does not trust that the devices will act as per the theory.
Device-independent QKD (DI-QKD)
DI-QKD deals with devices as ‘black boxes’, i.e. with no assumptions regarding how they work internally. It further assumes that the entanglement source is controlled by Charlie.
With a setting similar to the schematic above, the protocol follows these steps:
- Charlie sends entangled particles over the quantum channel to Alice and Bob, who choose among three and two different measurements, respectively, as shown in the figure, each with outcomes ±1.
- Alice and Bob communicate over the classical channel to calculate S, as discussed before.
- Alice and Bob calculate a second parameter called the quantum bit error rate (QBER) or Q, which is the probability of them getting different outcomes upon measuring A_0 and B_1.
If S is low (significantly lower than 2√2 as explained before) and Q is high, then the protocol should be repeated. Otherwise, Alice and Bob use S and Q to perform classical post-processing. In this stage, they obtain a secure key from the raw key that is not fully secure (depending on the outcomes of calculating S and Q).
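The parameter-estimation step above, as an added example (not code from the original article): it estimates S and Q from per-round records and decides whether to repeat or go on to post-processing. The measurement angles, the visibility noise model and the sampled rounds are constructed assumptions, and the key-rate bound is the one from Acín et al. (2007) for collective attacks, which the article does not state.

```python
import math
import random

# Assumed measurement angles in the X-Z plane (the article's figure is not available).
ALICE = {"A0": 0.0, "A1": math.pi / 4, "A2": -math.pi / 4}
BOB = {"B1": 0.0, "B2": math.pi / 2}

def run_rounds(n, visibility, seed=1):
    """Constructed data: +/-1 outcomes with correlator E = visibility * cos(ta - tb)."""
    rng = random.Random(seed)
    rounds = []
    for _ in range(n):
        x, y = rng.choice(list(ALICE)), rng.choice(list(BOB))
        e = visibility * math.cos(ALICE[x] - BOB[y])
        a = rng.choice((1, -1))
        b = a if rng.random() < (1 + e) / 2 else -a
        rounds.append((x, y, a, b))
    return rounds

def correlator(rounds, x, y):
    prods = [a * b for (rx, ry, a, b) in rounds if (rx, ry) == (x, y)]
    return sum(prods) / len(prods)

def estimate_s_q(rounds):
    s = (correlator(rounds, "A1", "B1") + correlator(rounds, "A1", "B2")
         + correlator(rounds, "A2", "B1") - correlator(rounds, "A2", "B2"))
    key = [(a, b) for (x, y, a, b) in rounds if (x, y) == ("A0", "B1")]
    q = sum(a != b for a, b in key) / len(key)   # QBER on the key-generating pair
    return s, q

def h2(p):
    return 0.0 if p <= 0 or p >= 1 else -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def key_rate(s, q):
    """Bound r >= 1 - h(Q) - h((1 + sqrt((S/2)^2 - 1)) / 2), floored at zero."""
    if s <= 2:                      # no CHSH violation: nothing can be certified
        return 0.0
    s = min(s, 2 * math.sqrt(2))    # finite-sample estimates can overshoot 2*sqrt(2)
    return max(0.0, 1 - h2(q) - h2((1 + math.sqrt((s / 2) ** 2 - 1)) / 2))

def decide(rounds):
    s, q = estimate_s_q(rounds)
    r = key_rate(s, q)
    return {"S": s, "Q": q, "rate": r, "action": "post-process" if r > 0 else "repeat"}
```

With `visibility=0.8` the estimate of S still exceeds the classical bound of 2, yet the rate is zero: a CHSH violation alone is not enough, S and Q have to be judged together.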
Side-channel attacks
Although DI-QKD makes no assumptions regarding the source and the inner working of the devices, it trusts the detectors/measurement devices controlled by Alice and Bob. It might sound reasonable to trust the devices controlled by the authorized parties, but this ignores the possibility of what we call side-channel attacks.
Instead of targeting the protocol in use, side-channel attacks exploit imperfections in the implementation setting. By monitoring and analyzing the variations in the timing of operations done by each party, Charlie can obtain information about the data being processed. Charlie can also blind the photon detectors by shining bright light on the detector to make it lose its sensitivity to the single-photon pulse it should receive from the other party. This gave rise to the need for a protocol that does not assume measurement devices are secure and flawless.
Measurement device-independent QKD (MDI-QKD)
To eliminate the detector side-channel attacks, MDI-QKD was proposed in 2012. An MDI-QKD protocol uses the generic setting above and consists of the following steps:
- Alice and Bob prepare weak coherent pulses (nearly single-photon pulses) and encode logical bits in the photon polarization as discussed in BB84.
- Alice and Bob send both pulses to the untrusted relay (Charlie), where the pulses meet at a beam splitter and a Bell state measurement (BSM)* is conducted.
- Charlie announces the results of his measurement to Alice and Bob.
- Alice and Bob discard the unsuccessful measurements and announce the preparation bases for successful pairs.
If, for example, the BSM results in the singlet state, and Alice and Bob have prepared the photons in the same basis, one of them should flip the outcome and use the results as the key.
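The MDI-QKD steps above, simulated end to end as an added example (not code from the original article): ideal single photons stand in for weak coherent pulses, the relay can identify only the two Bell states a linear-optics BSM resolves, and the flip rule is the standard one for polarization encoding. All function names and the sampled rounds are constructed for illustration.

```python
import math
import random

R = 1 / math.sqrt(2)
# Polarization states as (H, V) amplitudes, keyed by (basis, bit).
STATES = {("Z", 0): (1, 0), ("Z", 1): (0, 1), ("X", 0): (R, R), ("X", 1): (R, -R)}
# Bell states over the basis HH, HV, VH, VV.
BELL = {"psi-": (0, R, -R, 0), "psi+": (0, R, R, 0)}

def bsm(a, b, rng):
    """Untrusted relay: ideal BSM on Alice's and Bob's photons; None if inconclusive."""
    joint = [x * y for x in STATES[a] for y in STATES[b]]
    u = rng.random()
    for name, bell in BELL.items():
        p = sum(c * j for c, j in zip(bell, joint)) ** 2   # projection probability
        if u < p:
            return name
        u -= p
    return None

def must_flip(basis, result):
    # psi-: flip in both bases; psi+: flip only in the rectilinear (Z) basis.
    return result == "psi-" or basis == "Z"

def run(n, seed=7):
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    for _ in range(n):
        a = (rng.choice("ZX"), rng.randint(0, 1))
        b = (rng.choice("ZX"), rng.randint(0, 1))
        result = bsm(a, b, rng)              # Charlie announces this publicly
        if result is None or a[0] != b[0]:   # drop failed BSMs and basis mismatches
            continue
        alice_key.append(a[1])
        bob_key.append(b[1] ^ 1 if must_flip(a[0], result) else b[1])
    return alice_key, bob_key

def error_rate(alice_key, bob_key):
    return sum(x != y for x, y in zip(alice_key, bob_key)) / len(alice_key)
```

The announced Bell state tells Charlie only whether the two prepared bits were equal or opposite, never their values, which is why the relay needs no trust.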
It should be noted that in this protocol the error rate should be calculated and the raw key should be processed accordingly to obtain the secure key. CHSH is used to upper bound Charlie’s knowledge in some variations of the protocol as well. For further mathematical explanation, check this webinar of the Womanium QKD module on entanglement-based QKD, including DI-QKD and MDI-QKD.
The protocols covered so far belong to the discrete variable QKD (DV-QKD) family. There is another family called continuous variable QKD (CV-QKD). Photon polarization is used to encode information in DV-QKD, but in CV-QKD, variables of the electromagnetic waves, such as amplitude and phase of the light wave, are used to encode the information. The following is a brief comparison:
Although it might look like CV-QKD has more advantages, especially as it scores best in the integration with the existing infrastructure, it still needs development both theoretically and experimentally. In theory, its security proofs are challenging, and its parameters are unbounded unlike DV-QKD parameters, CHSH violation and QBER. In experiment, it is more susceptible to noise. It is easy to discard noisy single signals in DV-QKD, which is not possible in CV-QKD and, hence, entails more noise.
You might be thinking that this is too complex to be implemented/deployed on the ground, but quantum key distribution has been used in key events, including the 2010 FIFA World Cup!
In the next article, some key implementations and networks will be discussed.
*Bell measurement is the measurement of two qubits to determine their Bell state. There are four Bell states representing the states of two maximally entangled particles (discussed before in E91). For more information on Bell state and how to perform the measurement in Python, check this page.
Opinions expressed here, if any, are solely my own and do not represent any entity’s views.