Quantum Key Distribution

Uploaded by prayas satkar

Basic Ideas

16-10-2024
OTP and Beyond

• OTP provides unconditional security provided the
communicating parties have a shared key that is uniformly
random and as large as the plaintext.
• The question is how to distribute such large keys a priori?
• Symmetric Key Cryptography allows us to use keys as small as
128-bits.
• Though security is no longer unconditional, it’s still believed to
be secure against a quantum adversary.
Key Distribution Problem and DHKA

• Public Key agreement allows us to derive a pseudorandom key.
• Security is conditional – depends on computational power of
the adversary.
• DHKA (Diffie-Hellman key agreement) is insecure against quantum attackers.
• Store-Now-Decrypt-Later
• Quantum-Safe Crypto: supposed to effectively address this
problem.
Quantum Key Distribution

Is it possible to harness the power of quantum mechanics so that
we can go beyond what is classically possible?

QKD: Basic Principles

1. “No clone”: Not possible to make a copy of an unknown
quantum state.
2. “No free data”: Information gain implies disturbance
  • When we try to distinguish between two non-orthogonal
  quantum states, any information gain is only at the cost of
  introducing disturbance to the signal.
  • Proof: [Prop. 12.18 of Nielsen-Chuang]
Bangalore 1984

• IISc celebrated its Platinum Jubilee.
• Dec. 09 to 14: International Conference on Computers,
Systems and Signal Processing
• One of the papers presented in that conference was by Charles
Bennett and Gilles Brassard:
• Quantum Cryptography: Public Key Distribution and Coin
Tossing.
The “Wise Man”

• The idea of using principles of quantum mechanics to build
unbreakable cryptosystems dates back to the 1960s.
• Stephen Wiesner [1942-2021] As a graduate student at
Columbia University in New York in the late 1960s and early
1970s, he discovered several of the most important ideas in
quantum information theory, including quantum money (which
led to quantum key distribution)...[Wikipedia]
Stephen J. Wiesner was an American-Israeli research physicist,
inventor and construction laborer.
QKD: Settings

• Communicating parties: Alice and Bob
• Alice and Bob communicate over
  1. a classical channel (to exchange bits)
  2. a quantum channel (to send/receive qubits)
• Attacker Eve has access to these channels.
  • Aim: gain information about the secret without being
  detected.
• Security Goal: Must be impossible for Eve to gain any
information in any way whatsoever without violating the laws of
(quantum) physics.
QKD: Setting

• Consider the following qubit states:
  1. $|\psi_{00}\rangle = |0\rangle$
  2. $|\psi_{10}\rangle = |1\rangle$
  3. $|\psi_{01}\rangle = |+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$
  4. $|\psi_{11}\rangle = |-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$
• They form two orthonormal bases: $B_0 = \{|\psi_{00}\rangle, |\psi_{10}\rangle\}$ and
$B_1 = \{|\psi_{01}\rangle, |\psi_{11}\rangle\}$.
• Computational basis (Pauli Z eigenbasis), and
diagonal/conjugate basis (Pauli X eigenbasis)
• The two are mutually independent – if a state of one basis is
measured in the other basis, the outcomes are always equally
likely.
Ideal/Honest World

Let’s first consider the case of no-Eve/no-noise in the
communication channels.

Alice:
1. Generate two uniformly random strings: $a, b \in_R \{0, 1\}^m$.
2. Prepare qubit states: $|\psi_{a_0 b_0}\rangle, |\psi_{a_1 b_1}\rangle, \cdots, |\psi_{a_{m-1} b_{m-1}}\rangle$
3. Send the m qubits to Bob using the quantum channel.
Bob:
1. Generate a uniformly random string $b' \in_R \{0, 1\}^m$.
2. Measure the i-th qubit received in $B_{b'_i}$ for $0 \le i \le m - 1$.
3. Record the outcome of the measurements: $a' = a'_0 a'_1 \cdots a'_{m-1}$
What is $a'$?

• If $b'_i = b_i$, then $a'_i = ?$
  • $a_i$
• If $b'_i = \bar{b}_i$, then $a'_i = ?$
  • $a'_i \in_R \{0, 1\}$
Shared Key

• Alice and Bob use the classical channel to reveal the
bit-strings $b$ and $b'$.
• Note: $a$ and $a'$ remain secret.
• Alice (resp. Bob) retains $a_i$ (resp. $a'_i$) if $b'_i = b_i$. Otherwise,
discard that bit.
• How many bits are expected to be discarded?
  • m/2
• $\tilde{a}$: remaining bit string of Alice; $\tilde{a}'$: remaining bit string of
Bob.
Toy Example

a     1    0    0    1    0    1    1    0
b     1    1    0    0    1    0    1    0
ψ    ψ11  ψ01  ψ00  ψ10  ψ01  ψ10  ψ11  ψ00
b'    0    1    1    0    1    1    0    0
a'    0    0    0    1    0    0    1    0
ã     -    0    -    1    0    -    -    0
(- marks a discarded position, where b'_i ≠ b_i)
Real world
• In reality communication channels are prone to both malicious
Eve and random noise!
• So we need additional measures to ensure that Alice and Bob
can securely derive the same key.
• Classical channel: What can Eve do if she can modify the
messages?
  • (Wo)Man-in-the-Middle Attack
    • Play the role of Bob with Alice
    • Play the role of Alice with Bob
    • Work out the details of the attack.
  • Countermeasure? authenticate the messages sent over
  classical channel!
• A Circularity? To agree upon a shared key, Alice and Bob need
to start with a shared key in the first place!
Quantum Channel
• Suppose Alice first shares $b$ with Bob and then sends the
qubits.
• Intercept and Resend: Eve will capture the i-th qubit,
measure and then resend.
• $b$ must not be revealed beforehand: Eve can still guess $b_i$ with
probability 1/2.
  • Case 1: If correct, Eve’s action remains undetected.
  • Case 2: Eve’s prediction is wrong:
    • Eve’s measurement result is random and so is the state that
    she sends
    • Suppose Bob has chosen the correct basis: $b'_i = b_i$.
    • But now, $a'_i \in_R \{0, 1\}$.
• Suppose Alice and Bob publicly compare $a_i$ and $a'_i$ where
$b'_i = b_i$:
  • What’s the probability of detecting error if Eve intercepted and
  resent that qubit? 1/4
Estimating Error

• Next step for Alice and Bob is to estimate the bit error rate:
  • BER: proportion of bits in $\tilde{a}'$ that are not equal to those in $\tilde{a}$.
• Alice and Bob use the classical channel to reveal a random
subset of $\tilde{a}$ and $\tilde{a}'$.
• Half the bits of $\tilde{a}$ and $\tilde{a}'$, chosen at random indices, are
compared (and discarded).
• Alice and Bob know how many bits in the revealed samples
differ.
• Assume the proportion of errors in undisclosed bits is
approximately the same.
• If the error is above some predetermined threshold (t), they abort
the protocol.
Toy Example with Eve

a      1    0    0    1    0    1    1    0
b      1    1    0    0    1    0    1    0
ψ     ψ11  ψ01  ψ00  ψ10  ψ01  ψ10  ψ11  ψ00
b_e    1    0    1    0    1    1    1    1
ψ_eve ψ11  ψ10  ψ01  ψ10  ψ01  ψ11  ψ11  ψ01
b'     0    1    1    0    1    1    0    0
a'     0    1    0    1    0    1    1    0
ã      -    0    -    1    0    -    -    0
ã'     -    1    -    1    0    -    -    0
(- marks a discarded position, where b'_i ≠ b_i)
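The sifting, intercept-and-resend and error-estimation steps above can be checked with a classical simulation of the four states; this is an added example, not part of the original slides. The function names, the seeded PRNG and the 10% abort threshold are assumptions made for the illustration.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    # Same basis: outcome is the encoded bit. Other basis: uniformly random outcome.
    return bit if prep_basis == meas_basis else rng.randrange(2)

def bb84_sift(m, eve=False, seed=0):
    """Send m qubits; return the sifted strings (a~, a~') kept where b'_i == b_i."""
    rng = random.Random(seed)  # seeded PRNG for a repeatable simulation only
    a = [rng.randrange(2) for _ in range(m)]        # Alice's bits
    b = [rng.randrange(2) for _ in range(m)]        # Alice's bases
    b_bob = [rng.randrange(2) for _ in range(m)]    # Bob's bases b'
    a_bob = []
    for i in range(m):
        bit, basis = a[i], b[i]
        if eve:  # intercept-resend: measure in a guessed basis, resend that state
            b_eve = rng.randrange(2)
            bit, basis = measure(bit, basis, b_eve, rng), b_eve
        a_bob.append(measure(bit, basis, b_bob[i], rng))
    keep = [i for i in range(m) if b[i] == b_bob[i]]
    return [a[i] for i in keep], [a_bob[i] for i in keep]

def estimate_ber(sift_a, sift_b, seed=1):
    """Reveal a random half of the sifted bits; return (BER estimate, bits left)."""
    idx = list(range(len(sift_a)))
    random.Random(seed).shuffle(idx)
    revealed = idx[: len(idx) // 2]
    errors = sum(sift_a[i] != sift_b[i] for i in revealed)
    ber = errors / len(revealed) if revealed else 0.0
    return ber, len(idx) - len(revealed)

def run(m, eve, threshold=0.10, seed=0):
    # threshold is an assumed sample value for the slides' t
    sift_a, sift_b = bb84_sift(m, eve, seed)
    ber, left = estimate_ber(sift_a, sift_b, seed + 1)
    return {"sifted": len(sift_a), "ber": ber, "abort": ber > threshold, "left": left}

if __name__ == "__main__":
    for eve in (False, True):
        print("Eve" if eve else "no Eve", run(20000, eve))
```

With no Eve the estimated BER is exactly 0 and about half the qubits survive sifting; with Eve intercepting every qubit the estimate sits near 1/4, so the run aborts.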
Information Reconciliation

• From the estimate of BER Alice and Bob derive an
upper bound on the information Eve may gain about the remaining
bits.
• If error is less than some threshold, then Alice and Bob assume
the undisclosed bits of $\tilde{a}$ and $\tilde{a}'$ differ at around t indices.
• Goal: Correct errors in these unknown positions and derive a
key-string about which Eve has no information (with very high
probability).
• This can be achieved if the BER is around 10%
• Some more bits need to be sacrificed.
Privacy amplification

• A cryptographic technique that allows Alice and Bob to derive
a shared key about which Eve has practically no information
(with high probability).
• Trade off: The final key will be even shorter than the length
of the undisclosed bits in $\tilde{a}$ and $\tilde{a}'$.
• Suppose Alice and Bob share three secret bits: $x, y, z$.
• At most one of these bits is revealed to Eve, but Alice and
Bob don’t know which one.
• Is it still possible for Alice and Bob to agree upon a two-bit
secret?
  • $a = x \oplus y$, $b = y \oplus z$
• More generally, one can use a universal hash function.
  • Recall: we used a strongly universal (hash) function to construct
  a one-time MAC scheme.
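The three-bit puzzle above can be verified exhaustively, and the same map turns out to be one member of a universal hash family. This is an added example, not from the original slides: the choice of Toeplitz-matrix hashing as the universal family and all function names are assumptions.

```python
from collections import Counter
from itertools import product
import secrets

def slide_extractor(x, y, z):
    return (x ^ y, y ^ z)          # the two-bit key from the slide

def one_bit_leak_is_harmless(extract):
    """True if, whichever single bit Eve learns, every 2-bit key stays equally likely."""
    for pos, val in product(range(3), range(2)):
        # all secrets (x, y, z) consistent with what Eve saw at position pos
        consistent = [s for s in product(range(2), repeat=3) if s[pos] == val]
        counts = Counter(extract(*s) for s in consistent)
        if len(counts) != 4 or len(set(counts.values())) != 1:
            return False
    return True

def toeplitz_hash(bits, seed, k):
    """k output bits = T * bits over GF(2), T the k x n Toeplitz matrix given by seed."""
    n = len(bits)
    if len(seed) != n + k - 1:
        raise ValueError("seed must have n + k - 1 bits")
    # T[r][c] = seed[r - c + n - 1], constant along each diagonal
    return [sum(seed[r - c + n - 1] & bits[c] for c in range(n)) & 1
            for r in range(k)]

def public_seed(n, k):
    # Chosen at random and announced over the authenticated classical channel
    return [secrets.randbits(1) for _ in range(n + k - 1)]

if __name__ == "__main__":
    print(one_bit_leak_is_harmless(slide_extractor))             # slide's map
    print(one_bit_leak_is_harmless(lambda x, y, z: (x, y)))      # naive truncation
    print(toeplitz_hash([1, 0, 1], [0, 1, 1, 0], 2))             # seed giving the slide's map
```

The seed `[0, 1, 1, 0]` yields the matrix with rows `[1 1 0]` and `[0 1 1]`, which is exactly the slide's map; simply keeping two of the three bits fails the check.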
Final Key

• For error correction: Alice starts with m = (4 + )n-bits of $a$
and $b$.
• Around 2n-bits are discarded due to the mismatch of $b$ and
$b'$.
• Around n-bits of $\tilde{a}$ and $\tilde{a}'$ are revealed;
• Final key string is derived from the remaining bits in $\tilde{a}$ and $\tilde{a}'$
after error correction (through information reconciliation and
privacy amplification).
QKD Variants

B92 Protocol: Bennett in 1992 proposed a two-state protocol:
• Alice sends $a \in \{0, 1\}$ which is encoded as:
$$|\psi_0\rangle = |0\rangle; \text{ or } |\psi_1\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$$
• Bob measures either in $B_0 = \{|0\rangle, |1\rangle\}$ or $B_1 = \{\frac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)\}$
• From measurement Bob obtains $b \in \{0, 1\}$.
• Based on public discussion they derive a common key.
Ekert91: Ekert proposed his protocol using EPR pair.
• Can be generated by Alice/Bob or a third-party, even Eve!
[Exercise] Study the details of B92 and Ekert91 Protocol.
QKD as Key Expansion

• Suppose that Alice and Bob somehow share a common
random key: $k$.
• They can use QKD to derive further key bits that are
information theoretically secure.
• Use k as the secret key of some one-time MAC used to
authenticate the classical channel in BB84.
• A part of the key derived from QKD is used as OTP key; rest
is used to authenticate the classical channel in the next round
of QKD.
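A sketch of the key-expansion bookkeeping described above, as an added example that is not part of the original slides: a pool of shared bits pays for a one-time MAC on each classical message and is refilled from QKD output. The polynomial-evaluation MAC over the prime 2^127 − 1, the 254-bit key size and the `KeyPool` class are assumptions; the slides only say "some one-time MAC".

```python
import hmac

P = 2**127 - 1      # prime modulus of the polynomial hash (added choice)
BLOCK = 15          # bytes per block, so each block value is below P
KEY_BITS = 254      # one (r, s) pair, spent on exactly one message

class KeyPool:
    """Shared secret bits: starts as the initial key k, refilled by each QKD round."""
    def __init__(self, bits):
        self.bits = list(bits)

    def refill(self, bits):
        self.bits.extend(bits)

    def mac_key(self):
        if len(self.bits) < KEY_BITS:
            raise RuntimeError("key pool exhausted: classical channel cannot be authenticated")
        raw, self.bits = self.bits[:KEY_BITS], self.bits[KEY_BITS:]
        to_int = lambda bs: int("".join(map(str, bs)), 2) % P
        return to_int(raw[:127]), to_int(raw[127:])

def tag(key, message: bytes) -> int:
    r, s = key
    data = len(message).to_bytes(8, "big") + message   # bind the message length
    acc = 0
    for i in range(0, len(data), BLOCK):               # Horner evaluation at secret point r
        acc = (acc + int.from_bytes(data[i:i + BLOCK], "big")) * r % P
    return (acc + s) % P                               # s masks the hash value

def verify(key, message: bytes, received_tag: int) -> bool:
    if not 0 <= received_tag < P:
        return False
    expected = tag(key, message).to_bytes(16, "big")
    return hmac.compare_digest(expected, received_tag.to_bytes(16, "big"))

if __name__ == "__main__":
    pool = KeyPool([1, 0] * 127)          # constructed stand-in for the initial key k
    key = pool.mac_key()
    t = tag(key, b"bases:01101100")       # constructed basis announcement
    print(verify(key, b"bases:01101100", t), verify(key, b"bases:01101101", t))
```

A round expands the key only if the final key it produces is longer than the `KEY_BITS` spent on each authenticated message in that round; an empty pool means the next round cannot be authenticated at all.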
Side Channel Attacks

• Devil lies in the details.
• Several attacks have been proposed based on the concrete
hardware used to implement QKD.
• Photon Number Splitting, Trojan Horse, DoS, . . .
• Device Independent QKD has been proposed to resist some
attacks
• Implementation is still a challenge.
QKD: Limitations

• QKD solves only a small part of the problem of secure
communication.
• QKD has fundamental practical limitations, does not address
large parts of the security problem, and is poorly understood
in terms of potential attacks. [CESG Whitepaper (Feb. 2016)]
• NSA views quantum-resistant (or post-quantum)
cryptography as a more cost effective and easily maintained
solution than quantum key distribution. . . . NSA does not
support the usage of QKD or QC to protect communications
in National Security Systems . . .
[https://www.nsa.gov/Cybersecurity/Quantum-Key-Distribution-QKD-and-Quantum-Cryptography-QC/]
Assignment

1. What can be the consequence for BB84 protocol if there is
some quantum algorithm to break:
1.1 the MAC scheme used for authenticating the classical data
1.2 the random number generator used by Alice/Bob.
2. Argue whether there is any benefit in terms of cryptographic
security of using Ekert91 over BB84?
3. Do you think QKD will help us in securing the internet
against the threat of quantum computer? You may justify
your answer in terms of the following:
• Cryptographic functionality
• Efficiency of communication
Deadline: 23rd October, midnight.
No collaboration; brief to-the-point answer is expected.
