JAMES ELCOCK
Key distribution is a fundamental part of modern communications. Without it, no secure channel between people could exist. Modern key distribution uses algorithms such as RSA and Diffie-Hellman to produce a shared hidden key between two parties to allow them to communicate, typically over a symmetrically encrypted connection using the key. The problem with these schemes is that they are not provably secure. Given enough computing power, they can be broken. This isn’t a problem with conventional computers as it would be unfeasible, however, with the birth and growth of quantum computers, soon these algorithms could be brute-forced; thus a new key distribution scheme is needed.
Overview
Quantum key distribution (QKD) is a key distribution methodology involving aspects of quantum mechanics. It allows for two parties to produce a shared key which can then be used for symmetric encryption.
A key property of QKD is the fact that two communicating parties can easily detect an eavesdropper trying to gain knowledge of the key. This is due to the fact that QKD utilises superposition and/or entanglement depending on the protocol, and to gain information on the key the eavesdropper must take measurements of the particles which will result in said particles no longer being in superposition or entangled. Both parties will then notice this and if a certain threshold of tampered particles is reached, communication will be aborted. Otherwise, the key is guaranteed to be safe as the eavesdropper doesn’t have enough information on it.
The drawbacks of QKD are that it assumes that laws of quantum mechanics apply and that either party is not being impersonated by a man in the middle. This is in addition to the fact that currently a secure channel is needed to authenticate the key. This means that QKD is not very useful at the moment as, to create a secure channel using QKD, you must already have a secure channel. However, I believe this limit will be fixed as more resources are poured into it.
Protocols
There are various protocols for QKD but the two I will cover are BB84 and Decoy state. This is as BB84 is well known and a representative example protocol and Decoy State is the most widely implemented QKD scheme.
BB84
BB84 is a protocol developed by Charles Bennett and Gilles Brassard in 1984 and is still widely used. It is provably secure under the assumptions that there is an authenticated classical channel to communicate in, that the no-cloning theorem holds, that the random number generators used are truly random and that the eavesdropper doesn’t have physical access to the emitter and receiver’s computers.
It works by having an emitter and a receiver exchange single photons. The polarisation of these photons is used for encoding bit values and this would currently be done in a fibre optic cable but this may change in the future. Four polarisation states (vertical, horizontal, \(+45^{\circ}\) and \(-45 ^{\circ}\) ) are used for the encoding (eg: the vertical and \(+45^{\circ}\) states could be used to encode a 1).
No measurement by an eavesdropper could determine between all four possible states (although it can determine if two states are orthogonal).
The receiver uses filters on each of the incoming photons. Filters are used to differentiate between horizontal states and vertical states sent by the emitter. To distinguish between the diagonal states the filter must be rotated \(45^{\circ}\) (see Figure 1). If a photon is sent through a filter with the incorrect orientation then it will be randomly deflected to one of the orientations that the filter was meant to be used for. This means that it is impossible to know the states before the filter for the receiver and after the filter for the eavesdropper as they don’t have the filter configuration. The choice of which filter to use is decided randomly.
[Figure 1: Polarisation Filters]
Once a large number of photons have been exchanged, the receiver sends the filter configuration to the emitter over a classical secure channel and the emitter says when the filters were and weren’t compatible. Both sides then discard the value of the bits sent where the filter configuration was incompatible which leaves both sides with a key approximately half the length of the number of photons sent (this process is called sifting the key). The eavesdropper has no clue which bits were dropped and which weren’t so he cannot get the key.
[Figure 2: The process of BB84 key distribution]
Key distillation is then performed to account for any errors that occurred due to imperfections in the equipment or eavesdropper interference. All of these errors are assumed to be because of the eavesdropper (the worst-case scenario) and are then corrected using a classical error correction protocol. Here we can also calculate how much information the eavesdropper may have. Next, a privacy amplification protocol is applied to reduce the eavesdropper’s information on the key. Here the key is compressed by a rate dependent on the amount of information the eavesdropper may have acquired. Finally, there is an authentication step to prevent a man in the middle attack. This is done by comparing a predetermined subset of keys via a classical secure channel. Now we have a secure key that can be used for symmetric encryption.
[Figure 3: Impact of sifting and distillation steps on key size]
The problems with BB84 include: a secure channel is needed for confirming information between the receiver and emitter and the fibre optic cable used could easily be cut or blocked for a denial of service attack. Furthermore, it is hard to send single photons. This means that in actual implementations LASER pulses have to be sent at a set rate. The number of photons will be distributed with a Poisson distribution, for example with \(\lambda\) = 0.2. This means most pulses contain no photons, some have one and some have multiple, but on average a photon is sent every 5 pulses. If a pulse has more than one photon then the eavesdropper can take the extra photons and then measure them to gain info on the key without introducing any errors. This is called a photon number splitting (PNS) attack.
Decoy State
While BB84 may have theoretical backing, "Decoy State" is the most widely implemented QKD scheme. Decoy state solves the PNS issue by sending multiple qubits (i.e: photons) at randomly chosen intensity levels. One will be the actual qubit (called a signal state) and the others will be decoys. The emitter then publicly announces which intensity levels represent the signal state for each bit. For an eavesdropper to successfully acquire information without being detected, they must measure photons and maintain an error rate close to the natural error rate of the equipment. However, due to varying photon-number statistics it is impossible to maintain this error rate. This makes it Decoy State practical for real-world use.
Implementations
Currently, only a handful of companies offer QKD, these being ID-Quantique, MagiQ Technologies, QNu Labs, QuintessenceLabs, QRate and SeQureNet. It should be noted that many large companies also have active research programs in; these companies include Toshiba, IBM, Mitsubishi, HP and NTT.
Summary
To summarise, there are several different QKD protocols and each of these protocols follows a similar basic structure but vary in the specific implementation. BB84 is very secure, but is hard to implement due to difficulties producing single photons and decoy-state is again secure, but uses decoy photons instead of filters. Such protocols aren’t frequently used now but will definitely become important in the future.
Bibliography
Wikipedia Contributors. (n.d.). Quantum key distribution. Wikipedia. Retrieved 1 October 2021, from https://en.wikipedia.org/wiki/Quantum_key_distribution
Wikipedia Contributors. (n.d.). Decoy state. Wikipedia. Retrieved 1 October 2021, from https://en.wikipedia.org/wiki/Decoy_state
Wikipedia Contributors. (n.d.). BB84. Wikipedia. Retrieved 1 October 2021, from https://en.wikipedia.org/wiki/BB84
Scarani, V., & Kurtsiefer, C. (2014, September 17). The black paper of quantum cryptography: Real implementation problems. ScienceDirect. Retrieved 1 October 2021, from https://www.sciencedirect.com/science/article/pii/S0304397514006938
LO, H. K. (2005). DECOY STATE QUANTUM KEY DISTRIBUTION. International Journal of Quantum Information, 03. https://doi.org/10.1142/s0219749905001328
ID Quantique SA. (2020). Understanding Quantum Cryptography White Paper. Retrieved 1 October 2021, from https://marketing.idquantique.com/acton/attachment/11868/f-020d/1/-/-/-/-/Understanding%20Quantum%20Cryptography_White%20Paper.pdf
Decoy state explained. (n.d.). Everything Explained Today. Retrieved 1 October 2021, from http://everything.explained.today/Decoy_state/