Security in quantum cryptography

Quantum cryptography exploits principles of quantum physics for the secure processing of information. A prominent example is secure communication, i.e., the task of transmitting confidential messages from one location to another. The cryptographic requirement here is that the transmitted messages remain inaccessible to anyone other than the designated recipients, even if the communication channel is untrustworthy. In classical cryptography, this can usually be guaranteed only under computational hardness assumptions, such as when factoring large integers is infeasible. In contrast, the security of quantum cryptography relies entirely on the laws of quantum mechanics. Here this physical notion of security is reviewed, with a focus on quantum key distribution and secure communication.

Figure 1

(a) A noiseless channel that perfectly delivers the message from Alice to Bob. (b) A noisy channel that alters the message sent from Alice to Bob. (c) Alice encodes her message into a larger space, and Bob decodes it upon reception. In (a)—(c) each box represents a reactive system that produces an output upon receiving an input. Boxes with rounded corners are local operations performed by a party [such as encoding and decoding in (c)]. The rectangular box is a possibly noisy channel form Alice to Bob, which upon receiving Alice’s input produces an output at Bob’s end of the channel. The arrows represent quantum states transmitted from one system to another.

Figure 2

In the real-world ideal-world paradigm, security is defined in terms of indistinguishability. A distinguisher has black-box access to a system that, depending on an unknown bit $B$, is either the real cryptographic protocol ($B=0$) or an ideal functionality ($B=1$). After interacting with the system, the distinguisher outputs a guess $D$ for $B$. The real protocol is considered as secure as the ideal system if the success probability $\mathrm{Pr}[D=B]$ of the best possible distinguisher is close to that of a random guess, i.e., to $1/2$.

Figure 3

A constructive view of cryptography. A cryptographic protocol uses weak resources to construct other (stronger) resources. These resources are depicted in the boxes, and the arrows are protocols. Each box is a one-time-use resource, so the same resource appears in multiple boxes if different protocols require it. The long secret key resource in the center is split in three shorter keys, each of which is used by a separate protocol. The example of secure message transmission illustrated here is discussed in Sec. 7.

Figure 4

Real and ideal one-time pad systems. Boxes with rounded corners are local systems executed at Alice’s, Bob’s, or Eve’s interfaces. The rectangular boxes are shared resources modeling channels or shared keys. Arrows represent the transmission of messages between systems or to the environment (distinguisher). The real world is depicted in (a). The protocol consists of a part ${\pi }_A^{\mathrm{OTP}}$ executed by Alice (who has access to the interfaces on the left-hand side) and a part ${\pi }_B^{\mathrm{OTP}}$ executed by Bob (on the right-hand side). It takes a message $x$ at Alice’s outer interface as well as a key $k$ and outputs a ciphertext $y$ toward the authentic channel. Bob’s part of the protocol takes $y$ and $k$ as input and outputs the decrypted message. The channel may leak $y$ at Eve’s interface (at the bottom). The ideal world is depicted in (b). The secure channel transmits the message perfectly from Alice’s to Bob’s interface, leaking only the message length at Eve’s interface. The simulator ${\sigma }_E^{\mathrm{OTP}}$ generates a random string $y$ of length $|x|$, making the real and ideal systems perfectly indistinguishable. (a) The real OTP system consists of the OTP protocol $({\pi }_A^{\mathrm{OTP}},{\pi }_B^{\mathrm{OTP}})$ together with a secret key and authentic channel resources. (b) The ideal OTP system consists of the ideal secure channel and a simulator ${\sigma }_E^{\mathrm{OTP}}$.

Figure 5

Depiction of Definition t1. A protocol $({\pi }_A,{\pi }_B)$ constructs $\mathcal{S}$ from $\mathcal{R}$ within $ϵ$ if the condition illustrated here holds. The sequences of arrows at the interfaces between the objects represent arbitrary rounds of communication.

Figure 6

Depictions of some shared secret key resources. (a) A resource that always gives a key $k$ to Alice and Bob, and nothing to Eve. (b) A resource that allows Eve to decide whether Alice and Bob get a key $k$ or an error $\perp$. (c) A resource that generates a perfect key with probability $1-\delta$ and outputs an error $\perp$ with probability $\delta$.

Figure 7

The real QKD system (Alice has access to the left interface, Bob to the right interface, and Eve to the lower interface) consists of the protocol (${\pi }_A^{\mathrm{QKD}},{\pi }_B^{\mathrm{QKD}}$), the insecure quantum channel $\mathcal{Q}$ in (a) [a noisy channel ${\mathcal{Q}}^{\prime }$ in (b)], and the two-way authentic classical channel $\mathcal{A}$ [${\mathcal{A}}^{\prime }$ in (b)]. As before, arrows represent the transmission of classical or quantum messages. The protocols of Alice and Bob (${\pi }_A^{\mathrm{QKD}},{\pi }_B^{\mathrm{QKD}}$) abort if they detect too much interference, i.e., if ${\rho }^{\prime }$ is not similar enough to $\rho$ to obtain a secret key of the desired length. They run the classical postprocessing over the authentic channel, obtaining keys $k_A$ and $k_B$. The message $t$ depicted on the two-way authentic channel represents the entire transcript of the classical communication between Alice and Bob during the protocol. (a) Eve’s interfaces of the channel resources give her full access to the quantum communication and allow her to read the messages on the authentic channel. (b) In a model with natural noise, the resources $\mathcal{Q}$ and $\mathcal{A}$ are replaced by nonmalicious variants ${\mathcal{Q}}^{\prime }$ and ${\mathcal{A}}^{\prime }$ that have a blank interface for Eve and a fixed noise model for the channel ${\mathcal{Q}}^{\prime }$.

Figure 8

Key resource from Fig. 6 with a simulator ${\sigma }_E$. This corresponds to the ideal world in Eq. (8).

Figure 9

The distinguisher interacting with either the real or ideal QKD system first receives a register $C$ containing the quantum states sent from Alice to Bob. It applies a map $\mathcal{E}:\mathcal{L}({\mathcal{H}}_C)\to \mathcal{L}({\mathcal{H}}_{C{E}^{\prime }})$ of its choice, keeps the $E^{\prime }$ register, and puts $C$ back in the insecure channel. Finally, it gets the transcript of the classical communication $T$, and Alice’s and Bob’s outputs $A$ and $B$. It thus holds a state ${\rho }_{AB{E}^{\prime }T}$, which it measures to decide whether it was interacting with the real or ideal system.

Figure 10

The ideal QKD system (Alice has access to the left interface, Bob has access to the right interface, and Eve has access to the lower interface) consists of the ideal secret key resource and a simulator ${\sigma }_E^{\mathrm{QKD}}$.

Figure 11

Generic QKD protocol.

Figure 12

Prepare-and-measure raw key distribution.

Figure 13

Entanglement-based raw key distribution.

Figure 14

Entanglement-based raw key distribution with postponed measurement.

Figure 15

Parameter estimation.

Figure 16

Information reconciliation.

Figure 17

Privacy amplification.

Figure 18

A secret key resource with adaptive key length. This resources allows Eve to choose the length $m$ of the final key $k$, which is then output at Alice’s and Bob’s interfaces.

Figure 19

A real QKD system that uses a source of entangled states. Instead of having access to an insecure channel as in Fig. 7, Alice and Bob use a source of entanglement $\mathcal{E}$ that is controlled by Eve. This means that Eve may generate an arbitrary state ${\rho }_{ABE}$, of which the $A$ register goes to Alice and the $B$ register goes to Bob.

Figure 20

We split Alice’s part of an entanglement-based QKD protocol into two parts, the measurement of the incoming states (denoted by $\alpha$) and the rest of the protocol (denoted by ${\pi }_A^{\mathrm{QKD}}$).

Figure 21

Pictorial proof for the security of the construction of $\alpha \mathcal{E}$ from $\mathcal{Q}$ and $\alpha {\mathcal{E}}^{\prime }$ from ${\mathcal{Q}}^{\prime }$. Any protocol that is designed to run with a source of entangled states $\mathcal{E}$ and that measures the incoming states on Alice’s side as does $\alpha$ can be equivalently used with an insecure channel $\mathcal{Q}$ and a converter $\gamma$ that generates the states to be sent on the channel. (a) When modeling soundness, the adversary can modify the messages on the insecure channel $\mathcal{Q}$. The simulator ${\sigma }_E$ generates the entangled state ${\rho }_{AB}$ that is expected from a nonadversarial source of entangled states and outputs the $B$ part at the outer interface, making the systems on the left and right indistinguishable. (b) When modeling completeness, the source of entanglement ${\mathcal{E}}^{\prime }$ prepares the state ${\rho }_{AB}$. The systems on the left and right are indistinguishable.

Figure 22

A real QKD system with a deterministic protocol $({\pi }_A^{\mathrm{QKD}},{\pi }_B^{\mathrm{QKD}})$ and explicit sources of randomness ${\mathcal{R}}_A$ and ${\mathcal{R}}_B$.

Figure 23

The real-world setting for a DI-QKD protocol. Eve can program the devices $\mathcal{D}$ but cannot receive any output from them.

Figure 24

The real-world setting for a MDI-QKD protocol. The only quantum operations performed by ${\pi }_A^{\mathrm{MDI}\mathrm{QKD}}$ and ${\pi }_B^{\mathrm{MDI}\mathrm{QKD}}$ are the generation of quantum states. The communication resources $\mathcal{C}$ send quantum systems from Alice or Bob to Eve, and classical bits from Eve to Alice and Bob.

Figure 25

An authentic channel resource. The message input at Alice’s interface is visible to Eve, who gets to decide whether Bob receives it or not. But this guarantees that if Bob does receive a message, it corresponds to the one sent by Alice.

Figure 26

The real authentication system consists of the authentication protocol $({\pi }_A^{\mathrm{auth}},{\pi }_B^{\mathrm{auth}})$ as well as the secret key and insecure channel resources $\mathcal{K}$ and $\mathcal{C}$. As in previous illustrations, Alice has access to the left interface, Bob has access to the right interface, and Eve has access to the lower interface.

Figure 27

The ideal authentication system (Alice has access to the left interface, Bob has access to the right interface, and Eve has access to the lower interface) consists of the ideal authentication resource and a simulator ${\sigma }_E^{\mathrm{auth}}$.

Figure 28

A secret key resource allowing Eve to control who gets the key: the2 bits Eve inputs control whether Alice or Bob obtain, respectively, a key or an error message from the resource.

Figure 29

A secure channel that allows Eve to learn the length of the message and prevent Bob from receiving it. When Alice inputs a message $x$ at her interface, information about the length of the message is given to Eve, who can additionally press a switch that either delivers Alice’s message to Bob or instead provides him with an error message $\perp$.

Figure 30

Composition of QKD, authentication, and OTP protocols. For simplicity, we have drawn only one round of authentication as a subroutine of QKD as ${\pi }_{AB}^{\mathrm{auth}}({\mathcal{K}}^{a_{\mathrm{QKD}}}\parallel \mathcal{C})$ (red solid line). The QKD protocol ${\pi }_{AB}^{\mathrm{QKD}}$ (violet dashed line) constructs a shared key resource that produces the long key $(k_1,k_2,k_3)$. The second authentication protocol ${\pi }_{AB}^{\mathrm{auth}}$ (blue densely dotted line) then uses part of this key to construct another authentic channel, and the OTP protocol ${\pi }_{AB}^{\mathrm{OTP}}$ (green dash-dotted line) uses another part of this key to encrypt and decrypt the message sent on the channel.

Figure 31

A secure quantum channel that allows Eve to learn the length of the quantum message (informally denoted as $|\rho |$) and prevent Bob from receiving it. When Alice inputs a message $\rho$ at her interface, information about the length of the message is given to Eve, who can additionally flip a switch that either delivers Alice’s message to Bob or provides him with an error message $\perp$.

Figure 32

The ideal system for a secure channel with key recycling. It consists of a secure channel $\mathcal{S}$ and key resource $\mathcal{K}$. The adversary controls the length of the recycled key (through her input to $\mathcal{K}$), as well as whether the receiver obtains the message (through her input to $\mathcal{S}$).

Figure 33

Ideal DQC resource. The client has access to the left interface, and the server has access to the right interface. The server obtains some information $\ell$ about the input and can decide whether the client gets the correct outcome or an error by inputting a bit $c$.

Figure 34

An ideal world in which a secret key is produced by $\mathcal{K}$ and new devices ${\mathcal{D}}_A$ and ${\mathcal{D}}_B$ independent of $\mathcal{K}$ are accessible to the players.