Broken Quantum Cryptography FAQ

• Q1: Why do you say that Quantum Cryptography (QC) is broken?

  (Headlines are headlines, but nevermind)

  We have

      a) found a gap in the security proof of QC, and
      b) found out what to do to make use of the gap.

  This can be read as having "broken" the system, in plain English. We have also

      c) found a way to close the gap,

  which of course is good.

• Q2: So is ideal QC broken?

  No. The ideal case (with ideal components and where no noise is allowed in the system) is still secure.

• Q3: So is practical QC broken now, forever?

  No. The modification we propose will close the gap in the security proof. Also, the gap would be difficult to make use of. As in all good science (including practical QC itself) there is a number of ifs and buts.

• Q4: Where in QC lies the problem?

  In QC, the users transmit (or generate) a cryptographic key on a quantum channel. They need to communicate on a regular (classical) channel as well. Changes to the quantum transmission can be detected by looking at the noise level. Changes to the classical transmission cannot; authentication is needed. The problem is in the authentication.

• Q5: What is the problem in the authentication?

  The authentication protocol used ("Wegman-Carter") needs cryptographic key to work. So the users need to share key initially to start up the system. This is done by other means than QC when the system is set up. The initially shared key is consumed, and after a while the users need to authenticate with QC-generated, and therefore not completely secret key.

• Q5: But Wegman-Carter authentication is unbreakable?

  Yes, it is insensitive to a) partly known key, and also to b) message chosen by the adversary. But it is only insensitive to these one at a time. In QC, we have both problems simultaneously. The key is partly known, being generated in an earlier QC round, and the message is partly chosen by the adversary, since it is influenced by events on the quantum channel. This is the root of the problem.

• Q6: What do you mean when say your modification makes QC secure?

  The security is restored to (almost) the level of first-round QC, i.e., that of using a secret key for authentication. In this situation, there are other results that establish security.

• Q7: What is the nature of your modification?

  The modification proposed in our paper is basically an extra exchange of a small amount of random bits (not key bits) on the classical channel. It does not degrade performance of a QC system noticeably. It is difficult to make use of the gap, but nevertheless, we recommend usage of this or an equivalent extra security measure in QC.

• Q8: Where can I find your paper?

  At IEEE Trans. Inf. Theory or quant-ph/0611009.

• Q9: Who are you?

  Jörgen Cederlöf (jc@lysator.liu.se), MSc, currently with Google Inc., Mountain View, CA, USA; and
  Jan-Åke Larsson (see right), PhD, docent, associate professor at Linköping University, Sweden.