Research on the border
between Quantum Cryptography and State-of-the-art Classical
Cryptography
Project within CENIIT, the
Center for Industrial Information Technology
Jan-Åke Larsson, Information Coding, ISY
(The text below is only available in English; contact
me for information in Swedish.)
Overview
Quantum Cryptography (QC) is an emerging technology in
communication security which is attracting much attention
presently. It combines cutting-edge quantum technology with classical
cryptographic techniques to make communication systems unconditionally
secure. It was first conceived in the early eighties but the present
interest is much dependent on recent technological developments that
enable its usage outside the laboratory. The benefit of using QC is
that the security of the system is based on laws of nature rather than
computational complexity, as is the case in so-called Public Key
Cryptography. The advances in technology have resulted in a few
commercial products,
from idQuantique
and MagiQ Technologies.
Another less successful attempt
was SmartQuantum which
recently (2010) went out of business. There are a number of other
companies that are doing research and product development on QC
including Hitachi, NEC, and Siemens, and a number of these have
prototypes ready. Recently
the SECOQC backbone was started in
Vienna as the endpoint of an Integrated Project within the Sixth
Framework Programme of the European Union. Another example is
the Swiss Quantum network
connecting CERN, the University of Geneva, and the University of
Applied Sciences Western Switzerland, which is used to secure data
from the Large Hadron Collider.
In QC, the users transmit (or generate) a cryptographic key on a
quantum channel, but also need to communicate on a regular (classical)
channel to establish the key. Changes to the quantum transmission can
be detected by looking at the noise level. Changes to the classical
transmission cannot; authentication is needed. For the moment,
this project is focused on security of the authentication system used
in practical systems. The authentication protocol proposed for use in
QC ("Wegman-Carter authentication") is theoretically secure on its
own, but J. Cederlöf and I [IEEE
Trans. Inf. Theory, 54:1735, 2008] have found that some care
should be taken when using it as part of a QC system. The present
security proofs do not give the correct lifetime for repeated use
of a practical QC device. This problem arises at the borderline
between the quantum and the classical parts of the system. In the
referenced paper, we also propose a simple solution to this problem,
that does not degrade the performance of the system.
The mentioned authentication protocol needs cryptographic key to
work, so the system will consume some of its own generated key. And
authentication protocols that consume less key are better, because the
system will produce more key that can be used for other
purposes. There are some proposals, but we have found that care needs
to be taken in selecting which to use and how to use it, since less
used key tends to imply a weaker authentication, see for example the
paper by A. Abidin and myself [International
Journal of Quantum Information, 7:1047-1052, 2009] on the
vulnerability of one such proposal.
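As an added illustration (not code from the project or the cited papers), the following sketch shows Wegman-Carter authentication with a strongly universal2 hash family over GF(p), checks the universality property exhaustively for a small prime, and accounts for the key each tag consumes; the affine family h_{a,b}(m) = a·m + b mod p, the prime p, and the key pool are assumptions of the example.

```python
"""Wegman-Carter authentication over GF(p) with a strongly universal_2 family.

Added example, not code from the project or the cited papers. The affine family
h_{a,b}(m) = (a*m + b) mod p is strongly universal_2: for m != m' and any tags
(t, t') exactly one key (a, b) sends m -> t and m' -> t'. Messages are single
field elements; the prime p and the key pool are constructed test values.
"""
import hmac
from itertools import product


def su2_hash(a: int, b: int, m: int, p: int) -> int:
    """Affine hash over GF(p). With a fixed and b fresh per message this is the
    universal hash a*m one-time-padded with b: the Wegman-Carter construction."""
    return (a * m + b) % p


def su2_property_holds(p: int) -> bool:
    """Exhaustively check the strongly universal_2 property for a small prime p:
    every (m, m', t, t') with m != m' is reached by exactly one key (a, b)."""
    for m, m2, t, t2 in product(range(p), repeat=4):
        if m == m2:
            continue
        hits = sum(1 for a, b in product(range(p), repeat=2)
                   if su2_hash(a, b, m, p) == t and su2_hash(a, b, m2, p) == t2)
        if hits != 1:
            return False
    return True


class KeyPool:
    """Authentication key delivered by QKD, modelled as elements of GF(p).
    consumed_bits records how much of the generated key authentication eats."""
    def __init__(self, elements, p: int):
        self.elements, self.p, self.consumed_bits = list(elements), p, 0

    def take(self) -> int:
        if not self.elements:
            raise RuntimeError("authentication key exhausted; run QKD again")
        self.consumed_bits += self.p.bit_length()
        return self.elements.pop(0)


def tag_fresh_su2(pool: KeyPool, m: int) -> int:
    """Tag with a fresh SU2 key (a, b): two field elements consumed per message."""
    a, b = pool.take(), pool.take()
    return su2_hash(a, b, m, pool.p)


class WegmanCarter:
    """Fix the hash key a once and one-time-pad each tag with a fresh b, so one
    field element is consumed per message: the same pool authenticates about
    twice as many messages as tag_fresh_su2 at the same forgery bound 1/p."""
    def __init__(self, pool: KeyPool):
        self.pool, self.a = pool, pool.take()

    def tag(self, m: int) -> int:
        return su2_hash(self.a, self.pool.take(), m, self.pool.p)

    def verify(self, m: int, t: int) -> bool:
        """Receiver side: recompute with the mirrored key stream, compare safely."""
        n = (self.pool.p.bit_length() + 7) // 8
        expected = self.tag(m).to_bytes(n, "big")  # always consume, to stay in sync
        return 0 <= t < self.pool.p and hmac.compare_digest(expected, t.to_bytes(n, "big"))
```

Sender and receiver must hold identical key pools and consume them in lockstep; the consumed_bits counter makes the difference in key consumption between the two tagging modes visible.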
In QC, much research and development activity is presently centred
on practical devices for deployment in existing networks, and their
security. This project is intended to do theoretical but directly
applicable research, specifically to establish security of practical
(even commercial) systems. The current focus is on the authentication
protocols proposed for QC that consume less key than Wegman-Carter
authentication. The main issues are a) to review existing
authentication proposals and their use in QC, b) to quantify the
extent of any problems with each proposal, and c) to devise secure
procedures for its use in QC. We are also looking at the notion of
"universal composability" as used in current security proofs of QC,
and its application within the authentication framework. An extension
would be to investigate how our findings apply to other combined
quantum-classical systems and their sensitivity to this type of
problem.
Another project which is just starting is intended to study one
particular encoding technique known as energy-time entanglement, which
is very different in nature from, e.g., polarization entanglement.
Entanglement is a property that is only present in truly
quantum-mechanical systems, and this can be tested via a "Bell
inequality", a statistical bound for the results of certain
measurements. A violation of the bound ensures that the system truly
is quantum-mechanical, from which it can be inferred that the intended
QC system truly is secure. However, energy-time entanglement has
been found to need stronger tests than the standard Bell inequality.
This project aims to evaluate effects of these more restrictive
security tests. Questions concerning issues like the size of the
security margin, noise tolerance, range, and key output rate will be
addressed in this project. The ultimate goal of this project is to
strengthen the security, and to improve the performance of
energy-time-entanglement-based QC. This will be achieved by using
more suitable inequalities as tests of security, made available by
recent developments in research on Bell inequalities and their
properties. Another intent is to go to higher-dimensional systems,
where each photon encodes a number ranging from 0 up to some chosen
N>1. This is relatively easy in the energy-time setup as compared with
polarization-based QC, and enables both a higher rate in bits per
photon, and better security tests in terms of a stronger
violation. There are also other extensions such as the behaviour of
quantum repeaters using this coding, quantum secret sharing systems,
and so on.
Current status
At the moment, Aysajan Abidin (a PhD student funded by the Research
school in Interdisciplinary Mathematics at the department of
Mathematics) is working with me on authentication within QC. The most
recent developments include results on information-theoretically
secure hash functions that were presented at Western European Workshop
on Research in Cryptology (WEWoRC) 2011, Weimar, Germany, July 2011.
Aysajan gave a talk with the title "New Universal Hash Functions", and
a paper on this will appear in the conference proceedings. We have
also contributed to QCRYPT at ETH Zürich, September 2011, the
contribution had the title "Security of Authentication with a Fixed
Key in Quantum Key Distribution". This caused quite some discussion,
and the curious can find more information in the
preprint arxiv.org/abs/1109.5168.
We have continued work on our 2009 paper on two-step authentication
mentioned above, and have found general requirements that such a
system needs to fulfil to be information-theoretically
complete. Together with the group that proposed the system (at
the
Austrian Institute of Technology,
Universität Wien, and the Institut
für Quantenoptik und Quanteninformation), we have also analysed the
weaknesses of the system they proposed, and the improvements that are
possible. This has been presented as a poster at QCRYPT at ETH Zürich,
September 2011, and more thoroughly as a talk at SPIE Security +
Defence in Prague, September 2011. A longer paper with the full
results, intended for a journal, is under preparation.
Finally, some basic questions of energy-time entanglement have been
answered
in arxiv.org/abs/1103.6131,
but there are several open problems.
Industrial relevance
There are a number of other companies that are doing research and
product development on QC including Hitachi, NEC, and Siemens, and a
number of these have prototypes ready. As mentioned, the advances in
technology have resulted in a few commercial products,
from idQuantique
and MagiQ Technologies (a third
from SmartQuantum is not in
production anymore). The present project has the best contacts with
idQuantique; currently we are reviewing the authentication system that
they use. Contact persons at idQuantique are Gregoire Ribordy (CEO)
and Matthieu Legré.
Within Sweden there is not so much industrial activity. There is a
substantial academic interest in Sweden centered around optical
equipment, most notably at KTH and SU. The Linnaeus Center for
Advanced Optics and Photonics at KTH is very interested in the output
of my group since they are actively investigating the quantum-optical
side of QC. I have particularly good contacts with Mohamed
Bourennane's group in quantum optics at Fysikum, Stockholm.
Also, the Vinnova project "All-optical overlay networks"
(joint between KTH, LiU, and Handelshögskolan) has shown interest,
since QC is one product that demands access to the optical
network. The project is a cooperation between the division of
information coding at ISY, Linköping; KTH (School of Information and
Communication Technology); Stockholm School of Economics and Net
Insight AB. The project is financed by Vinnova and Net Insight AB.
Jan-Åke Larsson
Contact:
Institutionen för Systemteknik
Linköpings Universitet
It has long been argued that the best-effort strategy on which the Internet is based will limit its use for real-time applications such as video or telephony. However, it has been shown that such services can indeed tolerate some jitter and rate variations through various error resilience and concealment techniques. Despite the fact that the Internet infrastructure is continuously upgraded with higher performance components, which further reduce the transmission problems, there are still certain classes of applications that undoubtedly will need new transmission paradigms. An example is the remote control of an industrial process that may require jitter levels down to a few microseconds. Another example is quantum cryptography, where an optically transparent path between sender and receiver is to be established. In this paper we present a concept based on an optical overlay network infrastructure. This network concept can be applied in an incremental way and will enable the current network infrastructure to handle demands with such extreme QoS requirements.
Keywords
hybrid network; overlay; circuit-switching; real-time; hard QoS; all-optical; time-critical transmission, Engineering and Technology
BIBTEX
@article{diva2:343155,
author = {Forchheimer, Robert and Wosinska, Lena and Monti, Paolo},
title = {{An Optical Overlay Network Concept for Hard QoS Requirements}},
journal = {ICTON: 2009 11TH INTERNATIONAL CONFERENCE ON TRANSPARENT OPTICAL NETWORKS, VOLS 1 AND 2},
year = {2009},
pages = {1195--1198},
}
In this paper, we review and comment on "A novel protocol-authentication algorithm ruling out a man-in-the-middle attack in quantum cryptography" [M. Peev et al., Int. J. Quant. Inf. 3 (2005) 225]. In particular, we point out that the proposed primitive is not secure when used in a generic protocol, and needs additional authenticating properties of the surrounding quantum-cryptographic protocol.
@article{diva2:234516,
author = {Abidin, Aysajan and Larsson, Jan-Åke},
title = {{Vulnerability of "A Novel Protocol-Authentication Algorithm Ruling out a Man-in-the-Middle Attack in Quantum Cryptography"}},
journal = {International Journal of Quantum Information},
year = {2009},
volume = {7},
number = {5},
pages = {1047--1052},
}
Unconditionally secure message authentication is an important part of Quantum Cryptography (QC). We analyze security effects of using a key obtained from QC for authentication purposes in later rounds of QC. In particular, the eavesdropper gains partial knowledge on the key in QC that may have an effect on the security of the authentication in the later round. Our initial analysis indicates that this partial knowledge has little effect on the authentication part of the system, in agreement with previous results on the issue. However, when taking the full QC protocol into account, the picture is different. By accessing the quantum channel used in QC, the attacker can change the message to be authenticated. This together with partial knowledge of the key does incur a security weakness of the authentication. The underlying reason for this is that the authentication used, which is insensitive to such message changes when the key is unknown, becomes sensitive when used with a partially known key. We suggest a simple solution to this problem, and stress usage of this or an equivalent extra security measure in QC.
Keywords
Natural Sciences
BIBTEX
@article{diva2:260369,
author = {Cederlöf, Jörgen and Larsson, Jan-Åke},
title = {{Security aspects of the Authentication used in Quantum Cryptography}},
journal = {IEEE Transactions on Information Theory},
year = {2008},
volume = {54},
number = {4},
pages = {1735--1741},
}
The use of entanglement by a quantum-cryptographic protocol to transfer the data was discussed. An individual eavesdropping attack on each qubit is detected by the security test where the qubits provide the key, but there exists a coherent attack internal to these groups which goes unnoticed in security tests. The result shows that the level of the individual qubits also detects the coherent attack by testing equality for the measurements. A modified test was proposed to ensure security against a coherent attack.
Keywords
Natural Sciences
BIBTEX
@article{diva2:243445,
author = {Larsson, Jan-Åke},
title = {{No information flow using statistical fluctuations and quantum cryptography}},
journal = {Physical Review A},
year = {2004},
volume = {69},
number = {4},
pages = {042317},
}
Quantum Cryptography, or more accurately, Quantum Key Distribution (QKD) is based on using an unconditionally secure "quantum channel" to share a secret key among two users. A manufacturer of QKD devices could, intentionally or not, use a (semi-) classical channel instead of the quantum channel, which would remove the supposedly unconditional security. One example is the BB84 protocol, where the quantum channel can be implemented in polarization of single photons. Here, use of several photons instead of one to encode each bit of the key provides a similar but insecure system. For protocols based on violation of a Bell inequality (e.g., the Ekert protocol) the situation is somewhat different. While the possibility is mentioned by some authors, it is generally thought that an implementation of a (semi-) classical channel will differ significantly from that of a quantum channel. Here, a counterexample will be given using an identical physical setup as is used in photon-polarization Ekert QKD. Since the physical implementation is identical, a manufacturer may include this modification as a Trojan Horse in manufactured systems, to be activated at will by an eavesdropper. Thus, the old truth of cryptography still holds: you have to trust the manufacturer of your cryptographic device. Even when you do violate the Bell inequality.
Keywords
quantum cryptography, Trojan Horse, Ekert protocol, Bell inequality, Natural Sciences
BIBTEX
@article{diva2:259439,
author = {Larsson, Jan-Åke},
title = {{A practical Trojan Horse for Bell-inequality-based quantum cryptography}},
journal = {Quantum Information and Computation},
year = {2002},
volume = {2},
pages = {434--442},
}
Aysajan Abidin, Christoph Pacher, Thomas Lorünser, Jan-Åke Larsson, Momtchil Peev, "Quantum cryptography and authentication with low key-consumption", Proceedings of SPIE - The International Society for Optical Engineering, Proceedings of SPIE, Vol. 8189, 818916-, 2011.
Quantum Key Distribution (QKD - also referred to as Quantum Cryptography) is a technique for secret key agreement. It has been shown that QKD rigged with Information-Theoretic Secure (ITS) authentication (using secret key) of the classical messages transmitted during the key distribution protocol is also ITS. Note, QKD without any authentication can trivially be broken by man-in-the-middle attacks. Here, we study an authentication method that was originally proposed because of its low key consumption; a two-step authentication that uses a publicly known hash function, followed by a secret strongly universal2 hash function, which is exchanged each round. This two-step authentication is not information-theoretically secure but it was argued that nevertheless it does not compromise the security of QKD. In the current contribution we study intrinsic weaknesses of this approach under the common assumption that the QKD adversary has access to unlimited resources including quantum memories. We consider one implementation of Quantum Cryptographic protocols that use such authentication and demonstrate an attack that fully extracts the secret key. Even including the final key from the protocol in the authentication does not rule out the possibility of these attacks. To rectify the situation, we propose a countermeasure that, while not information-theoretically secure, restores the need for very large computing power for the attack to work. Finally, we specify conditions that must be satisfied by the two-step authentication in order to restore information-theoretic security.
Keywords
Natural Sciences
BIBTEX
@inproceedings{diva2:515405,
author = {Abidin, Aysajan and Pacher, Christoph and Lorünser, Thomas and Larsson, Jan-Åke and Peev, Momtchil},
title = {{Quantum cryptography and authentication with low key-consumption}},
booktitle = {Proceedings of SPIE - The International Society for Optical Engineering},
year = {2011},
series = {Proceedings of SPIE},
volume = {8189},
pages = {818916--},
}
Secure message authentication is an important part of Quantum Key Distribution. In this paper we analyze special properties of a Strongly Universal2 hash function family, an understanding of which is important in the security analysis of the authentication used in Quantum Cryptography. We answer the following question: How much of Alice's message does Eve need to influence so that the message along with its tag will give her enough information to create the correct tag for her message?
@inproceedings{diva2:221270,
author = {Abidin, Aysajan and Larsson, Jan-Åke},
title = {{Special Properties of Strongly Universal$_{2}$ Hash Functions Important in Quantum Cryptography}},
booktitle = {AIP Conference Proceedings, ISSN 0094-243X, Foundations of Probability and Physics--5, Växjö, augusti 2008},
year = {2009},
pages = {289--293},
publisher = {American Institute of Physics},
address = {New York},
}
@inproceedings{diva2:258010,
author = {Larsson, Jan-Åke and Cederlöf, Jörgen},
title = {{Security aspects of the authentication used in quantum key growing}},
booktitle = {Advanced Free-Space Optical Communication Techniques/Applications III,2006},
year = {2006},
pages = {63990H--},
publisher = {SPIE The International Society for Optical Engineering},
address = {Washington},
}
Authentication is an indispensable part of Quantum Cryptography, which is an unconditionally secure key distribution technique based on the laws of nature. Without proper authentication, Quantum Cryptography is vulnerable to "man-in-the-middle" attacks. Therefore, to guarantee unconditional security of any Quantum Cryptographic protocol, the authentication used must also be unconditionally secure. The standard in Quantum Cryptography is to use the Wegman-Carter authentication, which is unconditionally secure and is based on the idea of universal hashing.
In this thesis, we first investigate properties of a Strongly Universal hash function family to facilitate understanding the properties of (classical) authentication used in Quantum Cryptography. Then, we study vulnerabilities of a recently proposed authentication protocol intended to rule out a "man-in-the-middle" attack on Quantum Cryptography. Here, we point out that the proposed authentication primitive is not secure when used in a generic Quantum Cryptographic protocol. Lastly, we estimate the lifetime of authentication using encrypted tags when the encryption key is partially known. Under simplifying assumptions, we derive that the lifetime is linearly dependent on the length of the authentication key. Experimental results that support the theoretical results are also presented.
Keywords
Natural Sciences
BIBTEX
@phdthesis{diva2:324702,
author = {Abidin, Aysajan},
title = {{Weaknesses of Authentication in Quantum Cryptography and Strongly Universal Hash Functions}},
school = {Linköping University},
type = {{Linköping Studies in Science and Technology. Thesis No. 1447}},
year = {2010},
address = {Sweden},
}
The thesis presents the basics of Quantum Key Distribution, a survey of the present techniques, a look at the possible future, and finally a comparison to the alternative technique of using public key or manual distribution of keys.
Techniques to integrate QKD with the existing telecom fiber infrastructure have been studied, and so has the EU-funded project SECOQC.
Last, the security and efficiency of QKD have been examined, with focus on what level of security is required; existing security solutions have been used as a comparison.
@mastersthesis{diva2:211122,
author = {Vestgöte, Karl},
title = {{Quantum Key Distribution - current state of the technology and prospects in the near future}},
school = {Linköping University},
type = {{LiTH-ISY-EX-ET--09/0358--SE}},
year = {2009},
address = {Sweden},
}
Quantum key growing, often called quantum cryptography or quantum key distribution, is a method using some properties of quantum mechanics to create a secret shared cryptography key even if an eavesdropper has access to unlimited computational power. A vital but often neglected part of the method is unconditionally secure message authentication. This thesis examines the security aspects of authentication in quantum key growing. Important concepts are formalized as Python program source code, a comparison between quantum key growing and a classical system using trusted couriers is included, and the chain rule of entropy is generalized to any Rényi entropy. Finally and most importantly, a security flaw is identified which makes the probability to eavesdrop on the system undetected approach unity as the system is in use for a long time, and a solution to this problem is provided.