Blog

Asymmetric Cryptography and QKD, Part 2

Can QKD replace asymmetric key exchange algorithms?

The transition to quantum-resistant cryptography is generating a strong debate between supporters and opponents of alternatives to resistant key exchange channels, including the deployment of QKD. This is a rather turbulent area, where all the proposed and used solutions have their advantages and disadvantages. In the case of deployment, it is therefore necessary to know the limitations of these proposals and choose the protection method carefully according to the desired purpose.

What QKD (Quantum Key Distribution) offers

If I am not mistaken, no method of distributing key material via a quantum channel can yet be purely quantum, but this cannot be perceived as a weakness. The strength of these protocols lies precisely in the ability to distribute information, while any attempt at eavesdropping also detects this eavesdropping. All of these protocols use a classical communication channel for distributing supporting information. On the other hand, the basic feature of QKD is the distribution of key material and the detection of eavesdropping. It is just that each protocol approaches this differently. As a problem from the perspective of cryptography, I see the need to address the integrity of communication via a separate channel or externally. It is also very problematic to determine when the classical key exchange ends and when the agreement on a shared secret begins. Classical key exchange describes a situation where one party generates a key and sends it to the other party. In contrast, key agreement is a situation where the parties agree on key material, which is not transported, by exchanging specific information.

From the point of view of cryptography, QKD is one of the specific versions of the KEM protocol. More precisely, a protocol that ensures key agreement and at the same time solves eavesdropping detection. As already mentioned, it is currently unable to solve the problems associated with authentication, verification of the identity of the counterparty and digital signature. But that is not its purpose. One of the most important steps in the case of QKD is the disposal of any information that the attacker could have obtained. In English, the term “Privacy amplification” is used for this. At this time, the key material itself is created from a long string of characters that are the result of the measurement using a hash function. At the moment, the following protocols are used to distribute information to derive the key:

BB84

1984, Charles Bennet and Gilles Brassard

This is probably the best-known protocol. It is based on the encoding of quantum states in two bases. It is most often implemented and explained using the polarization of a light signal, i.e. electromagnetic radiation. During communication, one party sends signals using two different polarizations and two different bases. This means a total of four states in two bases. As a rule, in one base, logical 0 and logical 1 are at an angle of 90˚ to each other. When transmitting, randomly chosen bases are then used, which are inclined at 45° to each other (otherwise π/4). So the first base is 0˚, 90° and the second base is 45° and 135°. The other party then measures the input in a randomly chosen polarization and evaluates the results based on the received values. If its choice of base is the same, it gets the correct bit, if it is different, it gets a random value. After the classical channel, the counterparties compare information about the bases used (not about the bits, i.e. about the polarization). It is also necessary to verify the error rate of the channel and ensure error correction. Thanks to this, both the detection of eavesdropping and the distribution of the key material are ensured.

Physical inference – Malus' law: If the plane of polarized light is rotated by 90˚ relative to the plane of the polarization filter, no radiation will pass. If the planes are oriented the same way, the radiation will pass. Finally, if they are at an angle of 45˚ to each other, half of the photons will pass.

E91

1991, Artur Ekert

It uses quantum entanglement. The advantage of this approach is security based on quantum entanglement and Bell inequalities. Secure operation of the channel requires sufficient violation of Bell inequalities, its reduction is demonstrated by its error rate or attack by an attacker. This solution is more elegant than BB84, but on the other hand more demanding to implement. At the beginning, the source of entangled photons is at the sender. These photons are distributed to both sides. If the sender measures one logical state on his device, the receiver, depending on the chosen bases, measures the corresponding correlated state. This correlation of states can also be used to detect attacks on the communication channel. After the transmission is completed, they exchange information about the used measurement bases and part of the measured data using a classical channel, from which the QBER can be determined and Bell correlations evaluated. Based on the error rates, it is possible to provide indirect evidence of an attack on the communication channel.

Physical insert – Bell's inequalities: As a simplified idea, it is possible to use a set of envelopes. In one, I write yes as the answer, in the other, no. I randomly take one of the envelopes and send it, so the other party knows which envelope I have. There is a correlation of states between the envelopes, determined during their preparation. Thus, the correlation (the average value of measuring relationships) corresponds to ⎮S⎮≦2 In the quantum world, however, this change only occurs during measurement. We can imagine this as a situation where the measurement of one state determines the state of the other. Or even whoever measures first, in fact, decides what the other party will see. Bell described these relations in quantum physics and here we arrive at the value ⎮S⎮≦2√2≈2.828. Deviations from these values downwards are therefore suspicious, they cannot go upwards.

Decoy-State BB84

2005 group of authors Hoi-Kwong Lo, Xiongfeng Ma and Kai Chen, and authors Xiang-Bin Wang and Oliver Marquardt

Creating a source capable of sending a single photon is an extremely challenging task and at the same time a huge weakness of the protocol BB84. An ideal single-photon source practically does not exist, so the sent signal was usually multi-photon. For this reason, the Photon Number Splitting Attack was designed, which worked with the possibility of capturing one or more photons. Today, although we have technologies capable of at least partially solving such a task, their availability is limited. An example of a solution is the use of True Single-Photon Emitters (SPS, uses quantum dots) or Parametric Down-Conversion (SPDC). content is transmitted using coherent pulses of different intensities. These intensities are called the signal used for data transmission, the decoy as bait, the false information or noise and finally the vacuum state, which is used for testing noise and receiver properties. Using a classical channel, the counterparts then compare information about the used bases (not polarizations) and information about the used pulse intensities.

CV-QKD

1999-2003, authors T.C. Ralph, M. Hillery, F. Grosshans and P. Grangier, further Ch. Silberhorn, N. Lütkenhaus, B. Huttner and S. L. Braunstein

Continuous Variable QKD uses continuous quantities of light instead of individual photons. For example, the amplitude and phase are used, similar to classical optical communication. The channel itself adds some noise, so a large number of measurements need to be made. And any additional measurements that may occur along the path add additional noise. Therefore, it is continuously evaluated if it exceeds a certain limit, it is impossible to distinguish a possible eavesdropping from ordinary noise and it is not possible to extract the key safely. Currently, this procedure is compatible with telecommunications traffic, but it is very sensitive to noise.

MDI-QKD

2011, Hoi-Kwong Lo, Mohsen Curty, and Bing Qi

Measurement Device Independent QKD is a protocol based on the BB84 protocol, but this time they do not exchange information directly. These quantum states are sent to a third party, which performs a Bell State Measurement and reports its result to both communication partners. In this communication, the third party is not considered trustworthy. Since the information is sent by both communication partners simultaneously, the third party knows the origin of the individual signals, but does not have enough information to derive the resulting key. Nevertheless, it can measure the result, i.e. the correlation of the individual states. Based on information about these measurements and the parties' knowledge of the detected states (base, statistics, information for error correction), it is possible to deduce a common key.

DI-QKD

2005-2010 authors Jonathan Barrett, Roger Colbeck and Adrian Kent, then Lluís Masanes, Stefano Pironio and Antonio Acín, finally Esther Hänggi, Renato Renner and Stefan Wolf

Device Independent QKD is the latest addition to this rich family of key transfer protocols and is probably the most paranoid. It considers even the photon sources on the sides that the parties have under their control as untrustworthy, considering them a black box. Therefore, both sides exchange quantum signals generated by these devices and then analyze the statistical correlations of the measurement results. The information itself is compared and the output is a set of correlations. The information is then compared. The individual inputs and some of the outputs are then sent over the classical channel. The information provided does not allow the transmitted secret to be deduced, but it allows to verify whether the channel has been tapped. Security here is not derived from trust in the physical implementation of the device, but from the statistical properties measured by correlation. So, with great exaggeration, it can be expressed in the style of - physics is not addressed here, but only statistics. Security here ensures the violation of Bell's inequalities.

Conclusion

Quantum key distribution represents an interesting attempt to connect cryptography and physics. Cryptography is built on the computational complexity of mathematical problems, quantum cryptography on the properties of quantum mechanics. However, its deployment brings new technical requirements, operational limitations, and new classes of attacks aimed at these implementations. Therefore, QKD cannot be perceived as a universal replacement for current cryptography, but rather as a specialized mechanism for distributing key material. It does not solve most of the problems that asymmetric cryptography solves today. Therefore, the deployment must be combined with classical cryptographic mechanisms.

Based on the development and concerns about quantum computers, it has become clear that the problem can be solved in several ways. The first is post-quantum cryptography, which preserves the existing communication infrastructure and replaces only mathematical primitives. The second is QKD, which uses the physical properties of quantum systems at the cost of a significantly more demanding infrastructure. Both approaches have their advantages and limitations. As it turns out, there is no single universal solution to all security problems. Just as asymmetric cryptography did not replace symmetric ciphers and digital signatures did not replace authentication, QKD is unlikely to replace all of modern cryptography. The greatest benefit of QKD may not be the technology itself, but the fact that it has forced cryptologists to formulate more precisely what “security” actually means. The debate between QKD and post-quantum cryptography proponents has shown that mathematical security, information-theoretic security, implementation security, and system security are distinct concepts that cannot be confused. But neither can any of them be ignored.

Author's Note

I am not a physicist and can only consider myself an enthusiast in this field, trying to understand at least some of the topics. For this reason, the explanations given are only an approximation, which is intended to help popularize and explain some areas related to QKD and cryptography.

Reference:

  1. Quantum Cryptography: Public Key Distribution and Coin Tossing, 1984, Charles H. Bennett, Gilles Brassard
    Source: https://research.ibm.com/
  2. Quantum Cryptography Based on Bell’s Theorem, 1991, Artur K. Ekert
    Source: https://doi.org/
  3. Quantum Key Distribution Based on Weak Coherent Pulses with Two-Photon Components, 2005, Hoi-Kwong Lo, Xiongfeng Ma, Kai Chen
    Source: https://doi.org/
  4. Beating the Photon Number Splitting Attack in Practical Quantum Cryptography, 2005, Xiang-Bin Wang
    Source: https://doi.org/
  5. Continuous Variable Quantum Key Distribution: Theoretical and Practical Review, 2003, Frédéric Grosshans, Nicolas J. Cerf, Jean Wenger, Romain Tualle-Brouri, Philippe Grangier
    Source: https://doi.org/
  6. Continuous-variable quantum key distribution, 2016, Stefano Pirandola, Ulrik L. Andersen, Leonardo Banchi et al.
    Source: https://arxiv.org/
  7. Measurement-Device-Independent Quantum Key Distribution, 2012, Hoi-Kwong Lo, Marcos Curty, Bing Qi
    Source: https://doi.org/
  8. Device-Independent Quantum Key Distribution Secure Against Collective Attacks, 2005, Jonathan Barrett, Roger Colbeck, Adrian Kent
    Source: https://doi.org/
  9. Device-independent quantum key distribution and randomness expansion, 2016, Antonio Acín, Stefano Pironio, et al.
    Source: https://arxiv.org/
  10. Security of Quantum Key Distribution, 2001, Peter W. Shor, John Preskill
    Source: https://doi.org/
  11. Practical issues in quantum key distribution and quantum cryptography, 2014, Vadim Makarov
    Source: https://doi.org/

Autor článku:

Jan Dušátko
Jan Dušátko

Jan Dušátko has been working with computers and computer security for almost a quarter of a century. In the field of cryptography, he has cooperated with leading experts such as Vlastimil Klíma or Tomáš Rosa. Currently he works as a security consultant, his main focus is on topics related to cryptography, security, e-mail communication and Linux systems.

1. Introductory Provisions

1.1. These General Terms and Conditions are, unless otherwise agreed in writing in the contract, an integral part of all contracts relating to training organised or provided by the trainer, Jan Dušátko, IČ 434 797 66, DIČ 7208253041, with location Pod Harfou 938/58, Praha 9 (next as a „lector“).
1.2. The contracting parties in the general terms and conditions are meant to be the trainer and the ordering party, where the ordering party may also be the mediator of the contractual relationship.
1.3. Issues that are not regulated by these terms and conditions are dealt with according to the Czech Civil Code, i.e. Act No.89/2012 Coll.
1.4. All potential disputes will be resolved according to the law of the Czech Republic.

2. Creation of a contract by signing up for a course

2.1. Application means unilateral action of the client addressed to the trainer through a data box with identification euxesuf, e-mailu with address register@cryptosession.cz or register@cryptosession.info, internet pages cryptosession.cz, cryptosession.info or contact phone +420 602 427 840.
2.2. By submitting the application, the Client agrees with these General Terms and Conditions and declares that he has become acquainted with them.
2.3. The application is deemed to have been received at the time of confirmation (within 2 working days by default) by the trainer or intermediary. This confirmation is sent to the data box or to the contact e-mail.
2.4. The standard time for registration is no later than 14 working days before the educational event, unless otherwise stated. In the case of a natural non-business person, the order must be at least 28 working days before the educational event.
2.5. More than one participant can be registered for one application.
2.6. If there are more than 10 participants from one Client, it is possible to arrange for training at the place of residence of the intermediary or the Client.
2.7. Applications are received and processed in the order in which they have been received by the Provider. The Provider immediately informs the Client of all facts. These are the filling of capacity, too low number of participants, or any other serious reason, such as a lecturer's illness or force majeure. In this case, the Client will be offered a new term or participation in another educational event. In the event that the ordering party does not agree to move or participate in another educational event offered, the provider will refund the participation fee. The lack of participants is notified to the ordering party at least 14 days before the start of the planned term.
2.8. The contract between the provider and the ordering party arises by sending a confirmation from the provider to the ordering party.
2.9. The contract may be changed or cancelled only if the legal prerequisites are met and only in writing.

3. Termination of the contract by cancellation of the application

3.1. The application may be cancelled by the ordering party via e-mail or via a data mailbox.
3.2. The customer has the right to cancel his or her application for the course 14 days before the course takes place without any fees. If the period is shorter, the subsequent change takes place. In the interval of 7-13 days, an administrative fee of 10% is charged, cancellation of participation in a shorter interval than 7 days then a fee of 25%. In case of cancellation of the application or order by the customer, the possibility of the customer's participation in an alternative period without any additional fee is offered. The right to cancel the application expires with the implementation of the ordered training.
3.3. In case of cancellation of the application by the trainer, the ordering party is entitled to a full refund for the unrealized action.
3.4. The ordering party has the right to request an alternative date or an alternative training. In such case, the ordering party will be informed about all open courses. The alternative date cannot be enforced or enforced, it depends on the current availability of the course. If the alternative training is for a lower price, the ordering party will pay the difference. If the alternative training is for a lower price, the trainer will return the difference in the training prices to the ordering party.

4. Price and payment terms

4.1. By sending the application, the ordering party accepts the contract price (hereinafter referred to as the participation fee) indicated for the course.
4.2. In case of multiple participants registered with one application, a discount is possible.
4.3. The participation fee must be paid into the bank account of the company held with the company Komerční banka č. 78-7768770207/0100, IBAN:CZ5301000000787768770207, BIC:KOMBCZPPXXX. When making the payment, a variable symbol must be provided, which is indicated on the invoice sent to the client by the trainer.
4.4. The participation fee includes the provider's costs, including the training materials. The provider is a VAT payer.
4.5. The client is obliged to pay the participation fee within 14 working days of receipt of the invoice, unless otherwise stated by a separate contract.
4.6. If the person enrolled does not attend the training and no other agreement has been made, his or her absence is considered a cancellation application at an interval of less than 7 days, i.e. the trainer is entitled to a reward of 25% of the course price. The overpayment is returned within 14 days to the sender's payment account from which the funds were sent. Payment to another account number is not possible.
4.7. An invoice will be issued by the trainer no later than 5 working days from the beginning of the training, which will be sent by e-mail or data box as agreed.

5. Training conditions

5.1. The trainer is obliged to inform the client 14 days in advance of the location and time of the training, including the start and end dates of the daily programme.
5.2. If the client is not a student of the course, he is obliged to ensure the distribution of this information to the end participants. The trainer is not responsible for failure to comply with these terms and conditions.
5.2. By default, the training takes place from 9 a.m. to 5 p.m. at a predetermined location.
5.3. The trainer can be available from 8 a.m. to 9 a.m. and then from 17 a.m. to 6 p.m. for questions from the participants, according to the current terms and conditions.
5.4. At the end of the training, the certificate of absorption is handed over to the end users.
5.5. At the end of the training, the end users evaluate the trainer's approach and are asked to comment on the evaluation of his presentation, the manner of presentation and the significance of the information provided.

6. Complaints

6.1. If the participant is grossly dissatisfied with the course, the trainer is informed of this information.
6.2. The reasons for dissatisfaction are recorded in the minutes in two copies on the same day. One is handed over to the client and one is held by the trainer.
6.3. A statement on the complaint will be submitted by e-mail within two weeks. A solution will then be agreed within one week.
6.4. The customer's dissatisfaction may be a reason for discontinuing further cooperation, or financial compensation up to the price of the training, after deduction of costs.

7. Copyright of the provided materials

7.1. The training materials provided by the trainer in the course of the training meet the characteristics of a copyrighted work in accordance with Czech Act No 121/2000 Coll.
7.2. None of the training materials or any part thereof may be further processed, reproduced, distributed or used for further presentations or training in any way without the prior written consent of the trainer.

8. Liability

8.1. The trainer does not assume responsibility for any shortcomings in the services of any third party that he uses in the training.
8.2. The trainer does not assume responsibility for injuries, damages and losses incurred by the participants in the training events or caused by the participants. Such costs, caused by the above circumstances, shall be borne exclusively by the participant in the training event.

9. Validity of the Terms

9.1 These General Terms and Conditions shall be valid and effective from 1 October 2024.

Consent to the collection and processing of personal data

According to Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as "the Regulation"), the processor xxx (hereinafter referred to as "the Controller") processes personal data. Individual personal data that are part of the processing during specific activities at this web presentation and in the course of trade are also broken down.
Although the collection of data is ubiquitous, the operation of this website is based on the right to privacy of each user. For this reason, the collection of information about users takes place to the extent absolutely necessary and only if the user decides to contact the operator. We consider any further collection and processing of data unethical.

Information about the records of access to the web presentation

This website does not collect any cookies. The site does not use any analytical scripts of third parties (social networks, cloud providers). For these reasons, an option is also offered for displaying the map in the form of a link, where the primary source is OpenStreet and alternatives then the frequently used Maps of Seznam, a.s., or Google Maps of Google LLC Inc. The use of any of these sources is entirely at the discretion of the users of this site. The administrator is not responsible for the collection of data carried out by these companies, does not provide them with data about users and does not cooperate on the collection of data.
Logging of access takes place only at the system level, the reason being the identification of any technical or security problems. Other reasons are overview access statistics. No specific data is collected or monitored in this area and all access records are deleted after three months.

Information about contacting the operator of the site

The form for contacting the operator of the site (administrator) contains the following personal data: name, surname, e-mail. These data are intended only for this communication, corresponding to the address of the user and are kept for the time necessary to fulfil the purpose, up to a maximum of one year, unless the user determines otherwise.

Information about the order form

In case of an interest in the order form, the form contains more data, i.e. name, surname, e-mail and contact details for the organisation. These data are intended only for this communication, corresponding to the address of the user and are kept for one year, unless the user determines otherwise. In the event that a business relationship is concluded on the basis of this order, only the information required by Czech law on the basis of business relations (company name and address, bank account number, type of course and its price) will continue to be kept by the administrator.

Information about the course completion document

Within the course, a course completion document is issued by the processor. This document contains the following data: student's name and surname, the name and date of the course completion and the employer's name. The information is subsequently used for the creation of a linear hash tree (non-modifiable record). This database contains only information about the provided names and company names, which may or may not correspond to reality and is maintained by the processor for possible re-issuance or verification of the document's issuance.

Rights of the personal data subject

The customer or visitor of this website has the possibility to request information about the processing of personal data, the right to request access to personal data, or the right to request the correction or deletion of any data held about him. In the case of deletion, this requirement cannot be fulfilled only if it is not data strictly necessary in the course of business. The customer or visitor of this website also has the right to obtain explanations regarding the processing of his personal data if he finds out or believes that the processing is carried out in violation of the protection of his private and personal life or in violation of applicable legislation, and the right to request removal of the resulting situation and to ensure the correction.
Furthermore, the customer/visitor of this website may request restriction of processing or object to the processing of personal data and has the right to withdraw his/her consent to the processing of personal data at any time in writing, without prejudice to the lawfulness of their processing prior to such withdrawal. For this purpose, the contact e-mail address support@cryptosession.cz is used.
The customer/visitor has the right to file a complaint against the processing of personal data with the supervisory authority, which is the Office for Personal Data Protection.