Technical Report MSC-2009-03

Title: On the Security of Theoretical and Realistic Quantum Key Distribution Schemes
Authors: Ran Gelles
Supervisors: Tal Mor
Abstract: Theoretical QKD protocols commonly rely on the use of qubits (quantum bits). In reality, however, due to practical limitations, the legitimate users are forced to employ a larger quantum (Hilbert) space, say a quhexit (quantum six-dimensional) space, or even a much larger quantum Hilbert space. Various attacks exploit these limitations. Although security can still be proved in some very special cases, a general framework that considers such realistic QKD protocols, as well as attacks on such protocols, is still missing.

We describe a general method of attacking realistic QKD protocols, which we call the `quantum-space attack'. The description is based on assessing the enlarged quantum space actually used by a protocol, the `quantum space of the protocol'. We show that this space is the effective space needed for attacking a protocol, hence this is the space needed for a general security analysis of the protocol. Analyzing a larger space will only add complexity to the analysis, while analyzing a smaller space might miss possible attacks.

The new method of analyzing the security of practical QKD scheme via the enlarged quantum space of the protocol, is demonstrated for schemes in which the qubits are implemented by photons. This demonstration is highly relevant since many of the practical QKD systems nowadays are implemented via photons. Photonic QKD schemes are commonly implemented using a device named interferometer. The structure of such an interferometer inevitably causes the enlargement of the quantum space in use (for instance, by adding vacuum ancillas). This enlargement exposes the protocols to new kinds of attacks that have not yet been analyzed.

We consider several QKD protocols that are implemented using interferometers. We analyze the enlarged space actually in use and define the requirements for their robustness. While we prove that the common interferometric protocol implementation is robust against simple attacks, we also demonstrate the difficulty of proving its robustness against stronger attacks. We finally present an interferometric-QKD implementation variant that is found to be non robust and therefore totally insecure.

The ultimate goal of QKD is to have practical protocols that are proven secure. A full security proof means security against the most general quantum space attack, namely, the joint attack performed onto the quantum space of the protocol. As providing such a proof is very difficult (maybe even impossible), it is important to analyze less general security results such as security against the collective attack and robustness against the joint attack.

Here we also improve the non-optimal security proof of ideal BB84 against the collective attack (for theoretical QKD) to the standards of the joint attack. We prove an exponential advantage relative to the bound reached in previous paper for the collective attack. Our proof is maintained simple since it deals with collective attacks and not with joint attacks. This simple proof might be useful for future analysis of other quantum cryptographic protocols, or of more realistic models of QKD schemes.

The last topic of this research regards the QKD scheme in which Alice is "quantum" yet Bob is "classical", as recently published by Boyer, Kenigsberg and Mor. Here we analyze two protocols with this constraint, and prove their robustness: we show that any adversary attempt to obtain information (even a tiny amount of information), necessarily induces some errors that the legitimate users could notice. The first protocol is the one presented in the paper of Boyer et al, with an improved robustness proof, that is applicable to other scheme configurations, such as sending the qubits one by one. The second protocol is based on a protocol presented in a conference paper by Boyer et al, yet we extend and generalize it, remove several of its limitations, and prove its robustness.

CopyrightThe above paper is copyright by the Technion, Author(s), or others. Please contact the author(s) for more information

Remark: Any link to this technical report should be to this page (, rather than to the URL of the PDF files directly. The latter URLs may change without notice.

To the list of the MSC technical reports of 2009
To the main CS technical reports page

Computer science department, Technion