#bb84

burnsie:

The flourishing field of quantum cryptography might have its roots in the 1980s, approximately when the BB84 protocol was published. While this protocol makes use of quantum 'peculiarities' and provides a way of distributing secret keys between two parties, Alice and Bob; it has been possible to prove its security. In particular the latter point is a decisive advancement in comparison to classical cryptography such as commonly used RSA encryption: the security of classical cryptography is most often based on our trust that technological advancements are a slow process. If there was a large and rapid leap forward in terms of computational power, encryption methods that can be broken via prime factoring, e.g. RSA, would lose their security instantly. Hence, quantum key distribution (QKD) is a promising attempt to provide secure communication: its security is not based on 'naive' confidence in slowness of technological advances, instead it is based on fundamental laws of nature. Quantum mechanics itself provides ways to keep Alice and Bob safe from an eavesdropper, Eve.

Limits of provable security

However, the provable security of QKD only works in theory. As usual the devil lies in the details, hence in the assumptions of such proofs: usually, they do not take into account that the practical implementation of QKD protocols relies on real, flawed devices. Unfortunately, this crucially undermines the practical security of QKD in real life applications. Even commercial QKD systems have been hacked in the past [1]. Research groups such as Vadim Makarov’s Quantum Hacking Lab focus on work of this kind. Thus, the dream of secure communication via quantum mechanics seems to be in danger. The possibility of hacking QKD motivates to develop specific countermeasures and/or new protocols that cannot fall prey to eavesdroppers. Among these new developments one can find the attempt of Device-Independent QKD (DIQKD), that tries to tackle security issues of quantum cryptography in a structural manner.

Key idea of DIQKD protocols

Facing the issue of imperfect devices, one can imagine that the manufacturer of the devices might be identified as Eve with malicious intentions. To be less dramatic and paranoid, the manufacturer might be just careless such that the devices do not work properly, hence causing a lack of security during the key distribution. However, given the possible imperfect/malicious devices makes it necessary to implement some kind of 'self-testing' into the protocol. The key idea of DIQKD protocols is to make use of Bell inequalities, such that the protocol can be aborted if the necessary degree of 'quantumness' is not achieved in a run of the protocol. Creating keys this way requires playing games such as the following Clauser-Horne-Shimony-Holt game (CHSH-game) [2]:

The encircled plus denotes binary addition (XOR) and the "·" is basically equivalent to a logical AND. The probability (A derivation of these probabilities can be found e.g. in these lecture notes: [3]) of the winning condition of the last line is 75% for a classical device, i.e. if there is no entanglement. Whereas under the usage of maximally entangled states (e.g. the Φ^+ Bell state) the maximal winning probability can be 86%. As a result, Alice and Bob do not need to trust the devices, they can test their reliability by themselfes via checking the correlations using their public channel. Hence, DIQKD protocols do not rely on specifying the internal functionality of the devices. The fact that this self-testing is reliable is based on monogamy of entanglement - a feature of quantum entanglement that ensures that a bipartite state cannot share any of its entanglement with a third system, i.e. in our case Eve. Thus, since Bob and Alice can test whether there is a maximally entangled state shared between both of them, they can be simultaneously sure that Eve cannot obtain information about their shared state.

DIQKD protocols work like the following in principle (see for a similar example e.g. Box 1 in [2]): Both, Alice and Bob possess a device in each of their isolated laboratories such that they can play the CHSH-game. The index i denotes the round in the interval [1,n]. For every round they perform the subsequent steps:

Both parties choose their setting x_i, y_i randomly.

They actually input the settings and record their outputs a_i, b_i.

They share the inputs and outputs of a sufficiently small subset of rounds such that they can test the "quantumness" and abort the process in case the winning probability is too low.

If the "quantumness" is satisfying, they do the usual QKD post processing (as in the BB84 protocol) with the bits of the remaining rounds, i.e. error correction, key sifting, privacy amplification and finally, they successfully distributed a key.

Is such a distributed key necessarily safe in practice? The security of protocols of this kind has been proven mathematically as for the BB84 protocol, but might it be reasonable to expect backdoors that arise once such protocols will be actually practically implemented? We will discuss this question in an upcoming part.

---

[1] Lars Lydersen et al. “Hacking commercial quantum cryptography systems by tailored bright illumination”. In: Nature Photonics 4.10 (Oct. 2010), pp. 686–689. doi: 10.1038/nphoton.2010.214. arXiv: 1008.4593 [quant-ph].

[2] Rotem Arnon-Friedman et al. “Practical device-independent quantum cryptography via entropy accumulation”. In: Nature Communications 9.1 (Jan. 2018). doi: 10.1038/s41467-017-02307-4. url: https:doi.org/10.1038/s41467-017-02307-4.