Vulnerabilities in Quantum Key Distribution Protocols

Recently proposed quantum key distribution protocols are shown to be vulnerable to a classic manin-the-middle attack using entangled pairs created by Eve. It appears that the attack could be applied to any protocol that relies on manipulation and return of entangled qubits to create a shared key. The protocols that are cryptana lyzed in this paper were proven secure with respect to some eavesdropping approaches, and results reported here do not invalidate these proofs. Rather, they suggest that quantum cryptographic protocols, like conventional protocols, may be vulnerable to methods of attack that were not envisaged by their designers. Introduction. The history of cryptography is replete with examples of protocols that were believed to be secure but shown to be vulnerable to novel attacks, often years after their design. Although sophisticated tools (and even specialized logics) have been designed to analyze and prove various properties of protocols, it is generally accepted that the best assurance of security is obtained through careful review by many experts familiar with vulnerabilities of similar protocols. An experience base of known vulnerabilities is a crucial component of this review. Because it is so new that there were no commercial products available before this year, little is known of vulnerabilities that may occur in the design and implementations of quantum cryptographic protocols. But if the history of cryptography is a reliable guide, it should be expected that even quantum cryptographic protocols designed by experts will have unanticipated vulnerabilities. The results presented in this paper suggest that this expectation is as true for quantum cryptography as it is for conventional. Protocol Vulnerabilities. Li [1] describes a QKD protocol using Greenberger-Horne-Zeilinger (GHZ) states that requires no classical communication. The protocol is described as follows, for communicating parties Alice and Bob: 1. Alice creates a three qubit system in GHZ state ( ) 111 000 2 1 + , sending the third qubit to Bob. 2. To encode a ‘1’, Bob uses the operator x σ on the received qubit; to encode ‘0’, he does nothing to the received qubit. 3. Bob returns the qubit to Alice. 4. Steps 1 – 3 are repeated, with Alice combining each received qubit with the corresponding two qubits of the original tripartite systems she retained, until a bit stream has been received by Alice. Alice then executes a controlled-NOT operation on the first two qubits, with the second qubit as control and the first as target. She then does a Bell state measurement on the last two qubits (of the 3-qubit GHZ system). She then maps the Bell state measurements as follows: ( ) 11 00 2 1 + = ‘0’; ( ) 10 01 2 1 + = ‘1’ A Bell state of ( ) 11 00 2 1 − or ( ) 10 01 2 1 − indicates eavesdropping by Eve. Li [1] shows that this protocol is secure with respect to an attack in which Eve measures qubits returning from Bob to Alice, with a probability that Eve escapes detection of 2, for n qubits. It is also shown that the protocol is secure with respect to an attack where Eve executes a controlled-NOT operation on the qubits sent from Bob to Alice. Unfortunately, the protocol is vulnerable to a quantum version of a classic manin-the-middle attack, which we will refer to as an EPR man-in-the-middle attack, conducted as follows: 1. Alice creates a three-qubit system in GHZ state ( ) 111 000 2 1 + , sending the third qubit to Bob. 2. Eve captures the qubit, creates her own two-qubit system, then forwards to Bob one qubit of a two-qubit system in EPR state ( ) 11 00 2 1 + . 3. To encode a ‘1’, Bob uses the operator σx on the received qubit; to encode ‘0’, he does nothing to the received qubit. 4. Bob returns the qubit to Eve, thinking it is being returned to Alice. 5. Eve combines the received qubit with the one she retained from the EPR pair that she created, then executes a Bell state measurement on the pair. Bit values are decoded as in step 4 of the Li protocol. Eve then records the bit value for the qubit received from Bob Taking the qubit she captured previously from Alice, she either executes x σ to encode a ‘1’ or does nothing to encode ‘0’, and returns the qubit to Alice. At end, Eve has a complete copy of the key shared by Alice and Bob. The attack requires Eve to know or guess the basis that is used by Alice and Bob, but since no classical communication is exchanged, the basis must be the same throughout the protocol. In a realistic implementation, the basis will be either standard, or chosen from a small number of possibilities that Eve can guess and determine quickly in a high traffic network. Since any realistic implementation will have less than perfect transmission, Eve can evade detection by removing qubits at a low enough rate to remain below the normal transmission error rate. Eve can measure random qubits in a basis of her choosing, obtaining a long-term distribution of values for 0 and 1 in her basis, designated P0 = a and P1 = ß for the proportion of 0 and 1 respectively. If she has guessed correctly, she will obtain P0 = P1 = .50. If not, she simply rotates her basis enough to obtain the 50/50 distribution, an angle of 4 ) (cos 0 1 π θ − = − P . This relationship can be seen from Figure 1. Figure 1. Determining correct basis from long-term distribution. ? Guessed basis