Quantum Key Distribution Without Sifting

We propose a novel quantum key distribution protocol that uses AES to expand an initial secret, allowing us to individually authenticate every qubit, with tags that are efficient to construct. In exchange for an increase in the amount of classical data to be transmitted, the tags can be handled such that they allow secure key generation from two photon states, and make BB84 exactly 100% efficient. This can be implemented as part of a software patch on pre-existing devices as no hardware modification is required. The scheme is secure so long as AES cannot be broken, therefore it is ideal for real-world implementations that use encryption schemes other than the one-time pad. Background and Motivation Assuming it is implemented perfectly, BB84 [1] is an unconditionally secure way of distributing cryptographic keys. It is of particular value for schemes that themselves offer unconditional security, such as the one time pad, but which have no intrinsic method for generating a shared secret. However, for day-to-day real-world communications, BB84-with-one-time-pad is not fast enough to be useful, so the quantum key distribution is better supplying keys to practically computationally secure applications, such as AES-256 GCM instead. In this case, BB84 still surpasses modern cryptographic alternatives, as it offers eavesdropper detection, and is secure against quantum computers. Yet a number of issues remain. Half of the qubits transmitted from Alice to Bob are discarded during sifting, rendering BB84 only 50% efficient, and photon number splitting (PNS) attacks exploit the use of weak coherent pulses in place of a single photon source. In this more realistic system, AES GCM is now the weakest link with regards to mathematical attacks (although it is still strong in absolute terms), so we ask whether a reduction in the theoretical security of BB84 can be leveraged to counter the issues above? In addition, can this new protocol be constructed in such a way that it is vulnerable only to mathematical attacks that would break the data encryption scheme, thus giving no additional benefit to attackers who target the key generation? PNS resistance and (asymptotic) efficiency improvements are already provided by the decoy state [2] and biased basis [3] protocols respectively, both by modifying the quantum hardware. Therefore, our protocol must not require any physical changes be made to the BB84 setup. SARG04 [4] helps mitigate against PNS attacks without making hardware changes, so our protocol must overall be better than this. 1 ar X iv :1 70 7. 03 33 1v 1 [ qu an tph ] 1 1 Ju l 2 01 7