A Novel Protocol-Authentication Algorithm Ruling Out a Man-in-the-Middle Attack in Quantum Cryptography
Abstract
Quantum Key Distribution (QKD), or "quantum cryptography", is a cryptographic primitive based on quantum mechanics which, in principle, holds the potential of absolutely secure communication that cannot be compromised by any eavesdropping technique. The strength of the QKD primitive is the unconditionally secure simultaneous generation of two identical bit streams at two distinct locations, which can subsequently be used as a key in symmetric (unconditionally or computationally secure) encryption schemes. However, it is well known that QKD requires a public channel with trusted integrity, as otherwise a potential adversary (Eve) can easily mount a "man-in-the-middle attack". If the eavesdropper can manipulate messages on the public channel, there is no way to guarantee that in the course of a QKD protocol the two legitimate communication parties (Alice and Bob) are really exchanging the messages they are sending to each other. Eve can simply cut the quantum channel and subsequently communicate over both the quantum and the public channels with Bob as if she were Alice and with Alice as if she were Bob. Eventually, she would thus share two independent keys with the two legitimate parties and gain full control of all the subsequently transmitted encrypted information without being noticed at all. The described type of attack can be counteracted by authenticating the QKD protocol messages transmitted over the public channel. Basically, public key authentication methods and symmetric key authentication methods can be used (see Ref. [1] for a discussion of the relative merits and drawbacks of these methods). It is, however, straightforward to notice that unconditionally secure key generation by means of QKD is only feasible if it is combined with methods providing unconditionally secure authentication.
Standard public key methods are automatically ruled out if one sticks to this requirement, as they are only computationally secure and potentially subject to cryptanalysis by means of quantum computers. Therefore, already in Ref. [2] it was proposed to use unconditionally secure symmetric message authentication methods, as developed e.g. in Ref. [3], to ensure the integrity of the public channel. The main idea of the application of these methods in QKD is to intertwine the transcript of the public channel communication with an independent secret which the two legitimate parties share, and on this basis provide a mechanism for authenticating this communication. Alice and Bob therefore need an initial secret key, which they use only once. Subsequently, in each QKD session they renew the mutual secret by reserving part of the newly generated key. This key is to be used for channel authentication purposes in the next session. This paradigm has been elaborated in subsequent publications [4, 5]. It should be noted that while the unconditional security of QKD is thus retained, it is basically degraded from a secret key generation scheme in the strict sense to a secret key growing technique. In what follows we restrict our discussion to symmetric key message authentication methods and, similar to Wegman and Carter [3], base our approach on strongly universal₂ functions. In Section 2 we discuss a general method for producing message authentication tags using only a moderate amount of the secret key. In Section 3 we briefly discuss the details of the authentication algorithm in relation to the QKD protocol. We also present a modular integrated software library implementing full scale QKD protocols, including public channel authentication, used in the framework of a recent quantum cryptographic experiment [6].
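The key-growing paradigm described above, as an added example that is not taken from the paper or its software library: each session consumes a one-time authentication key from a shared pool, tags the public-channel transcript, and reserves part of the newly generated key for the next session. The names `KeyPool`, `tag` and `run_session` are assumptions, the hash is a generic polynomial-evaluation one-time MAC over the prime field of order 2^127 - 1 in the style of Wegman and Carter rather than the paper's Section 2 construction, and only the Alice-to-Bob direction is tagged.

```python
import hmac

P = 2**127 - 1    # prime field for the polynomial hash
BLOCK = 14        # message bytes per block; block + length marker < 2**120 < P
KEY_BYTES = 32    # one-time key per session: 16 bytes hash key k, 16 bytes pad b

class KeyPool:
    """Authentication secret shared by Alice and Bob; every byte is used once."""
    def __init__(self, initial):
        self._buf = bytearray(initial)
    def take(self, n):
        if len(self._buf) < n:
            raise RuntimeError("authentication key exhausted")
        out = bytes(self._buf[:n])
        del self._buf[:n]          # consumed key material is never handed out again
        return out
    def replenish(self, fresh):
        self._buf += fresh
    def __len__(self):
        return len(self._buf)

def tag(key, transcript):
    """Polynomial hash of the transcript under k, masked by the one-time pad b."""
    k = int.from_bytes(key[:16], "big") % P
    b = int.from_bytes(key[16:32], "big") % P
    acc = 0
    for i in range(0, len(transcript), BLOCK):
        # little-endian with a trailing 0x01 so the block length is encoded
        c = int.from_bytes(transcript[i:i + BLOCK] + b"\x01", "little")
        acc = (acc + c) * k % P
    return ((acc + b) % P).to_bytes(16, "big")

def run_session(alice, bob, sent, received, qkd_key):
    """Alice tags what she sent, Bob checks what he received.
    Returns the key released to applications, or None if the session is aborted."""
    t = tag(alice.take(KEY_BYTES), sent)
    expected = tag(bob.take(KEY_BYTES), received)
    if not hmac.compare_digest(t, expected):
        return None                      # key already consumed, never reused
    reserve, usable = qkd_key[:KEY_BYTES], qkd_key[KEY_BYTES:]
    alice.replenish(reserve)             # key growing: part of the new key
    bob.replenish(reserve)               # authenticates the next session
    return usable
```

A rejected session still burns its authentication key, so repeated tampering on the public channel drains the pool and the parties must re-establish an initial secret out of band.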
Similar resources
VULNERABILITY OF “A NOVEL PROTOCOL-AUTHENTICATION ALGORITHM RULING OUT A MAN-IN-THE-MIDDLE ATTACK IN QUANTUM CRYPTOGRAPHY” AYSAJAN ABIDIN and JAN-ÅKE LARSSON
In this paper we review and comment on “A novel protocol-authentication algorithm ruling out a man-in-the-middle attack in quantum cryptography”, [M. Peev et al., Int. J. Quant. Inform., 3, 225, (2005)]. In particular, we point out that the proposed primitive is not secure when used in a generic protocol, and needs additional authenticating properties of the surrounding quantum-cryptographic pr...
A TESLA-based mutual authentication protocol for GSM networks
The widespread use of wireless cellular networks has made security an ever increasing concern. GSM is the most popular wireless cellular standard, but security is an issue. The most critical weakness in the GSM protocol is the use of one-way entity authentication, i.e., only the mobile station is authenticated by the network. This creates many security problems including vulnerability against m...
RULING OUT A MAN-IN-THE-MIDDLE ATTACK IN QUANTUM CRYPTOGRAPHY” AYSAJAN ABIDIN and JAN-ÅKE LARSSON
Quantum Cryptography, or more accurately Quantum Key Distribution (QKD), is an unconditionally secure key growing technique based on the principles of quantum mechanics. It is unconditionally secure because no quantum state can be copied or measured without disturbing it. However, the practical implementation of QKD protocols requires an immutable public channel. In case the public channel is n...
Weaknesses of Authentication in Quantum Cryptography and Strongly Universal Hash Functions
Authentication is an indispensable part of Quantum Cryptography, which is an unconditionally secure key distribution technique based on the laws of nature. Without proper authentication, Quantum Cryptography is vulnerable to “man-in-the-middle” attacks. Therefore, to guarantee unconditional security of any Quantum Cryptographic protocols, the authentication used must also be unconditionally sec...
Classical Authentication Aided Three-Stage Quantum Protocol
This paper modifies Kak’s three-stage protocol so that it can guarantee secure transmission of information. Although avoiding man-in-the-middle attack is our primary objective in the introduction of classical authentication inside the three-stage protocol, we also benefit from the inherent advantages of the chosen classical authentication protocol. We have tried to implement ideas like key dist...
Attack on a classical analogue of the Dunjko, Wallden, Kent and Andersson quantum digital signature protocol
A quantum digital signature (QDS) protocol is investigated in respect of an attacker who can impersonate other communicating principals in the style of Lowe’s attack on the Needham-Schroeder public-key authentication protocol. A man-in-the-middle attack is identified in respect of a classical variant of the protocol and it is suggested that a similar attack would be effective against the QDS pr...