Quantum key distribution (QKD) is a
secure communication
Secure communication is when two entities are communicating and do not want a third party to listen in. For this to be the case, the entities need to communicate in a way that is unsusceptible to eavesdropping or interception. Secure communication ...
method which implements a
cryptographic protocol
A security protocol (cryptographic protocol or encryption protocol) is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods, often as sequences of cryptographic primitives. A protocol describe ...
involving components of
quantum mechanics
Quantum mechanics is a fundamental theory in physics that provides a description of the physical properties of nature at the scale of atoms and subatomic particles. It is the foundation of all quantum physics including quantum chemistry, ...
. It enables two parties to produce a shared
random
In common usage, randomness is the apparent or actual lack of pattern or predictability in events. A random sequence of events, symbols or steps often has no :wikt:order, order and does not follow an intelligible pattern or combination. Ind ...
secret
key
Key or The Key may refer to:
Common meanings
* Key (cryptography), a piece of information that controls the operation of a cryptography algorithm
* Key (lock), device used to control access to places or facilities restricted by a lock
* Key (map ...
known only to them, which can then be used to encrypt and decrypt
messages. It is often incorrectly called
quantum cryptography
Quantum cryptography is the science of exploiting quantum mechanical properties to perform cryptographic tasks. The best known example of quantum cryptography is quantum key distribution which offers an information-theoretically secure solution ...
, as it is the best-known example of a quantum cryptographic task.
An important and unique property of quantum key distribution is the ability of the two communicating users to detect the presence of any third party trying to gain
knowledge
Knowledge can be defined as awareness of facts or as practical skills, and may also refer to familiarity with objects or situations. Knowledge of facts, also called propositional knowledge, is often defined as true belief that is distinc ...
of the key. This results from a fundamental aspect of quantum mechanics: the process of measuring a
quantum system
Quantum mechanics is a fundamental theory in physics that provides a description of the physical properties of nature at the scale of atoms and subatomic particles. It is the foundation of all quantum physics including quantum chemistry, ...
in general disturbs the system. A third party trying to eavesdrop on the key must in some way measure it, thus introducing detectable anomalies. By using
quantum superposition
Quantum superposition is a fundamental principle of quantum mechanics. It states that, much like waves in classical physics, any two (or more) quantum states can be added together ("superposed") and the result will be another valid quantum ...
s or
quantum entanglement
Quantum entanglement is the phenomenon that occurs when a group of particles are generated, interact, or share spatial proximity in a way such that the quantum state of each particle of the group cannot be described independently of the state of ...
and transmitting information in
quantum state
In quantum physics, a quantum state is a mathematical entity that provides a probability distribution for the outcomes of each possible measurement on a system. Knowledge of the quantum state together with the rules for the system's evolution in ...
s, a communication system can be implemented that detects eavesdropping. If the level of eavesdropping is below a certain threshold, a key can be produced that is guaranteed to be secure (i.e., the eavesdropper has no information about it), otherwise no secure key is possible and communication is aborted.
The security of encryption that uses quantum key distribution relies on the foundations of quantum mechanics, in contrast to traditional
public key cryptography
Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
, which relies on the computational difficulty of
certain mathematical functions, and cannot provide any mathematical proof as to the actual complexity of reversing the one-way functions used. QKD has provable security based on
information theory
Information theory is the scientific study of the quantification (science), quantification, computer data storage, storage, and telecommunication, communication of information. The field was originally established by the works of Harry Nyquist a ...
, and
forward secrecy
In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key ...
.
The main drawback of quantum key distribution is that it usually relies on having an
authenticated classical channel of communications. In modern cryptography, having an authenticated classical channel means that one has either already exchanged a
symmetric key
Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between th ...
of sufficient length or public keys of sufficient security level. With such information already available, in practice one can achieve authenticated and sufficiently secure communications without using QKD, such as by using the
Galois/Counter Mode
In cryptography, Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achiev ...
of the
Advanced Encryption Standard
The Advanced Encryption Standard (AES), also known by its original name Rijndael (), is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.
AES is a variant ...
. Thus QKD does the work of a
stream cipher
stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream ...
at many times the cost.
Quantum key distribution is only used to produce and distribute a key, not to transmit any message data. This key can then be used with any chosen
encryption algorithm
In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decip ...
to encrypt (and decrypt) a message, which can then be transmitted over a standard
communication channel
A communication channel refers either to a physical transmission medium such as a wire, or to a logical connection over a multiplexed medium such as a radio channel in telecommunications and computer networking. A channel is used for informa ...
. The algorithm most commonly associated with QKD is the
one-time pad
In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked, but requires the use of a single-use pre-shared key that is not smaller than the message being sent. In this technique, a plaintext is paired with a ran ...
, as it is
provably secure
Provable security refers to any type or level of computer security that can be proved. It is used in different ways by different fields.
Usually, this refers to mathematical proofs, which are common in cryptography. In such a proof, the capabiliti ...
when used with a secret, random key. In real-world situations, it is often also used with encryption using
symmetric key algorithms
Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between th ...
like the
Advanced Encryption Standard
The Advanced Encryption Standard (AES), also known by its original name Rijndael (), is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.
AES is a variant ...
algorithm.
Quantum key exchange
Quantum communication involves encoding information in quantum states, or
qubit
In quantum computing, a qubit () or quantum bit is a basic unit of quantum information—the quantum version of the classic binary bit physically realized with a two-state device. A qubit is a two-state (or two-level) quantum-mechanical system, ...
s, as opposed to classical communication's use of
bit
The bit is the most basic unit of information in computing and digital communications. The name is a portmanteau of binary digit. The bit represents a logical state with one of two possible values. These values are most commonly represente ...
s. Usually,
photons
A photon () is an elementary particle that is a quantum of the electromagnetic field, including electromagnetic radiation such as light and radio waves, and the force carrier for the electromagnetic force. Photons are massless, so they alway ...
are used for these quantum states. Quantum key distribution exploits certain properties of these quantum states to ensure its security. There are several different approaches to quantum key distribution, but they can be divided into two main categories depending on which property they exploit.
; Prepare and measure protocols : In contrast to classical physics, the act of measurement is an integral part of quantum mechanics. In general, measuring an unknown quantum state changes that state in some way. This is a consequence of
quantum indeterminacy
Quantum indeterminacy is the apparent ''necessary'' incompleteness in the description of a physical system, that has become one of the characteristics of the standard description of quantum physics. Prior to quantum physics, it was thought that
: ...
and can be exploited in order to detect any eavesdropping on communication (which necessarily involves measurement) and, more importantly, to calculate the amount of information that has been intercepted.
; Entanglement based protocols : The quantum states of two (or more) separate objects can become linked together in such a way that they must be described by a combined quantum state, not as individual objects. This is known as
entanglement and means that, for example, performing a measurement on one object affects the other. If an entangled pair of objects is shared between two parties, anyone intercepting either object alters the overall system, revealing the presence of the third party (and the amount of information they have gained).
These two approaches can each be further divided into three families of protocols: discrete variable, continuous variable and distributed phase reference coding. Discrete variable protocols were the first to be invented, and they remain the most widely implemented. The other two families are mainly concerned with overcoming practical limitations of experiments. The two protocols described below both use discrete variable coding.
BB84 protocol: Charles H. Bennett and Gilles Brassard (1984)
This protocol, known as
BB84
BB84 is a quantum key distribution scheme developed by Charles Bennett and Gilles Brassard in 1984. It is the first quantum cryptography protocol. The protocol is provably secure, relying on two conditions: (1) the quantum property that informatio ...
after its inventors and year of publication, was originally described using
photon polarization
Photon polarization is the quantum mechanical description of the classical polarized sinusoidal plane electromagnetic wave. An individual photon
can be described as having right or left circular polarization, or a superposition of the two. Equi ...
states to transmit the information. However, any two pairs of
conjugate states can be used for the protocol, and many
optical-fibre-based implementations described as BB84 use phase encoded states. The sender (traditionally referred to as
Alice) and the receiver (Bob) are connected by a
quantum communication channel which allows
quantum states
In quantum physics, a quantum state is a mathematical entity that provides a probability distribution for the outcomes of each possible measurement in quantum mechanics, measurement on a system. Knowledge of the quantum state together with the rul ...
to be transmitted. In the case of photons this channel is generally either an optical fibre or simply
free space
A vacuum is a space devoid of matter. The word is derived from the Latin adjective ''vacuus'' for "vacant" or "void". An approximation to such vacuum is a region with a gaseous pressure much less than atmospheric pressure. Physicists often dis ...
. In addition they communicate via a public classical channel, for example using broadcast radio or the internet. The protocol is designed with the assumption that an
eavesdropper
Eavesdropping is the act of secretly or stealthily listening to the private conversation or communications of others without their consent in order to gather information.
Etymology
The verb ''eavesdrop'' is a back-formation from the noun ''eaves ...
(referred to as Eve) can interfere in any way with the quantum channel, while the classical channel needs to be
authenticated
Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicati ...
.
The security of the protocol comes from encoding the information in
non-orthogonal states.
Quantum indeterminacy
Quantum indeterminacy is the apparent ''necessary'' incompleteness in the description of a physical system, that has become one of the characteristics of the standard description of quantum physics. Prior to quantum physics, it was thought that
: ...
means that these states cannot in general be measured without disturbing the original state (see
No-cloning theorem In physics, the no-cloning theorem states that it is impossible to create an independent and identical copy of an arbitrary unknown quantum state, a statement which has profound implications in the field of quantum computing among others. The theore ...
). BB84 uses two pairs of states, with each pair
conjugate to the other pair, and the two states within a pair orthogonal to each other. Pairs of orthogonal states are referred to as a
basis
Basis may refer to:
Finance and accounting
* Adjusted basis, the net cost of an asset after adjusting for various tax-related items
*Basis point, 0.01%, often used in the context of interest rates
* Basis trading, a trading strategy consisting ...
. The usual polarization state pairs used are either the
rectilinear basis of vertical (0°) and horizontal (90°), the
diagonal basis of 45° and 135° or the
circular basis of left- and right-handedness. Any two of these bases are conjugate to each other, and so any two can be used in the protocol. Below the rectilinear and diagonal bases are used.
The first step in BB84 is quantum transmission. Alice creates a random
bit
The bit is the most basic unit of information in computing and digital communications. The name is a portmanteau of binary digit. The bit represents a logical state with one of two possible values. These values are most commonly represente ...
(0 or 1) and then randomly selects one of her two bases (rectilinear or diagonal in this case) to transmit it in. She then prepares a photon polarization state depending both on the bit value and basis, as shown in the adjacent table. So for example a 0 is encoded in the rectilinear basis (+) as a vertical polarization state, and a 1 is encoded in the diagonal basis (x) as a 135° state. Alice then transmits a single photon in the state specified to Bob, using the quantum channel. This process is then repeated from the random bit stage, with Alice recording the state, basis and time of each photon sent.
According to quantum mechanics (particularly
quantum indeterminacy
Quantum indeterminacy is the apparent ''necessary'' incompleteness in the description of a physical system, that has become one of the characteristics of the standard description of quantum physics. Prior to quantum physics, it was thought that
: ...
), no possible measurement distinguishes between the 4 different polarization states, as they are not all orthogonal. The only possible measurement is between any two orthogonal states (an orthonormal basis). So, for example, measuring in the rectilinear basis gives a result of horizontal or vertical. If the photon was created as horizontal or vertical (as a rectilinear
eigenstate) then this measures the correct state, but if it was created as 45° or 135° (diagonal eigenstates) then the rectilinear measurement instead returns either horizontal or vertical at random. Furthermore, after this measurement the photon is polarized in the state it was measured in (horizontal or vertical), with all information about its initial polarization lost.
As Bob does not know the basis the photons were encoded in, all he can do is to select a basis at random to measure in, either rectilinear or diagonal. He does this for each photon he receives, recording the time, measurement basis used and measurement result. After Bob has measured all the photons, he communicates with Alice over the public classical channel. Alice broadcasts the basis each photon was sent in, and Bob the basis each was measured in. They both discard photon measurements (bits) where Bob used a different basis, which is half on average, leaving half the bits as a shared key.
To check for the presence of an eavesdropper, Alice and Bob now compare a predetermined subset of their remaining bit strings. If a third party (usually referred to as Eve, for "eavesdropper") has gained any information about the photons' polarization, this introduces errors in Bob's measurements. Other environmental conditions can cause errors in a similar fashion. If more than
bits differ they abort the key and try again, possibly with a different quantum channel, as the security of the key cannot be guaranteed.
is chosen so that if the number of bits known to Eve is less than this,
privacy amplification can be used to reduce Eve's knowledge of the key to an arbitrarily small amount at the cost of reducing the length of the key.
E91 protocol: Artur Ekert (1991)
Artur Ekert
Artur Konrad Ekert FRS (born 19 September 1961) is a Polish professor of quantum physics at the Mathematical Institute, University of Oxford, professorial fellow in quantum physics and cryptography at Merton College, Oxford, Lee Kong Chian C ...
's scheme
uses entangled pairs of photons. These can be created by Alice, by Bob, or by some source separate from both of them, including eavesdropper Eve. The photons are distributed so that Alice and Bob each end up with one photon from each pair.
The scheme relies on two properties of entanglement. First, the entangled states are perfectly correlated in the sense that if Alice and Bob both measure whether their particles have vertical or horizontal polarizations, they always get the same answer with 100% probability. The same is true if they both measure any other pair of complementary (orthogonal) polarizations. This necessitates that the two distant parties have exact directionality synchronization. However, the particular results are completely random; it is impossible for Alice to predict if she (and thus Bob) will get vertical polarization or horizontal polarization. Second, any attempt at eavesdropping by Eve destroys these correlations in a way that Alice and Bob can detect.
Similarly to
BB84
BB84 is a quantum key distribution scheme developed by Charles Bennett and Gilles Brassard in 1984. It is the first quantum cryptography protocol. The protocol is provably secure, relying on two conditions: (1) the quantum property that informatio ...
, the protocol involves a private measurement protocol before detecting the presence of Eve. The measurement stage involves Alice measuring each photon she receives using some basis from the set
while Bob chooses from
where
is the
basis rotated by
. They keep their series of basis choices private until measurements are completed. Two groups of photons are made: the first consists of photons measured using the same basis by Alice and Bob while the second contains all other photons. To detect eavesdropping, they can compute the test statistic
using the correlation coefficients between Alice's bases and Bob's similar to that shown in the
Bell test experiments
A Bell test, also known as Bell inequality test or Bell experiment, is a real-world physics experiment designed to test the theory of quantum mechanics in relation to Albert Einstein's concept of local realism. Named for John Stewart Bell, the e ...
. Maximally entangled photons would result in
. If this were not the case, then Alice and Bob can conclude Eve has introduced local realism to the system, violating
Bell's Theorem. If the protocol is successful, the first group can be used to generate keys since those photons are completely anti-aligned between Alice and Bob.
Device Independent Quantum Key Distribution
In traditional QKD, the quantum devices used must be perfectly calibrated, trustworthy, and working exactly as they are expected to.
Deviations from expected measurements can be extremely hard to detect, which leaves the entire system vulnerable. A new protocol called Device Independent QKD (DIQKD) or Measurement Device Independent QKD (MDIQKD) allows for the use of uncharacterized or untrusted devices, and for deviations from expected measurements to be included in the overall system.
These deviations will cause the protocol to abort when detected, rather than resulting in incorrect data.
DIQKD was first proposed by Mayers and Yao, building off of the BB84 protocol. They presented that in DIQKD, the quantum device, which they refer to as the photon source, be manufactured to come with tests that can be run by Alice and Bob to “self-check” if their device is working properly. Such a test would only need to consider the classical inputs and outputs in order to determine how much information is at risk of being intercepted by Eve. A self checking, or “ideal” source would not have to be characterized,
and would therefore not be susceptible to implementation flaws.
Recent research has proposed using a Bell test to check that a device is working properly.
Bell’s theorem ensures that a device can create two outcomes that are exclusively correlated, meaning that Eve could not intercept the results, without making any assumptions about said device. This requires highly entangled states, and a low quantum bit error rate.
DIQKD presents difficulties in creating qubits that are in such high quality entangled states, which makes it a challenge to realize experimentally.
Twin Fields Quantum Key Distribution
Twin Fields Quantum Key Distribution (TFQKD) was introduced in 2018, and is a version of DIQKD designed to overcome the fundamental rate-distance limit of traditional quantum key distribution.
The rate-distance limit, also known as the rate-loss trade off, describes how as distance increases between Alice and Bob, the rate of key generation decreases exponentially.
In traditional QKD protocols, this decay has been eliminated via the addition of physically secured relay nodes, which can be placed along the quantum link with the intention of dividing it up into several low-loss sections. Researchers have also recommended the use of quantum repeaters, which when added to the relay nodes make it so that they no longer need to be physically secured.
Quantum repeaters, however, are difficult to create and have yet to be implemented on a useful scale.
TFQKD aims to bypass the rate-distance limit without the use of quantum repeaters or relay nodes, creating manageable levels of noise and a process that can be repeated much more easily with today's existing technology.
The original protocol for TFQKD is as follows: Alice and Bob each have a light source and one arm on an interferometer in their laboratories. The light sources create two dim optical pulses with a randomly phase ''p
a'' or ''p
b'' in the interval
_This_is_different_from_traditional_QKD,_in_which_the_phases_used_are_never_revealed.
__Information_reconciliation_and_privacy_amplification_
The_quantum_key_distribution_protocols_described_above_provide_Alice_and_Bob_with_nearly_identical_shared_keys,_and_also_with_an_estimate_of_the_discrepancy_between_the_keys._These_differences_can_be_caused_by_eavesdropping,_but_also_by_imperfections_in_the_transmission_line_and_detectors._As_it_is_impossible_to_distinguish_between_these_two_types_of_errors,_guaranteed_security_requires_the_assumption_that_all_errors_are_due_to_eavesdropping._Provided_the_error_rate_between_the_keys_is_lower_than_a_certain_threshold_(27.6%_as_of_2002),_two_steps_can_be_performed_to_first_remove_the_erroneous_bits_and_then_reduce_Eve's_knowledge_of_the_key_to_an_arbitrary_small_value._These_two_steps_are_known_as_information_reconciliation_and_privacy_amplification_respectively,_and_were_first_described_in_1992.
Information_reconciliation_is_a_form_of_error_correction_carried_out_between_Alice_and_Bob's_keys,_in_order_to_ensure_both_keys_are_identical._It_is_conducted_over_the_public_channel_and_as_such_it_is_vital_to_minimise_the_information_sent_about_each_key,_as_this_can_be_read_by_Eve._A_common_protocol_used_for_information_reconciliation_is_the_cascade_protocol,_proposed_in_1994._This_operates_in_several_rounds,_with_both_keys_divided_into_blocks_in_each_round_and_the_parity_(telecommunication).html" ;"title=", 2π) and an encoding phase γa or γb. The pulses are sent along a quantum to Charlie, a third party who can be malicious or not. Charlie uses a beam splitter to overlap the two pulses and perform a measurement. He has two detectors in his own lab, one of which will light up if the bits are equal (00) or (11), and the other when they are different (10, 01). Charlie will announce to Alice and Bob which of the detectors lit up, at which point they publicly reveal the phases ''p'' and γ. This is different from traditional QKD, in which the phases used are never revealed.
Information reconciliation and privacy amplification
The quantum key distribution protocols described above provide Alice and Bob with nearly identical shared keys, and also with an estimate of the discrepancy between the keys. These differences can be caused by eavesdropping, but also by imperfections in the transmission line and detectors. As it is impossible to distinguish between these two types of errors, guaranteed security requires the assumption that all errors are due to eavesdropping. Provided the error rate between the keys is lower than a certain threshold (27.6% as of 2002), two steps can be performed to first remove the erroneous bits and then reduce Eve's knowledge of the key to an arbitrary small value. These two steps are known as information reconciliation and privacy amplification respectively, and were first described in 1992.
Information reconciliation is a form of error correction carried out between Alice and Bob's keys, in order to ensure both keys are identical. It is conducted over the public channel and as such it is vital to minimise the information sent about each key, as this can be read by Eve. A common protocol used for information reconciliation is the cascade protocol, proposed in 1994. This operates in several rounds, with both keys divided into blocks in each round and the parity (telecommunication)">parity of those blocks compared. If a difference in parity is found then a binary search is performed to find and correct the error. If an error is found in a block from a previous round that had correct parity then another error must be contained in that block; this error is found and corrected as before. This process is repeated recursively, which is the source of the cascade name. After all blocks have been compared, Alice and Bob both reorder their keys in the same random way, and a new round begins. At the end of multiple rounds Alice and Bob have identical keys with high probability; however, Eve has additional information about the key from the parity information exchanged. However, from a coding theory point of view information reconciliation is essentially source coding with side information, in consequence any coding scheme that works for this problem can be used for information reconciliation. Lately turbocodes, LDPC codes and polar codes have been used for this purpose improving the efficiency of the cascade protocol.
Privacy amplification is a method for reducing (and effectively eliminating) Eve's partial information about Alice and Bob's key. This partial information could have been gained both by eavesdropping on the quantum channel during key transmission (thus introducing detectable errors), and on the public channel during information reconciliation (where it is assumed Eve gains all possible parity information). Privacy amplification uses Alice and Bob's key to produce a new, shorter key, in such a way that Eve has only negligible information about the new key. This can be done using a universal hash function
In mathematics and computing, universal hashing (in a randomized algorithm or data structure) refers to selecting a hash function at random from a family of hash functions with a certain mathematical property (see definition below). This guarantees ...
, chosen at random from a publicly known set of such functions, which takes as its input a binary string of length equal to the key and outputs a binary string of a chosen shorter length. The amount by which this new key is shortened is calculated, based on how much information Eve could have gained about the old key (which is known due to the errors this would introduce), in order to reduce the probability of Eve having any knowledge of the new key to a very low value.
Implementations
Experimental
In 2008, exchange of secure keys at 1 Mbit/s (over 20 km of optical fibre) and 10 kbit/s (over 100 km of fibre), was achieved by a collaboration between the University of Cambridge
, mottoeng = Literal: From here, light and sacred draughts.
Non literal: From this place, we gain enlightenment and precious knowledge.
, established =
, other_name = The Chancellor, Masters and Schola ...
and Toshiba
, commonly known as Toshiba and stylized as TOSHIBA, is a Japanese multinational conglomerate corporation headquartered in Minato, Tokyo, Japan. Its diversified products and services include power, industrial and social infrastructure system ...
using the BB84
BB84 is a quantum key distribution scheme developed by Charles Bennett and Gilles Brassard in 1984. It is the first quantum cryptography protocol. The protocol is provably secure, relying on two conditions: (1) the quantum property that informatio ...
protocol with decoy state pulses.
In 2007, Los Alamos National Laboratory
Los Alamos National Laboratory (often shortened as Los Alamos and LANL) is one of the sixteen research and development laboratories of the United States Department of Energy (DOE), located a short distance northwest of Santa Fe, New Mexico, ...
/NIST
The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sci ...
achieved quantum key distribution over a 148.7 km of optic fibre using the BB84 protocol. Significantly, this distance is long enough for almost all the spans found in today's fibre networks. A European collaboration achieved free space QKD over 144 km between two of the Canary Islands
The Canary Islands (; es, Canarias, ), also known informally as the Canaries, are a Spanish autonomous community and archipelago in the Atlantic Ocean, in Macaronesia. At their closest point to the African mainland, they are west of Morocc ...
using entangled photons (the Ekert scheme) in 2006, and using BB84
BB84 is a quantum key distribution scheme developed by Charles Bennett and Gilles Brassard in 1984. It is the first quantum cryptography protocol. The protocol is provably secure, relying on two conditions: (1) the quantum property that informatio ...
enhanced with decoy states[H.-K. Lo, in Proceedings of 2004 IEEE ISIT (IEEE Press, New York, 2004), p. 137][H.-K. Lo, X. Ma, K. Chen]
"Decoy State Quantum Key Distribution"
Physical Review Letters, 94, 230504 (2005) in 2007.
the longest distance for optical fiber (307 km)[
] was achieved by University of Geneva
The University of Geneva (French: ''Université de Genève'') is a public research university located in Geneva, Switzerland. It was founded in 1559 by John Calvin as a theological seminary. It remained focused on theology until the 17th centu ...
and Corning Inc. In the same experiment, a secret key rate of 12.7 kbit/s was generated, making it the highest bit rate system over distances of 100 km. In 2016 a team from Corning and various institutions in China achieved a distance of 404 km, but at a bit rate too slow to be practical.
In June 2017, physicists led by Thomas Jennewein at the Institute for Quantum Computing
The Institute for Quantum Computing (IQC) is an affiliate scientific research institute of the University of Waterloo located in Waterloo, Ontario with a multidisciplinary approach to the field of quantum information processing. IQC was founde ...
and the University of Waterloo
The University of Waterloo (UWaterloo, UW, or Waterloo) is a public research university with a main campus in Waterloo, Ontario
Waterloo is a city in the Canadian province of Ontario. It is one of three cities in the Regional Municipality ...
in Waterloo, Canada achieved the first demonstration of quantum key distribution from a ground transmitter to a moving aircraft. They reported optical links with distances between 3–10 km and generated secure keys up to 868 kilobytes in length.
Also in June 2017, as part of the Quantum Experiments at Space Scale
Quantum Experiments at Space Scale (QUESS; ), is a Chinese research project in the field of quantum physics.
Tiangong-2 is China's second Space Laboratory module which was launched on 15 September 2016. Tiangong-2 carries a total of 14 mission an ...
project, Chinese physicists led by Pan Jianwei at the University of Science and Technology of China
A university () is an educational institution, institution of higher education, higher (or Tertiary education, tertiary) education and research which awards academic degrees in several Discipline (academia), academic disciplines. Universities ty ...
measured entangled photons over a distance of 1203 km between two ground stations, laying the groundwork for future intercontinental quantum key distribution experiments. Photons were sent from one ground station to the satellite they had named '' Micius'' and back down to another ground station, where they "observed a survival of two-photon entanglement and a violation of Bell inequality by 2.37 ± 0.09 under strict Einstein locality conditions" along a "summed length varying from 1600 to 2400 kilometers." Later that year BB84 was successfully implemented over satellite links from ''Micius'' to ground stations in China and Austria. The keys were combined and the result was used to transmit images and video between Beijing, China, and Vienna, Austria.
In August 2017, a group at Shanghai Jiaotong University experimentally demonstrate that polarization quantum states including general qubits of single photon and entangled states can survive well after travelling through seawater, representing the first step towards underwater quantum communication.
In May 2019 a group lead by Hong Guo at Peking University and Beijing University of Posts and Telecommunications reported field tests of a continuous-variable QKD system through commercial fiber networks in Xi'an and Guangzhou over distances of 30.02 km (12.48 dB) and 49.85 km (11.62 dB) respectively.
In December 2020, Indian Defence Research and Development Organisation
The Defence Research and Development Organisation (DRDO) (IAST: ''Raksā Anūsandhān Evam Vikās Sangaṭhan'') is the premier agency under the Department of Defence Research and Development in Ministry of Defence of the Government of India ...
tested a QKD between two of its laboratories in Hyderabad facility. The setup also demonstrated the validation of detection of a third party trying to gain knowledge of the communication. Quantum based security against eavesdropping was validated for the deployed system at over range and 10 dB attenuation over fibre optic channel. A continuous wave
A continuous wave or continuous waveform (CW) is an electromagnetic wave of constant amplitude and frequency, typically a sine wave, that for mathematical analysis is considered to be of infinite duration. It may refer to e.g. a laser or particle ...
laser source was used to generate photons without depolarization effect and timing accuracy employed in the setup was of the order of picoseconds. The Single photon avalanche detector (SPAD) recorded arrival of photons and key rate was achieved in the range of kbps with low Quantum bit error rate.
In March 2021, Indian Space Research Organisation
The Indian Space Research Organisation (ISRO; ) is the national space agency of India, headquartered in Bengaluru. It operates under the Department of Space (DOS) which is directly overseen by the Prime Minister of India, while the Chairman ...
also demonstrated a free-space Quantum Communication over a distance of 300 meters. A free-space QKD was demonstrated at Space Applications Centre
The Space Applications Centre (SAC) is an institution of research in Ahmedabad under the aegis of the Indian Space Research Organisation (ISRO). It is one of the major centres of ISRO that is engaged in the research, development and demonstrat ...
(SAC), Ahmedabad, between two line-of-sight buildings within the campus for video conferencing by quantum-key encrypted signals. The experiment utilised a NAVIC
The Indian Regional Navigation Satellite System (IRNSS), with an operational name of NavIC (acronym for 'Navigation with Indian Constellation; also, 'sailor' or 'navigator' in Indian languages), is an autonomous regional satellite navigation s ...
receiver for time synchronization between the transmitter and receiver modules. Later in January 2022, Indian scientists were able to successfully create an atmospheric channel for exchange of crypted messages and images. After demonstrating quantum communication between two ground stations, India has plans to develop Satellite Based Quantum Communication (SBQC).
In July of 2022, researchers published their work experimentally implementing a device-independent quantum key distribution (DIQKD) protocol that uses quantum entanglement (as suggested by Ekert) to insure resistance to quantum hacking attacks. They were able to create two ions, about two meters apart that were in a high quality entangled state using the following process: Alice and Bob each have ion trap nodes with an 88Sr+ qubit inside. Initially, they excite the ions to an electronic state, which creates an entangled state. This process also creates two photons, which are then captured and transported using an optical fiber, at which point a Bell-basis measurement is performed and the ions are projected to a highly entangled state. Finally the qubits are returned to new locations in the ion traps disconnected from the optical link so that no information can be leaked. This is repeated many times before the key distribution proceeds.
A separate experiment published in July 2022 demonstrated implementation of DIQKD that also uses a Bell inequality test to ensure that the quantum device is functioning, this time at a much larger distance of about 400m, using an optical fiber 700m long. The set up for the experiment was similar to the one in the paragraph above, with some key differences. Entanglement was generated in a Quantum Network Link (QNL) between two 87Rb atoms in separate laboratories located 400m apart, connected by the 700m channel.The atoms are entangled by electronic excitation, at which point two photons are generated and collected, to be sent to the bell state measurement (BSM) setup. The photons are projected onto a , ψ+> state, indicating maximum entanglement. The rest of the key exchange protocol used is similar to the original QKD protocol, with the only difference being that keys are generated with two measurement settings instead of one.
Since the proposal of Twin Field Quantum Key Distribution in 2018, a myriad of experiments have been performed with the goal of increasing the distance in a QKD system. The most successful of which was able to distribute key information across a distance of 833.8 km.
Commercial
There are currently seven companies offering commercial quantum key distribution systems around the world; ID Quantique
ID Quantique (IDQ) is a Swiss company, based in Geneva, Switzerland, and provides quantum key distribution (QKD) systems, quantum safe network encryption, single photon counters, and hardware random number generators.
It was founded in 2001 ...
(Geneva), MagiQ Technologies, Inc. MagiQ Technologies, Inc., or MagiQ, is an American technology development company headquartered in Somerville, Massachusetts. Established in 1999, it announced the availability of a commercial quantum key distribution product (Navajo) in 2003. Addi ...
(New York), QNu Labs (Bengaluru
Bangalore (), officially Bengaluru (), is the capital and largest city of the Indian state of Karnataka. It has a population of more than and a metropolitan population of around , making it the third most populous city and fifth most ...
, India
India, officially the Republic of India (Hindi: ), is a country in South Asia. It is the seventh-largest country by area, the second-most populous country, and the most populous democracy in the world. Bounded by the Indian Ocean on the so ...
), QuintessenceLabs
QuintessenceLabs Pty Ltd. (or QuintessenceLabs) is a cybersecurity company headquartered in Canberra, Australia with offices in San Jose, California. QuintessenceLabs produces encryption key and policy management products that conform to the K ...
(Australia), QRate (Russia), SeQureNet (Paris) and Quantum Optics Jena (Germany). Several other companies also have active research programs, including KETS Quantum Security (UK), Toshiba
, commonly known as Toshiba and stylized as TOSHIBA, is a Japanese multinational conglomerate corporation headquartered in Minato, Tokyo, Japan. Its diversified products and services include power, industrial and social infrastructure system ...
, HP, IBM, Mitsubishi
The is a group of autonomous Japanese multinational companies in a variety of industries.
Founded by Yatarō Iwasaki in 1870, the Mitsubishi Group historically descended from the Mitsubishi zaibatsu, a unified company which existed from 1870 ...
, NEC
is a Japanese multinational information technology and electronics corporation, headquartered in Minato, Tokyo. The company was known as the Nippon Electric Company, Limited, before rebranding in 1983 as NEC. It provides IT and network soluti ...
and NTT (See External links
An internal link is a type of hyperlink on a web page to another page or resource, such as an image or document, on the same website or domain.
Hyperlinks are considered either "external" or "internal" depending on their target or destination ...
for direct research links).
In 2004, the world's first bank transfer using quantum key distribution was carried out in Vienna
en, Viennese
, iso_code = AT-9
, registration_plate = W
, postal_code_type = Postal code
, postal_code =
, timezone = CET
, utc_offset = +1
, timezone_DST ...
, Austria
Austria, , bar, Östareich officially the Republic of Austria, is a country in the southern part of Central Europe, lying in the Eastern Alps. It is a federation of nine states, one of which is the capital, Vienna, the most populous ...
. Quantum encryption technology provided by the Swiss company Id Quantique
ID Quantique (IDQ) is a Swiss company, based in Geneva, Switzerland, and provides quantum key distribution (QKD) systems, quantum safe network encryption, single photon counters, and hardware random number generators.
It was founded in 2001 ...
was used in the Swiss canton (state) of Geneva to transmit ballot results to the capital in the national election occurring on 21 October 2007. In 2013, Battelle Memorial Institute
Battelle Memorial Institute (more widely known as simply Battelle) is a private nonprofit applied science and technology development company headquartered in Columbus, Ohio. Battelle is a charitable trust organized as a nonprofit corporation u ...
installed a QKD system built by ID Quantique between their main campus in Columbus, Ohio and their manufacturing facility in nearby Dublin. Field tests of Tokyo QKD network have been underway for some time.
Quantum key distribution networks
DARPA
The DARPA Quantum Network
The DARPA Quantum Network (2002–2007) was the world's first quantum key distribution (QKD) network, operating 10 optical nodes across Boston and Cambridge, Massachusetts. It became fully operational on October 23, 2003 in BBN's laboratories, an ...
, was a 10-node quantum key distribution network, which ran continuously for four years, 24 hours a day, from 2004 to 2007 in Massachusetts in the United States. It was developed by BBN Technologies
Raytheon BBN (originally Bolt Beranek and Newman Inc.) is an American research and development company, based next to Fresh Pond in Cambridge, Massachusetts, United States.
In 1966, the Franklin Institute awarded the firm the Frank P. Brown ...
, Harvard University
Harvard University is a private Ivy League research university in Cambridge, Massachusetts. Founded in 1636 as Harvard College and named for its first benefactor, the Puritan clergyman John Harvard, it is the oldest institution of higher le ...
, Boston University
Boston University (BU) is a private research university in Boston, Massachusetts. The university is nonsectarian, but has a historical affiliation with the United Methodist Church. It was founded in 1839 by Methodists with its original campu ...
, with collaboration from IBM Research
IBM Research is the research and development division for IBM, an American multinational information technology company headquartered in Armonk, New York, with operations in over 170 countries. IBM Research is the largest industrial research org ...
, the National Institute of Standards and Technology
The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sci ...
, and QinetiQ. It supported a standards-based Internet computer network
A computer network is a set of computers sharing resources located on or provided by network nodes. The computers use common communication protocols over digital interconnections to communicate with each other. These interconnections are ...
protected by quantum key distribution.
SECOQC
The world's first computer network
A computer network is a set of computers sharing resources located on or provided by network nodes. The computers use common communication protocols over digital interconnections to communicate with each other. These interconnections are ...
protected by quantum key distribution was implemented in October 2008, at a scientific conference in Vienna. The name of this network is SECOQC (Secure Communication Based on Quantum Cryptography) and the EU funded this project. The network used 200 km of standard fibre optic cable
A fiber-optic cable, also known as an optical-fiber cable, is an assembly similar to an electrical cable, but containing one or more optical fibers that are used to carry light. The optical fiber elements are typically individually coated with ...
to interconnect six locations across Vienna and the town of St Poelten
ST, St, or St. may refer to:
Arts and entertainment
* Stanza, in poetry
* Suicidal Tendencies, an American heavy metal/hardcore punk band
* Star Trek, a science-fiction media franchise
* Summa Theologica, a compendium of Catholic philosophy ...
located 69 km to the west.
SwissQuantum
Id Quantique
ID Quantique (IDQ) is a Swiss company, based in Geneva, Switzerland, and provides quantum key distribution (QKD) systems, quantum safe network encryption, single photon counters, and hardware random number generators.
It was founded in 2001 ...
has successfully completed the longest running project for testing Quantum Key Distribution (QKD) in a field environment. The main goal of the SwissQuantum network project installed in the Geneva metropolitan area in March 2009, was to validate the reliability and robustness of QKD in continuous operation over a long time period in a field environment. The quantum layer operated for nearly 2 years until the project was shut down in January 2011 shortly after the initially planned duration of the test.
Chinese networks
In May 2009, a hierarchical quantum network was demonstrated in Wuhu
Wuhu () is a prefecture-level city in southeastern Anhui province, China. Sitting on the southeast bank of the Yangtze River, Wuhu borders Xuancheng to the southeast, Chizhou and Tongling to the southwest, Hefei city to the northwest, Ma'anshan ...
, China
China, officially the People's Republic of China (PRC), is a country in East Asia. It is the world's most populous country, with a population exceeding 1.4 billion, slightly ahead of India. China spans the equivalent of five time zones and ...
. The hierarchical network consisted of a backbone network of four nodes connecting a number of subnets. The backbone nodes were connected through an optical switching quantum router. Nodes within each subnet were also connected through an optical switch, which were connected to the backbone network through a trusted relay.
Launched in August 2016, the QUESS space mission created an international QKD channel between China and the Institute for Quantum Optics and Quantum Information in Vienna
en, Viennese
, iso_code = AT-9
, registration_plate = W
, postal_code_type = Postal code
, postal_code =
, timezone = CET
, utc_offset = +1
, timezone_DST ...
, Austria
Austria, , bar, Östareich officially the Republic of Austria, is a country in the southern part of Central Europe, lying in the Eastern Alps. It is a federation of nine states, one of which is the capital, Vienna, the most populous ...
− a ground distance of , enabling the first intercontinental secure quantum video call. By October 2017, a 2,000-km fiber line was operational between Beijing
}
Beijing ( ; ; ), alternatively romanized as Peking ( ), is the capital of the People's Republic of China. It is the center of power and development of the country. Beijing is the world's most populous national capital city, with over 21 ...
, Jinan
Jinan (), Postal Map Romanization, alternately romanization of Chinese, romanized as Tsinan, is the Capital (political), capital of Shandong province in East China, Eastern China. With a population of 9.2 million, it is the second-largest city i ...
, Hefei
Hefei (; ) is the capital and largest city of Anhui Province, People's Republic of China. A prefecture-level city, it is the political, economic, and cultural center of Anhui. Its population was 9,369,881 as of the 2020 census and its built-up ( ...
and Shanghai
Shanghai (; , , Standard Mandarin pronunciation: ) is one of the four direct-administered municipalities of the People's Republic of China (PRC). The city is located on the southern estuary of the Yangtze River, with the Huangpu River flow ...
. Together they constitute the world's first space-ground quantum network. Up to 10 Micius/QUESS satellites are expected, allowing a European–Asian quantum-encrypted network by 2020, and a global network by 2030.
Tokyo QKD Network
The Tokyo QKD Network was inaugurated on the first day of the UQCC2010 conference. The network involves an international collaboration between 7 partners; NEC
is a Japanese multinational information technology and electronics corporation, headquartered in Minato, Tokyo. The company was known as the Nippon Electric Company, Limited, before rebranding in 1983 as NEC. It provides IT and network soluti ...
, Mitsubishi Electric
, established on 15 January 1921, is a Japanese multinational electronics and electrical equipment manufacturing company headquartered in Tokyo, Japan. It is one of the core companies of Mitsubishi. The products from MELCO include elevators an ...
, NTT and NICT from Japan, and participation from Europe by Toshiba
, commonly known as Toshiba and stylized as TOSHIBA, is a Japanese multinational conglomerate corporation headquartered in Minato, Tokyo, Japan. Its diversified products and services include power, industrial and social infrastructure system ...
Research Europe Ltd. (UK), Id Quantique
ID Quantique (IDQ) is a Swiss company, based in Geneva, Switzerland, and provides quantum key distribution (QKD) systems, quantum safe network encryption, single photon counters, and hardware random number generators.
It was founded in 2001 ...
(Switzerland) and All Vienna (Austria). "All Vienna" is represented by researchers from the Austrian Institute of Technology
AIT Austrian Institute of Technology is Austria's largest Research and Technology Organization (RTO), employing about 1,300 people mostly based at the main facilities Vienna Tech Gate, Vienna TECHbase, Seibersdorf, Wiener Neustadt, Ranshofen and G ...
(AIT), the Institute for Quantum Optics and Quantum Information (IQOQI) and the University of Vienna
The University of Vienna (german: Universität Wien) is a public research university located in Vienna, Austria. It was founded by Duke Rudolph IV in 1365 and is the oldest university in the German-speaking world. With its long and rich histor ...
.
Los Alamos National Laboratory
A hub-and-spoke network has been operated by Los Alamos National Laboratory since 2011. All messages are routed via the hub. The system equips each node in the network with quantum transmitters—i.e., lasers—but not with expensive and bulky photon detectors. Only the hub receives quantum messages. To communicate, each node sends a one-time pad to the hub, which it then uses to communicate securely over a classical link. The hub can route this message to another node using another one time pad from the second node. The entire network is secure only if the central hub is secure. Individual nodes require little more than a laser: Prototype nodes are around the size of a box of matches.
Eagle-1
In 2024, the ESA
, owners =
, headquarters = Paris, Île-de-France, France
, coordinates =
, spaceport = Guiana Space Centre
, seal = File:ESA emblem seal.png
, seal_size = 130px
, image = Views in the Main Control Room (1205 ...
plans to launch the satellite Eagle-1, an experimental space-based quantum key distribution system.
Attacks and security proofs
Intercept and resend
The simplest type of possible attack is the intercept-resend attack, where Eve measures the quantum states (photons) sent by Alice and then sends replacement states to Bob, prepared in the state she measures. In the BB84 protocol, this produces errors in the key Alice and Bob share. As Eve has no knowledge of the basis a state sent by Alice is encoded in, she can only guess which basis to measure in, in the same way as Bob. If she chooses correctly, she measures the correct photon polarization state as sent by Alice, and resends the correct state to Bob. However, if she chooses incorrectly, the state she measures is random, and the state sent to Bob cannot be the same as the state sent by Alice. If Bob then measures this state in the same basis Alice sent, he too gets a random result—as Eve has sent him a state in the opposite basis—with a 50% chance of an erroneous result (instead of the correct result he would get without the presence of Eve). The table below shows an example of this type of attack.
The probability Eve chooses the incorrect basis is 50% (assuming Alice chooses randomly), and if Bob measures this intercepted photon in the basis Alice sent he gets a random result, i.e., an incorrect result with probability of 50%. The probability an intercepted photon generates an error in the key string is then 50% × 50% = 25%. If Alice and Bob publicly compare of their key bits (thus discarding them as key bits, as they are no longer secret) the probability they find disagreement and identify the presence of Eve is
So to detect an eavesdropper with probability Alice and Bob need to compare key bits.
Man-in-the-middle attack
Quantum key distribution is vulnerable to a man-in-the-middle attack
In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle, monkey-in-the-middle, meddler-in-the-middle, manipulator-in-the-middle (MITM), person-in-the-middle (PITM) or adversary-in-the-middle (AiTM) ...
when used without authentication to the same extent as any classical protocol, since no known principle of quantum mechanics can distinguish friend from foe. As in the classical case, Alice and Bob cannot authenticate each other and establish a secure connection without some means of verifying each other's identities (such as an initial shared secret). If Alice and Bob have an initial shared secret then they can use an unconditionally secure authentication scheme (such as Carter-Wegman,) along with quantum key distribution to exponentially expand this key, using a small amount of the new key to authenticate the next session. Several methods to create this initial shared secret have been proposed, for example using a 3rd party or chaos theory. Nevertheless, only "almost strongly universal" family of hash functions can be used for unconditionally secure authentication.
Photon number splitting attack
In the BB84
BB84 is a quantum key distribution scheme developed by Charles Bennett and Gilles Brassard in 1984. It is the first quantum cryptography protocol. The protocol is provably secure, relying on two conditions: (1) the quantum property that informatio ...
protocol Alice sends quantum states to Bob using single photons. In practice many implementations use laser pulses attenuated to a very low level to send the quantum states. These laser pulses contain a very small number of photons, for example 0.2 photons per pulse, which are distributed according to a Poisson distribution
In probability theory and statistics, the Poisson distribution is a discrete probability distribution that expresses the probability of a given number of events occurring in a fixed interval of time or space if these events occur with a known co ...
. This means most pulses actually contain no photons (no pulse is sent), some pulses contain 1 photon (which is desired) and a few pulses contain 2 or more photons. If the pulse contains more than one photon, then Eve can split off the extra photons and transmit the remaining single photon to Bob. This is the basis of the photon number splitting attack, where Eve stores these extra photons in a quantum memory until Bob detects the remaining single photon and Alice reveals the encoding basis. Eve can then measure her photons in the correct basis and obtain information on the key without introducing detectable errors.
Even with the possibility of a PNS attack a secure key can still be generated, as shown in the GLLP security proof; however, a much higher amount of privacy amplification is needed reducing the secure key rate significantly (with PNS the rate scales as as compared to for a single photon sources, where is the transmittance of the quantum channel).
There are several solutions to this problem. The most obvious is to use a true single photon
source instead of an attenuated laser. While such sources are still at a developmental stage QKD has been carried out successfully with them. However, as current sources operate at a low efficiency and frequency key rates and transmission distances are limited. Another solution is to modify the BB84 protocol, as is done for example in the SARG04 SARG04 (named after Valerio Scarani, Antonio Acin, Gregoire Ribordy, and Nicolas Gisin) is a 2004 quantum cryptography protocol derived from the first protocol of that kind, BB84.
Origin
Researchers built SARG04 when they noticed that by using ...
protocol, in which the secure key rate scales as . The most promising solution is the decoy states in which Alice randomly sends some of her laser pulses with a lower average photon number. These decoy states can be used to detect a PNS attack, as Eve has no way to tell which pulses are signal and which decoy. Using this idea the secure key rate scales as , the same as for a single photon source. This idea has been implemented successfully first at the University of Toronto, and in several follow-up QKD experiments, allowing for high key rates secure against all known attacks.
Denial of service
Because currently a dedicated fibre optic line (or line of sight in free space) is required between the two points linked by quantum key distribution, a denial of service attack
In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connect ...
can be mounted by simply cutting or blocking the line. This is one of the motivations for the development of quantum key distribution networks, which would route communication via alternate links in case of disruption.
Trojan-horse attacks
A quantum key distribution system may be probed by Eve by sending bright light into the quantum channel and analyzing the back-reflections in a Trojan-horse attack. In a recent research study it has been shown that Eve discerns Bob's secret basis choice with higher than 90% probability, breaching the security of the system.
Security proofs
If Eve is assumed to have unlimited resources, for example both classical and quantum computing power, there are many more attacks possible. BB84 has been proven secure against any attacks allowed by quantum mechanics, both for sending information using an ideal photon source which only ever emits a single photon at a time, and also using practical photon sources which sometimes emit multiphoton pulses.[D. Gottesman, H.-K. Lo, N. L¨utkenhaus, and J. Preskill, Quant. Inf. Comp. 4, 325 (2004)] These proofs are unconditionally secure in the sense that no conditions are imposed on the resources available to the eavesdropper; however, there are other conditions required:
# Eve cannot physically access Alice and Bob's encoding and decoding devices.
# The random number generators used by Alice and Bob must be trusted and truly random (for example a Quantum random number generator
In computing, a hardware random number generator (HRNG) or true random number generator (TRNG) is a device that generates random numbers from a physical process, rather than by means of an algorithm. Such devices are often based on microscop ...
).
# The classical communication channel must be authenticated using an unconditionally secure authentication scheme.
# The message must be encrypted using one-time pad
In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked, but requires the use of a single-use pre-shared key that is not smaller than the message being sent. In this technique, a plaintext is paired with a ran ...
like scheme
Quantum hacking
Hacking attacks target vulnerabilities in the operation of a QKD protocol or deficiencies in the components of the physical devices used in construction of the QKD system. If the equipment used in quantum key distribution can be tampered with, it could be made to generate keys that were not secure using a random number generator attack
The security of cryptographic systems depends on some secret data that is known to authorized persons but unknown and unpredictable to others. To achieve this unpredictability, some randomization is typically employed. Modern cryptographic protoco ...
. Another common class of attacks is the Trojan horse
The Trojan Horse was a wooden horse said to have been used by the Greeks during the Trojan War to enter the city of Troy and win the war. The Trojan Horse is not mentioned in Homer's ''Iliad'', with the poem ending before the war is concluded, ...
attack which does not require physical access to the endpoints: rather than attempt to read Alice and Bob's single photons, Eve sends a large pulse of light back to Alice in between transmitted photons. Alice's equipment reflects some of Eve's light, revealing the state of Alice's basis (e.g., a polarizer). This attack can be detected, e.g. by using a classical detector to check the non-legitimate signals (i.e. light from Eve) entering Alice's system. It is also conjectured that most hacking attacks can similarly be defeated by modifying the implementation, though there is no formal proof.
Several other attacks including faked-state attacks, phase remapping attacks, and time-shift attacks are now known. The time-shift attack has even been demonstrated on a commercial quantum cryptosystem. This is the first demonstration of quantum hacking against a non-homemade quantum key distribution system. Later on, the phase-remapping attack was also demonstrated on a specially configured, research oriented open QKD system (made and provided by the Swiss company Id Quantique
ID Quantique (IDQ) is a Swiss company, based in Geneva, Switzerland, and provides quantum key distribution (QKD) systems, quantum safe network encryption, single photon counters, and hardware random number generators.
It was founded in 2001 ...
under their Quantum Hacking program). It is one of the first 'intercept-and-resend' attacks on top of a widely used QKD implementation in commercial QKD systems. This work has been widely reported in media.
The first attack that claimed to be able to eavesdrop the whole key without leaving any trace was demonstrated in 2010. It was experimentally shown that the single-photon detectors in two commercial devices could be fully remote-controlled using specially tailored bright illumination. In a spree of publications thereafter, the collaboration between the Norwegian University of Science and Technology
Norwegian, Norwayan, or Norsk may refer to:
*Something of, from, or related to Norway, a country in northwestern Europe
*Norwegians, both a nation and an ethnic group native to Norway
*Demographics of Norway
*The Norwegian language, including the ...
in Norway and Max Planck Institute for the Science of Light in Germany, has now demonstrated several methods to successfully eavesdrop on commercial QKD systems based on weaknesses of avalanche photodiodes (APDs) operating in gated mode. This has sparked research on new approaches to securing communications networks.
Counterfactual quantum key distribution
The task of distributing a secret key could be achieved even when the particle (on which the secret information, e.g. polarization, has been encoded) does not traverse through the quantum channel using a protocol developed by Tae-Gon Noh. Here Alice generates a photon which, by not taking a measurement until later, exists in a superposition of being in paths (a) and (b) simultaneously. Path (a) stays inside Alice's secure device and path (b) goes to Bob. By rejecting the photons that Bob receives and only accepting the ones he doesn't receive, Bob & Alice can set up a secure channel, i.e. Eve's attempts to read the ''counterfactual'' photons would still be detected. This protocol uses the quantum phenomenon whereby the possibility that a photon can be sent has an effect even when it isn't sent. So-called interaction-free measurement In physics, interaction-free measurement is a type of measurement in quantum mechanics that detects the position, presence, or state of an object without an interaction occurring between it and the measuring device. Examples include the Renninger ne ...
also uses this quantum effect, as for example in the bomb testing problem, whereby an experimenter can conceptually determine which bombs are not duds without setting them off, except in a counterfactual
Counterfactual conditionals (also ''subjunctive'' or ''X-marked'') are conditional sentences which discuss what would have been true under different circumstances, e.g. "If Peter believed in ghosts, he would be afraid to be here." Counterfactual ...
sense.
History
Quantum cryptography was proposed first by Stephen Wiesner, then at Columbia University in New York, who, in the early 1970s, introduced the concept of quantum conjugate coding. His seminal paper titled "Conjugate Coding" was rejected by IEEE Information Theory but was eventually published in 1983 in SIGACT News (15:1 pp. 78–88, 1983). In this paper he showed how to store or transmit two messages by encoding them in two "conjugate observables", such as linear and circular polarization of light, so that either, but not both, of which may be received and decoded. He illustrated his idea with a design of unforgeable bank notes. A decade later, building upon this work, Charles H. Bennett, of the IBM Thomas J. Watson Research Center
The Thomas J. Watson Research Center is the headquarters for IBM Research. The center comprises three sites, with its main laboratory in Yorktown Heights, New York, U.S., 38 miles (61 km) north of New York City, Albany, New York and wit ...
, and Gilles Brassard
Gilles Brassard, is a faculty member of the Université de Montréal, where he has been a Full Professor since 1988 and Canada Research Chair since 2001.
Education and early life
Brassard received a Ph.D. in Computer Science from Cornell Unive ...
, of the University of Montreal
A university () is an institution of higher (or tertiary) education and research which awards academic degrees in several academic disciplines. Universities typically offer both undergraduate and postgraduate programs. In the United States, the ...
, proposed a method for secure communication based on Wiesner's "conjugate observables". In 1990, Artur Ekert
Artur Konrad Ekert FRS (born 19 September 1961) is a Polish professor of quantum physics at the Mathematical Institute, University of Oxford, professorial fellow in quantum physics and cryptography at Merton College, Oxford, Lee Kong Chian C ...
, then a PhD student at Wolfson College, University of Oxford, developed a different approach to quantum key distribution based on quantum entanglement
Quantum entanglement is the phenomenon that occurs when a group of particles are generated, interact, or share spatial proximity in a way such that the quantum state of each particle of the group cannot be described independently of the state of ...
.
Future
The current commercial systems are aimed mainly at governments and corporations with high security requirements. Key distribution by courier is typically used in such cases, where traditional key distribution schemes are not believed to offer enough guarantee. This has the advantage of not being intrinsically distance limited, and despite long travel times the transfer rate can be high due to the availability of large capacity portable storage devices. The major difference of quantum key distribution is the ability to detect any interception of the key, whereas with courier the key security cannot be proven or tested. QKD (Quantum Key Distribution) systems also have the advantage of being automatic, with greater reliability and lower operating costs than a secure human courier network.
Kak's three-stage protocol has been proposed as a method for secure communication that is entirely quantum unlike quantum key distribution in which the cryptographic transformation uses classical algorithms.
Factors preventing wide adoption of quantum key distribution outside high security areas include the cost of equipment, and the lack of a demonstrated threat to existing key exchange protocols. However, with optic fibre networks already present in many countries the infrastructure is in place for a more widespread use.
An Industry Specification Group (ISG) of the European Telecommunications Standards Institute (ETSI
The European Telecommunications Standards Institute (ETSI) is an independent, not-for-profit, standardization organization in the field of information and communications. ETSI supports the development and testing of global technical standard ...
) has been set up to address standardisation issues in quantum cryptography.
European Metrology Institutes, in the context of dedicated projects, are developing measurements required to characterise components of QKD systems.
Toshiba Europe has been awarded a prestigious Institute of Physics Award for Business Innovation. This recognises Toshiba’s pioneering QKD technology developed over two decades of research, protecting communication infrastructure from present and future cyber-threats, and commercialising UK-manufactured products which pave the road to the quantum internet. The Institute of Physics (IOP) is the professional body and learned society for physics, and the leading body for practising physicists, in the UK and Ireland. With a rich history of supporting business innovation and growth, it is committed to working with ‘physics-based’ businesses, and companies that apply and employ physics and physicists.
Toshiba also took the Semi Grand Prix award in the Solutions Category for the QKD has won the Minister of Economy, Trade and Industry Award in CEATEC AWARD 2021, the prestigious awards presented at CEATEC, Japan’s premier electronics industry trade show.
Deprecation of quantum key distributions from governmental institutions
Some organizations have recommended using "Post-Quantum Cryptography (or quantum-resistant cryptography)" as an alternative because of the problems it raises in practical use. For example, National Security Agency
The National Security Agency (NSA) is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collecti ...
of USA, European Union Agency for Cybersecurity
The European Union Agency for Cybersecurity – self-designation ENISA from the abbreviation of its original name – is an agency of the European Union. It is fully operational since September 1, 2005. The Agency is located in Athens, Greece an ...
of EU (ENISA), National Cyber Security Centre (United Kingdom)
The National Cyber Security Centre (NCSC) is an organisation of the United Kingdom Government that provides advice and support for the public and private sector in how to avoid computer security threats. Based in London, it became operational i ...
, and French Secretariat for Defense and Security (ANSSI) recommend it. (read through the bibliography for details).[ ]
For example, the U.S. National Security Agency addresses five issues:
# Quantum key distribution is only a partial solution. QKD generates keying material for an encryption algorithm that provides confidentiality. Such keying material could also be used in symmetric key cryptographic algorithms to provide integrity and authentication if one has the cryptographic assurance that the original QKD transmission comes from the desired entity (i.e. entity source authentication). QKD does not provide a means to authenticate the QKD transmission source. Therefore, source authentication requires the use of asymmetric cryptography or preplaced keys to provide that authentication. Moreover, the confidentiality services QKD offers can be provided by quantum-resistant cryptography, which is typically less expensive with a better understood risk profile.
# Quantum key distribution requires special purpose equipment. QKD is based on physical properties, and its security derives from unique physical layer communications. This requires users to lease dedicated fiber connections or physically manage free-space transmitters. It cannot be implemented in software or as a service on a network, and cannot be easily integrated into existing network equipment. Since QKD is hardware-based it also lacks flexibility for upgrades or security patches.
# Quantum key distribution increases infrastructure costs and insider threat risks. QKD networks frequently necessitate the use of trusted relays, entailing additional cost for secure facilities and additional security risk from insider threats. This eliminates many use cases from consideration.
# Securing and validating quantum key distribution is a significant challenge. The actual security provided by a QKD system is not the theoretical unconditional security from the laws of physics (as modeled and often suggested), but rather the more limited security that can be achieved by hardware and engineering designs. The tolerance for error in cryptographic security, however, is many orders of magnitude smaller than in most physical engineering scenarios making it very difficult to validate. The specific hardware used to perform QKD can introduce vulnerabilities, resulting in several well-publicized attacks on commercial QKD systems.
# Quantum key distribution increases the risk of denial of service. The sensitivity to an eavesdropper as the theoretical basis for QKD security claims also shows that denial of service is a significant risk for QKD.
In response to problem 1 above, attempts to deliver authentication keys using post-quantum cryptography (or quantum-resistant cryptography) have been proposed worldwide. On the other hand, quantum-resistant cryptography is cryptography belonging to the class of computational security. In 2015, a research result was already published that "sufficient care must be taken in implementation to achieve information-theoretic security for the system as a whole when authentication keys that are not information-theoretic secure are used" (when the authentication key is not information-theoretic secure (If the authentication key is not information-theoretically secure, an attacker can break it to bring all classical and quantum communications under control and relay them to launch a Man-in-the-middle attack
In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle, monkey-in-the-middle, meddler-in-the-middle, manipulator-in-the-middle (MITM), person-in-the-middle (PITM) or adversary-in-the-middle (AiTM) ...
).
Ericsson, a private company, also cites and points out the above problems and then presents a report that it may not be able to support the Zero trust security model
The zero trust security model, also known as zero trust architecture (ZTA), zero trust network architecture or zero trust network access (ZTNA), and sometimes known as perimeterless security, describes an approach to the design and implementation ...
, which is a recent trend in network security technology.
See also
* List of quantum key distribution protocols
Quantum key distribution (QKD) protocols are used in quantum key distribution. The first protocol of that kind was BB84, introduced in 1984 by Charles H. Bennett and Gilles Brassard. After that, many other protocols have been defined.
List of q ...
* Quantum computing
Quantum computing is a type of computation whose operations can harness the phenomena of quantum mechanics, such as superposition, interference, and entanglement. Devices that perform quantum computations are known as quantum computers. Though ...
* Quantum cryptography
Quantum cryptography is the science of exploiting quantum mechanical properties to perform cryptographic tasks. The best known example of quantum cryptography is quantum key distribution which offers an information-theoretically secure solution ...
* Quantum information science
Quantum information science is an interdisciplinary field that seeks to understand the analysis, processing, and transmission of information using quantum mechanics principles. It combines the study of Information science with quantum effects in p ...
* Quantum network
Quantum networks form an important element of quantum computing and quantum communication systems. Quantum networks facilitate the transmission of information in the form of quantum bits, also called qubits, between physically separated quantum ...
References
External links
; General and review
Quantum Computing 101
Scientific American Magazine (January 2005 Issue) Best-Kept Secrets
Non-technical article on quantum cryptography
Physics World Magazine (March 2007 Issue)
Non-technical article on current state and future of quantum communication
*
*
SECOQC White Paper on Quantum Key Distribution and Cryptography
European project to create a large scale quantum cryptography network, includes discussion of current QKD approaches and comparison with classical cryptography
May 2003 Tomasz Grabowski
ARDA Quantum Cryptography Roadmap
Lectures at the Institut Henri Poincaré (slides and videos)
; More specific information
* Description of entanglement based quantum cryptography from Artur Ekert.
*
* Description of BB84 protocol and privacy amplification by Sharon Goldwater
Sharon J. Goldwater is an American and British computer scientist, cognitive science, cognitive scientist, developmental linguistics, developmental linguist, and natural language processing researcher who holds the Personal Chair of Computational ...
.
*
Public debate on the Security of Quantum Key Distribution at the conference Hot Topics in Physical Informatics, 11 November 2013
; Further information
Quantiki.org - Quantum Information portal and wiki
Interactive BB84 simulation
; Quantum key distribution simulation
Online Simulation and Analysis Toolkit for Quantum Key Distribution
; Quantum cryptography research groups
Experimental Quantum Cryptography with Entangled Photons
NIST Quantum Information Networks
Free Space Quantum Cryptography
Experimental Continuous Variable QKD, MPL Erlangen
Experimental Quantum Hacking, MPL Erlangen
Quantum cryptography lab. Pljonkin A.P.
; Companies selling quantum devices for cryptography
AUREA Technology
sells the optical building blocks for Quantum cryptography
id Quantique
sells Quantum Key Distribution products
MagiQ Technologies
sells quantum devices for cryptography
QuintessenceLabs
Solutions based on continuous wave lasers
SeQureNet
sells Quantum Key Distribution products using continuous-variables
; Companies with quantum cryptography research programmes
Hewlett Packard
IBM
{{DEFAULTSORT:Quantum Key Distribution
Cryptography
Quantum information science
Quantum cryptography