Internet DRAFT - draft-licalsi-quantum-crypto-difficulty

draft-licalsi-quantum-crypto-difficulty







Quantum Internet Research Group                              D. Li Calsi
Internet-Draft                                                   P. Kohl
Intended status: Informational                                  JH. Choi
Expires: 17 May 2024                                           J. Nötzel
                                     TQSD Technische Universität München
                                                        14 November 2023


 On the difficulty of Quantum Cryptography in presence of packet losses
               draft-licalsi-quantum-crypto-difficulty-01

Abstract

   From the communication viewpoint, qubits are different from classical
   bits.  A qubit may be transmitted directly but it can’t be cloned or
   measured without altering its state, so existing copy-and-resend
   schemes can’t be used to handle a transmission failure.  Moreover, in
   some cases, the sender does not know the state of the transmitted
   qubit, so a qubit loss may cause irrevocable damage.  This draft
   presents the causes of transmission failures, and analyses the
   vulnerabilities of several crypto protocols that such defects may
   bring forth.  Thus, quantum teleportation is highly recommended for
   certain applications.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 17 May 2024.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.






Li Calsi, et al.           Expires 17 May 2024                  [Page 1]

Internet-Draft          Quantum crypto difficulty          November 2023


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Problems of direct transmission . . . . . . . . . . . . . . .   3
     2.1.  Quantum information limit . . . . . . . . . . . . . . . .   3
     2.2.  Transmission limit  . . . . . . . . . . . . . . . . . . .   4
       2.2.1.  Absorption due to Material Choice . . . . . . . . . .   4
       2.2.2.  Dispersion and Spectral Broadening  . . . . . . . . .   6
       2.2.3.  Polarisation-dependency . . . . . . . . . . . . . . .   7
     2.3.  Transduction limit  . . . . . . . . . . . . . . . . . . .   7
   3.  Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . .   8
     3.1.  Attacks to public-key encryption and digital signature  .   9
     3.2.  Attacks to authentication . . . . . . . . . . . . . . . .  10
     3.3.  Attacks to quantum money  . . . . . . . . . . . . . . . .  11
     3.4.  Attacks to Oblivious Transfer . . . . . . . . . . . . . .  11
   4.  Conclusion  . . . . . . . . . . . . . . . . . . . . . . . . .  12
     4.1.  Quantum teleportation . . . . . . . . . . . . . . . . . .  12
     4.2.  Security by design  . . . . . . . . . . . . . . . . . . .  13
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  13
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  13
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  13
     7.1.  Informative References  . . . . . . . . . . . . . . . . .  13
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  15
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  15

1.  Introduction

   Despite our efforts to mitigate this phenomenon, real networks are
   subject to packet losses.  The problem is still present in classical
   communication, where it causes disruptions to communications
   requiring re-transmissions.  The problem is a consequence of several
   phenomena such as network congestion, strong channel noise, and
   hardware/software faults.  Quantum communication is much more
   sensitive to noise than classical communication due to the physical
   nature of the communication medium.  Because of that, it is
   reasonable to assume that data losses will eventually occur in real
   quantum communication systems.  While classically this is often
   regarded as a threat to communication performance, in quantum
   communications it also threatens the security of some protocols.  In



Li Calsi, et al.           Expires 17 May 2024                  [Page 2]

Internet-Draft          Quantum crypto difficulty          November 2023


   fact, several quantum cryptography protocols are provably secure
   because attackers can only access a single copy of some target
   quantum state and cannot clone quantum information.  For instance,
   the majority of QKD protocols assume that Alice and Bob exchange
   qubits once and no retransmission is needed, although some qubits
   might be lost.  If we drop these assumptions, the security of such
   protocols is threatened, although with varying degrees.  While some
   protocols can tolerate replicas of quantum states, others suffer much
   more from these attacks, and could potentially be broken.  The threat
   is a consequence of the fact that losses and malicious man-in-the-
   middle attacks are fundamentally indistinguishable.  When some packet
   is lost in classical or quantum networks, it is impossible to tell
   whether that happened due to innocent errors or due to malicious
   agents.  While classical cryptography is agnostic to how many copies
   of some message the attacker can access, (that is possessing m>1
   copies of some message will not help the attacker) the same cannot be
   claimed for most quantum cryptography protocols.  In the following we
   consider some cryptographical primitives using quantum states to
   defend against attackers.  We show attacks based on the presence of
   data losses threatening their security or practicality, and discuss
   possible mitigations.

2.  Problems of direct transmission

2.1.  Quantum information limit

   Qubits may be directly transmitted by encoding them into a physical
   medium, such as photons and sending them over a quantum channel, e.g.
   an optical fiber.  However, a qubit is more vulnerable to a link
   failure than a classical bit, so direct transmission may cause some
   serious, even irrevocable problem.

   In fact quantum states often are rather fragile to environmental
   noise, so a transmission failur in the direct link is more likely.
   Furthermore, the qubit's state description and evolution is governed
   by the laws of quantum mechanics, such as the quantum measurement
   postulate and the no-cloning theorem.  The latter entails the severe
   constraint that it’s impossible to read and copy an arbitrary unknown
   qubit without altering its state.  Hence, the classical recovery
   mechanisms such as copy-and-retransmission are often unfeasible.

   In some quantum applications, e.g.  BB84 QKD [Bennett] a sender may
   know the state of the qubit to send, so, in case of a link failure it
   can prepare and resend the same state.  However, for some
   applications this is not possible.  For example, a bank may issue a
   quantum banknote (using Wiesner’s scheme for quantum money [Wiesner])
   to a user.  If the user sends the banknote's qubits to the bank for
   verification via direct transmission, and (some part of) the banknote



Li Calsi, et al.           Expires 17 May 2024                  [Page 3]

Internet-Draft          Quantum crypto difficulty          November 2023


   is lost just once due to a link failure, then it cannot be recovered.
   That is because the user has no idea of the state of the quantum
   banknote, else he would be able to generate an arbitrarily high
   number of copies and break the scheme.

   Even when a retransmission is possible, that may result in a security
   vulnerability.  Several quantum cryptography protocols rely on the
   characteristic that qubits can’t be copied.  However, retransmission
   may allow a malicious node to acquire a copy of the state.  For
   example, as we will see later, some Quantum Public Key scheme
   [Nikolopoulos1], assumes only limited number of public keys are
   distributed.  An attacker may falsely claim a link failure and
   acquire another copy of public key to compute the matching private
   key.

2.2.  Transmission limit

   Transmission is limited by different phenomena in the real world.  We
   will focus on fibre optical networks here, as they are widely
   employed commercially.

   There are different mechanisms of loss which can occur in optical
   fibres, resulting in insertion loss e.g.  intrinsic absorption/
   scattering, dispersion, absorption due to splicing/connections,
   Radiation Induced Attenuation, and micro- and macrobends.
   Additionally there is return loss caused by reflection of signal at
   material interfaces.  Polarisation can be another source of losses as
   polarisation is not necessarily (perfectly) maintained in
   transmission and also source and receiver may have a polarisation
   dependence.

   In theory one could use a single fibre to connect two endpoints
   avoiding splicing and connections, and also use perfectly straight
   fibre, resulting in no loss due to bends.  Additionally radiation
   induced attenuation due to cosmic radiation and the like cannot be
   easily quantified.  Thus we will focus here on intrinsic absorption,
   dispersion and polarisation as they are more independent of a
   specific implementation.

2.2.1.  Absorption due to Material Choice

   Optical fibres exhibit losses when light is transmitted through them
   like any other material.  Obviously optical fibres are engineered in
   a way, s.t. losses of light are minimised, but some absorption is
   intrinsic.  If one looks at the intrinsic properties of the fibres it
   is evident which wavelengths are advantageous.  These wavelengths are
   often employed in telecommunication applications.  Generally fibre
   optical networks use silica (SiO2) fibres with very little



Li Calsi, et al.           Expires 17 May 2024                  [Page 4]

Internet-Draft          Quantum crypto difficulty          November 2023


   attenuation in the infrared (IR) range.  The light with wavelengths
   from 600 nm to 1800 nm exhibits low absorption in silica fibres.
   [Kohl]

   There are different local minima in those ranges, which are created
   by different loss mechanisms in the fibres.  With increasing
   wavelength λ the elastical scattering on particles with diameter d ≪
   λ is governed by the Rayleigh scattering cross-section Cs,λ ∝ 1/λ^4.
   [Howell] This means increasing λ yields lower attenuation.  This is
   counteracted by the increasing absorption of IR by SiO2 with
   increasing wavelength.  Additionally, there is the OH– absorption
   peak around ∼ 1440 nm.  This results in the lowest attenuations in
   the so-called O-band around ∼ 1310 nm and the so-called C-band around
   ∼ 1550 nm which includes the global minimum of attenuation.  [Kohl]
   The O-band is worth mentioning, because it includes the region for
   zero wave packet dispersion, which minimises signal distortion due to
   chromatic effects [Zeuner] [Portalupi] and also using the same fibre
   for classical communication and quantum key distribution (QKD) via
   Wavelength Division Multiplexing (WDM) works best for the O-band in
   metropolitan area networks.  [Gruenenfelder] This explains the choice
   of wavelength bands used in telecommunication, but also shows that
   still in the best case scenario there is absorption of around 0,2 dB/
   km in commercial networks using the C-band.  It would be possible to
   consider hollow-core optical fibres to reduce absorption and achieve
   an in general different behaviour, but those fibres are not widely
   employed in commercial networks (yet?).  Additionally, this does not
   change the general principle that there always will be intrinsic
   losses.  In quantum communication applications encoding qubits e.g.
   in the polarisation of single photons this loss mechanism may lead to
   problems, as physical qubits may be lost in transmission.  To
   mitigate this, one would for example employ error correction
   procedures which encode the information of one logical qubit in
   multiple physical ones, where the number of physical qubits is high
   enough to correct errors arising from missing photons due to
   absorptive effects in transmission.  On the other hand, encoding of
   information into laser pulses in different time bins – i.e. arrival
   times of photons – may not suffer as strongly from absorption.  So in
   summary – depending on the encoding of information into a physical
   property of the sent photons – absorption may pose a significant
   challenge.











Li Calsi, et al.           Expires 17 May 2024                  [Page 5]

Internet-Draft          Quantum crypto difficulty          November 2023


2.2.2.  Dispersion and Spectral Broadening

   Another fundamental effect which may be problematic in transmission
   is dispersion – i.e. wavelength dependency of the refractive index in
   a material.  This may lead to broadening of a pulse with non-zero
   spectral linewidth (non-zero linewidth is unavoidable in reality),
   because the different frequencies the light is consisting of travel
   with different velocities through the medium.  This broadens the
   pulse temporally.

   Similarly there is also spectral broadening.  Even atomic transitions
   are not able to produce perfectly monochromatic light.  Some
   intrinsic effects produce a Lorentzian distribution of wavelengths in
   the best case, while accounting for thermal effects produces a
   Gaußian distribution.  [Fox] This broadening might contribute to
   losses due to wavelength-dependent efficiency of detectors.  Also
   absorption is wavelength dependent as shown above, thus it may also
   lead to attenuation in this way.  It is also obvious that a finite
   energy pulse of light which broadens spectrally has to obey
   conservation of energy, that means the same amount of energy has to
   be spread over more wavelengths than before, implying that the energy
   spreads as well, reducing the amplitude of the peak as a whole.

   The problem with dispersion is the following: As quantum computation
   and e.g. quantum repeaters with photons rely on two-photon
   interference (Hong-Ou-Mandel effect), photons need to be
   indistinguishable, i.e. identical in every respect.  Dispersion now
   introduces variation in the photon wavepacket impacting the success
   rate of quantum operations.  Especially if photons travel through a
   different path dispersion will introduce some distinguishability,
   which might prove fatal.  [Portalupi] As mentioned before in the
   O-band around 1310 nm photons exhibit zero wave packet dispersion in
   SiO2 fibres.  [Zeuner] Thus, depending on the requirements and
   structure of a specific setup or implementation of protocol it may be
   advisable to choose the C-band if dispersion effects can be mitigated
   – e.g. if all photons traverse the same fibre or they do not have to
   interfere, but have to travel longer distances – while choosing the
   O-band in applications where dispersion might hinder interference.
   The concept of soliton is worth mentioning in this context, as in
   this case nonlinear effects and dispersion cancel.  [Taylor] So if
   one is able to generate solitons one is able to counteract the
   effects of dispersion.  This might be a route construct physical
   systems circumventing this problem.








Li Calsi, et al.           Expires 17 May 2024                  [Page 6]

Internet-Draft          Quantum crypto difficulty          November 2023


2.2.3.  Polarisation-dependency

   Depending on application and encoding the polarisation of light is
   instrumental in quantum cryptography (often QKD protocols use
   polarisation encoding).  Thus, it is important to note that in
   transmission in a real fibre (even a polarisation maintaining (PM)
   fibre) the polarisation is not maintained perfectly.  This can be
   measured via the polarisation extinction ratio (PER) given in [dB].
   Thus over long distances it is possible that the polarisation state
   of light is altered, which may result in loss of quantum information.
   Additionally, many optical components have a polarisation dependence
   with different efficiencies for the different polarisation states,
   e.g. detectors may have a higher sensitivity for one polarisation
   rather than the other, resulting in statistically skewed results.

   In consequence one has to calculate the impact of all of these
   effects in a given setup and ponder if this significantly impacts the
   given system.

2.3.  Transduction limit

   Not only the transmission limits are a concern, but also the
   transduction limits.  Transduction limits would be the limiting
   factors, which are not due to the actual losses in transmission, but
   due to the losses which occur in the conversion from flying qubits to
   stationary qubits and vice versa.

   This is obviously highly dependent on the implementation of a given
   system, but normally one uses photons as flying qubits, which have to
   interface with a system used as a stationary qubit.  These light-
   matter interactions can be described by cavity quantum
   electrodynamics (QED).

   Typically in cavity QED one considers a matter Two-Level System (TLS)
   in a resonator cavity.  This matter system would then be the
   stationary qubit and light entering the cavity to interact with the
   matter TLS would be the flying qubit to be transduced.  The complete
   systems dynamics are determined by different properties: The emitter
   decay rate γ is the rate of decay of the TLS into the cavity mode,
   which is often approximated by the lifetime τ of the excited state in
   the TLS via γ ≈ 1/τ. The cavity loss rate κ is the rate of photons
   exiting the cavity, which is determined by the quality factor Q of
   the resonator: κ ∝ 1/Q.  Also very important is the coupling strength
   g0 between TLS and photon, which is dependent on the mode volume V0
   of the resonator: g0 ∝ √1/V0.  [Mueller]






Li Calsi, et al.           Expires 17 May 2024                  [Page 7]

Internet-Draft          Quantum crypto difficulty          November 2023


   The cavities built around the TLS can take different forms.  There
   are e.g. micropillar resonators which use the principle of the Fabry-
   Pérot interferometer with Q ∼ 2000 and V0 = 5 · (λ/n)^3 where n is
   the refractive index inside the cavity and λ is the wavelength of the
   emitted light from the TLS, microsphere cavities with Q ∼ 8 · 10^9
   and V0 ∼ 3000 μm^3, or photonic crystals with Q ∼ 13000 and V0 = 1,2
   · (λ/n)^3.  [Mueller] Those are some cavities which can be built
   around the TLS according to ones requirements.  Those TLS include for
   example semiconductor quantum dots (QDs).  It has been shown, that
   InAs QDs can have electron spin lifetimes exceeding 1 s (albeit in
   this case the QD was charged electrically).  [Gillard] In case of
   QDs, it has to be kept in mind that normally the spin coherence times
   seem to be more on the order of tens of microseconds but they have
   excellent optical properties which allow generation of spin-photon
   entanglement efficiently.  Other material systems like vacancy
   centers in diamond exhibit spin coherence time of whole seconds but
   with low emission efficiencies.  [Dusanowski] So there seems to be a
   trade-off between advantageous spin and photonic properties.  Spin
   decoherence also limits the lifetimes of stationary qubits apart from
   the losses in transduction.  With such information one could estimate
   how good a flying qubit can be transduced to a stationary one and how
   good the stationary qubit can be preserved.

3.  Vulnerabilities

   Several protocols in quantum cryptography found their security upon
   (at least one of) two core assumptions:

   *  Bounded copies: adversaries have up to N copies of some quantum
      state, with N depending on the cite protocol.  In some cases, N =
      1.

   *  Unknown State: despite holding one or more copies of some
      state |ψ>, adversaries do lack information on what state they
      hold.

   Despite such assumptions being theoretically sound and convenient,
   the limits presented in Section 2 jeopardize their validity.  This
   may lead to protocol-specific attacks, either leaking partial
   information or completely breaking the protocol’s security or
   usability.  In the following, we explain how such a vulnerability may
   result in an attack against popular quantum cryptographic protocols.









Li Calsi, et al.           Expires 17 May 2024                  [Page 8]

Internet-Draft          Quantum crypto difficulty          November 2023


3.1.  Attacks to public-key encryption and digital signature

   We start by considering the quantum public-key encryption scheme
   devised by [Nikolopoulos1].  Such a protocol is a fit example, as it
   bases its security on both the aforementioned assumptions.  In fact,
   it supposes an upper bound to the number of distributed public keys,
   and that public key holders do not know which state they hold.  If
   one of these assumptions is broken, it is trivial to leak the private
   key from the quantum public key.

   We can compute the upper limit of N based on acceptable security
   risk.  Suppose that Alice generates m′ copies of her public key, with
   m′ is less than N, and distributes them in a quantum network.  Due to
   the inherent limits of telecommunication, it is likely that some of
   these quantum keys are lost.  However, the cause for this loss is
   quite tricky and could be one of the following:

   *  Benign faults: the quantum key is lost forever due to
      unforeseeable hazards.

   *  Malicious attack: some attacker could fake a hazard and steal the
      quantum key for future attacks.

   The two situations are indistinguishable to Alice, as she does not
   have a global view of what happens in the network.  Therefore, Alice
   has two options when some agent claims a public key loss:

   *  Optimism: Alice trusts the claim, i.e., she believes it was the
      consequence of a benign fault.  She then prepares one or more
      copies of the public key, and re-transmits them.

   *  Pessimism: Alice does not trust the claim, as she fears it is the
      result of a malicious attack.  She will not replace the lost
      quantum key.

   A pessimistic policy works from a security viewpoint, but jeopardizes
   the protocol's usability.  In fact, if Alice misjudges and the loss
   resulted from benign faults, then benign users will no longer be able
   to encrypt a message for Alice, as they lack the public key to run
   encryption.  On the other hand, an optimistic policy guarantees
   enough public key copies for every user, but may jeopardize the
   protocol's security.  Malicious users could exploit this policy to
   collect enough public key copies, measure them, and find the private
   key.  A similar reasoning holds for the quantum digital signature
   scheme by Gottesman and Chuang [Gottesman].  The latter distributes
   quantum public keys obtained from a classical private key via a
   classical-quantum one-way function.  The one-way property follows
   again from the bounded-copies assumption.  What if one public key



Li Calsi, et al.           Expires 17 May 2024                  [Page 9]

Internet-Draft          Quantum crypto difficulty          November 2023


   copy is lost?  If Alice plays optimistically, malicious users can
   exploit her trust to gather several public key copies.  If such an
   action is repeated over time, it can lead to information leakage and
   possibly an inversion of the one-way function.  On the other hand, if
   Alice plays pessimistically, benign users who lost a public key due
   to noise will be unable to verify signatures.

3.2.  Attacks to authentication

   In the following, we show how the phenomenon of data loss may
   jeopardize the security of some authentication protocols.  Hong et
   al’s protocol [Hong] is based on measuring single photons for m
   rounds, and implicitly makes the bounded-copies assumption.  It is
   assumed that Alice and Bob pre-share a classical secret key, and at
   authentication time they verify that their keys are the same.  For
   this purpose Bob encodes two classical key bits into one state from
   {|0⟩, |1⟩, |+⟩, |−⟩} according to pre-defined rules, then sends it to
   Bob for verification.  To prove the protocol’s security, they assume
   that at authentication time Alice and Bob are able to send and
   measure each photon once.  Let us now assume that some losses occur
   when Bob prepares a photon in position i in state |ψ_i> ∈
   {|0⟩, |1⟩, |+⟩, |−⟩}. If Bob acts optimistically, he will prepare a
   copy of state |ψ_i> and re-send it to Alice.  The latter could
   possibly happen m times, depending on the number of faults.  This
   allows malicious users to exploit this behavior and accumulate m
   copies of state |ψ_i>, then use them to distinguish which of the four
   possible states it is.  This allows adversaries to leak the
   corresponding key bits k_i.  On the other hand, if Bob plays
   pessimistically, he will not re-send state |ψ_i>.  This scenario may
   lead to security issues or impracticality depending on which policy
   Alice takes.  If Alice decides to skip that position, the protocol’s
   security decreases, since attackers with a partial knowledge of the
   shared key can still be successfully authenticated.  The attacker may
   simply claim that his qubit was lost, and still pass authentication.
   On the other hand, if Alice is intransigent, she may just reject
   Bob’s authentication attempt, and ask him to re-attempt later.  While
   that works fine when data losses are occasional accidents, curren and
   future quantum technologies will likely undergo a loss rate such that
   with a high probability one loss will occur in every protocol.  This
   implies that even an honest Bob will likely be unable to prove his
   identity, as most authentication attempts will fail due to Alice’s
   intransigent policy.  Despite employing security measures such as
   random decoy states and a thresholding mechanism to prevent an
   exceedingly high number of lost states, such mechanisms do not
   prevent all qubit-loss-based attacks, as they require restricting
   assumptions to work, such as knowledge of the physical communication
   link or passive adversaries.




Li Calsi, et al.           Expires 17 May 2024                 [Page 10]

Internet-Draft          Quantum crypto difficulty          November 2023


   Other proposals are more resilient to lost qubits.  Kanamori’s
   protocol [Kanamori] uses a random session key ϕ to mask the
   information on the classical pre-shared key.  In case of a single
   qubit, even if an attacker with no a prior knowledge intercepts it,
   it can't extract any information on it, as they would only receive a
   maximally-mixed state that is independent of the secret key.

3.3.  Attacks to quantum money

   Wiesner’s quantum money [Wiesner] also relies on the bounded-copies
   and unknown-state assumptions.  If one possesses several copies of
   the same quantum note, one may use them to attack the scheme.
   Specifically, they can use simple measurements and operations to
   learn the note’s quantum state, and produce arbitrarily many copies.
   Let's consider a quantum note with n qubits.  If an attacker wants to
   cheat with probability δ, it needs approximately m copies of the note
   where m = -log_2(1-δ^(1/n)).

   We remark that once the attack is repeated for all the n qubits, you
   know all their bases and values, and may therefore forge as many
   banknotes as you like.  Now, suppose a user claims that a quantum
   note was lost.  If Alice acts optimistically and re-issues the
   banknote, some attacker can exploit this to gather copies of the note
   and later run the attack.  On the other hand, Alice could act
   pessimistically and refuse to re-issue the lost qubits.  Although
   this preserves the protocol’s security, it prevents benign users from
   verifying the note in the future.

3.4.  Attacks to Oblivious Transfer

   The BBCS [Brassard] protocol is extremely sensitive to multicopy
   attacks.  In fact, suppose that Bob obtains two copies of the qubits
   generated by Alice in the BB84 phase.  He may run a very simple
   attack:

   *  Measure each qubit of the first copy in the computational basis

   *  Measure each qubit of the second copy in the Hadamard basis

   *  Once Alice has revealed her true bases, Bob keeps the measurement
      outcomes obtained by measuring in the right basis

   Such a simple attack allows him to learn both messages with
   certainty.  Hence, if Alice receives the claim of a lost BB84 qubit,
   she must play pessimistically and refuse to re-send it.  Fortunately,
   in this scenario, Alice may get away with a simple counterattack:
   because the BB84 phase happens at an early stage, she may prepare a
   different random BB84 state and send it to Bob.  This preserves the



Li Calsi, et al.           Expires 17 May 2024                 [Page 11]

Internet-Draft          Quantum crypto difficulty          November 2023


   protocol’s correctness at no security cost.  Furthermore, re-
   preparing a random qubit comes with negligible overhead, thus
   preserving the protocol’s practicality.

4.  Conclusion

4.1.  Quantum teleportation

   Overall, in some cases, direct transmission of qubit is problematic
   because of its quantum characteristics, e.g., no cloning.  For some
   applications a transmission failure may cause an irrevocable damage.
   Even if a sender can retransmit a qubit in case of a failure , e.g.
   [Nikolopoulos1], this may bring forth a security breach.  We believe
   that the risks described above can be mitigated by sharing entangled
   pairs between a sender and a receiver over the (imperfect) link and
   then perform quantum teleportation procedure.  Usually, it’s easier
   to directly transmit a qubit in a known state than one in an unknown
   state.  Hence, since the EPR pairs that we wish to exchange have a
   known state, it is safe to assume they are technically more simple to
   transmit.  Although a problem during an entanglement swapping may
   arise, such failure can be recovered with enough trials.  Such a
   failure is, unlike other aforementioned failures, perfectly
   recoverable.  Moreover, entangled pairs can be stored in the form of
   a matter qubit [Childress].  Hence, the result of quantum computation
   can be directly transferred without going through transducer, thus
   reducing the chance of qubit losses.  Finally, direct transmission
   allows a man-in-the-middle to intercept a quantum state fairly
   easily.  If qubits are teleported rather than directly transmitted,
   such an attack is no longer feasible.  In fact, the man-in-the-middle
   can only intercept the two classical bits required to finalize the
   teleportation protocol.  However, such bits only provide information
   on how the receiver should transform their local state to obtain the
   input state, and are essentially meaningless to the attacker.  As
   [RFC9340] indicates, we may, in turn, create link-local entanglement
   between neighboring nodes, establish end-to-end entanglement with
   entanglement swapping, then perform distillation to improve the
   fidelity.  Using entangled pairs of high enough fidelity, we may use
   quantum teleportation to send even an irrecoverable quantum state.
   Teleportation is therefore a powerful tool, but it introduces new
   questions and problems.  For instance, using teleportation for
   cryptographic purposes not only requires correct pre-shared
   entanglement, but also trustworthy entangled states.  Entangled
   states should come with some form of cryptographically secure
   certificate proving that the received states are indeed entangled
   with the intended receiver.  Furthermore, for some crypto primitives,
   prescribing pre-shared entangled state leads to circular
   requirements.  In fact, if trustworthy pre-shared entanglement is
   required for authentication, then the two users must have already run



Li Calsi, et al.           Expires 17 May 2024                 [Page 12]

Internet-Draft          Quantum crypto difficulty          November 2023


   some form of authentication when sharing entanglement, else they have
   no guarantees of being entangled with the correct user.

4.2.  Security by design

   As argued above, some protocols are secure by design.  We have
   already cited the BBCS and Kanamori’s authentication protocol, but
   more are likely to exist.  For instance, repeating the same reasoning
   showing BBCS' security one may find a simple mitigation for BB84 QKD
   [Bennett].  These proposals base their security on randomness, either
   as a form of masking/encryption or because they send some random
   quantum states that do not encode secret information.  Security by
   design has lightweight requirements compared to teleportation, as it
   does not pose the problem of trustworthy entanglement sharing and
   storage.  However, it is considerably harder for cryptographers to
   design a quantum protocol that is inherently resilient to message
   losses.  Hence, in future applications, a hybrid use of both
   mitigations is advised.

5.  IANA Considerations

   This memo includes no request to IANA.

6.  Security Considerations

   This document do not introduce any new security considerations.

7.  References

7.1.  Informative References

   [RFC9340]  Kozlowski, W., Wehner, S., Van Meter, R., Rijsman, B.,
              Cacciapuoti, A. S., Caleffi, M., and S. Nagayama,
              "Architectural Principles for a Quantum Internet",
              RFC 9340, DOI 10.17487/RFC9340, March 2023,
              <https://www.rfc-editor.org/info/rfc9340>.

   [I-D.irtf-qirg-quantum-internet-use-cases]
              Wang, C., Rahman, A., Li, R., Aelmans, M., and K.
              Chakraborty, "Application Scenarios for the Quantum
              Internet", Work in Progress, Internet-Draft, draft-irtf-
              qirg-quantum-internet-use-cases-19, 16 October 2023,
              <https://datatracker.ietf.org/doc/html/draft-irtf-qirg-
              quantum-internet-use-cases-19>.

   [Kohl]     Kohl, P., "Optical characterisation of telecommunication
              wavelength quantum dots", Master’s Thesis, Technical
              University of Munich, 2023.



Li Calsi, et al.           Expires 17 May 2024                 [Page 13]

Internet-Draft          Quantum crypto difficulty          November 2023


   [Howell]   Howell, E.F., Daun, K.J., Siegel, R., and M.P. Meng¨u¸c,
              "Thermal radiation heat transfer, seventh ed.", 2021.

   [Zeuner]   Zeuner, K., "Semiconductor Quantum Optics at Telecom
              Wavelengths", Ph.D. thesis, KTH, 2020.

   [Portalupi]
              Portalupi, S.L., Jetter, M., and P. Michler, "InAs quantum
              dots grown on metamorphic buffers as non-classical light
              sources at telecom C-band", a review, Semiconductor
              Science and Technology 34, 2019.

   [Gruenenfelder]
              Grünenfelder, F., Sax, R., Boaron, A., and H. Zbinden,
              "The limits of multiplexing quantum and classical
              channels: Case study of a 2.5 GHz discrete variable
              quantum key distribution system", Applied Physics Letters
              119, 124001, 2021.

   [Fox]      Fox, M., "Quantum Optics: An Introduction", Master Series
              in Physics, Vol. 15 (Oxford University Press), 2006.

   [Taylor]   Taylor, J.R., "Optical Solitons: Theory and Experiment",
              1992.

   [Mueller]  Müller, K., "Lecture notes in photonic quantum
              technologies", summer semester, 2021.

   [Gillard]  Gillard, G., Griffiths, I.M., Ragunathan, G., Ulhaq, A.,
              McEwan, C., Clarke, E., and E.A. Chekhovich, "Fundamental
              limits of electron and nuclear spin qubit lifetimes in an
              isolated self-assembled quantum dot", npj Quantum
              Information 7, 2021.

   [Dusanowski]
              Dusanowski, Ł., Nawrath, C., Portalupi, S.L., Jetter, M.,
              Huber, T., Klembt, S., Michler, P., and S. Höfling,
              "Optical charge injection and coherent control of a
              quantum-dot spin-qubit emitting at telecom wavelengths",
              Nature Communications 13, 2022.

   [Nikolopoulos1]
              Nikolopoulos, G.M., "Applications of single-qubit
              rotations in quantum public-key cryptography", Physical
              Review A 77, 2008.






Li Calsi, et al.           Expires 17 May 2024                 [Page 14]

Internet-Draft          Quantum crypto difficulty          November 2023


   [Gottesman]
              Gottesman, D. and I. Chuang, "Quantum digital signatures",
              arXiv:quant-ph/0105032 [quant-ph], 2001.

   [Hong]     Hong, C.H., Heo, J., Jang, J.G., and D. Kwon, "Quantum
              identity authentication with single photon", Quantum
              Information Processing 16, 2017.

   [Kanamori] Kanamori, Y., Yoo, S.M., Gregory, D., and F. Sheldon, "On
              quantum authentication protocols", GLOBECOM ’05, 2005.

   [Wiesner]  Wiesner, S., "Conjugate coding", SIGACT News 15, 1983.

   [Bennett]  Bennett, B. and G. Brassard, "Quantum cryptography: Public
              key distribution and coin tossing", 1984.

   [Childress]
              Childress, L. and R. Hanson, "Diamond NV centers for
              quantum computing and quantum networks", MRS Bulletin
              volume 38, 2013.

   [Brassard] Bennett, C., Brassard, G., Crepeau, C., and M-H.
              Skubiszewska, "Practical quantum oblivious transfer",
              Advances in Cryptology — CRYPTO ’91, 1991.

Acknowledgements

   This work was financed by the DFG via grant NO 1129/2-1 (JN) and by
   the BMBF via grants 16KISQ039 (JHC), 16KISQ077 (DLC) and 16KISR026
   (PK).  The authors acknowledge the financial support by the Federal
   Ministry of Education and Research of Germany in the programme of
   “Souverän.  Digital.  Vernetzt.”. Joint project 6G-life, project
   identification number: 16KISK002

Authors' Addresses

   Davide Li Calsi
   TQSD Technische Universität München
   Theresienstraße 90
   80333 Munich
   Germany
   Email: davide.li-calsi@tum.de









Li Calsi, et al.           Expires 17 May 2024                 [Page 15]

Internet-Draft          Quantum crypto difficulty          November 2023


   Paul Kohl
   TQSD Technische Universität München
   Theresienstraße 90
   80333 Munich
   Germany
   Email: paul.kohl@tum.de


   JinHyeock Choi
   TQSD Technische Universität München
   Theresienstraße 90
   80333 Munich
   Germany
   Email: jin.choi@tum.de


   Janis Nötzel
   TQSD Technische Universität München
   Theresienstraße 90
   80333 Munich
   Germany
   Email: janis.noetzel@tum.de





























Li Calsi, et al.           Expires 17 May 2024                 [Page 16]