Internet DRAFT - draft-licalsi-quantum-crypto-difficulty
draft-licalsi-quantum-crypto-difficulty
Quantum Internet Research Group D. Li Calsi
Internet-Draft P. Kohl
Intended status: Informational JH. Choi
Expires: 17 May 2024 J. Nötzel
TQSD Technische Universität München
14 November 2023
On the difficulty of Quantum Cryptography in presence of packet losses
draft-licalsi-quantum-crypto-difficulty-01
Abstract
From the communication viewpoint, qubits are different from classical
bits. A qubit may be transmitted directly but it can’t be cloned or
measured without altering its state, so existing copy-and-resend
schemes can’t be used to handle a transmission failure. Moreover, in
some cases, the sender does not know the state of the transmitted
qubit, so a qubit loss may cause irrevocable damage. This draft
presents the causes of transmission failures, and analyses the
vulnerabilities of several crypto protocols that such defects may
bring forth. Thus, quantum teleportation is highly recommended for
certain applications.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 17 May 2024.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
Li Calsi, et al. Expires 17 May 2024 [Page 1]
�
Internet-Draft Quantum crypto difficulty November 2023
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Problems of direct transmission . . . . . . . . . . . . . . . 3
2.1. Quantum information limit . . . . . . . . . . . . . . . . 3
2.2. Transmission limit . . . . . . . . . . . . . . . . . . . 4
2.2.1. Absorption due to Material Choice . . . . . . . . . . 4
2.2.2. Dispersion and Spectral Broadening . . . . . . . . . 6
2.2.3. Polarisation-dependency . . . . . . . . . . . . . . . 7
2.3. Transduction limit . . . . . . . . . . . . . . . . . . . 7
3. Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . 8
3.1. Attacks to public-key encryption and digital signature . 9
3.2. Attacks to authentication . . . . . . . . . . . . . . . . 10
3.3. Attacks to quantum money . . . . . . . . . . . . . . . . 11
3.4. Attacks to Oblivious Transfer . . . . . . . . . . . . . . 11
4. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.1. Quantum teleportation . . . . . . . . . . . . . . . . . . 12
4.2. Security by design . . . . . . . . . . . . . . . . . . . 13
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
6. Security Considerations . . . . . . . . . . . . . . . . . . . 13
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
7.1. Informative References . . . . . . . . . . . . . . . . . 13
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction
Despite our efforts to mitigate this phenomenon, real networks are
subject to packet losses. The problem is still present in classical
communication, where it causes disruptions to communications
requiring re-transmissions. The problem is a consequence of several
phenomena such as network congestion, strong channel noise, and
hardware/software faults. Quantum communication is much more
sensitive to noise than classical communication due to the physical
nature of the communication medium. Because of that, it is
reasonable to assume that data losses will eventually occur in real
quantum communication systems. While classically this is often
regarded as a threat to communication performance, in quantum
communications it also threatens the security of some protocols. In
Li Calsi, et al. Expires 17 May 2024 [Page 2]
�
Internet-Draft Quantum crypto difficulty November 2023
fact, several quantum cryptography protocols are provably secure
because attackers can only access a single copy of some target
quantum state and cannot clone quantum information. For instance,
the majority of QKD protocols assume that Alice and Bob exchange
qubits once and no retransmission is needed, although some qubits
might be lost. If we drop these assumptions, the security of such
protocols is threatened, although with varying degrees. While some
protocols can tolerate replicas of quantum states, others suffer much
more from these attacks, and could potentially be broken. The threat
is a consequence of the fact that losses and malicious man-in-the-
middle attacks are fundamentally indistinguishable. When some packet
is lost in classical or quantum networks, it is impossible to tell
whether that happened due to innocent errors or due to malicious
agents. While classical cryptography is agnostic to how many copies
of some message the attacker can access, (that is possessing m>1
copies of some message will not help the attacker) the same cannot be
claimed for most quantum cryptography protocols. In the following we
consider some cryptographical primitives using quantum states to
defend against attackers. We show attacks based on the presence of
data losses threatening their security or practicality, and discuss
possible mitigations.
2. Problems of direct transmission
2.1. Quantum information limit
Qubits may be directly transmitted by encoding them into a physical
medium, such as photons and sending them over a quantum channel, e.g.
an optical fiber. However, a qubit is more vulnerable to a link
failure than a classical bit, so direct transmission may cause some
serious, even irrevocable problem.
In fact quantum states often are rather fragile to environmental
noise, so a transmission failur in the direct link is more likely.
Furthermore, the qubit's state description and evolution is governed
by the laws of quantum mechanics, such as the quantum measurement
postulate and the no-cloning theorem. The latter entails the severe
constraint that it’s impossible to read and copy an arbitrary unknown
qubit without altering its state. Hence, the classical recovery
mechanisms such as copy-and-retransmission are often unfeasible.
In some quantum applications, e.g. BB84 QKD [Bennett] a sender may
know the state of the qubit to send, so, in case of a link failure it
can prepare and resend the same state. However, for some
applications this is not possible. For example, a bank may issue a
quantum banknote (using Wiesner’s scheme for quantum money [Wiesner])
to a user. If the user sends the banknote's qubits to the bank for
verification via direct transmission, and (some part of) the banknote
Li Calsi, et al. Expires 17 May 2024 [Page 3]
�
Internet-Draft Quantum crypto difficulty November 2023
is lost just once due to a link failure, then it cannot be recovered.
That is because the user has no idea of the state of the quantum
banknote, else he would be able to generate an arbitrarily high
number of copies and break the scheme.
Even when a retransmission is possible, that may result in a security
vulnerability. Several quantum cryptography protocols rely on the
characteristic that qubits can’t be copied. However, retransmission
may allow a malicious node to acquire a copy of the state. For
example, as we will see later, some Quantum Public Key scheme
[Nikolopoulos1], assumes only limited number of public keys are
distributed. An attacker may falsely claim a link failure and
acquire another copy of public key to compute the matching private
key.
2.2. Transmission limit
Transmission is limited by different phenomena in the real world. We
will focus on fibre optical networks here, as they are widely
employed commercially.
There are different mechanisms of loss which can occur in optical
fibres, resulting in insertion loss e.g. intrinsic absorption/
scattering, dispersion, absorption due to splicing/connections,
Radiation Induced Attenuation, and micro- and macrobends.
Additionally there is return loss caused by reflection of signal at
material interfaces. Polarisation can be another source of losses as
polarisation is not necessarily (perfectly) maintained in
transmission and also source and receiver may have a polarisation
dependence.
In theory one could use a single fibre to connect two endpoints
avoiding splicing and connections, and also use perfectly straight
fibre, resulting in no loss due to bends. Additionally radiation
induced attenuation due to cosmic radiation and the like cannot be
easily quantified. Thus we will focus here on intrinsic absorption,
dispersion and polarisation as they are more independent of a
specific implementation.
2.2.1. Absorption due to Material Choice
Optical fibres exhibit losses when light is transmitted through them
like any other material. Obviously optical fibres are engineered in
a way, s.t. losses of light are minimised, but some absorption is
intrinsic. If one looks at the intrinsic properties of the fibres it
is evident which wavelengths are advantageous. These wavelengths are
often employed in telecommunication applications. Generally fibre
optical networks use silica (SiO2) fibres with very little
Li Calsi, et al. Expires 17 May 2024 [Page 4]
�
Internet-Draft Quantum crypto difficulty November 2023
attenuation in the infrared (IR) range. The light with wavelengths
from 600 nm to 1800 nm exhibits low absorption in silica fibres.
[Kohl]
There are different local minima in those ranges, which are created
by different loss mechanisms in the fibres. With increasing
wavelength λ the elastical scattering on particles with diameter d ≪
λ is governed by the Rayleigh scattering cross-section Cs,λ ∝ 1/λ^4.
[Howell] This means increasing λ yields lower attenuation. This is
counteracted by the increasing absorption of IR by SiO2 with
increasing wavelength. Additionally, there is the OH– absorption
peak around ∼ 1440 nm. This results in the lowest attenuations in
the so-called O-band around ∼ 1310 nm and the so-called C-band around
∼ 1550 nm which includes the global minimum of attenuation. [Kohl]
The O-band is worth mentioning, because it includes the region for
zero wave packet dispersion, which minimises signal distortion due to
chromatic effects [Zeuner] [Portalupi] and also using the same fibre
for classical communication and quantum key distribution (QKD) via
Wavelength Division Multiplexing (WDM) works best for the O-band in
metropolitan area networks. [Gruenenfelder] This explains the choice
of wavelength bands used in telecommunication, but also shows that
still in the best case scenario there is absorption of around 0,2 dB/
km in commercial networks using the C-band. It would be possible to
consider hollow-core optical fibres to reduce absorption and achieve
an in general different behaviour, but those fibres are not widely
employed in commercial networks (yet?). Additionally, this does not
change the general principle that there always will be intrinsic
losses. In quantum communication applications encoding qubits e.g.
in the polarisation of single photons this loss mechanism may lead to
problems, as physical qubits may be lost in transmission. To
mitigate this, one would for example employ error correction
procedures which encode the information of one logical qubit in
multiple physical ones, where the number of physical qubits is high
enough to correct errors arising from missing photons due to
absorptive effects in transmission. On the other hand, encoding of
information into laser pulses in different time bins – i.e. arrival
times of photons – may not suffer as strongly from absorption. So in
summary – depending on the encoding of information into a physical
property of the sent photons – absorption may pose a significant
challenge.
Li Calsi, et al. Expires 17 May 2024 [Page 5]
�
Internet-Draft Quantum crypto difficulty November 2023
2.2.2. Dispersion and Spectral Broadening
Another fundamental effect which may be problematic in transmission
is dispersion – i.e. wavelength dependency of the refractive index in
a material. This may lead to broadening of a pulse with non-zero
spectral linewidth (non-zero linewidth is unavoidable in reality),
because the different frequencies the light is consisting of travel
with different velocities through the medium. This broadens the
pulse temporally.
Similarly there is also spectral broadening. Even atomic transitions
are not able to produce perfectly monochromatic light. Some
intrinsic effects produce a Lorentzian distribution of wavelengths in
the best case, while accounting for thermal effects produces a
Gaußian distribution. [Fox] This broadening might contribute to
losses due to wavelength-dependent efficiency of detectors. Also
absorption is wavelength dependent as shown above, thus it may also
lead to attenuation in this way. It is also obvious that a finite
energy pulse of light which broadens spectrally has to obey
conservation of energy, that means the same amount of energy has to
be spread over more wavelengths than before, implying that the energy
spreads as well, reducing the amplitude of the peak as a whole.
The problem with dispersion is the following: As quantum computation
and e.g. quantum repeaters with photons rely on two-photon
interference (Hong-Ou-Mandel effect), photons need to be
indistinguishable, i.e. identical in every respect. Dispersion now
introduces variation in the photon wavepacket impacting the success
rate of quantum operations. Especially if photons travel through a
different path dispersion will introduce some distinguishability,
which might prove fatal. [Portalupi] As mentioned before in the
O-band around 1310 nm photons exhibit zero wave packet dispersion in
SiO2 fibres. [Zeuner] Thus, depending on the requirements and
structure of a specific setup or implementation of protocol it may be
advisable to choose the C-band if dispersion effects can be mitigated
– e.g. if all photons traverse the same fibre or they do not have to
interfere, but have to travel longer distances – while choosing the
O-band in applications where dispersion might hinder interference.
The concept of soliton is worth mentioning in this context, as in
this case nonlinear effects and dispersion cancel. [Taylor] So if
one is able to generate solitons one is able to counteract the
effects of dispersion. This might be a route construct physical
systems circumventing this problem.
Li Calsi, et al. Expires 17 May 2024 [Page 6]
�
Internet-Draft Quantum crypto difficulty November 2023
2.2.3. Polarisation-dependency
Depending on application and encoding the polarisation of light is
instrumental in quantum cryptography (often QKD protocols use
polarisation encoding). Thus, it is important to note that in
transmission in a real fibre (even a polarisation maintaining (PM)
fibre) the polarisation is not maintained perfectly. This can be
measured via the polarisation extinction ratio (PER) given in [dB].
Thus over long distances it is possible that the polarisation state
of light is altered, which may result in loss of quantum information.
Additionally, many optical components have a polarisation dependence
with different efficiencies for the different polarisation states,
e.g. detectors may have a higher sensitivity for one polarisation
rather than the other, resulting in statistically skewed results.
In consequence one has to calculate the impact of all of these
effects in a given setup and ponder if this significantly impacts the
given system.
2.3. Transduction limit
Not only the transmission limits are a concern, but also the
transduction limits. Transduction limits would be the limiting
factors, which are not due to the actual losses in transmission, but
due to the losses which occur in the conversion from flying qubits to
stationary qubits and vice versa.
This is obviously highly dependent on the implementation of a given
system, but normally one uses photons as flying qubits, which have to
interface with a system used as a stationary qubit. These light-
matter interactions can be described by cavity quantum
electrodynamics (QED).
Typically in cavity QED one considers a matter Two-Level System (TLS)
in a resonator cavity. This matter system would then be the
stationary qubit and light entering the cavity to interact with the
matter TLS would be the flying qubit to be transduced. The complete
systems dynamics are determined by different properties: The emitter
decay rate γ is the rate of decay of the TLS into the cavity mode,
which is often approximated by the lifetime τ of the excited state in
the TLS via γ ≈ 1/τ. The cavity loss rate κ is the rate of photons
exiting the cavity, which is determined by the quality factor Q of
the resonator: κ ∝ 1/Q. Also very important is the coupling strength
g0 between TLS and photon, which is dependent on the mode volume V0
of the resonator: g0 ∝ √1/V0. [Mueller]
Li Calsi, et al. Expires 17 May 2024 [Page 7]
�
Internet-Draft Quantum crypto difficulty November 2023
The cavities built around the TLS can take different forms. There
are e.g. micropillar resonators which use the principle of the Fabry-
Pérot interferometer with Q ∼ 2000 and V0 = 5 · (λ/n)^3 where n is
the refractive index inside the cavity and λ is the wavelength of the
emitted light from the TLS, microsphere cavities with Q ∼ 8 · 10^9
and V0 ∼ 3000 μm^3, or photonic crystals with Q ∼ 13000 and V0 = 1,2
· (λ/n)^3. [Mueller] Those are some cavities which can be built
around the TLS according to ones requirements. Those TLS include for
example semiconductor quantum dots (QDs). It has been shown, that
InAs QDs can have electron spin lifetimes exceeding 1 s (albeit in
this case the QD was charged electrically). [Gillard] In case of
QDs, it has to be kept in mind that normally the spin coherence times
seem to be more on the order of tens of microseconds but they have
excellent optical properties which allow generation of spin-photon
entanglement efficiently. Other material systems like vacancy
centers in diamond exhibit spin coherence time of whole seconds but
with low emission efficiencies. [Dusanowski] So there seems to be a
trade-off between advantageous spin and photonic properties. Spin
decoherence also limits the lifetimes of stationary qubits apart from
the losses in transduction. With such information one could estimate
how good a flying qubit can be transduced to a stationary one and how
good the stationary qubit can be preserved.
3. Vulnerabilities
Several protocols in quantum cryptography found their security upon
(at least one of) two core assumptions:
* Bounded copies: adversaries have up to N copies of some quantum
state, with N depending on the cite protocol. In some cases, N =
1.
* Unknown State: despite holding one or more copies of some
state |ψ>, adversaries do lack information on what state they
hold.
Despite such assumptions being theoretically sound and convenient,
the limits presented in Section 2 jeopardize their validity. This
may lead to protocol-specific attacks, either leaking partial
information or completely breaking the protocol’s security or
usability. In the following, we explain how such a vulnerability may
result in an attack against popular quantum cryptographic protocols.
Li Calsi, et al. Expires 17 May 2024 [Page 8]
�
Internet-Draft Quantum crypto difficulty November 2023
3.1. Attacks to public-key encryption and digital signature
We start by considering the quantum public-key encryption scheme
devised by [Nikolopoulos1]. Such a protocol is a fit example, as it
bases its security on both the aforementioned assumptions. In fact,
it supposes an upper bound to the number of distributed public keys,
and that public key holders do not know which state they hold. If
one of these assumptions is broken, it is trivial to leak the private
key from the quantum public key.
We can compute the upper limit of N based on acceptable security
risk. Suppose that Alice generates m′ copies of her public key, with
m′ is less than N, and distributes them in a quantum network. Due to
the inherent limits of telecommunication, it is likely that some of
these quantum keys are lost. However, the cause for this loss is
quite tricky and could be one of the following:
* Benign faults: the quantum key is lost forever due to
unforeseeable hazards.
* Malicious attack: some attacker could fake a hazard and steal the
quantum key for future attacks.
The two situations are indistinguishable to Alice, as she does not
have a global view of what happens in the network. Therefore, Alice
has two options when some agent claims a public key loss:
* Optimism: Alice trusts the claim, i.e., she believes it was the
consequence of a benign fault. She then prepares one or more
copies of the public key, and re-transmits them.
* Pessimism: Alice does not trust the claim, as she fears it is the
result of a malicious attack. She will not replace the lost
quantum key.
A pessimistic policy works from a security viewpoint, but jeopardizes
the protocol's usability. In fact, if Alice misjudges and the loss
resulted from benign faults, then benign users will no longer be able
to encrypt a message for Alice, as they lack the public key to run
encryption. On the other hand, an optimistic policy guarantees
enough public key copies for every user, but may jeopardize the
protocol's security. Malicious users could exploit this policy to
collect enough public key copies, measure them, and find the private
key. A similar reasoning holds for the quantum digital signature
scheme by Gottesman and Chuang [Gottesman]. The latter distributes
quantum public keys obtained from a classical private key via a
classical-quantum one-way function. The one-way property follows
again from the bounded-copies assumption. What if one public key
Li Calsi, et al. Expires 17 May 2024 [Page 9]
�
Internet-Draft Quantum crypto difficulty November 2023
copy is lost? If Alice plays optimistically, malicious users can
exploit her trust to gather several public key copies. If such an
action is repeated over time, it can lead to information leakage and
possibly an inversion of the one-way function. On the other hand, if
Alice plays pessimistically, benign users who lost a public key due
to noise will be unable to verify signatures.
3.2. Attacks to authentication
In the following, we show how the phenomenon of data loss may
jeopardize the security of some authentication protocols. Hong et
al’s protocol [Hong] is based on measuring single photons for m
rounds, and implicitly makes the bounded-copies assumption. It is
assumed that Alice and Bob pre-share a classical secret key, and at
authentication time they verify that their keys are the same. For
this purpose Bob encodes two classical key bits into one state from
{|0⟩, |1⟩, |+⟩, |−⟩} according to pre-defined rules, then sends it to
Bob for verification. To prove the protocol’s security, they assume
that at authentication time Alice and Bob are able to send and
measure each photon once. Let us now assume that some losses occur
when Bob prepares a photon in position i in state |ψ_i> ∈
{|0⟩, |1⟩, |+⟩, |−⟩}. If Bob acts optimistically, he will prepare a
copy of state |ψ_i> and re-send it to Alice. The latter could
possibly happen m times, depending on the number of faults. This
allows malicious users to exploit this behavior and accumulate m
copies of state |ψ_i>, then use them to distinguish which of the four
possible states it is. This allows adversaries to leak the
corresponding key bits k_i. On the other hand, if Bob plays
pessimistically, he will not re-send state |ψ_i>. This scenario may
lead to security issues or impracticality depending on which policy
Alice takes. If Alice decides to skip that position, the protocol’s
security decreases, since attackers with a partial knowledge of the
shared key can still be successfully authenticated. The attacker may
simply claim that his qubit was lost, and still pass authentication.
On the other hand, if Alice is intransigent, she may just reject
Bob’s authentication attempt, and ask him to re-attempt later. While
that works fine when data losses are occasional accidents, curren and
future quantum technologies will likely undergo a loss rate such that
with a high probability one loss will occur in every protocol. This
implies that even an honest Bob will likely be unable to prove his
identity, as most authentication attempts will fail due to Alice’s
intransigent policy. Despite employing security measures such as
random decoy states and a thresholding mechanism to prevent an
exceedingly high number of lost states, such mechanisms do not
prevent all qubit-loss-based attacks, as they require restricting
assumptions to work, such as knowledge of the physical communication
link or passive adversaries.
Li Calsi, et al. Expires 17 May 2024 [Page 10]
�
Internet-Draft Quantum crypto difficulty November 2023
Other proposals are more resilient to lost qubits. Kanamori’s
protocol [Kanamori] uses a random session key ϕ to mask the
information on the classical pre-shared key. In case of a single
qubit, even if an attacker with no a prior knowledge intercepts it,
it can't extract any information on it, as they would only receive a
maximally-mixed state that is independent of the secret key.
3.3. Attacks to quantum money
Wiesner’s quantum money [Wiesner] also relies on the bounded-copies
and unknown-state assumptions. If one possesses several copies of
the same quantum note, one may use them to attack the scheme.
Specifically, they can use simple measurements and operations to
learn the note’s quantum state, and produce arbitrarily many copies.
Let's consider a quantum note with n qubits. If an attacker wants to
cheat with probability δ, it needs approximately m copies of the note
where m = -log_2(1-δ^(1/n)).
We remark that once the attack is repeated for all the n qubits, you
know all their bases and values, and may therefore forge as many
banknotes as you like. Now, suppose a user claims that a quantum
note was lost. If Alice acts optimistically and re-issues the
banknote, some attacker can exploit this to gather copies of the note
and later run the attack. On the other hand, Alice could act
pessimistically and refuse to re-issue the lost qubits. Although
this preserves the protocol’s security, it prevents benign users from
verifying the note in the future.
3.4. Attacks to Oblivious Transfer
The BBCS [Brassard] protocol is extremely sensitive to multicopy
attacks. In fact, suppose that Bob obtains two copies of the qubits
generated by Alice in the BB84 phase. He may run a very simple
attack:
* Measure each qubit of the first copy in the computational basis
* Measure each qubit of the second copy in the Hadamard basis
* Once Alice has revealed her true bases, Bob keeps the measurement
outcomes obtained by measuring in the right basis
Such a simple attack allows him to learn both messages with
certainty. Hence, if Alice receives the claim of a lost BB84 qubit,
she must play pessimistically and refuse to re-send it. Fortunately,
in this scenario, Alice may get away with a simple counterattack:
because the BB84 phase happens at an early stage, she may prepare a
different random BB84 state and send it to Bob. This preserves the
Li Calsi, et al. Expires 17 May 2024 [Page 11]
�
Internet-Draft Quantum crypto difficulty November 2023
protocol’s correctness at no security cost. Furthermore, re-
preparing a random qubit comes with negligible overhead, thus
preserving the protocol’s practicality.
4. Conclusion
4.1. Quantum teleportation
Overall, in some cases, direct transmission of qubit is problematic
because of its quantum characteristics, e.g., no cloning. For some
applications a transmission failure may cause an irrevocable damage.
Even if a sender can retransmit a qubit in case of a failure , e.g.
[Nikolopoulos1], this may bring forth a security breach. We believe
that the risks described above can be mitigated by sharing entangled
pairs between a sender and a receiver over the (imperfect) link and
then perform quantum teleportation procedure. Usually, it’s easier
to directly transmit a qubit in a known state than one in an unknown
state. Hence, since the EPR pairs that we wish to exchange have a
known state, it is safe to assume they are technically more simple to
transmit. Although a problem during an entanglement swapping may
arise, such failure can be recovered with enough trials. Such a
failure is, unlike other aforementioned failures, perfectly
recoverable. Moreover, entangled pairs can be stored in the form of
a matter qubit [Childress]. Hence, the result of quantum computation
can be directly transferred without going through transducer, thus
reducing the chance of qubit losses. Finally, direct transmission
allows a man-in-the-middle to intercept a quantum state fairly
easily. If qubits are teleported rather than directly transmitted,
such an attack is no longer feasible. In fact, the man-in-the-middle
can only intercept the two classical bits required to finalize the
teleportation protocol. However, such bits only provide information
on how the receiver should transform their local state to obtain the
input state, and are essentially meaningless to the attacker. As
[RFC9340] indicates, we may, in turn, create link-local entanglement
between neighboring nodes, establish end-to-end entanglement with
entanglement swapping, then perform distillation to improve the
fidelity. Using entangled pairs of high enough fidelity, we may use
quantum teleportation to send even an irrecoverable quantum state.
Teleportation is therefore a powerful tool, but it introduces new
questions and problems. For instance, using teleportation for
cryptographic purposes not only requires correct pre-shared
entanglement, but also trustworthy entangled states. Entangled
states should come with some form of cryptographically secure
certificate proving that the received states are indeed entangled
with the intended receiver. Furthermore, for some crypto primitives,
prescribing pre-shared entangled state leads to circular
requirements. In fact, if trustworthy pre-shared entanglement is
required for authentication, then the two users must have already run
Li Calsi, et al. Expires 17 May 2024 [Page 12]
�
Internet-Draft Quantum crypto difficulty November 2023
some form of authentication when sharing entanglement, else they have
no guarantees of being entangled with the correct user.
4.2. Security by design
As argued above, some protocols are secure by design. We have
already cited the BBCS and Kanamori’s authentication protocol, but
more are likely to exist. For instance, repeating the same reasoning
showing BBCS' security one may find a simple mitigation for BB84 QKD
[Bennett]. These proposals base their security on randomness, either
as a form of masking/encryption or because they send some random
quantum states that do not encode secret information. Security by
design has lightweight requirements compared to teleportation, as it
does not pose the problem of trustworthy entanglement sharing and
storage. However, it is considerably harder for cryptographers to
design a quantum protocol that is inherently resilient to message
losses. Hence, in future applications, a hybrid use of both
mitigations is advised.
5. IANA Considerations
This memo includes no request to IANA.
6. Security Considerations
This document do not introduce any new security considerations.
7. References
7.1. Informative References
[RFC9340] Kozlowski, W., Wehner, S., Van Meter, R., Rijsman, B.,
Cacciapuoti, A. S., Caleffi, M., and S. Nagayama,
"Architectural Principles for a Quantum Internet",
RFC 9340, DOI 10.17487/RFC9340, March 2023,
<https://www.rfc-editor.org/info/rfc9340>.
[I-D.irtf-qirg-quantum-internet-use-cases]
Wang, C., Rahman, A., Li, R., Aelmans, M., and K.
Chakraborty, "Application Scenarios for the Quantum
Internet", Work in Progress, Internet-Draft, draft-irtf-
qirg-quantum-internet-use-cases-19, 16 October 2023,
<https://datatracker.ietf.org/doc/html/draft-irtf-qirg-
quantum-internet-use-cases-19>.
[Kohl] Kohl, P., "Optical characterisation of telecommunication
wavelength quantum dots", Master’s Thesis, Technical
University of Munich, 2023.
Li Calsi, et al. Expires 17 May 2024 [Page 13]
�
Internet-Draft Quantum crypto difficulty November 2023
[Howell] Howell, E.F., Daun, K.J., Siegel, R., and M.P. Meng¨u¸c,
"Thermal radiation heat transfer, seventh ed.", 2021.
[Zeuner] Zeuner, K., "Semiconductor Quantum Optics at Telecom
Wavelengths", Ph.D. thesis, KTH, 2020.
[Portalupi]
Portalupi, S.L., Jetter, M., and P. Michler, "InAs quantum
dots grown on metamorphic buffers as non-classical light
sources at telecom C-band", a review, Semiconductor
Science and Technology 34, 2019.
[Gruenenfelder]
Grünenfelder, F., Sax, R., Boaron, A., and H. Zbinden,
"The limits of multiplexing quantum and classical
channels: Case study of a 2.5 GHz discrete variable
quantum key distribution system", Applied Physics Letters
119, 124001, 2021.
[Fox] Fox, M., "Quantum Optics: An Introduction", Master Series
in Physics, Vol. 15 (Oxford University Press), 2006.
[Taylor] Taylor, J.R., "Optical Solitons: Theory and Experiment",
1992.
[Mueller] Müller, K., "Lecture notes in photonic quantum
technologies", summer semester, 2021.
[Gillard] Gillard, G., Griffiths, I.M., Ragunathan, G., Ulhaq, A.,
McEwan, C., Clarke, E., and E.A. Chekhovich, "Fundamental
limits of electron and nuclear spin qubit lifetimes in an
isolated self-assembled quantum dot", npj Quantum
Information 7, 2021.
[Dusanowski]
Dusanowski, Ł., Nawrath, C., Portalupi, S.L., Jetter, M.,
Huber, T., Klembt, S., Michler, P., and S. Höfling,
"Optical charge injection and coherent control of a
quantum-dot spin-qubit emitting at telecom wavelengths",
Nature Communications 13, 2022.
[Nikolopoulos1]
Nikolopoulos, G.M., "Applications of single-qubit
rotations in quantum public-key cryptography", Physical
Review A 77, 2008.
Li Calsi, et al. Expires 17 May 2024 [Page 14]
�
Internet-Draft Quantum crypto difficulty November 2023
[Gottesman]
Gottesman, D. and I. Chuang, "Quantum digital signatures",
arXiv:quant-ph/0105032 [quant-ph], 2001.
[Hong] Hong, C.H., Heo, J., Jang, J.G., and D. Kwon, "Quantum
identity authentication with single photon", Quantum
Information Processing 16, 2017.
[Kanamori] Kanamori, Y., Yoo, S.M., Gregory, D., and F. Sheldon, "On
quantum authentication protocols", GLOBECOM ’05, 2005.
[Wiesner] Wiesner, S., "Conjugate coding", SIGACT News 15, 1983.
[Bennett] Bennett, B. and G. Brassard, "Quantum cryptography: Public
key distribution and coin tossing", 1984.
[Childress]
Childress, L. and R. Hanson, "Diamond NV centers for
quantum computing and quantum networks", MRS Bulletin
volume 38, 2013.
[Brassard] Bennett, C., Brassard, G., Crepeau, C., and M-H.
Skubiszewska, "Practical quantum oblivious transfer",
Advances in Cryptology — CRYPTO ’91, 1991.
Acknowledgements
This work was financed by the DFG via grant NO 1129/2-1 (JN) and by
the BMBF via grants 16KISQ039 (JHC), 16KISQ077 (DLC) and 16KISR026
(PK). The authors acknowledge the financial support by the Federal
Ministry of Education and Research of Germany in the programme of
“Souverän. Digital. Vernetzt.”. Joint project 6G-life, project
identification number: 16KISK002
Authors' Addresses
Davide Li Calsi
TQSD Technische Universität München
Theresienstraße 90
80333 Munich
Germany
Email: davide.li-calsi@tum.de
Li Calsi, et al. Expires 17 May 2024 [Page 15]
�
Internet-Draft Quantum crypto difficulty November 2023
Paul Kohl
TQSD Technische Universität München
Theresienstraße 90
80333 Munich
Germany
Email: paul.kohl@tum.de
JinHyeock Choi
TQSD Technische Universität München
Theresienstraße 90
80333 Munich
Germany
Email: jin.choi@tum.de
Janis Nötzel
TQSD Technische Universität München
Theresienstraße 90
80333 Munich
Germany
Email: janis.noetzel@tum.de
Li Calsi, et al. Expires 17 May 2024 [Page 16]
