Intercept-resend attack on six-state quantum key distribution over collective-rotation noise channels
Garapo Kevin1,†, Mafu Mhlambululi2, Petruccione Francesco1,3
Centre for Quantum Technology, School of Chemistry and Physics, University of KwaZulu-Natal, P/Bag X54001 Durban 4000, South Africa
Department of Physics and Astronomy, Botswana International University of Science and Technology, P/Bag 16, Palapye, Botswana
National Institute for Theoretical Physics (NITheP), KwaZulu-Natal, South Africa

 

† Corresponding author. E-mail: kevingarapo@gmail.com

Project supported by the South African Research Chair Initiative of the Department of Science and Technology and National Research Foundation.

Abstract

We investigate the effect of collective-rotation noise on the security of the six-state quantum key distribution. We study the case where the eavesdropper, Eve, performs an intercept-resend attack on the quantum communication between Alice, the sender, and Bob, the receiver. We first derive the collective-rotation noise model for the six-state protocol and then parameterize the mutual information between Alice and Eve. We then derive the quantum bit error rate for three intercept-resend attack scenarios. We observe that the six-state protocol is robust against intercept-resend attacks on collective-rotation noise channels when the rotation angle is kept within certain bounds.

PACS: 03.67.Dd
1. Introduction

Quantum key distribution (QKD) provides the only physically secure and proven method to exchange secret cryptographic keys between two parties, Alice and Bob,[1,2] through public communication channels. QKD guarantees that an eavesdropper, Eve, with full access to the communication channels and unbounded computational power is unable to extract useful information on secret keys exchanged.[2] Unlike the conjectured security of classical key distribution,[3,4] which relies on the implied difficulty of solving discrete logarithm and integer factorisation problems, the security of QKD is based on the fundamental laws of physics, for example, the no-cloning theorem[5] and the Heisenberg uncertainty principle.[6–8] This means that in principle QKD guarantees unconditional security in communication between legitimate users if perfectly implemented.[2]

Since Bennett and Brassard’s pioneering work of the BB84 protocol,[1] several QKD protocols have been proposed,[9–12] reviewed and implemented.[13–28] Furthermore, these developments have led to commercialization of QKD.[29,30]

In security studies, the noise in the quantum channel requires scrutiny because an eavesdropper trying to avoid detection may disguise themselves as noise.[31] Precisely, the noise pattern of the channel can be controlled by an eavesdropper. A number of studies on the effect of noise on QKD have been published. Examples include the security of the Bennett 1992 QKD protocol against individual attacks over a realistic channel[32] and over a lossy and noisy channel.[33] Likewise, the effect of quantum noise on the achievable finite-key rates of the BB84 and the six-state protocols has also been presented in Ref. [34].

Photons are the best carriers of quantum information in current QKD set-ups and the majority of the commercial systems use optical fibre as the communication channel. However, optical fibres suffer from slow fluctuations in the birefringence, which can be modeled as collective noise.[31] Therefore, noise is unavoidable in the communication process. There are two main types of collective noise, namely collective-dephasing noise and collective-rotation noise. In general, noise poses a threat especially for QKD schemes that implement a polarization degree of freedom for encoding information. This is because the noise usually changes the fidelity of quantum states that carry quantum information and also allows an eavesdropper to disguise her disturbance as noise in the communication channel, thus reducing her detection probability. Only when the noise, i.e., the error rate, is acceptable can the legitimate parties use the quantum signals to generate a secret key. Otherwise, if the noise is too large, this results in a high error rate and no secret key can be extracted. Collective noise is the noise that has the same effect on adjacent quantum systems. Several studies have been published on the effects of collective-dephasing and collective-rotation noises on quantum communication, see Refs. [35]–[39]. Given a qubit, collective-dephasing noise introduces phase in one of the two basis states. This phase, however, does not affect the statistics of measurement in the preparation basis. Collective-rotation noise, on the other hand, alters the statistics by introducing a probability of inverting one basis state into the other.

The aim of this study is to demonstrate the security bounds for the six-state QKD protocol,[11] which was designed to be more resistant to noise, when collective-rotation noise is present in the transmission channel. This article is arranged as follows. In Section 2, we give a brief description of the operation of the six-state QKD protocol. In Sections 3 and 4, we describe the scheme for collective noise rotation and analyze the effect of the noise on the operation of the protocol. We conclude the article in Section 5.

2. Six-state QKD protocol

The six-state protocol[40] is a more generalized version of the BB84 protocol,[1] in which information is randomly encoded in three bases: {|0〉, |1〉}, {|+〉, |−〉}, and {| + i〉,| − i〉} bases, where and . The six-state protocol is more symmetrical than the standard BB84 protocol because the three conjugate bases span the entire Bloch sphere, as shown in Fig. 1. The representation of the six states in the three conjugate bases is given in Table 1. Due to symmetry, other variants of the six-state protocol have been proposed and studied.[41–44] The six-state protocol belongs to the class of prepare and measure schemes. It can be implemented by modern optical techniques without the requirement of a quantum computer.

Fig. 1. The six states spanning the Bloch sphere.
Table 1. Representation of the six states in the three bases.

In the six-state protocol, Alice creates a random bit string and randomly selects one of the three bases, with equal probability p = 1/3, to encode each bit in the string. She sends the resultant qubit stream to Bob using a quantum channel. Bob randomly chooses, with probability 1/3, the basis in which he measures the state of each qubit in the stream. Bob’s observables are given by the following Pauli operators: σz, σx, and σy for the {|0〉, |1〉}, {|+〉, |−〉}, and {| + i〉,| − i〉} bases, respectively. Following Bob’s measurements, Alice communicates the random basis selection through an authenticated classical channel. They both discard measurements where Bob used a different basis, in a process called sifting, and apply classical post-processing techniques on the remaining events to distil a secret key.

The six-state QKD protocol has been studied under various scenarios since its proposal. Based on the optimal mutual information between sender and eavesdropper, it has been shown that the six-state scheme is safer against eavesdropping on single qubits than the one based on two conjugate bases.[40] A study of optimal eavesdropping strategies for the six-state QKD protocol has been made and the results show that this scheme is more secure against symmetric attacks than protocols using two-dimensional states.[45] Furthermore, incoherent and coherent eavesdropping strategies on the six-state protocol have been classified, and for a disturbance of 1/6, the optimal incoherent eavesdropping strategy reduces to the universal quantum-cloning machine.[46,47] One of the most important tasks in QKD is to prove the unconditional security of a protocol, i.e., security bounds in the case where Eve has unlimited power over the quantum channel. The unconditional security proof of the standard six-state scheme using only one-way classical communications has been presented. In this proof it was shown that the six-state scheme could be made secure up to an error rate of 12.7%.[18] Later, using the technique of two-way entanglement purification, the security proof against the most general attack has been derived. Based on this technique, it was shown that the six-state protocol could tolerate a bit error rate of 26.4%.[48] Moreover, the lower and upper bounds on the secret-key rate for six-state protocol use one-way classical communication.[15,16] The security bounds for the BB84 and the six-state protocols have been calculated using the smooth min-entropies obtained in Refs. [49] and [50]. Security bounds for the six-state protocol when implemented with finite resources under one-way post processing have been shown in Ref. [51]. 
An eavesdropping technique for the six-state protocol when Alice deliberately adds noise to the signal states before they leave her lab or in a realistic scenario where Eve cannot replace the noisy quantum channel by a noiseless one has been presented. It was found that addition of quantum noise makes quantum key distribution more robust against eavesdropping.[52]

3. Collective-rotation noise

The collective noise assumption states that if several qubits are transmitted simultaneously or they are close to each other spatially, the random unitaries or transformations of the noise on each qubit must be identical.[53] Various protocols have been studied under collective noise.[31,35–37] Recently, studies on the effect of counter-clockwise and clockwise collective-rotation noise on the security of quantum key distribution have been reported in Refs. [54] and [55], respectively. We analyze the effect of clockwise collective-rotation noise in the channel represented by the following unitary rotation matrix:

where θ is a rotation angle characterizing the effect of the noise.

Collective rotation noise transforms the six states in the protocol as follows:

Collective-rotation noise introduces bit-flip errors in the {|0〉, |1〉} and {|+〉, |−〉} bases, and phase in the {| + i〉,| − i〉} basis. The weighted sum of the bit-flip errors gives the quantum bit error rate, which can be defined as the probability that a randomly selected qubit sent by Alice arrives flipped, that is, |0〉 as |1〉, |+〉 as |−〉, | + i〉 as | − i〉 and vice versa. According to Eqs. (2)–(7) the noise flips the states |0〉, |1〉, |+〉, |−〉 with probability sin²θ and | + i〉, | − i〉 with probability 0. As a result of Alice selecting and transmitting each of the six states with probability p = 1/6, the collective-rotation noise in the channel results in a quantum bit error rate given by

The QBER is an important parameter in quantum cryptography; it is used to investigate the security of QKD protocols. The QBER gives the ratio of signals for which Alice and Bob chose the same encoding but where Bob got a measurement outcome different from what Alice prepared.[2] It is customary to define a parameter ɛ = Q0 as the channel noise level.[25] We, however, choose not to attach any operational definition but rather use ɛ = Q0 = (2/3) sin²θ to simplify expressions whenever it is convenient to do so. We note the periodic nature of Q0.

4. Security analysis

To perform an intercept-resend attack,[56] Eve randomly measures qubits sent by Alice in any one of the three bases. She then forwards, to Bob, qubits prepared in states corresponding to her measurement outcomes.[2] Given an ordered set S = {|0〉,|1〉,|+〉,|−〉,| + i〉,| − i〉} of the possible states of the qubits, the effect of Eve’s actions can be represented by the following probability transition matrix:

where the elements in the matrix can be interpreted as the conditional probabilities p(e|a) that Eve obtains a certain state given that Alice prepares a certain state. The joint probability p(a,e) that Alice prepares a state |ψA〉 ∈ {|0〉,|1〉,|+〉,|−〉,| + i〉,| − i〉} and Eve obtains a state |ψE〉 ∈ {|0〉,|1〉,|+〉,|−〉,| + i〉,| − i〉} is given by

where p(a) = 1/6 is the probability that Alice prepares a state |ψA〉 ∈ {|0〉,|1〉,|+〉,|−〉,| + i〉,| − i〉} and p(e) = 1/6 is the probability that Eve obtains measurement outcomes corresponding to a state |ψE〉 ∈ {|0〉,|1〉,|+〉,|−〉,| + i〉,| − i〉}. It follows that p(a|e) = p(e|a). The summary of the joint probabilities is given in Table 2. The amount of information Eve gains from each measurement is given by the mutual information

where

and

Table 2. Summary of joint probabilities of Alice preparing certain states and Eve obtaining measurement outcomes corresponding to each of the six states on qubits sent by Alice.

To simplify Eq. (11), we let ɛ = (2/3) sin²θ, implying that ɛ can take values in the interval [0, 2/3]. Substituting ɛ into Eq. (11) reduces the equation to the following:

The variation of mutual information I(A : E) with rotation angle θ is shown in Fig. 2.

Fig. 2. Variation of the mutual information between Alice and Eve (I(A : E)) as a function of the collective-rotation angle θ.

We analyze the following two intercept-resend strategies that could be employed by Eve.

(I) Eve breaks the quantum channel between Alice and Bob and inserts both of her devices in between, as illustrated in Fig. 3(a).

(II) Eve places her preparation device at a location close to, possibly inside, Bob’s lab and connects her measurement and preparation devices by a lossless classical channel,[56] as illustrated in Fig. 3(b).

Fig. 3. Schematics of the two intercept-resend attack strategies. Quantum channels are represented by continuous arrows, while dashed arrows represent lossless classical channels. Letters P and M denote preparation and measurement devices, respectively. (a) Eve breaks the quantum channel between Alice and Bob and inserts both of her devices in between. (b) Eve places her preparation device at a location close to, possibly inside, Bob’s lab and connects her measurement and preparation devices by a lossless classical channel.

The transition probability matrices describing the transition between the states prepared by Eve and the states obtained by Bob are given by

and

respectively. The matrix PA,B of the joint probabilities of Alice and Bob’s states is obtained as follows:

The summary of the joint probabilities is given in Table 3. For strategy (I), the elements in Table 3 are given by

Table 3. Summary of the joint probabilities of Alice preparing certain states and Bob obtaining measurement outcomes corresponding to each of the six states, given an intercept-resend attack by Eve.

The terms c, d, g, and h in Table 3 go to zero during sifting. Therefore, the quantum bit error rate Q, after sifting, is given by

The variation of the quantum bit error rate Q with rotation angles θ and ϕ is shown in Fig. 4.

Fig. 4. Quantum bit error rate Q as a function of θ and ϕ.

In the special case where θ = ϕ, i.e., the noise in both channels is equal, the quantum bit error rate Q reduces to

By performing the attack outlined in strategy (II), Eve attempts to minimise her quantum “footprint” by substituting the collective-rotation noise channel with a lossless classical channel. It turns out that the strategy does not improve her odds of not being detected, as shown in Fig. 5. To derive the quantum bit error rate Q2, we first compute the elements a–j in Table 3 using Eq. (17), where the matrices PE|A and PB|E are obtained from Eqs. (9) and (16), respectively. The elements g–j equate to the ones given in Eq. (22). However, the terms a–d evaluate to the following:

The terms c, d, g, and h vanish during sifting. Therefore, the quantum bit error rate Q2 is given by

Fig. 5. Comparison of the variation of the quantum bit error rate Q with the rotation angle θ for the case where there is no eavesdropping (Q0), the case where the eavesdropper performs the attack outlined in strategy (I) (Q1) and the case where the eavesdropper performs the attack outlined in strategy (II) (Q2).

Alice and Bob attribute a quantum bit error rate above a predetermined value to eavesdropping. From Fig. 5, a quantum bit error rate above 0.3333 indicates the possibility of eavesdropping, rendering the channel unsafe for cryptographic purposes. In practice, the channel quantum bit error rate is kept far below this threshold because the overall quantum bit error rate budget has to take into account all sources of error. For unconditional security this budget is capped at 12.6% (see Ref. [18] for the unconditional security proof of the six-state protocol), further suggesting that only collective-rotation noise channels with rotation angle (in radians)

where n is an integer and δ < 0.450 radians, are suitable for six-state quantum cryptography.
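
The error rates discussed in Sections 3 and 4 can be recomputed from first principles with the Born rule. The following Python code is an added example, not the authors' code or their equations: it assumes the noise unitary U(θ) = [[cos θ, sin θ], [−sin θ, cos θ]] and rotations of the same sense on both channel legs, and all function names are illustrative.

```python
import math

S2 = 1 / math.sqrt(2)
# The ordered set S = {|0>, |1>, |+>, |->, |+i>, |-i>} as (amp of |0>, amp of |1>).
STATES = [(1, 0), (0, 1), (S2, S2), (S2, -S2), (S2, 1j * S2), (S2, -1j * S2)]


def rotate(state, angle):
    """Apply the ASSUMED noise unitary U = [[cos, sin], [-sin, cos]]."""
    a, b = state
    c, s = math.cos(angle), math.sin(angle)
    return (c * a + s * b, -s * a + c * b)


def prob(outcome, state):
    """Born rule |<outcome|state>|^2."""
    amp = sum(o.conjugate() * x for o, x in zip(outcome, state))
    return abs(amp) ** 2


def flip_prob(sent, a, angle):
    """Bob measures in the basis of Alice's state a (sifted case) after the
    channel rotates `sent`; return the chance he reads the opposite bit."""
    return prob(STATES[a ^ 1], rotate(sent, angle))  # a ^ 1 is a's basis partner


def qber_no_eve(theta):
    """Sifted QBER from channel noise alone (Q0)."""
    return sum(flip_prob(STATES[a], a, theta) for a in range(6)) / 6


def qber_intercept_resend(theta, phi):
    """Sifted QBER when Eve measures after a rotation theta in a uniformly
    random basis and resends her outcome through a rotation phi."""
    total = 0.0
    for a in range(6):
        arrived = rotate(STATES[a], theta)
        for e in range(6):
            p_e = prob(STATES[e], arrived) / 3  # 1/3 = Eve's basis choice
            total += p_e * flip_prob(STATES[e], a, phi)
    return total / 6


def qber_strategy_1(theta, phi):
    """Strategy (I): noisy quantum channel on both sides of Eve."""
    return qber_intercept_resend(theta, phi)


def qber_strategy_2(theta):
    """Strategy (II): Eve's resend leg is noiseless (phi = 0), because her
    preparation device sits next to Bob behind a lossless classical link."""
    return qber_intercept_resend(theta, 0.0)


if __name__ == "__main__":
    print("theta    Q0      Q1(theta=phi)  Q2")
    for k in range(7):
        t = k * math.pi / 12
        print(f"{t:5.3f}  {qber_no_eve(t):.4f}  "
              f"{qber_strategy_1(t, t):.4f}         {qber_strategy_2(t):.4f}")
```

Under these assumptions the noise-only rate reproduces (2/3) sin²θ, and both attack rates stay at or above 1/3, the value the text gives as the level indicating possible eavesdropping.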

5. Conclusion

We have demonstrated how the six-state QKD protocol responds to collective-rotation noise. From the analysis, we note that the six-state protocol is robust against collective-rotation noise for small rotation angles. We attribute this result to the symmetry of the protocol. We also note that the third basis {| + i〉,| − i〉} is rotation invariant under collective-rotation noise, thus reducing the quantum bit error rate. We recommend the six-state protocol for QKD implementations where collective-rotation noise is dominant in the communication channel.

References
[1] Bennett C, Brassard G 1984 Quantum Cryptography: Public Key Distribution and Coin Tossing, Proceedings of IEEE International Conference on Computers, Systems and Signal Processing Vol. 175 Bangalore, India
[2] Gisin N, Ribordy G, Tittel W, Zbinden H 2002 Rev. Mod. Phys. 74 145
[3] Diffie W, Hellman M E 1976 IEEE Trans. Inform. Theory 22 644
[4] Rivest R L, Shamir A, Adleman L 1978 Commun. ACM 21 120
[5] Wootters W K, Zurek W H 1982 Nature 299 802
[6] Heisenberg W 1927 Zeitschrift für Physik 43 172
[7] Busch P, Heinonen T, Lahti P 2007 Phys. Rep. 452 155
[8] Nielsen M, Chuang I 2002 Quantum Computation and Quantum Information
[9] Ekert A 1991 Phys. Rev. Lett. 67 661
[10] Bennett C H 1992 Phys. Rev. Lett. 68 3121
[11] Scarani V, Acín A, Ribordy G, Gisin N 2004 Phys. Rev. Lett. 92 057901
[12] Lo H K, Ma X, Chen K 2005 Phys. Rev. Lett. 94 230504
[13] Mayers D 1996 Quantum Key Distribution and String Oblivious Transfer in Noisy Channels, Advances in Cryptology-CRYPTO’96 (Springer) 343–357
[14] Devetak I, Winter A 2005 Distillation of Secret Key and Entanglement from Quantum States, Proceedings of the Royal Society of London A: Mathematical, Physical and Engineering Sciences Vol. 461 (The Royal Society) 207–235
[15] Kraus B, Gisin N, Renner R 2005 Phys. Rev. Lett. 95 80501
[16] Renner R, Gisin N, Kraus B 2005 Phys. Rev. 72 12332
[17] Shor P W, Preskill J 2000 Phys. Rev. Lett. 85 441
[18] Lo H K 2001 Quantum Inf. Comput. 1 81
[19] Tamaki K, Koashi M, Imoto N 2003 Phys. Rev. Lett. 90 167904
[20] Scarani V, Bechmann-Pasquinucci H, Cerf N, Dušek M, Lütkenhaus N, Peev M 2009 Rev. Mod. Phys. 81 1301
[21] Hughes R J, Morgan G L, Peterson C G 2000 J. Mod. Opt. 47 533
[22] Peev M, Pacher C, Alléaume R, Barreiro C, Bouda J, Boxleitner W, Debuisschert T, Diamanti E, Dianati M, Dynes J, et al. 2009 New J. Phys. 11 075001
[23] Mirza A, Petruccione F 2010 JOSA B 27 A185
[24] Namekata N, Takesue H, Honjo T, Tokura Y, Inoue S 2011 Opt. Express 19 10632
[25] Sasaki M, Fujiwara M, Ishizuka H, Klaus W, Wakui K, Takeoka M, Miki S, Yamashita T, Wang Z, Tanaka A, et al. 2011 Opt. Express 19 10387
[26] Stucki D, Legré M, Buntschu F, Clausen B, Felber N, Gisin N, Henzen L, Junod P, Litzistorf G, Monbaron P, et al. 2011 New J. Phys. 13 123001
[27] Zhao Y, Qi B, Ma X, Lo H K, Qian L 2006 Phys. Rev. Lett. 96 070502
[28] Ma X, Qi B, Zhao Y, Lo H K 2005 Phys. Rev. 72 012326
[29] http://www.idquantique.com
[30] http://www.magiqtech.com
[31] Xiu X M, Dong L, Gao Y J, Chi F 2009 Opt. Commun. 282 4171
[32] Tamaki K, Koashi M, Imoto N 2003 Phys. Rev. 67 032310
[33] Tamaki K, Lütkenhaus N 2004 Phys. Rev. 69 032316
[34] Mertz M, Kampermann H, Shadman Z, Bruß D 2013 Phys. Rev. 87 042312
[35] Wang X B 2005 Phys. Rev. 72 050304
[36] Li X H, Deng F G, Zhou H Y 2008 Phys. Rev. 78 022321
[37] Gu B, Pei S, Song B, Zhong K 2009 Science in China Series G: Physics, Mechanics and Astronomy 52 1913
[38] Dong L, Xiu X M, Gao Y J, Chi F 2009 Opt. Commun. 282 1688
[39] Yang C W, Hwang T 2012 Int. J. Theor. Phys. 51 3941
[40] Bruß D 1998 Phys. Rev. Lett. 81 3018
[41] Phoenix S J, Barnett S M, Chefles A 2000 J. Mod. Opt. 47 507
[42] Boileau J, Tamaki K, Batuwantudawe J, Laflamme R, Renes J 2005 Phys. Rev. Lett. 94 40503
[43] Mafu M, Garapo K, Petruccione F 2014 Phys. Rev. 90 032308
[44] Senekane M, Mafu M, Petruccione F 2015 J. Quantum Inf. Sci. 5 33
[45] Bruß D, Macchiavello C 2002 Phys. Rev. Lett. 88 127901
[46] Bechmann-Pasquinucci H, Gisin N 1999 Phys. Rev. 59 4238
[47] Bourennane M, Karlsson A, Björk G 2001 Phys. Rev. 64 012306
[48] Gottesman D, Lo H K 2003 IEEE Trans. Inf. Theory 49 457
[49] Renner R 2008 Int. J. Quantum Inf. 6 1
[50] Cai R, Scarani V 2009 New J. Phys. 11 045024
[51] Scarani V, Renner R 2008 Phys. Rev. Lett. 100 200501
[52] Shadman Z, Kampermann H, Meyer T, Bruss D 2009 Int. J. Quantum Inf. 07 297
[53] Żukowski M, Zeilinger A, Horne M A, Ekert A K 1993 Phys. Rev. Lett. 71 4287
[54] Li J, Chen Y H, Pan Z S, Sun F Q, Li N, Li L L 2016 Acta Phys. Sin. 65 30302 (in Chinese)
[55] Li J, Pan Z, Zheng J, Sun F, Ye X, Yuan K 2015 Chin. J. Electron. 24 689
[56] Curty M, Lütkenhaus N 2005 Phys. Rev. 71 062301