Quantum authentication with key recycling

We show that a family of quantum authentication protocols introduced in [Barnum et al., FOCS 2002] can be used to construct a secure quantum channel and additionally recycle all of the secret key if the message is successfully authenticated, and recycle part of the key if tampering is detected. We give a full security proof that constructs the secure channel given only insecure noisy channels and a shared secret key. We also prove that the number of recycled key bits is optimal for this family of protocols, i.e., there exists an adversarial strategy to obtain all non-recycled bits. Previous works recycled less key and only gave partial security proofs, since they did not consider all possible distinguishers (environments) that may be used to distinguish the real setting from the ideal secure quantum channel and secret key resource.Comment: 38+17 pages, 13 figures. v2: constructed ideal secure channel and secret key resource have been slightly redefined; also added a proof in the appendix for quantum authentication without key recycling that has better parameters and only requires weak purity testing code

Attacks on quantum key distribution protocols that employ non-ITS authentication

We demonstrate how adversaries with unbounded computing resources can break Quantum Key Distribution (QKD) protocols which employ a particular message authentication code suggested previously. This authentication code, featuring low key consumption, is not Information-Theoretically Secure (ITS) since for each message the eavesdropper has intercepted she is able to send a different message from a set of messages that she can calculate by finding collisions of a cryptographic hash function. However, when this authentication code was introduced it was shown to prevent straightforward Man-In-The-Middle (MITM) attacks against QKD protocols. In this paper, we prove that the set of messages that collide with any given message under this authentication code contains with high probability a message that has small Hamming distance to any other given message. Based on this fact we present extended MITM attacks against different versions of BB84 QKD protocols using the addressed authentication code; for three protocols we describe every single action taken by the adversary. For all protocols the adversary can obtain complete knowledge of the key, and for most protocols her success probability in doing so approaches unity. Since the attacks work against all authentication methods which allow to calculate colliding messages, the underlying building blocks of the presented attacks expose the potential pitfalls arising as a consequence of non-ITS authentication in QKD-postprocessing. We propose countermeasures, increasing the eavesdroppers demand for computational power, and also prove necessary and sufficient conditions for upgrading the discussed authentication code to the ITS level.Comment: 34 page

Qubit-based Unclonable Encryption with Key Recycling

We re-visit Unclonable Encryption as introduced by Gottesman in 2003. We look at the combination of Unclonable Encryption and Key Recycling, while aiming for low communication complexity and high rate. We introduce a qubit-based prepare-and-measure Unclonable Encryption scheme with re-usable keys. Our scheme consists of a single transmission by Alice and a single classical feedback bit from Bob. The transmission from Alice to Bob consists entirely of qubits. The rate, defined as the message length divided by the number of qubits, is higher than what can be achieved using Gottesman's scheme. We provide a security proof based on the diamond norm distance, taking noise into account

Device-Independent Quantum Key Distribution with Local Bell Test

Device-independent quantum key distribution (DIQKD) in its current design requires a violation of Bell's inequality between two honest parties, Alice and Bob, who are connected by a quantum channel. However, in reality, quantum channels are lossy, and this can be exploited for attacks based on the detection loophole. Here, we propose a novel approach to DIQKD that overcomes this limitation. In particular, based on a combination between an entropic uncertainty relation and the Clauser-Horne-Shimony-Holt (CHSH) test, we design a DIQKD protocol where the CHSH test is carried out entirely in Alice's laboratory. Thus the loophole caused by channel losses is avoided.Comment: 11 pages, 2 figure

Quantum Cryptography Beyond Quantum Key Distribution

Quantum cryptography is the art and science of exploiting quantum mechanical effects in order to perform cryptographic tasks. While the most well-known example of this discipline is quantum key distribution (QKD), there exist many other applications such as quantum money, randomness generation, secure two- and multi-party computation and delegated quantum computation. Quantum cryptography also studies the limitations and challenges resulting from quantum adversaries---including the impossibility of quantum bit commitment, the difficulty of quantum rewinding and the definition of quantum security models for classical primitives. In this review article, aimed primarily at cryptographers unfamiliar with the quantum world, we survey the area of theoretical quantum cryptography, with an emphasis on the constructions and limitations beyond the realm of QKD.Comment: 45 pages, over 245 reference