17 research outputs found
Foiling covert channels and malicious classical post-processing units in quantum key distribution
The existing paradigm for the security of quantum key distribution (QKD) suffers from two fundamental weaknesses. First, covert channels have emerged as an important threat and have attracted a lot of attention in security research in conventional information and communication systems. Covert channels (e.g. memory attacks) can fatally break the security of even device-independent quantum key distribution (DI-QKD), whenever QKD devices are re-used. Second, it is often implicitly assumed that the classical post-processing units of a QKD system are trusted. This is a rather strong assumption and is very hard to justify in practice. Here, we propose a new paradigm for the security of QKD that addresses these two fundamental problems. Specifically, we show that by using verifiable secret sharing and multiple optical devices and classical post-processing units, one could re-establish the security of QKD. Our techniques are rather general and they apply to both DI-QKD and non-DI-QKD.
Ministerio de Economía y Competitividad | Ref. TEC2014-54898-R; Ministerio de Economía y Competitividad | Ref. TEC2017-88243-
Simple security proof of twin-field type quantum key distribution protocol
Twin-field (TF) quantum key distribution (QKD) was conjectured to beat the private capacity of a point-to-point QKD link by using single-photon interference in a central measuring station. This remarkable conjecture has recently triggered an intense research activity to prove its security. Here, we introduce a TF-type QKD protocol which is conceptually simpler than the original proposal. It relies on the pre-selection of a global phase, instead of the post-selection of a global phase, which significantly simplifies its security analysis and is arguably less demanding experimentally. We demonstrate that the secure key rate of our protocol has a square-root improvement over the point-to-point private capacity, as conjectured by the original TF QKD.
Ministerio de Economía y Competitividad | Ref. TEC2014-54898-R; Ministerio de Economía y Competitividad | Ref. TEC2017-88243-
Implementation security in quantum key distribution
The problem of implementation security in quantum key distribution (QKD) refers to the difficulty of meeting the requirements of mathematical security proofs in real-life QKD systems. Here, a succinct review is provided on this topic, focusing on discrete-variable QKD setups. In particular, some of their main vulnerabilities are discussed, together with comments on possible approaches to overcome them.
Agencia Estatal de Investigación | Ref. PID2020-118178RB-C21; Xunta de Galicia; Universidade de Vigo/CISU
Quantum key distribution with flawed and leaky sources
In theory, quantum key distribution (QKD) allows secure communications between two parties based on physical laws. However, most of the security proofs of QKD today make unrealistic assumptions and neglect many relevant device imperfections. As a result, they cannot guarantee the security of the practical implementations. Recently, the loss-tolerant protocol (K. Tamaki et al., Phys. Rev. A, 90, 052314, 2014) was proposed to make QKD robust against state preparation flaws. This protocol relies on the emission of qubit systems, which, unfortunately, is difficult to achieve in practice. In this work, we remove such qubit assumption and generalise the loss-tolerant protocol to accommodate multiple optical modes in the emitted signals. These multiple optical modes could arise, e.g., from Trojan horse attacks and/or device imperfections. Our security proof determines some dominant device parameter regimes needed for achieving secure communication and, therefore, it can serve as a guideline to characterise QKD transmitters. Furthermore, we compare our approach with that of H.-K. Lo et al. (Quantum Inf. Comput., 7, 431–458, 2007) and identify which method provides the highest secret key generation rate as a function of the device imperfections. Our work constitutes an important step towards the best practical and secure implementation for QKD.
Ministerio español de Economía y Competitividad | Ref. TEC2014-54898-R; Ministerio español de Economía y Competitividad | Ref. TEC2017-88243-R; Government of Japan | Ref. JP18H05237 18H05237; Government of Japan | Ref. JST-CREST JPMJCR 167
Quantum key distribution with setting-choice-independently correlated light sources
Despite the enormous theoretical and experimental progress made so far in quantum key distribution (QKD), the security of most existing practical QKD systems is not rigorously established yet. A critical obstacle is that almost all existing security proofs make ideal assumptions on the QKD devices. Problematically, such assumptions are hard to satisfy in the experiments, and therefore it is not obvious how to apply such security proofs to practical QKD systems. Fortunately, any imperfections and security-loopholes in the measurement devices can be perfectly closed by measurement-device-independent QKD (MDI-QKD), and thus we only need to consider how to secure the source devices. Among imperfections in the source devices, correlations between the sending pulses and modulation fluctuations are one of the principal problems, which unfortunately most of the existing security proofs do not consider. In this paper, we take into account these imperfections and enhance the implementation security of QKD. Specifically, we consider a setting-choice-independent correlation (SCIC) framework in which the sending pulses can present arbitrary correlations but they are independent of the previous setting choices such as the bit, the basis and the intensity settings. Within the framework of SCIC, we consider the dominant fluctuations of the sending states, such as the relative phases and the intensities, and provide a self-contained information-theoretic security proof for the loss-tolerant QKD protocol in the finite-key regime. We demonstrate the feasibility of secure quantum communication, and thus our work constitutes a crucial step towards guaranteeing the security of practical QKD systems.
Grant-in-Aid for JSPS Fellows | Ref. KAKENHI N. JP17J04177; MEXT/JSPS | Ref. KAKENHI N. JP18H05237; Ministerio de Economía y Competitividad | Ref. TEC2014-54898-R; JST-CREST | Ref. JPMJCR167
Practical decoy-state method for twin-field quantum key distribution
Twin-field (TF) quantum key distribution (QKD) represents a novel QKD approach whose principal merit is to beat the point-to-point private capacity of a lossy quantum channel, thanks to performing single-photon interference in an untrusted node. Indeed, recent security proofs of various TF-QKD type protocols have confirmed that the secret key rate of these schemes scales essentially as the square root of the transmittance of the channel. Here, we focus on the TF-QKD protocol introduced by Curty et al., whose secret key rate is nearly an order of magnitude higher than previous solutions. Its security relies on the estimation of the detection probabilities associated to various photon-number states through the decoy-state method. We derive analytical bounds on these quantities assuming that each party uses either two, three or four decoy intensity settings, and we investigate the protocol's performance in this scenario. Our simulations show that two decoy intensity settings are enough to beat the point-to-point private capacity of the channel, and that the use of four decoys is already basically optimal, in the sense that it almost reproduces the ideal scenario of infinite decoys. We also observe that the protocol seems to be quite robust against intensity fluctuations of the optical pulses prepared by the parties.
Agencia Estatal de Investigación | Ref. TEC2017-88243-
Kryptographische Protokolle in der optischen Kommunikation
Quantum key distribution allows two parties, typically Alice and Bob, to generate a secure key despite the possible technological superiority of an eavesdropper (Eve) who interacts with the transmitted signals. If the generated key is used to encrypt secret messages, quantum key distribution enables unconditionally secure communication between Alice and Bob. In the experimental realization one distinguishes two phases. In the first phase, an effective quantum state is distributed between the two parties. This creates correlations between Alice and Bob, which may however also contain hidden correlations with Eve. Alice and Bob use a fixed, partly restricted, set of operators to measure the existing correlations. In this way each obtains classical measurement results that follow the joint probability distribution P(A,B). In the second phase, Alice and Bob try to distil a secure key from the observed data P(A,B) by communicating over a public channel. This public communication uses known techniques such as advantage distillation, error correction to reconcile the two data sets, and privacy amplification to decouple Eve's information. One of the essential questions of quantum key distribution is to find out which correlated data P(A,B) generated in the first phase allow secure key distillation in the second phase at all. The currently known security proofs of quantum key distribution use, besides the usually fixed signal states and measurement operators for Alice and Bob, very specific communication protocols in the second phase. This results in certain achievable key rates as a function of distance.
Nevertheless, this kind of proof forecloses the possibility of developing, through perhaps better classical communication, techniques that could lead to a greater range or a higher key rate for given observed data P(A,B). In this thesis we deal with upper bounds on the secure key rate that are based exclusively on the observed data P(A,B) and the measurement observables used by Alice and Bob. These bounds are independent of the protocols chosen in the second phase. A necessary condition for successful key distribution is that sender and receiver can prove, from their measurement data, the entanglement in the effective quantum state. Otherwise it is impossible to generate a secure key from the measurement data P(A,B), regardless of the classical protocols in the second phase. To provide the necessary proof of entanglement, we use entanglement witnesses that are built only from the accessible measurement operators. This class of entanglement witnesses forms a necessary and sufficient condition for the existence of quantum-mechanical correlations in the data P(A,B), even when the quantum state cannot be completely reconstructed. Using these tools we have investigated various models of quantum key distribution, in particular various signal states and different detection arrangements, in each case for both the perfect and the realistic, imperfect case. This yields a fundamental limit on the distance of a possibly successful key distribution, as well as a limit on the key rate that these techniques allow.
The upper bounds obtained are fixed limits; above all, the limits cannot be shifted by particular classical protocols used in the second phase.
Quantum key distribution (QKD) is a technique that allows two parties (Alice and Bob) to generate a secret key despite the computational and technological power of an eavesdropper (Eve) who interferes with the signals. Together with the Vernam cipher, QKD can be used for unconditionally secure data transmission. In a typical realization of QKD one can distinguish two phases in order to generate a secret key. In the first phase, an effective bipartite quantum mechanical state is distributed between Alice and Bob. This state creates correlations between them and it might also contain hidden correlations with Eve. Next, a (restricted) set of measurements is used by the legitimate users to measure these correlations. As a result, Alice and Bob obtain a classical joint probability distribution Pr(A,B) representing their measurement results. In the second phase, Alice and Bob use an authenticated public channel to process Pr(A,B) in order to obtain a secret key. This procedure involves, typically, classical post-processing techniques such as post-selection of data, error correction to reconcile the data, and privacy amplification to decouple the data from Eve. An essential question in QKD is to determine which kind of correlated data Pr(A,B), generated in the first phase, enables Alice and Bob to extract a secret key at all from it during the second phase of the protocol. Security proofs for QKD usually fix Alice’s and Bob’s signal states and measurement devices and impose, additionally, the use of a particular classical communication protocol during the second phase of QKD. As a result, the obtained proofs can show certain achievable secret key rates as a function of the distance.
These security proofs, however, leave open the possibility that the development of better proof techniques, or better classical post-processing protocols for the second phase of the QKD protocol, might lead to an increase of the covered distance and rate for a given Pr(A,B). In this thesis we search for ultimate upper bounds on QKD based exclusively on the classical correlations Pr(A,B) and on the knowledge of Alice’s and Bob’s physical devices, and not on the particular classical post-processing techniques used by the legitimate users during the second phase of QKD. In particular, we show that a necessary precondition for successful QKD is that sender and receiver can prove the presence of entanglement in the effective bipartite quantum state that is distributed between them. Otherwise no secret key can be obtained from Pr(A,B), independently of the classical communication protocol employed during the second phase. In order to deliver this entanglement proof one can use the class of entanglement witness operators that can be constructed from the available measurement results. This class of entanglement witnesses can be used to provide a necessary and sufficient condition for the existence of quantum correlations in Pr(A,B), even when a quantum state cannot be completely reconstructed. With these powerful tools we investigate the signal states and detection methods of both ideal and practical QKD schemes, and we obtain limitations of fundamental nature in the distance and secret key rate that can be achieved by these techniques. The upper bounds obtained cannot be shifted by any classical communication protocol used during the second phase of QKD.
Long-distance device-independent quantum key distribution
Besides being a beautiful idea, device-independent quantum key distribution (DIQKD) is probably the ultimate solution to defeat quantum hacking. Its security is based on a loophole-free violation of a Bell inequality, which results in a very limited maximum achievable distance. To overcome this limitation, DIQKD must be furnished with heralding devices like, for instance, qubit amplifiers, which can signal the arrival of a photon before the measurement settings are actually selected. In this way, one can decouple channel loss from the selection of the measurement settings and, consequently, it is possible to safely post-select the heralded events and discard the rest, which results in a significant enhancement of the achievable distance. In this work, we investigate photonic-based DIQKD assisted by two main types of qubit amplifiers in the finite data block size scenario, and study the resources (particularly, the detection efficiency of the photodetectors and the quality of the entanglement sources) that would be necessary to achieve long-distance DIQKD within a reasonable time frame of signal transmission.
Ministerio de Economía y Competitividad | Ref. TEC2014-54898-R; Ministerio de Economía y Competitividad | Ref. TEC2017-88243-
Finite-key security analysis for quantum key distribution with leaky sources
Security proofs of quantum key distribution (QKD) typically assume that the devices of the legitimate users are perfectly shielded from the eavesdropper. This assumption is, however, very hard to meet in practice, and thus the security of current QKD implementations is not guaranteed. Here, we fill this gap by providing a finite-key security analysis for QKD which is valid against arbitrary information leakage from the state preparation process of the legitimate users. For this, we extend the techniques introduced by Tamaki et al. (2016 New J. Phys. 18 065008) to the finite-key regime, and we evaluate the security of a leaky decoy-state BB84 protocol with biased basis choice, which is one of the most implemented QKD schemes today. Our simulation results demonstrate the practicability of QKD over long distances and within a reasonable time frame given that the legitimate users' devices are sufficiently isolated.
Ministerio de Economía y Competitividad | Ref. TEC2014-54898-
Decoy-state quantum key distribution with a leaky source
In recent years, there has been a great effort to prove the security of quantum key distribution (QKD) with a minimum number of assumptions. Besides its intrinsic theoretical interest, this would allow for larger tolerance against device imperfections in the actual implementations. However, even in this device-independent scenario, one assumption seems unavoidable, that is, the presence of a protected space devoid of any unwanted information leakage in which the legitimate parties can privately generate, process and store their classical data. In this paper we relax this unrealistic and hardly feasible assumption and introduce a general formalism to tackle the information leakage problem in most existing QKD systems. More specifically, we prove the security of optical QKD systems using phase and intensity modulators in their transmitters, which leak the setting information in an arbitrary manner. We apply our security proof to cases of practical interest and show key rates similar to those obtained in a perfectly shielded environment. Our work constitutes a fundamental step forward in guaranteeing implementation security of quantum communication systems.
Ministerio de Economía y Competitividad | Ref. TEC2014-54898-R; Xunta de Galicia | Ref. EM2014/03
