QKD in Standard Optical Telecommunications Networks

To perform Quantum Key Distribution, the mastering of the extremely weak signals carried by the quantum channel is required. Transporting these signals without disturbance is customarily done by isolating the quantum channel from any noise sources using a dedicated physical channel. However, to really profit from this technology, a full integration with conventional network technologies would be highly desirable. Trying to use single photon signals with others that carry an average power many orders of magnitude bigger while sharing as much infrastructure with a conventional network as possible brings obvious problems. The purpose of the present paper is to report our efforts in researching the limits of the integration of QKD in modern optical networks scenarios. We have built a full metropolitan area network testbed comprising a backbone and an access network. The emphasis is put in using as much as possible the same industrial grade technology that is actually used in already installed networks, in order to understand the throughput, limits and cost of deploying QKD in a real network

Security of the Bennett 1992 quantum-key distribution against individual attack over a realistic channel

The security of two-state quantum key distribution against individual attack is estimated when the channel has losses and noises. We assume that Alice and Bob use two nonorthogonal single-photon polarization states. To make our analysis simple, we propose a modified B92 protocol in which Alice and Bob make use of inconclusive results and Bob performs a kind of symmetrization of received states. Using this protocol, Alice and Bob can estimate Eve's information gain as a function of a few parameters which reflect the imperfections of devices or Eve's disturbance. In some parameter regions, Eve's maximum information gain shows counter-intuitive behavior, namely, it decreases as the amount of disturbances increases. For a small noise rate Eve can extract perfect information in the case where the angle between Alice's two states is small or large, while she cannot extract perfect information for intermediate angles. We also estimate the secret key gain which is the net growth of the secret key per one pulse. We show the region where the modified B92 protocol over a realistic channel is secure against individual attack.Comment: 16 pages, 15 figure

The Case for Quantum Key Distribution

Quantum key distribution (QKD) promises secure key agreement by using quantum mechanical systems. We argue that QKD will be an important part of future cryptographic infrastructures. It can provide long-term confidentiality for encrypted information without reliance on computational assumptions. Although QKD still requires authentication to prevent man-in-the-middle attacks, it can make use of either information-theoretically secure symmetric key authentication or computationally secure public key authentication: even when using public key authentication, we argue that QKD still offers stronger security than classical key agreement.Comment: 12 pages, 1 figure; to appear in proceedings of QuantumComm 2009 Workshop on Quantum and Classical Information Security; version 2 minor content revision

Stronger security bounds for Wegman-Carter-Shoup authenticators

Abstract. Shoup proved that various message-authentication codes of the form (n, m) ↦ → h(m) + f(n) are secure against all attacks that see at most � 1/ɛ authenticated messages. Here m is a message; n is a nonce chosen from a public group G; f is a secret uniform random permutation of G; h is a secret random function; and ɛ is a differential probability associated with h. Shoup’s result implies that if AES is secure then various state-of-the-art message-authentication codes of the form (n, m) ↦ → h(m) + AESk(n) are secure up to � 1/ɛ authenticated messages. Unfortunately, � 1/ɛ is only about 2 50 for some state-of-the-art systems, so Shoup’s result provides no guarantees for long-term keys. This paper proves that security of the same systems is retained up to √ #G authenticated messages. In a typical state-of-the-art system, √ #G is 2 64. The heart of the paper is a very general “one-sided ” security theorem: (n, m) ↦ → h(m) + f(n) is secure if there are small upper bounds on differential probabilities for h and on interpolation probabilities for f. Keywords: mode of operation, authentication, MAC, Wegman-Carter, provable securit