An application of quantum communications is the transmission of qubits to create shared symmetric encryption keys in a process called Quantum Key Distribution (QKD). Contrary to public-private key encryption, symmetric encryption is safe from (quantum) computing attacks, i.e. it provides forward security and is thus attractive for secure communications. In this paper we argue that for free-space quantum communications, especially with satellites, if one assumes that man-in-the-middle attacks can be detected by classical channel monitoring techniques, simplified quantum communications protocols and hardware systems can be implemented that offer improved key rates. We term these protocols photon key distribution (PKD) to differentiate them from the standard QKD protocols. We identify three types of photon sources and calculate asymptotic secret key rates for PKD protocols and compare them to their QKD counterparts. Results show that PKD protocols have roughly a factor of two higher rates as only one measurement basis is used and due to the relaxed security assumptions can establish keys at very high losses whereas in QKD the privacy amplification process becomes prohibitive.
Key words: quantum communication; quantum cryptography; quantum key distribution; satellite QKD; access control; threat model; photon key distribution; PKD
Cryptographic key distribution is a major application of quantum communication. Such schemes typically use measurements of quantum states of photons shared between two remote parties to allow both sides to derive shared entropy that can be quantitatively assessed to be private. This shared entropy may be used as keying material for use as one time pads Vernam (1926) or as seed keys for symmetric encryption E. Roback (2001). Quantum Key Distribution relies on transmission of single photons so many photons must be distributed to generate a key over lossy channels. For shorter distances and metropolitan regions photons can be distributed between parties using optical fibres, but for global distances satellite-based nodes become more practical Bedington et al. (2017). For quantum communication from satellites, and other moving platforms, photons are distributed using free space optics (FSO).
Quantum key distribution schemes Gisin et al. (2002); Diamanti et al. (2016) have extremely strong security guarantees due to minimal assumptions on the capabilities of the technology available to potential eavesdroppers—essentially any attack permitted by the laws of physics is deemed possible. Although typically the two communicating parties must trust the QKD hardware within their control, they need not trust the optical channel between them because they can detect any attempt at eavesdropping and any man-in-the-middle attacks on the channel using statistical tests that are inherent to the QKD process. These tests require a fraction of the received photons to be discarded such that they cannot be used in the final keying material. This discarding arises in processes such as basis reconciliation, parameter estimation and privacy amplification. In many situations these discarded photons and slower key rates are a necessity for security e.g. in a metropolitan environment where QKD is performed over optical fibres which pass through many ducts and underground passages where, in principle, eavesdropping can take place.
For the case of satellite QKD (and other FSO delivery methods), where there is a direct line of sight, these measures seem to be harder to justify. To compromise the security of the link, other than disrupting it through denial-of-service attacks, an adversary would have to act as a man-in-the-middle. We argue that performing this attack for an optical link between a low earth orbit (LEO) satellite and ground station would be physically possible, but technically not feasible for most adversaries. It requires intercepting and re-sending a beam that is only a few metres across and rapidly tracking across the sky without being detected. Practical satellite-ground links employ dual tracking beacons to establish the required high accuracy pointing link, effectively providing a channel monitoring system. Additional hardware may be deployed to monitor the channel in other wavelengths, e.g. radar systems or thermal imaging cameras. Furthermore, space situational awareness has led to publicly accessible catalogues that provide ephemeris data of orbiting space objects which are frequently updated, making it possible to assess if any (publicly known) satellites can threaten the link in space. If users fear that their adversaries could have technologies which can covertly intercept the link they could of course use QKD; other users can relax their threat assumptions. In light of the above we thus focus only on passive eavesdroppers, attackers which cannot be detected by channel monitoring techniques. As we will show, using this updated threat model simplifies the key delivery protocol.
In this paper we term the simplified quantum communication schemes that address this scenario as ‘photon key distribution’ (PKD) so as to separate them from conventional QKD protocols. Some more recent QKD schemes, where the security proofs may not yet be completely agreed, may also prove to be somewhere on the PKD to QKD spectrum depending on the security assumptions they require. While most QKD schemes use two bases for encoding, in our PKD schemes only a single encoding basis is used since mixed bases are primarily a mechanism to detect man-in-the-middle attacks. This avoids the basis reconciliation sifting stage and so is more efficient in its use of photons.
Sasaki et al. have previously discussed the opportunity for simplified cryptography schemes that fall between QKD and laser communications Sasaki (2017). As they explain QKD (and PKD) fit within the wider field of physical layer security methods. These encompass such techniques as wiretap channels Wyner (1975) and radio frequency equivalents Poor and Schaefer (2017), to laser-based methods that actively quantify the amount of information an eavesdropper can receive Fujiwara et al. (2018). Our exploration of PKD here builds on the ideas put forward by Sasaki et al.
In this paper we look at the asymptotic secret key rates at high losses (i.e long distance free space links) for three QKD schemes using three different kinds of transmitter hardware, and compare this to three simplified PKD schemes that use similar hardware. The simplified schemes are primarily targeted at satellite applications and all assume that a covert man-in-the-middle attack has been assessed to be non-existent. As expected, they are all found to remain effective at higher losses than their QKD counterparts.
Table 1 shows a summary of the hardware types and corresponding QKD and PKD methods considered. Figure 1 shows a comparison of the quantum bit error rate (QBER) and bits per pulse achieved with these methods at increasing distances (losses). In this way the results can be presented independently of the pulse rate of any particular hardware setup. Although we use the term ’pulse’ here for straightforwardness of comparison, the SPDC sources we consider are operated by a continuous-wave pump, i.e. not pulsed, and produce photon pairs on a stochastic basis so ‘detection events’ would be the more appropriate term. Figures 1 (a) and (b) show that for QKD protocols (BB84, BBM92) there is a sharp drop off in key rate as losses increase. At high losses more key has to be discarded in privacy amplification than is available so the secure key rate drops to zero. This does not happen in the PKD equivalents as it is assumed that there are no active man-in-the-middle attacks, and so privacy amplification is only required for multi-photon pulses.
|Photon Source||QKD protocol||PKD encoding (example)|
|Weak coherent pulse (WCP)||Decoy state BB84||Pulse position modulation (PPM)|
|Ideal single photon source (SPS)||Single photon BB84||
(a) Key generation rate for Quantum Key Distribution (QKD) protocols: Decoy State BB84, BBM92, and BB84 using an ideal Single Photon Source (SPS).
(b) Key generation rate for photon key distribution (PKD) schemes: Pulse-position modulated (PPM) Photon Key Distribution (PKD), PKD with a heralded photon source, and PKD using an ideal SPS.
(c) Quantum Bit Error Rate (QBER) for QKD protocols.
(d) QBER for simplified PKD schemes.
The results are discussed in the sections below based on the different hardware types. General assumptions are that space-based detectors have 15,000 dark counts per second while ground-based detectors have 2,500 dark counts per second. This is based on pessimistic cases for single photon detectors before and after radiation damage Tan et al. (2013). Furthermore, ground-based detectors are assumed to have an additional 1,000 background counts per second due to scattered light entering the receiver. This is slightly more conservative than noise counts estimated in recent literature Bourgoin et al. (2013). All sources are assumed to have perfect visibility, e.g. for a SPDC source this means it is assumed to produce perfectly entangled states.
iii.1 Weak Coherent Pulse (WCP) source
Satellite-to-ground decoy state QKD using a Weak Coherent Pulse (WCP) source has conclusively been demonstrated on the Micius satellite in 2016 Liao et al. (2017) and the QUBE mission aims to demonstrate a WCP QKD system on a nanosatellite Haber et al. (2018). WCP sources are highly attenuated lasers which approximate a single photon state although multi-photon emissions are possible. We use the Micius source parameters as a realistic assumption in our model; on average our source emits 0.8 photons per pulse. For QKD it performs the decoy state BB84 protocol Ma et al. (2005) where it also emits decoy states of mean photon number 0.1, and operates at a ratio of 0.5: 0.25: 0.25 for signal, decoy and vacuum states.
For WCP PKD no decoy states are transmitted, only signal states with an optimised mean photon number of between 0.4701 and 0.4583 for losses of 20-70dB. These are assumed to be coupled to a modulator that enables pulse position modulation (PPM) to encode bits as early (bit 0) or late pulses (bit 1). Compared to polarisation encoding this also removes the requirement to synchronise polarisation reference frames which is especially convenient for then communicating to satellites.
iii.2 Spontaneous parametric down conversion (SPDC) photon pair source
For the QKD protocols considered here the SPDC photon pair source is assumed to be an entangled photon pair source performing the BBM92 protocol Bennett et al. (1992); Naughton et al. (2019). The Micius satellite demonstrated an entangled photon pair source in orbit Yin et al. (2017a, b) and the SpooQy-1 nanosatellite will demonstrate a miniaturised device in orbit in 2019 Grieve et al. (2018). The PKD protocols with this setup can use the same hardware or a simpler correlated (heralded) photon pair source, with unit visibility, such as the miniaturised device flown on the Galassia nanosatellite Tang et al. (2016). To avoid synchronising reference frames the two-state encoding could be in left and right hand circular polarisation.
Protocols using pair sources require two detections i.e. one of the pair must be detected at the source and the other of the pair detected at the receiver. The total detection efficiency at the source is assumed to be 25% (i.e. there is a system loss of -6dB). The main effect of this approach is that the Quantum Bit Error Rate (QBER) partly becomes a function of the accidental rate of coincident detection between the two detectors. This accidentals rate is given by Janossy (1944); Grieve et al. (2016), where and are the singles rates observed at the detectors, and the timing coincidence window.
In this study, we assume that the source is capable of producing photon pairs at a raw rate of per second into a single spatial mode, and that the timing resolution is , which are readily accessible Cao et al. (2018). This leads to a QBER that is between 3% and 4%; this QBER has a linear relationship with the timing window - faster electronics will lead to smaller QBER. An advantage of using photon pairs is that the probability of multi-photon emission is insignificant (similar to single photon sources), leading to a smaller percentage of the raw key being discarded in privacy amplification.
iii.3 Single photon source (SPS)
The SPS is assumed to be a perfect device that produces single photons on demand and never multi-photon pulses. For QKD this means it can perform the BB84 Bennett and Brassard (2014) protocol without any requirement for decoy states. For PKD it can even be encoded in wavelength giving a broad scope for multiplexing. In both cases the SPS has the highest rates. It should be noted that compared to the other technologies SPS devices are currently at low ‘technology readiness levels’ Vogl et al. (2019) or only work at cryogenic temperatures which means they are not a practical choice for deployment in space.
The PKD protocols have higher rates than the QKD protocols because eavesdroppers have no access to the channel and only ‘collective attacks’ are allowed. That means if there are no multi-photon emissions (i.e. not using the WCP source) no privacy amplification is required. PPM PKD suffers from multi-photon emissions so requires privacy amplification. In general the relaxed security assumptions increase key rates and allow for key generation at larger distances. Comparing between different hardware methods of PKD (or between different hardware methods of QKD) is less conclusive, since the ‘pulse’ rates of different implementations of the hardware will vary.
Iv Materials and Methods
The equation for PPM PKD is derived from the Devetak-Winter bound for collective attack for a simplified COW PPM scheme with decoys from appendix B of reference Branciard et al. (2007). All parts due to decoy are set to neutral, and an error correction term is added to the equation. The final key rate is thus
where is a privacy amplification term corresponding to the optimised mean photon number . is the detection efficiency, is the source frequency and is the transmissivity.
The approach presented in this paper can be applied to key distribution, not only when using satellites, but also in other types of FSO-based systems. For example, in ad-hoc networks where the transmitter and receiver can visually identify each other, it may be straightforward to assess the absence of a man-in-the-middle and use PKD type protocols to establish a secret key. If the possibility of man-in-the-middle attacks can be excluded or monitored by conventional means, then PKD protocols can allow for secure key distribution using quantum communication methods at increased losses using similar or simplified hardware. In a practical key distribution scenario, it is worthwhile to have a better specification of the threat model and to devote efforts in closing physical side-channels, rather than attempting to defeat a hypothetical quantum adversary. Finally, we remark that using QKD hardware it may be possible to switch to a PKD protocol when the channel is assessed to be free of active attacks, and thus increase key distribution rates.
We thank Charles Lim and Ignatius William Primaatmaja for their valuable feedback and suggestions.
A patent has been filed for the heralded source key distribution method.
Conceptualization: Robert Bedington, James A. Grieve and Alexander Ling; Data curation: Tom Vergoossen; Formal analysis: Tom Vergoossen; Funding acquisition: Alexander Ling; Investigation: Tom Vergoossen; Methodology: Tom Vergoossen; Project administration: Robert Bedington and Alexander Ling; Resources: Alexander Ling; Software: Tom Vergoossen; Supervision: Robert Bedington and Alexander Ling; Validation: Tom Vergoossen; Visualization: Tom Vergoossen; Writing – original draft: Tom Vergoossen and Robert Bedington; Writing – review and editing: Tom Vergoossen, Robert Bedington, James A. Grieve and Alexander Ling.
This work is partially supported by the National Research Foundation, Prime Minister’s Office, Singapore (under the Research Centres of Excellence programme and through Award No. NRF-CRP12-2013-02).
The following abbreviations are used in this manuscript:
QKD Quantum Key Distribution FSO Free Space Optics PKD Photon Key Distribution SPS Single Photon Source WCP Weak Coherent Pulse PPM Pulse Position Modulation BB84 Bennett Brassard 1984 (QKD protocol Bennett and Brassard (2014)) BBM92 Bennett Brassard Mermin 1992 (QKD protocol Bennett et al. (1992)) AES Advanced Encryption Standard QBER Quantum Bit Error Rate COW Coherent One Way (QKD protocol Branciard et al. (2007)) SKA Secret Key Agreement SPDC Spontaneous Parametric Down Conversion
- Vernam (1926) Vernam, G.S. Cipher Printing Telegraph Systems For Secret Wire and Radio Telegraphic Communications. Transactions of the American Institute of Electrical Engineers 1926, XLV, 295–301.
- E. Roback (2001) E. Roback, et al. Advanced encryption standard (AES). Technical Report 141, National Institute of Standards and Technology, Gaithersburg, MD, 2001.
- Bedington et al. (2017) Bedington, R.; Arrazola, J.M.; Ling, A. Progress in satellite quantum key distribution. npj Quantum Information 2017, 3, 30.
- Gisin et al. (2002) Gisin, N.; Ribordy, G.; Tittel, W.; Zbinden, H. Quantum cryptography. Reviews of Modern Physics 2002, 74, 145–195.
- Diamanti et al. (2016) Diamanti, E.; Lo, H.K.; Qi, B.; Yuan, Z. Practical challenges in quantum key distribution. npj Quantum Information 2016, 2, 16025.
- Sasaki (2017) Sasaki, M. Quantum networks: Where should we be heading? Quantum Science and Technology 2017, 2.
- Wyner (1975) Wyner, A.D. The Wire-Tap Channel. Bell System Technical Journal 1975, 54, 1355–1387.
- Poor and Schaefer (2017) Poor, H.V.; Schaefer, R.F. Wireless physical layer security. Proceedings of the National Academy of Sciences of the United States of America 2017, 114, 19–26.
- Fujiwara et al. (2018) Fujiwara, M.; Ito, T.; Kitamura, M.; Endo, H.; Tsuzuki, O.; Toyoshima, M.; Takenaka, H.; Takayama, Y.; Shimizu, R.; Takeoka, M.; Matsumoto, R.; Sasaki, M. Free-space optical wiretap channel and experimental secret key agreement in 7.8 km terrestrial link. Optics Express 2018, 26, 19513–19523.
- Tan et al. (2013) Tan, Y.C.; Chandrasekara, R.; Cheng, C.; Ling, A. Silicon avalanche photodiode operation and lifetime analysis for small satellites. Opt. Express 2013, 21, 16946–16954.
- Bourgoin et al. (2013) Bourgoin, J.P.; Meyer-Scott, E.; Higgins, B.L.; Helou, B.; Erven, C.; Hübel, H.; Kumar, B.; Hudson, D.; D’Souza, I.; Girard, R.; Laflamme, R.; Jennewein, T. A comprehensive design and performance analysis of low Earth orbit satellite quantum communication. New Journal of Physics 2013, 15, 023006.
- Liao et al. (2017) Liao, S.K.; Cai, W.Q.; Liu, W.Y.; Zhang, L.; Li, Y.; Ren, J.G.; Yin, J.; Shen, Q.; Cao, Y.; Li, Z.P.; Li, F.Z.; Chen, X.W.; Sun, L.H.; Jia, J.J.; Wu, J.C.; Jiang, X.J.; Wang, J.F.; Huang, Y.M.; Wang, Q.; Zhou, Y.L.; Deng, L.; Xi, T.; Ma, L.; Hu, T.; Zhang, Q.; Chen, Y.A.; Liu, N.L.; Wang, X.B.; Zhu, Z.C.; Lu, C.Y.; Shu, R.; Peng, C.Z.; Wang, J.Y.; Pan, J.W. Satellite-to-ground quantum key distribution. Nature 2017, 549, 43–47.
- Haber et al. (2018) Haber, R.; Garbe, D.; Schilling, K.; Rosenfeld, W. QUBE - A CubeSat for Quantum Key Distribution Experiments. Proceedings of the AIAA/USU Conference on Small Satellites 2018, 49.
- Ma et al. (2005) Ma, X.; Qi, B.; Zhao, Y.; Lo, H.K. Practical decoy state for quantum key distribution. Physical Review A - Atomic, Molecular, and Optical Physics 2005, 72, 1–15.
- Bennett et al. (1992) Bennett, C.H.; Brassard, G.; Mermin, N.D. Quantum cryptography without Bell’s theorem. Phys. Rev. Lett. 1992, 68, 557–559.
- Naughton et al. (2019) Naughton, D.; Bedington, R.; Barraclough, S.; Islam, T.; Griffin, D.; Smith, B. Design considerations for an optical link supporting intersatellite quantum key distribution. Optical Engineering 2019, 58, 1.
- Yin et al. (2017a) Yin, J.; Cao, Y.; Li, Y.H.; Liao, S.K.; Zhang, L.; Ren, J.G.; Cai, W.Q.; Liu, W.Y.; Li, B.; Dai, H.; Li, G.B.; Lu, Q.M.; Gong, Y.H.; Xu, Y.; Li, S.L.; Li, F.Z.; Yin, Y.Y.; Jiang, Z.Q.; Li, M.; Jia, J.J.; Ren, G.; He, D.; Zhou, Y.L.; Zhang, X.X.; Wang, N.; Chang, X.; Zhu, Z.C.; Liu, N.L.; Chen, Y.A.; Lu, C.Y.; Shu, R.; Peng, C.Z.; Wang, J.Y.; Pan, J.W. Satellite-based entanglement distribution over 1200 kilometers. Science 2017, 356, 1140–1144.
- Yin et al. (2017b) Yin, J.; Cao, Y.; Li, Y.H.; Ren, J.G.; Liao, S.K.; Zhang, L.; Cai, W.Q.; Liu, W.Y.; Li, B.; Dai, H.; Li, M.; Huang, Y.M.; Deng, L.; Li, L.; Zhang, Q.; Liu, N.L.; Chen, Y.A.; Lu, C.Y.; Shu, R.; Peng, C.Z.; Wang, J.Y.; Pan, J.W. Satellite-to-Ground Entanglement-Based Quantum Key Distribution. Physical Review Letters 2017, 119, 200501.
- Grieve et al. (2018) Grieve, J.A.; Bedington, R.; Tang, Z.; Chandrasekara, R.C.; Ling, A. SpooQySats: CubeSats to demonstrate quantum key distribution technologies. Acta Astronautica 2018, 151, 103–106.
- Tang et al. (2016) Tang, Z.; Chandrasekara, R.; Tan, Y.C.; Cheng, C.; Sha, L.; Hiang, G.C.; Oi, D.K.L.; Ling, A. Generation and Analysis of Correlated Pairs of Photons aboard a Nanosatellite. Physical Review Applied 2016, 5, 054022.
- Janossy (1944) Janossy, L. Rate of n-fold Accidental Coincidences. Nature 1944, 153, 165–165.
- Grieve et al. (2016) Grieve, J.a.; Chandrasekara, R.; Tang, Z.; Cheng, C.; Ling, A. Correcting for accidental correlations in saturated avalanche photodiodes. Optics Express 2016, 24, 3592.
- Cao et al. (2018) Cao, Y.; Li, Y.H.; Zou, W.J.; Li, Z.P.; Shen, Q.; Liao, S.K.; Ren, J.G.; Yin, J.; Chen, Y.A.; Peng, C.Z.; Pan, J.W. Bell Test over Extremely High-Loss Channels: Towards Distributing Entangled Photon Pairs between Earth and the Moon. Phys. Rev. Lett. 2018, 120, 140405.
- Bennett and Brassard (2014) Bennett, C.H.; Brassard, G. Quantum cryptography: Public key distribution and coin tossing. Theoretical Computer Science 2014, 560, 7–11.
- Vogl et al. (2019) Vogl, T.; Lecamwasam, R.; Buchler, B.C.; Lu, Y.; Lam, P.K. Space-compatible cavity-enhanced single-photon generation with hexagonal boron nitride. ArXiv 2019, p. 1902.03019.
- Ma et al. (2007) Ma, X.; Fung, C.H.F.; Lo, H.K. Quantum key distribution with entangled photon sources. Physical Review A 2007, 76, 012307.
- Branciard et al. (2007) Branciard, C.; Gisin, N.; Lutkenhaus, N.; Scarani, V. Zero-Error Attacks and Detection Statistics in the Coherent One-Way Protocol for Quantum Cryptography. Quant. Inf. Comput. 2007, 7, 639–664.