Security of Trusted Repeater Quantum Key Distribution Networks

Louis Salvail, Momtchil Peev, Eleni Diamanti, Romain Alléaume,
Norbert Lütkenhaus, Thomas Länger

Université de Montréal, Montréal, Canada
Austrian Research Centers GmbH - ARC, Vienna, Austria
Laboratoire Charles Fabry de l’Institut d’Optique, Palaiseau, France
Telecom ParisTech & LTCI - CNRS, Paris, France
University Erlangen-Nuremberg, Erlangen, Germany
Institute for Quantum Computing, University of Waterloo, Waterloo, Canada

A Quantum Key Distribution (QKD) network is an infrastructure capable of performing long-distance and high-rate secret key agreement with information-theoretic security. In this paper we study security properties of QKD networks based on trusted repeater nodes. Such networks can already be deployed, based on current technology. We present an example of a trusted repeater QKD network, developed within the SECOQC project. The main focus is put on the study of secure key agreement over a trusted repeater QKD network, when some nodes are corrupted. We propose an original method, able to ensure the authenticity and privacy of the generated secret keys.

Keywords: quantum cryptography, quantum key distribution, QKD network, trusted repeater, secure key agreement, secret sharing

1 Introduction

Quantum Key Distribution (QKD), often called in a more general context Quantum Cryptography, is a technology that uses the properties of quantum mechanical systems in combination with information theory to achieve unconditionally secure distribution of secret keys. In the last years, the field has rapidly evolved in terms of both theoretical foundations and experimental implementations, with impressive results [1, 2, 3].

The use of QKD has been, until now, mostly limited to point-to-point communication scenarios: the goal being to allow two remote parties linked by a quantum channel and an authentic classical channel to share a common random binary string - a key - that remains unknown to a potential eavesdropper, and to achieve in practice the longest possible communication distance and the highest possible key generation rate. Despite the progress in this direction, the performance of stand-alone point-to-point QKD links will however remain intrinsically limited in terms of achievable distance and rate. Building QKD networks based on an ensemble of QKD links and intermediate nodes, could lift these limitations. The purpose of this paper is to discuss the security aspects of QKD networks whose deployment is feasible with current technology: trusted repeater QKD networks. The principle of such networks consists in using trusted repeater nodes as classical relays between QKD links. Indeed, provided that some level of trust can be granted to the network nodes, such networks can guarantee unconditionally secure key exchange between multiple users over potentially unlimited distances.

The material is organized as follows. Section 2 defines the setting of this work: key agreement based on Quantum Key Distribution. It introduces the cryptographic framework of Quantum Key Distribution, focusing on its most striking cryptographic feature: the ability to establish secret keys with information-theoretic security. Section 3 then describes the different possible types of QKD networks and presents an example of a trusted repeater QKD network: the Secoqc QKD network. Section 4 is then devoted to the full analysis of secure key agreement in a trusted repeater QKD network in the case when some nodes may be arbitrarily malicious (or corrupt). We propose a method allowing the communicating parties to ensure the authenticity of a generated secret key without compromising its privacy. We also discuss practical issues and provide a security analysis for this method. Finally, in Section 5, we summarize our results and discuss possible modifications in the model assumptions.

2 The Key Establishment Problem and Quantum Key Distribution

In this work, we regard QKD as a cryptographic primitive, that is as a low-level, universal cryptographic algorithm which can be used as a building block for creating highly complex, dedicated secure communication applications. In this sense, the task of QKD is key distribution (or to use the proper cryptographic term key establishment) between two legitimate parties at two distant locations.

Key Establishment [4] is a standard security task, which is solved either by sending the key from one party to the other over a channel assumed to be secure (key transport) or by applying methods allowing the two parties to generate a common secret key out of inputs provided by both parties (key agreement). Key establishment methods are based on protocols, including specific, locally executed, algorithmic steps and public communication. Assumptions on the intrinsic properties of the communication channels, the power of the adversary, or the resources available to the legitimate parties yield a variety of models, which depending on the methods applied offer different levels of security.

In Section 2.1 we introduce information-theoretic security - a security level, provided by QKD, which is also central to all protocols discussed in this paper. Section 2.2 gives a short overview of models allowing information-theoretic security followed by a detailed discussion of the crypto-properties of QKD, which are the corner stone of the subsequent constructions. Section 2.3 addresses then performance and applicability issues of typical realizations of this primitive and argues on the necessity of designing QKD networks.

2.1 Information-Theoretically Secure Key Agreement

It is beyond the scope of the current paper to address in detail all possible levels of security of key establishment models. We will be solely interested in the highest level of security, known as information-theoretic (or unconditional) security. The notion of information theoretic security (ITS), which is based on probability-theoretic statements, goes back to Shannon [5, 6]. This notion was first introduced in the context of a key agreement process by Wyner [7]. An exact definition depends on the precise model assumptions. Here we describe ITS key agreement in general terms (following [8]) of the two underlying essential ingredients Authenticity and Privacy.

Two parties Alice and Bob perform a key establishment process, as a result of which they obtain the keys and respectively of length . We say that the key agreement is -secure if there exists a perfectly random, uniformly distributed key of length , for which

i. (Authenticity):

The probability that OR the key agreement process is terminated with notification of failure,

ii. (Privacy):

The information of the adversary Eve (footnote 1: Here the information of the adversary is symbolically meant in a generic sense. Strictly speaking, mutual information is defined only in the sense of Shannon entropy, i.e. when the knowledge of the adversary can be characterized by a probability distribution. See Section 2.2 for an adversary holding quantum information.) is bounded by

whereby . The intuitive meaning of this definition is that security is achieved when the probability that Alice and Bob do not abort if the keys differ or that the adversary gets non-negligible information on the final key is at most . In other words, except with probability Alice and Bob generate an identical key, which is unknown to the eavesdropper. It is important to note here that ITS definitions and proofs, regard keys like , as random variables, depending on an input, which is different for different models. Keys shared finally by Alice and Bob are actually values of these random variables. For the sake of simplicity, we ignore this difference and use capitals in what follows.

2.2 QKD - an ITS Cryptographic Key Agreement Primitive

It is well known [6, 8] that no cryptographic method relying solely on computation and communication over insecure communication channels can ensure ITS key establishment. In any case, additional resources given to Alice and Bob or alternatively assumptions limiting the information available to the eavesdropper are needed to this end. ITS key agreement is possible in a number of scenarios, based on bounded knowledge available to the adversary, due to e.g. intrinsic noise in the communication channel or limitations of the memory capacity of the adversary (see [8] and references therein). Alternatively ITS key agreement can also be achieved as a consequence of the quantum nature of certain resources, e.g. a quantum communication channel (needed for QKD), or distributed entanglement (needed for quantum teleportation [9]), if such resources are available to the legitimate parties, as these can render unfeasible a number of eavesdropping activities. All methods in the discussed class additionally assume that classical communication channels are authentic, i.e. that the adversary is restricted to passive eavesdropping on these channels (footnote 2: As pointed out below, this additional assumption can be lifted by applying ITS message authentication schemes.). Recently it was found that all these methods can be formulated using a unified quantum approach [10], based on embedding the purely classical scenarios in an equivalent quantum framework.

Thus, from a logical point of view, QKD is just one of many methods enabling ITS key agreement. From a more technological perspective, QKD is currently by far the least restrictive approach. Indeed the eavesdropper is not limited by assumptions, while the additional resource required - stable quantum communication (transmission of light quanta over optical fibers or through free space) between Alice and Bob is already by no means a mere theoretical construction but rather an advanced engineering practice (see e.g. [11]). Simultaneously, real-time key agreement rates at distances below 100 km reach practically usable ranges [11, 12].

A QKD protocol generically includes two main activities: the legitimate parties communicate over a quantum channel to get correlated bit strings and perform post-processing over the public authentic channel to get identical secure keys or notified termination in case of technical problems or significant eavesdropping activity (see e.g. [3] for details). Different methods to get correlations and different types of post-processing yield different QKD protocols. For a number of studied QKD protocols one can derive full security proofs, which lead to explicit expressions for the information-theoretically secure key generation rate (i.e. the length of the generated secure key per unit time). Among the several proof techniques that have been used in the past years, the most important ones rely on the uncertainty principle [13, 14, 15, 16], the correspondence between entanglement distillation and classical post-processing [17, 18], or information-theoretic notions and in particular smooth Renyi entropies [19, 20, 21]. The ultimate reason for ITS in this case is the fact that eavesdropping attempts by the adversary on the quantum channel unavoidably modify quantum signals and leave signatures in the form of errors. The post-processing phase makes it possible to eradicate the knowledge acquired by moderate eavesdropping, or to recognize that information leakage is irreparable and terminate the protocol.

Information theoretic security as introduced in Section 2.1 above ensures in general composability [22], which means that the security of the key is guaranteed regardless of the application it is used for: if an -secure key is used in a -secure task, the composed task would be -secure. The importance of this issue for QKD was recognized only recently [22]. The problem was that initial security studies adopted a security definition which was not composable. Early security proofs defined QKD security by analogy with the classical version of the Privacy requirement in Section 2.1: The eavesdropper, who holds a quantum state , performs the measurement that maximizes her mutual information with the key . This defines the so-called accessible information , and the security criterion reads . This was shown not to be composable [23]. The main problem is that this definition of security assumes that the eavesdropper transforms her quantum state into a classical one during key agreement. In fact she can keep her quantum state and eventually use it to break a composed task when the QKD key is used later on. A definition that leads to composability for QKD requires a quantum reformulation of both ingredients (Authenticity and Privacy) of ITS. These can be embedded into a single composable requirement [22] utilizing the trace-norm, , where is the completely mixed state on .

Composability of QKD key has many implications. The most immediate one is related to relaxing the assumption on availability of a public authentic channel. From a practical point of view this assumption is indeed too strong. Message modification on classical channels is a simple technical task. This would, however, allow the eavesdropper to easily mount man-in-the-middle attacks by cutting both the classical and the quantum channels, introducing corresponding QKD quantum technology, and carrying out two QKD protocols, one with Alice pretending that she is Bob and one with Bob taking over the role of Alice. Fortunately, it is possible to give up the authenticity assumption by augmenting pure QKD with a message authentication scheme, which can guarantee integrity of classical communication with information-theoretic security. This is achieved by means of continuous usage of secret key in classical communication. In particular, each message is sent together with a hash value, where hashing is performed with a keyed hash function for each message, whereby the function itself is chosen from some almost universal family of functions, which is indexed by the secret key [24, 25]. The rate of key generation of pure QKD is higher than the key usage for message authentication. Therefore, putting things together, QKD is an information-theoretically secure key agreement process, which needs a fixed (small) amount of pre-distributed initial secret key to start with. Due to composability, subsequent authentication of communication can be performed using part of the newly generated key (footnote 3: It is remarkable that the cryptographic key agreement primitive most widely used in current security practice, namely the Diffie-Hellman key agreement protocol [26], is also prone in its pure form to man-in-the-middle attacks and for this reason has to be augmented by additional measures.).
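The following is an added example, not code from the paper or the Secoqc project, of the kind of information-theoretically secure message authentication described above (the Wegman-Carter construction: a tag is a hash from an almost universal family, indexed by a secret point r, masked with a fresh one-time pad s). The family assumed here, polynomial evaluation over the prime field GF(P), is an illustrative choice; the paper does not name a specific family. Both r and s would be drawn from previously generated QKD key; here the OS random generator stands in for that key pool.

```python
# Added example: Wegman-Carter style ITS message authentication.
# Hash family (assumption, for illustration): polynomial evaluation
# of the message over GF(P) at a secret point r, plus a fresh pad s.
import secrets
from typing import Tuple

P = (1 << 61) - 1          # Mersenne prime 2^61 - 1; tags are elements of GF(P)
CHUNK = 7                  # 56-bit message chunks, so every coefficient is < P


def poly_hash(r: int, msg: bytes) -> int:
    """h_r(msg): evaluate the message polynomial at the secret point r.
    The byte length is appended as a final coefficient so that messages
    of different length map to different polynomials."""
    coeffs = [int.from_bytes(msg[i:i + CHUNK], "big")
              for i in range(0, len(msg), CHUNK)]
    coeffs.append(len(msg))
    h = 0
    for c in coeffs:                 # Horner evaluation over GF(P)
        h = (h * r + c) % P
    return h


def fresh_key_material() -> Tuple[int, int]:
    """Draw (r, s) from the secret key pool. In a QKD link both values
    come from earlier QKD output; here the OS RNG is a constructed stand-in."""
    return secrets.randbelow(P), secrets.randbelow(P)


def tag(msg: bytes, r: int, s: int) -> int:
    """tag = h_r(msg) + s mod P. The pad s must be fresh for every message;
    the family index r may be reused across messages."""
    return (poly_hash(r, msg) + s) % P


def verify(msg: bytes, t: int, r: int, s: int) -> bool:
    """Receiver recomputes the tag with the shared (r, s)."""
    return tag(msg, r, s) == t


def forgery_bound(msg_len: int) -> float:
    """Upper bound on the success probability of a forgery for a message of
    msg_len bytes: two distinct message polynomials with d coefficients
    agree on fewer than d points of GF(P), so the collision probability
    over the random r is below d / P (a slightly loose, safe bound)."""
    d = -(-msg_len // CHUNK) + 1     # ceil(msg_len / CHUNK) plus the length term
    return d / P


def key_bits_per_message(reuse_r: bool = True) -> int:
    """Secret key consumed per authenticated message: one 61-bit field
    element for the pad s, plus one more for r if r is not reused."""
    return 61 * (1 if reuse_r else 2)


if __name__ == "__main__":
    r, s = fresh_key_material()
    m = b"constructed sample message: sifting round 17"
    t = tag(m, r, s)
    print(verify(m, t, r, s), verify(m + b"!", t, r, s), forgery_bound(len(m)))
```

The point the paper makes about key consumption is visible in `key_bits_per_message`: with r reused and only the pad refreshed, each authenticated message costs about 61 bits of secret key regardless of message length, which is what keeps the authentication cost below the QKD key generation rate.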

2.3 QKD Links: Performance and Application Domains

Having clarified the security of QKD we turn to more practical issues like the connectivity it allows and its typical performance.

As far as connectivity is concerned it should be noted that QKD is intrinsically a point-to-point primitive (need for dedicated direct connection by a quantum channel, necessity of peer-to-peer key pre-sharing), and is thus suitable for key establishment in a closed community. Further it should be pointed out that, as a consequence of composability, if the QKD-generated key is used for an information-theoretically secure communication, provided by One Time Pad (OTP) encryption together with unconditionally secure authentication, then the composed protocol realizes an unconditionally secure channel - a point-to-point QKD link (footnote 4: A QKD link is realized by two quantum optics and processing devices - QKD devices - usually a sender and a receiver, deployed with Alice and Bob respectively, which generate key and optionally can perform simple key management and ITS encryption/authentication.), which among other tasks can be used for key transport as discussed in the subsequent section.

Figure 1: Typical profile of the rate versus distance curve for a single QKD link.

Performance on the other hand is given by the secret key generation rate , which is a characteristic function of distance depending on the QKD protocol and the specific implementation of a QKD link. This rate clearly varies from system to system but in general terms it follows the curve of Fig. 1. As shown in this figure, the logarithm of the rate of secret bit agreement initially falls at a given power of the channel attenuation (depending on the implemented QKD protocol), and features an exponential drop-off at long distances. In addition to reliability and stability, the performance of practical QKD systems is usually measured by the maximum communication distance they can reach, , and the secure key generation rate they can achieve at a useful range. The limiting factors vary greatly for different protocols and implementations and range from hardware-related problems such as the high dark count rates in typical single-photon counting detectors at telecommunication wavelengths to algorithmic issues such as the finite efficiency of error-correcting codes [3]. The distance at which direct QKD between two parties is possible is roughly limited to 100 km in optical fibers for current systems, with a possibility of reaching up to 200 km in the next few years, while the secret key generation rate is currently limited to a few tens or hundreds of kbit/s depending on the distance.

It is clear from the above discussion that QKD links suffer from intrinsic limitations: they cannot be operated over arbitrarily long distances and their use is restricted to point-to-point key exchange/secure communication between the two endpoints of the quantum channel. A natural question that arises then is what could be the application field of a technology with such characteristics. Obviously, QKD links can be directly used in an environment in which highly secure communication is required between two parties over a relatively short distance. If information-theoretic secure communication is the target, it can be achieved at low rate (i.e. around 10-20 kbit/s). If broadband secure communication is needed instead, then unconditionally secure communication is out of reach at a reasonable cost. A highly secure point-to-point communication is still possible by combining a pair of QKD devices with high end symmetric encryptors (typically running the AES encoding scheme). In this case, the limit is set by the speed of encryption (around 10 Gbit/s) whereas the key is exchanged at a rate allowed by the QKD device-pair. It should be stressed that although the overall security offered by such QKD link-encryptors is no longer information-theoretic it greatly exceeds the one provided by any other currently existing method. Today, several QKD-based link encryptors are commercially available [12], but their range of applications in practical communication systems is inevitably rather limited. A better way to exploit the extremely high security standard offered by QKD and to extend the application range to long-distance and multiple-user key establishment is to combine several QKD links in order to form a QKD network. Indeed, as we will see in the next sections, a number of the aforementioned limitations of QKD links can be overcome when it is possible to achieve QKD-based unconditionally secure key agreement over a network [27, 28]. From this perspective the development of QKD network architectures appears as a necessary step in order to achieve effective integration of QKD into secure communication networks.

3 QKD Networks

We define a QKD network as an infrastructure for ITS key establishment, which relies on quantum resources available to the legitimate participants, while not imposing bounds on the eavesdropping capabilities of the adversary, and allows connectivity of parties that do not share a direct, fixed quantum channel. Optionally this infrastructure should also allow lifting the restrictions typical for stand-alone QKD links - enable ITS key establishment over long distances (e.g. continental scale), increase and maximize the throughput capacity (the key generation rate) and ensure robustness against denial of service attacks and technical service break-downs.

The first proof-of-principle QKD network demonstrator, the “DARPA Quantum network”, was deployed between Harvard University, Boston University and BBN in 2004 [29, 30]. A highly integrated network demonstrator, developed within the framework of the integrated FP6 Project Secoqc, which ensures network-wide ITS key establishment, was deployed, tested, and demonstrated in Vienna [11].

3.1 Types of QKD Networks

The precise notion of ITS security depends on the particular QKD network model. For this reason we start by considering the different QKD network types. These have been known for a long time now and have been suggested already in [31]. There are two principal approaches: a) quantum channel switching paradigm – creating an end-to-end quantum channel (or more generally distributing quantum resources) between Alice and Bob, or b) trusted repeater paradigm – transport of key over many intermediate nodes, which are (at least partially) trustworthy, i.e. not infiltrated by the eavesdropper. The two approaches are essentially different and we shall discuss them one after the other.

3.1.1 QKD Networks With Quantum Channel Switching

Optically switched quantum networks: These are networks in which some classical optical function, like beam splitting, switching, multiplexing, demultiplexing, etc., can be applied to the quantum signals sent over the quantum channel. The interest in such optical networking capabilities in the context of QKD networks is that they allow going beyond two-user QKD. Moreover, this can be done with current technology. Active optical switching can thus be used to allow the selective connection of any two parties with a direct quantum channel (the BBN DARPA quantum network contained an active 2-by-2 optical switch that could be used to actively switch between two network topologies). Optical functions can thus be used to realize multi-user QKD, and the intermediate sites do not need to be trusted, since quantum signals are transmitted over a quantum channel with no interruption from one end-user QKD device to the other one. In this sense the security analysis coincides with that for a stand-alone QKD link. This QKD network model can however not be used to extend the distance over which keys can be distributed. Indeed, the extra amount of optical losses introduced in the switching devices will in reality decrease the transmission capacity of quantum channels and thus the maximal key distribution distance. In addition, in a fully switched optical network any two parties have to share an initial secret to be able to start the key agreement process. So, overall, this type of network is not scalable and thus not suitable for long distance QKD. Instead, such networks can be used in local or metropolitan areas.

Quantum repeater based QKD networks: To be able to extend the distance over which quantum key distribution can be performed, it is necessary to fight against propagation losses that affect the quantum signals as they travel over the quantum channel. Quantum repeaters [32] can overcome the loss problem and can be used to distribute entanglement between any two parties and therefore effectively create an end-to-end quantum channel across the network. A quantum repeater based network can thus be seen as a “fully quantum” network. As intermediate network nodes do not get any information in the process of key generation, end-to-end unconditional security is guaranteed without the need to trust these nodes. In this sense the security analysis also coincides with that for a stand-alone QKD link. Quantum repeaters however rely on elaborate quantum operations and on quantum memories that cannot be realized with current technology. As discussed in [33], quantum nodes called quantum relays could also be used to extend the distance over which secure QKD can be performed (footnote 5: Both quantum repeaters and quantum relays are devices that allow teleporting qubits over several quantum channel segments, whereby entangled photons are distributed along the separate segments. The main difference between quantum repeaters (see [3] for a simple model of a quantum repeater) and quantum relays is that while in a quantum repeater received photons are kept in quantum memories in order to bring entangled pairs from adjacent segments in correspondence, in a quantum relay one waits for the event when all photons sent along the different segments are received - i.e. none is absorbed.). Quantum relays are simpler to implement than quantum repeaters since they don’t require quantum memories. However, even quantum relays have not yet been technically realized. Moreover, quantum relays would not allow secure QKD over arbitrarily long distances.

3.1.2 Trusted Repeater QKD Networks

Trusted repeater QKD networks have been discussed in various contexts since the advent of Quantum cryptography. Below we give a more formal definition, which in turn simplifies the subsequent security analysis of such networks.

We define a QKD trusted repeater network as an infrastructure composed of QKD links, i.e. from a structural point of view pairs of QKD devices associated by a quantum and a classical communication channel, each link connecting two separate locations or nodes. A QKD trusted repeater network is then a connected graph, the vertices of which are nodes, and the edges - QKD links.

We assume further that initial secret keys are only shared between neighboring nodes (i.e. ones directly connected by a QKD link) and not between any arbitrary pair. This assumption ensures that the number of initial secrets to be shared scales (for wide area networks) with the number of network nodes and not with their square. This in turn largely simplifies the initialization of a QKD network and the adoption of additional nodes during operation.

QKD networks based on trusted key repeaters follow a simple principle: global key distribution is performed over a QKD path, i.e. a one-dimensional chain of trusted repeaters connected by QKD links, establishing a connection between two end nodes. Secret keys are forwarded by unconditionally secure key transport along the QKD links of the path in a hop-by-hop fashion. (As mentioned above, unconditionally secure transport over separate QKD links is ensured by One Time Pad encryption and ITS authentication, both realized with a local QKD key.) End-to-end information-theoretic security is thus obtained between the end nodes, provided that all the intermediate nodes can be trusted, as these possess the full communicated information. The trusted nodes thus play the role of (classical) trusted repeaters. This architecture can be used to build a long-distance QKD network. The advantage of such quantum networks is that they rely on QKD for link key establishment, which guarantees that it is impossible to compromise the network key distribution by direct attacks on the links.
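The hop-by-hop transport just described, as an added example that is not part of the paper or of the Secoqc implementation: a key is forwarded from node 0 to the last node of a path, and on every hop it is one-time-padded with the link key that QKD produced between the two adjacent nodes. The link keys are constructed with the OS random generator as a stand-in for QKD output, and the per-hop ITS authentication of each ciphertext is assumed rather than modelled. The `views` dictionary makes the trust assumption concrete: every intermediate node, not only the endpoints, holds the transported key in clear.

```python
# Added example: hop-by-hop key transport along a trusted repeater path.
# Link keys are a constructed stand-in for QKD output; per-hop ITS
# authentication is assumed and not modelled here.
import secrets
from typing import Dict, List, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR; a one-time pad needs pad and plaintext of equal length."""
    assert len(a) == len(b), "one-time pad needs equal lengths"
    return bytes(x ^ y for x, y in zip(a, b))


def qkd_link_keys(n_nodes: int, key_len: int) -> List[bytes]:
    """One fresh link key per adjacent node pair (constructed stand-in for QKD)."""
    return [secrets.token_bytes(key_len) for _ in range(n_nodes - 1)]


def transport_hop_by_hop(k: bytes, link_keys: List[bytes]
                         ) -> Tuple[bytes, Dict[int, bytes], List[bytes]]:
    """Forward key k from node 0 to node len(link_keys).
    Returns (key delivered at the end node,
             plaintext view of every node on the path,
             ciphertext seen on each link)."""
    views = {0: k}
    wire = []
    current = k
    for i, lk in enumerate(link_keys):
        c = xor_bytes(current, lk)      # node i encrypts with link key (i, i+1)
        wire.append(c)
        current = xor_bytes(c, lk)      # node i+1 decrypts with the same link key
        views[i + 1] = current          # the intermediate node now holds k in clear
    return current, views, wire


def nodes_holding_key(views: Dict[int, bytes], k: bytes) -> List[int]:
    """Every node on the path sees the key: this is why repeaters must be trusted."""
    return sorted(n for n, v in views.items() if v == k)


def link_key_consistent_with(ciphertext: bytes, candidate: bytes) -> bytes:
    """For an eavesdropper without the link key, every candidate plaintext is
    equally consistent with the ciphertext: a pad explaining it always exists.
    This is the one-time-pad secrecy of each individual link."""
    return xor_bytes(ciphertext, candidate)


if __name__ == "__main__":
    keys = qkd_link_keys(4, 16)          # 4 nodes, 3 QKD links
    k = secrets.token_bytes(16)          # constructed end-to-end key
    delivered, views, wire = transport_hop_by_hop(k, keys)
    print(delivered == k, nodes_holding_key(views, k))
```

Run against a 4-node path, `nodes_holding_key` returns all four node indices, which is the observation the second security framework in Section 3.2 and the multi-path construction of Section 4 start from.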

Trusted repeater QKD networks can be implemented with today’s technology since the nodes are essentially QKD devices plus classical memories and processing units placed within secure locations. This concept had been tested in the BBN QKD network and is also the basis of the Secoqc QKD network, which is exclusively based on the trusted repeater approach.

3.2 Security Framework and the Architecture Secoqc

In the trusted repeater paradigm one can differentiate between two basic security frameworks:

The first trust framework, already outlined above, is highly realistic and relevant for internal networks belonging to a spatially distributed entity such as an industrial, financial, governmental, or military institution, the backbone of a telecommunication provider, etc. This case is the main focus of Secoqc. The all-nodes-trusted assumption obviously leads to a straightforward cryptographic conclusion on the security of network connectivity. Together with the guarantee for an information-theoretically secure transport from node to node provided by the underlying QKD links it ensures unconditionally secure transport between Alice and Bob. Indeed in this case the eavesdropper is restricted to attacking the QKD links, which at best can result in a denial of service but not in a gain of any information on the (key) material which is securely transported. While this argument ultimately settles the security analysis in the current model, a practical network realization requires addressing a multitude of architectural tasks, which are of a more applied nature. These tasks include:

  • How to design the architecture of network nodes so that they can provide a universal key distribution mechanism, while possibly integrating heterogeneous QKD links [34]? (Here heterogeneity is meant in terms of the background QKD protocol and device engineering.)

  • How to specify the peer-to-peer key transport protocols?

  • Which particular information-theoretically secure message authentication code to select for implementation?

  • How to design end-to-end network routing and transport protocols, taking into account the unconditionally secure nature of the transport [28]?

  • How to optimally plan the deployment of QKD networks, from a cost perspective, based on a study of the relation of cost and topology [44]?

All of these issues have been at the core of the development work of Secoqc. They have been addressed by a broad interdisciplinary team, and important advances have been made in all mentioned areas (footnote 6: It should be noted that currently the results are only partially publicly available, as at present the project team continues the effort of preparing internal deliverables for final publication. Unpublished deliverables include: O. Maurhart, “Q3P: A Proposal”; M. Fitzi, “General Authentication Framework in QKD”; J. Bouda, et al., “SECOQC Node Keystore Module and Crypto Engine”; J. Bouda, et al., “Encryption and Authentication in SECOQC”.). The outcome is a layered network model effectively decoupling all classical communication as well as the network and key transport functionality from the operation of the QKD devices. As a result, the Secoqc network involves the ability to integrate, by using standard interfaces, a completely heterogeneous physical layer consisting of different types of QKD devices from multiple providers with a homogeneous network-wide end-to-end key transport layer. The project has put in operation and tested a highly integrated prototype in the metropolitan fibre-ring of Siemens in the city of Vienna (see Fig. 2 for a schematic representation). A public demonstration of this prototype took place October 8, 2008.

Figure 2: The Secoqc network prototype in Vienna - a sketch.

The second framework type assumes that a limited number of nodes are taken over by the adversary or corrupted. Obviously this framework is much more challenging from a cryptographic point of view. It is closely related to, although distinct from, a classical problem dedicated to the study of secure message transmission over untrusted networks [35]. In the latter model, it is assumed that any node of the network can be taken over by the adversary but the number of corrupted nodes is upper bounded by some threshold. Apart from the threshold, adversaries can be arbitrarily malicious or Byzantine. Any such adversary that can take over no more than nodes is called -bounded. In Section 4, we study the same problem for trusted repeater QKD networks, where some nodes are corrupted and Byzantine. We discuss an essential difference with respect to the classical case: a condition that protocols in the classical setting should satisfy is too strong when private links between neighbouring nodes are implemented using QKD.

It should be noted that this second framework is highly relevant for QKD networks owned by several, possibly competing entities, and mimics realistic telecom network settings. It requires further research and in particular addressing all practically relevant tasks already carried out in Secoqc for the case of all-nodes-trusted networks.

4 Secret-Key Agreement Over a QKD Network With Corrupted Nodes

In this section, we discuss the privacy and authenticity of secret keys generated over a trusted repeater QKD network with some corrupted nodes. We look at how to characterize adversaries in this model and how to achieve security of the secret keys generated over the QKD network against these adversaries. We compare the QKD-network approach to the related classical problem of perfectly secure message transmission over untrusted networks. We provide a means by which Alice and Bob can verify the authenticity of secret keys generated over a QKD network. This point was originally addressed in the unpublished Secoqc Deliverable [36]. While the present paper was in preparation, two preprints with similar objectives [37, 38] were published. The approach of those authors is similar to the one presented here, but the techniques used to verify the authenticity of the keys are different. The advantage of our technique lies in its potential not only to differentiate between authentic and forged keys but, as discussed below, to help reveal malicious parties in some scenarios.

4.1 The Basic Setting

A straightforward strategy for Alice and Bob to generate a secret key unknown to any other single node in the network is to use two disjoint paths. The final key between Alice and Bob is a secret shared by these paths.

Figure 3: Example:Two paths between Alice and Bob.

Figure 3 shows an example where Alice and Bob generate a secret key from the keys and , which are the secret keys generated on each path. The secret key of each path is of course generated using point-to-point QKD and the standard hop-by-hop mechanism. The final secret key is unknown to each path as long as the two paths do not fully collaborate maliciously: it is secure only if the users can trust at least one of the two paths. In general, if Alice and Bob generate a secret key from paths, then will be secure unless all paths are dishonest and collaborate. We denote by the set of all intermediary keys of length and we let , where ‘’ denotes the bitwise exclusive-or.

Notice that the point of view described above is relevant in practice when each path is owned by a single entity. In this case, nodes along a path do not have a life of their own but rather represent a single authority. When only one node misbehaves along a path, the entire path becomes dishonest. In this setting, paths are rather static since they correspond to physical authorities (footnote 7: this basic model was introduced in one of the first cryptography deliverables of Secoqc [39]).

4.2 Private Transmission Over Classical Untrusted Networks

We have informally discussed classical secure message transmission protocols in Section 2. A little more formally, perfectly secure message transmission protocols against -bounded adversaries, i.e. adversaries controlling no more than nodes, should satisfy the following two properties:

Guaranteed Delivery:

No -bounded adversary can prevent Alice’s message from reaching Bob, and

Privacy:

No -bounded adversary has access to more than a negligible amount of information about the message sent by Alice.

In this model, Dolev, Dwork, Waarts, and Yung [35] have shown the following with respect to one-way communication links. Links are said to be one-way if the connectivity graph of the network is a directed graph.

  1. When all communication links are one-way without feedback, it is necessary and sufficient to have vertex-disjoint directed paths from Alice to Bob. For any two nodes to be able to communicate privately, the network graph must be connected (necessary and sufficient condition).

  2. When all communication links (edges in the graph) are two-way, vertex-disjoint paths are necessary and sufficient for Alice and Bob. For any two nodes to be able to communicate privately, the network graph must be connected (necessary and sufficient condition).

Notice that privacy is more demanding than reliability: in order to have private communication it is necessary to have reliable communication. More precisely, if in a point-to-point network an adversary can take over up to nodes, then a vertex-disjoint directed graph is sufficient for reliable communication alone.

This model was generalized by Desmedt and Wang [40], who consider the possibility of using feedback channels. Feedback channels become possible when the connectivity graph of the network is not one-way directed away from all nodes. When the feedback channels are vertex-disjoint from the forward channels, they show that:

  1. When there are directed disjoint paths from Alice to Bob, private message transmission is possible against -bounded adversaries provided there are directed node-disjoint paths from Bob to Alice. As mentioned above, these paths must also be node-disjoint from the paths from Alice to Bob.

  2. When there are directed disjoint paths from Alice to Bob and directed paths from Bob to Alice (where, as before, the paths from Alice to Bob and the paths from Bob to Alice are node-disjoint), private message transmission is possible against -bounded adversaries.

These results were improved in [41] by giving necessary and sufficient conditions for private message transmission with feedback. Again for the case where the feedback channels are vertex disjoint from the forward channels, we have:

Theorem 1. [41] Assume there are directed node-disjoint paths from Bob to Alice, vertex-disjoint from the forward channels. Then a necessary and sufficient condition for private message transmission from Alice to Bob against any -bounded adversary is that there are directed node-disjoint paths from Alice to Bob.

Notice that all these results put serious restrictions on the number of disjoint paths that must be available between the two parties who want to communicate privately. Without feedback, in order to protect against a mere 3 corrupted nodes, Alice and Bob must be able to communicate through 10 disjoint paths, while if all connections are two-way then 7 paths are required.

4.3 Differences with the QKD Setting

In this section we briefly and informally discuss the main differences between the classical and the QKD (trusted repeater) setting for private communication over untrusted networks.

The most obvious difference between the two settings is that, while in the classical case messages are transmitted, a QKD network is mainly concerned with key distribution. This difference is only cosmetic: private message transmission implies the ability to distribute secret keys, and the ability to distribute keys implies the ability to send private messages. In other words, the functionalities achieved in the two settings are equivalent.

As for private classical message transmission, privacy of secret keys generated through a QKD network can only be guaranteed if the different paths do not overlap. If a corrupted node is part of all quantum paths between Alice and Bob, then no private communication (or key) can possibly be established. Therefore, unless nodes belonging to more than one path are incorruptible, we can focus on network architectures with non-overlapping paths.

While for classical private message transmission, private point-to-point communication is assumed between any two neighboring nodes, in a QKD network no such assumption is required, since private point-to-point communication is provided by QKD. It follows that all private message transmission protocols, and in particular those of [35, 40, 41], can be implemented using QKD to provide private point-to-point communication between neighboring nodes. Using these classical constructions would allow for key distribution and private communication over more general network architectures than the one depicted in Fig. 3. Moreover, when QKD is used to implement private point-to-point communication in the constructions of [35, 40], for instance, -bounded adversaries can, in addition to controlling any nodes, eavesdrop on the classical communication between any other pair of nodes. If the adversary also eavesdrops on the quantum channel, a denial-of-service attack becomes possible (footnote 8: too much eavesdropping on the quantum channel will cause two neighbouring nodes to abort the key generation), but no information about a successfully generated secret key can be obtained.

How, then, can the situation depicted in Fig. 3 allow Alice and Bob to agree upon a secret against any -bounded adversary while there are only disjoint paths in the network? This seems to do better than the paths that [35] shows to be necessary. The answer is that in the situation depicted, Alice’s and Bob’s keys were not required to be identical, but only to be both unknown to the adversary. It is straightforward for one corrupted node to prevent Alice and Bob from agreeing on an identical key. Moreover, Alice and Bob will not be able to detect that they do not share a private key unless they already share an authentication key used to establish the correctness of a newly generated secret key. Unlike the classical case described in Sect. 4.2, the rough setting described above does not address the problem of guaranteed delivery. This may have important consequences for the security of the architecture, and such a weakness is not a desirable property for any network architecture providing privacy. However, guaranteed delivery seems to be asking for too much, since QKD never guarantees successful key generation: a denial-of-service attack is always possible in principle.

This circumstance calls for a slightly weaker delivery condition in the QKD-network case than in the fully classical setting. Instead of guaranteed delivery, it is more appropriate to require either authentic delivery to both parties (the keys of Alice and Bob coincide and they know it) or a notification of network failure. More formally, we require a delivery condition which is analogous to an ITS end-to-end key establishment between two arbitrary nodes (Alice and Bob) over the network.


Any two parties Alice and Bob can send classical messages between them in a way that either guarantees delivery, and therefore that Alice’s and Bob’s keys coincide, or leads to a notification of a network failure. This is weaker than the guaranteed delivery criterion discussed in Section 4.2.


No adversary has information about either of the keys generated by Alice and Bob during key generation. In particular, when the two keys coincide, the adversary has no information about the secret key.

Notice that, for the sake of clarity, we have deliberately simplified the definition by omitting the notation, although we keep it in mind.

4.4 Achieving Privacy and Authenticity in QKD-Networks

In order to achieve both authenticity and privacy in a QKD network, the network must satisfy conditions similar to those of Theorem 1. In particular, two parties who want to exchange a secret key do not in general share an authentication key. It follows that testing the authenticity of a newly generated secret key must be performed by transferring an authentication tag through a network in which some nodes are corrupt. We shall see in the following that authenticity is guaranteed against any ()-bounded adversary if there are disjoint paths. Security of the resulting secret key is also guaranteed against ()-bounded adversaries according to the security criterion of Sect. 4.3, while it is guaranteed against any ()-bounded adversary according to the more stringent privacy criterion that we introduce in Sect. 4.4.1. This is in any case better than the constructions discussed in Sect. 4.2 which, while satisfying the stronger security notion of guaranteed delivery, are secure against -bounded adversaries only if disjoint channels are available.

Let us get back to authenticity and privacy of the secret-keys generated in a QKD-network.

4.4.1 Privacy

What do we mean when we say that a key obtained by Alice and Bob is private? It is certainly not completely private, since the keys are also known to an adversary controlling all paths. Even if one path is not under the control of the adversary, Alice and Bob do not want their keys to be known by any node along an honest path. In other words, trusted nodes should never get any information about secret keys generated through them (footnote 9: consider an honest path between Alice and Bob belonging, e.g., to an organization related to them. It could happen that Alice and Bob want to share sensitive information about the organization of this very path. Even if by definition the path is honest and always properly executes the communication protocol, it could still be curious. Obviously in many cases, such as the one just outlined, Alice and Bob would prefer that their communication remain private, i.e. unknown to the path).

Remember how secret keys are generated when Alice and Bob are connected through disjoint paths . Let and be Alice’s and Bob’s secret key respectively obtained from path , using QKD between neighbors. Alice and Bob then set their secret key as:

When no adversary acts actively, the key generation is such that for all and therefore .

Notice that any -bounded adversary can only learn keys and/or if is under the control of . This is guaranteed by the privacy of QKD between neighboring nodes. Let be the set of paths under the control of . Since is -bounded we have that . By construction, any and with is completely unknown to . It follows that both final keys and are unknown to as soon as . Let us be more precise. Keys of length generated by QKD between honest neighbors are guaranteed to be -private against any third party. (In Section 2 we already pointed out that a key is -private if, given the state of the adversary, it is -indistinguishable from a random -bit string.) Keys and must therefore be -private against any ()-bounded adversary . In other words,

Lemma 1. Let and be such that and have been generated through disjoint paths , where is -private and satisfies when is an honest path. Then, is -private against any ()-bounded adversary , but not necessarily such that .

As stated in the above lemma, can certainly prevent Alice and Bob from generating . It suffices for one adversarial node to make its neighboring node believe they share a key while in fact they do not: sending classical messages different from what is expected is enough to cause . Although such an attack will not allow to learn anything about and , it ensures that no secure transmission can take place between Alice and Bob, even though they are not aware of this fact.

The authenticity of and should therefore be checked upon all new key generations.

Another important point regarding privacy is the following. Suppose an adversary controls paths . The honest path , without behaving dishonestly, could be able to determine Alice and Bob’s secret key if the adversary decided to broadcast . Moreover, a dishonest path could be tempted to publish all the information it gathers in order to implement a denial-of-service attack: publishing this information means that honest-but-curious paths would be able to decipher any communication between the end users, which could deter users from using their keys. It would therefore be desirable to enhance privacy against honest-but-curious paths in the following way.

Privacy Against Honest-but-Curious Paths:

Privacy is guaranteed against honestly behaving paths that happen to learn information from adversarial paths posting their secret information. Privacy in this case can be enforced simply by having at least honest (but possibly curious) disjoint paths.

Clearly, if two paths are honest (but curious), then even when the adversary publishes everything she knows, neither of the curious but otherwise honest paths learns anything about the secret key. This follows since the secret key is shared among two honest parties, who therefore never publish any of their private information.

4.4.2 Authenticity

As mentioned above, in a QKD network it is desirable to pre-distribute authentication keys only for point-to-point connections. This choice drastically limits the complexity of the initial key distribution phase required before key material can start being generated. It follows that in this model, Alice and Bob do not necessarily have an authentic channel they could use for testing the authenticity of a newly generated key. As discussed in the previous subsection, it is important for any pair of users to be able to guarantee the authenticity of a newly generated secret key even though they do not have access to an authentic channel between them.

It follows that authentication tags must be sent through channels that may be under the control of the adversary. The key authentication process must guarantee that Alice concludes that if and only if Bob concludes that . Clearly, we also want that when , Alice and Bob successfully identify this case.

There are different methods to achieve this. Suppose Alice and Bob have generated keys and respectively, where both are -bit strings. They now want to establish the authenticity of their respective keys. This process should work when any paths out of the disjoint paths are under the control of the adversary . That is, the authenticity or non-authenticity of a secret key should be guaranteed against -bounded adversaries.

Remember from Section 4.4.1 that over disjoint paths, no -bounded adversary for gets to know anything about either or . This suggests using part of and to authenticate and through the disjoint paths from which each partial key and has been generated.

This can be done as shown in the following example.

4.5 Example of a Simple QKD-Network

For simplicity, let us get back to the example of Figure 3, where Alice and Bob use two non-overlapping paths and to perform a key exchange. In this case, the secret keys and must be authenticated and acknowledged even when or is under the control of the adversary. Note, however, that by privacy, when Alice and Bob happen to have , they in fact have an authenticated channel between them. Assume that is the tag of a message authentication code for message under secret key . Suppose also that can be used to authenticate two messages securely against impersonation, even if both tags have been computed with the same key .

One simple way to proceed in order to verify that in this scenario is the following.

  • Alice and Bob pick the first bits of their respective keys denoted by and . Alice and Bob set and respectively.

  • Alice picks random , for where and are security parameters. Alice then sets where ‘‘ denotes the inner product mod .

  • Alice sends to Bob together with an authentication tag:

    The transmission of is made through paths and (that is, through all paths).

  • Let and be the message received from path and respectively. Bob, upon reception of , verifies that


Since for chosen at random in , when

it follows that if then Bob will observe at least one such that , except with probability . When Bob verifies that is well formed and that for each , he outputs . Notice that when and one of them is a properly authenticated transmission of , Bob can still set and in addition identify path as dishonest. Otherwise, when neither nor is properly authenticated with key , Bob outputs . Bob also outputs if he finds at least one such that . Bob then authenticates the output by computing the tag

As for Alice’s transmission, Bob sends through each path and . Alice receives and from and respectively. If neither nor is properly authenticated with session key , then Alice concludes that . If Bob has determined that , then is a properly authenticated message under key and can therefore be checked by Alice. Since at least one of and is honest, Alice will get Bob’s message in or (or both), and this can be checked since messages are authenticated. This means that if either or misbehaves during the transmission of , Alice will be able to identify the dishonest path. It follows that when Bob concludes , Alice reaches the same conclusion. Moreover, when , Alice also determines this, since no message among and is properly authenticated (because and is a secure authentication scheme). Notice that no adversary (controlling one path in this case, and paths when there are disjoint paths) can forge an authenticated message since, by the discussion of Section 4.4.1, the adversary has no information about either of the keys and , and therefore none about either of the authentication keys and derived from them.

4.6 Providing Secret Key Authenticity

In this section, we describe how Alice and Bob can determine the authenticity of a newly generated secret key, given that they use secret-key generation over disjoint paths . We assume that denotes the authentication tag of message using key . For simplicity, we also assume that is secure against impersonation even given two message-tag pairs authenticated with the same key. Such schemes are easy to construct, and we discuss this point in Section 4.9. In the following, we denote by the probability of successful impersonation even after having seen two message-tag pairs.

Now, we have to make an assumption about the behavior of honest paths. When Alice sends a message to Bob through an honest path , is sent from node to node until it reaches Bob. Each transmission between neighboring nodes and is authenticated. An adversary, however, could in theory prevent from reaching . If this were the case, Alice could be unaware of Bob’s status since she never received his last message. This suggests considering QKD networks where

Any classical message from neighboring nodes to along an honest path will eventually reach . (2)

The reason why this assumption does not seem too strong is the following. Any neighboring nodes and share an authentication key. They can therefore use any network connecting them in order to transmit authenticated information. Although possible, it is unlikely that an adversary can succeed in preventing and from communicating forever. In practice, the Internet can almost be considered a network where information between parties is always delivered. Notice also that if messages between neighboring nodes cannot be delivered, the privacy of the keys is never compromised; only the agreement between the end users on whether their respective keys are identical is.

The following procedure generalizes the approach described in Section 4.5 to the case where the number of paths is arbitrary. We shall prove in the following that this scheme provides a secure way of verifying the authenticity of the secret keys under assumption (2).

  1. Public information: , (security parameter for the probabilistic test of ), and (the key size for a public MAC), and (number of disjoint paths).

  2. Alice sets , and and similarly Bob sets , and .

  3. Alice picks random -bit strings for . She forms the -bit string where ‘‘ denotes string concatenation. She computes the tag associated to :

  4. Alice sends copies of to Bob through each path . Along each path , is transmitted from point to point in an authentic way using the authentication key shared between neighbors.

  5. Bob collects all messages received from paths . Bob locates one such that and . If such cannot be found then Bob sets . Otherwise, Bob verifies that for . If this is not the case then otherwise Bob sets .

  6. Bob sends where through each path the same way as Alice did it for . Let be all messages received through each path .

  7. Alice verifies that for some , where and . If it is not the case then she sets , otherwise she sets .

  8. Final step:

    • If then Bob accepts key as a newly authenticated secret key with Alice. Otherwise, is discarded.

    • If then Alice accepts key as a newly authenticated secret key with Bob. Otherwise, is discarded.
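The procedure above, simulated end to end as an added example (illustration code written for this page, not Secoqc’s implementation). It builds K_A and K_B as the XOR of three per-path keys (Sect. 4.1), runs steps 3 to 7 over three disjoint paths with Alice’s message and Bob’s answer copied down every path, and exercises a corrupt path that tampers with, or drops, the copies it carries. Assumptions not fixed by the text: the first MAC_BITS bits of K serve as the two direction-specific MAC sub-keys of Sect. 4.9 and the parity checks are taken over the remaining bits K'; HMAC-SHA256 stands in for the information-theoretic MAC, since the protocol only needs a MAC whose tags cannot be forged without the sub-key. All function names (combine, alice_send, bob_receive, flip_parity, ...) and the path keys are this example’s own.

```python
import hashlib
import hmac
import random

KEY_BITS = 128  # length of each path key and of K_A, K_B
MAC_BITS = 64   # key prefix split into two direction-specific MAC sub-keys (assumption, Sect. 4.9)
S_CHECKS = 16   # number of parity checks s; a key mismatch escapes detection with prob. 2^-s


def combine(path_keys):
    """K = XOR of the per-path keys (Sect. 4.1): unknown to an adversary missing one path."""
    return [sum(bits) & 1 for bits in zip(*path_keys)]

def split(key):
    """(MAC sub-key Alice->Bob, MAC sub-key Bob->Alice, remaining key material K')."""
    packed = lambda bits: bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))
    h = MAC_BITS // 2
    return packed(key[:h]), packed(key[h:MAC_BITS]), key[MAC_BITS:]

def tag(subkey, msg):
    """HMAC-SHA256 stands in for the paper's information-theoretic MAC (assumption)."""
    return hmac.new(subkey, msg, hashlib.sha256).digest()

def inner(a, b):
    return sum(x & y for x, y in zip(a, b)) & 1

def encode(checks, parities):
    """M = r_1 ... r_s | p_1 ... p_s with p_i = <K', r_i> mod 2."""
    return ("".join(map(str, sum(checks, []))) + "|" + "".join(map(str, parities))).encode()

def decode(msg, n):
    rs, ps = msg.decode().split("|")
    return [[int(b) for b in rs[i:i + n]] for i in range(0, len(rs), n)], [int(b) for b in ps]

def alice_send(k_a, rng):
    """Steps 3-4: random checks, their parities under K'_A, one tag under Alice's sub-key."""
    ka1, _, rest = split(k_a)
    checks = [[rng.randrange(2) for _ in rest] for _ in range(S_CHECKS)]
    msg = encode(checks, [inner(rest, r) for r in checks])
    return msg, tag(ka1, msg)

def bob_receive(k_b, copies):
    """Steps 5-6: use the first copy that verifies under K_B, test every parity, reply acc_B."""
    kb1, kb2, rest = split(k_b)
    acc = 0
    for msg, t in copies:
        if msg is not None and hmac.compare_digest(t, tag(kb1, msg)):
            checks, parities = decode(msg, len(rest))
            acc = int(all(inner(rest, r) == p for r, p in zip(checks, parities)))
            break
    reply = str(acc).encode()
    return acc, (reply, tag(kb2, reply))

def alice_receive(k_a, copies):
    """Step 7: acc_A = 1 only if an authenticated copy of Bob's reply says acc_B = 1."""
    _, ka2, _ = split(k_a)
    return int(any(msg == b"1" and hmac.compare_digest(t, tag(ka2, msg))
                   for msg, t in copies if msg is not None))

# Network model: each disjoint path is a function applied to the (msg, tag) pair it forwards.
def honest(item):
    return item

def drop(item):  # never delivers; assumption (2) needs some other path to be honest
    return None, None

def flip_parity(item):  # corrupt path alters the last bit of the message, keeps the old tag
    body = bytearray(item[0])
    body[-1] ^= 1
    return bytes(body), item[1]

def run(keys_a, keys_b, paths_ab, paths_ba, rng):
    """One complete exchange; returns (acc_A, acc_B, K_A == K_B)."""
    k_a, k_b = combine(keys_a), combine(keys_b)
    m = alice_send(k_a, rng)
    acc_b, reply = bob_receive(k_b, [p(m) for p in paths_ab])
    acc_a = alice_receive(k_a, [p(reply) for p in paths_ba])
    return acc_a, acc_b, k_a == k_b

def demo(seed=1):
    rng = random.Random(seed)
    keys = [[rng.randrange(2) for _ in range(KEY_BITS)] for _ in range(3)]  # three disjoint paths
    # (i) all paths honest: K_A = K_B and both parties accept.
    case1 = run(keys, keys, [honest] * 3, [honest] * 3, rng)
    # (ii) path 2 is corrupt: it hands Bob a path key differing in one bit of K' and tampers
    #      with the copy of M it carries.  The MAC sub-keys still agree, so the parity test is
    #      what catches K_A != K_B (missed with probability 2^-S_CHECKS).
    keys_b = [k[:] for k in keys]
    keys_b[2][MAC_BITS + 5] ^= 1
    case2 = run(keys, keys_b, [honest, honest, flip_parity], [honest, drop, honest], rng)
    # (iii) corrupt path only tampers or drops: forged copies fail the tag, honest copies suffice.
    case3 = run(keys, keys, [flip_parity, honest, drop], [drop, honest, flip_parity], rng)
    return case1, case2, case3
```

Case (ii) is the one the parity test exists for: the corrupt path changes one bit of the key it hands Bob, so K_A and K_B differ while the MAC sub-keys still agree; the tampered copy of M is ignored because its tag fails, and the honest copy is what reveals the mismatch, missed only with probability 2^-s. Case (iii) shows assumption (2) at work: a dropped or forged copy costs nothing as long as one honest path delivers, and Alice's verdict follows Bob's because the reply carries its own tag.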

Notice that it is important that at least one copy of both and eventually reaches its intended receiver. Otherwise, Bob, after detecting , could leave Alice unaware of this fact if the adversary prevents message from ever reaching Alice untampered with; Alice would then conclude that Bob observed . Under assumption (2), however, it is guaranteed that Alice and Bob agree on the output of the authentication process. Moreover, when is agreed upon by Alice and Bob, then except with vanishingly small probability. Before proving this, let us denote by the function that returns 1 if and 0 otherwise, where and are bit strings. We are now ready to prove the correctness of the key authentication process.

Lemma 2. Assume Alice and Bob have generated –private secret keys and through disjoint paths , and under assumption (2). The secret key authentication process results in


Proof. Suppose first that and are uniformly random from the point of view of any -bounded adversary. This happens with probability at least by definition of -privacy.

Second, suppose that . By assumption (2), there exists at least one such that and . The probability that is no more than the probability that one impersonation attempt by the adversary succeeds. By definition of the impersonation probability for the scheme , we have


since the adversary is ()-bounded. Upon successful delivery of , Bob always sets since the equality test never gets it wrong when . Bob’s message to Alice will also be received as such with the same probability as defined in (4). It follows that,


Third, assume that . As in the case , Bob will successfully receive except with probability . Either Bob manages to find such that and , or not. If not, then by assumption (2) it follows that and Bob will set . By the argument that led to (5) we have,


Finally, suppose that there exists such that and . Except with probability at most , it is the case that . In particular, it means that Bob knows and for all . Provided , Bob will determine this fact except with probability . Using the same argument as the one that led to (5), we get


Putting (5), (6), and (7) together leads to (3) after an extra multiplicative factor of is added, since the analysis above holds when and are uniformly random from the adversary’s point of view, which happens with probability .

4.7 Recovery from Privacy Losses

Lemma 2 tells us that the results of both parties coincide and represent the answer to the question , except with negligible probability. What the lemma does not tell us is how much privacy is preserved by the authentication process. In particular, the parity checks leak bits of information about the key to the adversary. How do Alice and Bob get rid of this extra leakage? One way would be to use privacy amplification, but this seems overkill. Using the interpretation of -privacy, Alice and Bob can do better, without the need to agree upon a random hash function or to communicate. That is, privacy amplification can be performed by a deterministic process.

Let us describe what Alice does to remove the information on leaked by the parity checks sent to Bob during the authentication process. Suppose furthermore that the original was -private against any ()-bounded adversary, as guaranteed by Lemma 1. The following procedure gets rid of all extra information leaked during the key authentication process, provided it was successful.

  1. Let be the set of parity checks sent by Alice to Bob during the key authentication process. Suppose the process was successful (i.e. ) and was initially run upon an -private key . The following produces a final -private secret key .

  2. Initialize the set of trashed positions to be empty: .

  3. For each do:

    (a) Find the smallest such that such that .

    (b) If such exists then , otherwise do nothing.

  4. Set (in other words, remove from all positions ).

Bob can certainly perform the exact same procedure on his side since he knows upon . Clearly, if then , and is shorter than and by at most bits. This is optimal since bits of information about (and !) are disclosed by the key authentication process.
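The trash rule above, together with a brute-force check of what Lemma 3 claims, as an added example (not the paper’s code). One caveat a practitioner should know before relying on the rule as worded on this page: taking, for each r_j, the smallest not-yet-trashed position holding a 1 can leave a linear combination of the published parities equal to a kept bit. With n = 4 and r_1 = 1100, r_2 = 0110, r_3 = 1011, the rule trashes positions 0, 1, 2 and keeps k_3, yet r_1 ⊕ r_2 ⊕ r_3 = 0001, so p_1 ⊕ p_2 ⊕ p_3 = k_3. The block therefore also includes a second rule, added here and not from the paper, that row-reduces the checks over GF(2) and trashes the pivot position of each independent check; it is still deterministic, needs no communication, removes at most s positions, and passes the same brute-force uniformity test for every input. The function names and the constructed check vectors are this example’s own.

```python
import itertools
import random


def inner(a, b):
    return sum(x & y for x, y in zip(a, b)) & 1

def trash_first_untrashed(checks):
    """Rule as worded in Sect. 4.7: for each r_j trash the smallest position i not yet
    trashed with r_j[i] = 1 (do nothing if every such position is already trashed)."""
    trashed = []
    for r in checks:
        for i, bit in enumerate(r):
            if bit and i not in trashed:
                trashed.append(i)
                break
    return sorted(trashed)

def trash_pivots(checks):
    """Variant added here (not from the paper): Gaussian elimination over GF(2) on the
    check matrix; every linearly independent check trashes its pivot position."""
    rows, pivots = [], []
    for r in checks:
        v = list(r)
        for p, row in zip(pivots, rows):       # clear the earlier pivot columns
            if v[p]:
                v = [a ^ b for a, b in zip(v, row)]
        if any(v):                             # independent of the earlier checks
            rows.append(v)
            pivots.append(v.index(1))
    return sorted(pivots)

def amplify(key, trashed):
    """Final key with the trashed positions removed (Step 4)."""
    return tuple(k for i, k in enumerate(key) if i not in trashed)

def final_key_is_uniform(n, checks, rule):
    """Brute-force test of the Lemma 3 claim for an n-bit uniform key: conditioned on the
    parities the adversary saw, every value of the amplified key must be equally likely."""
    trashed = rule(checks)
    by_obs = {}
    for key in itertools.product((0, 1), repeat=n):
        obs = tuple(inner(key, r) for r in checks)
        by_obs.setdefault(obs, []).append(amplify(key, trashed))
    width = 2 ** (n - len(trashed))
    for finals in by_obs.values():
        counts = {}
        for f in finals:
            counts[f] = counts.get(f, 0) + 1
        if len(counts) != width or len(set(counts.values())) != 1:
            return False
    return True

# Constructed 4-bit counterexample: r_1 = 1100, r_2 = 0110, r_3 = 1011.  The first rule
# trashes positions 0, 1, 2 and keeps k_3, but r_1 + r_2 + r_3 = 0001, so p_1 + p_2 + p_3 = k_3.
COUNTEREXAMPLE = [[1, 1, 0, 0], [0, 1, 1, 0], [1, 0, 1, 1]]

def demo(n=8, s=5, seed=7):
    """Constructed random checks at size n: the pivot rule always passes the uniformity test."""
    rng = random.Random(seed)
    checks = [[rng.randrange(2) for _ in range(n)] for _ in range(s)]
    return final_key_is_uniform(n, checks, trash_pivots)
```

Both rules are computed from the public check vectors only, so Alice and Bob obtain the same trashed set without talking to each other, which is the property the text relies on; the pivot rule additionally guarantees that the kept bits are independent of every parity the adversary saw, because after elimination each independent check has a private pivot bit that absorbs it.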

Lemma 3. The deterministic privacy amplification procedure described above, when run upon keys that were initially (before the parity checks were revealed) -private, produces an -private final secret key .

Proof. Let be the keys agreed upon after the key authentication process was successful. Suppose that is truly uniformly random from the adversary’s point of view. Then, each time a new bit at position is removed at Step 3(b) when inspecting , all bits in the remaining positions remain uniformly distributed given . If no such position can be found, then does not leak any extra information about , since all bits (which are uniformly random) involved in the new parity check have already been removed from .

In fact, is not uniformly random from the adversary’s point of view but only -private. However, except with probability , behaves exactly like a uniformly random key from the adversary’s perspective. It follows that, except with probability , the deterministic privacy amplification process produces a uniformly random key against the adversary, i.e. is -private.

We call this scheme deterministic privacy amplification since it is deterministic and does not involve any communication between Alice and Bob.

4.8 Putting Things Together

We are now ready to state the final result regarding the key authentication scheme described in the previous sections. By key authentication process we loosely mean the procedures described in Sections 4.6 and 4.7; that is, it includes the deterministic privacy amplification procedure run independently by Alice and Bob after the authentication process of Sect. 4.6 has resulted in a success: .

Theorem 2. Let and be the final secret keys generated after key authentication and deterministic privacy amplification as described above upon initial -private . Suppose the MAC used during key authentication has impersonation probability at most even given two message-tag pairs authenticated with the same key. Then, against any ()-bounded adversary we have,

and , and is -private. If in addition the adversary is ()-bounded, then the final secret key remains private in the same way against honest-but-curious paths.

Proof. The only thing that does not follow directly from Lemmas 2 and 3 is the statement about the privacy of and . Privacy only makes sense when . When this applies, however, the final secret key is -private, as shown in Lemma 3. The result follows immediately.

4.9 What MAC to Use?

Any authentication scheme with small enough impersonation probability can be used by Alice when she sends . The authentication schemes used in Secoqc follow [42, 43]. These authentication schemes can also be used for key authentication. However, the impersonation probability must hold even given two message-tag pairs generated using the same key.

This can be achieved in the obvious way by setting and in the key authentication process. Alice authenticates message with sub-key , which Bob verifies with sub-key . Bob’s message is authenticated with sub-key , while Alice verifies it with sub-key . Clearly, if the scheme has impersonation probability at most given one message-tag pair, then this way of authenticating has impersonation probability at most against two message-tag pairs generated with the same key. There are many other ways of building MACs suitable for our application [24]. The one mentioned above is probably the simplest but certainly not the best in terms of key size.

5 Conclusions

In this paper we have reviewed the concept of a QKD network and discussed different models of QKD networks. We have in particular focused on trusted repeater networks and studied the case where some of the nodes are not to be trusted and could be arbitrarily malicious. We have shown how to ensure that Alice and Bob share identical and private keys after key generation over the network. We assume that Alice and Bob do not share key material to start with: they only share keys with their direct neighbours. However, we assume that classical messages sent through honest paths are eventually delivered to their intended recipient (assumption (2)).

We conclude that secret keys can be generated through disjoint paths in a private and authentic way against ()-bounded adversaries, and against ()-bounded adversaries with honest-but-curious paths.

It should be noted that assumption (2) can be relaxed further without undesirable consequences for the security of the key authentication process. It suffices that only one honest path eventually delivers classical information to the intended receiver. This modifies neither the protocol nor its security analysis. Indeed, one honest path always allows the parties to agree upon the authenticity of the secret key: one properly authenticated message from Alice to Bob and one from Bob to Alice suffice to assess the equality of the two keys. Otherwise, if the keys are different, both parties will anyway conclude that the keys do not match.

