Finite-key security analysis of quantum cryptographic protocols

  1. WANG, WEILONG
Supervised by:
  1. Marcos Curty Alonso, Supervisor

University of defence: Universidade de Vigo

Date of defence: 15 March 2019

Examining committee:
  1. Vicente Martín Ayuso, Chair
  2. Juan Carlos García Escartín, Secretary
  3. Mónica Fernández Barciela, Member
Department:
  1. Signal Theory and Communications

Type: Thesis

Abstract

Cryptography now plays a significant role in modern life, especially in online shopping, computer passwords and secure communications. Modern cryptography has two main branches: public-key cryptography and symmetric-key cryptography. The security of public-key cryptography relies mainly on the computational complexity of solving hard mathematical problems, and thus it is not information-theoretically secure. On the other hand, there exist symmetric-key encryption schemes that have been proven information-theoretically secure. For example, the one-time pad has so far been proven to be the only encryption scheme that provides perfect secrecy. Its main drawback, however, is that it requires a pre-shared, perfectly random key at least as long as the message to be sent. As a result, the one-time pad is impractical for wide application. Quantum cryptography, on the other hand, exploits fundamental laws of quantum mechanics, such as Heisenberg's uncertainty principle and the no-cloning theorem, to accomplish cryptographic tasks. The advantage of some quantum cryptographic protocols is that their security does not rely on limiting an eavesdropper's computational power, as in classical cryptography, but is guaranteed by quantum physics. Therefore, quantum cryptography can provide long-term security independent of technological advances. Various quantum cryptographic protocols exist, among which quantum key distribution (QKD) is the most widely implemented. QKD allows two distant users (Alice and Bob) to generate a perfectly random secret key given an initially shared shorter key. The users can then apply this key to perform secure communication in combination with classical cryptographic techniques, such as the aforementioned one-time pad encryption. In principle, QKD is information-theoretically secure and is commonly termed “unconditionally secure”.

This is the case since it is secure against an eavesdropper who can perform arbitrary operations allowed by quantum physics on the quantum signals and who has unlimited computational power. In recent years, QKD has been experimentally demonstrated over long distances, and several companies now offer commercial QKD systems and QKD-related hardware. Existing QKD networks show the potential for commercial application of QKD. Very recently, experimental satellite-to-ground demonstrations have greatly extended the communication distance and coverage area of QKD. Beyond QKD, there are other types of quantum cryptographic protocols, such as quantum digital signatures (QDSs), quantum oblivious transfer, quantum coin flipping, quantum bit commitment and quantum secret sharing. Among these, QDSs have been extensively studied in recent years, both in theory and in experiment. In principle, a digital signature scheme guarantees the authenticity and transferability of digital messages and documents. QDSs have been proven information-theoretically secure provided that the parties pre-share some keys for authentication purposes. QDS is another important practical application of quantum cryptography that merits further investigation.

Since the proposal of the first QKD protocol in 1984, a variety of security proofs for quantum cryptography have appeared. Most of these security proofs rest on several assumptions, such as:

• There is no unwanted information leakage from Alice's and Bob's labs;
• Alice has a single-photon source;
• The efficiency of Bob's detectors is basis independent;
• The quantum state can be perfectly prepared, as the users expect.

However, these assumptions might not always be fulfilled in practical systems. As a result, there is a big gap between theoretical security and implementation security in quantum cryptographic protocols. For example, it is very challenging to build practical single-photon sources.
Instead, attenuated laser pulses are used as an alternative in most QKD implementations. These laser pulses contain multi-photon components, which open a loophole for the eavesdropper to launch the so-called photon number splitting (PNS) attack. Besides, various quantum hacking attacks target other imperfections of practical QKD systems. Some of these attacks have been demonstrated on commercial or research systems, and others have been proposed only in theory. For example, many hacking attacks have shown that the detectors are the main threat to practical QKD systems. There are several kinds of countermeasures to these hacking attacks. The simplest is that, after finding a loophole, one can fix the system by applying a “patch”. However, this cannot guarantee the security of a system against unknown loopholes. A more sophisticated countermeasure is to build a theoretical model that perfectly characterizes the behaviour of practical systems and then develop security proof techniques that incorporate this information. Unfortunately, this method is too difficult to realize. The last one is device-independent (DI) quantum cryptography, where security can be proven without requiring any knowledge of the inner behaviour of the quantum devices. Nevertheless, it is rather demanding to implement with state-of-the-art technology. Another way to guarantee implementation security is to make more relaxed assumptions, which are easier to satisfy in practice, and then prove security under these assumptions.

Inspired by this idea, a number of methods and proposals exist: the decoy-state method, which guarantees the security of QKD with practical weak coherent pulses against the PNS attack; measurement-device-independent (MDI) quantum cryptography, which removes all detection side-channels; and the security analysis with a leaky source, which proves the security of QKD in the presence of information leakage from Alice's lab.

The main goal of this thesis is to analyze the finite-key security of quantum cryptographic protocols from a practical point of view by relaxing some of the assumptions in the security proofs. As mentioned above, most QKD security proofs assume that the users' devices are perfectly shielded from the external environment and thus that no unwanted information leaks to the outside. However, this assumption is very difficult to ensure in practice. The security of QKD with information leakage in the asymptotic regime has recently been analyzed in the literature. One analysis evaluates the security of QKD with information leakage from the phase modulator (PM). Information leakage from the PM may reveal partial information about Alice's basis choice, which means that the states leaving Alice's transmitter are basis dependent. In this case, the security can be analyzed using the idea of a quantum coin. Another work provides a more general formalism to analyze the security of QKD in the presence of arbitrary information leakage from the PM and the intensity modulator (IM). This formalism makes it possible to evaluate the amount of isolation needed to obtain a certain QKD performance. However, both analyses consider the asymptotic case, where Alice sends an infinite number of pulses. As a consequence, they cannot be directly applied to real-life QKD implementations, where Alice can send only a finite number of pulses to Bob. In this thesis, we fill this gap by extending the general formalism to the finite-key regime.
More precisely, we present a method to estimate the relevant parameters for the secret key rate in the presence of information leakage from both the IM and the PM, taking into account the statistical fluctuations due to the finite-size effect. For this, we first make some reasonable assumptions about the users' devices and define a decoy-state BB84 protocol. The protocol has a fixed total number of rounds and uses a non-iterative sifting strategy to protect it against the sifting attack. We remark that this protocol has an unusual “random data post-selection” step, in which Alice randomly selects part of her data for the next steps and discards the rest. Although this additional step decreases the efficiency of the protocol, it is unavoidable when estimating the phase error rate in the presence of information leakage from the PM using the quantum coin idea. Next, we show how to estimate the relevant parameters in the finite-key regime considering the effect of information leakage from the IM and from the PM, respectively. In particular, we assume that the information leakage is caused by an active Trojan-horse attack (THA) launched by Eve. Note, however, that our analysis can be adapted to any type of information leakage. Moreover, because of this information leakage, the random variables in different rounds of the protocol may be correlated. Therefore, we apply Azuma's inequality to handle the finite-size effect and guarantee security against general coherent attacks. By performing a THA against the IM, Eve could obtain some information about Alice's intensity setting in each round of the protocol. As a consequence, a key assumption of the decoy-state method is violated, and the typical procedure to estimate the relevant parameters needs to be modified. Note that the “random data post-selection” step of the protocol is not necessary for analyzing the information leakage from the IM.

Applying the trace distance argument, we first derive mathematical relations between the expected numbers of events arising from Alice's different intensity settings. Then, thanks to Azuma's inequality, we relate these expected numbers to the actually observed numbers up to bounded deviation terms. This provides linear constraints on the relevant parameters to be estimated. Finally, these parameters can be estimated, for instance, by linear programming or other optimization techniques given the constraints obtained in the previous step. On the other hand, information leakage from the PM renders the outgoing states from Alice's transmitter basis dependent, and thus Eve could learn partial information about Alice's basis choice by performing a THA. Here, we analyze the security of QKD with basis-dependent states by applying the quantum coin idea. That is, we present a method to estimate the phase error rate with information leakage from the PM in the finite-key regime; now the “random data post-selection” step is necessary. To do this, we first consider a fictitious single-photon protocol and apply the quantum coin idea to this fictitious scenario. In so doing, we derive a non-linear constraint on the expected number of phase errors. Then we show the equivalence of this fictitious protocol to an actual single-photon BB84 protocol and obtain a non-linear constraint on the actual number of phase errors. Finally, it is straightforward to adapt the analysis to the practical decoy-state BB84 protocol and to obtain an upper bound on the phase error rate using non-linear optimization techniques. To quantify the effect of our analysis, we simulate the secret key rate in three particular examples of possible THAs. The simulation results demonstrate the feasibility of long-distance decoy-state QKD given sufficient isolation of the source.
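Azuma's inequality, which the paragraph above uses to relate expected numbers of events to observed ones, written out here as an added worked equation rather than a formula taken from the thesis; the indicator variables, the choice of failure probability ε and the numerical values at the end are assumptions for the illustration:

Let $Y_1,\dots,Y_n \in \{0,1\}$ indicate whether a given event (say, a detection with a particular intensity setting) occurs in round $i$ of the protocol, and let $\mathcal{F}_{i-1}$ denote the history of the first $i-1$ rounds. The partial sums

$$X_k = \sum_{i=1}^{k}\left(Y_i - \mathbb{E}\!\left[Y_i \mid \mathcal{F}_{i-1}\right]\right), \qquad X_0 = 0,$$

form a martingale with bounded differences $|X_k - X_{k-1}| \le 1$, whatever correlations the leakage induces between rounds, and Azuma's inequality gives, for any $\delta > 0$,

$$\Pr\!\left[\,|X_n - X_0| \ge \delta\,\right] \le 2\exp\!\left(-\frac{\delta^2}{2n}\right).$$

Setting the right-hand side equal to a failure probability $\varepsilon$ and solving for $\delta$ yields the bounded deviation term between the observed count $N_{\mathrm{obs}} = \sum_{i} Y_i$ and the sum of conditional expectations $N_{\mathrm{exp}} = \sum_{i} \mathbb{E}[Y_i \mid \mathcal{F}_{i-1}]$:

$$\left|N_{\mathrm{obs}} - N_{\mathrm{exp}}\right| \le \sqrt{2n\ln(2/\varepsilon)} \quad \text{except with probability at most } \varepsilon.$$

As an illustrative choice of values, $n = 10^{10}$ rounds and $\varepsilon = 10^{-10}$ give a deviation term of $\sqrt{2\cdot 10^{10}\cdot \ln(2\cdot 10^{10})} \approx 6.9 \times 10^{5}$, which is the kind of term the linear constraints on the parameters to be estimated must absorb.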
Moreover, for a given value of the isolation, we find that the effect of information leakage on the secret key rate is amplified when the total number of pulses sent by Alice decreases. Also, the finite-size effect on the secret key rate becomes more pronounced as the amount of information leakage increases.

The detectors are arguably the weakest part of practical QKD systems, being the part most vulnerable to quantum hacking attacks. MDI-QKD has been proposed to remove all detection side-channels from QKD systems. Combined with the decoy-state method, the secret key rate of MDI-QKD is comparable to that of standard QKD protocols. Thanks to its balance between security and feasibility, MDI-QKD has attracted great attention and has been widely demonstrated experimentally in recent years. Nevertheless, MDI-QKD protocols still assume that Alice's and Bob's devices do not leak any unexpected information out of their security zones. Although MDI-QKD always works without characterizing the measurement devices, there is no guarantee in practice that no unwanted information leaks from Alice's and Bob's devices. Following the same idea as the analysis of the information leakage problem in standard decoy-state QKD systems, we propose a finite-key security analysis for MDI-QKD with leaky sources. More precisely, we present a method to estimate the relevant parameters for the secret key rate in the presence of information leakage from both the IM and the PM, taking into account the statistical fluctuations due to the finite-size effect. As in the analysis for standard decoy-state QKD, the finite-key security analysis for MDI-QKD also has an additional post-processing step in which Alice and Bob sacrifice part of their data associated with the estimation of the phase error rate in the presence of information leakage from the PM, so that the security proof goes through.

To deal with the statistical fluctuations in the random variables, which may be correlated across different rounds of the protocol, we apply Azuma's inequality. To show the effect of our analysis, we analyze a symmetric three-intensity decoy-state MDI-QKD protocol as an example and consider that the information leakage is due to an active THA by Eve. We then simulate the secret key rates in three practical cases of THA in the finite-key regime. Our results show that, compared with standard decoy-state QKD, MDI-QKD is much more sensitive to information leakage. That is, to obtain a certain performance, the maximum tolerable amount of information leakage in MDI-QKD has to be much smaller than in standard QKD. The main reason for this behaviour is that MDI-QKD has two leaky sources (one at Alice and one at Bob) instead of the single source of the standard decoy-state QKD scheme. Besides, we find that in the “random data post-selection” step it is necessary to sacrifice a larger proportion of Alice's and Bob's data in the MDI-QKD protocol. Thus, to implement the MDI-QKD protocol, both Alice and Bob should carefully isolate their devices from the external environment to guarantee the security of the system. Still, it is possible to distill secure keys from leaky sources within a reasonable time frame provided that Alice's and Bob's sources are sufficiently isolated.

Beyond QKD, quantum digital signatures (QDS) are another important application of quantum cryptography, information-theoretically secure given that Alice and Bob have some pre-shared secret keys. In recent years, QDS has been widely studied both in theory and in practice, and practical QDS applications appear to be on the way. Despite the great progress of QDS, its implementation security is a big concern, as is that of practical QKD systems.
Thanks to the idea of MDI-QKD, an MDI-QDS scheme has been proposed to remove all detection side-channels from QDS protocols. This MDI-QDS protocol has been experimentally demonstrated over a metropolitan network. In the experiment, we successfully sign a binary message between three parties with an information-theoretic security level of 10^-7. In this thesis, we focus mainly on the finite-key security analysis of this MDI-QDS experiment. The complete MDI-QDS protocol implemented in this work consists of two main parts: an MDI-QKD protocol and an MDI-QDS scheme with three parties, a signer (Alice) and two recipients (Bob and Charlie). The MDI-QKD protocol is run between the two recipients so that they share a secret key. They can then use this key to encrypt the messages interchanged between them in the MDI-QDS scheme. Given the data obtained in the MDI-QKD experiment, we modify the definition of the observed data in the X basis by including the additional basis-mismatched events associated with vacuum states. In so doing, we improve the finite-size data estimation and thus the resulting length of the secret key at a given security level. The MDI-QDS scheme has two stages: the distribution stage and the messaging stage. In the distribution stage, Alice separately performs an MDI key generation protocol (MDI-KGP) to share correlated bit strings with Bob and with Charlie, respectively. Then, Bob and Charlie each randomly select half of their bits and interchange them, together with the positions of the selected bits in the bit string, in a fully secret way. In the messaging stage, Alice sends the signed message together with the signature to one recipient (say Bob). Bob checks whether the message is from Alice by counting the errors between the signature bits and his own bits.

Bob can then further prove to Charlie that he received the signed message from Alice, and Charlie can decide whether to accept it by performing a similar check on the bit string sent by Bob. To estimate the security parameter of the MDI-QDS scheme, we modify the estimation method for some parameters so that the security level of the complete protocol improves compared to the original proposal. Note that the secret key distilled in the MDI-QKD protocol is used for encryption in the distribution stage of the MDI-QDS scheme. Therefore, the security level of the complete protocol cannot be higher than the security level of that key. To obtain the optimal security level of the experiment, the best one can do is to let the security parameters of the MDI-QDS scheme have the same order of magnitude. Given all the experimentally observed data, one should perform a global optimization over all the security parameters of the MDI-QDS scheme to achieve the optimal security level. Finally, we improve the estimation method for some security parameters and distill a key of 4724819 bits with a security level of 10^-7.

In summary, this thesis focuses on the finite-key security analysis of quantum cryptographic protocols by relaxing some assumptions that cannot always be satisfied in practice. More precisely, we analyze the finite-key security of the standard decoy-state QKD protocol with a leaky source, of an MDI-QKD protocol with leaky sources, and of an MDI-QDS experiment. The finite-key techniques for estimating the parameters of QKD and MDI-QKD in the presence of information leakage developed in this thesis can be directly applied to any type of QKD protocol implemented in practical systems, and they could be improved by considering methods other than the quantum coin idea so that the additional “random data post-selection” step can be removed, if possible. Besides, the efficiency of the current experimental MDI-QDS scheme can be further improved by applying a more efficient MDI-QKD protocol with full parameter optimization and by increasing the system clock rate. All these results provide good references for experimentalists implementing these quantum cryptographic protocols from a practical point of view.
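The classical part of the three-party MDI-QDS scheme described above (distribution stage with the half-string swap under a one-time pad, then the messaging stage with the two error-count checks), as an added simulation that is not code from the thesis or its experiment. The quantum MDI-KGP runs are replaced by a constructed stand-in that hands each recipient a noisy copy of Alice's string, the MDI-QKD key is a constructed random bit list, and the string length, error rate and the two thresholds (`S_A` for the first recipient, the larger `S_V` for the second) are assumptions chosen for the illustration, not the parameters of the experiment.

```python
import random

# All lengths, error rates and thresholds below are constructed assumptions for this
# illustration; they are not the parameters of the thesis experiment.
N = 2000          # length of each correlated bit string (one per possible message value)
KGP_ERROR = 0.02  # assumed mismatch rate between Alice's string and a recipient's copy
S_A = 0.05        # assumed authentication threshold applied by the first recipient (Bob)
S_V = 0.10        # assumed verification threshold applied by the second recipient (Charlie)


def otp_xor(bits, key):
    """One-time pad over bit lists; the same call encrypts and decrypts."""
    if len(key) < len(bits):
        raise ValueError("one-time pad key must be at least as long as the message")
    return [b ^ k for b, k in zip(bits, key)]


class Pad:
    """Sequential view of a copy of the shared MDI-QKD key, so no pad bit is reused. Bob and
    Charlie each hold a Pad over the same key and process the transcript in the same order,
    so sender and receiver always consume the same chunk."""
    def __init__(self, key):
        self.key, self.pos = key, 0

    def take(self, n):
        chunk = self.key[self.pos:self.pos + n]
        if len(chunk) < n:
            raise ValueError("MDI-QKD key exhausted")
        self.pos += n
        return chunk


def kgp_strings(rng, n=N, error=KGP_ERROR):
    """Stand-in for one MDI key generation protocol run: Alice keeps `alice`, the recipient
    holds a correlated copy in which each bit is flipped with probability `error`."""
    alice = [rng.randrange(2) for _ in range(n)]
    return alice, [b ^ int(rng.random() < error) for b in alice]


def send_half(rng, own_bits, pad):
    """Keep a random half of the positions and forward the other half, positions included,
    under the one-time pad. Returns ({kept position: bit}, ciphertext)."""
    n = len(own_bits)
    idx = list(range(n))
    rng.shuffle(idx)
    forwarded = set(idx[: n // 2])
    mask = [1 if i in forwarded else 0 for i in range(n)]        # which positions travel
    payload = mask + [own_bits[i] for i in range(n) if mask[i]]  # positions, then bits
    kept = {i: own_bits[i] for i in range(n) if not mask[i]}
    return kept, otp_xor(payload, pad.take(len(payload)))


def receive_half(ciphertext, n, pad):
    """Decrypt a forwarded half and rebuild its {position: bit} map."""
    payload = otp_xor(ciphertext, pad.take(len(ciphertext)))
    mask, bits = payload[:n], payload[n:]
    return dict(zip([i for i in range(n) if mask[i]], bits))


def distribution_stage(rng, qkd_key):
    """For each message value m, Alice runs the KGP with Bob and with Charlie; the recipients
    then swap half of their bits over the encrypted channel, so each can later check both of
    Alice's strings: its own kept half plus the half received from the other recipient."""
    bob_pad, charlie_pad = Pad(qkd_key), Pad(qkd_key)
    alice, bob, charlie = {}, {}, {}
    for m in (0, 1):
        a_b, k_b = kgp_strings(rng)   # string Alice shares with Bob
        a_c, k_c = kgp_strings(rng)   # string Alice shares with Charlie
        alice[m] = (a_b, a_c)
        kept_b, ct = send_half(rng, k_b, bob_pad)        # Bob -> Charlie
        from_b = receive_half(ct, N, charlie_pad)
        kept_c, ct = send_half(rng, k_c, charlie_pad)    # Charlie -> Bob
        from_c = receive_half(ct, N, bob_pad)
        bob[m] = [(0, kept_b), (1, from_c)]      # (index into Alice's pair, bits held)
        charlie[m] = [(1, kept_c), (0, from_b)]
    return alice, bob, charlie, bob_pad.pos


def mismatch_rate(claimed, held):
    return sum(claimed[i] != b for i, b in held.items()) / len(held)


def verify(holdings, m, signature, threshold):
    """Accept the signed bit m iff every checkable block disagrees with the claimed
    signature in less than `threshold` of its positions."""
    return max(mismatch_rate(signature[k], held) for k, held in holdings[m]) < threshold


def demo(seed=7):
    rng = random.Random(seed)
    qkd_key = [rng.randrange(2) for _ in range(6 * N)]   # constructed stand-in for the MDI-QKD key
    alice, bob, charlie, used = distribution_stage(rng, qkd_key)
    m, sig = 1, alice[1]                                  # Alice signs m by revealing her strings
    forged = ([rng.randrange(2) for _ in range(N)], [rng.randrange(2) for _ in range(N)])
    return {"key_bits_used": used,
            "bob_accepts": verify(bob, m, sig, S_A),          # first recipient's check
            "charlie_accepts": verify(charlie, m, sig, S_V),  # after Bob forwards the message
            "bob_rejects_forgery": not verify(bob, m, forged, S_A),
            "charlie_rejects_forgery": not verify(charlie, m, forged, S_V)}
```

Running `demo()` shows the honest signature accepted by Bob under `S_A` and by Charlie under `S_V`, a random forgery rejected by both, and exactly `6 * N` key bits consumed, which is why the security level of the whole scheme is bounded by that of the MDI-QKD key: every bit of the swapped halves, positions included, is protected only by that key.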