On the performance of quantum cryptographic protocols ... - IEEE Xplore

2015 International Conference on Communication, Information India

&

Computing Technology (ICCICT), Jan. 16-17, Mumbai,

On the performance of quantum cryptographic protocols SARG04 and KMB09 Minai Lopes Research Scholar Department of Electronics Engineering VJTI, Murnbai Email: [email protected]

Abstract-Since the first protocol, proposed by Benette and Brassard in

1984 (BB84), the Quantum Cryptographic(QC)

protocols has been studied widely in recent years. It is observed that most of the later QC protocols are variants of BB84 with the intention of addressing one or more problems incurred during the practical implementation of BB84 protocol. Amongst many candidates, SARG04 provides robust performance for the weak coherent pulse implementation of QC. Another follower proto­ col, KMB09 provides improvement in quantum communication distance between Alice and Bob (the classical communicating par­ ties). Both these protocols are chosen to compete, as they found to be a suitable choice for incorporating QC in existing wireless technology. In this paper we present the performance analysis of these two protocols with respect to protocol efficiency, Quantum Bit Error Rate (QBER) and robustness against eavesdropping.

Index

Terms-Quantum

Cryptography,

QKD,

QBER,

SARG04, KMB09

I.

INTRODUCT ION

Quantum Cryptography [1] or Quantum key Distribution (QKD) is the most mature field of quantum information pro­ cessing in theoretical as well as experimental advances. Since its evolution it is believed that Quantum Key Distribution is unconditionally secure and is implementable with available technology. Thus many research groups have contributed to­ wards theoretical security proofs and practical implementa­ tions of QKD giving a clear bifurcation of this research area. Unfortunately, the truly practical implementation of QKD is far more challenging compared to its idealized theoretical security proofs. Indeed, there are efforts made to blend the security proofs to prove the security of practical implemen­ tation prototypes [2], the practical applicability of QKD also needs to be explored. One approach to this is to find the scope of QKD in already existing technological scenarios.Recently it is proved that QKD protocols can be incorporated with wireless networks to improve their security [3]. All these requirements gives rise to theoretical as well as practical performance analysis of QKD protocols. This paper aims at testing the practical usability of two recent and widely used candidate protocols developed by V Scarani et. al. named SARG04 [4] and Muhammad Mubasir Khan et. al. named KMB09 [5] keeping in mind the goal discussed above. It is seen that SARG04 is robust against Photon Number Splitting (PNS) attack [6], one of the vulnerability of QKD due 97S-1-4799-5522-0/15/$3l.00 ©2015 IEEE

Dr. Nisha Sarwade Associate Professor Department of Electronics Engineering VJTI, Mumbai Email: [email protected]

to limitations and unavailability of photon sources. The ideal QKD implementations expects the use of single photons as the input. But with current technology, the most practical and easily available photon sources are weak coherent pulses or attenuated laser pulses. These pulses contains sometimes more than one photon. The Eavesdropper, Eve can take advantage of such multiphoton pulses by extracting and storing the extra photons and blocking all the single photon pulses without introducing any error in the communication. SARG04 provides a subtle protection against such attack without expecting any change in the experimental setups already established for BBS4 protocol. Due to this reason SARG04 claims a strong candidature for practical QKD set ups in future. However, the disadvantage of SARG04 is that it has lower key rate and a shorter secure distance in realistic settings [7]. KMB09 on other hand claims the long-distance quantum communication with high error rate.This protocol uses similar experimentation regime as that of BBS4 and SARG04. The notable differentiation is in photon encoding and the classical post processing phase. The novelty of this protocol is the introduction of'Index Transmission Error Rate' (ITER) along with the Bit Error Rate (BER) as a performance parameter. It is observed that the ITER increases significantly for higher dimensional photon states. This allows for more noise tolerance in the transmission line, thereby increasing the possible QKD distance. KMB09, on contrary to BBS4 and SARG04, uses all vectors of one basis to encode the same bit. Moreover, a bit can be transmitted only when Alice and Bob use different bases. There are five sections in this paper. In section 2, we intro­ duce the working of SARG04 and KMB09 in detail through an example. In section 3, we will evaluate the performance of these protocols through coding. Section 4 will compare the performance of our selected protocols for application specific conditions. In section 5, we will summarize and conclude our results. II.

P ROTOCOL

D ESIGN

The customary requirement of any quantum cryptographic protocol is the availability of basic QKD model as discussed in [S]. These protocols includes quantum transmission followed

2015 International Conference on Communication, Information India

&

Computing Technology (ICCICT), Jan. 16-17, Mumbai,

by classical pre-processing. The discussion in this section as­ sumes working of SARG04 and KMB09 protocols under ideal conditions i.e. no eavesdropping and no quantum transmission errors.

the protocol can withstand the PNS attack. SARG04 has a Bit Error Rate of almost 75%, but it intimates an important conclusion that, at the cost of the rate of the data transfer, one can improve the resistance against the PNS attack.

SARG04 protocol is designed for combating Photon Num­ ber Splitting attack caused due to realistic photon sources used in QKD implementations.The protocol uses two non­ orthogonal bases as shown in figure l.

KMB09 is also a'prepare and measure' type of the quantum cryptographic protocol. To start with, Alice first prepares the photons in certain states and sends them to Bob. As stated before KMB09 also use two sets of basis as shown in figure 2. Note that the vector representation is using poincare sphere and no conditions have been posed on the states of e and f except that they should form a basis. This gives lot of flexibility for maximizing the relevant minimum error rate introduced by Eve.

B. The KMB09 protocol

A. The SARG04 Protocol

Basis 'a'

,/ '\

Basis

�

It

I

e2

'b'

e1

,

Basis'e'

Figure I. Basis for SARG04 [8]

As in 'prepare and measure' type of protocol, Alice first chooses between these two basis randomly and prepares her photons for communication. In reconciliation phase but, she revels the random states that she has used to prepare her photons. These states are relevant from the figure 1 and also can be defined as, Aw,w'

=

{

I )}

' Iwx) , w z

,

'

with w, w

E

{+, -}

I

f2

=

=

(COS�) CO�� ) Stn�' 11)a (-Stn� (sin'?; ) l ) (stn-n ) COS2 =

-co 'l 2

, Ib

Basis If' fl

=

The non satisfaction of Eq.(2) imply that, if the superpo­ sition of vectors of any of these basis is zero. i.e·1 (Obllb) I I(Oalla)1 0, the PNS attack is possible. For SARG04 these pairs of basis are given as, (refer Figure 1)

=

�

,

Here basis 'e' is used for coding '0' and basis 'f' is used for coding '1'. The states of these basis are differentiated by the index' i' (eg. ei and fi), where i 1, ...., N. For simplicity we assume N 2 here. The protocol can be easily extended for the basis having more than two states (N > 2). Alice can now select randomly between these four states to code her photons. At the receiving side, Bob measures the incoming photons in a randomly chosen basis. In order to establish the strong correlation between Alice and Bob's data, Alice needs to reveal some information via classical communication. The novelty of this protocol lies here that Alice announces only the index i of the respective basis state she has used for coding her photon. This does not deduce any information about the key as states lei)and I fi)with the same index i encode different bits. Now Bob needs to interpret his measurement outcome with the information provided by Alice (the indices).This can be done by using a table similar to table I. The parameters Qij and (3ij in the table assume three different values, '0', '1', or 'x' and are interpreted as whether Bob obtained '0', '1', or no bit transmission. Now if Alice sends photon prepared in leI) indicating transmission of '0'. The value of Qll o and (311 1to confuse Eve. But for more security the value of Qii and (3ii is chosen to be 'x', assuring that Bob ignores the cases where his measured state has the same index i as announced by Alice. Moreover, if Alice announces 'i l' and Bob measures I fj )with j� 1, then he knows surely that she

(1)

(2)

u

lOb)

,

=

C�:D � C�:D

=

"

" "

Figure 2. Basis for KMB09

Where, I±x) code for 0 and I±z) code for l. SARG04 achieves the robustness against PNS attack through the proper choice of non orthogonal basis. In general the requirement for choosing these vector configuration is that the vectors are not related via a unitary transformation. It is proved that when this condition is satisfied, Eve cannot per­ form the obvious filtering as in PNS attack [9].This condition can be given as,

10 a)

�

,

(3)

. T}

=

=

=

(4)

It can be easily demonstrated that, the superposItlOns for -cosT}, I(Oalla)1 SARG04 yields,I(Obllb)1 cosT}, so that =

978-1-4799-5522-0/15/$3l.00 ©2015 IEEE

=

=

2

2015 International Conference on Communication, Information India

&

Computing Technology (ICCICT) Jan. 16-17, Mumba'1, '

INTERPRETATION TABLE FOR BOB [5] Table I

States measured by Bob

Index announced by Alice

2

lei)

le2)

leN)

1M

1M

liN)

Ql1

Q12

Q1N

f311

f312

f31N

Q21

Q22

Q2N

f321

f322

f32N

N

f3NN

III.

prepared her photon in lei). Analogously, if Alice announces 'i =1' and Bob measures lej) with 'j -II', then he knows that Alice prepared IiI). Therefore Alice and Bob need to choose alj 1and (3lj 0 for all j -I1. Thus KMB09 assures of unambiguous state discrimination when Alice and Bob choose either different basis or their indices do not match. 1) The ITER: In above explanation it is important to note that i denotes the index of the photon prepared by Alice and j is the index of the basis vector measured by Bob. The index transmission strategy of this protocol introduces an error , known as 'Index Transmission error (ITE) . An ITE occurs when a photon prepared in lei)(IJ;)) is measured at Bob's end as lej)(I!j)) with i -I j. For better understanding of Index Transmission Error Rate (ITER), table II shows the working of KMB09 for N =2. In table II, Alice first choose the random bits and prepares her photons to encode 1 and 0, by choosing the random bases (el, e2, iI, h) from figure 2. She sends this photons to Bob through the quantum channel. Bob measures these photons by choosing random bases and keeps his measurements. Alice now starts classical communication by sending the indices of the states of her photons. As a last step, Bob needs to interpret his measurements. For this he needs to use an interpretation table as shown in table I. For N 2, Bob's table reduces to table III. =

RESULT S

In this section we will discuss performance of both the protocols under study. The simulation for these protocols is done using MATLAB software. For simplicity, the value of number of states for each basis, 'N' is chosen as '2'. The results are obtained from numerical simulation which randomly generates 2500 asand bsand fs and es. The bit rate used is lOKB, which can be extended to any higher value. In SARG04, the QBER is contributed by two factors, first the instances when Alice and Bob choose different basis and second when the pair of states announced by Alice is correlated with Bob's measurement outcome. Figure 3 shows the average 'Quantum Bit Error Rate' for SARG04. The average QBER for N = 2 is approximately 75 %. This is higher than 50% for the BB84 protocol. The high BER is due to the two levels of randomness added by the protocol, one for choosing the state for photon preparation and one where Alice announces the non-orthogonal state in the sifting procedure.

=

The range of QBER for SARG04 is 73. 12 to 76.56 77 ,-----��--�----����-----,

=

BOB'S INTERPRETATION TABLE FOR N =2 Table III

Index Announced by Alice

2

States measured by Bob

x

x x

o

o x Random selection of Basis

Bob's results include QBER and ITER which can be easily filtered. The example clearly show the instances where index transmission error occurs. It is also evident that KMB09 has very low bit transmission rate (low efficiency) . But the payoff for the corresponding loss is relatively high error rate in presence of an eavesdropper. 978-1-4799-5522-0/15/$3l.00 ©2015 IEEE

Figure 3. QBER for SARG04

The distinct feature of KMB09 is that it divides the total quantum error rate in two parameters, the classical QBER and 3

2015 International Conference on Communication, Information India

&

Computing Technology (ICCICT), Jan. 16-17, Mumbai,

WORKING OF KMB09 Table II

index'i'

Bob now verify his index's with the one announced by Alice using table II

resulting to ITER Bit received correctly

Our results can thus be verified to give the value of approximately 25% for N 2. Also it is quoted that the bit rate of KMB09 is same as that of its ITER. This can be verified from table II. The bit transmission rate obtained here is 5/20 25%.

an ITER. It is important to note that a key bit is obtained when the index j of the state measured by Bob and the index i of the state prepared by Alice are different. Hence a quantum bit error occurs when Bob measures lej ) (Ih)), while Alice prepared l ei ) (1M) with i "I j. Figure 4 plots the QBER range for KMB09. The average QBER is approximately 50%. It is quoted in [5] that this value of QBER for N 2 is the highest minimum QBER value. For higher values of N, the QBER degrades with nominal rate.

=

=

The range of ITER is 23.25 to 26.66 27 .---�--�---,

=

The range of Q8ER for KMB09 is 48,15 to 51.8 52 ,--�--�--_, 0: W

t:

0: W OJ

Iterations

Figure 5. ITER for KMB09

IV.

herations

The purpose of our work is to analyze the feasibility of using above protocols with existing wireless transmission technology, for improved security. As it is known that quantum cryptography provides unconditional security through the use of quantum principles [10]. This feature of QC can be utilized for solving the extensively discussed problems of security in wireless medium [11], [12], [13], [14]. Table IV summarize the performance of our candidate protocols with respect to some features that we expect be useful in case of wireless transmissions.

Figure 4. QBER for KMB09

As discussed in section II-B1, the index transmission error occurs when both Alice and Bob choose same basis but differ­ ent index. It can be seen from Figure 5, that the average value of ITER for KMB09 is near about 24.95%. The theoretical value of ITER is given by the equation (5) [5]. (5) 978-1-4799-5522-0/15/$31.00 ©2015 IEEE

P ERFORMANCE ANALYSIS

4

2015 International Conference on Communication, Information India

V.

,

KMB09

Prepare and Measure

Prepare and Measure

Choice of Basis

Pair of non-orthogonal states

Protocol design goal

aims towards combating PNS attack

Photon Source requirements

parametric down conversion crystal or weak laser pulses can be used.

Bit Error rate

�75% [Fig. 3]

Transmission Distance

144 km free space link is possible [171

expects single photon sources. �50% [Fig. 4], but adds ITER of �25% [Fig. 5] claims to increase the distance by allowing more noise tolerance.

25%

25%

Robustness against eavesdropping

inherently robust against photon number splitting and Theoretically tested to be secure [15] , [18]

Theoretically stated to survive intercept-resend attack. [5]

,

__

=

REFERENCES

The advantage of SARG04 is, it is designed to work with realistic photon sources and the existing QKD set ups. On the other hand, KMB09 assumes the availability of single photon sources and no practical test set ups are available.The design goal of KMB09 is to increase the quantum communication distance along with the strong eavesdropping detection. The practical security testing of both the protocols is absent. The available literature specify only the mathematical proofs of their security against an intercept-resend attack, claiming the 978-1-4799-5522-0/15/$3l.00 ©2015 IEEE

_

=

Mutually unbiased bases, number of states 'N' can very. aim towards increasing the transmission distance without intermediate nodes.

Transmission rate

_,

=

Table IV

SARG04

C ONCLUSIONS

This paper, have taken a novel approach of comparing the performance of a widely used quantum cryptographic proto­ col, SARG04 and a recently proposed KMB09 protocol, for wireless transmission framework. In section II, it is observed that both the protocols use similar encoding bases (the number of states per basis 'N' can vary). The difference is, SARG04 uses its states of 'a' ('b') basis for encoding O's and 1's with equal probability, where as KMB09 use its all e-states encoding a '0' and all J-states encoding a '1'. In SARG04 protocol, Alice needs to announce which one of the four set of states A++ A+ A + A she used, while in KMB09 she only announce either 'i l'or 'i 2' .Thus we can conclude that SARG04 bares more redundancy than KMB09 in reconciliation phase of the protocol. In section III, two performance parameters namely QBER and ITER are determined for these protocols. For a case of N 2, these protocols essentially gives equivalent performance for transmission rate and Bit Error Rate. However reference [5] claims that, in KMB09, for higher dimensions, the minimum ITER increases rapidly. This increase allows a better detection of eavesdropping even when channel noise is high. The in­ creased noise tolerance thereby allows increase in transmission distance between Alice and Bob. Although KMB09 provides comparable transmission rate, the main disadvantage is its single photon source requirement. Where as SARG04 use available, realistic photon sources and thus can be deployed using existing quantum key distribution networks without any modifications. But from the above analysis we can conclude that, similar to SARG04, even KMB09 satisfy the condition in equation.2 of superposition of bases. Thus if implemented using multiphoton sources, KMB09 too can withstand the PNS attack. In summary, the above two protocols serves the purpose of providing quantum cryptographic security in wireless trans­ mission with equal transmission rate and security. Moreover, it was observed that the implementation of KMB09 was simple compared to SARG04. This difference is due to a redundancy in SARG04 protocol. As a future work it can be suggested that KMB09 can be tested to satisfy the necessary condition for resisting the PNS attack, thus proving its feasibility with realistic photon sources.

PERFORMANCE COMPARISON OF TWO PROTOCOLS

Type of protocol

Computing Technology (ICCICT), Jan. 16-17, Mumbai,

security against this attack as a strong indication for the general security of any cryptographic protocol.

Quantum cryptographic protocol design have evolved around three methods, a) prepare and measure - where the sender prepares the photons to follow some polarization and the receiver measures the polarization. b) Entangled based - here the source is an entangled photon emitter and these photons travel towards each communicating party.c) Decoy state method - here the parties use additional photon states of different properties (e.g. intensity) for detection of Eve. SARG04 and KMB09 both use the simple prepare and mea­ sure protocol design. However implementation of SARG04 with other methods too is reported [15], [16]. It is been observed that BB84 is weak against PNS attack due to the orthogonality of its bases. This is due to the fact that whenever Eve stores a photon, she gets complete information after the sifting phase as she just needs to discriminate between the two eigenstates of the revealed bases. Thus both the protocols use non-orthogonal bases to satisfy (eilh) f= O. The bit error rate for SARG04 is 75% with the transmission rate of only 25% [8]. But this degradation in efficiency is compensated by the better intrusion detection. KMB09 also provides only 25% of key transmission rate, but on the payoff of high error rate in the presence of an eavesdropper.

Performance Parameters

&

[1] N. Gisin,G. Ribordy,W. Tittel,and H. Zbinden, "Quantum cryptogra­ phy," Reviews of modern physics, vol. 74, no. 1,p. 145, 2002. [2] D. Gottesman,H.-K. Lo,N. LuILtkenhaus,and J. Preskill,"Security of quantum key distribution with imperfect devices," in Information T heory, 2004. ISIT 2004. Proceedings. International Symposium on, p. 136, IEEE. [3] X. Huang, S. Wijesekera,and D. Sharma, "Implementation of quantum key distribution in wi-Ii (ieee 802.11) wireless networks," in Advanced Communication Technology, 2008. Conference on,

5

ICACT 2008.

vol. 2, pp. 865-870, IEEE,2008.

10th International

2015 International Conference on Communication, Information India [4] V. Scarani,A. Acin,G. Ribordy,and N. Gisin,"Quantum cryptography protocols robust against photon number splitting attacks for weak laser pulse implementations," Physical Review Letters, vol. 92, no. 5, p. 057901,2004. [5] M. M. Khan,M. Murphy,and A. Beige,"High error-rate quantum key distribution for long-distance communication," New Journal of Physics, vol. II, no. 6,p. 063043,2009. [6] G. Brassard,N. LUtkenhaus, T. Mor, and B. C. Sanders, "Limitations on practical quantum cryptography," Physical Review Letters, vol. 85, no. 6,p. 1330,2000. [7] C.-H. F. Fung,K. Tamaki,and H.-K. Lo,"Performance of two quantum­ key-distribution protocols," Physical Review A, vol. 73,no. 1,p. 012337, 2006. [8] M. Lopes and N. Sarwade, "Cryptography from quantum mechanical viewpoint," International Journal on Cryptography and Information Security, vol. 4,no. 2, pp. 13-25. [9] D. Kronberg and S. Molotkov, "Robustness of quantum cryptography: Sarg04 key-distribution protocol," Laser physics, vol. 19,no. 4,pp. 884893,2009. [10] V. Scarani,H. Bechmann-Pasquinucci,N. J. Cerf,M. Dusek,N. LUtken­ haus,and M. Peev,"The security of practical quantum key distribution," Reviews of modern physics, vol. 81,no. 3,p. 1301,2009. [11] H. Boland and H. Mousavi, "Security issues of the ieee 802.11 b wireless lan," in Electrical and Computer Engineering, 2004. Canadian Conference on, vol. 1,pp. 333-336,IEEE,2004. [12] J.-C. Chen,M.-C. Jiang,and Y-w. Liu,"Wireless Ian security and ieee 802.11 i," Wireless Communications, IEEE, vol. 12, no. 1, pp. 27-36, 2005. [13] J. Hasan, "Security issues of ieee 802.16 (wimax)," in Australian Information Security Management Conference, p. 71,2006. [14] c.-T. Huang and J. M. Chang,"Responding to security issues in wimax networks," IT Professional, vol. 10, no. 5,pp. 15-21,2008. [15] C. Branciard, N. Gisin, B. Kraus, and V. Scarani, "Security of two quantum cryptography protocols using the same four qubit states," Physical Review A, vol. 72,no. 3, p. 032301,2005. [16] S. Ali and M. Wahiddin,"Fiber and free-space practical decoy state qkd for both bb84 and sarg04 protocols," The European Physical Journal D­ Atomic, Molecular, Optical and Plasma Physics, vol. 60,no. 2,pp. 405410,2010. [17] T. Schmitt-Manderbach,H. Weier,M. FUrst,R. Ursin,F. Tiefenbacher, T. Scheidl, J. Perdigues, Z. Sodnik, C. Kurtsiefer, J. G. Rarity, et ai., "Experimental demonstration of free-space decoy-state quantum key distribution over 144 km," Physical Review Letters, vol. 98, no. 1, p. 010504,2007. [18] C.-H. F. Fung, K. Tamaki,and H.-K. Lo,"On the performance of two protocols: Sarg04 and bb84," arXiv preprint quant-phl0510025, 2005.

978-1-4799-5522-0/15/$3l.00 ©2015 IEEE

6

&

Computing Technology (ICCICT), Jan. 16-17, Mumbai,