Attacks on quantum key distribution protocols that employ non-ITS authentication

We demonstrate how adversaries with large computing resources can break quantum key distribution (QKD) protocols which employ a particular message authentication code suggested previously. This authentication code, featuring low key consumption, is not information-theoretically secure (ITS), since for each message the eavesdropper has intercepted she is able to send a different message from a set of messages that she can calculate by finding collisions of a cryptographic hash function. However, when this authentication code was introduced, it was shown to prevent straightforward man-in-the-middle (MITM) attacks against QKD protocols. In this paper, we prove that the set of messages that collide with any given message under this authentication code contains, with high probability, a message that has small Hamming distance to any other given message. Based on this fact, we present extended MITM attacks against different versions of BB84 QKD protocols using the addressed authentication code; for three protocols, we describe every single action taken by the adversary. For all protocols, the adversary can obtain complete knowledge of the key, and for most protocols her success probability in doing so approaches unity. Since the attacks work against all authentication methods which allow colliding messages to be calculated, the underlying building blocks of the presented attacks expose the potential pitfalls arising as a consequence of non-ITS authentication in QKD post-processing. We propose countermeasures that increase the eavesdropper's demand for computational power, and also prove necessary and sufficient conditions for upgrading the discussed authentication code to the ITS level.
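The abstract's central combinatorial point is that a keyless (non-ITS) tag lets anyone enumerate the set of messages colliding with a given one, and that this set almost always contains a message within a few bit flips of any target; a keyed universal hash family removes the property because the colliding set then depends on the secret key. The toy model below, added here as an illustration rather than code from the paper, makes that concrete at a scale where brute force is instant: messages are 14 bits, tags are 6 bits, `keyless_tag` is a truncated SHA-256 standing in for the publicly computable hash, and `keyed_tag` is a Carter-Wegman family `((a*m + b) mod p) mod 2^k` standing in for an ITS code. All parameters, message values and key values are constructed for the example; `expected_within` is the standard estimate for how many colliding messages land within a given Hamming distance of a random target, which is what makes a short tag over a long message dangerous.

```python
"""Toy model of the collision-set argument from the abstract (added example,
not the paper's code).  Sizes are constructed and tiny so brute force works."""
import hashlib
import math
import random

MSG_BITS = 14   # constructed toy message length n
TAG_BITS = 6    # constructed toy tag length k
PRIME = 16411   # smallest prime above 2**MSG_BITS, modulus for the keyed family


def keyless_tag(msg: int) -> int:
    """Non-ITS stand-in: a tag anyone can compute from the message alone
    (truncated SHA-256).  No secret enters, so an eavesdropper can enumerate
    every message that carries the same tag as an intercepted one."""
    digest = hashlib.sha256(msg.to_bytes(2, "big")).digest()
    return digest[0] & ((1 << TAG_BITS) - 1)


def keyed_tag(msg: int, key: tuple[int, int]) -> int:
    """ITS-style stand-in: h_{a,b}(m) = ((a*m + b) mod p) mod 2^k, a
    Carter-Wegman universal family.  Which messages collide now depends on
    the secret key, so the colliding set cannot be precomputed."""
    a, b = key
    return ((a * msg + b) % PRIME) & ((1 << TAG_BITS) - 1)


def collision_set(msg: int, tag_fn) -> list[int]:
    """All messages in the toy space whose tag equals msg's tag."""
    t = tag_fn(msg)
    return [m for m in range(1 << MSG_BITS) if tag_fn(m) == t]


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which a and b differ."""
    return bin(a ^ b).count("1")


def min_distance(target: int, colliding: list[int]) -> int:
    """Smallest Hamming distance from target to any colliding message."""
    return min(hamming(target, m) for m in colliding)


def expected_within(d: int, set_size: int, n: int = MSG_BITS) -> float:
    """Expected number of colliding messages within Hamming distance d of a
    random n-bit target, modelling the colliding set as set_size uniform
    n-bit strings.  Summing to d = n gives back set_size."""
    return set_size * sum(math.comb(n, i) for i in range(d + 1)) / 2 ** n


if __name__ == "__main__":
    rng = random.Random(1)                 # constructed, for reproducibility
    sent = rng.getrandbits(MSG_BITS)       # the authenticated message
    target = rng.getrandbits(MSG_BITS)     # an arbitrary other message
    coll = collision_set(sent, keyless_tag)
    print(f"{len(coll)} messages share the keyless tag of {sent:0{MSG_BITS}b}")
    print(f"closest of them is {min_distance(target, coll)} bit(s) from target")
    for dist in range(4):
        print(f"  expected colliding messages within distance {dist}: "
              f"{expected_within(dist, len(coll)):.2f}")
    # Under the keyed family the colliding set is a function of the key,
    # so two keys generally yield different sets and neither is computable
    # without the key.
    k1 = (rng.randrange(1, PRIME), rng.randrange(PRIME))
    k2 = (rng.randrange(1, PRIME), rng.randrange(PRIME))
    same = (collision_set(sent, lambda m: keyed_tag(m, k1))
            == collision_set(sent, lambda m: keyed_tag(m, k2)))
    print("keyed collision sets identical across two keys:", same)
```

Running the script shows roughly 2^(n-k) = 256 colliding messages for the keyless tag and an expected count of several colliding messages within distance 3 of a random target, which is the small-Hamming-distance property the paper relies on; the last line shows the keyed family's colliding set changing with the key, which is the mechanism behind the ITS upgrade the abstract proposes.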