Abstract

Cryptography is crucial to communication security. In 1984, a well-known QKD (quantum key distribution) protocol, BB84, was published by Bennett and Brassard. The BB84 Protocol was followed by the QKD protocols published by Ekert (1991) (E91) and Bennett (1992) (B92). Some authors proved security of the theoretical QKD protocols in different theoretical frameworks by defining security of QKD protocols differently. My argument is that the previous proofs of security are neither unique nor exhaustive for each theoretical QKD protocol, which means that proof of security of the theoretical QKD protocols has not been completed or achieved. The non-uniqueness and the non-exhaustiveness of the proofs will lead to more proofs. However, a coming “proof” of security of the theoretical QKD protocols is possible to be a disproof. The research by quantum mechanics in this paper disproves security of the theoretical QKD protocols, by establishing the theoretical framework of quantum mechanical proof, defining security of QKD protocols, establishing the quantum state of the final key of the theoretical protocols from their information leakages, and applying Grover’s fast quantum mechanical algorithm for database search to the quantum state of the final key to result in the Insecurity Theorem. This result is opposite to those of the previous proofs where the theoretical QKD protocols were secure. It is impossible for Alice and Bob to protect their communications from information leakage by stopping or canceling the protocols. The theoretical QKD keys are conventional and basically insecure. Disproof of security of the theoretical QKD protocols is logical.

Keywords

Quantum Mechanics, Quantum Cryptography, Quantum Computation, Security, Proof

Share and Cite:

1. Introduction

Cryptography is crucial to communication security. In 1984, a well-known QKD (quantum key distribution) protocol, BB84, was published by Bennett and Brassard [1]. The BB84 Protocol was followed by the QKD protocols published by Ekert in 1991 (E91) and Bennett in 1992 (B92) [2] [3].

Some authors (E. Biham, M. Boyer, P.O. Boykin, T. Mor and V. Roychowdhury; P. W. Shor and J. Preskill; D. Mayers; D. Gottesman and H.-K. Lo; H.-K. Lo, H. F. Chau and M. Ardehali; R. Renner, N. Gisin and B. Kraus; M. Boyer, R. Liss and T. Mor; H.-Y. Su) proved security of BB84 [4] - [13], others (Q. Zhang and C.-j. Tang; K. Tamaki, M. Koashi and N. Imoto; K. Tamaki and N. Lütkenhaus; K.Tamaki, N. Lütkenhaus, M. Koashi and J. Batuwantudawe; M. Lucamarini, G. D. Giuseppe and K. Tamaki) proved security of B92 [14] - [19], in different theoretical frameworks by defining security of QKD protocols differently.

My argument is that the authors understand security of QKD with different perspectives, and the previous proofs of security are neither unique nor exhaustive for each theoretical QKD protocol, which means that proof of security of the theoretical QKD protocols has not been completed or achieved. On the other hand, it is possible, from the non-uniqueness and non-exhaustiveness of proofs of security of QKD, that the theoretical QKD protocols will be proved insecure in an updated theoretical framework with an updated definition of security. For insecurity, one proof is enough.

Quantum mechanics is applied to variant research fields. For example, Stanisław Olszewski examines the time intervals characteristic for the quantum emission process, partly on the basis of the Ehrenfest treatment of the adiabatic invariants and partly with the aid of a study of the mechanical properties of electrons entering the simple quantum systems [20]. Shiro Ishikawa proposes the understanding of Wittgenstein’s picture theory in the framework of quantum language (or, “measurement theory”, “the linguistic Copenhagen interpretation of quantum mechanics”, “the quantum mechanical worldview”) [21].

Quantum computation holds much promise to break cryptosystems. In 1994, Shor published an algorithm for quantum computation of factoring [22], which can be used for breaking keys of conventional RSA public-key cryptosystems efficiently [22] [23] [24] [25]. In 1996, Grover published a fast quantum mechanical algorithm for database search [26], which can be used for efficient breaking of keys of conventional encryption systems such as Data Encryption Standard (DES) cipher [24] - [30]. The success of quantum computation forces us to ask: Are quantum key distribution protocols secure, encountering powerful quantum computation?

In this research Grover’s fast quantum mechanical algorithm for database search is applied to disprove security of the theoretical quantum key distribution protocols [26] [27]. The security of QKD protocols is defined in the theoretical framework of quantum mechanical proof established in this paper. The quantum state of the final key of the theoretical QKD protocols, which is based on the information leakages to Eve, the adversary, is established. Grover’s fast quantum mechanical algorithm for database search is applied to the quantum state of the final key to result in the Insecurity Theorem [26] [27].

From the previous proofs the theoretical QKD protocols, free of quantum computation attack, are secure, while my research concludes, from quantum mechanics, that the theoretical QKD protocols are insecure.

BB84, E91 and B92 are the theoretical and fundamental QKD protocols. Their insecurity implies that all QKD protocols developed following their model are insecure, and the strategy or direction of the quantum cryptography based on QKD should be adjusted.

Discussions are given.

2. The Theoretical Framework of Quantum Mechanical Proof

The theoretical framework of quantum mechanical proof in this paper consists of the theoretical QKD protocols, Grover’s fast quantum mechanical algorithm for database search and the rules of mathematical inference in quantum mechanics.

The variables in the framework are listed as:

k_i: the bit string of the i-th component of the quantum state of the final key;

p_j: the bit string of the j-th component of the quantum state of the plain-text;

k_s: the bit string of the key, whose value is set by Alice;

p_t: the bit string of the plain-text, whose value is set by Alice;

C: the bit string of the cypher-text produced by Alice’s encryption.

3. The Definition of Security of QKD Protocols

A QKD (quantum key distribution) protocol is secure if and only if its final key cannot be deduced from the information leakage of the protocol.

4. Insecurity Theorem of the Theoretical QKD Protocols

The theoretical QKD protocols, BB84, E91 and B92, are insecure in the theoretical framework of quantum mechanical proof in this paper.

5. Proof of Insecurity Theorem of the Theoretical QKD Protocols

5.1. Leakage of the Key-Length of BB84

After the “public discussion” of BB84 Protocol, the “remaining shared secret bits”, announced or leaked over the public channel, are used as the final key [1]. Thus, Eve, the adversary, overhears the “public exchange of messages” between Alice and Bob, and counts the “remaining shared secret bits” for n, the number of the bits of the final key.

5.2. Leakage of the Key-Length of E91

Eve, the adversary, overhears the legitimate users’ public announcements, neither disturbing the quantum channel nor violating the requirement of quantum mechanics, to know n, the number of the bits of the final key, by counting the measurements or the orientations of the analyzers within the second group, which Alice and Bob used the same orientation of their analyzers for and publicly announced or leaked [2].

5.3. Leakage of the Key-Length of B92

1) Detecting the key-length of EPR and non-EPR key distribution system by Eve:

For “EPR and non-EPR key distribution” system [3], Eve repeats for k times to eavesdrop on Alice and Bob’s public test in Step 9 and Step 10 of the system [3], and detects the key-length by counting the bits of the final secret key after the k repeated tests, without disturbing the quantum channel.

2) A scheme of “interferometric quantum key distribution using two non-or-thogonal low-intensity coherent states” is proposed [3]. According to the scheme, “Alice would randomly send red and green flashes of < 1 photon intensity, and Bob would publicly report which flashes he saw, but not their colors, which would constitute the secret key.” [3]

My argument is that it is unnecessary for Eve to “see” the same subset of flashes. She can seize the knowledge of the key-length by eavesdropping on Bob’s public report and counting the subset flashes seen by Bob.

5.4. Quantum State of the Final Key

The leakage of the lengths of the final keys of BB84, E91 and B92 discussed in Sections 5.1 - 5.3 results in the establishment, in terms of quantum mechanics, of $|K\rangle$, superposition of N (N = 2ⁿ) states of $|k_i\rangle$ (of n bits), as the quantum state of the final key.

$\begin{array}{c}|K\rangle =\frac{1}{\sqrt{2}}\left(|0\rangle +|1\rangle \right)\otimes \frac{1}{\sqrt{2}}\left(|0\rangle +|1\rangle \right)\otimes \cdot \cdot \cdot \otimes \frac{1}{\sqrt{2}}\left(|0\rangle +|1\rangle \right)\\ =\frac{1}{\sqrt{2^n}}\left(|00\cdot \cdot \cdot 0\rangle +|00\cdot \cdot \cdot 1\rangle +\cdot \cdot \cdot +|11\cdot \cdot \cdot 1\rangle \right)\\ =\frac{1}{\sqrt{N}}{\displaystyle \underset{i=0}{\overset{N-1}{\sum }}|k_i\rangle }\end{array}$ (1)

where n is the number of the bits of the final key of any one of BB84, E91 and B92. Equation (1) and the analysis below in Section 5 are valid for any one of BB84, E91 and B92 protocols.

5.5. OTP Encryption Algorithm

Bennett and Brassard declare that “If the transmission has not been disturbed, they agree to use these shared secret bits in the well-known way as a one-time pad to conceal the meaning of subsequent meaningful communications, or for other cryptographic applications (e.g. authentication tags) requiring shared secret random information.” [1]. This declaration defines and publishes the encryption algorithm of QKD protocols: one-time pad encryption algorithm (OTP) [31].

5.6. Quantum State of the Plain-Text

The length (the number of the bits) of the plain-text is n, equal to the length of the key, because the encryption algorithm of QKD is OTP encryption algorithm [31]. Therefore, the quantum state of the plain-text is

$\begin{array}{c}|P\rangle =\frac{1}{\sqrt{2}}\left(|0\rangle +|1\rangle \right)\otimes \frac{1}{\sqrt{2}}\left(|0\rangle +|1\rangle \right)\otimes \cdot \cdot \cdot \otimes \frac{1}{\sqrt{2}}\left(|0\rangle +|1\rangle \right)\\ =\frac{1}{\sqrt{2^n}}\left(|00\cdot \cdot \cdot 0\rangle +|00\cdot \cdot \cdot 1\rangle +\cdot \cdot \cdot +|11\cdot \cdot \cdot 1\rangle \right)\\ =\frac{1}{\sqrt{N}}{\displaystyle \underset{j=0}{\overset{N-1}{\sum }}|p_j\rangle }\end{array}$ (2)

5.7. Encryption

After the protocol is implemented, Alice encrypts her plain-text by the operation

$\text{E}\left(k_s,p_t\right)=C\left(0\le s\le N-1,0\le t\le N-1\right)$ (3)

where E is the OTP (one-time pad) encryption algorithm, k_s is the bit string of $|k_s\rangle$, the key, p_t is the bit string of $|p_t\rangle$, the plain-text, C is the cipher-text. Then she sends the cipher-text and the encryption algorithm (for Bob’s decryption) to Bob during the communication between them.

5.8. Decryption

Bob receives the cypher-text and the encryption algorithm sent by Alice to him, and establishes his decryption equation

$\text{E}\left(k_s,p_j\right)=C\left(0\le s\le N-1,0\le j\le N-1\right)$, (4)

where E is the OTP (one-time pad) encryption algorithm, k_s is the bit string of $|k_s\rangle$, the key, p_j is the bit string of $|p_j\rangle$, C is the cipher-text.

Bob’s decryption is to solve the decryption equation, Equation (4), to find the plain-text $|p_t\rangle$.

It is obvious that there exists at least one solution of Equation (4) because of Alice’s encrypting (Equation (3)). It is obvious that solution of Equation (4) is required to be unique for successful communication between Alice and Bob.

Solving Equation (4) is to search $|P\rangle$ (expressed by Equation (2)) for the $|p_j\rangle$ whose bit string, p_j, satisfies Equation (4). Bob prefers using Grover’s fast quantum mechanical algorithm for database search because Grover’s quantum searching algorithm is optimal [32]. Bob’s decryption, which needs $O\left(\sqrt{N}\right)$ Grover’s iterations, is presented in Appendix 1 of this paper.

5.9. Key-Equation

Eve intercepts the cipher-text and the encryption algorithm sent by Alice to Bob.

For Eve, if $|k_i\rangle$ is the key and $|p_j\rangle$ is the plain-text, they satisfy

$\text{E}\left(k_i,p_j\right)=C\left(\text{0}\le i\le N-1,0\le j\le N-1\right)$ (5)

where E is the OTP encryption algorithm, k_i is the bit string of $|k_i\rangle$, p_j is the bit string of $|p_j\rangle$, C is the cipher-text. Equation (5) is the key-equation.

5.10. Uniqueness of Solution

It is obvious that there exists at least one couple of k_i and p_j that satisfies Equation (5) because of Alice’s encrypting (Equation (3)). Furthermore, multiplicity of solution of Equation (5), if any, can result in multiplicity of solution of Equation (4) because of $|k_s\rangle \in \left\{|k_i\rangle |\left(0\le i\le N-1\right)\right\}$. Then logically, uniqueness of solution of Equation (4) can result in uniqueness of solution of Equation (5). And so, if communication between Alice and Bob is successful, solution of the key-equation Equation (5) can be unique.

5.11. Searching by Grover’s Fast Quantum Mechanical Algorithm

Eve searches the quantum state of the secrete key (Equation (1)) for the key by Grover’s fast quantum mechanical algorithm for database search. She succeeds as the communication between Alice and Bob is successful and solution of the key-equation is unique:

1) Defining a function $f\left(k_i,p_j\right)$ (using the key-equation Equation (5)):

$f\left(k_i,p_j\right)=\{\begin{array}{l}\text{1,}\text{E}\left(k_i,p_j\right)=C\\ \text{0,}\text{E}\left(k_i,p_j\right)\ne C\end{array}$ (6)

2) Repeating the following operations (a) and (b) for $O\left(\sqrt{N}\right)$ times (Grover Iteration) [26] [27]:

a) Applying the oracle operation [26] [27]:

$|k_i\rangle \stackrel{O}{\to }{\left(-1\right)}^{f\left(k_i,p_j\right)}|k_i\rangle$, (7)

where $f\left(k_i,p_j\right)$ is the function defined by Equation (6).

b) Performing Grover operation (in terms of inversion about average operation)

$D|K\rangle$, (8)

where the diffusion transform D can be implemented as

$D=WRW$, (9)

where W is the Walsh-Hadamard Transform Matrix and R is the phase rotation matrix [26] [27].

3) Measuring the resulting state of $|K\rangle$ results in $|k_s\rangle$, the secrete key, with a probability of $O\left(1\right)$ [26] [27].

5.12. Proved Insecurity Theorem of the Theoretical QKD Protocols

From the inference of Section 5, the result of Section 5.11 and the definition of security of QKD protocols suggested in Section 3, the Insecurity Theorem of the theoretical QKD protocols suggested in Section 4 is proved.

6. Discussions

1) An alternative approach to establishing of the quantum state of the final key, Equation (1), and the quantum state of the plain-text, Equation (2), is open to Eve. Eve intercepts the cypher-text sent by Alice to Bob and counts its bits forn, then establishes Equation (1), wheren is the key-length, and Equation (2), where n is the number of the bits of the plain-text, because the encryption algorithm of QKD is one-time pad (OTP) encryption algorithm [1] [31] and the three bit numbers (of the key, the plain-text and the cypher-text) are identical (n). This is a shortcut approach.

2) Bob’s $O\left(\sqrt{N}\right)$ Grover’s iterations are completed within a period of time decided by him, no matter how big $N\left(N<\infty \right)$ is, if and only if computing speed of quantum computation is unlimited.

Eve’s $O\left(\sqrt{N}\right)$ Grover’s iterations (of Equation (7) and Equation (8)) are completed within a period of time decided by her, no matter how big $N\left(N<\infty \right)$ is, if and only if computing speed of quantum computation is unlimited.

Quantum computers perform any operations allowed by quantum mechanics. Quantum computation is, in principle, of unlimited computational power (unlimited computing speed), because no limit of computing speed is possible to be defined or proved by the fundamental principles of quantum mechanics (superposition, uncertainty and entanglement) that quantum computation is based on.

Thus, the unlimited computing speed of quantum computation guarantees that both the communication between Alice and Bob and Eve’s searching for the key are successful.

3) It is obvious that it is impossible for Alice and Bob to detect Eve’s activities because the quantum transmission between them is not disturbed by Eve’s operations of eavesdropping and quantum computation. Thus, it is impossible for Alice and Bob to protect their communications from information leakage by stopping or canceling the protocols.

4) The theoretical QKD keys are conventional ones because they are constructed by conventional bits. Therefore, the essential difficulty of the theoretical QKD protocols is that the theoretical QKD keys are basically insecure. Disproof of security of the theoretical QKD protocols is logical.

7. Conclusion

This research, based on quantum mechanics and quantum computation, proves that the theoretical QKD protocols, BB84, E91 and B92, are insecure in the theoretical framework of quantum mechanical proof in this paper. This result is opposite to those of the previous proofs where BB84 and B92 QKD protocols were secure. The information leakage of the theoretical QKD protocols is unavoidable because the quantum transmission of the protocols is not disturbed by Eve’s operations. The keys of the theoretical QKD protocols are conventional ones of conventional bits and basically insecure. The Insecurity Theorem of the theoretical QKD protocols proved in this paper is a logical result. The insecurity of the theoretical and fundamental QKD protocols implies that all QKD protocols developed following their model (featured by a quantum channel, a conventional channel, a conventional key and OTP encryption) are insecure, and the strategy or direction of the quantum cryptography based on QKD should be adjusted, that will stimulate more topics to be studied in the quantum information field.

Acknowledgements

I thank Jin Zhao for her suggestions for this manuscript.

Appendix 1

Bob searches the quantum state of the plain-text (Equation (2)) for the plain-text by Grover’s fast quantum mechanical algorithm for database search. He succeeds as solution of the decryption equation is unique for successful communication between Alice and him:

A) Defining a function $g\left(k_s,p_j\right)$ (using the decryption equation, Equation (4)):

$g\left(k_s,p_j\right)=\{\begin{array}{l}\text{1,}\text{E}\left(k_s,p_j\right)=C\\ \text{0,}\text{E}\left(k_s,p_j\right)\ne C\end{array}$ (10)

B) Repeating the following operations (a) and (b) for $O\left(\sqrt{N}\right)$ times (Grover Iteration) [26] [27]:

a) Applying the oracle operation [26] [27]:

$|p_j\rangle \stackrel{O}{\to }{\left(-1\right)}^{g\left(k_s,p_j\right)}|p_j\rangle$, (11)

where $g\left(k_s,p_j\right)$ is the function defined by Equation (10).

b) Performing Grover operation (in terms of inversion about average operation)

$D|P\rangle$, (12)

where the diffusion transform D can be implemented as

$D=WRW$, (13)

where W is the Walsh-Hadamard Transform Matrix and R is the phase rotation matrix [26] [27].

C) Measuring the resulting state of $|P\rangle$ results in $|p_t\rangle$, the plain-text, with a probability of $O\left(1\right)$ [26] [27].

Appendix 2: Example

Suppose the OTP encryption algorithm used by Alice is XOR [33], then we have the information flow in FigureA1.

Conflicts of Interest

The author declares no conflicts of interest.

References