On the difficulty of Quantum Cryptography in presence of packet losses
TQSD Technische Universität München
Theresienstraße 90
Munich
80333
Germany
davide.licalsi@tum.de
TQSD Technische Universität München
Theresienstraße 90
Munich
80333
Germany
paul.kohl@tum.de
TQSD Technische Universität München
Theresienstraße 90
Munich
80333
Germany
jin.choi@tum.de
TQSD Technische Universität München
Theresienstraße 90
Munich
80333
Germany
janis.noetzel@tum.de
General
Quantum Internet Research Group
From the communication viewpoint, qubits are different
from classical bits. A qubit may be transmitted directly but it can’t
be cloned or measured without altering its state, so existing copy-and-resend
schemes can’t be used to handle a transmission failure.
Moreover, in some cases, the sender does not know the state of the transmitted
qubit, so a qubit loss may cause irrevocable damage. This draft
presents the causes of transmission failures, and analyses the
vulnerabilities of several crypto protocols that such defects
may bring forth. Thus, quantum teleportation is highly recommended
for certain applications.
Introduction
Despite our efforts to mitigate this phenomenon, real
networks are subject to packet losses. The problem is still
present in classical communication, where it causes disruptions
to communications requiring retransmissions.
The problem is a consequence of several phenomena
such as network congestion, strong channel noise, and hardware/software faults.
Quantum communication is much more sensitive to noise than classical
communication due to the physical nature of the communication medium.
Because of that, it is reasonable to assume that data losses will eventually
occur in real quantum communication systems.
While classically this is often regarded as a threat to communication performance,
in quantum communications it also threatens the security
of some protocols. In fact, several quantum cryptography
protocols are provably secure because attackers
can only access a single copy of some target quantum state and
cannot clone quantum information. For instance,
the majority of QKD protocols assume that Alice and Bob exchange qubits once and no
retransmission is needed, although some qubits might be
lost. If we drop these assumptions, the security of such
protocols is threatened, although with varying degrees.
While some protocols can tolerate replicas of quantum
states, others suffer much more from these attacks, and
could potentially be broken. The threat is a consequence
of the fact that losses and malicious man-in-the-middle attacks
are fundamentally indistinguishable. When some
packet is lost in classical or quantum networks, it is impossible to tell
whether that happened due to innocent errors or due to
malicious agents. While classical cryptography is agnostic to how many copies of
some message the attacker can access (that is, possessing
m > 1 copies of some message will not help the attacker),
the same cannot be claimed for most quantum cryptography protocols.
In the following we consider some cryptographic
primitives using quantum states to defend
against attackers. We show attacks based on the presence
of data losses threatening their security or practicality,
and discuss possible mitigations.
Problems of direct transmission
Quantum information limit
Qubits may be directly transmitted
by encoding them into a physical medium, such as photons
and sending them over a quantum channel, e.g. an optical fiber.
However, a qubit is more vulnerable to a link failure than a classical bit,
so direct transmission may cause serious, even irrevocable, problems.
In fact, quantum states are often rather fragile to environmental noise, so a transmission failure in the direct link is more likely.
Furthermore, the qubit's state description and evolution are governed by the laws of quantum mechanics,
such as the quantum measurement postulate and the no-cloning theorem.
The latter entails the severe constraint that it’s impossible
to read and copy an arbitrary unknown qubit without altering its state.
Hence, the classical recovery mechanisms such as copy-and-retransmission
are often unfeasible.
In some quantum applications, e.g. BB84 QKD,
a sender may know the state of the qubit to send,
so, in case of a link failure it can prepare and resend the same state.
However, for some applications this is not possible.
For example, a bank may issue a quantum banknote
(using Wiesner’s scheme for quantum money) to a user.
If the user sends the banknote's qubits to the bank for verification via direct transmission,
and (some part of) the banknote is lost just once due to a link failure, then it cannot be recovered.
That is because the user has no idea of the state of the quantum banknote, else he
would be able to generate an arbitrarily high number of copies and break the scheme.
Even when a retransmission is possible, that may result in a security vulnerability.
Several quantum cryptography protocols rely on the characteristic that qubits can’t be copied.
However, retransmission may allow a malicious node to acquire a copy of the state.
For example, as we will see later, some Quantum Public Key schemes
assume that only a limited number of public keys are distributed. An attacker may falsely claim a link failure
and acquire another copy of the public key to compute the matching private key.
Transmission limit
Transmission is limited by different phenomena in the real world.
We will focus on fibre optical networks here, as they are widely employed commercially.
There are different mechanisms of loss which can occur in optical fibres, resulting in insertion loss, e.g.
intrinsic absorption/scattering,
dispersion,
absorption due to splicing/connections,
Radiation Induced Attenuation, and
micro and macrobends.
Additionally there is return loss caused by reflection of signal at material interfaces.
Polarisation can be another source of losses as polarisation is not necessarily (perfectly) maintained in
transmission and also source and receiver may have a polarisation dependence.
In theory one could use a single fibre to connect two endpoints avoiding splicing and connections, and also use
perfectly straight fibre, resulting in no loss due to bends.
Additionally radiation induced attenuation due to cosmic radiation and the like cannot be easily quantified.
Thus we will focus here on intrinsic absorption, dispersion and polarisation as they are more independent of
a specific implementation.
Absorption due to Material Choice
Optical fibres exhibit losses when light is transmitted through them like any other material.
Obviously optical fibres are engineered such that losses of light are minimised, but some absorption is
intrinsic. If one looks at the intrinsic properties of the fibres it is evident which wavelengths are
advantageous. These wavelengths are often employed in telecommunication applications. Generally fibre optical
networks use silica (SiO2) fibres with very little attenuation in the infrared (IR) range. The light with
wavelengths from 600 nm to 1800 nm exhibits low absorption in silica fibres.
There are different local minima in those ranges, which are created by different loss mechanisms in the fibres.
With increasing wavelength λ the elastic scattering on particles with diameter d ≪ λ is governed by the Rayleigh
scattering cross-section Cs,λ ∝ 1/λ^4. This means increasing λ yields lower attenuation.
This is counteracted by the increasing absorption of IR by SiO2 with increasing wavelength. Additionally, there is
the OH⁻ absorption peak around ∼ 1440 nm. This results in the lowest attenuations in the so-called O-band around
∼ 1310 nm and the so-called C-band around ∼ 1550 nm, which includes the global minimum of attenuation.
The O-band is worth mentioning because it includes the region of zero wave packet dispersion, which minimises signal
distortion due to chromatic effects, and because using the same
fibre for classical communication and quantum key distribution (QKD) via Wavelength Division Multiplexing (WDM)
works best for the O-band in metropolitan area networks. This explains the choice
of wavelength bands used in telecommunication, but also shows that even in the best-case scenario there is
absorption of around 0.2 dB/km in commercial networks using the C-band. It would be possible to consider
hollow-core optical fibres to reduce absorption and achieve a generally different behaviour, but those fibres
are not widely employed in commercial networks (yet?). Additionally, this does not change the general principle that
there always will be intrinsic losses. In quantum communication applications encoding qubits e.g. in the polarisation
of single photons this loss mechanism may lead to problems, as physical qubits may be lost in transmission. To
mitigate this, one would for example employ error correction procedures which encode the information of one logical
qubit in multiple physical ones, where the number of physical qubits is high enough to correct errors arising from
missing photons due to absorptive effects in transmission. On the other hand, encoding of information into laser
pulses in different time bins – i.e. arrival times of photons – may not suffer as strongly from absorption. So in
summary – depending on the encoding of information into a physical property of the sent photons – absorption may
pose a significant challenge.
Dispersion and Spectral Broadening
Another fundamental effect which may be problematic in transmission is dispersion – i.e. wavelength dependency of
the refractive index in a material. This may lead to broadening of a pulse with nonzero spectral linewidth
(nonzero linewidth is unavoidable in reality), because the different frequencies the light is consisting of travel
with different velocities through the medium. This broadens the pulse temporally.
Similarly there is also spectral broadening. Even atomic transitions are not able to produce perfectly monochromatic
light. Some intrinsic effects produce a Lorentzian distribution of wavelengths in the best case, while accounting for
thermal effects produces a Gaussian distribution. This broadening might contribute to losses due
to wavelength-dependent efficiency of detectors. Also absorption is wavelength dependent as shown above, thus it may
also lead to attenuation in this way. It is also obvious that a finite energy pulse of light which broadens spectrally
has to obey conservation of energy, that means the same amount of energy has to be spread over more wavelengths than
before, implying that the energy spreads as well, reducing the amplitude of the peak as a whole.
The problem with dispersion is the following: As quantum computation and e.g. quantum repeaters with photons rely on
two-photon interference (Hong-Ou-Mandel effect), photons need to be indistinguishable, i.e. identical in every respect.
Dispersion introduces variation in the photon wave packet, impacting the success rate of quantum operations.
Especially if photons travel through different paths, dispersion will introduce some distinguishability, which might
prove fatal. As mentioned before, in the O-band around 1310 nm photons exhibit zero wave
packet dispersion in SiO2 fibres. Thus, depending on the requirements and structure of a
specific setup or protocol implementation, it may be advisable to choose the C-band if dispersion effects can be
mitigated – e.g. if all photons traverse the same fibre or they do not have to interfere, but have to travel longer
distances – while choosing the O-band in applications where dispersion might hinder interference. The concept of
the soliton is worth mentioning in this context, as in this case nonlinear effects and dispersion cancel.
So if one is able to generate solitons, one is able to counteract the effects of dispersion. This might be a route
to construct physical systems circumventing this problem.
Polarisation dependency
Depending on application and encoding the polarisation of light is instrumental in quantum cryptography (often QKD
protocols use polarisation encoding). Thus, it is important to note that in transmission in a real fibre (even a
polarisation maintaining (PM) fibre) the polarisation is not maintained perfectly. This can be measured via the
polarisation extinction ratio (PER) given in [dB]. Thus over long distances it is possible that the polarisation
state of light is altered, which may result in loss of quantum information. Additionally, many optical components
have a polarisation dependence with different efficiencies for the different polarisation states, e.g. detectors may
have a higher sensitivity for one polarisation rather than the other, resulting in statistically skewed results.
In consequence one has to calculate the impact of all of these effects in a given setup and ponder if this significantly
impacts the given system.
Transduction limit
Not only the transmission limits are a concern, but also the transduction limits. Transduction limits would be the limiting
factors, which are not due to the actual losses in transmission, but due to the losses which occur in the conversion from
flying qubits to stationary qubits and vice versa.
This is obviously highly dependent on the implementation of a given system, but normally one uses photons as flying qubits,
which have to interface with a system used as a stationary qubit. These light-matter interactions can be described by cavity
quantum electrodynamics (QED).
Typically in cavity QED one considers a matter Two-Level System (TLS) in a resonator cavity. This matter system would then
be the stationary qubit and light entering the cavity to interact with the matter TLS would be the flying qubit to be
transduced. The complete system's dynamics are determined by different properties: The emitter decay rate γ is the rate of
decay of the TLS into the cavity mode, which is often approximated by the lifetime τ of the excited state in the TLS via
γ ≈ 1/τ. The cavity loss rate κ is the rate of photons exiting the cavity, which is determined by the quality factor Q of
the resonator: κ ∝ 1/Q. Also very important is the coupling strength g0 between TLS and photon, which is dependent on the
mode volume V0 of the resonator: g0 ∝ √(1/V0).
The cavities built around the TLS can take different forms. There are e.g. micropillar resonators which use the principle
of the Fabry-Pérot interferometer with Q ∼ 2000 and V0 = 5 · (λ/n)^3 where n is the refractive index inside the cavity and
λ is the wavelength of the emitted light from the TLS, microsphere cavities with Q ∼ 8 · 10^9 and V0 ∼ 3000 μm^3, or
photonic crystals with Q ∼ 13000 and V0 = 1.2 · (λ/n)^3. Those are some cavities which can be built
around the TLS according to one's requirements. Those TLS include for example semiconductor quantum dots (QDs). It has been
shown that InAs QDs can have electron spin lifetimes exceeding 1 s (albeit in this case the QD was charged electrically).
In the case of QDs, it has to be kept in mind that normally the spin coherence times seem to be more on
the order of tens of microseconds, but they have excellent optical properties which allow efficient generation of spin-photon
entanglement. Other material systems like vacancy centers in diamond exhibit spin coherence times of whole seconds but with low
emission efficiencies. So there seems to be a tradeoff between advantageous spin and photonic
properties. Spin decoherence also limits the lifetimes of stationary qubits apart from the losses in transduction. With such
information one could estimate how well a flying qubit can be transduced to a stationary one and how well the stationary qubit
can be preserved.
Vulnerabilities
Several protocols in quantum cryptography found their
security upon (at least one of) two core assumptions:
 Bounded copies: adversaries have up to N copies
of some quantum state, with N depending on the
protocol. In some cases, N = 1.
 Unknown State: despite holding one or more copies of some state |ψ⟩,
adversaries do lack information on what state they hold.
Despite such assumptions being theoretically sound and convenient,
the limits presented in Section 2 jeopardize their validity.
This may lead to protocol-specific attacks,
either leaking partial information
or completely breaking the protocol’s security or usability.
In the following, we explain how such a vulnerability may result in
an attack against popular quantum cryptographic protocols.
Attacks to public-key encryption and digital signature
We start by considering the quantum public-key encryption scheme
devised by .
Such a protocol is a fit example, as it bases its security on both the aforementioned assumptions.
In fact, it supposes an upper bound to the number of distributed public keys,
and that public key holders do not know which state they hold.
If one of these assumptions is broken, it is trivial to leak the private key
from the quantum public key.
We can compute the upper limit of N based on acceptable security risk.
Suppose that Alice generates m′ copies of her public key, with m′ less than N,
and distributes them in a quantum network.
Due to the inherent limits of telecommunication,
it is likely that some of these quantum keys are lost.
However, the cause for this loss is quite tricky and could be one of the following:
 Benign faults: the quantum key is lost forever due to unforeseeable hazards.
 Malicious attack: some attacker could fake a hazard and steal the quantum key for future attacks.
The two situations are indistinguishable to Alice, as
she does not have a global view of what happens in the
network. Therefore, Alice has two options when some
agent claims a public key loss:
 Optimism: Alice trusts the claim, i.e., she believes
it was the consequence of a benign fault. She then
prepares one or more copies of the public key, and
retransmits them.
 Pessimism: Alice does not trust the claim, as she
fears it is the result of a malicious attack. She will
not replace the lost quantum key.
A pessimistic policy works from a security viewpoint, but jeopardizes the protocol's usability.
In fact, if Alice misjudges and the loss resulted from benign faults, then
benign users will no longer be able to encrypt a message for Alice,
as they lack the public key to run encryption. On the other hand, an
optimistic policy guarantees enough public key copies for every user,
but may jeopardize the protocol's security.
Malicious users could exploit this policy to collect enough public key
copies, measure them, and find the private key.
A similar reasoning holds for the quantum digital signature scheme
by Gottesman and Chuang. The latter distributes quantum public keys obtained
from a classical private key via a classical-quantum one-way function.
The one-way property follows again from the bounded-copies assumption.
What if one public key copy is lost? If Alice
plays optimistically, malicious users can exploit her trust
to gather several public key copies. If such an action is repeated over time,
it can lead to information leakage and
possibly an inversion of the one-way function. On the
other hand, if Alice plays pessimistically, benign users
who lost a public key due to noise will be unable to
verify signatures.
Attacks to authentication
In the following, we show how the phenomenon of data
loss may jeopardize the security of some authentication
protocols. Hong et al.’s protocol is based on measuring
single photons for m rounds, and implicitly makes the
bounded-copies assumption. It is assumed that Alice and Bob
pre-share a classical secret key, and at authentication time they verify that
their keys are the same. For this purpose Bob encodes two classical key bits into
one state from {|0⟩, |1⟩, |+⟩, |−⟩} according to predefined rules, then sends it to Alice for verification.
To prove the protocol’s security, they assume that at
authentication time Alice and Bob are able to send and
measure each photon once. Let us now assume that some
losses occur when Bob prepares a photon in position i in
state |ψ_i⟩ ∈ {|0⟩, |1⟩, |+⟩, |−⟩}. If Bob acts optimistically,
he will prepare a copy of state |ψ_i⟩ and resend it to Alice.
The latter could possibly happen m times, depending on the number of faults.
This allows malicious users to exploit this behavior and accumulate m copies
of state |ψ_i⟩, then use them to distinguish which of the four possible states it is.
This allows adversaries to leak the corresponding key bits k_i.
On the other hand, if Bob plays pessimistically, he will not resend state |ψ_i⟩.
This scenario may lead to security issues or impracticality depending
on which policy Alice takes. If Alice decides to skip that position,
the protocol’s security decreases, since attackers with a partial knowledge
of the shared key can still be successfully authenticated.
The attacker may simply claim that his qubit was lost, and still pass authentication.
On the other hand, if Alice is intransigent, she may just reject Bob’s authentication attempt,
and ask him to reattempt later. While that works fine when data losses are occasional accidents,
current and future quantum technologies will likely undergo a loss rate such
that with a high probability one loss will occur in every protocol.
This implies that even an honest Bob will likely be unable to prove his identity,
as most authentication attempts will fail due to Alice’s intransigent policy.
Although security measures such as random decoy states and
a thresholding mechanism to prevent an exceedingly high number of lost
states can be employed, such mechanisms do not prevent all qubit-loss-based attacks,
as they require restrictive assumptions to work, such as knowledge of
the physical communication link or passive adversaries.
Other proposals are more resilient to lost qubits.
Kanamori’s protocol uses a random session key ϕ
to mask the information on the classical pre-shared key.
In the case of a single qubit, even if an attacker with no a priori knowledge
intercepts it, they can't extract any information from it, as they would only
receive a maximally mixed state that is independent of the secret key.
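To put numbers on the optimistic-resend risk described above, the following added example (not code from the draft or from the cited protocols) computes the exact probability that an eavesdropper holding several identical copies of |ψ_i⟩ names the state. It assumes a uniform prior over the four states and a simple strategy of alternating Z- and X-basis measurements followed by a maximum-likelihood guess, so the result is a lower bound on what an adversary can achieve; the function names, including `retransmission_budget`, are hypothetical.

```python
from fractions import Fraction
from itertools import product

# The four single-photon states named in the text, written as (basis, bit):
# |0> = ("Z", 0), |1> = ("Z", 1), |+> = ("X", 0), |-> = ("X", 1)
STATES = [("Z", 0), ("Z", 1), ("X", 0), ("X", 1)]


def outcome_prob(state, basis, outcome):
    """Born-rule probability of `outcome` when `state` is measured in `basis`."""
    prep_basis, bit = state
    if prep_basis == basis:
        return Fraction(int(outcome == bit))  # same basis: deterministic
    return Fraction(1, 2)                     # conjugate basis: uniform


def identification_probability(copies):
    """Exact probability of naming the state from `copies` identical copies.

    Assumed strategy: measure the copies alternately in Z and X, then make
    the maximum-likelihood guess. Assumed prior: uniform over the 4 states.
    """
    bases = ["Z" if i % 2 == 0 else "X" for i in range(copies)]
    success = Fraction(0)
    for outcomes in product((0, 1), repeat=copies):
        joint = []
        for state in STATES:
            p = Fraction(1, 4)  # prior
            for basis, outcome in zip(bases, outcomes):
                p *= outcome_prob(state, basis, outcome)
            joint.append(p)
        # The best guess for this outcome string succeeds with the largest
        # joint probability among the four candidate states.
        success += max(joint)
    return success


def retransmission_budget(max_leak, limit=12):
    """Largest number of resends of the SAME state that keeps the
    identification probability <= max_leak, or None if even the first
    transmission already exceeds it. `limit` caps the search."""
    allowed = None
    for resends in range(limit):
        if identification_probability(resends + 1) <= max_leak:
            allowed = resends
        else:
            break
    return allowed


if __name__ == "__main__":
    for m in range(0, 9):
        print(m, identification_probability(m))
    print("resends allowed at 3/4 leak:", retransmission_budget(Fraction(3, 4)))
```

Each state carries two key bits, so the returned probability is the chance that both bits of position i leak; it reaches 1/2 with a single copy and grows with every pair of resends.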
Attacks to quantum money
Wiesner’s quantum money also relies on the
bounded-copies and unknown-state assumptions. If one
possesses several copies of the same quantum note, one
may use them to attack the scheme. Specifically, they
can use simple measurements and operations to learn
the note’s quantum state, and produce arbitrarily many copies.
Let's consider a quantum note with n qubits.
If an attacker wants to cheat with probability δ,
it needs approximately m copies of the note where m = log_2(1δ^(1/n)).
We remark that once the attack is repeated for all the
n qubits, you know all their bases and values, and may
therefore forge as many banknotes as you like.
Now, suppose a user claims that a quantum note was lost.
If Alice acts optimistically and reissues the banknote,
some attacker can exploit this to gather copies of the note and
later run the attack. On the other hand, Alice could act
pessimistically and refuse to reissue the lost qubits.
Although this preserves the protocol’s security, it prevents
benign users from verifying the note in the future.
Attacks to Oblivious Transfer
The BBCS protocol is extremely sensitive to multi-copy attacks.
In fact, suppose that Bob obtains two copies of the qubits generated by Alice in the BB84 phase.
He may run a very simple attack:

Measure each qubit of the first copy in the computational basis

Measure each qubit of the second copy in the Hadamard basis

Once Alice has revealed her true bases, Bob keeps
the measurement outcomes obtained by measuring
in the right basis
Such a simple attack allows him to learn both messages with certainty.
Hence, if Alice receives the claim of a lost BB84 qubit,
she must play pessimistically and refuse to resend it.
Fortunately, in this scenario, Alice may get away with a simple counterattack:
because the BB84 phase happens at an early stage,
she may prepare a different random BB84 state and send it to Bob.
This preserves the protocol’s correctness at no security cost.
Furthermore, re-preparing a random qubit comes
with negligible overhead, thus preserving the protocol’s practicality.
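The two responses to a loss claim in the BB84 phase can be compared in a small simulation. This is an added example, not part of the draft or of the BBCS specification: it assumes Bob claims every qubit lost exactly once, and the policy names `resend_same` and `fresh_random` and all function names are hypothetical.

```python
import random


def measure(prep_basis, bit, meas_basis, rng):
    """Measure a BB84 state: exact in its own basis, a coin flip otherwise."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def fresh_bb84(rng):
    """Alice picks a uniformly random BB84 state as (basis, bit)."""
    return rng.choice("ZX"), rng.randrange(2)


def certain_fraction(n, policy, seed=0):
    """Fraction of positions whose bit Bob holds with certainty after Alice
    reveals her bases, when he measures the first copy in Z, claims it was
    lost, and measures whatever Alice sends next in X.

    resend_same  : Alice re-prepares the identical state (weak policy).
    fresh_random : Alice replaces the position with a new random state and
                   records only the new one (the mitigation in the text).
    """
    if policy not in ("resend_same", "fresh_random"):
        raise ValueError(f"unknown policy: {policy}")
    rng = random.Random(seed)  # seeded so the run is reproducible
    certain = 0
    for _ in range(n):
        basis, bit = fresh_bb84(rng)
        outcomes = {"Z": measure(basis, bit, "Z", rng)}  # first copy
        if policy == "fresh_random":
            basis, bit = fresh_bb84(rng)  # Alice's record now refers to this
            outcomes = {}                 # old outcome describes a dead state
        outcomes["X"] = measure(basis, bit, "X", rng)    # second transmission
        # Bob is certain only if he holds an outcome taken in Alice's basis.
        if basis in outcomes:
            assert outcomes[basis] == bit
            certain += 1
    return certain / n


if __name__ == "__main__":
    for policy in ("resend_same", "fresh_random"):
        print(policy, certain_fraction(4000, policy))
```

Under `fresh_random` the fraction stays near one half, which is what an honest receiver measuring each qubit once in a random basis obtains anyway.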
Conclusion
Quantum teleportation
Overall, in some cases, direct transmission of a qubit is problematic
because of its quantum characteristics, e.g., no cloning.
For some applications a transmission failure may cause irrevocable damage.
Even if a sender can retransmit a qubit in case of a failure
, e.g. ,
this may bring forth a security breach.
We believe that the risks described above can be mitigated
by sharing entangled pairs between a sender and a receiver over the (imperfect) link
and then performing the quantum teleportation procedure.
Usually, it’s easier to directly transmit a qubit in a known state
than one in an unknown state. Hence, since the EPR pairs that we
wish to exchange have a known state, it is safe to assume they are
technically simpler to transmit.
Although a problem during an entanglement swapping may arise,
such failure can be recovered with enough trials. Such a failure is,
unlike other aforementioned failures, perfectly recoverable.
Moreover, entangled pairs can be stored in the form of a matter qubit.
Hence, the result of quantum computation
can be directly transferred without going through a transducer, thus
reducing the chance of qubit losses.
Finally, direct transmission allows a man-in-the-middle to intercept
a quantum state fairly easily. If qubits are teleported rather than directly
transmitted, such an attack is no longer feasible. In fact, the man-in-the-middle
can only intercept the two classical bits required to finalize
the teleportation protocol. However, such bits only provide information
on how the receiver should transform their local state to
obtain the input state, and are essentially meaningless to the attacker.
As indicates, we may, in turn,
create link-local entanglement between neighboring nodes,
establish end-to-end entanglement with entanglement swapping,
then perform distillation to improve the fidelity.
Using entangled pairs of high enough fidelity,
we may use quantum teleportation to send even an irrecoverable quantum state.
Teleportation is therefore a powerful tool, but it introduces new
questions and problems. For instance, using teleportation for cryptographic
purposes not only requires correct pre-shared entanglement, but also
trustworthy entangled states. Entangled states should come with some form
of cryptographically secure certificate proving that the received
states are indeed entangled with the intended receiver.
Furthermore, for some crypto primitives, prescribing pre-shared entangled states
leads to circular requirements. In fact, if trustworthy pre-shared entanglement
is required for authentication, then the two users must have already run
some form of authentication when sharing entanglement, else they have no
guarantees of being entangled with the correct user.
Security by design
As argued above, some protocols are secure by design. We have already cited
the BBCS and Kanamori’s authentication protocol, but more are likely to exist.
For instance, repeating the same reasoning showing BBCS' security, one may
find a simple mitigation for BB84 QKD. These proposals base their security
on randomness, either as a form of masking/encryption or because they send
some random quantum states that do not encode secret information.
Security by design has lightweight requirements compared to teleportation,
as it does not pose the problem of trustworthy entanglement sharing and storage.
However, it is considerably harder for cryptographers to design a quantum protocol
that is inherently resilient to message losses. Hence, in future applications, a hybrid
use of both mitigations is advised.
IANA Considerations
This memo includes no request to IANA.
Security Considerations
This document does not introduce any new security considerations.
References
Informative References
Optical characterisation of telecommunication wavelength quantum dots
Master’s Thesis, Technical University of Munich
Thermal radiation heat transfer, seventh ed.
Semiconductor Quantum Optics at Telecom Wavelengths
Ph.D. thesis, KTH
InAs quantum dots grown on metamorphic buffers as non-classical light sources at telecom C-band
a review, Semiconductor Science and Technology 34
The limits of multiplexing quantum and classical channels: Case study of a 2.5 GHz discrete variable quantum key distribution system
Applied Physics Letters 119, 124001
Quantum Optics: An Introduction
Master Series in Physics, Vol. 15 (Oxford University Press)
Optical Solitons: Theory and Experiment
Lecture notes in photonic quantum technologies
summer semester
Fundamental limits of electron and nuclear spin qubit lifetimes in an isolated self-assembled quantum dot
npj Quantum Information 7
Optical charge injection and coherent control of a quantum-dot spin-qubit emitting at telecom wavelengths
Nature Communications 13
Applications of single-qubit rotations in quantum public-key cryptography
Physical Review A 77
Quantum digital signatures
arXiv:quant-ph/0105032 [quant-ph]
Quantum identity authentication with single photon
Quantum Information Processing 16
On quantum authentication protocols
GLOBECOM ’05
Conjugate coding
SIGACT News 15
Quantum cryptography: Public key distribution and coin tossing
Diamond NV centers for quantum computing and quantum networks
MRS Bulletin volume 38
Practical quantum oblivious transfer
Advances in Cryptology — CRYPTO ’91
Acknowledgements
This work was financed by the DFG via grant NO 1129/21 (JN) and by the BMBF via grants 16KISQ039 (JHC), 16KISQ077 (DLC) and 16KISR026 (PK). The authors acknowledge the financial support by the Federal Ministry of Education and Research of Germany in the programme of “Souverän. Digital. Vernetzt.”. Joint project 6Glife, project identification number: 16KISK002