]> TQSD Technische Universität München

Theresienstraße 90 Munich 80333 Germany davide.li-calsi@tum.de

TQSD Technische Universität München

Theresienstraße 90 Munich 80333 Germany paul.kohl@tum.de

TQSD Technische Universität München

Theresienstraße 90 Munich 80333 Germany jin.choi@tum.de

TQSD Technische Universität München

Theresienstraße 90 Munich 80333 Germany janis.noetzel@tum.de

General Quantum Internet Research Group keyword From the communication viewpoint, qubits are different from classical bits. A qubit may be transmitted directly but it can’t be cloned or measured without altering its state, so existing copy-and-resend schemes can’t be used to handle a transmission failure. Moreover, in some cases, the sender does not know the state of the transmitted qubit, so a qubit loss may cause irrevocable damage. This draft presents the causes of transmission failures, and analyses the vulnerabilities of several crypto protocols that such defects may bring forth. Thus, quantum teleportation is highly recommended for certain applications.

Introduction Despite our efforts to mitigate this phenomenon, real networks are subject to packet losses. The problem is still present in classical communication, where it causes disruptions to communications requiring re-transmissions. The problem is a consequence of several phenomena such as network congestion, strong channel noise, and hardware/software faults. Quantum communication is much more sensitive to noise than classical communication due to the physical nature of the communication medium. Because of that, it is reasonable to assume that data losses will eventually occur in real quantum communication systems. While classically this is often regarded as a threat to communication performance, in quantum communications it also threatens the security of some protocols. In fact, several quantum cryptography protocols are provably secure because attackers can only access a single copy of some target quantum state and cannot clone quantum information. For instance, the majority of QKD protocols assume that Alice and Bob exchange qubits once and no retransmission is needed, although some qubits might be lost. If we drop these assumptions, the security of such protocols is threatened, although with varying degrees. While some protocols can tolerate replicas of quantum states, others suffer much more from these attacks, and could potentially be broken. The threat is a consequence of the fact that losses and malicious man-in-the-middle attacks are fundamentally indistinguishable. When some packet is lost in classical or quantum networks, it is impossible to tell whether that happened due to innocent errors or due to malicious agents. While classical cryptography is agnostic to how many copies of some message the attacker can access, (that is possessing m>1 copies of some message will not help the attacker) the same cannot be claimed for most quantum cryptography protocols. In the following we consider some cryptographical primitives using quantum states to defend against attackers. We show attacks based on the presence of data losses threatening their security or practicality, and discuss possible mitigations.

Problems of direct transmission

Quantum information limit Qubits may be directly transmitted by encoding them into a physical medium, such as photons and sending them over a quantum channel, e.g. an optical fiber. However, a qubit is more vulnerable to a link failure than a classical bit, so direct transmission may cause some serious, even irrevocable problem. In fact quantum states often are rather fragile to environmental noise, so a transmission failur in the direct link is more likely. Furthermore, the qubit's state description and evolution is governed by the laws of quantum mechanics, such as the quantum measurement postulate and the no-cloning theorem. The latter entails the severe constraint that it’s impossible to read and copy an arbitrary unknown qubit without altering its state. Hence, the classical recovery mechanisms such as copy-and-retransmission are often unfeasible. In some quantum applications, e.g. BB84 QKD a sender may know the state of the qubit to send, so, in case of a link failure it can prepare and resend the same state. However, for some applications this is not possible. For example, a bank may issue a quantum banknote (using Wiesner’s scheme for quantum money ) to a user. If the user sends the banknote's qubits to the bank for verification via direct transmission, and (some part of) the banknote is lost just once due to a link failure, then it cannot be recovered. That is because the user has no idea of the state of the quantum banknote, else he would be able to generate an arbitrarily high number of copies and break the scheme. Even when a retransmission is possible, that may result in a security vulnerability. Several quantum cryptography protocols rely on the characteristic that qubits can’t be copied. However, retransmission may allow a malicious node to acquire a copy of the state. For example, as we will see later, some Quantum Public Key scheme , assumes only limited number of public keys are distributed. An attacker may falsely claim a link failure and acquire another copy of public key to compute the matching private key.

Transmission limit Transmission is limited by different phenomena in the real world. We will focus on fibre optical networks here, as they are widely employed commercially. There are different mechanisms of loss which can occur in optical fibres, resulting in insertion loss e.g. intrinsic absorption/scattering, dispersion, absorption due to splicing/connections, Radiation Induced Attenuation, and micro- and macrobends. Additionally there is return loss caused by reflection of signal at material interfaces. Polarisation can be another source of losses as polarisation is not necessarily (perfectly) maintained in transmission and also source and receiver may have a polarisation dependence. In theory one could use a single fibre to connect two endpoints avoiding splicing and connections, and also use perfectly straight fibre, resulting in no loss due to bends. Additionally radiation induced attenuation due to cosmic radiation and the like cannot be easily quantified. Thus we will focus here on intrinsic absorption, dispersion and polarisation as they are more independent of a specific implementation.

Absorption due to Material Choice Optical fibres exhibit losses when light is transmitted through them like any other material. Obviously optical fibres are engineered in a way, s.t. losses of light are minimised, but some absorption is intrinsic. If one looks at the intrinsic properties of the fibres it is evident which wavelengths are advantageous. These wavelengths are often employed in telecommunication applications. Generally fibre optical networks use silica (SiO2) fibres with very little attenuation in the infrared (IR) range. The light with wavelengths from 600 nm to 1800 nm exhibits low absorption in silica fibres. There are different local minima in those ranges, which are created by different loss mechanisms in the fibres. With increasing wavelength λ the elastical scattering on particles with diameter d ≪ λ is governed by the Rayleigh scattering cross-section Cs,λ ∝ 1/λ^4. This means increasing λ yields lower attenuation. This is counteracted by the increasing absorption of IR by SiO2 with increasing wavelength. Additionally, there is the OH– absorption peak around ∼ 1440 nm. This results in the lowest attenuations in the so-called O-band around ∼ 1310 nm and the so-called C-band around ∼ 1550 nm which includes the global minimum of attenuation. The O-band is worth mentioning, because it includes the region for zero wave packet dispersion, which minimises signal distortion due to chromatic effects and also using the same fibre for classical communication and quantum key distribution (QKD) via Wavelength Division Multiplexing (WDM) works best for the O-band in metropolitan area networks. This explains the choice of wavelength bands used in telecommunication, but also shows that still in the best case scenario there is absorption of around 0,2 dB/km in commercial networks using the C-band. It would be possible to consider hollow-core optical fibres to reduce absorption and achieve an in general different behaviour, but those fibres are not widely employed in commercial networks (yet?). Additionally, this does not change the general principle that there always will be intrinsic losses. In quantum communication applications encoding qubits e.g. in the polarisation of single photons this loss mechanism may lead to problems, as physical qubits may be lost in transmission. To mitigate this, one would for example employ error correction procedures which encode the information of one logical qubit in multiple physical ones, where the number of physical qubits is high enough to correct errors arising from missing photons due to absorptive effects in transmission. On the other hand, encoding of information into laser pulses in different time bins – i.e. arrival times of photons – may not suffer as strongly from absorption. So in summary – depending on the encoding of information into a physical property of the sent photons – absorption may pose a significant challenge.

Dispersion and Spectral Broadening Another fundamental effect which may be problematic in transmission is dispersion – i.e. wavelength dependency of the refractive index in a material. This may lead to broadening of a pulse with non-zero spectral linewidth (non-zero linewidth is unavoidable in reality), because the different frequencies the light is consisting of travel with different velocities through the medium. This broadens the pulse temporally. Similarly there is also spectral broadening. Even atomic transitions are not able to produce perfectly monochromatic light. Some intrinsic effects produce a Lorentzian distribution of wavelengths in the best case, while accounting for thermal effects produces a Gaußian distribution. This broadening might contribute to losses due to wavelength-dependent efficiency of detectors. Also absorption is wavelength dependent as shown above, thus it may also lead to attenuation in this way. It is also obvious that a finite energy pulse of light which broadens spectrally has to obey conservation of energy, that means the same amount of energy has to be spread over more wavelengths than before, implying that the energy spreads as well, reducing the amplitude of the peak as a whole. The problem with dispersion is the following: As quantum computation and e.g. quantum repeaters with photons rely on two-photon interference (Hong-Ou-Mandel effect), photons need to be indistinguishable, i.e. identical in every respect. Dispersion now introduces variation in the photon wavepacket impacting the success rate of quantum operations. Especially if photons travel through a different path dispersion will introduce some distinguishability, which might prove fatal. As mentioned before in the O-band around 1310 nm photons exhibit zero wave packet dispersion in SiO2 fibres. Thus, depending on the requirements and structure of a specific setup or implementation of protocol it may be advisable to choose the C-band if dispersion effects can be mitigated – e.g. if all photons traverse the same fibre or they do not have to interfere, but have to travel longer distances – while choosing the O-band in applications where dispersion might hinder interference. The concept of soliton is worth mentioning in this context, as in this case nonlinear effects and dispersion cancel. So if one is able to generate solitons one is able to counteract the effects of dispersion. This might be a route construct physical systems circumventing this problem.

Polarisation-dependency Depending on application and encoding the polarisation of light is instrumental in quantum cryptography (often QKD protocols use polarisation encoding). Thus, it is important to note that in transmission in a real fibre (even a polarisation maintaining (PM) fibre) the polarisation is not maintained perfectly. This can be measured via the polarisation extinction ratio (PER) given in [dB]. Thus over long distances it is possible that the polarisation state of light is altered, which may result in loss of quantum information. Additionally, many optical components have a polarisation dependence with different efficiencies for the different polarisation states, e.g. detectors may have a higher sensitivity for one polarisation rather than the other, resulting in statistically skewed results. In consequence one has to calculate the impact of all of these effects in a given setup and ponder if this significantly impacts the given system.

Transduction limit Not only the transmission limits are a concern, but also the transduction limits. Transduction limits would be the limiting factors, which are not due to the actual losses in transmission, but due to the losses which occur in the conversion from flying qubits to stationary qubits and vice versa. This is obviously highly dependent on the implementation of a given system, but normally one uses photons as flying qubits, which have to interface with a system used as a stationary qubit. These light-matter interactions can be described by cavity quantum electrodynamics (QED). Typically in cavity QED one considers a matter Two-Level System (TLS) in a resonator cavity. This matter system would then be the stationary qubit and light entering the cavity to interact with the matter TLS would be the flying qubit to be transduced. The complete systems dynamics are determined by different properties: The emitter decay rate γ is the rate of decay of the TLS into the cavity mode, which is often approximated by the lifetime τ of the excited state in the TLS via γ ≈ 1/τ. The cavity loss rate κ is the rate of photons exiting the cavity, which is determined by the quality factor Q of the resonator: κ ∝ 1/Q. Also very important is the coupling strength g0 between TLS and photon, which is dependent on the mode volume V0 of the resonator: g0 ∝ √1/V0. The cavities built around the TLS can take different forms. There are e.g. micropillar resonators which use the principle of the Fabry-Pérot interferometer with Q ∼ 2000 and V0 = 5 · (λ/n)^3 where n is the refractive index inside the cavity and λ is the wavelength of the emitted light from the TLS, microsphere cavities with Q ∼ 8 · 10^9 and V0 ∼ 3000 μm^3, or photonic crystals with Q ∼ 13000 and V0 = 1,2 · (λ/n)^3. Those are some cavities which can be built around the TLS according to ones requirements. Those TLS include for example semiconductor quantum dots (QDs). It has been shown, that InAs QDs can have electron spin lifetimes exceeding 1 s (albeit in this case the QD was charged electrically). In case of QDs, it has to be kept in mind that normally the spin coherence times seem to be more on the order of tens of microseconds but they have excellent optical properties which allow generation of spin-photon entanglement efficiently. Other material systems like vacancy centers in diamond exhibit spin coherence time of whole seconds but with low emission efficiencies. So there seems to be a trade-off between advantageous spin and photonic properties. Spin decoherence also limits the lifetimes of stationary qubits apart from the losses in transduction. With such information one could estimate how good a flying qubit can be transduced to a stationary one and how good the stationary qubit can be preserved.

Vulnerabilities Several protocols in quantum cryptography found their security upon (at least one of) two core assumptions:

• Bounded copies: adversaries have up to N copies of some quantum state, with N depending on the cite protocol. In some cases, N = 1.
• Unknown State: despite holding one or more copies of some state |ψ>, adversaries do lack information on what state they hold.

Despite such assumptions being theoretically sound and convenient, the limits presented in Section 2 jeopardize their validity. This may lead to protocol-specific attacks, either leaking partial information or completely breaking the protocol’s security or usability. In the following, we explain how such a vulnerability may result in an attack against popular quantum cryptographic protocols.

Attacks to public-key encryption and digital signature We start by considering the quantum public-key encryption scheme devised by . Such a protocol is a fit example, as it bases its security on both the aforementioned assumptions. In fact, it supposes an upper bound to the number of distributed public keys, and that public key holders do not know which state they hold. If one of these assumptions is broken, it is trivial to leak the private key from the quantum public key. We can compute the upper limit of N based on acceptable security risk. Suppose that Alice generates m′ copies of her public key, with m′ is less than N, and distributes them in a quantum network. Due to the inherent limits of telecommunication, it is likely that some of these quantum keys are lost. However, the cause for this loss is quite tricky and could be one of the following:

• Benign faults: the quantum key is lost forever due to unforeseeable hazards.
• Malicious attack: some attacker could fake a hazard and steal the quantum key for future attacks.

The two situations are indistinguishable to Alice, as she does not have a global view of what happens in the network. Therefore, Alice has two options when some agent claims a public key loss:

• Optimism: Alice trusts the claim, i.e., she believes it was the consequence of a benign fault. She then prepares one or more copies of the public key, and re-transmits them.
• Pessimism: Alice does not trust the claim, as she fears it is the result of a malicious attack. She will not replace the lost quantum key.

A pessimistic policy works from a security viewpoint, but jeopardizes the protocol's usability. In fact, if Alice misjudges and the loss resulted from benign faults, then benign users will no longer be able to encrypt a message for Alice, as they lack the public key to run encryption. On the other hand, an optimistic policy guarantees enough public key copies for every user, but may jeopardize the protocol's security. Malicious users could exploit this policy to collect enough public key copies, measure them, and find the private key. A similar reasoning holds for the quantum digital signature scheme by Gottesman and Chuang . The latter distributes quantum public keys obtained from a classical private key via a classical-quantum one-way function. The one-way property follows again from the bounded-copies assumption. What if one public key copy is lost? If Alice plays optimistically, malicious users can exploit her trust to gather several public key copies. If such an action is repeated over time, it can lead to information leakage and possibly an inversion of the one-way function. On the other hand, if Alice plays pessimistically, benign users who lost a public key due to noise will be unable to verify signatures.

Attacks to authentication In the following, we show how the phenomenon of data loss may jeopardize the security of some authentication protocols. Hong et al’s protocol is based on measuring single photons for m rounds, and implicitly makes the bounded-copies assumption. It is assumed that Alice and Bob pre-share a classical secret key, and at authentication time they verify that their keys are the same. For this purpose Bob encodes two classical key bits into one state from {|0⟩, |1⟩, |+⟩, |−⟩} according to pre-defined rules, then sends it to Bob for verification. To prove the protocol’s security, they assume that at authentication time Alice and Bob are able to send and measure each photon once. Let us now assume that some losses occur when Bob prepares a photon in position i in state |ψ_i> ∈ {|0⟩, |1⟩, |+⟩, |−⟩}. If Bob acts optimistically, he will prepare a copy of state |ψ_i> and re-send it to Alice. The latter could possibly happen m times, depending on the number of faults. This allows malicious users to exploit this behavior and accumulate m copies of state |ψ_i>, then use them to distinguish which of the four possible states it is. This allows adversaries to leak the corresponding key bits k_i. On the other hand, if Bob plays pessimistically, he will not re-send state |ψ_i>. This scenario may lead to security issues or impracticality depending on which policy Alice takes. If Alice decides to skip that position, the protocol’s security decreases, since attackers with a partial knowledge of the shared key can still be successfully authenticated. The attacker may simply claim that his qubit was lost, and still pass authentication. On the other hand, if Alice is intransigent, she may just reject Bob’s authentication attempt, and ask him to re-attempt later. While that works fine when data losses are occasional accidents, curren and future quantum technologies will likely undergo a loss rate such that with a high probability one loss will occur in every protocol. This implies that even an honest Bob will likely be unable to prove his identity, as most authentication attempts will fail due to Alice’s intransigent policy. Despite employing security measures such as random decoy states and a thresholding mechanism to prevent an exceedingly high number of lost states, such mechanisms do not prevent all qubit-loss-based attacks, as they require restricting assumptions to work, such as knowledge of the physical communication link or passive adversaries. Other proposals are more resilient to lost qubits. Kanamori’s protocol uses a random session key ϕ to mask the information on the classical pre-shared key. In case of a single qubit, even if an attacker with no a prior knowledge intercepts it, it can't extract any information on it, as they would only receive a maximally-mixed state that is independent of the secret key.

Attacks to quantum money Wiesner’s quantum money also relies on the bounded-copies and unknown-state assumptions. If one possesses several copies of the same quantum note, one may use them to attack the scheme. Specifically, they can use simple measurements and operations to learn the note’s quantum state, and produce arbitrarily many copies. Let's consider a quantum note with n qubits. If an attacker wants to cheat with probability δ, it needs approximately m copies of the note where m = -log_2(1-δ^(1/n)). We remark that once the attack is repeated for all the n qubits, you know all their bases and values, and may therefore forge as many banknotes as you like. Now, suppose a user claims that a quantum note was lost. If Alice acts optimistically and re-issues the banknote, some attacker can exploit this to gather copies of the note and later run the attack. On the other hand, Alice could act pessimistically and refuse to re-issue the lost qubits. Although this preserves the protocol’s security, it prevents benign users from verifying the note in the future.

Attacks to Oblivious Transfer The BBCS protocol is extremely sensitive to multicopy attacks. In fact, suppose that Bob obtains two copies of the qubits generated by Alice in the BB84 phase. He may run a very simple attack:

• Measure each qubit of the first copy in the computational basis
• Measure each qubit of the second copy in the Hadamard basis
• Once Alice has revealed her true bases, Bob keeps the measurement outcomes obtained by measuring in the right basis

Such a simple attack allows him to learn both messages with certainty. Hence, if Alice receives the claim of a lost BB84 qubit, she must play pessimistically and refuse to re-send it. Fortunately, in this scenario, Alice may get away with a simple counterattack: because the BB84 phase happens at an early stage, she may prepare a different random BB84 state and send it to Bob. This preserves the protocol’s correctness at no security cost. Furthermore, re-preparing a random qubit comes with negligible overhead, thus preserving the protocol’s practicality.

Conclusion

Quantum teleportation Overall, in some cases, direct transmission of qubit is problematic because of its quantum characteristics, e.g., no cloning. For some applications a transmission failure may cause an irrevocable damage. Even if a sender can retransmit a qubit in case of a failure , e.g. , this may bring forth a security breach. We believe that the risks described above can be mitigated by sharing entangled pairs between a sender and a receiver over the (imperfect) link and then perform quantum teleportation procedure. Usually, it’s easier to directly transmit a qubit in a known state than one in an unknown state. Hence, since the EPR pairs that we wish to exchange have a known state, it is safe to assume they are technically more simple to transmit. Although a problem during an entanglement swapping may arise, such failure can be recovered with enough trials. Such a failure is, unlike other aforementioned failures, perfectly recoverable. Moreover, entangled pairs can be stored in the form of a matter qubit . Hence, the result of quantum computation can be directly transferred without going through transducer, thus reducing the chance of qubit losses. Finally, direct transmission allows a man-in-the-middle to intercept a quantum state fairly easily. If qubits are teleported rather than directly transmitted, such an attack is no longer feasible. In fact, the man-in-the-middle can only intercept the two classical bits required to finalize the teleportation protocol. However, such bits only provide information on how the receiver should transform their local state to obtain the input state, and are essentially meaningless to the attacker. As indicates, we may, in turn, create link-local entanglement between neighboring nodes, establish end-to-end entanglement with entanglement swapping, then perform distillation to improve the fidelity. Using entangled pairs of high enough fidelity, we may use quantum teleportation to send even an irrecoverable quantum state. Teleportation is therefore a powerful tool, but it introduces new questions and problems. For instance, using teleportation for cryptographic purposes not only requires correct pre-shared entanglement, but also trustworthy entangled states. Entangled states should come with some form of cryptographically secure certificate proving that the received states are indeed entangled with the intended receiver. Furthermore, for some crypto primitives, prescribing pre-shared entangled state leads to circular requirements. In fact, if trustworthy pre-shared entanglement is required for authentication, then the two users must have already run some form of authentication when sharing entanglement, else they have no guarantees of being entangled with the correct user.

Security by design As argued above, some protocols are secure by design. We have already cited the BBCS and Kanamori’s authentication protocol, but more are likely to exist. For instance, repeating the same reasoning showing BBCS' security one may find a simple mitigation for BB84 QKD . These proposals base their security on randomness, either as a form of masking/encryption or because they send some random quantum states that do not encode secret information. Security by design has lightweight requirements compared to teleportation, as it does not pose the problem of trustworthy entanglement sharing and storage. However, it is considerably harder for cryptographers to design a quantum protocol that is inherently resilient to message losses. Hence, in future applications, a hybrid use of both mitigations is advised.

IANA Considerations This memo includes no request to IANA.

Security Considerations This document do not introduce any new security considerations.

References Informative References Master’s Thesis, Technical University of Munich Ph.D. thesis, KTH a review, Semiconductor Science and Technology 34 Applied Physics Letters 119, 124001 Master Series in Physics, Vol. 15 (Oxford University Press) summer semester npj Quantum Information 7 Nature Communications 13 Physical Review A 77 arXiv:quant-ph/0105032 [quant-ph] Quantum Information Processing 16 GLOBECOM ’05 SIGACT News 15 MRS Bulletin volume 38 Advances in Cryptology — CRYPTO ’91

Acknowledgements This work was financed by the DFG via grant NO 1129/2-1 (JN) and by the BMBF via grants 16KISQ039 (JHC), 16KISQ077 (DLC) and 16KISR026 (PK). The authors acknowledge the financial support by the Federal Ministry of Education and Research of Germany in the programme of “Souverän. Digital. Vernetzt.”. Joint project 6G-life, project identification number: 16KISK002