Quantum Information Processing, Volume 15, Issue 1, pp 327–362

Attacks on quantum key distribution protocols that employ non-ITS authentication

  • C. Pacher
  • A. Abidin
  • T. Lorünser
  • M. Peev
  • R. Ursin
  • A. Zeilinger
  • J.-Å. Larsson


We demonstrate how adversaries with large computing resources can break quantum key distribution (QKD) protocols which employ a particular message authentication code suggested previously. This authentication code, featuring low key consumption, is not information-theoretically secure (ITS), since for each message the eavesdropper has intercepted she is able to send a different message from a set of messages that she can calculate by finding collisions of a cryptographic hash function. However, when this authentication code was introduced, it was shown to prevent straightforward man-in-the-middle (MITM) attacks against QKD protocols. In this paper, we prove that the set of messages that collide with any given message under this authentication code contains, with high probability, a message that has small Hamming distance to any other given message. Based on this fact, we present extended MITM attacks against different versions of BB84 QKD protocols using the addressed authentication code; for three protocols, we describe every single action taken by the adversary. For all protocols, the adversary can obtain complete knowledge of the key, and for most protocols her success probability in doing so approaches unity. Since the attacks work against all authentication methods which allow colliding messages to be calculated, the underlying building blocks of the presented attacks expose the potential pitfalls arising as a consequence of non-ITS authentication in QKD post-processing. We propose countermeasures, increasing the eavesdropper's demand for computational power, and also prove necessary and sufficient conditions for upgrading the discussed authentication code to the ITS level.


Keywords: Quantum key distribution, Information-theoretic security, Message authentication, Collision attacks, Man-in-the-middle attack



This work has been supported by the Vienna Science and Technology Fund (WWTF) via Project ICT10-067 (HiPANQ) and also partly by the Austrian Research Promotion Agency (FFG) within the Project Archistar (Bridge-2364544).



Copyright information

© Springer Science+Business Media New York 2015

Authors and Affiliations

  • C. Pacher (1)
  • A. Abidin (2)
  • T. Lorünser (1)
  • M. Peev (1)
  • R. Ursin (3)
  • A. Zeilinger (3, 4)
  • J.-Å. Larsson (2)

  1. Digital Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
  2. Department of Electrical Engineering, Linköping University, Linköping, Sweden
  3. Institute for Quantum Optics and Quantum Information, Austrian Academy of Sciences, Vienna, Austria
  4. Vienna Center for Quantum Science and Technology (VCQ), Faculty of Physics, University of Vienna, Vienna, Austria
