
Insider-Proof Encryption with Applications for Quantum Key Distribution


Part of the Lecture Notes in Computer Science book series (LNSC,volume 8317)


We introduce insider-proof private channels which are private channels that additionally allow for security even when the key is correlated with the message. This prevents an insider, who has access to secret keys and the capability of choosing messages to be sent on the channel, from signalling to someone who can read the ciphertexts. We give a construction for approximately insider-proof private channels using 2-universal hash functions.

Quantum key distribution (QKD) offers the promise of information-theoretically secure communication, provided a number of assumptions are met. Ideally, the number of these assumptions required in a protocol should be reduced to a minimum. This is the motivation behind device independent QKD (DIQKD) protocols which use an adversarial model for the quantum devices. However, a previous report [3] pointed out that current protocols for DIQKD can leak key to an outside adversary when devices are used repeatedly. We show how to use the insider-proof private channel to allow DIQKD protocols to reuse devices any desired number of times without leaking information.



DOI: 10.1007/978-3-319-04268-8_8


  1. In particular, the element \(x^{\ell }\) in the usual polynomial representation.

  2. At the very least, the devices can know the raw keys from previous rounds, and hence are strongly correlated with the final keys.


  1. Acín, A., Brunner, N., Gisin, N., Massar, S., Pironio, S., Scarani, V.: Device-independent security of quantum cryptography against collective attacks. Phys. Rev. Lett. 98, 230501 (2007)

  2. Acín, A., Gisin, N., Masanes, L.: From Bell's theorem to secure quantum key distribution. Phys. Rev. Lett. 97(12), 120405 (2006)

  3. Barrett, J., Colbeck, R., Kent, A.: Prisoners of their own device: trojan attacks on device-independent quantum cryptography. arXiv:1201.4407v3 (2012)

  4. Barrett, J., Colbeck, R., Kent, A.: Unconditionally secure device-independent quantum key distribution with only two devices. Phys. Rev. A 86, 062326 (2012)

  5. Bennett, C.H., Brassard, G.: Quantum cryptography: public-key distribution and coin tossing. In: Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, pp. 175–179. IEEE, New York (1984)

  6. Carter, J.L., Wegman, M.N.: Universal classes of hash functions. J. Comput. Syst. Sci. 18(2), 143 (1979)

  7. Coffman, V., Kundu, J., Wootters, W.K.: Distributed entanglement. Phys. Rev. A 61, 052306 (2000)

  8. Ekert, A.K.: Quantum cryptography based on Bell's theorem. Phys. Rev. Lett. 67(6), 661–663 (1991)

  9. Hänggi, E., Renner, R.: Device-independent quantum key distribution with commuting measurements. arXiv:1009.1833v2 (2010)

  10. Makarov, V., Anisimov, A., Skaar, J.: Effects of detector efficiency mismatch on security of quantum cryptosystems. Phys. Rev. A 74(2), 022313 (2006)

  11. Masanes, L., Pironio, S., Acín, A.: Secure device-independent quantum key distribution with causally independent measurement devices. Nat. Commun. 2, 238 (2011)

  12. Pironio, S., Acín, A., Brunner, N., Gisin, N., Massar, S., Scarani, V.: Device-independent quantum key distribution secure against collective attacks. New J. Phys. 11, 045021 (2009)

  13. Reichardt, B.W., Unger, F., Vazirani, U.: Classical command of quantum systems via rigidity of CHSH games. arXiv:1209.0449 (2012)

  14. Reichardt, B.W., Unger, F., Vazirani, U.: A classical leash for a quantum system: command of quantum systems via rigidity of CHSH games. arXiv:1209.0448 (2012)

  15. Renner, R.: Security of quantum key distribution. Int. J. Quant. Inf. 6, 1 (2008)

  16. Shor, P.W., Preskill, J.: Simple proof of security of the BB84 quantum key distribution protocol. Phys. Rev. Lett. 85, 441–444 (2000)

  17. Tomamichel, M., Schaffner, C., Smith, A., Renner, R.: Leftover hashing against quantum side information. IEEE Trans. Inf. Theory 57, 5524 (2011)



We thank Marco Tomamichel for a helpful discussion and Roger Colbeck for his comments about composability. This work is funded by the Centre for Quantum Technologies, which is funded by the Singapore Ministry of Education and the Singapore National Research Foundation, by the University of Otago through a University of Otago Research Grant and the Performance Based Research Fund, and by the Jack Dodd Centre for Quantum Technology.

Author information

Corresponding author: Matthew McKague.


A Security of DIQKD Using an Insider-Proof Channel

In order to complete a QKD protocol Alice and Bob will require a series of communication channels back and forth which they have authenticated. When the devices in Alice and Bob’s labs may have some sensitive information in their memories, then some of these channels must be private channels, in order to show security.

Again, let the quantum state just after step \(t\) be \(\rho ^{(t)}\). At first, let us analyze the protocol assuming we start with a perfect key so that \(\rho ^{(0)} = U_{K}^{(3n)} \otimes \sigma _{D} \otimes \tau _{E}\). After step 1, Alice and Bob share with Eve the state \(\rho _{ABE}\). They pick measurements and get outcomes in registers \(A'\) and \(B'\), so that their shared state becomes \(\rho ^{(1)}\), where

$$\begin{aligned} \rho ^{(1)}&= U_{K}^{(3n)} \otimes \sigma _D \ \otimes \sum _{o_{m_{A}},o'_{m_{B}}} p(o_{m_{A}},o'_{m_{B}}) \left| o_{m_{A}} \right\rangle _{A'}\left\langle o_{m_{A}} \right| \nonumber \\&\qquad \qquad \qquad \qquad \qquad \otimes \left| o'_{m_{B}} \right\rangle _{B'}\left\langle o'_{m_{B}} \right| \otimes \rho ^{(o_{m_{A}},o'_{m_{B}})}_{E} \ . \end{aligned}$$

Now in step 2, Alice uses a public channel to send Bob her measurement choices \(m_A\) and Bob can also use a public channel to send Alice his choices \(m_B\). Alice will prepare a private message for Bob that includes a subset \(a\) of her outcomes \(o_{m_{A}}\). She then implements (in step 3) an insider-proof quantum channel to Bob, according to Protocol 4.

We can alter \(\varPhi _{ABC}\) to take the string in register \(K\) as part of the input state rather than a parameter that defines \(\varPhi _{ABC}\). In all other respects, the channel is unchanged. Let the new channel be \(\varPhi '_{ABC}\). Then from Definition 2,

$$\begin{aligned} \left| \left| \mathrm{Tr }_K \varPhi _{AB}^{IPC} \otimes I_{D} \otimes \varPsi _{CE}(U_K\otimes \rho ) - \mathrm{Tr }_K \varPhi '_{ABC} \otimes I_{DE}(U_K\otimes \rho )\right| \right| _{1} \le \epsilon \ . \end{aligned}$$

Let the register \(A\) contain the subset of outcomes (so \(a\) is a function of \(o_{m_{A}}\)). Then after an ideal private channel the state will be \(\rho ^{(3)}\) such that:

$$\begin{aligned} \left| \left| \rho ^{(3)} - \xi ^{(3)}\right| \right| _1 \le \epsilon \ . \end{aligned}$$


$$\begin{aligned} \xi ^{(3)}&:= U_K^{(2n)} \otimes \sigma _D \otimes \sum _{o_{m_{A}},o'_{m_{B}}} p(o_{m_{A}},o'_{m_{B}}) \left| a \right\rangle _A\left\langle a \right| \otimes \left| o_{m_{A}} \right\rangle _{A'}\left\langle o_{m_{A}} \right| \nonumber \\&\qquad \qquad \otimes \left| a \right\rangle _B\left\langle a \right| \otimes \left| o'_{m_{B}} \right\rangle _{B'}\left\langle o'_{m_{B}} \right| \otimes \rho ^{(o_{m_{A}},o'_{m_{B}})}_{E}\otimes I_{C,R} \ . \end{aligned}$$

Bob will also have to reply in step 4, again using an insider-proof channel twice. First he sends a one-bit message about whether to abort and second he sends the error correction information. For an ideal private channel:

$$\begin{aligned} \left| \left| \rho ^{(4)} - \xi ^{(4)}\right| \right| _1 \le 3\epsilon \ . \end{aligned}$$


$$\begin{aligned} \xi ^{(4)}&:= \sigma _D \otimes \sum _{o_{m_{A}},o'_{m_{B}}} p(o_{m_{A}},o'_{m_{B}}) \left| b \right\rangle _A\left\langle b \right| \otimes \left| o_{m_{A}} \right\rangle _{A'}\left\langle o_{m_{A}} \right| \nonumber \\&\qquad \ \ \otimes \left| b \right\rangle _B\left\langle b \right| \otimes \left| o'_{m_{B}} \right\rangle _{B'}\left\langle o'_{m_{B}} \right| \otimes \rho ^{(o_{m_{A}},o'_{m_{B}})}_{E} \otimes (I_{C,R})^{\otimes 3} \, . \end{aligned}$$

At this point, they arrive at identical raw keys with probability \(1-\epsilon _{EC}\), where Alice and Bob can choose \(\epsilon _{EC}\) arbitrarily small. Then,

$$\begin{aligned} \left| \left| \rho ^{(5)} - \xi ^{(5)}\right| \right| _1 \le 3\epsilon + \epsilon _{\text {EC}} + \epsilon _{\text {PE}} \ , \end{aligned}$$


$$\begin{aligned} \xi ^{(5)} := \sigma _D \otimes \sum _{o_{m_{A}},o'_{m_{B}}} p(o_{m_{A}},o'_{m_{B}}) \left| k_{\text {raw}} \right\rangle _{A'}\left\langle k_{\text {raw}} \right| \otimes \left| k_{\text {raw}} \right\rangle _{B'}\left\langle k_{\text {raw}} \right| \otimes \rho ^{(o_{m_{A}},o'_{m_{B}})}_{E} \ , \end{aligned}$$

where we dropped the \(C\) and \(R\) registers for convenience, and \(k_{\text {raw}}\) still depends on \(o_{m_{A}}\) and \(o'_{m_{B}}\). They then implement a privacy amplification hash in step 6 and let us define \(\epsilon _{\text {qkd}} = \epsilon _{\text {EC}} + \epsilon _{\text {PE}} + \epsilon _{\text {PA}}\). So now we are left with a state \(\rho ^{(6)}_{A'B'CDER}\) such that:

$$\begin{aligned} \left| \left| \rho ^{(6)}_{A'B'CDER} - \mathcal {U}_{A'B'} \otimes \sigma _{D} \otimes \tau '_{CER} \right| \right| _{1} \le 3\epsilon +\epsilon _{\text {qkd}} \ . \end{aligned}$$

where \(\mathcal {U}_{A'B'}\) is the normalized uniform distribution over all strings of a given length and we have followed the standard analysis (see e.g. [15]) for the overheads of a single round of QKD. We can write this instead as

$$\begin{aligned} \left| \left| \varPhi _{\text {prot}}(U_{K}\otimes \sigma _{D} \otimes \tau _{E}) - \varPhi _{\text {ideal}}(U_{K}\otimes \sigma _{D} \otimes \tau _{E}) \right| \right| _{1} \le 3\epsilon +\epsilon _{\text {qkd}} \ . \end{aligned}$$

where \(\varPhi _{\text {prot}}\) is the action of the entire modified QKD protocol and \(\varPhi _{\text {ideal}}\) is an ideal protocol that shares key between Alice and Bob while leaking nothing to Eve.

Now let us relax the assumption of a perfect key. Instead, assume that Alice and Bob have already successfully grown some key using a DIQKD protocol, secure against malicious devices with memory. Before step 1, we assume that Eve has bounded correlations with these keys:

$$\begin{aligned} \left| \left| \rho _{KDE} - U_{K} \otimes \sigma _{D} \otimes \tau _{E} \right| \right| _{1} \le \epsilon _0 \ . \end{aligned}$$

We can apply \(\varPhi _{\text {prot}}\) to both states in the above bound. Then using the data processing inequality, we have

$$\begin{aligned} \left| \left| \varPhi _{\text {prot}}(\rho _{KDE}) - \varPhi _{\text {prot}}(U_{K} \otimes \sigma _{D} \otimes \tau _{E}) \right| \right| _{1} \le \epsilon _0 \ . \end{aligned}$$

We can use the triangle inequality on Eqs. (30) and (32), to finally obtain

$$\begin{aligned} \left| \left| \varPhi _{\text {prot}}(\rho _{KDE}) - \varPhi _{\text {ideal}}(U_{K} \otimes \sigma _{D} \otimes \tau _{E}) \right| \right| _{1} \le \epsilon _0 + 3\epsilon +\epsilon _{\text {qkd}} \ . \end{aligned}$$

Now, let us back up a minute and consider what happens if Alice and Bob need to abort in step 4. Implementing the insider-proof channel uses up their store of private key. Asymptotically, the largest amount of key will be used to send the error correction information. However, if they abort, there is no need to send this. By using separate applications of the channel, after sending the signal to abort, Bob is free to not use the insider-proof channel and instead send a random string. This is fine, since referring to Protocol 1 the contents of \(R\) are uniformly random, and, looking at Eq. (12), the contents of \(C\) cannot be distinguished from a uniform string by the adversary, except with probability \(\epsilon \). Therefore, in the case of an abort, the largest share of the cost of establishing an insider-proof channel can be avoided by breaking up Bob's messages in this way.

Notice also that extending each state in the norm in Eq. 33 to a larger Hilbert space by tensor product with a state corresponding to a uniformly random \(n\)-bit string \(2^{-n}\sum _x \left| x \rangle \langle x \right| \) will not increase the trace distance. Therefore, all encoded messages sent from Alice can be assumed to have a fixed length and remain secure.

B Aborts

It may happen that on some rounds Alice and Bob must abort the protocol. However, since the devices that Alice and Bob use can cause an abort even on a “good” state \(\rho _{A'B'E}\), they can use this as a pretext to signal to Eve, as was observed in [3]. Therefore, Alice and Bob must hide aborts when they occur. As explained in Sect. 3.2, they can do this since they have encrypted the parameter estimation bits and will also encrypt Bob’s signal as to whether or not to abort. If they abort, they pretend to continue the protocol, but instead of exchanging encrypted information to perform error correction, they send random strings. In this round they do not gain any additional key, but also Eve does not learn that they aborted.
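The abort-hiding pattern of Appendix A (split Bob's step-4 reply into two channel uses) and Appendix B (send a random string of the usual length instead of the error-correction message) as an added Python illustration, not code from the paper: a one-time pad stands in for the paper's insider-proof channel, which is an assumption of this example, and KeyStore, bob_reply and alice_read are hypothetical helper names.

```python
# Added example (not from the paper): Bob's step-4 reply split into two separate
# channel uses, so that an abort can be hidden as described in Appendices A and B.
# ASSUMPTION: a one-time pad stands in for the paper's insider-proof channel; the
# paper's 2-universal-hash construction is not reproduced here.
import os

EC_LEN = 32     # constructed: fixed byte length of the error-correction message
FLAG_LEN = 1    # one-byte abort flag (the paper sends a one-bit message)


class KeyStore:
    """Shared private key that both parties consume in lock-step."""

    def __init__(self, key: bytes) -> None:
        self._key = bytearray(key)

    def remaining(self) -> int:
        return len(self._key)

    def take(self, n: int) -> bytes:
        if n > len(self._key):
            raise RuntimeError("out of key")  # Appendix B: key exhaustion
        chunk, self._key = bytes(self._key[:n]), self._key[n:]
        return chunk


def otp(key: bytes, msg: bytes) -> bytes:
    """One-time pad; the ciphertext is uniform whenever the key is."""
    assert len(key) == len(msg)
    return bytes(k ^ m for k, m in zip(key, msg))


def bob_reply(store: KeyStore, abort: bool, ec_info: bytes) -> tuple:
    """Two messages: encrypted abort flag, then the error-correction slot.

    On abort the slot carries a fresh uniformly random string of the same
    fixed length and consumes no key: the transcript keeps its shape while
    the large EC share of the key cost is avoided.
    """
    assert len(ec_info) == EC_LEN
    flag_ct = otp(store.take(FLAG_LEN), bytes([int(abort)]))
    body = os.urandom(EC_LEN) if abort else otp(store.take(EC_LEN), ec_info)
    return flag_ct, body


def alice_read(store: KeyStore, flag_ct: bytes, body: bytes) -> tuple:
    """Alice decrypts the flag first; on abort she discards the slot unread
    and, like Bob, does not consume the EC share of the key."""
    abort = bool(otp(store.take(FLAG_LEN), flag_ct)[0])
    if abort:
        return True, None
    return False, otp(store.take(EC_LEN), body)
```

Both branches produce a transcript of the same two lengths; only the key accounting differs, and an observer of the ciphertexts cannot tell which branch ran.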

Another concern is that it is possible for the boxes to conduct a denial-of-service attack until Alice and Bob run out of key. If this should occur before the number of rounds that Alice and Bob had agreed to use the devices for, this would also constitute a signal to Eve. They must hide this also, so should it occur, Alice and Bob should simulate the remaining rounds of key growth (sending each other random strings) and then destroy the adversarial boxes securely. This is not a foolproof solution, however, since in the meantime Alice and Bob may need to communicate privately. Thus at some point they will be forced to re-key and there is no reason to assume Eve will not notice this. Therefore, it is conceivable that she may gain some information from the fact that this has happened and it seems there is no way to completely avoid that, though Alice and Bob could keep a piece of their initial authentication key from before the first round against this eventuality. (This is similar to the case in trusted-device QKD when Eve executes repeated denial-of-service attacks on Alice and Bob until they run out of key.)

It appears that in this model we cannot think about each run of the device independent protocol as a stand-alone element in a universal composability scheme, in which it is public information how much key they have at any given time. Alice and Bob certainly do not want to output on each round whether they succeeded or failed in obtaining key. This may lead to additional considerations. For example, the adversary may expect Alice and Bob to send a one-time-pad encoded message at a particular time during the multi-round life of the devices when they do not have key available to devote to the purpose. If this occurs they can still avoid leaking information to the adversary by sending a random string of the appropriate length instead. (However, this does not accomplish the communication task Alice and Bob presumably wished to accomplish.) Note that in this case, Alice and Bob have to consider their quantum key distribution in the wider setting in which it is employed to avoid leaking information. Nevertheless, when key is generated in the DIQKD scheme, the resulting key is secure under the trace distance definition given in [15].

Copyright information

© 2014 Springer International Publishing Switzerland

Cite this paper

McKague, M., Sheridan, L. (2014). Insider-Proof Encryption with Applications for Quantum Key Distribution. In: Padró, C. (ed.) Information Theoretic Security. ICITS 2013. Lecture Notes in Computer Science, vol 8317. Springer, Cham.

  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-04267-1
  • Online ISBN: 978-3-319-04268-8