Attacks on quantum key distribution protocols that employ non-ITS authentication

Quantum Information Processing

Abstract

We demonstrate how adversaries with large computing resources can break quantum key distribution (QKD) protocols which employ a particular message authentication code suggested previously. This authentication code, featuring low key consumption, is not information-theoretically secure (ITS) since for each message the eavesdropper has intercepted she is able to send a different message from a set of messages that she can calculate by finding collisions of a cryptographic hash function. However, when this authentication code was introduced, it was shown to prevent straightforward man-in-the-middle (MITM) attacks against QKD protocols. In this paper, we prove that the set of messages that collide with any given message under this authentication code contains with high probability a message that has small Hamming distance to any other given message. Based on this fact, we present extended MITM attacks against different versions of BB84 QKD protocols using the addressed authentication code; for three protocols, we describe every single action taken by the adversary. For all protocols, the adversary can obtain complete knowledge of the key, and for most protocols her success probability in doing so approaches unity. Since the attacks work against all authentication methods which allow colliding messages to be calculated, the underlying building blocks of the presented attacks expose the potential pitfalls arising as a consequence of non-ITS authentication in QKD post-processing. We propose countermeasures, increasing the eavesdropper's demand for computational power, and also prove necessary and sufficient conditions for upgrading the discussed authentication code to the ITS level.

Notes

  1. In “Appendix 3” we demonstrate that for typical scenarios the probability that in step (Pc’) a useful PA function \(P^\mathbf E \) for Eve exists is almost one.

References

  1. Abidin, A., Larsson, J.Å.: Vulnerability of “A novel protocol-authentication algorithm ruling out a man-in-the-middle attack in quantum cryptography”. Int. J. Quantum Inf. 7(5), 1047–1052 (2009)

  2. Abidin, A., Larsson, J.Å.: Security of authentication with a fixed key in quantum key distribution. arXiv:1109.5168v1 (2011)

  3. Abidin, A., Larsson, J.Å.: New universal hash functions. In: Lucks, S., Armknecht, F. (eds.) WEWoRC 2011, LNCS, vol. 7242, pp. 99–108. Springer, Berlin (2012)

  4. Ben-Or, M., Mayers, D.: General security definition and composability for quantum & classical protocols. quant-ph/0409062 (2004)

  5. Ben-Or, M., Mayers, D.: The universal composable security of quantum key distribution. In: Kilian, J. (eds.) Proceedings of TCC 2005. Springer, Cambridge, MA, Lecture Notes in Computer Science, vol. 3378, pp. 386–406 (2005). quant-ph/0409078

  6. Bennett, C.H., Brassard, G.: Quantum cryptography: Public key distribution and coin tossing. In: Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing, IEEE New York, Bangalore, India, pp. 175–179 (1984)

  7. Bennett, C.H., Bessette, F., Brassard, G., Salvail, L., Smolin, J.A.: Experimental quantum cryptography. J. Cryptol. 5(1), 3–28 (1992)

  8. Beth, T., Müller-Quade, J., Steinwandt, R.: Cryptanalysis of a practical quantum key distribution with polarization-entangled photons. Quantum Inf. Comput. 5(3), 181–186 (2005)

  9. Bierbrauer, J.: Universal hashing and geometric codes. Des. Codes Cryptogr. 11, 207–221 (1997)

  10. Bierbrauer, J., Johansson, T., Kabatianskii, G., Smeets, B.: On families of hash functions via geometric codes and concatenation. In: Stinson, D. (eds.) CRYPTO ’93. Lecture Notes in Computer Science, vol. 773, pp. 331–342. Springer, Berlin (1994)

  11. Carter, J.L., Wegman, M.N.: Universal classes of hash functions. J. Comput. Syst. Sci. 18(2), 143–154 (1979)

  12. den Boer, B.: A simple and key-economical unconditional authentication scheme. J. Comput. Secur. 2, 65–72 (1993)

  13. Ferguson, N., Schneier, B., Kohno, T.: Cryptography Engineering. Wiley Publishing, Inc, New York (2010)

  14. Gilbert, G., Hamrick, M.: Practical quantum cryptography: a comprehensive analysis (part one). MITRE report MTR 00W0000052. quant-ph/0009027v5 (2000)

  15. Hayashi, M.: Exponential decreasing rate of leaked information in universal random privacy amplification. IEEE Trans. Inf. Theory 57, 3989–4001 (2011)

  16. Hoeffding, W.: Probability inequalities for sums of bounded random variables. J. Am. Stat. Assoc. 58(301), 13–30 (1963)

  17. Johansson, T., Kabatianskii, G., Smeets, B.: On the relation between a-codes and codes correcting independent errors. In: Advances in cryptology, EUROCRYPT 1993, Lecture Notes in Computer Science, vol. 765, pp. 1–11. Springer, Berlin (1993)

  18. Krawczyk, H.: LFSR-based hashing and authentication. In: Desmedt, Y. (eds.) CRYPTO ’94. Lecture Notes in Computer Science, vol. 839, pp. 129–139. Springer, Berlin (1994)

  19. Lütkenhaus, N.: Estimates for practical quantum cryptography. Phys. Rev. A 59(5), 3301–3319 (1999). doi:10.1103/PhysRevA.59.3301

  20. Mehlhorn, K., Vishkin, U.: Randomized and deterministic simulations of prams by parallel machines with restricted granularity of parallel memories. Acta Inf. 21, 339–374 (1984)

  21. Menezes, A., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton, FL (1996)

  22. Müller-Quade, J., Renner, R.: Composability in quantum cryptography. New J. Phys. 11(8), 085006 (2009)

  23. Nguyen, L.H., Roscoe, A.W.: New combinatorial bounds for universal hash functions. Unpublished manuscript (2009). http://www.cs.ox.ac.uk/files/2343/UniversalHash%20%281%29.pdf, http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.153.6475

  24. Peev, M., Nölle, M., Maurhardt, O., Lorünser, T., Suda, M., Poppe, A., Ursin, R., Fedrizzi, A., Zeilinger, A.: A novel protocol-authentication algorithm ruling out a man-in-the-middle attack in quantum cryptography. Int. J. Quantum Inf. 3(1), 225–231 (2005)

  25. Peev, M., Pacher, C., Lorünser, T., Nölle, M., Poppe, A., Maurhart, O., Suda, M., Fedrizzi, A., Ursin, R., Zeilinger, A.: Response to “Vulnerability of ‘A novel protocol-authentication algorithm ruling out a man-in-the-middle attack in quantum cryptography’”. Int. J. Quantum Inf. 7(7), 1401–1407 (2009)

  26. Portmann, C.: Key recycling in authentication. IEEE Trans. Inf. Theory 60(8), 4383–4396 (2014)

  27. Renner, R., König, R.: Universally composable privacy amplification against quantum adversaries. In: Kilian, J. (eds.) Proceedings of TCC 2005. Lecture Notes in Computer Science, vol. 3378, pp. 407–425. Springer, Cambridge, MA (2005)

  28. Sasaki, M., Fujiwara, M., Ishizuka, H., Klaus, W., Wakui, K., Takeoka, M., Miki, S., Yamashita, T., Wang, Z., Tanaka, A., Yoshino, K., Nambu, Y., Takahashi, S., Tajima, A., Tomita, A., Domeki, T., Hasegawa, T., Sakai, Y., Kobayashi, H., Asai, T., Shimizu, K., Tokura, T., Tsurumaru, T., Matsui, M., Honjo, T., Tamaki, K., Takesue, H., Tokura, Y., Dynes, J.F., Dixon, A.R., Sharpe, A.W., Yuan, Z.L., Shields, A.J., Uchikoga, S., Legré, M., Robyr, S., Trinkler, P., Monat, L., Page, J.B., Ribordy, G., Poppe, A., Allacher, A., Maurhart, O., Länger, T., Peev, M., Zeilinger, A.: Field test of quantum key distribution in the Tokyo QKD network. Opt. Express 19(11), 10387–10409 (2011). doi:10.1364/OE.19.010387

  29. Scarani, V., Bechmann-Pasquinucci, H., Cerf, N.J., Dušek, M., Lütkenhaus, N., Peev, M.: The security of practical quantum key distribution. Rev. Mod. Phys. 81, 1301–1350 (2009)

  30. Shoup, V.: On fast and provably secure message authentication based on universal hashing. In: Koblitz, N. (eds.) CRYPTO ’96, Springer 1996, Lecture Notes in Computer Science, vol. 1109, pp. 313–328 (1996)

  31. Stinson, D.R.: Universal hashing and authentication codes. In: Feigenbaum, J. (eds.) CRYPTO ’91, Lecture Notes in Computer Science, vol. 576, pp. 74–85. Springer, Berlin (1991)

  32. Taylor, R.: An integrity check value algorithm for stream ciphers. In: Stinson, D. (eds.) Advances in Cryptology—CRYPTO ’93. Lecture Notes in Computer Science, vol. 773, pp. 40–48. Springer, Berlin (1994)

  33. Wegman, M.N., Carter, J.L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)

Acknowledgments

This work has been supported by the Vienna Science and Technology Fund (WWTF) via Project ICT10-067 (HiPANQ) and also partly by the Austrian Research Promotion Agency (FFG) within the Project Archistar (Bridge-2364544).

Corresponding author

Correspondence to C. Pacher.

Appendices

Appendix 1: Proof of Lemma 1

Lemma 1

Let us assume that f maps all messages in \({\mathcal {M}}\) randomly onto \(\mathcal {Z}\). Then the probability that at least one of the messages in \({\mathcal {M}}\) is validated by the given tag \(t=h_K(f(m^\mathbf A ))\) is

$$\begin{aligned} \mathcal {P}^\text {succ}_\text {coll}=\Pr \left\{ \exists m^\mathbf E \in {\mathcal {M}}: h_K(f(m^\mathbf E ))=t \right\} > 1-\exp \left( -|{\mathcal {M}}| |\mathcal {Z}|^{-1}\right) . \end{aligned}$$

Proof

By assumption, the probability that f maps any (randomly chosen) message m of \({\mathcal {M}}\) onto any fixed value z of \(\mathcal {Z}\) is \(1/|\mathcal {Z}|\):

$$\begin{aligned} m\in _R {\mathcal {M}}, \forall z\in \mathcal {Z}: \Pr \left\{ f(m)=z\right\} =1/|\mathcal {Z}|. \end{aligned}$$
(5)

Applying \(h_K\) to f(m) and z in the argument of \(\Pr \) (which potentially increases the value of the probability), setting \(z=f(m^\mathbf A )\), and using \(t=h_K(f(m^\mathbf A ))\) we obtain

$$\begin{aligned} m\in _R {\mathcal {M}}: \Pr \left\{ h_K(f(m))=t\right\} \ge 1/|\mathcal {Z}|. \end{aligned}$$
(6)

Consequently, the probability that t authenticates at least one message of all \(|{\mathcal {M}}|\) different messages in \({\mathcal {M}}\) is at least \(1-\left( 1-|\mathcal {Z}|^{-1}\right) ^{|{\mathcal {M}}|}\), and using that \((1-1/n)^{n} < e^{-1}\) for \(n>1\) finishes the proof.

If desired, \(1/|\mathcal {Z}|\) can be replaced by any lower bound on the probability to allow for non-uniform distributions.

Appendix 2: Proof of Corollary 1

Corollary 1

Let \({\mathcal {B}}\) be the closed ball of all messages m having a Hamming distance to \(m^\mathbf E \) not exceeding w:

$$\begin{aligned} {\mathcal {B}}=\left\{ m: d_H(m,m^\mathbf E )\le w \right\} , \end{aligned}$$

and let us assume that f maps all messages in \({\mathcal {B}}\) randomly onto \(\mathcal {Z}\). Then the probability that at least one of the messages in \({\mathcal {B}}\) is validated by the given tag \(t=h_K(f(m^\mathbf A ))\) is

$$\begin{aligned} \mathcal {P}^\text {succ}_\text {coll}=\Pr \left\{ \exists \tilde{m}^\mathbf E \in {\mathcal {B}}: h_K(f(\tilde{m}^\mathbf E ))=t \right\} > 1-\exp \left( -|{\mathcal {B}}| |\mathcal {Z}|^{-1}\right) . \end{aligned}$$

For simplicity we can loosen the bound and replace \(|{\mathcal {B}}|\) by \(\binom{\ell }{w} < |{\mathcal {B}}|\), where \(\ell \) is the length of the binary message \(m^\mathbf E \).

Proof

The proof follows from Lemma 1 by setting \({\mathcal {M}}={\mathcal {B}}\).

Finally, \(|{\mathcal {B}}|=\sum _{k=0}^{w} \binom{\ell }{k} > \binom{\ell }{w}\).

If desired, \(1/|\mathcal {Z}|\) can be replaced by any lower bound on the probability to allow for non-uniform distributions.

Appendix 3: Calculation of success probability in step (Pc’) of attacks 2 and 3

1.1 Attack 2: Toeplitz-based hashing

The probability that step (Pc’) is successful, i.e., that a message \(P^\mathbf E \) exists that fulfills \(P^\mathbf E (s^\mathbf{E \leftrightarrow \mathbf B })=K^\mathbf A \) and \(t_2=g_{K_2}(b^\mathbf E ,T^\mathbf E ,P^\mathbf E )\), depends on the length of the message \(P^\mathbf E \): a short message \(P^\mathbf E \) means less freedom for Eve to find collisions. Currently, owing to its low computational complexity, universal hashing with Toeplitz matrices is predominantly used for PA. The smallest known Toeplitz matrix-based hashing family \({\mathcal {H}}_T: \{0,1\}^n \rightarrow \{0,1\}^m\) consists of \(2^{n-1}\) different functions [15]. Note that it has \(2^m\) different images and that for any \(x\ne 0\) there exist \(2^{n-m-1}\) different functions in \({\mathcal {H}}_T\) that map x to any given y.

Thus we need \(\mathrm {len}(s^\mathbf{E \leftrightarrow \mathbf B })-1\) bit for the description of a particular function of this family (here \(\mathrm {len}(\cdot )\) denotes the length of a binary string) and the size of the set \(\mathcal {P}\) of all PA functions that fulfill the first condition, i.e., \(\mathcal {P}:=\{P^\mathbf E : P^\mathbf E (s^\mathbf{E \leftrightarrow \mathbf B })=K^\mathbf A \}\), is given by \(|\mathcal {P}|=2^{\mathrm {len}(s^\mathbf{E \leftrightarrow \mathbf B })-\mathrm {len}(K^\mathbf A )-1}\).

Combining the fixed messages \(b^\mathbf E \) and \(T^\mathbf E \) with all messages from \(\mathcal {P}\), we form the set of all triples \({\mathcal {M}}:=\{(b^\mathbf E ,T^\mathbf E ,P^\mathbf E ): P^\mathbf E \in \mathcal {P}\}\) that fulfill the first condition. Obviously, \(|{\mathcal {M}}| = |\mathcal {P}|\). Now Lemma 1 gives us a lower bound for the success probability for finding a message in \({\mathcal {M}}\) that collides with \(M^\mathbf A \), i.e., \(\mathcal {P}^\text {succ}_\text {coll}=\Pr \left\{ \exists m^\mathbf E \in {\mathcal {M}}: h_{K_2}(f(m^\mathbf E ))=t_2 \right\} > 1-\exp \left( -|{\mathcal {M}}|/|\mathcal {Z}|\right) \).

If we assume again that \(|\mathcal {Z}|=2^{256}\), this means that shrinking the corrected key \(s^\mathbf{E \leftrightarrow \mathbf B }\) by 260 bit or more to obtain the final key \(K^\mathbf A \) gives Eve a chance of \(1-\exp (-2^{260-1}/2^{256}) = 1-\exp (-8) \ge 0.999\) to find a collision.

1.2 Attack 3: Toeplitz-based hashing

For attack 3, the argumentation is completely analogous: The only difference is that we directly define \({\mathcal {M}}:=\{P^\mathbf E : P^\mathbf E (\hat{s}^\mathbf B )=K^\mathbf A \}\) and that \(t_2\) is replaced with \(t_5\).

1.3 Discussion for other PA functions

Besides universal hashing, other strong randomness extractors can be used for PA. For example, asymptotically, Trevisan’s extractor needs a shorter description (seed) to select a particular function. In such a case, it might be impossible for Eve to fulfill both conditions. Nevertheless, she can accept that she shares different keys with Alice and Bob and only search for a \(P^\mathbf E \) such that the MAC is accepted. In that case, it would be only necessary that the seed is at least 260 bit long. To the best of our knowledge, all strong extractors with useful parameters need much more than 260 bit of seed.

Appendix 4: Subsequence problem

Eve is given two fixed bit sequences, \(s^\mathbf{E \leftrightarrow \mathbf B }\) (the sifted key that Eve wants to achieve) and \(d^\mathbf A \) (the raw key of Alice). Her goal is to find a subsequence of \(d^\mathbf A \) that coincides with \(s^\mathbf E \).

1.1 Algorithm that finds a subsequence

First, we give a simple algorithm that takes two sequences \(s=s_1|s_2|\dots |s_{m},\,S=S_1|S_2|\dots |S_{n}\) as inputs and returns the index set \({\mathcal {J}}=\{j_1,\dots ,j_m\}=\{j_i: S_{j_i}=s_i\}\) if s is a subsequence of S (denoted \(s\preccurlyeq S\)).

[Figure a: algorithm that finds a subsequence (listing not included)]

1.2 Probability for finding a subsequence in a random sequence

We assume that both sequences consist of i.i.d. Bernoulli trials with \(p(0)=p(1)=1/2\) and calculate the (success) probability that \(s\preccurlyeq S\).

\(s\preccurlyeq S\) iff S is of the form

$$\begin{aligned} S=\bar{s}_1|\dots |\bar{s}_1|\varvec{s_1}| \bar{s}_2|\dots |\bar{s}_2|\varvec{s_2}| \dots | \bar{s}_m|\dots |\bar{s}_m|\varvec{s_m}| x_1|x_2|\dots . \end{aligned}$$
(7)

Here, \(\bar{s}_j\) denotes the negation of \(s_j\) (the matched symbols \(s_j\) are written in bold, \(\varvec{s_j}\), to improve readability), while each \(x_i\) can independently take the value 0 or 1. All runs \(\bar{s}_j|\dots |\bar{s}_j\) are optional, i.e., each of them may be empty. Let \(\mathsf {S}\) be the number of different valid sequences, i.e., sequences S that contain s as a subsequence. Obviously \(\mathsf {S}\) does not depend on s, but only on m and n. To calculate \(\mathsf {S}\), we can therefore choose s to be the all-zero sequence of length m. Consequently, \(\mathsf {S}\) is equal to the number of different binary sequences of length n that contain at least m zeroes. The success probability is

$$\begin{aligned} {\text {Prob}}\{s\preccurlyeq S\} =\mathsf {S}/2^n=2^{-n}\sum _{l=m}^n \left( {\begin{array}{c}n\\ l\end{array}}\right) . \end{aligned}$$
(8)

1.3 Application to Eve’s attack

Note that Eve wants to find the sifted key \(s^\mathbf{E \leftrightarrow \mathbf B }\) in Alice’s raw key \(d^\mathbf A \). If both bases are used with equal probability (as in standard symmetric BB84), then \(m\approx n/2\). Obviously,

$$\begin{aligned} {\text {Prob}}\{s\preccurlyeq S\} >\frac{1}{2} \Leftarrow m \le \lfloor n/2\rfloor . \end{aligned}$$
(9)

However, it is not necessary that s is an exact subsequence of S. We can allow for some errors that will be removed during the subsequent error correction step. Using Hoeffding’s inequality (Theorem 1 in Ref. [16]), we can give a non-tight (but exponential) lower bound on \({\text {Prob}}\{\tilde{s}\preccurlyeq S\}\) if we allow for approximately k errors in the resulting subsequence \(\tilde{s}\):

$$\begin{aligned} {\text {Prob}}\{\tilde{s}\preccurlyeq S\}\ge 1-\exp \left( -\frac{2k^2}{n}\right) \Leftarrow \tilde{m}=\lfloor n/2\rfloor -k. \end{aligned}$$
(10)

Here, only \(\tilde{m}\) bits of s form a subsequence of S. For moderate values of k, this probability reaches almost unity.
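As an added illustration (example code, not from the paper), the following Python script implements the greedy subsequence search of Sect. 1.1, evaluates the exact probability (8) and the Hoeffding bound (10), and compares (8) with a Monte Carlo estimate over constructed random sequences; the function names and the toy sequences are assumptions of the example.

```python
from math import comb, exp
import random


def find_subsequence(s, S):
    """Greedy left-to-right scan for s as a subsequence of S.

    Returns the strictly increasing index list J = [j_1, ..., j_m] with
    S[j_i] == s_i, or None if s is not a subsequence of S.  Taking the
    earliest possible match for each s_i is optimal: a later choice only
    leaves fewer positions for the remaining symbols.
    """
    J = []
    j = 0
    for sym in s:
        while j < len(S) and S[j] != sym:
            j += 1
        if j == len(S):
            return None
        J.append(j)
        j += 1
    return J


def prob_subsequence(m, n):
    """Exact Prob{s is a subsequence of S} for i.i.d. uniform bits, eq. (8).

    The number of length-n supersequences does not depend on s, so it equals
    the number of length-n strings with at least m zeros.
    """
    return sum(comb(n, l) for l in range(m, n + 1)) / 2 ** n


def hoeffding_bound(n, k):
    """Lower bound (10): only m~ = floor(n/2) - k bits of s need to match."""
    return 1 - exp(-2 * k * k / n)


def monte_carlo(m, n, trials, seed=1):
    """Empirical estimate of (8); the random sequences are constructed here."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        s = [rng.randrange(2) for _ in range(m)]
        S = [rng.randrange(2) for _ in range(n)]
        if find_subsequence(s, S) is not None:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # Constructed toy instance: raw key S of length 12, target s of length 6.
    S = [1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0]
    s = [0, 1, 1, 0, 0, 1]
    print("index set J:", find_subsequence(s, S))
    # Symmetric BB84 regime m = floor(n/2): eq. (9) says the probability exceeds 1/2.
    for n in (20, 50, 100):
        m = n // 2
        print(n, m, round(prob_subsequence(m, n), 4), round(monte_carlo(m, n, 5000), 4))
    # Allowing k = 5 errors at n = 100: the exact value versus the bound (10).
    print(round(prob_subsequence(50 - 5, 100), 4), round(hoeffding_bound(100, 5), 4))
```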

Appendix 5: Universal hash functions and proof of Theorem 1

In the following, we give definitions of (Almost) Universal\(_2\) and Strongly Universal\(_2\) hash function families; see e.g., [31].

Definition 3

(\(\epsilon \)-Almost Universal\(_2\) (\(\epsilon \)-AU\(_2\)) hash functions) Let \(\mathcal {M}\) and \(\mathcal {T}\) be finite sets. A family \(\mathcal {H}\) of hash functions from \(\mathcal {M}\) to \(\mathcal {T}\) is \(\epsilon \)-Almost Universal\(_2\) if there exist at most \(\epsilon |\mathcal {H}|\) hash functions \(h\in \mathcal {H}\) such that \(h(m_1) = h(m_2)\) for any two distinct \(m_1, m_2 \in \mathcal {M}\).

If \(\epsilon =1/|\mathcal {T}|\), then \(\mathcal {H}\) is called Universal\(_2\) (U\(_2\)).

Definition 4

(\(\epsilon \)-Almost Strongly Universal\(_2\) (\(\epsilon \)-ASU\(_2\)) hash functions) Let \(\mathcal {M}\) and \(\mathcal {T}\) be finite sets. A family \(\mathcal {H}\) of hash functions from \(\mathcal {M}\) to \(\mathcal {T}\) is \(\epsilon \)-ASU\(_2\) if the following two conditions are satisfied:

  (a) The number of hash functions in \(\mathcal {H}\) that take an arbitrary \(m_1 \in \mathcal {M}\) to an arbitrary \(t_1 \in \mathcal {T}\) is exactly \(|\mathcal {H}|/|\mathcal {T}|\).

  (b) The fraction of those functions that also take an arbitrary \(m_2 \ne m_1\) in \(\mathcal {M}\) to an arbitrary \(t_2 \in \mathcal {T}\) (possibly equal to \(t_1\)) is at most \(\epsilon \).

If \(\epsilon =1/|\mathcal {T}|\), then \(\mathcal {H}\) is called Strongly Universal\(_2\) (SU\(_2\)).

Below, we restate Theorem 1 together with its proof. This theorem states that the composition of a hash function family with an SU\(_2\) family forms an ASU\(_2\) family if and only if the first family in the composition is AU\(_2\). The “if” part follows from the composition theorem [31], but the proof below handles “if and only if” simultaneously.

Theorem 1

Let \(\mathcal {M},\,\mathcal {Z}\) and \(\mathcal {T}\) be finite sets. Let \(\mathcal {F}\) be a family of hash functions from \(\mathcal {M}\) to \(\mathcal {Z},\,\mathcal {H}\) a family of SU\(_2\) hash functions from \(\mathcal {Z}\) to \(\mathcal {T}\), and \(\mathcal {G}:= \mathcal {H}\circ \mathcal {F}\), where \(\circ \) stands for element-wise composition. Then \(\mathcal {G}\) is \(\epsilon \)-ASU\(_2\) if and only if \(\mathcal {F}\) is \(\epsilon '\)-AU\(_2\), where \(\epsilon =\epsilon '(1-1/|\mathcal {T}|)+1/|\mathcal {T}|\).

Proof

For \(\mathcal {G}\) to be \(\epsilon \)-ASU\(_2\), there are two requirements (Definition 4). The first, on \(|\{g: g(m)=t\}|\), needs no properties of \(\mathcal {F}\), because, for any \(m\in \mathcal {M}\) and \(t\in \mathcal {T}\),

$$\begin{aligned} \begin{aligned} |\{g: g(m)=t\}|&= \sum _z|\{f:f(m)=z\}||\{h:h(z)=t\}|\\&= \sum _z|\{f:f(m)=z\}|\frac{|\mathcal {H}|}{|\mathcal {T}|} = |\mathcal {F}|\frac{|\mathcal {H}|}{|\mathcal {T}|}=\frac{|\mathcal {G}|}{|\mathcal {T}|}. \end{aligned} \end{aligned}$$
(11)

The second requirement is a bound for

$$\begin{aligned} \begin{aligned} |\{g&:g(m_1)=t_1, g(m_2)=t_2\}|\\&= \sum _z |\{f:f(m_1)=f(m_2)=z\}||\{h:h(z)=t_1,h(z)=t_2\}|\\&\quad + \sum _{z_1\ne z_2} |\{f:f(m_1)=z_1,f(m_2)=z_2\}| |\{h:h(z_1)=t_1,h(z_2)=t_2\}|, \end{aligned} \end{aligned}$$
(12)

for any two distinct \(m_1,\,m_2\in \mathcal {M}\). If \(t_1\ne t_2\), the first term above will be zero because h(z) will never equal both \(t_1\) and \(t_2\). If instead \(t_1=t_2=t\), the first term simplifies to

$$\begin{aligned} \begin{aligned} \sum _z |\{f:f(m_1)=f(m_2)=z\}||\{h:h(z)=t\}| = |\{f:f(m_1)=f(m_2)\}|\frac{|\mathcal {H}|}{|\mathcal {T}|}. \end{aligned} \end{aligned}$$
(13)

The second term is

$$\begin{aligned} &\sum _{z_1\ne z_2} |\{f:f(m_1)=z_1,f(m_2)=z_2\}| |\{h:h(z_1)=t_1,h(z_2)=t_2\}| \\ &\quad = \big (|\mathcal {F}|-|\{f:f(m_1)=f(m_2)\}|\big )\frac{|\mathcal {H}|}{|\mathcal {T}|^2} \end{aligned}$$
(14)

and this can be bounded by \(|\mathcal {G}|/|\mathcal {T}|^2\) only using properties of \(\mathcal {H}\). Thus, if \(t_1=t_2\) the first term needs a bound for collisions within \(\mathcal {F}\), while the second only needs properties of \(\mathcal {H}\), and we obtain

$$\begin{aligned} |\{g:g(m_1)=t_1, g(m_2)=t_2\}| = |\{f:f(m_1)=f(m_2)\}|\Big (\delta _{t_1,t_2}-\frac{1}{|\mathcal {T}|}\Big ) \frac{|\mathcal {H}|}{|\mathcal {T}|} + \frac{|\mathcal {G}|}{|\mathcal {T}|^2}, \end{aligned}$$
(15)

where \(\delta _{t_1,t_2}=1\) if \(t_1=t_2\) and 0 otherwise. This makes the second requirement on \(\mathcal {G}\) equivalent to \(\mathcal {F}\) being \(\epsilon '\)-AU\(_2\):

$$\begin{aligned} &|\{g:g(m_1)=t_1, g(m_2)=t_2\}| \le \epsilon \frac{|\mathcal {G}|}{|\mathcal {T}|}= \epsilon '\Big (1-\frac{1}{|\mathcal {T}|}\Big ) \frac{|\mathcal {G}|}{|\mathcal {T}|} + \frac{|\mathcal {G}|}{|\mathcal {T}|^2} \\ &\Longleftrightarrow \quad |\{f:f(m_1)=f(m_2)\}| \le \epsilon '|\mathcal {F}|. \end{aligned}$$
(16)
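As an added check of Theorem 1 (example code, not from the paper), the following Python script takes the affine maps over \(\mathbb {Z}_5\) as the SU\(_2\) family \(\mathcal {H}\), a hand-constructed four-function family as \(\mathcal {F}\), and verifies by exhaustive counting that the exact \(\epsilon \) of \(\mathcal {G}=\mathcal {H}\circ \mathcal {F}\) equals \(\epsilon '(1-1/|\mathcal {T}|)+1/|\mathcal {T}|\) and that the count formula (15) holds for every message and tag pair; the families and function names are assumptions of the example.

```python
from fractions import Fraction
from itertools import combinations, permutations, product

P = 5                  # |Z| = |T| = 5; P prime makes the affine maps an SU_2 family
Z = T = tuple(range(P))
M = tuple(range(7))    # seven messages, more than |Z|, so every f in F must collide somewhere


def su2_affine_family():
    """H = { z -> a*z + b mod P : a, b in Z_P }, a standard SU_2 family from Z to T."""
    return [lambda z, a=a, b=b: (a * z + b) % P for a in Z for b in Z]


# F: a constructed toy family of four functions M -> Z, given as value tables f[m].
F_TABLES = [
    (0, 1, 2, 3, 4, 0, 1),
    (0, 2, 4, 1, 3, 0, 2),
    (1, 1, 2, 3, 4, 0, 0),
    (3, 4, 0, 1, 2, 3, 4),
]


def collisions(f_tables, m1, m2):
    """|{f in F : f(m1) = f(m2)}|."""
    return sum(1 for f in f_tables if f[m1] == f[m2])


def au2_epsilon(f_tables):
    """Exact epsilon' of F (Definition 3): largest collision fraction over message pairs."""
    return max(Fraction(collisions(f_tables, m1, m2), len(f_tables))
               for m1, m2 in combinations(M, 2))


def compose(H, f_tables):
    """G = H o F element-wise, so |G| = |H| * |F| (compositions counted with multiplicity)."""
    return [lambda m, h=h, f=f: h(f[m]) for h in H for f in f_tables]


def count_g(G, m1, t1, m2, t2):
    """|{g in G : g(m1) = t1, g(m2) = t2}|."""
    return sum(1 for g in G if g(m1) == t1 and g(m2) == t2)


def asu2_epsilon(G):
    """Exact epsilon of G (Definition 4): checks condition (a) and returns the max in (b)."""
    for m, t in product(M, T):
        assert sum(1 for g in G if g(m) == t) == len(G) // len(T)   # condition (a)
    return max(Fraction(count_g(G, m1, t1, m2, t2) * len(T), len(G))
               for m1, m2 in permutations(M, 2) for t1, t2 in product(T, repeat=2))


def eq15_holds(H, f_tables, G):
    """Check the exact count (15) for every m1 != m2 and every (t1, t2)."""
    for m1, m2 in permutations(M, 2):
        c_f = collisions(f_tables, m1, m2)
        for t1, t2 in product(T, repeat=2):
            delta = 1 if t1 == t2 else 0
            rhs = c_f * (delta - Fraction(1, P)) * Fraction(len(H), P) + Fraction(len(G), P * P)
            if count_g(G, m1, t1, m2, t2) != rhs:
                return False
    return True


def check_theorem1():
    """Returns (epsilon', predicted epsilon, observed epsilon, eq. (15) verified)."""
    H = su2_affine_family()
    G = compose(H, F_TABLES)
    eps_prime = au2_epsilon(F_TABLES)
    predicted = eps_prime * (1 - Fraction(1, P)) + Fraction(1, P)
    observed = asu2_epsilon(G)
    return eps_prime, predicted, observed, eq15_holds(H, F_TABLES, G)


if __name__ == "__main__":
    print(check_theorem1())
```

With these families \(\epsilon '=3/4\) (messages 0 and 5 collide under three of the four functions), and the exhaustive count over \(\mathcal {G}\) returns exactly \(\epsilon =3/4\cdot 4/5+1/5=4/5\).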

Cite this article

Pacher, C., Abidin, A., Lorünser, T. et al. Attacks on quantum key distribution protocols that employ non-ITS authentication. Quantum Inf Process 15, 327–362 (2016). https://doi.org/10.1007/s11128-015-1160-4
