How Does QKD Work?
To understand how QKD works, we describe the original BB84 prepare-and-measure, polarization-based protocol as it remains a popular implementation choice and is relatively easy to understand compared to other QKD protocols (Gisin, Ribordy, Tittel, & Zbinden, 2002).
Figure 2 illustrates the QKD protocol as a series of eight steps. While these steps (or processes) can be depicted in a number of ways, we have chosen this flow to clearly illustrate how the QKD protocol behaves. In an actual system, these steps would most likely overlap and/or execute in parallel. Note that Quantum Exchange is the only step where the laws of quantum mechanics are directly applicable. The name is therefore somewhat of a misnomer: most of the QKD protocol is carried out through classical information theory “post-processing” steps.
In step 1, Alice and Bob authenticate with each other to ensure they are communicating with the expected party. Typically, this authentication is accomplished with the lesser-known Wegman-Carter authentication technique to meet QKD’s unconditional security claim (Scarani, et al., 2009). Moreover, unlike most cyber systems, which authenticate only when initiating communications, QKD systems often utilize a transactional authentication scheme where authentication occurs after each step (or a sequence of steps) according to the specific system implementation.
Table 1. The prepare and measure, polarization-based BB84 QKD protocol.
During quantum exchange (step 2), Alice prepares single photons, known as quantum bits or “qubits,” in one of four polarization states , , , or . The photon’s polarization state is prepared according to a randomly selected basis and bit value as shown in Table 1. Each photon is then transmitted to Bob through the quantum channel, where it can be subject to significant loss (e.g., >90% loss is common) because single photons are lost as they propagate over long distances through optical fiber or line-of-sight free space links. Due to these inherent challenges of single photon propagation, a majority of Alice’s photons are lost during transmission, thereby limiting the system’s effective operational distance to <100 km (Scarani, et al., 2009).
Assuming Alice’s encoded photon arrives at Bob, he must randomly select a measurement basis for each detected photon. If Bob measures the photon with the correctly matching basis, the encoded bit value (0 or 1) is obtained with a high degree of confidence. Conversely, if Bob measures the photon with the incorrect basis, a random result occurs and the originally prepared bit value is destroyed. This quantum mechanical phenomenon underpins QKD’s secure key generation where measuring a photon in flight forces its encoded state to collapse and prevents accurate copies from being made (i.e., the No Cloning Theorem) (Wootters & Zurek, 1982). Quantum exchange results in a series of detections at Bob, which need to be correlated with Alice’s sent photons through a sifting process.
In step 3, Bob’s detections are sifted to eliminate incorrect (non-matching) basis measurements. In general, 50% of Bob’s detections will be in the wrong basis and sifted out because of his random basis selection. This results in a shared sifted key, known as the “raw key,” held by both Alice and Bob and approximately half the size of Bob’s initial set of detections.
Next, an estimate of the quantum exchange error rate is calculated in step 4. Typically, a random percentage of bits are selected and compared over the classical channel. The estimated error rate is used to inform the error reconciliation technique (step 5), and can also be used to conduct an initial security check. This step is particularly important for QKD’s theoretical security posture as all errors during quantum exchange are attributed to eavesdroppers since the QKD protocol cannot discriminate between noise and malicious interference. Thus, if the estimated error rate exceeds the predetermined QKD error threshold (e.g., 11%), the raw key must be discarded as an adversary is assumed to be listening (Scarani, et al., 2009). Typically, the key generation is then restarted.
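Steps 2 through 4 as a small simulation, added here as an illustration and not taken from the cited sources: bases and bits are modelled as 0/1 integers, the channel is noiseless apart from loss, and `run_bb84`, `measured_in_flight` and `sample_frac` are hypothetical names. Setting `measured_in_flight` shows how an in-flight measurement pushes the estimated error rate past the 11% example threshold.

```python
import random

QBER_THRESHOLD = 0.11  # example threshold quoted in the text

def measure(bit, prep_basis, meas_basis, rng):
    """Matching basis returns the encoded bit; a mismatch gives a random result."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def run_bb84(n_photons, loss=0.9, measured_in_flight=False, sample_frac=0.25, seed=1):
    rng = random.Random(seed)  # simulation only; a real system needs true randomness
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        a_bit, a_basis = rng.randint(0, 1), rng.randint(0, 1)  # step 2: prepare
        bit, basis = a_bit, a_basis
        if measured_in_flight:
            # A third party measures in a random basis and the state collapses:
            # the photon that continues to Bob carries the measured result.
            e_basis = rng.randint(0, 1)
            bit, basis = measure(bit, basis, e_basis, rng), e_basis
        if rng.random() < loss:      # photon lost in the quantum channel
            continue
        b_basis = rng.randint(0, 1)  # Bob picks a random measurement basis
        b_bit = measure(bit, basis, b_basis, rng)
        if b_basis == a_basis:       # step 3: sifting keeps matching bases
            alice_key.append(a_bit)
            bob_key.append(b_bit)
    # Step 4: disclose a random sample over the classical channel, then drop it.
    idx = set(rng.sample(range(len(alice_key)), int(len(alice_key) * sample_frac)))
    errors = sum(alice_key[i] != bob_key[i] for i in idx)
    est = errors / len(idx) if idx else 1.0
    keep = [i for i in range(len(alice_key)) if i not in idx]
    return {
        "detections_sifted": len(alice_key),
        "estimated_error": est,
        "abort": est > QBER_THRESHOLD,
        "alice_raw": [alice_key[i] for i in keep],
        "bob_raw": [bob_key[i] for i in keep],
    }
```

With 90% loss and random basis choice, roughly 5% of the transmitted photons end up in the sifted key, and an in-flight measurement in a random basis yields an estimated error rate near 25%.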
In step 5, error reconciliation is performed to correct any errors in Alice and Bob’s raw keys. Due to device non-idealities and physical disturbances during quantum exchange, expected error rates are typically 3-5% (Gisin, Ribordy, Tittel, & Zbinden, 2002). Error reconciliation techniques employ specialized bi-directional correction algorithms (e.g., Winnow, Cascade, or Low-Density Parity-Check) to minimize the amount of information “leaked” over the classical channel to eavesdroppers (Scarani, et al., 2009). With a high probability, this step results in a perfectly matched, error-free shared secret key between Alice and Bob. The error reconciliation step results in a formalized Quantum Bit Error Rate (QBER), which is again checked against the QKD security proof threshold (e.g., 11%) to determine if an eavesdropper is listening on the quantum key distribution channel (Scarani, et al., 2009). If the security threshold is exceeded, the key must be discarded and the process is restarted.
Next, entropy estimation (step 6) accounts for the amount of secret key information leaked while executing the QKD protocol steps. For example, during quantum exchange, information leakage occurs from non-ideal laser sources which produce insecure multi-photon pulses. In another example, error reconciliation communications over the classical channel leak information about the secret key. In general, conservative loss estimates are made; however, implementations may differ considerably (Slutsky, Rao, Sun, Tancevski, & Fainman, 1998). The entropy estimate is then passed to the privacy amplification step, which corrects for the information leakage and ensures the eavesdropper has negligible information regarding the QKD-generated shared secret key. More specifically, step 7 employs advanced information theory techniques such as a universal hash function to produce a more secure final shared secret key (Scarani, et al., 2009).
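Steps 6 and 7 sketched in code (an added example, not from the cited sources). Assumptions: the length estimate is the simplified asymptotic form n(1 - h(QBER)) minus the bits disclosed during reconciliation minus a margin, the universal hash is a Toeplitz matrix over GF(2), and all function names are hypothetical.

```python
import math
import random

def h2(p):
    """Binary Shannon entropy in bits."""
    return 0.0 if p in (0.0, 1.0) else -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def final_key_length(n, qber, leaked_ec_bits, margin=64):
    """Step 6 (assumed estimate): n*(1 - h2(qber)) bits unknown to an eavesdropper,
    minus bits disclosed during reconciliation, minus a safety margin."""
    return max(0, math.floor(n * (1 - h2(qber))) - leaked_ec_bits - margin)

def toeplitz_hash(key_bits, out_len, seed_bits):
    """Step 7: multiply the key by an out_len x n Toeplitz matrix over GF(2).
    T[i][j] = seed_bits[i - j + n - 1], so the seed needs n + out_len - 1 bits."""
    n = len(key_bits)
    assert len(seed_bits) == n + out_len - 1
    return [sum(seed_bits[i - j + n - 1] & key_bits[j] for j in range(n)) & 1
            for i in range(out_len)]

def amplify(alice_key, bob_key, qber, leaked_ec_bits, seed=7):
    """Both sides hash their reconciled key with the same public seed."""
    rng = random.Random(seed)  # stands in for a seed shared over the classical channel
    m = final_key_length(len(alice_key), qber, leaked_ec_bits)
    seed_bits = [rng.randint(0, 1) for _ in range(len(alice_key) + m - 1)]
    return toeplitz_hash(alice_key, m, seed_bits), toeplitz_hash(bob_key, m, seed_bits)
```

With reconciliation leaking about n·h(QBER) bits, the estimated length reaches zero near a QBER of 11%, which matches the example threshold in the text.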
Lastly, in order to ensure the final symmetric crypto keys are the same, hashes of Alice’s and Bob’s keys are compared. If they match, the keys are delivered to the system owner. These unconditionally secure shared symmetric keys can then be used as desired by the user to protect sensitive information with the unbreakable one-time pad encryption scheme or supplement more practical encryption schemes such as AES. For readers interested in more details, a security-oriented description of QKD is available in (Mailloux, Grimaila, Hodson, Baumgartner, & McLaughlin, 2015) with comprehensive physics-based discussions in (Scarani, et al., 2009) and (Gisin, Ribordy, Tittel, & Zbinden, 2002).