# Developing new security fundamentals in the quantum era

Securing today’s communication networks against unwanted attacks is becoming more and more pressing as networks become larger and more ubiquitous. Currently, network security infrastructure largely uses conventional public key encryption (PKE) to ensure communications remain secure. PKE has largely been a successful approach for cybersecurity as it relies on the fact that even current supercomputers lack the power to calculate the right numbers to break PKE in any sort of practical timeframe.

That’s not to say that PKE is a panacea for cybersecurity as a whole. High-profile hacks and data breaches are common news, with many large organisations seeing their security compromised in one way or another. However, it’s fair to say that, by and large, these hacks are not due to a failure in cryptography. Often, they’re the result of certain areas of networks being left unsecured, or careful social engineering and deception carried out by malicious actors to gain network access.

So, PKE has largely been successful at doing what it was designed to do. Or has it?

The quantum era is rapidly approaching, and with it will likely come quantum computers that are powerful enough to break PKE and decrypt sensitive data with relative ease compared to classical computers.

This is largely viewed as inevitable and has been for a while. Technologies like Quantum Key Distribution (QKD), which can prevent attacks by powerful quantum computers, were first proposed by researchers more than two decades ago, and have been further developed ever since in order to one day combat the quantum threat.

While QKD is reaching the stage where it can be viably deployed at a commercial level, PKE still reigns supreme. This is partly because, right now, current quantum computers do not pose a realistic threat to PKE, and partly due to unfamiliarity with technologies like QKD and how best to implement them.

But the truth is, PKE is already vulnerable. While it’s generally accepted that current computers can’t break PKE, there’s nothing stopping bad actors from intercepting communications currently protected by PKE, and then breaking PKE in the near future with quantum computers. While these “harvest now, decrypt later” attacks might seem to pose a relatively minor threat due to data being old by the time it’s exposed, consider the implications for governments or financial services companies, whose data will undoubtedly remain sensitive and valuable many years into the future.

The truth is that the security industry needs to shift paradigms now, away from classical modes of encryption toward those that can protect today’s data both today and into the future. QKD offers a way for the industry to achieve this shift and is already being used in the real world. However, the implementation of QKD is very different to conventional public key encryption.

Developing a broader understanding of what QKD is and how it fundamentally differs from classical modes of encryption is vital for making this shift a reality. Let’s take a look at key aspects of QKD implementation by examining the security protocol used and the validity of the protocol implementation in the Toshiba QKD products.

## Understanding the fundamentals

QKD has reached a level of maturity such that it can be deployed in the real world. Fibre-based QKD is an especially appealing approach to implementing quantum-based security as it can make use of deployed fibre networks throughout the world. Keys exchanged by fibre-based QKD can then be straightforwardly used by network-based applications to securely encrypt data.

QKD offers a distinctly unique approach to securing data based on the laws of physics. This is quite different to conventional data security schemes such as asymmetric public key cryptography. These schemes instead rely on the strength of strong one-way mathematical functions to guarantee safeguarding from data theft. Moreover, the conventional “classical” schemes can in principle be broken by standard computers provided there is enough computing power. Worryingly, with the advent of quantum computers, the classical schemes can also be very easily defeated.

On the other hand, QKD delivers security by utilising quantum uncertainty to both detect and thwart the presence of eavesdropping as well as simultaneously delivering quantifiable security. These two fundamental advantages are not present in the classical schemes. Quantifiable security also means the keys exchanged by QKD have forward secrecy. This is good news for users since data encrypted with these keys can be considered secure both now and in the future. Coupled with symmetric cryptography such as the widely used Advanced Encryption Standard (AES), QKD can replace the keys that are conventionally exchanged using asymmetric classical techniques. This approach is considered a quantum-safe approach and can be straightforwardly implemented with conventional network encryption technology.

In its simplest form, QKD involves exchanging digital keys between two parties, a transmitter and a receiver. The parties utilise single photons as information carriers whereby the transmitter encodes a photon “pulse” with four possible states of information: the bit of the key either “0” or “1” and the basis type, labelled “X” or “Y” for example. These encoded photons are then sent over an untrusted link, such as an optical fibre in a standard network, to the receiver. The receiver decodes these photons by both randomly assigning a basis (X or Y) and measuring the single photons using very sensitive detectors known as single photon detectors to recover the bit information (0 or 1).

Post-processing techniques are then applied using a dedicated data service channel. This is an authenticated channel (to avoid man-in-the-middle attacks) – however, the service channel can be publicly accessible. Firstly, a process known as sifting removes the mis-matched basis events, resulting in what is termed a “sifted key”, which unavoidably contains transmission errors. These errors are corrected by an *error correction* algorithm, resulting in identical keys at both the transmitter and receiver. The final step is to remove any information leakage to a potential eavesdropper through a process termed *privacy amplification*. This step is carried out in two parts: (1) leakage is quantified by measuring certain variables such as photon count rates and error rates; and (2) hashing of the error corrected key into a shorter key with length determined by (1). After privacy amplification the transmitter and receiver each hold an identical and, crucially, secret key.

Security with QKD derives from the principles of quantum physics. As single photons cannot be cloned or divided, an eavesdropper listening in on the untrusted link inevitably introduces “noise” onto the single photons through quantum uncertainty. This noise shows up as an increase in error rate between the two legitimate communicating parties. The important step of privacy amplification effectively erases the amount of noise added. More noise means more privacy amplification, so QKD only ever delivers guaranteed secure keys. The description of the QKD protocol follows the prescription termed “BB84” – after the invention of the protocol in 1984 by authors Bennett and Brassard. The Toshiba QKD protocol explained in this white paper is based upon BB84.

For safeguarding networks both today and in the future, QKD is an ideal technology through the two significant advantages of detection of eavesdropping and quantifiable security. However, it is important to recognise that QKD is a very different platform to standard public key cryptography as it relies on physical principles rather than mathematical complexity. In particular QKD involves the faithful implementation of a security protocol inside the QKD technology.

The intuitive security of QKD is based on quantum physics and the uncertainty of working with single photons, but how do we quantify this? It’s possible by using information theory and statistical arguments. This takes measured quantities and applies quantum theory to compute the maximum theoretically possible knowledge that anyone else could have about the photon encoding and then processes this knowledge out.

As a result, the output keys are truly quantifiably random and secret. This is the general security argument but in the real world other practical factors must be considered. These include the statistics of finite sample sizes, since real users expect keys to be generated (i.e. processed) on short and regular time scales, as well as the inherently random statistics of laser light. Improving upon the original security proofs of QKD to make them more efficient has been a cornerstone of our work at Toshiba.

**Challenges of implementing QKD in practice**

The fundamental differences between QKD and classical forms of security mean that there are some challenges that need to be overcome in order for a paradigm shift in security to be made:

- *Finite size effects:* This simply means that the QKD protocol can only be executed for a finite length of time. Otherwise, you would never get a QKD key out of the system. However, this means there is uncertainty in the measured quantities used to determine the secure key length in privacy amplification, and an eavesdropper could manipulate this uncertainty.
- *Quantum signals based on laser sources:* Ideally the QKD system should emit one photon per pulse. However, as typical QKD systems use attenuated lasers for the quantum signals, these can contain optical pulses with more than one photon. These additional photons can be exploited by an eavesdropper.
- *Efficient basis choice:* To increase QKD performance it is desirable to send the main class of states most of the time. However, this can break QKD security since the dominant basis can be eavesdropped on by an adversary.

Let’s examine how all three of these challenges could be overcome with an efficient QKD protocol that is both finite size secure and able to mitigate multiphoton events in the quantum channel. The QKD protocol can also be said to be “information-theoretic secure” since it accounts for the potential for adversaries to have unlimited computing power and time.

## Finite size effects

**Flipping a coin**

Suppose you flip an unbiased coin a number of times. How many heads would you expect? Intuitively you would expect the coin to land heads up around half the time. However, the uncertainty in this expectation depends on the number of flips you perform. To see this, consider flipping a coin 10 times. Then the likelihood you end up with five heads is not very high – only around 25% of the time. We can visualise this by plotting the distribution of heads (first plot in Figure 2, N = 10). As you can see there is quite a spread in the distribution, which is centred around the expected number of heads. This spread represents the “uncertainty” in the result you might obtain, and this spread is often represented as two standard deviations (2σ).

Now consider increasing the number of flips to N = 100. The distribution looks tighter (middle plot in Figure 2) and the spread, 2σ, has reduced from 30% down to 10%. Increasing the flips even further to, say, N = 1000 results in a further reduced spread of about 3% (last plot in Figure 2).

Why are these results useful for understanding finite size effects in QKD? Well, in QKD we need to deal with the probabilistic arrival of photons sent from the QKD transmitter to the QKD receiver. These are also called “photon counts”. Various quantities are derived from these photon counts, which are then used in privacy amplification. Importantly, these quantities have inherent measurement uncertainties associated with them – exactly in analogy with the uncertainty associated when flipping a coin. Loosely speaking, the larger the uncertainties in these quantities, the more privacy amplification needs to be performed, thereby resulting in a shorter final key. This is due to larger uncertainties, representing our lack of complete knowledge of the QKD key exchange, translating into a potentially higher likelihood that an eavesdropper can exploit the QKD system.

**Quantity**

A key in QKD is distilled during a “key session”. The key session comprises all the usual steps in a QKD protocol that result in a final key (sifting, error correction, privacy amplification & authentication; see Box 1). Toshiba has developed a finite-size based QKD protocol that effectively handles the uncertainties on relevant QKD quantities used in a key session. However, the number of photon counts in each key session still needs to be quite high. Around 100 million photon counts are typically required to distil a practical key that is a good trade-off between final key size and realistic privacy amplification hashing. Much higher numbers of photon counts could be used, for example 1000 million photon counts, to reduce the uncertainties to negligible levels. However, this would only yield a slightly longer key while at the same time taking a considerable length of time to generate (as well as requiring a lot of number crunching effort during the privacy amplification hashing stage).

**Quantifying security**

Referring back to Figure 2, we see the uncertainties in the coin flipping distributions are quantified by the standard deviation, σ. Naturally, it would be good to reduce the standard deviation to minimise uncertainty on measured quantities. This can be achieved by increasing the sample size to around 100 million photon arrivals (as described above). However, the number of standard deviations is important for security as well. For example, 2σ corresponds to a confidence of only 95% that the final key is secure, and a corresponding key failure probability of ε = 0.05.

With this in mind, in the Toshiba QKD protocol, we use many more standard deviations, around 6.5σ. This improved number of standard deviations yields a 99.999999999% confidence and a corresponding key failure probability of ε = 10^{-10} that the final key is secure. This roughly translates into a key failure probability of one key every 30,000 years for a gigahertz-clocked QKD system. Confidential data encrypted by such keys is highly unlikely to be of relevance on such long time frames and therefore such ε-secure keys can be considered completely safe for all practical purposes.
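The coin-flip spreads and the step from 2σ to 6.5σ can be checked numerically. The following is an added example, not Toshiba's code: it uses a plain Gaussian approximation, a constructed 3% observed error rate, and the textbook asymptotic BB84 secret fraction 1 − 2h(Q) as a stand-in for the protocol's own key-length formula, which this page does not give.

```python
import math

def p_exact_heads(n, k):
    """Probability of exactly k heads in n fair coin flips."""
    return math.comb(n, k) / 2 ** n

def relative_spread(n, k_sigma=2.0, p=0.5):
    """k-sigma spread of the head count, expressed as a fraction of n flips."""
    return k_sigma * math.sqrt(n * p * (1 - p)) / n

def failure_probability(k_sigma):
    """Two-sided Gaussian tail: chance the true value lies outside +/- k sigma."""
    return math.erfc(k_sigma / math.sqrt(2))

def error_rate_upper_bound(observed_rate, n_counts, k_sigma):
    """Worst-case error rate consistent with the observation at k sigma
    (Gaussian approximation, an assumption of this example)."""
    sigma = math.sqrt(observed_rate * (1 - observed_rate) / n_counts)
    return observed_rate + k_sigma * sigma

def binary_entropy(q):
    if q <= 0.0 or q >= 1.0:
        return 0.0
    return -q * math.log2(q) - (1 - q) * math.log2(1 - q)

def secret_fraction(q_upper):
    """Textbook asymptotic BB84 estimate 1 - 2h(Q); a simplification used
    here only to show the trend, not the protocol's real formula."""
    return max(0.0, 1.0 - 2.0 * binary_entropy(q_upper))

def session_table(observed_rate=0.03, k_sigma=6.5,
                  sizes=(10**4, 10**6, 10**8, 10**9)):
    """(photon counts, pessimistic error rate, surviving key fraction)."""
    rows = []
    for n in sizes:
        bound = error_rate_upper_bound(observed_rate, n, k_sigma)
        rows.append((n, bound, secret_fraction(bound)))
    return rows

if __name__ == "__main__":
    print(f"P(5 heads in 10 flips) = {p_exact_heads(10, 5):.3f}")
    for n in (10, 100, 1000):
        print(f"N={n:5d}  2-sigma spread = {relative_spread(n):.1%}")
    for k in (2.0, 6.5):
        print(f"{k} sigma -> failure probability {failure_probability(k):.2e}")
    for n, bound, frac in session_table():
        print(f"counts={n:>10d}  error bound={bound:.5f}  key fraction={frac:.4f}")
```

The last table shows the trade-off described under "Quantity": going from 10^8 to 10^9 counts barely moves the surviving key fraction, while small sessions pay a visible finite-size penalty.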

## Quantum signals based on laser sources

**Single and multi-photons**

In an ideal world the key encoded optical pulses (or “time slots”) sent from the QKD transmitter to the QKD receiver are each a single photon. In practice this is very hard to do, if not impossible. Single photon sources exist; however, they are still very much confined to research and development. Furthermore, they typically require cryogenic cooling and additional sophisticated techniques in order to make them operate efficiently. It is far preferable to use an attenuated laser to generate single photons since telecom laser diodes are ubiquitous and used routinely in optical network equipment. Typically, the laser optical power is attenuated down from about 10^{-3} Watts (0dBm) to the single photon level of around 10^{-10} Watts (-80dBm). However, these attenuated laser sources do not emit single photons every time slot. As the emission is random, it is possible to get two or more photons in a time slot, as well as even no photons in some cases.

Attenuated laser sources like these are said to follow a “Poissonian number distribution” (see below). The pulses containing two or more photons are problematic for QKD security because an eavesdropper can tap off one of the photons and keep it for themselves while letting the remaining (single) photon carry on its way to the QKD receiver. Then the eavesdropper would listen in to the public discussion during the post-processing stage of the key session. The legitimate communicating parties would not notice this covert tapping since the noise on the communication channel would not increase. As a result, the eavesdropper could learn part of the key without being detected. It’s important to note that to carry out this type of attack, the eavesdropper would require some form of quantum memory to store the tapped photon until the key session post-processing stage. Quantum memory, like single photon sources, is currently mainly a research topic, and as such it is highly unlikely an eavesdropper today would be able to realise such technology in order to mount an effective attack. Nevertheless, as QKD promises information-theoretic security, all possible types of attack on the cryptosystem must be accounted for, even with the assumption of an eavesdropper with unlimited power and resources at their disposal.

**Decoy states**

The preceding discussion would imply that a QKD system using attenuated laser sources would be insecure. Fortunately, there is an elegant solution to the problem. Instead of sending the attenuated optical laser pulses at one average intensity, the QKD transmitter randomly intersperses the standard time slots (which are encoded with the key at one average intensity) with one or more sets of time slots with lower average intensities.

These are typically referred to as “decoy states”. If an eavesdropper attempts the photon tapping illustrated in the previous section, they will not know which set of states a time slot is encoded with. This means they will inadvertently affect the overall (average) photon counts of the various decoy states measured by the QKD receiver. The legitimate communicating parties can then use these (average) decoy photon counts to put bounds on an eavesdropper tapping multiphoton time slots. This is very powerful as it means the QKD transmitter can send a much stronger average intensity for the key encoded time slots – significantly elevating the QKD system’s key rate – while at the same time mitigating this photon number splitting attack. Toshiba’s QKD protocol uses decoy states for protection against photon number splitting. Furthermore, as it relies on measured quantities (the measured decoy photon counts) it also considers finite-size effects on these counts. This means the decoy state analysis in the protocol is fully consistent with the overall security parameter, ε, of the QKD system.

**Poissonian photon number distributions**

Consider a perfect single photon source emitting single photons at the clock rate of the QKD system. The clock rate of the photon source might be at one gigahertz in which case each “time slot” is one nanosecond. In each QKD time slot there is exactly one photon, top half of Figure 3. There is no possibility for an eavesdropper to launch a photon splitting attack using this type of photon source to transmit key information in QKD. It’s important to note, however, that such a perfect source is impossible to realise – even the state of the art single photon sources are not perfect and can occasionally emit more than one photon per time slot.

Now consider an attenuated laser source used in QKD. Due to the operating principle of attenuated laser diodes, the number of photons emitted is purely random per time slot. Such behaviour can be described mathematically by a Poissonian photon number distribution. Photons are therefore randomly distributed among time slots. Sometimes you get a single photon in a time slot and sometimes no photons in a time slot. Occasionally you get two photons in a time slot and very rarely three photons. In this case, an eavesdropper can launch a photon number splitting attack on the time slots that contain more than one photon, thereby learning part of the QKD key unnoticed (see main text).

In the example in Figure 3, it is easy to see the average intensity of the single photons from the perfect photon source is exactly *one photon per time slot*. Conversely, in the case of the attenuated laser source, the average intensity is the total number of photons divided by the total number of time slots – in this case 12 photons / 14 time slots = 0.86 photons per time slot. QKD systems with attenuated laser sources typically use average photon intensities of less than one photon per pulse. Otherwise, the multiphoton component becomes so high that, even with decoy states, the photon number splitting attack can be successful – which is clearly undesirable from a security point of view.
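The Poissonian statistics and the decoy-state check described in this section can be worked through numerically. This is an added example, not Toshiba's protocol code: the intensities (0.5 and 0.1 photons per pulse), the 10 dB channel, the absence of dark counts, and the photon-number-dependent channel used as the tampered case are all constructed assumptions.

```python
import math

def poisson(n, mu):
    """Probability that a time slot with mean intensity mu holds n photons."""
    return math.exp(-mu) * mu ** n / math.factorial(n)

def multiphoton_fraction(mu):
    """Share of non-empty time slots that carry two or more photons."""
    p0 = math.exp(-mu)
    p1 = mu * p0
    return (1.0 - p0 - p1) / (1.0 - p0)

def honest_yield(eta):
    """Untampered channel: each photon arrives independently with prob. eta."""
    return lambda n: 1.0 - (1.0 - eta) ** n

def number_dependent_yield(mu_signal, eta):
    """Constructed tampered channel: single-photon slots never arrive and
    multiphoton slots arrive with probability s, tuned so the SIGNAL count
    rate is identical to an honest channel of transmittance eta."""
    target = 1.0 - math.exp(-eta * mu_signal)
    p_multi = 1.0 - math.exp(-mu_signal) * (1.0 + mu_signal)
    s = target / p_multi
    if s > 1.0:
        raise ValueError("cannot reproduce the honest signal count rate")
    return lambda n: s if n >= 2 else 0.0

def gain(mu, yield_fn, n_max=40):
    """Fraction of time slots at intensity mu that produce a detection."""
    return sum(poisson(n, mu) * yield_fn(n) for n in range(n_max))

def decoy_deviation(q_signal, q_decoy, mu_signal, mu_decoy):
    """Relative gap between the measured decoy count rate and the rate an
    honest channel with the same signal count rate would give."""
    eta_est = -math.log(1.0 - q_signal) / mu_signal
    expected = 1.0 - math.exp(-eta_est * mu_decoy)
    return (q_decoy - expected) / expected

MU_SIGNAL, MU_DECOY, ETA = 0.5, 0.1, 0.1   # constructed values; 0.1 = 10 dB loss

def compare_channels():
    out = {}
    channels = {"honest": honest_yield(ETA),
                "tampered": number_dependent_yield(MU_SIGNAL, ETA)}
    for name, y in channels.items():
        q_s, q_d = gain(MU_SIGNAL, y), gain(MU_DECOY, y)
        out[name] = (q_s, q_d, decoy_deviation(q_s, q_d, MU_SIGNAL, MU_DECOY))
    return out

if __name__ == "__main__":
    print(f"multiphoton share at mu=0.5: {multiphoton_fraction(0.5):.1%}")
    for name, (q_s, q_d, dev) in compare_channels().items():
        print(f"{name:9s} signal={q_s:.5f} decoy={q_d:.5f} deviation={dev:+.1%}")
```

Both channels show the same signal count rate, but the decoy count rate on the tampered channel falls to about a quarter of the expected value, which is the discrepancy the decoy analysis bounds.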

## Efficient basis choice

The final aspect of the security protocol we’d like to consider is *efficient basis choice*. As shown in Figure 1, the basis choice can be X or Y. In traditional QKD, one chooses between these two bases with a 50% probability. However, this is not very efficient since the QKD receiver has to guess the basis the transmitter used with a 50% probability, which leads to only half of the bases matching (the other half gets thrown away). This can be illustrated by multiplying probabilities: if the QKD transmitter encodes X and Y with equal probabilities of 50% and the QKD receiver decodes X and Y with equal probabilities, then the probability to match X is simply 50% × 50% = 25%. The probability to match Y is the same: 50% × 50% = 25%. Therefore, the total probability that **both** bases matched is 25% + 25% = 50%.

If the basis choice could be biased, e.g. 75% X and 25% Y, then the efficiency is much better – 62.5% of the bases match and therefore this larger amount contributes to the final secure key. If we consider an extreme example, 99% X and 1% Y, then we get to keep almost everything (98%) and in principle the overall secure bit rate has almost doubled over the traditional case.

However, is biasing the basis probabilities like this secure? It turns out that it is – as long as you keep track of the information associated with the bases separately when computing the length of the secure key. This information would be things like count rates, error rates and decoy count rates etc. The secure key length is then calculated separately for the X basis and Y basis. These two key lengths can simply be added together to give a final key length.

Toshiba’s security protocol^{1} incorporates efficient basis choice with a probability of over 90% for the X basis and less than 10% for the Y basis. This translates into an efficiency factor increase of over 1.8 when compared to using the standard approach of 50:50 basis probabilities. Note that more extreme biased basis choices than this aren’t really possible due to finite size issues in the Y basis (finite size effects are discussed earlier).
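The sifting step of the BB84 exchange and the requirement to keep X and Y statistics separate can be seen in a small classical simulation. This is an added example, not Toshiba's implementation: the 95% X bias, the slot count, the 5% alarm threshold and the measure-and-resend tap on the dominant basis are constructed assumptions, and loss, multiphoton pulses and detector noise are left out.

```python
import random

def run_session(n_slots, p_x, tap_basis=None, seed=2013):
    """Simulate BB84 sifting with basis X chosen with probability p_x at both
    ends. If tap_basis is set, every photon is measured in that basis on the
    link and re-sent, which randomises states prepared in the other basis."""
    rng = random.Random(seed)
    sifted = {"X": 0, "Y": 0}
    errors = {"X": 0, "Y": 0}
    for _ in range(n_slots):
        bit = rng.getrandbits(1)
        tx_basis = "X" if rng.random() < p_x else "Y"
        rx_basis = "X" if rng.random() < p_x else "Y"

        flying_bit, flying_basis = bit, tx_basis
        if tap_basis is not None:
            if tap_basis != flying_basis:
                flying_bit = rng.getrandbits(1)   # wrong-basis measurement
            flying_basis = tap_basis              # state is re-prepared

        # Receiver: a wrong-basis measurement yields a random bit.
        rx_bit = flying_bit if rx_basis == flying_basis else rng.getrandbits(1)

        if rx_basis != tx_basis:
            continue                              # discarded by sifting
        sifted[tx_basis] += 1
        errors[tx_basis] += int(rx_bit != bit)

    total = sifted["X"] + sifted["Y"]
    return {
        "sifted_fraction": total / n_slots,
        "qber": {b: (errors[b] / sifted[b] if sifted[b] else None)
                 for b in sifted},
        "pooled_qber": (errors["X"] + errors["Y"]) / total if total else None,
    }

def bases_over_threshold(result, threshold=0.05):
    """Bases whose own error rate exceeds the (constructed) alarm threshold."""
    return [b for b, q in result["qber"].items()
            if q is not None and q > threshold]

if __name__ == "__main__":
    n = 200_000
    cases = [("50:50, clean link", 0.50, None),
             ("95:5, clean link", 0.95, None),
             ("95:5, X-basis tap", 0.95, "X")]
    for label, p_x, tap in cases:
        r = run_session(n, p_x, tap)
        print(f"{label:18s} sifted={r['sifted_fraction']:.3f} "
              f"pooled={r['pooled_qber']:.4f} per-basis={r['qber']} "
              f"alarm={bases_over_threshold(r)}")
```

With the tap in place the pooled error rate stays far below the threshold because Y events are rare, while the Y-basis error rate alone sits near 50%; this is why the key length is computed per basis.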

## Putting it all together

Toshiba’s QKD systems all use the efficient protocol with considerations for finite size effects and the use of decoy states for enhanced security. The implementation works very effectively – record commercial QKD key rates are achieved for 10 dB loss, which works out at 50 km of standard single mode fibre for the Long Distance (LD) QKD systems and around 30 km for the Multiplexed Unidirectional (MU) QKD system. Figure 4 shows the typical performance of both types of system as a function of fibre distance. While the MU system extends to about 90 km, the LD system can support distances up to and beyond 150 km.

QKD can provide the basis for new fundamentals that underpin the security industry now, and into the future. By understanding these fundamentals, and the differences between QKD and classical security systems, organisations can start taking action now to mitigate both current and future threats arising from the power of quantum security.

^{1}**Efficient decoy-state quantum key distribution with quantified security**

M. Lucamarini, K. A. Patel, J. F. Dynes, B. Fröhlich, A. W. Sharpe, A. R. Dixon, Z. L. Yuan, R. V. Penty and A. J. Shields *Opt. Express*, **21**, pp. 24550–24565, 7 October 2013