EITC/IS/QCF Quantum Cryptography Fundamentals is the European IT Certification programme on theoretical and practical aspects of quantum cryptography, primarily focusing on Quantum Key Distribution (QKD), which in conjunction with the One-Time Pad offers, for the first time in history, absolute (information-theoretic) communication security.
The curriculum of the EITC/IS/QCF Quantum Cryptography Fundamentals covers an introduction to Quantum Key Distribution, quantum communication channels and information carriers, composite quantum systems, classical and quantum entropy as communication theory information measures, QKD prepare-and-measure protocols, entanglement-based QKD protocols, QKD classical post-processing (including error correction and privacy amplification), security of Quantum Key Distribution (definitions, eavesdropping strategies, security of the BB84 protocol, security via entropic uncertainty relations), practical QKD (experiment vs. theory), an introduction to experimental quantum cryptography, as well as quantum hacking, within the following structure, encompassing comprehensive video didactic content as a reference for this EITC Certification.
Quantum cryptography is concerned with developing and implementing cryptographic systems that are based on the laws of quantum physics rather than classical physics. Quantum key distribution is the most well-known application of quantum cryptography, as it provides an information-theoretically secure solution to the key exchange problem. Quantum cryptography has the advantage of allowing the completion of a variety of cryptographic tasks that have been shown or conjectured to be impossible using solely classical (non-quantum) communication. Copying data encoded in a quantum state, for example, is impossible (no-cloning theorem), and any attempt to read the encoded data alters the quantum state owing to wave function collapse. In quantum key distribution (QKD), this can be used to detect eavesdropping.
The work of Stephen Wiesner and Gilles Brassard is credited with establishing quantum cryptography. Wiesner, then at Columbia University in New York, invented the concept of quantum conjugate coding in the early 1970s. The IEEE Information Theory Society rejected his important study “Conjugate Coding,” but it was eventually published in SIGACT News in 1983. In this study, he demonstrated how to encode two messages in two “conjugate observables,” such as linear and circular photon polarization, so that either, but not both, can be received and decoded. It wasn’t until the 20th IEEE Symposium on the Foundations of Computer Science, held in Puerto Rico in 1979, that Charles H. Bennett of IBM’s Thomas J. Watson Research Center and Gilles Brassard discovered how to incorporate Wiesner’s results. In their words: “We recognized that photons were never meant to store information, but rather to convey it.” Based on this previous work, Bennett and Brassard introduced a secure communication system named BB84 in 1984. Following David Deutsch’s idea to use quantum non-locality and Bell’s inequality to accomplish secure key distribution, Artur Ekert investigated entanglement-based quantum key distribution in greater depth in a 1991 study.
Kak’s three-stage technique proposes that both sides rotate their polarization at random. If single photons are employed, this technology can theoretically be used for continuous, unbreakable data encryption. The basic polarization rotation mechanism has been implemented. This is a solely quantum-based cryptography method, as opposed to quantum key distribution, which uses classical encryption.
Quantum key distribution methods are based on the BB84 method. MagiQ Technologies, Inc. (Boston, Massachusetts, United States), ID Quantique (Geneva, Switzerland), QuintessenceLabs (Canberra, Australia), Toshiba (Tokyo, Japan), QNu Labs, and SeQureNet (Paris, France) are all manufacturers of quantum cryptography systems.
Advantages
Cryptography is the most secure link in the data security chain. Interested parties, on the other hand, cannot expect that cryptographic keys will remain secure permanently. Quantum cryptography has the capability of protecting data for longer durations of time than traditional cryptography. With traditional cryptography, scientists can’t guarantee encryption for more than 30 years, but some stakeholders may require longer protection periods. Take the healthcare industry, for example. Electronic medical record systems are used by 85.9% of office-based physicians to store and transmit patient data as of 2017. Medical records must be kept private under the Health Insurance Portability and Accountability Act. Paper medical records are usually incinerated after a certain amount of time has passed, while computerized records leave a digital trail. Electronic records can be protected for up to 100 years using quantum key distribution. Quantum cryptography also has applications for governments and militaries, as governments have typically kept military material secret for almost 60 years. It has also been demonstrated that quantum key distribution can be secure even when transmitted over a noisy channel over a long distance: a noisy quantum scheme can be transformed into a classical noiseless scheme, and classical probability theory can then be used to tackle the problem. Quantum repeaters can help with this process of maintaining constant protection over a noisy channel. Quantum repeaters are capable of efficiently resolving quantum communication faults. To ensure communication security, quantum repeaters, which are quantum computers, can be stationed as segments over the noisy channel. Quantum repeaters accomplish this by purifying the channel segments before linking them to form a secure communication line. Over a long distance, even sub-par quantum repeaters can give an efficient level of protection through the noisy channel.
Applications
Quantum cryptography is a broad term that refers to a variety of cryptographic techniques and protocols. The following sections go through some of the most notable applications and protocols.
Quantum key distribution
The technique of using quantum communication to establish a shared key between two parties (for example, Alice and Bob) without a third party (Eve) learning anything about that key, even if Eve can eavesdrop on all communication between Alice and Bob, is known as QKD. Discrepancies will develop if Eve attempts to gather knowledge about the key being established, causing Alice and Bob to notice. Once the key has been established, it is usually used to encrypt communication via traditional methods. The exchanged key, for example, might be used for symmetric cryptography (e.g. One-time pad).
Quantum key distribution’s security may be established theoretically without imposing any constraints on an eavesdropper’s skills, which is not achievable with classical key distribution. Some minimal assumptions are required, however: that quantum physics applies, and that Alice and Bob can authenticate each other, since otherwise Eve could impersonate Alice or Bob and mount a man-in-the-middle attack.
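The following simulation is an added example (it is not code from the certification materials or from any QKD vendor) of the BB84 flow described above: Alice encodes random bits in random conjugate bases, Bob measures in random bases, the two sift on bases only, and a sacrificed sample estimates the quantum bit error rate (QBER). Qubits are modelled ideally (a measurement in the matching basis returns the encoded bit, a measurement in the conjugate basis returns a uniformly random bit); channel loss, error correction and privacy amplification are omitted, and the 11% abort threshold is the well-known limit for BB84 with one-way post-processing. The `eavesdrop` flag models the intercept-resend disturbance the text refers to, so the reader can see the discrepancy Alice and Bob notice.

```python
import random

RECTILINEAR, DIAGONAL = 0, 1  # the two conjugate bases used by BB84
QBER_ABORT_THRESHOLD = 0.11   # known one-way-post-processing limit for BB84; above it the key is discarded


def measure(bit, prep_basis, meas_basis, rng):
    """Ideal qubit measurement: the matching basis yields the encoded bit, the conjugate basis a random bit."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def run_bb84(n, rng, eavesdrop=False, sample_fraction=0.5):
    """Run one BB84 session over n qubits; return (estimated QBER, remaining raw key bits).

    eavesdrop=True models an intercept-resend disturbance on the quantum channel (Eve measures each
    qubit in a random basis and re-prepares her result), the situation the QBER check exists to detect.
    """
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            eve_basis = rng.randrange(2)
            # What reaches Bob is Eve's re-prepared state, not Alice's original one.
            bit, a_basis = measure(bit, a_basis, eve_basis, rng), eve_basis
        bob_bits.append(measure(bit, a_basis, b_basis, rng))

    # Sifting: bases (never bit values) are compared publicly; only matching positions are kept.
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]

    # Parameter estimation: a random sample of sifted bits is disclosed to estimate the error rate.
    sample_size = int(len(sifted) * sample_fraction)
    sample = set(rng.sample(range(len(sifted)), sample_size))
    errors = sum(1 for i in sample if sifted[i][0] != sifted[i][1])
    qber = errors / sample_size if sample_size else 0.0
    raw_key = [a for i, (a, _) in enumerate(sifted) if i not in sample]
    return qber, raw_key


def key_is_usable(qber):
    """Abort decision: intercept-resend introduces roughly 25% errors, far above the threshold."""
    return qber <= QBER_ABORT_THRESHOLD


def one_time_pad(key_bits, message_bits):
    """XOR the message with an equally long key; applying it again with the same key decrypts."""
    if len(key_bits) < len(message_bits):
        raise ValueError("one-time pad needs at least as many key bits as message bits")
    return [k ^ m for k, m in zip(key_bits, message_bits)]


def session(seed, eavesdrop=False, n=4000):
    """Convenience wrapper with a fixed seed so a run is reproducible (constructed demo parameters)."""
    return run_bb84(n, random.Random(seed), eavesdrop)


if __name__ == "__main__":
    qber, key = session(2024)
    print(f"no eavesdropper:  QBER={qber:.3f} usable={key_is_usable(qber)} key bits={len(key)}")
    qber_e, _ = session(2024, eavesdrop=True)
    print(f"intercept-resend: QBER={qber_e:.3f} usable={key_is_usable(qber_e)}")
```

With ideal devices and no disturbance the estimated QBER is exactly zero and about a quarter of the transmitted qubits survive as raw key; with intercept-resend the QBER lands near 25%, so the session aborts before any bit is used as a pad.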
While QKD appears to be secure, its applications face practical challenges, namely constraints on transmission distance and key generation rate. Continuous research and developments in technology have allowed for advances against such constraints. Lucamarini et al. suggested a twin-field QKD system in 2018 that may be able to overcome a lossy communication channel’s rate-loss scaling. At 340 kilometers of optical fiber, the rate of the twin-field protocol was shown to exceed the secret key-agreement capacity of the lossy channel, known as the repeater-less PLOB bound; its ideal rate exceeds this bound already at 200 kilometers and follows the rate-loss scaling of the higher repeater-assisted secret key-agreement capacity (see figure 1 of for more details). According to the protocol, ideal key rates can be achieved using “550 kilometers of conventional optical fibre,” which is already widely used in communications. Minder et al. confirmed the theoretical finding in 2019 with the first experimental demonstration of QKD beyond the rate-loss limit, which has been dubbed the first effective quantum repeater. The sending-not-sending (SNS) variant of the TF-QKD protocol is one of the major breakthroughs in terms of reaching high rates over long distances.
Mistrustful quantum cryptography
The participants in mistrustful cryptography do not trust each other. Alice and Bob, for example, collaborate to complete a computation in which both parties provide private inputs. Alice, however, does not trust Bob, and Bob does not trust Alice. As a result, a secure implementation of a cryptographic task requires Alice’s assurance that Bob did not cheat once the computation is completed, and Bob’s assurance that Alice did not cheat. Commitment schemes and secure computations, the latter of which includes the tasks of coin flipping and oblivious transfer, are examples of mistrustful cryptographic tasks. Key distribution does not belong to the field of mistrustful cryptography. Mistrustful quantum cryptography investigates the use of quantum systems in the field of mistrustful cryptography.
In contrast to quantum key distribution, where unconditional security can be achieved solely through the laws of quantum physics, there are no-go theorems proving that for various tasks in mistrustful cryptography unconditionally secure protocols cannot be achieved solely through the laws of quantum physics. Some of these tasks, however, can be carried out with unconditional security if the protocols make use of both quantum physics and special relativity. Mayers, and Lo and Chau, for example, demonstrated that unconditionally secure quantum bit commitment is impossible. Lo and Chau demonstrated that unconditionally secure perfect quantum coin flipping is impossible. Furthermore, Lo demonstrated that quantum protocols for one-out-of-two oblivious transfer and other secure two-party computations cannot be guaranteed to be secure. Kent, on the other hand, has demonstrated unconditionally secure relativistic protocols for coin flipping and bit commitment.
Quantum coin flipping
Quantum coin flipping, unlike quantum key distribution, is a mechanism used between two parties that do not trust one another. The participants communicate through a quantum channel and exchange data via qubit transmission. However, because Alice and Bob are distrustful of one another, each expects the other to cheat. As a result, more work must be expended to ensure that neither Alice nor Bob has a considerable edge over the other in order to achieve the desired result. A bias is the ability to affect a specific outcome, and much effort has gone into designing protocols that eliminate the bias of a dishonest player, also known as cheating. Quantum communication protocols, such as quantum coin flipping, have been proved to provide considerable security advantages over traditional communication, despite the fact that they may be challenging to implement in practice.
The following is a typical coin flip protocol:
- Alice selects a basis (rectilinear or diagonal) and generates a string of photons in that basis to deliver to Bob.
- Bob chooses a rectilinear or diagonal basis to measure each photon at random, noting which basis he used and the recorded value.
- Bob makes a public guess about the basis in which Alice sent her qubits.
- Alice reveals her choice of basis and sends Bob her original string.
- Bob confirms Alice’s string by comparing it to his table. It should be perfectly correlated with the measurements Bob made in Alice’s basis and fully uncorrelated with those made in the other basis.
When a player tries to influence or improve the likelihood of a specific outcome, this is known as cheating. Some forms of cheating are discouraged by the protocol; for example, at step 4 Alice could claim that Bob guessed her initial basis incorrectly when he actually guessed correctly, but Alice would then have to produce a string of bits that perfectly correlates with what Bob measured in the opposite table. Her chances of producing a matching string diminish exponentially with the number of qubits transferred, and if Bob notices a mismatch, he’ll know she’s lying. Alice might similarly construct a string of photons from a mixture of states, but Bob would quickly see that her string somewhat (but not completely) corresponds with both sides of the table, indicating that she cheated. There is an inherent weakness in contemporary quantum devices as well. Bob’s measurements will be affected by errors and lost qubits, resulting in holes in his measurement table. Bob’s ability to verify Alice’s qubit sequence in step 5 will be hampered by significant measurement errors.
The Einstein-Podolsky-Rosen (EPR) paradox is one theoretically certain way for Alice to cheat. Two photons in an EPR pair are anticorrelated, which means that they will always have opposite polarizations when measured in the same basis. Alice may create a string of EPR pairs, sending one photon of each pair to Bob and keeping the other for herself. Once Bob states his guess, she could measure her EPR photons in the opposite basis and gain a perfect correlation to Bob’s opposite table. Bob would have no idea she had cheated. This, however, requires capabilities that quantum technology currently lacks, making it impossible to achieve in practice. To pull this off, Alice would need to be able to store all of the photons for an extended period of time and measure them with near-perfect accuracy. This is because every photon lost during storage or measurement would leave a hole in her string, which she would have to fill with guesswork. The more guesses she has to make, the more likely she is to be caught cheating by Bob.
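The coin-flip protocol and Bob’s verification step, as an added example (not code from the certification materials): the five steps above are simulated with ideal qubits, and `verify` implements the two checks the text describes, exact agreement wherever Bob happened to measure in the claimed basis and near-50% agreement everywhere else. The `alice_lies` flag models the first cheating attempt discussed above (Alice denying a correct guess and fabricating a string for the other basis), so that the reader can see that it is caught with overwhelming probability; the string length, seeds and the 0.75 cross-basis agreement limit are constructed parameters, not values from the original text.

```python
import random

RECTILINEAR, DIAGONAL = 0, 1


def measure(bit, prep_basis, meas_basis, rng):
    """Ideal measurement: the matching basis returns the encoded bit, the conjugate basis a random bit."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def verify(claimed_basis, claimed_bits, bob_bases, bob_results, max_cross_agreement=0.75):
    """Bob's final check (step 5). Positions he measured in the claimed basis must agree exactly;
    positions he measured in the other basis must look uncorrelated (agreement well below 1)."""
    same = [(c, r) for c, r, bb in zip(claimed_bits, bob_results, bob_bases) if bb == claimed_basis]
    other = [(c, r) for c, r, bb in zip(claimed_bits, bob_results, bob_bases) if bb != claimed_basis]
    if any(c != r for c, r in same):
        return False  # a mismatch in the claimed basis: the revealed string is not what was sent
    if other:
        agreement = sum(c == r for c, r in other) / len(other)
        if agreement > max_cross_agreement:
            return False  # strong correlation in the "wrong" basis is the signature the text describes
    return True


def coin_flip(n, rng, alice_lies=False):
    """One round of the five-step protocol. Returns (verification_passed, bob_wins, alice_lied)."""
    alice_basis = rng.randrange(2)                       # step 1: Alice picks a basis ...
    alice_bits = [rng.randrange(2) for _ in range(n)]    # ... and a random string to encode in it
    bob_bases = [rng.randrange(2) for _ in range(n)]     # step 2: Bob measures each qubit in a random basis
    bob_results = [measure(b, alice_basis, bb, rng) for b, bb in zip(alice_bits, bob_bases)]
    bob_guess = rng.randrange(2)                         # step 3: Bob publicly guesses Alice's basis
    claimed_basis, claimed_bits = alice_basis, alice_bits  # step 4: Alice reveals basis and string
    lied = False
    if alice_lies and bob_guess == alice_basis:
        # Alice denies the correct guess; she does not know Bob's outcomes in the other basis,
        # so the best she can do is guess a string for it.
        lied = True
        claimed_basis = 1 - alice_basis
        claimed_bits = [rng.randrange(2) for _ in range(n)]
    passed = verify(claimed_basis, claimed_bits, bob_bases, bob_results)  # step 5
    return passed, bob_guess == claimed_basis, lied


def detection_stats(seed, alice_lies, n=200, trials=40):
    """Run several rounds with a fixed seed; return (rounds in which Alice lied, rounds rejected by Bob)."""
    rng = random.Random(seed)
    lies = rejected = 0
    for _ in range(trials):
        passed, _, lied = coin_flip(n, rng, alice_lies)
        lies += lied
        rejected += not passed
    return lies, rejected


if __name__ == "__main__":
    print("honest Alice  (lies, rejected):", detection_stats(7, alice_lies=False))
    print("lying Alice   (lies, rejected):", detection_stats(7, alice_lies=True))
```

Every honest round passes, and every round in which Alice lies is rejected: with 200 qubits she must match about 100 unknown outcomes by chance, so the probability of passing is around 2^-100, the exponential decay the text refers to. Lost or misdetected qubits would, as the text notes, weaken the first check, which is why real implementations tolerate a small error budget rather than demanding exact agreement.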
Quantum commitment
When there are distrustful parties involved, quantum commitment methods are used in addition to quantum coin flipping. A commitment scheme allows a party Alice to fix a value (to “commit”) in such a way that Alice cannot change it and the recipient Bob cannot learn anything about it until Alice reveals it. Cryptographic protocols frequently employ such commitment mechanisms (e.g. Quantum coin flipping, Zero-knowledge proof, secure two-party computation, and Oblivious transfer).
They’d be particularly beneficial in a quantum setting: Crépeau and Kilian demonstrated that an unconditionally secure protocol for performing so-called oblivious transfer may be built from a commitment and a quantum channel. Kilian, on the other hand, has demonstrated that oblivious transfer could be used to construct practically any distributed computation in a secure manner (so-called secure multi-party computation). (Notice how we are a little sloppy here: the findings of Crépeau and Kilian do not directly indicate that one can execute secure multi-party computation with a commitment and a quantum channel. This is because the results do not ensure “composability,” which means that when you combine them, you risk losing security.)
Early quantum commitment mechanisms, unfortunately, were shown to be faulty. Mayers demonstrated that (unconditionally safe) quantum commitment is impossible: any quantum commitment protocol can be broken by a computationally limitless attacker.
However, Mayers’ discovery does not rule out the possibility of building quantum commitment protocols (and hence secure multi-party computation protocols) using considerably weaker assumptions than those required for commitment protocols that do not employ quantum communication. A situation in which quantum communication can be utilized to develop commitment protocols is the bounded quantum storage model described below. A discovery in November 2013 provides “unconditional” information security by combining quantum theory and relativity, which has been effectively demonstrated for the first time on a worldwide scale. Wang et al. have presented a new commitment system in which “unconditional hiding” is ideal.
Cryptographic commitments can also be constructed using physically unclonable functions.
Bounded and noisy quantum storage model
The bounded quantum storage model (BQSM) can be used to create unconditionally secure quantum commitment and quantum oblivious transfer (OT) protocols. In this model, it is assumed that an adversary’s quantum data storage capacity is restricted by a known constant Q. However, there is no limit on how much classical (non-quantum) data the adversary can store.
Commitment and oblivious transfer protocols can be built in the BQSM. The fundamental concept is as follows: more than Q quantum bits (qubits) are exchanged between the protocol parties. Because even a dishonest adversary can’t store all of that data (the adversary’s quantum memory is limited to Q qubits), a considerable portion of the data will have to be measured or destroyed. By forcing dishonest parties to measure a considerable portion of the data, the protocol circumvents the impossibility result, allowing commitment and oblivious transfer protocols to be realized.
Damgård, Fehr, Salvail, and Schaffner’s protocols in the BQSM do not assume that honest protocol participants retain any quantum information; the technical requirements are identical to those in quantum key distribution protocols. These protocols can thus be accomplished, at least in theory, with today’s technology. The communication complexity is only a constant factor higher than the bound Q on the adversary’s quantum memory.
The BQSM has the advantage of being realistic in its premise that the adversary’s quantum memory is finite. Even storing a single qubit reliably for a sufficiently long period of time is tough with today’s technology. (The definition of “sufficiently long” is determined by the protocol’s specifics. The amount of time the adversary needs to keep quantum data can be made arbitrarily long by adding an artificial pause in the protocol.)
The noisy-storage model proposed by Wehner, Schaffner, and Terhal is an extension of the BQSM. An opponent is allowed to utilize defective quantum storage devices of any size instead of placing an upper bound on the physical size of the adversary’s quantum memory. Noisy quantum channels are used to model the level of imperfection. The same primitives as in the BQSM may be produced at high enough noise levels, thus the BQSM is a specific case of the noisy-storage model.
Similar findings can be obtained in the classical situation by imposing a limit on the quantity of classical (non-quantum) data that the opponent can store. However, it has been demonstrated that in this model, the honest parties must likewise consume a huge amount of memory (the square-root of the adversary’s memory bound). As a result, these methods are unworkable for real-world memory constraints. (It’s worth noting that, with today’s technology, such as hard disks, an opponent may store enormous volumes of traditional data for a low price.)
Quantum cryptography based on position
The purpose of position-based quantum cryptography is to use a player’s (only) credential: their geographic location. For example, suppose you wish to send a message to a player at a specific location with the assurance that it can only be read if the receiver is actually at that location. The main goal of position verification is for a player, Alice, to persuade the (honest) verifiers that she is at a specific location. Chandran et al. demonstrated that position verification using classical protocols is impossible in the presence of colluding adversaries (who control all positions except the prover’s claimed position). Schemes are possible under various constraints on the adversaries.
Kent investigated the first position-based quantum schemes in 2002 under the moniker ‘quantum tagging.’ In 2006, a US patent was obtained. In 2010, the idea of exploiting quantum effects for location verification was first published in scholarly journals. After several other quantum protocols for position verification were proposed in 2010, Buhrman et al. claimed a general impossibility result: colluding adversaries can always make it appear to the verifiers that they are at the claimed position by using an enormous amount of quantum entanglement (they use a doubly exponential number of EPR pairs in the number of qubits the honest player operates on). However, this result does not rule out the possibility of workable approaches in the bounded- or noisy-quantum-storage model (see above). Beigi and König later improved the general attack against position-verification protocols so that only an exponential (rather than doubly exponential) number of EPR pairs is required. They also demonstrated that a protocol is secure against adversaries who only control a linear number of EPR pairs. It has been suggested that the prospect of formal unconditional location verification using quantum effects remains an unresolved subject due to time-energy coupling. It’s worth noting that research into position-based quantum cryptography has ties to the protocol of port-based quantum teleportation, which is a more advanced variant of quantum teleportation in which multiple EPR pairs are utilized as ports at the same time.
Device independent quantum cryptography
If the security of a quantum cryptography protocol does not rely on the truthfulness of the quantum devices utilized, it is said to be device-independent. As a result, situations of faulty or even hostile devices must be included in the security analysis of such a protocol. Mayers and Yao proposed that quantum protocols be designed using “self-testing” quantum apparatus, whose internal operations may be uniquely identified by their input-output statistics. Following that, Roger Colbeck advocated using Bell tests to assess the gadgets’ honesty in his thesis. Since then, a number of issues have been demonstrated to admit unconditionally safe and device-independent protocols, even when the actual devices performing the Bell test are significantly “noisy,” i.e., far from ideal. Quantum key distribution, randomness expansion, and randomness amplification are examples of these issues.
Theoretical investigations conducted by Arnon-Friedman et al. in 2018 reveal that leveraging an entropy property known as the “Entropy Accumulation Theorem (EAT)”, which is an extension of the Asymptotic Equipartition Property, can guarantee the security of a device-independent protocol.
Post-quantum cryptography
Quantum computers may become a technological reality, so it’s critical to research cryptographic algorithms that can be utilized against enemies who have access to one. Post-quantum cryptography is the term used to describe the study of such methods. Many popular encryption and signature techniques (based on ECC and RSA) can be broken using Shor’s algorithm for factoring and computing discrete logarithms on a quantum computer, necessitating post-quantum cryptography. McEliece and lattice-based schemes, as well as most symmetric-key algorithms, are examples of schemes that are secure against quantum adversaries as of today’s knowledge. Post-quantum cryptography surveys are available.
Existing cryptographic techniques are also being studied to see how they may be updated to deal with quantum adversaries. When it comes to developing zero-knowledge proof systems that are secure against quantum attackers, for example, new strategies are required: in a traditional environment, analyzing a zero-knowledge proof system usually entails “rewinding,” a technique that necessitates copying the adversary’s internal state. Because copying a state in a quantum context is not always possible (no-cloning theorem), a new rewinding technique is required.
Post-quantum algorithms are sometimes known as “quantum resistant” because, unlike quantum key distribution, it is neither known nor provable that future quantum attacks will not be successful. The NSA has announced intentions to migrate to quantum-resistant algorithms, which are not subject to Shor’s algorithm. The National Institute of Standards and Technology (NIST) feels that quantum-safe primitives should be considered.
Quantum cryptography beyond quantum key distribution
Quantum cryptography has been associated with the development of quantum key distribution protocols up to this point. Unfortunately, due to the requirement for the establishment and manipulation of multiple pairwise secret keys, symmetric cryptosystems with keys distributed via quantum key distribution become inefficient for large networks (many users) (the so-called “key-management problem”). Furthermore, this distribution does not handle a wide range of additional cryptographic processes and services that are critical in everyday life. Unlike quantum key distribution, which incorporates classical algorithms for the cryptographic transformation, Kak’s three-stage protocol has been presented as a way of secure communication that is fully quantum.
Beyond key distribution, quantum cryptography research includes quantum message authentication, quantum digital signatures, quantum one-way functions and public-key encryption, quantum fingerprinting and entity authentication (for example, see Quantum readout of PUFs), and so on.
Practical implementations
Quantum cryptography appears to be a successful turning point in the information security sector, at least in principle. No cryptographic method, however, can ever be completely secure. Quantum cryptography is only conditionally secure in practice, relying on a set of key assumptions.
Assumption of a single-photon source
A single-photon source is assumed in the theoretical underpinning of quantum key distribution. Single-photon sources, however, are difficult to build, and most real-world quantum cryptography systems rely on weak (attenuated) laser sources to convey data. Eavesdropper attacks, particularly photon-number-splitting attacks, can take advantage of these multi-photon sources. An eavesdropper, Eve, can split a multi-photon pulse, keeping one photon for herself. The remaining photons are subsequently sent to Bob, with no indication that Eve has collected a copy of the data. Scientists claim that utilizing decoy states to test for the presence of an eavesdropper can keep a multi-photon source secure. Scientists did, however, produce a near-perfect single-photon source in 2016, and they believe that one will be developed in the near future.
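The decoy-state check mentioned above, as an added example that is not code from the certification materials or from any vendor system. A weak laser emits pulses whose photon number is Poisson-distributed with mean intensity μ; a decoy state is the same source at a different intensity ν. Because the channel (and any eavesdropper) cannot tell a signal pulse from a decoy pulse of the same photon number, the per-photon-number yields Y_n must be the same for both, and Bob can derive a lower bound on the single-photon yield Y_1 from the two observed gains (the one-decoy bound of Ma et al., 2005, assumed here with zero dark counts). The block computes the expected gains deterministically for an honest lossy channel and for a channel whose single-photon pulses are blocked and multi-photon pulses are forwarded losslessly (the splitting behaviour the text describes), and shows that the bound on Y_1 collapses in the second case. The intensities μ = 0.5, ν = 0.1, the transmittance η = 0.1 and the 50% tolerance are constructed parameters.

```python
import math


def poisson_pmf(n, mean):
    """Probability that a weak coherent pulse of mean intensity `mean` contains exactly n photons."""
    return math.exp(-mean) * mean ** n / math.factorial(n)


def gain(mean, yield_fn, n_max=40):
    """Overall detection probability Q_mean = sum_n P(n | mean) * Y_n (Poisson tail beyond n_max is negligible)."""
    return sum(poisson_pmf(n, mean) * yield_fn(n) for n in range(n_max + 1))


def honest_yield(eta):
    """Lossy channel with transmittance eta: a pulse is detected if at least one of its n photons arrives."""
    return lambda n: 1.0 - (1.0 - eta) ** n


def splitting_yield(n):
    """Channel behaviour under photon-number splitting as described in the text: single-photon pulses
    are absorbed, pulses with two or more photons reach Bob with certainty after one photon is removed."""
    return 1.0 if n >= 2 else 0.0


def single_photon_yield_bound(q_mu, q_nu, mu, nu, y0=0.0):
    """Lower bound on Y_1 from the signal gain Q_mu and the weaker decoy gain Q_nu (nu < mu), Ma et al. 2005."""
    bound = mu / (mu * nu - nu ** 2) * (
        q_nu * math.exp(nu)
        - q_mu * math.exp(mu) * nu ** 2 / mu ** 2
        - (mu ** 2 - nu ** 2) / mu ** 2 * y0
    )
    return max(0.0, bound)  # a negative bound carries no information; clamp at zero


def decoy_check(yield_fn, mu=0.5, nu=0.1, eta=0.1, tolerance=0.5):
    """Bob's consistency test. Returns (Y_1 lower bound, True if it is at least tolerance * expected Y_1).

    For an honest channel Y_1 should be close to eta; a bound far below that means single-photon
    pulses are disappearing while multi-photon pulses are not, so the run must be aborted.
    """
    q_mu = gain(mu, yield_fn)
    q_nu = gain(nu, yield_fn)
    y1_bound = single_photon_yield_bound(q_mu, q_nu, mu, nu)
    return y1_bound, y1_bound >= tolerance * eta


if __name__ == "__main__":
    eta = 0.1
    print("honest channel:   Y_1 bound = %.4f, accept = %s" % decoy_check(honest_yield(eta), eta=eta))
    print("photon splitting: Y_1 bound = %.4f, accept = %s" % decoy_check(splitting_yield, eta=eta))
```

For the honest channel the bound comes out just under the true single-photon yield η = 0.1 (about 0.097), so the run is accepted; for the splitting channel the derived bound is negative and clamps to zero, which no tolerance setting accepts. In deployed systems the gains are measured with finite statistics and dark counts, so `y0` and confidence intervals on `q_mu` and `q_nu` replace the exact values used here.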
Assumption of identical detector efficiency
In practice, quantum key distribution systems use two single-photon detectors, one for Alice and one for Bob. These photodetectors are calibrated to detect an incoming photon within a millisecond interval. The detection windows of the two detectors will be displaced by a finite amount due to manufacturing variances between them. By measuring Alice’s qubit and delivering a “faked state” to Bob, an eavesdropper named Eve can take advantage of the detectors’ efficiency mismatch. Eve collects the photon Alice sent before generating a new photon to deliver to Bob. Eve tampers with the phase and timing of the “faked” photon in such a way that Bob is unable to detect an eavesdropper. The only way to eliminate this vulnerability is to eliminate the photodetector efficiency discrepancies, which is challenging due to finite manufacturing tolerances that produce optical path length disparities, wire length differences, and other problems.
The EITC/IS/QCF Quantum Cryptography Fundamentals Certification Curriculum references open-access didactic materials in video form. The learning process is divided into a step-by-step structure (programmes -> lessons -> topics) covering the relevant curriculum parts. Unlimited consultancy with domain experts is also provided.
For details on the Certification procedure check How it Works.
Download the complete offline self-learning preparatory materials for the EITC/IS/QCF Quantum Cryptography Fundamentals programme as a PDF file:
EITC/IS/QCF preparatory materials – standard version
EITC/IS/QCF preparatory materials – extended version with review questions