Quantum Diffie-Hellman key exchange

TL;DR

This work proposes a quantum Diffie-Hellman (QDH) key-exchange protocol that replaces the classical discrete-log one-way function with a quantum one-way function realized by encoding private keys into symmetric coherent states. The protocol relies on phase-encoded coherent states |ψ_x⟩ with a phase-rotation unitary 𝕌 to induce commutativity and a shared k_j = a_j ⊕ b_j, followed by random bit encoding s_j via 𝕌^{s_j N/2} and interference-based extraction of the classical key; security is analyzed under minimum-error discrimination and photon-number-splitting attacks, with a derived secret-key length bound. The key finding is that, for μ ≲ 0.02 and sufficiently large N, the map x ↦ |ψ_x⟩ behaves as a QOWF, rendering Eve's information about s_j negligible while her attacks introduce detectable errors, thereby enabling privacy amplification. The paper discusses practical considerations, compares QDH to twin-field QKD, and concludes that experimental realization is feasible with current technology, provided phase-stabilization and timing synchronization are managed.

Abstract

The Diffie-Hellman key exchange plays a crucial role in conventional cryptography, as it allows two legitimate users to establish a common, usually ephemeral, secret key. Its security relies on the discrete-logarithm problem, which is considered to be a mathematical one-way function, while the final key is formed by random independent actions of the two users. In the present work we investigate the extension of Diffie-Hellman key exchange to the quantum setting, where the two legitimate users exchange independent random quantum states. The proposed protocol relies on the bijective mapping of integers onto a set of symmetric coherent states, and we investigate the regime of parameters for which the map behaves as a quantum one-way function. Its security is analyzed in the framework of minimum-error-discrimination and photon-number-splitting attacks, while its performance and the challenges in a possible realization are also discussed.

Figures (7)

• Figure 1: (Color online) The relative difference (\ref{['qowf_cond2']}), as a function of the number of symmetric coherent states $N$, for three different values of the mean number of photons $\mu$. The minimum-error probability is obtained for the square-root measurement, as described in the text. The dashed horizontal line marks the region (orange area) where $D\leq \epsilon$ for $\epsilon = 2\times 10^{-2}$. The vertical arrows point at the value of $N$, above which the curve for a given $\mu$ enters the area of $D\leq \epsilon$, and the map $x\mapsto|\psi_x\rangle$ is considered to be close to an ideal QOWF.
• Figure 2: (Color online) Conditional probability $P(y|x)$ as a function of $y\in\mathbb{Z}_{30}$, for $x=0$, and various values of $\mu$.
• Figure 3: (Color online) Schematic representation of the quantum Diffie-Hellman key-exchange scheme under consideration.
• Figure 4: (Color online) The marginal probabilities $P(\textrm{cor})$ (black disks), $P(\textrm{inc})$ (blue diamonds) and $P(\textrm{err})$ (red squares), are plotted as functions of the propagation length $L$, for $\mu = 0.02$, before (a), and after (b) the rejection of the data pertaining to inconclusive outcomes. Other parameters: $\alpha = 0.2 {\rm dB/km}$, $\eta_{\rm d} = 0.5$, ${\cal D} = 10^{-3} {\rm rad}^2{\rm km}^{-1}$.
• Figure 5: (Color online) (a) Conditional probability $P(\tilde{s}|s)$ for the eavesdropper to obtain $\tilde{s}$ given the actual bit value $s$, following the attack discussed in the main text, and relies on minimum-error-discrimination measurements. Parameters: (a) $\mu = 0.01$, $N=20$. (b) $\mu = 0.02$, $N=20$. (c) $\mu = 0.05$, $N=20$. (b) $\mu = 0.1$, $N=20$. The adversary has a perfect channel $\eta = 1$, and perfect detectors $\eta_{\rm d} = 1$.

Theorems & Definitions (1)

• Definition 1