Table of Contents
Fetching ...

Authentication in Security Proofs for Quantum Key Distribution

Devashish Tupkary, Shlok Nahar, Ernest Y. -Z. Tan

TL;DR

The paper addresses a fundamental gap in QKD security proofs arising from practical authenticated channels that may abort asymmetrically and tamper with timing. It introduces a general reduction that lifts any QKD security proof validated under honest authentication to the realistic setting by appending an Authentication Post-Processing (APP) step, and it also analyzes a Delayed Authentication variant (del-APP) to reduce authentication-key consumption. The core idea is to show that the real-world protocol’s security can be bounded by the security of the core QKD protocol in the honest-authentication model, via a sequence of reductions, commutations with an ideal map, and a virtual authentication framework. This formalization is broad enough to apply to device-dependent, MDI, and device-independent QKD, and it enables retroactive lifting of prior proofs (e.g., decoy-state BB84) to practical authentication scenarios, with potential composable-security integration in future work. Overall, the work provides a general, protocol-agnostic pathway to reconcile QKD security with realistic authentication assumptions and offers practical variants to optimize authentication resource usage.

Abstract

Quantum Key Distribution (QKD) protocols rely on authenticated classical communication. Typical QKD security proofs are carried out in an idealized setting where authentication is assumed to behave honestly: it never aborts, and all classical messages are delivered faithfully with their original timing preserved. Authenticated channels that can be constructed in practice have different properties. Most critically, such channels may abort asymmetrically, such that only the receiving party may detect an authentication failure while the sending party remains unaware. Furthermore, an adversary may delay, reorder, or block classical messages. This discrepancy renders the standard QKD security definition and existing QKD security proofs invalid in the practical authentication setting. In this work we resolve this issue. Our main result is a reduction theorem showing that, under mild and easily satisfied protocol conditions, any QKD protocol proven secure under the honest authentication setting remains secure under a practical authentication setting. This result allows all existing QKD proofs to be retroactively lifted to the practical authentication setting with a minor protocol tweak.

Authentication in Security Proofs for Quantum Key Distribution

TL;DR

The paper addresses a fundamental gap in QKD security proofs arising from practical authenticated channels that may abort asymmetrically and tamper with timing. It introduces a general reduction that lifts any QKD security proof validated under honest authentication to the realistic setting by appending an Authentication Post-Processing (APP) step, and it also analyzes a Delayed Authentication variant (del-APP) to reduce authentication-key consumption. The core idea is to show that the real-world protocol’s security can be bounded by the security of the core QKD protocol in the honest-authentication model, via a sequence of reductions, commutations with an ideal map, and a virtual authentication framework. This formalization is broad enough to apply to device-dependent, MDI, and device-independent QKD, and it enables retroactive lifting of prior proofs (e.g., decoy-state BB84) to practical authentication scenarios, with potential composable-security integration in future work. Overall, the work provides a general, protocol-agnostic pathway to reconcile QKD security with realistic authentication assumptions and offers practical variants to optimize authentication resource usage.

Abstract

Quantum Key Distribution (QKD) protocols rely on authenticated classical communication. Typical QKD security proofs are carried out in an idealized setting where authentication is assumed to behave honestly: it never aborts, and all classical messages are delivered faithfully with their original timing preserved. Authenticated channels that can be constructed in practice have different properties. Most critically, such channels may abort asymmetrically, such that only the receiving party may detect an authentication failure while the sending party remains unaware. Furthermore, an adversary may delay, reorder, or block classical messages. This discrepancy renders the standard QKD security definition and existing QKD security proofs invalid in the practical authentication setting. In this work we resolve this issue. Our main result is a reduction theorem showing that, under mild and easily satisfied protocol conditions, any QKD protocol proven secure under the honest authentication setting remains secure under a practical authentication setting. This result allows all existing QKD proofs to be retroactively lifted to the practical authentication setting with a minor protocol tweak.
Paper Structure (18 sections, 16 theorems, 53 equations, 5 figures)

This paper contains 18 sections, 16 theorems, 53 equations, 5 figures.

Key Result

Theorem 2.1

Let $\widetilde{\mathcal{P}}_\mathrm{QKD}$ be an arbitrary QKD protocol. Let $\mathcal{P}_\mathrm{APP}$ be the prot:authpp described in subsec:APPprotocol, executed after the core QKD protocol $\widetilde{\mathcal{P}}_\mathrm{QKD}$. Let $\mathcal{P}_\mathrm{QKD} = \mathcal{P}_\mathrm{APP} \circ \wid

Figures (5)

  • Figure 1: The practical authenticated classical communication model used in this work. Messages pass through Eve, who may delay, drop, or substitute them with $\texttt{auth-abort}\xspace$, subject to the constraints described in \ref{['subsec:classicalcommunicationsmodel']}. Time flows from top to bottom in the figure, which illustrates an example scenario: in earlier parts of the protocol (not shown in the figure), 4 messages have been sent from Alice to Bob, and 13 messages from Bob to Alice. Eve does not interfere with Alice’s 5th message to Bob. However, she chooses to delay Bob’s 14th message. (Presumably, Alice does not send a new message during this period because she is waiting to receive one.) During the delay, Eve receives Bob’s 15th message and also delivers the 6th message to Bob. According to our communication model, this implies that $C^{(6)}_{E \rightarrow B}$ must be $\texttt{auth-abort}\xspace$, since it was received before Alice sent her $6$th message.
  • Figure 2: Schematic of \ref{['prot:authpp']} described in \ref{['subsec:APPprotocol']}. Alice and Bob first update their key registers based on whether they received an $\texttt{auth-abort}\xspace$ in any of the prior communication. They then communicate their tentatively $\texttt{accept}\xspace$ / $\texttt{abort}\xspace$ decisions. They then perform a final update operation on their key registers depending on their final $\texttt{accept}\xspace$ / $\texttt{abort}\xspace$ decision.
  • Figure 3: A diagram illustrating transformations between real and ideal states evolving through the \ref{['prot:authpp']}. The '$?$' indicates the transformations that must be shown to be true in \ref{['lemma:commutationidealauth']}. The states go through the map $\mathcal{E}^\mathrm{repl}_\mathrm{auth} \in \operatorname{CPTP}(K_A K_B \bm{C_\mathrm{fin}}, K_A K_B \bm{C_\mathrm{fin}})$ that replaces the key registers depending on $\bm{C_\mathrm{fin}}$. They then go through some communication steps given by $\mathcal{E}_\mathrm{comm} \in \operatorname{CPTP}(K_A K_B \bm{E_\mathrm{fin}}, K_A K_B \bm{E^\prime_{\mathrm{fin}}} \bm{C_\mathrm{auth}})$ (influenced by Eve). Finally, Alice and Bob perform the final updates to their key registers described by $\mathcal{E}_\mathrm{update} \in \operatorname{CPTP}(K_A K_B \bm{C_\mathrm{auth}}, K_A K_B \bm{C_\mathrm{auth}})$.
  • Figure 4: For every operation that Eve performs in the virtual authentication setting, one can construct an equivalent operation in the honest authentication setting, where Eve creates a copy of each sent message and performs her original operation on this copy. She does not forward the result of her attack on the copy to the receiver; instead, she forwards the original, unmodified message to the receiving party.
  • Figure 5: Schematic of \ref{['prot:delauthpp']} described in \ref{['subsec:delAPPprotocol']}. Alice and Bob first communicate and verify transcripts. If transcripts matches, they accept the protocol. Else, they abort the protocol and replace their key registers with $\bot$s.

Theorems & Definitions (36)

  • Remark 1.1
  • Definition 2.1: QKD Security with asymmetric aborts ferradini2025definingsecurityquantumkey
  • Remark 2.1
  • Remark 2.2
  • Theorem 2.1: Reduction of QKD security analysis to the honest authentication setting
  • Remark 2.3
  • Lemma 3.1
  • proof
  • Lemma 3.2: Commutation of $\mathcal{R}_\mathrm{ideal}$ and \ref{['prot:authpp']}
  • proof
  • ...and 26 more