The Manipulate-and-Observe Attack on Quantum Key Distribution

William Tighe, George Brumpton, Mark Carney, Benjamin T. H. Varcoe

Abstract

Quantum key distribution is often regarded as an unconditionally secure method to exchange a secret key by harnessing fundamental aspects of quantum mechanics. Despite the robustness of key exchange, classical post-processing reveals vulnerabilities that an eavesdropper could target. In particular, many reconciliation protocols correct errors by comparing the parities of subsets between both parties. These communications occur over insecure channels, leaking information that an eavesdropper could exploit. Currently there is no holistic threat model that addresses how parity-leakage during reconciliation might be actively manipulated. In this paper we introduce a new form of attack, namely the Manipulate-and-Observe attack in which the adversary (1) partially intercepts a fraction $ρ$ of the qubits during key exchange, injecting the maximally tolerated amount of errors up to the 11 percent error threshold whilst remaining undetected and (2) probes the maximum amount of parity-leakage during reconciliation, and exploits it using a vectorised, parallel brute force filter to shrink the search space from $2^n$ down to as few as a single candidate, for an $n$-bit reconciled key. We perform simulations of the attack, deploying it on the most widely used protocol, BB84, and the benchmark reconciliation protocol, Cascade. Our simulation results demonstrate that the attack can significantly reduce the security below the theoretical bound and, in the worst case, fully recover the reconciled key material. The principles of the attack could threaten other parity-based reconciliation schemes, like Low Density Parity Check, which underscores the need for urgent consideration of the combined security of key exchange and post-processing.

Paper Structure

This paper contains 15 sections, 8 equations, 10 figures, 10 tables.

Figures (10)

  • Figure 1: Threat model diagram of the Manipulate-and-Observe Attack, which exploits the non-extensible security of BB84 and Cascade. For completeness, security proofs of BB84 are given in [bennettQuantumCryptographyPublic2014, gottesmanProofSecurityQuantum2003, loUnconditionalSecurityQuantum1999, koashiSimpleSecurityProof2009, xuSecureQuantumKey2020, shorSimpleProofSecurity2000, Senekane18, lutkenhausEstimatesPracticalQuantum1999] and security analyses of Cascade are given in [mehicErrorReconciliationQuantum2020, calverEmpiricalAnalysisCascade2011, brassardSecretKeyReconciliationPublic1994, mullerPerformanceCascadeLDPCcodes2024, martinez-mateoDemystifyingInformationReconciliation2014, PDFCrackingCurious2024, pedersenHighPerformanceInformation2013]. The attack is split into two phases: the active phase (manipulate) and the passive phase (observe). The active phase consists of a partial intercept-resend attack on BB84, where a fraction of the raw key is 'eavesdropped' using an intercept-resend attack. The aim here is to obtain some initial knowledge of the raw key material while only injecting up to the maximum tolerated number of errors up to the 11% error threshold and thereby remaining undetected. This has the added advantage of inserting new errors into the raw key material in known places. We can then probe Cascade to leak additional information over public channels, which is observed in the passive phase of the attack. We combine the information gained from both phases of the attack to filter the search space of possible reconciled keys.
  • Figure 2: Diagram of Cascade using two passes to reconcile three errors. During Pass 1, Alice and Bob split their sifted keys into blocks and compare parities. In this example, the parity mismatches in the final block. A search algorithm ('Binary') is run on the final block to locate and correct an error. The parities of the first half of the blocks are compared, revealing another mismatch. The previous step is repeated until the error is located and corrected. During Pass 2, the bits are shuffled to distribute the errors throughout the sifted key material evenly. The block size is doubled, and Binary is applied to the first block due to a parity mismatch. For every pass i>1, whenever an error is corrected, a look-back sub-protocol is activated to correct paired errors that were masked in previous passes. In this example, look-back finds a paired error in the first pass.
  • Figure 3: Diagram of brute force reconciled key filtering using the parity conditions leaked by a single Cascade pass. The parities of the first block are compared, revealing that Alice’s first block has a parity of 0 and must contain an even number of 1s. As the parities of the first block match, Cascade continues to the second block, where the process repeats. This time, the parity of Alice’s first block is 1, so the block must have an odd number of 1s. Alice’s and Bob’s parities for the second block disagree, so Binary is executed, revealing additional parities of the sub-blocks until Alice and Bob locate and correct the error. Each parity check made by Alice and Bob during this first pass halves Eve’s search space.
  • Figure 4: Diagram of brute force reconciled key filtering using the parity conditions leaked by two Cascade passes. During the first pass, Binary is applied to correct a single error in each block, revealing parity information. Two errors are masked in the final block. Eve observes the leaked parity information and narrows down her search space to $S_{\text{pass 1}}=2^{4}$. During the second pass, the bits are shuffled, and in this case, the masked errors (bits 14 and 15) are distributed across different blocks. Binary is triggered on the first block, corrects bit 14 and leaks additional information. As before, Eve exploits the leaked information to reduce her search space. When Eve uncovers bits in pass 2, it reveals bits in other locations, as these bit pairs are constrained by the parity conditions leaked in pass 1. In this example, Eve has reduced her search space to a single candidate after pass 2, and the information leaked by the look-back sub-protocol is redundant.
  • Figure 5: Diagram of the passive phase of the Manipulate-and-Observe Attack. a) Eve stores the leaked information from Cascade/Binary. b) Eve determines the initial block size $k_1$ and assesses whether a remainder block is required. c) Eve divides her initial key prior to reconciliation into blocks of size $k_1$. d) Eve loads an array that contains all the possible $k_1$ bit blocks and their corresponding parity blocks. e) In parallel, an array of valid blocks is determined for each block index in pass 1 using the vectorised block search. f) Each array of valid blocks is combined to form an array of valid keys for pass 1. g) The array of pass 1 valid keys is split into chunks. h) Brute force is used to filter the pass 1 valid keys in each chunk in parallel. i) The valid keys in each processed chunk are recombined. The remaining valid keys satisfy all constraints imposed by Cascade (and any prior eavesdropping results). If there is one valid key remaining, then Eve has obtained Alice’s and Bob’s reconciled key.
  • ...and 5 more figures
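
The leakage accounting behind the Figure 3 and Figure 4 captions, as an added example that is not code from the paper: it runs one Cascade pass with Binary on a constructed 8-bit key pair, records every parity announced publicly, and computes how many of those parities are linearly independent over GF(2). That rank is the number of key bits actually leaked, so the remaining search space is $2^{n-\text{rank}}$, and it is the figure to budget for in privacy amplification. The function names, the block size and the sample keys are assumptions made for this illustration.

```python
from itertools import product

def parity(bits, idx):
    return sum(bits[i] for i in idx) % 2

def cascade_pass(alice, bob, k):
    """One Cascade pass with block size k. Corrects bob in place and returns
    every (indices, Alice's parity) pair announced on the public channel."""
    leaked = []
    for start in range(0, len(alice), k):
        lo, hi = start, min(start + k, len(alice))
        block = tuple(range(lo, hi))
        leaked.append((block, parity(alice, block)))
        if parity(alice, block) == parity(bob, block):
            continue                      # parities agree: no Binary on this block
        while hi - lo > 1:                # Binary: bisect the block holding the error
            mid = (lo + hi) // 2
            left = tuple(range(lo, mid))
            leaked.append((left, parity(alice, left)))
            if parity(alice, left) != parity(bob, left):
                hi = mid
            else:
                lo = mid
        bob[lo] ^= 1                      # the located error is corrected
    return leaked

def gf2_rank(index_sets):
    """Rank over GF(2) of the parity constraints = bits of key information leaked."""
    basis, rank = {}, 0
    for idx in index_sets:
        v = sum(1 << i for i in idx)      # constraint as a bitmask over key positions
        while v:
            top = v.bit_length() - 1
            if top not in basis:
                basis[top] = v
                rank += 1
                break
            v ^= basis[top]               # reduce against the existing basis
    return rank

def consistent_keys(n, leaked):
    """Exhaustive cross-check for small n: keys matching every leaked parity."""
    return [c for c in product((0, 1), repeat=n)
            if all(parity(c, idx) == p for idx, p in leaked)]

# Constructed sample: 8-bit sifted keys with one channel error at bit 6.
ALICE = [0, 1, 1, 0, 1, 0, 1, 1]
BOB = [0, 1, 1, 0, 1, 0, 0, 1]
```

A parity that is already implied by earlier announcements, such as that of bits (6, 7) in this sample, leaves the rank unchanged, which is the sense in which the Figure 4 caption calls the look-back leakage redundant.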