<?xml version="1.0" encoding="utf-8"?>
<!-- 
     draft-rfcxml-general-template-standard-00
  
     This template includes examples of the most commonly used features of RFCXML with comments 
     explaining how to customise them. This template can be quickly turned into an I-D by editing 
     the examples provided. Look for [REPLACE], [REPLACE/DELETE], [CHECK] and edit accordingly.
     Note - 'DELETE' means delete the element or attribute, not just the contents.
     
     Documentation is at https://authors.ietf.org/en/templates-and-schemas
-->
<?xml-model href="rfc7991bis.rnc"?>  <!-- Required for schema validation and schema-aware editing -->
<!-- <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> -->
<!-- This third-party XSLT can be enabled for direct transformations in XML processors, including most browsers -->


<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<!-- If further character entities are required then they should be added to the DOCTYPE above.
     Use of an external entity file is not recommended. -->

<rfc
  xmlns:xi="http://www.w3.org/2001/XInclude"
  category="info"
  docName="draft-licalsi-quantum-crypto-difficulty-00"
  ipr="trust200902"
  obsoletes=""
  updates=""
  submissionType="IETF"
  xml:lang="en"
  version="3">
<!-- [REPLACE] 
       * docName with name of your draft
     [CHECK] 
       * category should be one of std, bcp, info, exp, historic
       * ipr should be one of trust200902, noModificationTrust200902, noDerivativesTrust200902, pre5378Trust200902
       * updates can be an RFC number as NNNN
       * obsoletes can be an RFC number as NNNN 
-->

  <front>
    <title abbrev="Quantum crypto difficulty">On the difficulty of Quantum Cryptography in presence of packet losses</title>
    <seriesInfo name="Internet-Draft" value="draft-licalsi-quantum-crypto-difficulty-00"/>
   
    <author fullname="Davide Li Calsi" initials="D." surname="Li Calsi"> 
      <!-- [CHECK]
             * initials should not include an initial for the surname
             * role="editor" is optional -->
    <!-- Can have more than one author -->
      
    <!-- all of the following elements are optional -->
      <organization>TQSD Technische Universität München</organization>
      <address>
        <postal>
          <!-- Reorder these if your country does things differently -->
          <street>Theresienstraße 90</street>
          <city>Munich</city>
          <code>80333</code>
          <country>Germany</country>
          <!-- Uses two letter country code -->
        </postal>         
        <email>davide.li-calsi@tum.de</email>  
        <!-- Can have more than one <email> element --> 
      </address>
    </author>

    <author fullname="Paul Kohl" initials="P." surname="Kohl"> 
      <!-- [CHECK]
             * initials should not include an initial for the surname
             * role="editor" is optional -->
    <!-- Can have more than one author -->
      
    <!-- all of the following elements are optional -->
      <organization>TQSD Technische Universität München</organization>
      <address>
        <postal>
          <!-- Reorder these if your country does things differently -->
          <street>Theresienstraße 90</street>
          <city>Munich</city>
          <code>80333</code>
          <country>Germany</country>
          <!-- Uses two letter country code -->
        </postal>         
        <email>paul.kohl@tum.de</email>  
        <!-- Can have more than one <email> element --> 
      </address>
    </author>
   
    <author fullname="JinHyeock Choi" initials="JH." surname="Choi">  
      <organization>TQSD Technische Universität München</organization>
      <address>
        <postal>
          <!-- Reorder these if your country does things differently -->
          <street>Theresienstraße 90</street>
          <city>Munich</city>
          <code>80333</code>
          <country>Germany</country>
          <!-- Uses two letter country code -->
        </postal>         
        <email>jin.choi@tum.de</email>  
        <!-- Can have more than one <email> element --> 
      </address>
    </author>

    <author fullname="Janis Nötzel" initials="J." surname="Nötzel">  
      <organization>TQSD Technische Universität München</organization>
      <address>
        <postal>
          <!-- Reorder these if your country does things differently -->
          <street>Theresienstraße 90</street>
          <city>Munich</city>
          <code>80333</code>
          <country>Germany</country>
          <!-- Uses two letter country code -->
        </postal>         
        <email>janis.noetzel@tum.de</email>  
        <!-- Can have more than one <email> element --> 
      </address>
    </author>
   
    <date year="2023"/>
    <!-- On draft submission:
         * If only the current year is specified, the current day and month will be used.
         * If the month and year are both specified and are the current ones, the current day will
           be used
         * If the year is not the current one, it is necessary to specify at least a month and day="1" will be used.
    -->

    <area>General</area>
    <workgroup>Quantum Internet Research Group</workgroup>
    <!-- "Internet Engineering Task Force" is fine for individual submissions.  If this element is 
          not present, the default is "Network Working Group", which is used by the RFC Editor as 
          a nod to the history of the RFC Series. -->

    <keyword>keyword</keyword>
    <!-- [REPLACE/DELETE]. Multiple allowed.  Keywords are incorporated into HTML output files for 
         use by search engines. -->

    <abstract>
<t>
From a communication viewpoint, a quantum state, i.e., a qubit, is different
from a classical bit. A qubit may be transmitted directly, but it can’t
be cloned or measured without alteration, so the existing copy-and-resend
scheme can’t be used to handle a transmission failure.
Moreover, in some cases the sender does not know the state of the
qubit, and sometimes nobody does, so a qubit loss may cause irrevocable damage. This draft
presents the causes of transmission failures and analyses the
vulnerabilities that such failures may introduce in several cryptographic
protocols. Thus, quantum teleportation is highly recommended
for certain applications.
</t>
    </abstract>
 
  </front>

  <middle>
    
    <section>
      <name>Introduction</name>
      <t>Despite efforts to mitigate them, real
networks are subject to packet losses. The problem is still
present in classical communication, where it causes disturbances
that require re-transmissions
to mitigate. The problem is a consequence of several phenomena 
such as network congestion, 
strong noise in channels, and finite-length message queues. 
Quantum communication is much more sensitive to noise than classical
communication due to the physical nature of the communication medium. 
Because of that, it is reasonable to
assume that data losses will eventually occur in real quantum communication systems. 
While classically this is often regarded as a threat to communication performance,
in quantum communications it also threatens the security
of some protocols. In fact, several quantum cryptography
protocols base their security on the fact that attackers
can only access a single copy of some quantum state and
cannot clone quantum information. For instance, 
the majority of QKD protocols are provably secure because it is
assumed that Alice and Bob exchange qubits once and no
retransmission is needed, although some qubits might be
lost. If we drop these assumptions, the security of such
protocols is threatened, although to varying degrees.
While some protocols can tolerate replicas of quantum
states, others suffer much more from these attacks and
could potentially be broken. The threat is a consequence
of the fact that losses and malicious eavesdropping
are fundamentally indistinguishable. In fact, when some
packet is lost in classical networks it is impossible to tell
whether that happened due to innocent errors or due to
malicious agents. The same applies to losses of quantum
messages, but the consequences are very different. In fact,
classical cryptography is agnostic to how many copies of
some message the attacker can access; that is, possessing
m copies of some message will not help the attacker at
all. Quantum protocols that rely on the attacker holding a single,
unclonable copy of a state do not share this property.
In the following we consider three cryptographic
primitives, namely public-key encryption, authentication
and key distribution, that use quantum states to defend
against attackers. We show attacks based on the presence 
of data losses that threaten their validity, and describe
possible mitigations. For each primitive we also present
notable examples of published proposals that are vulnerable to our attack.
</t>
    </section>

    <section>
      <name>Problems of direct transmission</name>

      <section>
        <name>Quantum information limit</name>
<t>
A quantum state, i.e., a qubit, may be directly transmitted 
by encoding it into a physical medium, e.g., a photon, 
and sending it over a quantum channel, e.g., a fiber. 
However, a qubit is more vulnerable to a link failure than a classical bit, 
so direct transmission may cause serious, even irrevocable, problems.
</t>
<t> 
The quantum state of a qubit is fragile under environmental interference, so a link failure is more likely. 
Also, a qubit is governed by the laws of quantum mechanics, 
such as the quantum measurement postulate and the no-cloning theorem, 
which entail the severe constraint that it’s impossible 
to read or copy an unknown quantum state without altering it. 
Hence, classical recovery mechanisms such as copy and retransmission 
are difficult to apply.
</t>
<t>
In some quantum applications, e.g., BB84 QKD <xref target="Bennett"/>,
a sender may know the state of the qubit to send, 
so, in case of a link failure, it can prepare and resend the same state. 
However, for some applications, this is not possible. 
For example, a bank may issue quantum money <xref target="Wiesner"/> to a user. 
If the user sends the quantum money to the bank via direct transmission, 
it’s lost in the presence of a link failure, 
because the user has no idea of the state of the quantum money.
</t>
<t>
Moreover, for some applications, nobody knows the exact quantum state. 
For example, a bank may use a Quantum Physically Unclonable Function (QPUF) 
to produce a quantum token
<xref target="Nikolopoulos2"/>, <xref target="Galetsky"/>. 
Then even the bank doesn’t know the state of the quantum token. 
This feature helps to prevent malicious cloning 
but if the quantum token is lost during a direct transmission, 
it’s lost forever and can’t be recovered.
</t>
<t>
Even when a retransmission is possible, it may result in a security vulnerability. 
Quantum cryptography relies on the property that a qubit can’t be copied. 
However, retransmission may allow a malicious node to acquire a copy of the state. 
For example, the Quantum Public Key scheme <xref target="Nikolopoulos1"/> 
assumes that only a limited number of public keys are distributed. 
An attacker may falsely claim a link failure and acquire another copy of the public key 
to gain information about the matching private key.
</t>
      </section> 

      <section>
        <name>Transmission limit</name>
        <t>
        Transmission is limited by different phenomena in the real world. 
        We will focus on fibre optical networks here, as they are widely employed commercially.
        </t>
        <t>
        There are different mechanisms of loss which can occur in optical fibres, resulting in insertion loss, e.g. 
        intrinsic absorption/scattering,
        dispersion,
        absorption due to splicing/connections,
        radiation-induced attenuation, and
        micro- and macrobends.
        Additionally, there is return loss caused by reflection of the signal at material interfaces. 
        Polarisation can be another source of losses, as polarisation is not necessarily (perfectly) maintained in 
        transmission, and the source and receiver may also have a polarisation dependence.
        </t>
        <t>
        In theory one could use a single fibre to connect two endpoints avoiding splicing and connections and also use 
        perfectly straight fibre, resulting in no loss due to bends.
        Additionally radiation induced attenuation due to cosmic radiation and the like cannot be easily quantified. 
        Thus we will focus here on intrinsic absorption, dispersion and polarisation as they are more independent from 
        a specific implementation.
        </t>
        <section>
          <name>Absorption due to Material Choice</name>
          <t>
            Optical fibres exhibit losses when light is transmitted through them like any other material. 
            Obviously optical fibres are engineered in a way, s.t. losses of light are minimised, but some absorption is 
            intrinsic. If one looks at the intrinsic properties of the fibres it is evident which wavelengths are 
            advantageous. These wavelengths are often employed in telecommunication applications. Generally fibre optical
            networks use silica (SiO2) fibres with very little attenuation in the infrared (IR) range. The light with 
            wavelengths from 600 nm to 1800 nm exhibits low absorption in silica fibres. <xref target="Kohl"/>
          </t>
          <t>
            There are different local minima in those ranges, which are created by different loss mechanisms in the fibres.
            The elastic scattering of light of wavelength λ on particles with diameter d ≪ λ is governed by the Rayleigh
            scattering cross-section C_{s,λ} ∝ 1/λ^4. <xref target="Howell"/> This means increasing λ yields lower attenuation. 
            This is counteracted by the increasing absorption of IR by SiO2 with increasing wavelength. Additionally, there is 
            the OH– absorption peak around ∼ 1440 nm. This results in the lowest attenuations in the so-called O-band around 
            ∼ 1310 nm and the so-called C-band around ∼ 1550 nm which includes the global minimum of attenuation. <xref target="Kohl"/>
            The O-band is worth mentioning, because it includes the region for zero wave packet dispersion, which minimises signal
            distortion due to chromatic effects <xref target="Zeuner"/> <xref target="Portalupi"/> and also using the same 
            fibre for classical communication and quantum key distribution (QKD) via Wavelength Division Multiplexing (WDM) 
            works best for the O-band in metropolitan area networks. <xref target="Gruenenfelder"/> This explains the choice 
            of wavelength bands used in telecommunication, but also shows that even in the best-case scenario there is 
            absorption of around 0.2 dB/km in commercial networks using the C-band. It would be possible to consider 
            hollow-core optical fibres to reduce absorption and achieve an in general different behaviour, but those fibres 
            are not widely employed in commercial networks (yet?). Additionally, this does not change the general principle that 
            there always will be intrinsic losses. In quantum communication applications encoding qubits e.g. in the polarisation 
            of single photons this loss mechanism may lead to problems, as physical qubits may be lost in transmission. To 
            mitigate this, one would for example employ error correction procedures which encode the information of one logical
            qubit in multiple physical ones, where the number of physical qubits is high enough to correct errors arising from 
            missing photons due to absorptive effects in transmission. On the other hand, encoding of information into laser 
            pulses in different time bins – i.e. arrival times of photons – may not suffer as strongly from absorption. So in 
            summary – depending on the encoding of information into a physical property of the sent photons – absorption may 
            pose a significant challenge.
          </t>
        </section>
        <section>
          <name>Dispersion and Spectral Broadening</name>
          <t>
            Another fundamental effect which may be problematic in transmission is dispersion – i.e. wavelength dependency of 
            the refractive index in a material. This may lead to broadening of a pulse with non-zero spectral linewidth 
            (non-zero linewidth is unavoidable in reality), because the different frequencies the beam is consisting of travel 
            with different velocities through the medium. This broadens the pulse temporally.
          </t>
          <t>
            Similarly there is also spectral broadening. Even atomic transitions are not able to produce perfectly monochromatic 
            light. Some intrinsic effects produce a Lorentzian distribution of wavelengths in the best case, while accounting for 
            thermal effects produces a Gaußian distribution. <xref target="Fox"/> This broadening might contribute to losses due 
            to wavelength-dependent efficiency of detectors. Also absorption is wavelength dependent as shown above, thus it may 
            also lead to attenuation in this way. It is also obvious that a finite energy pulse of light which broadens spectrally 
            has to obey conservation of energy, that means the same amount of energy has to be spread over more wavelengths than 
            before, implying that the energy spreads as well, reducing the amplitude of the peak as a whole.
          </t>
          <t>
            The problem with dispersion is the following: As quantum computation and e.g. quantum repeaters with photons rely on 
            two-photon interference (Hong-Ou-Mandel effect), photons need to be indistinguishable, i.e. identical in every respect. 
            Dispersion now introduces variation in the photon wavepacket impacting the success rate of quantum operations. 
            Especially if photons travel through a different path dispersion will introduce some distinguishability, which might 
            prove fatal. <xref target="Portalupi"/> As mentioned before in the O-band around 1310 nm photons exhibit zero wave 
            packet dispersion in SiO2 fibres. <xref target="Zeuner"/> Thus, depending on the requirements and structure of a 
            specific setup or implementation of protocol it may be advisable to choose the C-band if dispersion effects can be 
            mitigated – e.g. if all photons traverse the same fibre or they do not have to interfere, but have to travel longer 
            distances – while choosing the O-band in applications where dispersion might hinder interference. The concept of 
            soliton is worth mentioning in this context, as in this case nonlinear effects and dispersion cancel. <xref target="Taylor"/> 
            So if one is able to generate solitons, one is able to counteract the effects of dispersion. This might be a route 
            to constructing physical systems that circumvent this problem.
          </t>
        </section>
        <section>
          <name>Polarisation-dependency</name>
          <t>
            Depending on application and encoding the polarisation of light is instrumental in quantum cryptography (often QKD 
            protocols use polarisation encoding). Thus, it is important to note that in transmission in a real fibre (even a 
            polarisation maintaining (PM) fibre) the polarisation is not maintained perfectly. This can be measured via the 
            polarisation extinction ratio (PER) given in [dB]. Thus over long distances it is possible that the polarisation 
            state of light is altered, which may result in loss of quantum information. Additionally, many optical components 
            have a polarisation dependence with different efficiencies for the different polarisation states, e.g. detectors may 
            have a higher sensitivity for one polarisation rather than the other, resulting in statistically skewed results.
          </t>
          <t>
            In consequence one has to calculate the impact of all of these effects in a given setup and ponder if this significantly 
            impacts the given system.
          </t>
        </section>
      </section> 

      <section>
        <name>Transduction limit</name>
        <t>
          Not only the transmission limits are a concern, but also the transduction limits. Transduction limits would be the limiting 
          factors, which are not due to the actual losses in transmission, but due to the losses which occur in the conversion from 
          flying qubits to stationary qubits and vice versa.
        </t>
        <t>
          This is obviously highly dependent on the implementation of a given system, but normally one uses photons as flying qubits, 
          which have to interface with a system used as a stationary qubit. These light-matter interactions can be described by cavity 
          quantum electrodynamics (QED).
        </t>
        <t>
          Typically in cavity QED one considers a matter Two-Level System (TLS) in a resonator cavity. This matter system would then 
          be the stationary qubit and light entering the cavity to interact with the matter TLS would be the flying qubit to be 
          transduced. The complete systems dynamics are determined by different properties: The emitter decay rate γ is the rate of 
          decay of the TLS into the cavity mode, which is often approximated by the lifetime τ of the excited state in the TLS via 
          γ ≈ 1/τ. The cavity loss rate κ is the rate of photons exiting the cavity, which is determined by the quality factor Q of 
          the resonator: κ ∝ 1/Q. Also very important is the coupling strength g0 between TLS and photon, which is dependent on the 
          mode volume V0 of the resonator: g0 ∝ √(1/V0). <xref target="Mueller"/>
        </t>
        <t>
          The cavities built around the TLS can take different forms. There are e.g. micropillar resonators which use the principle
          of the Fabry-Pérot interferometer with Q ∼ 2000 and V0 = 5 · (λ/n)^3 where n is the refractive index inside the cavity and 
          λ is the wavelength of the emitted light from the TLS, microsphere cavities with Q ∼ 8 · 10^9 and V0 ∼ 3000 μm^3, or 
          photonic crystals with Q ∼ 13000 and V0 = 1.2 · (λ/n)^3. <xref target="Mueller"/> Those are some cavities which can be built 
          around the TLS according to one's requirements. Those TLS include for example semiconductor quantum dots (QDs). It has been 
          shown, that InAs QDs can have electron spin lifetimes exceeding 1 s (albeit in this case the QD was charged electrically). 
          <xref target="Gillard"/> In case of QDs, it has to be kept in mind that normally the spin coherence times seem to be more on 
          the order of tens of microseconds but they have excellent optical properties which allow generation of spin-photon entanglement 
          efficiently. Other material systems like vacancy centers in diamond exhibit spin coherence time of whole seconds but with low 
          emission efficiencies. <xref target="Dusanowski"/> So there seems to be a trade-off between advantageous spin and photonic 
          properties. Spin decoherence also limits the lifetimes of stationary qubits, in addition to the losses in transduction. With such 
          information one could estimate how well a flying qubit can be transduced to a stationary one and how well the stationary qubit 
          can be preserved.
        </t>
      </section> 

    </section>

    <section>
      <name>Vulnerabilities</name>
      <t>
Several protocols in quantum cryptography base their
security on (at least one of) two core assumptions:
      </t>
<ul>
    <li>Bounded copies: adversaries have up to N copies
of some quantum state, with N depending on the
protocol in question. In some cases, N = 1.</li>
    <li>Unknown State: despite holding one or more copies of some state |ψ⟩, 
adversaries lack information on what state they hold.</li>
</ul>
      <t>
Despite such assumptions being theoretically sound and convenient, 
the limits presented in Section 2 jeopardize their validity. 
This may lead to protocol-specific attacks, 
either leaking partial information 
or completely breaking the protocol’s security or correctness. 
In the following, we explain how such a vulnerability may result in 
an attack against popular quantum cryptographic protocols.
      </t>

      <section>
        <name>Attacks on public-key encryption and digital signature</name>
<t>
We start by considering the quantum public-key encryption scheme 
devised by <xref target="Nikolopoulos1"/>. 
Such a protocol is a perfect example, as it bases its security on both the aforementioned assumptions. 
In fact, it supposes an upper bound to the number of distributed public keys, 
and that public key holders do not know which state they hold. 
If one of these assumptions is broken, it is trivial to leak the private key 
from the quantum public key. 
</t>
<t>
We can compute the upper limit of N based on the acceptable security risk.
Suppose that Alice generates m′ copies of her public key, with m′ less than N, 
and distributes them in a quantum network. 
Due to the inherent limits of telecommunication, 
it is likely that some of these quantum keys are lost. 
However, the cause of this loss is hard to determine and could be one of the following:
</t>

<ul>
<li>Benign faults: the quantum key is lost forever due to unforeseeable hazards.</li>
<li>Malicious attack: some attacker could fake a hazard and steal the quantum key for future attacks.</li>
</ul>

<t>
The two situations are indistinguishable to Alice, as
she does not have a global view of what happens in the
network. Therefore, Alice has two options when some
agent claims a public key loss:
</t>

<ul>
<li> Optimism: Alice trusts the claim, i.e. she believes
it was the consequence of a benign fault. She then
prepares one or more copies of the public key, and
re-transmits them.
</li>
<li>Pessimism: Alice does not trust the claim, as she
fears it is the result of a malicious attack. She will
not replace the lost quantum key.</li>
</ul>

<t>
A pessimistic behavior preserves the protocol’s security but jeopardizes its correctness. 
In fact, if Alice misjudges, i.e., the loss resulted from benign faults, then
benign users will no longer be able to encrypt a message for Alice, 
as they lack the public key to encrypt it. On the other hand, 
optimistic behavior preserves the protocol’s correctness but may jeopardize its security. 
Malicious users could exploit this to gather enough public key
copies to run a measurement and find the private key.
A similar reasoning holds for the quantum digital signature scheme 
by <xref target="Gottesman"/>. The latter distributes quantum public keys obtained 
from a classical private key via a classical-quantum one-way function.
The one-way property is guaranteed when only one copy
of the quantum output is available. One may still wonder what happens 
if one public key copy is lost. If Alice
plays optimistically, malicious users can exploit her trust
to gather several public key copies. If such an action is repeated over time, 
it can lead to information leakage and
possibly an inversion of the one-way function. On the
other hand, if Alice plays pessimistically, benign users
who have lost a public key against their will are going to
suffer from her decision. In fact, they will be unable to
verify signatures, which exposes them to other types of
attacks, such as forged signatures.
</t>
      </section> 

      <section>
        <name>Attacks on authentication</name>
<t>
In the following, we show how the phenomenon of data
loss may jeopardize the security of some authentication
protocols. Hong’s protocol <xref target="Hong"/> is based on measuring
single photons for m rounds, and implicitly makes the
bounded-copies assumption. In fact, they assume that at
authentication time Alice and Bob are able to send and
measure each photon once. Let us now assume that some
losses occur when Bob prepares a photon in position i in
state |ψ_i⟩ ∈ {|0⟩, |1⟩, |+⟩, |−⟩}. If Bob acts optimistically, 
he will prepare a copy of state |ψ_i⟩ and re-send it to Alice. 
Such re-sending could possibly happen m times, depending on the number of faults. 
Malicious users can exploit this behavior to accumulate m copies
of state |ψ_i⟩, and use them to distinguish which of the four possible states it is. 
This allows adversaries to leak the corresponding key bits k_i. 
On the other hand, if Bob plays pessimistically, he will not re-send state |ψ_i⟩. 
This scenario may lead to security issues or impracticality depending 
on which policy Alice takes. If Alice decides to skip that position, 
the protocol’s security decreases, since attackers with a partial knowledge 
of the shared key can still be successfully authenticated. 
The attacker may simply claim that his qubit was lost, and still pass authentication. 
On the other hand, if Alice is intransigent, she may just reject Bob’s authentication attempt, 
and ask him to re-attempt later. That works fine when data losses are occasional and rare accidents. 
However, with the currently available technologies, the loss rate is so high 
that with a high probability one loss will occur in every protocol. 
This implies that even an honest Bob will likely be unable to prove his identity, 
as most authentication attempts will fail due to Alice’s intransigent policy.
</t>
<t>
Other proposals are more resilient to lost qubits. 
Kanamori’s protocol <xref target="Kanamori"/> uses a random session key ϕ 
to mask the information on the classical shared key. 
In the case of a single qubit, even if an attacker with no a priori knowledge 
intercepts it, the attacker cannot extract any information from it. 
</t>
      </section> 

      <section>
        <name>Attacks on quantum money</name>
<t>
Wiesner’s quantum money <xref target="Wiesner"/> also relies on the
bounded-copies and unknown-state assumptions. If one
possesses several copies of the same quantum note, one
may use them to attack the scheme. Specifically, they
can use simple measurements and operations to learn
the note’s quantum state, and produce arbitrarily many copies. 
Let's consider a quantum note with n qubits. 
If an attacker wants to cheat with probability δ,
it needs approximately m copies of the note where m = -log_2(1-δ^(1/n)). 
</t>
<t>
We remark that once the attack is repeated for all the
n qubits, you know all their bases and values, and may
therefore forge as many banknotes as you like. 
Now, suppose a user claims that a quantum note was lost. 
If Alice acts optimistically and re-issues the banknote, 
some attacker can exploit this to gather copies of the note and
later run the attack. On the other hand, Alice could act
pessimistically and refuse to re-issue the lost qubits. 
Although this preserves the protocol’s security, it prevents
benign users from verifying the note in the future.
</t>
      </section>
	  
      <section>
        <name>Attacks on Oblivious Transfer</name>
<t>
The BBCS <xref target="Brassard"/> protocol is extremely sensitive to multicopy attacks. 
In fact, suppose that Bob obtains two copies of the qubits generated by Alice in the BB84 phase.
He may run a very simple attack:
</t>
<ul>
<li>
 Measure each qubit of the first copy in the computational basis
</li>
<li>
Measure each qubit of the second copy in the Hadamard basis
</li>
<li>
Once Alice has revealed her true bases, Bob keeps
the measurement outcomes obtained by measuring
in the right basis
</li>
</ul>
<t>
Such a simple attack allows him to learn both messages with certainty. 
Hence, if Alice receives the claim of a lost BB84 qubit string, 
she must play pessimistically and refuse to re-send it. 
Fortunately, in this scenario, Alice may get away with a simple countermeasure: 
because the BB84 phase happens at an early stage, 
she may prepare a different BB84 string and send it to Bob. 
This preserves the protocol’s correctness at no security cost.
Furthermore, re-preparing a random BB84 string comes
with negligible overhead, thus preserving the protocol’s practicality.
</t>
      </section> 	
    </section>

    <section>
      <name>Conclusion</name>

      <section>
        <name>Quantum teleportation</name>
        <t>Overall, in some cases, direct transmission of a qubit is problematic 
because of its quantum characteristics, e.g., no cloning. 
For some applications, e.g., QPUF-based authentication
<xref target="Nikolopoulos2"/>, <xref target="Galetsky"/>, 
a transmission failure may cause irrevocable damage. 
Even if a sender can retransmit a qubit in case of a failure 
<xref target="Bennett"/>, <xref target="Nikolopoulos1"/>, 
this may lead to a security breach. 
We believe that the risks described above can be mitigated 
by sharing entangled pairs between a sender and a receiver over the (imperfect) link 
and then performing a quantum teleportation procedure.  

Usually, it’s easier to send a qubit with a known state than one with an unknown state. 
A problem may also arise during entanglement swapping, 
but such a failure can be recovered from with enough trials. 
Moreover, an entangled pair can be stored in the form of a matter qubit
<xref target="Childress"/>.
Hence, the result of a quantum computation can be directly transferred 
without going through a transducer. 

As <xref target="RFC9340"/> indicates, we may, in turn, 
create link-local entanglement between neighboring nodes, 
establish end-to-end entanglement with entanglement swapping, 
then perform distillation to improve the fidelity. 
Using entangled pairs of high enough fidelity, 
we may use quantum teleportation to send even an irrecoverable quantum state. 
</t>
      </section> 
	
    </section>
   
    <section anchor="IANA">
    <!-- All drafts are required to have an IANA considerations section. See RFC 8126 for a guide.-->
      <name>IANA Considerations</name>
      <t>This memo includes no request to IANA.</t>
    </section>
    
    <section anchor="Security">
      <!-- All drafts are required to have a security considerations section. See RFC 3552 for a guide. -->
      <name>Security Considerations</name>
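      <t>This document does not introduce any new security considerations. The security trade-offs of re-sending, or refusing to re-send, lost quantum states are analysed in the preceding sections.</t>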
    </section>
    
    <!-- NOTE: The Acknowledgements and Contributors sections are at the end of this template -->
  </middle>

  <back>
    <references>
      <name>References</name>        
 
      <references>
        <name>Informative References</name>
		
		<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9340.xml"/>

        <xi:include
    href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.irtf-qirg-quantum-internet-use-cases.xml"/>		
        <reference anchor="Kohl">
          <front>
            <title>Optical characterisation of telecommunication wavelength quantum dots</title>
            <author initials="P." surname="Kohl"></author> 
            <date year="2023"/>
          </front>
		  <refcontent>Master’s Thesis, Technical University of Munich</refcontent>
        </reference>  
		
		<reference anchor="Schubert">
          <front>
            <title>Light-Emitting Diodes, 3rd ed.</title>
            <author initials="E.F." surname="Schubert"></author> 
            <date year="2018"/>
          </front>
        </reference>  

		<reference anchor="Howell">
          <front>
            <title>Thermal radiation heat transfer, seventh ed.</title>
            <author initials="E.F." surname="Howell"></author> 
			<author initials="K.J." surname="Daun"></author> 
            <author initials="R." surname="Siegel"></author> 
			<author initials="M.P." surname="Mengüç"></author> 
            <date year="2021"/>
          </front>
        </reference>  

		<reference anchor="Zeuner">
          <front>
            <title>Semiconductor Quantum Optics at Telecom Wavelengths</title>
            <author initials="K." surname="Zeuner"></author> 
            <date year="2020"/>
          </front>
		  <refcontent>Ph.D. thesis, KTH</refcontent>
        </reference>  

		<reference anchor="Portalupi">
          <front>
            <title>InAs quantum dots grown on metamorphic buffers as non-classical light sources at telecom C-band</title>
            <author initials="S.L." surname="Portalupi"></author> 
			<author initials="M." surname="Jetter"></author> 
			<author initials="P." surname="Michler"></author> 
            <date year="2019"/>
          </front>
		  <refcontent>a review, Semiconductor Science and Technology 34</refcontent>
        </reference>   

		<reference anchor="Gruenenfelder">
          <front>
            <title>The limits of multiplexing quantum and classical channels: Case study of a 2.5 GHz discrete variable quantum key distribution system</title>
            <author initials="F." surname="Grünenfelder"></author> 
			<author initials="R." surname="Sax"></author> 
			<author initials="A." surname="Boaron"></author> 
			<author initials="H." surname="Zbinden"></author> 
            <date year="2021"/>
          </front>
		  <refcontent>Applied Physics Letters 119, 124001</refcontent>
        </reference>  

		<reference anchor="Fox">
          <front>
            <title>Quantum Optics: An Introduction</title>
            <author initials="M." surname="Fox"></author>  
            <date year="2006"/>
          </front>
		  <refcontent>Master Series in Physics, Vol. 15 (Oxford University Press)</refcontent>
        </reference>  		
		
		<reference anchor="Taylor">
          <front>
            <title>Optical Solitons: Theory and Experiment</title>
            <author initials="J.R." surname="Taylor"></author>  
            <date year="1992"/>
          </front> 
        </reference>  	

		<reference anchor="Mueller">
          <front>
            <title>Lecture notes in photonic quantum technologies</title>
            <author initials="K." surname="Müller"></author>  
            <date year="2021"/>
          </front>
		  <refcontent>summer semester</refcontent>
        </reference>  
		

		<reference anchor="Gillard">
          <front>
            <title>Fundamental limits of electron and nuclear spin qubit lifetimes in an isolated self-assembled quantum dot</title>
            <author initials="G." surname="Gillard"></author>  
            <author initials="I.M." surname="Griffiths"></author>  
            <author initials="G." surname="Ragunathan"></author>  
            <author initials="A." surname="Ulhaq"></author>  
            <author initials="C." surname="McEwan"></author>  
            <author initials="E." surname="Clarke"></author>  
            <author initials="E.A." surname="Chekhovich"></author>  
            <date year="2021"/>
          </front>
		  <refcontent>npj Quantum Information 7</refcontent>
        </reference>  

		<reference anchor="Dusanowski">
          <front>
            <title>Optical charge injection and coherent control of a quantum-dot spin-qubit emitting at telecom wavelengths</title>
            <author initials="Ł." surname="Dusanowski"></author>  
            <author initials="C." surname="Nawrath"></author>  
            <author initials="S.L." surname="Portalupi"></author>  
            <author initials="M." surname="Jetter"></author>  
            <author initials="T." surname="Huber"></author>  
            <author initials="S." surname="Klembt"></author>  
            <author initials="P." surname="Michler"></author>  
            <author initials="S." surname="Höfling"></author>  
            <date year="2022"/>
          </front>
		  <refcontent>Nature Communications 13</refcontent>
        </reference> 

		<reference anchor="Nikolopoulos1">
          <front>
            <title>Applications of single-qubit rotations in quantum public-key cryptography</title>
            <author initials="G.M." surname="Nikolopoulos"></author>  
            <date year="2008"/>
          </front>
		  <refcontent>Physical Review A 77</refcontent>
        </reference> 

		<reference anchor="Gottesman">
          <front>
            <title>Quantum digital signatures</title>
            <author initials="D." surname="Gottesman"></author>  
            <author initials="I." surname="Chuang"></author>  
            <date year="2001"/>
          </front>
		  <refcontent>arXiv:quant-ph/0105032 [quant-ph]</refcontent>
        </reference>  
 
		<reference anchor="Hong">
          <front>
            <title>Quantum identity authentication with single photon</title>
            <author initials="C.H." surname="Hong"></author>  
            <author initials="J." surname="Heo"></author>  
            <author initials="J.G." surname="Jang"></author>  
            <author initials="D." surname="Kwon"></author>  
            <date year="2017"/>
          </front>
		  <refcontent>Quantum Information Processing 16</refcontent>
        </reference>  

		<reference anchor="Curty">
          <front>
            <title>Quantum authentication of classical messages</title>
            <author initials="M." surname="Curty"></author>  
            <author initials="D.J." surname="Santos"></author>  
            <date year="2001"/>
          </front>
		  <refcontent>Phys. Rev. A 64</refcontent>
        </reference>  

		<reference anchor="Kanamori">
          <front>
            <title>On quantum authentication protocols</title>
            <author initials="Y." surname="Kanamori"></author>  
            <author initials="S.M." surname="Yoo"></author>  
            <author initials="D." surname="Gregory"></author>  
            <author initials="F." surname="Sheldon"></author>  			
            <date year="2005"/>
          </front>
		  <refcontent>GLOBECOM ’05</refcontent>
        </reference>  
    
		<reference anchor="Wiesner">
          <front>
            <title>Conjugate coding</title>
            <author initials="S." surname="Wiesner"></author>  	
            <date year="1983"/>
          </front>
		  <refcontent>SIGACT News 15</refcontent>
        </reference>  

		<reference anchor="Bennett">
          <front>
            <title>Quantum cryptography: Public key distribution and coin tossing</title>
            <author initials="B." surname="Bennett"></author>  	
            <author initials="G." surname="Brassard"></author>  	
            <date year="1984"/>
          </front> 
        </reference>  

		<reference anchor="Nikolopoulos2">
          <front>
            <title>Continuous-variable quantum authentication of physical unclonable keys</title>
            <author initials="G.M." surname="Nikolopoulos"></author>  
            <author initials="E." surname="Diamanti"></author>  		
            <author initials="C." surname="Deppe"></author>  
            <author initials="R." surname="Ferrara"></author>  
            <date year="2017"/>
          </front>
		  <refcontent>Scientific reports</refcontent>
        </reference>  		

		<reference anchor="Galetsky">
          <front>
            <title>Comparison of Quantum PUF models</title>
            <author initials="V." surname="Galetsky"></author>  
            <author initials="S." surname="Ghosh"></author>  		
            <author initials="C." surname="Deppe"></author>  
            <author initials="R." surname="Ferrara"></author>  
            <date year="2022"/>
          </front>
		  <refcontent>2022 IEEE Globecom Workshops</refcontent>
        </reference>  		

		<reference anchor="Arapinis">
          <front>
            <title>Quantum Physical Unclonable Functions: Possibilities and Impossibilities</title>
            <author initials="M." surname="Arapinis"></author>  
            <author initials="M." surname="Delavar"></author>  		
            <author initials="M." surname="Doosti"></author>  
            <author initials="E." surname="Kashefi"></author>  
            <date year="2021"/>
          </front>
		  <refcontent>Quantum 5, 475</refcontent>
        </reference>  		

		<reference anchor="Childress">
          <front>
            <title>Diamond NV centers for quantum computing and quantum networks</title>
            <author initials="L." surname="Childress"></author>  
            <author initials="R." surname="Hanson"></author>  		
            <date year="2013"/>
          </front>
		  <refcontent>MRS Bulletin volume 38</refcontent>
        </reference>  
		
		<reference anchor="Brassard">
          <front>
            <title>Practical quantum oblivious transfer</title>
            <author initials="C." surname="Bennett"></author> 
            <author initials="G." surname="Brassard"></author> 
            <author initials="C." surname="Crepeau"></author> 
            <author initials="M-H." surname="Skubiszewska"></author>                         
            <date year="1991"/>
          </front>
		  <refcontent>Advances in Cryptology — CRYPTO ’91</refcontent>
        </reference>  
	

      </references>
    </references>
    
    <section anchor="Acknowledgements" numbered="false">
      <!-- [REPLACE/DELETE] an Acknowledgements section is optional -->
      <name>Acknowledgements</name>
      <t>This work was financed by the DFG via grant NO 1129/2-1 (JN) and by the BMBF via grants 16KISQ039 (JHC), 16KISQ077 (DLC) and 16KISR026 (PK). The authors acknowledge the financial support by the Federal Ministry of Education and Research of Germany in the programme of “Souverän. Digital. Vernetzt.”. Joint project 6G-life, project identification number: 16KISK002.</t>
    </section>
    
 </back>
</rfc>
